Lucene search
K

126 matches found

OSV
OSV
added 2025/09/22 7:39 p.m.6 views

CVE-2025-59434 Critical Multi-Tenant Variable Disclosure in Flowise Cloud via Custom JavaScript Function

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to August 2025 Cloud-Hosted Flowise, an authenticated vulnerability in Flowise Cloud allows any user on the free tier to access sensitive environment variables from other tenants via the Custom JavaScri...

9.6CVSS6.7AI score0.03146EPSS
Exploits0References3
CVE
CVE
added 2025/09/22 7:39 p.m.25 views

CVE-2025-59434

Flowise Cloud prior to August 2025 was vulnerable to a cross-tenant data exposure through the Custom JavaScript Function node, allowing authenticated users on the free tier to access environment variables from other tenants (e.g., OpenAI keys, cloud credentials, and tokens). The issue has been pa...

9.6CVSS6.3AI score0.03146EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2025/09/22 12:0 a.m.7 views

PT-2025-39070

Name of the Vulnerable Software and Affected Versions Flowise versions prior to August 2025 Cloud-Hosted Flowise Description Flowise is a drag & drop user interface used to build customized large language model flows. A vulnerability in Flowise Cloud, prior to the August 2025 release, allows...

9.6CVSS6.3AI score0.03146EPSS
Exploits0References7
OSV
OSV
added 2025/09/15 7:51 p.m.3 views

GHSA-7944-7C6R-55VV FlowiseAI Pre-Auth Arbitrary Code Execution

Summary An authenticated admin user of FlowiseAI can exploit the Supabase RPC Filter component to execute arbitrary server-side code without restriction. By injecting a malicious payload into the filter expression field, the attacker can directly trigger JavaScript's execSync to launch reverse...

9.1CVSS8.4AI score0.00581EPSS
Exploits1References6
Github Security Blog
Github Security Blog
added 2025/09/15 7:51 p.m.55 views

FlowiseAI Pre-Auth Arbitrary Code Execution

Summary An authenticated admin user of FlowiseAI can exploit the Supabase RPC Filter component to execute arbitrary server-side code without restriction. By injecting a malicious payload into the filter expression field, the attacker can directly trigger JavaScript's execSync to launch reverse...

6.5CVSS8.4AI score0.00581EPSS
Exploits1References6Affected Software1
OSSF Malicious Packages
OSSF Malicious Packages
added 2025/08/29 6:55 p.m.3 views

Malicious code in tailwind-supabase (npm)

The package tailwind-supabase was found to contain malicious code...

7AI score
Exploits0
OSV
OSV
added 2025/08/29 6:55 p.m.2 views

MAL-2025-42094 Malicious code in tailwind-supabase (npm)

The package tailwind-supabase was found to contain malicious code...

7AI score
Exploits0
RedhatCVE
RedhatCVE
added 2025/08/23 4:16 p.m.6 views

CVE-2025-57754

eslint-ban-moment is an Eslint plugin for final assignment in VIHU. In 3.0.0 and earlier, a sensitive Supabase URI is exposed in .env. A valid Supabase URI with embedded username and password will allow an attacker complete unauthorized access and control over database and user data. This could...

9.8CVSS6.4AI score0.00338EPSS
Exploits0References1
NVD
NVD
added 2025/08/21 5:15 p.m.10 views

CVE-2025-57754

eslint-ban-moment is an Eslint plugin for final assignment in VIHU. In 3.0.0 and earlier, a sensitive Supabase URI is exposed in .env. A valid Supabase URI with embedded username and password will allow an attacker complete unauthorized access and control over database and user data. This could...

9.8CVSS0.00338EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2025/08/21 4:14 p.m.3 views

CVE-2025-57754 eslint-ban-moment exposed a sensitive Supabase URI in .env (Credential leak)

eslint-ban-moment is an Eslint plugin for final assignment in VIHU. In 3.0.0 and earlier, a sensitive Supabase URI is exposed in .env. A valid Supabase URI with embedded username and password will allow an attacker complete unauthorized access and control over database and user data. This could...

9.8CVSS7.2AI score0.00338EPSS
Exploits0References2
CVE
CVE
added 2025/08/21 4:14 p.m.18 views

CVE-2025-57754

CVE-2025-57754 affects eslint-ban-moment (plugin for ESLint) with versions 3.0.0 and earlier. The root cause is exposure of a sensitive Supabase URI in the .env file, which, if valid and contains embedded credentials, can grant an attacker complete unauthorized access and control over the databas...

9.8CVSS7.2AI score0.00338EPSS
Exploits0References2
Cvelist
Cvelist
added 2025/08/21 4:14 p.m.9 views

CVE-2025-57754 eslint-ban-moment exposed a sensitive Supabase URI in .env (Credential leak)

eslint-ban-moment is an Eslint plugin for final assignment in VIHU. In 3.0.0 and earlier, a sensitive Supabase URI is exposed in .env. A valid Supabase URI with embedded username and password will allow an attacker complete unauthorized access and control over database and user data. This could...

9.8CVSS0.00338EPSS
Exploits0References2
OSV
OSV
added 2025/08/21 4:14 p.m.2 views

CVE-2025-57754 eslint-ban-moment exposed a sensitive Supabase URI in .env (Credential leak)

eslint-ban-moment is an Eslint plugin for final assignment in VIHU. In 3.0.0 and earlier, a sensitive Supabase URI is exposed in .env. A valid Supabase URI with embedded username and password will allow an attacker complete unauthorized access and control over database and user data. This could...

9.8CVSS6.7AI score0.00338EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2025/08/21 12:0 a.m.5 views

PT-2025-34243 · WordPress · Eslint-Ban-Moment

Name of the Vulnerable Software and Affected Versions: eslint-ban-moment versions 3.0.0 and earlier Description: The eslint-ban-moment plugin exposes a sensitive Supabase URI in the .env file. A valid Supabase URI containing a username and password grants an attacker complete unauthorized access...

9.8CVSS7.2AI score0.00338EPSS
Exploits0References7
CNNVD
CNNVD
added 2025/08/21 12:0 a.m.10 views

eslint-ban-moment 安全漏洞

eslint-ban-moment is an application by the individual developer Kristófer Fannar Björnsson. A security vulnerability exists in eslint-ban-moment 3.0.0 and earlier versions, which originates from the exposure of sensitive Supabase URIs in .env files, which could lead to data exfiltration,...

9.8CVSS6.4AI score0.00338EPSS
Exploits0References3
OSSF Malicious Packages
OSSF Malicious Packages
added 2025/07/10 10:24 p.m.6 views

Malicious code in supabase-react (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware d99002d0e83f91ca297ecb91950c973f76ba284c9b63eba89946e9bfac2672de Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

6.9AI score
Exploits0References1
OSV
OSV
added 2025/07/10 10:24 p.m.6 views

MAL-2025-5797 Malicious code in supabase-react (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware d99002d0e83f91ca297ecb91950c973f76ba284c9b63eba89946e9bfac2672de Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

7AI score
Exploits0References1
Veracode
Veracode
added 2025/05/29 2:36 a.m.11 views

Path Traversal

@supabase/auth-js is vulnerable to Path Traversal . The vulnerability is due to missing UUID validation on user-supplied inputs, which allows an attacker to manipulate URL paths and invoke unintended API functions...

6.9CVSS6.6AI score0.00745EPSS
Exploits0References4Affected Software1
NVD
NVD
added 2025/05/27 4:15 p.m.34 views

CVE-2025-48370

auth-js is an isomorphic Javascript library for Supabase Auth. Prior to version 2.70.0, the library functions getUserById, deleteUser, updateUserById, listFactors and deleteFactor did not require the user supplied values to be valid UUIDs. This could lead to a URL path traversal, resulting in the...

6.9CVSS0.00745EPSS
Exploits0References3
OSV
OSV
added 2025/05/27 3:27 p.m.7 views

CVE-2025-48370 auth-js Vulnerable to Insecure Path Routing from Malformed User Input

auth-js is an isomorphic Javascript library for Supabase Auth. Prior to version 2.70.0, the library functions getUserById, deleteUser, updateUserById, listFactors and deleteFactor did not require the user supplied values to be valid UUIDs. This could lead to a URL path traversal, resulting in the...

6.9CVSS5.8AI score0.00745EPSS
Exploits0References5
Rows per page
Query Builder