client-certificate-auth Vulnerable to Open Redirect via Host Header Injection in HTTP-to-HTTPS redirect
Summary Versions 0.2.1 and 0.3.0 of client-certificate-auth contain an open redirect vulnerability. The middleware unconditionally redirects HTTP requests to HTTPS using the unvalidated Host header, allowing an attacker to redirect users to arbitrary domains. Vulnerable Code javascript //...
Improper Verification of Cryptographic Signature
Overview altcha is a lightweight library for creating and verifying ALTCHA challenges. Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via the HMAC computation. An attacker can bypass intended challenge expiration and reuse previously solved...
PT-2025-51162
A flaw has been found in DecoCMS Mesh up to 1.0.0-alpha.31. Affected by this vulnerability is the function createTool of the file packages/sdk/src/mcp/teams/api.ts of the component Workspace Domain Handler. This manipulation of the argument domain causes improper access controls. The attack can b...
Open Redirect
Overview local-deep-research is an AI-powered research assistant with deep, iterative analysis using LLMs and web searches. Affected versions of this package are vulnerable to Open Redirect via the nextpage query parameter in the post-authentication redirection flow. An attacker can exploit this...
Insecure Inherited Permissions
Overview django-helpdesk is a Django-powered ticket tracker for your helpdesk. Affected versions of this package are vulnerable to Insecure Inherited Permissions due to the improper setting of os.umask(0) in models.py. An attacker can access sensitive data without proper authorization by exploiting...
PT-2024-35958 · Unknown · Sp-Php-Email-Handler
Name of the Vulnerable Software and Affected Versions: sp-php-email-handler versions prior to 1.0.0 Description: The sp-php-email-handler PHP package is vulnerable to abuse, allowing malicious actors to specify arbitrary email recipients and include user-provided content in confirmation emails...
PT-2024-39123 · Techexcel · Techexcel Back Office
Name of the Vulnerable Software and Affected Versions: TechExcel Back Office Software versions prior to 1.0.0 Description: This issue exists due to improper access controls on certain API endpoints, allowing an authenticated remote attacker to exploit the vulnerability by manipulating a parameter...
PT-2024-24606 · Tillitis · Tillitis Tkey Signer Device Application
Name of the Vulnerable Software and Affected Versions: Tillitis TKey signer device application versions prior to 1.0.0 Description: A vulnerability has been found in the Tillitis TKey signer device application, an ed25519 signing tool, which makes it possible to disclose portions of the TKey’s da...
PT-2023-32940
Name of the Vulnerable Software and Affected Versions: encoded id-rails versions before 1.0.0.beta2 Description: The issue is an uncontrolled resource consumption vulnerability. A remote and unauthenticated attacker might cause a denial of service condition by sending an HTTP request with an...
PT-2023-10209 · Sukohi · Sukohi Surpass
Name of the Vulnerable Software and Affected Versions: SUKOHI Surpass versions prior to 1.0.0 Description: A critical vulnerability has been found in SUKOHI Surpass, affecting unknown code in the file src/Sukohi/Surpass/Surpass.php. The manipulation of the argument dir leads to pathname traversal...
PT-2023-11353 · Unknown · Ldapcherry
Name of the Vulnerable Software and Affected Versions: kakwa LdapCherry versions up to 0.x Description: A problematic issue was found in the URL Handler component, leading to cross site scripting. The attack can be launched remotely, affecting an unknown function. Recommendations: For versions up...
PT-2023-10114 · Unknown · Soshtolsus Wing-Tight
Name of the Vulnerable Software and Affected Versions: soshtolsus wing-tight versions prior to 1.0.0 Description: A critical vulnerability was found in soshtolsus wing-tight, affecting an unknown part of the file index.php. The manipulation of the p argument leads to file inclusion, and it is...
PT-2022-8024 · Unknown · Rf Keynote
Name of the Vulnerable Software and Affected Versions: rf Keynote versions up to 0.x Description: A vulnerability was found in rf Keynote, affecting some unknown functionality of the file lib/keynote/rumble.rb. The manipulation of the argument value leads to cross-site scripting. The attack may b...