23 matches found
EUVD-2025-23412
Malicious code in bioql PyPI...
EUVD-2025-23404
Malicious code in bioql PyPI...
CVE-2025-54790
Files is a module for managing files inside spaces and user profiles. In versions 0.16.9 and below, Files does not have logic to prevent the exploitation of backend SQL queries without direct output, potentially allowing unauthorized data access. This is fixed in version 0.16.10...
CVE-2025-54789
Files is a module for managing files inside spaces and user profiles. In versions 0.16.9 and below, the File Move functionality does not contain logic that prevents injection of arbitrary JavaScript, which can lead to Browser JS code execution in the context of the user’s session. This is fixed i...
CVE-2025-54790 Files: Potential for SQL Injection through File Browse and List Operations
Files is a module for managing files inside spaces and user profiles. In versions 0.16.9 and below, Files does not have logic to prevent the exploitation of backend SQL queries without direct output, potentially allowing unauthorized data access. This is fixed in version 0.16.10...
CVE-2025-54789 Files is Vulnerable to Reflected Self-XSS through its File Move Functionality
Files is a module for managing files inside spaces and user profiles. In versions 0.16.9 and below, the File Move functionality does not contain logic that prevents injection of arbitrary JavaScript, which can lead to Browser JS code execution in the context of the user’s session. This is fixed i...
CVE-2024-35183
wolfictl is a command line tool for working with Wolfi. A git authentication issue in versions prior to 0.16.10 allows a local user’s GitHub token to be sent to remote servers other than github.com. Most git-dependent functionality in wolfictl relies on its own git package, which contains...
CVE-2024-35183
CVE-2024-35183 affects wolfictl (Wolfi) and involves a git authentication issue in versions before 0.16.10. The vulnerability arises from a GetGitAuth flow that reads a GitHub token from the GITHUB_TOKEN environment variable and uses it for HTTP basic auth with go-git, in cases where the remote r...
CVE-2024-35183 wolfictl leaks GitHub tokens to remote non-GitHub git servers
wolfictl is a command line tool for working with Wolfi. A git authentication issue in versions prior to 0.16.10 allows a local user’s GitHub token to be sent to remote servers other than github.com. Most git-dependent functionality in wolfictl relies on its own git package, which contains...
DEBIAN-CVE-2024-28244
KaTeX is a JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions could encounter malicious input using \def or \newcommand that causes a near-infinite loop, despite setting maxExpand to avoid such loops. KaTeX supports an option named...
DEBIAN-CVE-2024-28246
KaTeX is a JavaScript library for TeX math rendering on the web. Code that uses KaTeX's trust option, specifically that provides a function to blacklist certain URL protocols, can be fooled by URLs in malicious inputs that use uppercase characters in the protocol. In particular, this can allow fo...
DEBIAN-CVE-2024-28243
KaTeX is a JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions could encounter malicious input using \edef that causes a near-infinite loop, despite setting maxExpand to avoid such loops. This can be used as an availability attack, where...
UBUNTU-CVE-2024-28246
KaTeX is a JavaScript library for TeX math rendering on the web. Code that uses KaTeX's trust option, specifically that provides a function to blacklist certain URL protocols, can be fooled by URLs in malicious inputs that use uppercase characters in the protocol. In particular, this can allow fo...
UBUNTU-CVE-2024-28243
KaTeX is a JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions could encounter malicious input using \edef that causes a near-infinite loop, despite setting maxExpand to avoid such loops. This can be used as an availability attack, where...
UBUNTU-CVE-2024-28244
KaTeX is a JavaScript library for TeX math rendering on the web. KaTeX users who render untrusted mathematical expressions could encounter malicious input using \def or \newcommand that causes a near-infinite loop, despite setting maxExpand to avoid such loops. KaTeX supports an option named...
GHSA-F98W-7CXR-FF2H KaTeX's `\includegraphics` does not escape filename
Impact KaTeX users who render untrusted mathematical expressions could encounter malicious input using \includegraphics that runs arbitrary JavaScript, or generate invalid HTML. Patches Upgrade to KaTeX v0.16.10 to remove this vulnerability. Workarounds Avoid use of or turn off the trust option, ...
GHSA-CVR6-37GX-V8WC KaTeX's maxExpand bypassed by Unicode sub/superscripts
Impact KaTeX users who render untrusted mathematical expressions could encounter malicious input using \def or \newcommand that causes a near-infinite loop, despite setting maxExpand to avoid such loops. This can be used as an availability attack, where e.g. a client rendering another user's KaTe...
GHSA-64FM-8HW2-V72W KaTeX's maxExpand bypassed by `\edef`
Impact KaTeX users who render untrusted mathematical expressions could encounter malicious input using \edef that causes a near-infinite loop, despite setting maxExpand to avoid such loops. This can be used as an availability attack, where e.g. a client rendering another user's KaTeX input will b...
PT-2024-22360
Name of the Vulnerable Software and Affected Versions: KaTeX versions prior to 0.16.10 Description: KaTeX is a JavaScript library for TeX math rendering on the web. Users who render untrusted mathematical expressions could encounter malicious input using includegraphics that runs arbitrary...
KaTeX 安全漏洞
KaTeX is a fast, easy-to-use JavaScript library for TeX math rendering on the web. A security vulnerability existed prior to the KaTeX v0.16.10 release, which arose from the fact that KaTeX users rendering untrusted mathematical expressions could encounter a malicious input using def or ewcommand...