Lucene search

94 matches found

CVE
added 2025/12/05 6:07 a.m., 9 views

CVE-2025-12355

CVE-2025-12355 refers to the Payaza WordPress plugin. The vulnerability is a missing capability check on the AJAX endpoint wp_ajax_nopriv_update_order_status, allowing unauthenticated attackers to modify order statuses. Affected versions are all up to and including 0.3.8. The public reports descr...

CVSS 5.3, AI score 5, EPSS 0.00119
Exploits 0, References 2

EUVD
added 2025/12/05 6:07 a.m., 2 views

EUVD-2025-201357

The Payaza plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_nopriv_update_order_status' AJAX endpoint in all versions up to, and including, 0.3.8. This makes it possible for unauthenticated attackers to update order statuses...

CVSS 5.3, AI score 4.9, EPSS 0.00119
Exploits 0, References 3

Positive Technologies
added 2025/12/05 12:00 a.m., 2 views

PT-2025-49226

The Payaza plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_nopriv_update_order_status' AJAX endpoint in all versions up to, and including, 0.3.8. This makes it possible for unauthenticated attackers to update order statuses...

CVSS 5.3, AI score 5.4, EPSS 0.00119
Exploits 0, References 3

CNNVD
added 2025/10/06 12:00 a.m., 2 views

langchain-text-splitters code issue vulnerability

langchain-text-splitters is a Python package open-sourced by LangChain. A code issue vulnerability exists in langchain-text-splitters version 0.3.8, which stems from the HTMLSectionSplitter class allowing the use of arbitrary XSLT stylesheets, which could lead to an XML External Entity attack,...

CVSS 7.5, AI score 7.4, EPSS 0.00146
Exploits 0, References 2

EUVD
added 2025/10/03 8:07 p.m., 2 views

EUVD-2023-0272

Malicious code in bioql PyPI...

CVSS 7.5, AI score 7.5, EPSS 0.00213
Exploits 1, References 5

EUVD
added 2025/10/03 8:07 p.m., 0 views

EUVD-2023-0270

Malicious code in bioql PyPI...

CVSS 9.1, AI score 9, EPSS 0.00314
Exploits 1, References 5

EUVD
added 2025/10/03 8:07 p.m., 2 views

EUVD-2023-0271

Malicious code in bioql PyPI...

CVSS 7.5, AI score 7.5, EPSS 0.00468
Exploits 1, References 5

EUVD
added 2025/10/03 8:07 p.m., 1 view

EUVD-2025-6939

Malicious code in bioql PyPI...

CVSS 7.7, AI score 7.6, EPSS 0.00514
Exploits 1, References 3

EUVD
added 2025/10/03 8:07 p.m., 1 view

EUVD-2023-0269

Malicious code in bioql PyPI...

CVSS 7.5, AI score 7.5, EPSS 0.00249
Exploits 1, References 5

EUVD
added 2025/10/03 8:07 p.m., 1 view

EUVD-2025-6928

Malicious code in bioql PyPI...

CVSS 7.5, AI score 7.5, EPSS 0.00411
Exploits 1, References 4

EUVD
added 2025/10/03 8:07 p.m., 1 view

EUVD-2023-0276

Malicious code in bioql PyPI...

CVSS 7.5, AI score 7.5, EPSS 0.00336
Exploits 0, References 5

CNNVD
added 2025/07/31 12:00 a.m., 2 views

Viglet Shio CMS security vulnerability

Viglet Shio CMS is a content management system from Viglet Open Source. A security vulnerability exists in Viglet Shio CMS version 0.3.8 and earlier, which stems from the incorrect handling of the parameter fileName in the file...

CVSS 9.8, AI score 4.8, EPSS 0.00681
Exploits 1, References 5

RedhatCVE
added 2025/05/23 5:17 a.m., 1 view

CVE-2023-30837

Vyper is a Pythonic smart contract language for the EVM. The storage allocator does not guard against allocation overflows in versions prior to 0.3.8. An attacker can overwrite the owner variable. This issue was fixed in version 0.3.8...

CVSS 7.5, AI score 6.8, EPSS 0.00249
Exploits 1, References 1

RedhatCVE
added 2025/05/23 4:04 a.m., 3 views

CVE-2023-32058

Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Prior to version 0.3.8, due to a missing overflow check for loop variables, by assigning the iterator of a loop to a variable, it is possible to overflow the type of the latter. The issue seems to happen only in loops of...

CVSS 7.5, AI score 6.9, EPSS 0.00468
Exploits 1, References 1

RedhatCVE
added 2025/05/23 3:47 a.m., 3 views

CVE-2023-32059

Vyper is a Pythonic smart contract language for the Ethereum virtual machine. Prior to version 0.3.8, internal calls with default arguments are compiled incorrectly. Depending on the number of arguments provided in the call, the defaults are added not right-to-left, but left-to-right. If the type...

CVSS 7.5, AI score 6.6, EPSS 0.00213
Exploits 1, References 1

CVE
added 2025/05/12 4:04 p.m., 37 views

CVE-2025-47578

CVE-2025-47578 is a DOM-based XSS vulnerability in the WordPress plugin BNS Twitter Follow Button (versions up to and including 0.3.8). The issue arises from improper input neutralization during web page generation, enabling cross-site scripting. Affected software: BNS Twitter Follow Button

CVSS 6.5, AI score 7.2, EPSS 0.00143
Exploits 0, References 1

RedhatCVE
added 2025/03/22 1:19 p.m., 3 views

CVE-2024-7034

In open-webui version 0.3.8, the endpoint /models/upload is vulnerable to arbitrary file write due to improper handling of user-supplied filenames. The vulnerability arises from the usage of filepath = f"{UPLOAD_DIR}/{file.filename}" without proper input validation or sanitization. An attacker can...

CVSS 7.2, AI score 7.5, EPSS 0.06729
Exploits 1, References 1

RedhatCVE
added 2025/03/22 12:35 p.m., 4 views

CVE-2024-7990

A stored cross-site scripting (XSS) vulnerability exists in open-webui/open-webui version 0.3.8. The vulnerability is present in the /api/v1/models/add endpoint, where the model description field is improperly sanitized before being rendered in chat. This allows an attacker to inject malicious...

CVSS 8.4, AI score 5.8, EPSS 0.00293
Exploits 1, References 1

Github Security Blog
added 2025/03/20 12:32 p.m., 9 views

Open WebUI stored cross-site scripting (XSS) vulnerability

A stored cross-site scripting (XSS) vulnerability exists in open-webui/open-webui version 0.3.8. The vulnerability is present in the /api/v1/models/add endpoint, where the model description field is improperly sanitized before being rendered in chat. This allows an attacker to inject malicious...

CVSS 8.4, AI score 5.9, EPSS 0.00293
Exploits 1, References 3, Affected Software 1

OSV
added 2025/03/20 12:32 p.m., 2 views

GHSA-5V9M-57MQ-QC75: Open WebUI denial of service through endpoint for converting markdown

In version 0.3.8 of open-webui, an endpoint for converting markdown to HTML is exposed without authentication. A maliciously crafted markdown payload can cause the server to spend excessive time converting it, leading to a denial of service. The server becomes unresponsive to other requests until...

CVSS 7.5, AI score 6.9, EPSS 0.00411
Exploits 1, References 4