FuncVul: an Effective Function Level Vulnerability Detection Model Using LLM and Code Chunk
Software supply chain vulnerabilities arise when attackers exploit weaknesses by injecting vulnerable code into widely used packages or libraries within software repositories. While most existing approaches focus on identifying vulnerable packages or libraries, they often overlook the specific...
CVE-2025-52557 Mail-0 Zero Session Hijacking Via Email
Mail-0's Zero is an open-source email solution. In version 0.8 it is possible for an attacker to craft an email that executes JavaScript, leading to session hijacking due to improper sanitization. This issue has been patched in version 0.81...
Security Bulletin: IBM Cognos Analytics is affected by security vulnerabilities
Summary: There are vulnerabilities in multiple Open Source Software (OSS) components consumed by IBM Cognos Analytics. Additionally, IBM Cognos Analytics is vulnerable to Cross-Site Scripting (XSS), JavaScript Source Map and Denial of Service (DoS) vulnerabilities. This Security Bulletin relates only t...
[SECURITY] Fedora 42 Update: chromium-137.0.7151.68-1.fc42
Chromium is an open-source web browser, powered by WebKit Blink...
Unifiedtransform security vulnerability
Unifiedtransform is open source school management software by Hasib Mahmud (individual developer). A security vulnerability exists in Unifiedtransform version v2.0, which stems from a vulnerability in the /course/edit/id endpoint and could lead to remote elevation of privilege...
CVE-2025-48998
DataEase CVE-2025-48998: Affects DataEase prior to 2.10.6 where a bypass of the patch for CVE-2025-27103 allows authenticated users to read and deserialize arbitrary files through the background JDBC connection. The issue has been fixed in v2.10.10; no public workarounds are documented. Connected...
CVE-2025-48949 Navidrome allows SQL Injection via role parameter
Navidrome is an open source web-based music collection server and streamer. Versions 0.55.0 through 0.55.2 have a vulnerability due to improper input validation on the role parameter within the API endpoint /api/artist. Attackers can exploit this flaw to inject arbitrary SQL queries, potentially...
CVE-2025-48070
Plane is open-source project management software. Versions prior to 0.23 have insecure permissions in UserSerializer that allows users to change fields that are meant to be read-only, such as email. This can lead to account takeover when chained with another vulnerability such as cross-site...
CVE-2025-48375
Schule is open-source school management system software. Prior to version 1.0.1, the file forgotpassword.php or equivalent endpoint responsible for email-based OTP generation lacks proper rate limiting controls, allowing attackers to abuse the OTP request functionality. This vulnerability can be...
CVE-2025-48375
CVE-2025-48375 concerns Schule, an open-source school management system. Prior to version 1.0.1, the endpoint responsible for email-based OTP generation (forgot_password.php) lacks proper rate limiting, enabling abuse of the OTP request function. This can lead to excessive OTP emails, risking den...
CVE-2024-52599
Tuleap is an open source suite to improve management of software developments and collaboration. In Tuleap Community Edition prior to version 16.1.99.50 and Tuleap Enterprise Edition prior to versions 16.1-4 and 16.0-7, a malicious user with the ability to create an artifact in a tracker with a...
CVE-2024-49373
No Fuss Computing Centurion ERP is open source enterprise resource planning (ERP) software. Prior to version 1.2.1, an authenticated user can view projects within organizations they are not a part of. Version 1.2.1 fixes the problem...
CVE-2024-31455
Minder by Stacklok is an open source software supply chain security platform. A refactoring in commit 5c381cf added the ability to get GitHub repositories registered to a project without specifying a specific provider. Unfortunately, the SQL query for doing so was missing parentheses, and would...
CVE-2024-24818
EspoCRM is open source Customer Relationship Management software. An attacker can inject an arbitrary IP or domain in the "Password Change" page and redirect the victim to a malicious page that could lead to credential theft or another attack. This vulnerability is fixed in 8.1.2...
CVE-2024-24768
1Panel is an open source Linux server operation and maintenance management panel. The HTTPS cookie that comes with the panel does not have the Secure keyword, which may cause the cookie to be sent in plain text if accessed using HTTP. This issue has been patched in version 1.9.6...
CVE-2024-28193
yourspotify is an open source, self hosted Spotify tracking dashboard. YourSpotify version 1.8.0 allows users to create a public token in the settings, which can be used to provide guest-level access to the information of that specific user in YourSpotify. The /me API endpoint discloses Spotify A...
CVE-2024-24808
pyLoad is an open-source Download Manager written in pure Python. There is an open redirect vulnerability due to incorrect validation of input values when redirecting users after login. pyLoad is validating URLs via the getredirecturl function when redirecting users at login. This vulnerability h...
CVE-2024-53272
Habitica is an open-source habit-building program. Versions prior to 5.28.5 are vulnerable to reflected cross-site scripting. The login and social media function in RegisterLoginReset.vue contains two reflected XSS vulnerabilities due to an incorrect sanitization function. An attacker can specify...
CVE-2024-53264
bunkerweb is an open-source, next-generation Web Application Firewall (WAF). An open redirect vulnerability exists in the loading endpoint, allowing attackers to redirect authenticated users to arbitrary external URLs via the "next" parameter. The loading endpoint accepts and uses an unvalidated...
CVE-2023-44397
CloudExplorer Lite is an open source, lightweight cloud management platform. Prior to version 1.4.1, the gateway filter of CloudExplorer Lite uses a controller with path starting with matching/API/, which can cause a permission bypass. Version 1.4.1 contains a patch for this issue...