CVE-2026-9133
Active debug code exists in the ARN resolver of amazon-mq rabbitmq-aws before version 0.2.1. A debug ARN scheme arn:aws-debug:file accepted by the PUT /api/aws/arn/validate validation endpoint might allow remote authenticated users to perform arbitrary file reads on any file accessible to the...
CVE-2026-9133
CVE-2026-9133 affects the rabbitmq-aws plugin’s ARN resolver. Active debug code enables a debug ARN scheme (arn:aws-debug:file) that is accepted by PUT /api/aws/arn/validate, allowing remote authenticated users to perform arbitrary file reads on files accessible to the RabbitMQ process. This issu...
Timing Attack
Overview pyquorum is a cryptographic library for secret sharing and key management, powered by Rust. Affected versions of this package are vulnerable to a Timing Attack via the mulmod function, which implements multiplication via a binary expansion loop whose execution time depends on the Hamming weight of the...
CVE-2026-32737 Romeo's invalid NetworkPolicy enables a malicious actor to pivot into another namespace
Romeo gives the capability to reach high code coverage of Go ≥1.20 apps by helping to measure code coverage for functional and integration tests within GitHub Actions. Prior to version 0.2.1, due to a mis-written NetworkPolicy, a malicious actor can pivot from the "hardened" namespace to any Pod...
Improper Restriction of Communication Channel to Intended Endpoints
Overview Affected versions of this package are vulnerable to Improper Restriction of Communication Channel to Intended Endpoints due to a misconfigured NetworkPolicy inter-ns. An attacker can gain unauthorized access to resources in other namespaces by exploiting an overly permissive network...
Heap-based Buffer Overflow
Overview sentencepiece is an unsupervised text tokenizer and detokenizer. Affected versions of this package are vulnerable to Heap-based Buffer Overflow via the processing of a malicious model file. An attacker can cause the application to access invalid memory regions by supplying a model file...
CVE-2025-13168
A weakness has been identified in ury-erp ury up to 0.2.0. This affects the function overrided_past_order_list of the file ury/ury/api/pos_extend.py. Manipulation of the argument search_term causes SQL injection. Remote exploitation of the attack is possible. The exploit has been made available t...
EUVD-2025-197608
A weakness has been identified in ury-erp ury up to 0.2.0. This affects the function overrided_past_order_list of the file ury/ury/api/pos_extend.py. Manipulation of the argument search_term causes SQL injection. Remote exploitation of the attack is possible. The exploit has been made available t...
CVE-2025-13168 ury-erp ury pos_extend.py overrided_past_order_list sql injection
A weakness has been identified in ury-erp ury up to 0.2.0. This affects the function overrided_past_order_list of the file ury/ury/api/pos_extend.py. Manipulation of the argument search_term causes SQL injection. Remote exploitation of the attack is possible. The exploit has been made available t...
PT-2025-46957
Name of the Vulnerable Software and Affected Versions: ury-erp ury versions up to 0.2.0. Description: A weakness exists in ury-erp ury that allows for SQL injection. This issue is related to the manipulation of the search term argument within the overrided past order list function located in the fil...
Cross-Site Scripting (XSS) vulnerability through unescaped HTML attribute values
Impact The prosemirrortohtml gem is vulnerable to Cross-Site Scripting (XSS) attacks through malicious HTML attribute values. While tag content is properly escaped, attribute values are not, allowing attackers to inject arbitrary JavaScript code. Who is impacted: - Any application using...
Uncontrolled Search Path Element
Overview Affected versions of this package are vulnerable to Uncontrolled Search Path Element via the unpack function, when using the CLI flag --remote-image on untrusted container images. An attacker can write arbitrary files to the host system. This allows the attacker to create or overwrite...
Command Injection
Overview connection-tester is a module that tests whether a connection can be established, i.e. whether a given host and port are reachable. It is useful for testing all the connections in your Node application at server startup. Affected versions of this package are vulnerable to Command Injection...