LDAP Injection

Overview lemur is a Certificate management and orchestration service Affected versions of this package are vulnerable to LDAP Injection via unsanitized input in the username field during the authentication process. An attacker can escalate privileges and gain unauthorized access to sensitive...

Security Bulletin: upload filename directly from the multipart Content-Disposition header without sanitization

Summary Langflow OSS 1.2.0 - 1.8.4 are affected by a critical arbitrary file write vulnerability in the files endpoint due to improper handling of uploaded filenames. The application extracts the filename directly from the multipart Content-Disposition header without sanitization and uses unsafe...

Security Bulletin: Monitor API allows cross-user read of transaction logs and deletion of build data via flow_id

Summary Langflow OSS is affected by an insecure direct object reference vulnerability in its Monitor API due to missing authorization checks. Although these endpoints require authentication, they fail to verify ownership of the provided flowid, allowing any authenticated user to access or...

Security Bulletin: Langflow OSS Authenticated Remote Code Execution (RCE) vulnerability exists in the validate_code function

Summary Langflow OSS contains a critical vulnerability in code validate endpoint due to unsafe use of Python's exec function within the validatecode routine. While the feature is intended to validate user-supplied function definitions, it fails to account for Python decorators, which are executed...

CVE-2025-52435

J2EE Misconfiguration: Data Transmission Without Encryption vulnerability in Apache NimBLE. Improper handling of Pause Encryption procedure on Link Layer results in a previously encrypted connection being left in un-encrypted state allowing an eavesdropper to observe the remainder of the exchange...

CVE-2025-62235

Authentication Bypass by Spoofing vulnerability in Apache NimBLE. Receiving specially crafted Security Request could lead to removal of original bond and re-bond with impostor. This issue affects Apache NimBLE: through 1.8.0. Users are recommended to upgrade to version 1.9.0, which fixes the issu...

CVE-2025-52435

J2EE Misconfiguration: Data Transmission Without Encryption vulnerability in Apache NimBLE. Improper handling of Pause Encryption procedure on Link Layer results in a previously encrypted connection being left in un-encrypted state allowing an eavesdropper to observe the remainder of the exchange...

CVE-2025-52435

J2EE Misconfiguration: Data Transmission Without Encryption vulnerability in Apache NimBLE. Improper handling of Pause Encryption procedure on Link Layer results in a previously encrypted connection being left in un-encrypted state allowing an eavesdropper to observe the remainder of the exchange...

CVE-2025-52435

CVE-2025-52435 affects Apache NimBLE (Mynewt NimBLE) up to version 1.8.0. The issue is caused by improper handling of the Pause Encryption procedure on the Link Layer, which can leave a previously encrypted connection in an unencrypted state and allow an eavesdropper to observe the remainder of t...

EUVD-2026-1854

J2EE Misconfiguration: Data Transmission Without Encryption vulnerability in Apache NimBLE. Improper handling of Pause Encryption procedure on Link Layer results in a previously encrypted connection being left in un-encrypted state allowing an eavesdropper to observe the remainder of the exchange...

CVE-2025-53477 Apache Mynewt NimBLE: NULL Pointer Dereference in NimBLE host HCI layer

NULL Pointer Dereference vulnerability in Apache Nimble. Missing validation of HCI connection complete or HCI command TX buffer could lead to NULL pointer dereference. This issue requires disabled asserts and broken or bogus Bluetooth controller and thus severity is considered low. This issue...

CVE-2025-53477

CVE-2025-53477 is a NULL pointer dereference vulnerability in Apache NimBLE (NimBLE host HCI layer). The issue stems from missing validation of HCI connection complete or HCI command TX buffers, which can lead to a NULL pointer dereference when combined with disabled asserts and a malfunctioning ...

PT-2026-1816

Name of the Vulnerable Software and Affected Versions Apache NimBLE versions through 1.8.0 Description A flaw exists in Apache NimBLE where missing validation of an HCI connection complete or HCI command TX buffer can result in a NULL pointer dereference. This issue requires disabled asserts and ...

CVE-2023-43668

Authorization Bypass Through User-Controlled Key vulnerability in Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.8.0, some sensitive params checks will be bypassed, like "autoDeserizalize","allowLoadLocalInfile".... . Users are advised to upgrade to Apache InLong's 1.9.0 or...

PT-2026-1837

Name of the Vulnerable Software and Affected Versions Apache NimBLE versions through 1.8.0 Description A flaw exists in Apache NimBLE that allows authentication bypass through spoofing. Receiving a specially crafted Security Request can result in the removal of the original bond and re-bonding wi...

PT-2024-19928 · Apache · Apache Fineract

Name of the Vulnerable Software and Affected Versions: Apache Fineract versions prior to 1.8.5 Description: The issue is related to an SQL Injection vulnerability due to improper neutralization of special elements used in an SQL command. This allows for potential exploitation. Users are advised t...

CVE-2023-43666

Insufficient Verification of Data Authenticity vulnerability in Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.8.0, General user can view all user data like Admin account. Users are advised to upgrade to Apache InLong's 1.9.0 or cherry-pick 1 to solve it. 1 ...

CVE-2023-43667

Improper Neutralization of Special Elements in Output Used by a Downstream Component 'Injection' vulnerability in Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.8.0, the attacker can create misleading or false log records, making it harder to audit and trace malicious...

PT-2022-24448 · Archery · Archery

Name of the Vulnerable Software and Affected Versions: Archery versions 1.4.0 through 1.8.5 Description: The issue is related to a SQL injection vulnerability. It occurs via the ThreadIDs parameter in the "kill session" interface. Recommendations: For versions 1.4.0 through 1.8.5, upgrade to...

PT-2020-6926 · Jquery +5 · Jquery +5

Name of the Vulnerable Software and Affected Versions: jquery versions prior to 1.9.0 Description: The issue allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove HTML tags that contain a whitespace character, i.e: , which results in the enclosed...