26 matches found
Guardrails AI contains a code injection vulnerability in its Hub package installation mechanism
Guardrails AI through 0.6.7 contains a code injection vulnerability (CWE-94) in its Hub package installation mechanism. When installing validator packages via guardrails hub install, the system retrieves a manifest from the Guardrails Hub and dynamically executes a script specified in the postinstall...
ThinkDashboard Cross-Site Scripting Vulnerability
ThinkDashboard is a lightweight, self-hosted bookmarking dashboard. A cross-site scripting vulnerability exists in ThinkDashboard version 0.6.7 and earlier, which stems from a lack of schema filtering and can be exploited by an attacker to cause a stored cross-site scripting attack...
CVE-2025-64177
ThinkDashboard is a self-hosted bookmark dashboard built with Go and vanilla JavaScript. In versions 0.6.7 and below, there is a stored Cross-Site Scripting (XSS) vulnerability in the dashboard, which can be exploited when a user clicks on a malicious bookmark, made vulnerable by the lack of scheme...
CVE-2025-64177 ThinkDashboard: Stored XSS in Dashboard via Malicious Bookmark
ThinkDashboard is a self-hosted bookmark dashboard built with Go and vanilla JavaScript. In versions 0.6.7 and below, there is a stored Cross-Site Scripting (XSS) vulnerability in the dashboard, which can be exploited when a user clicks on a malicious bookmark, made vulnerable by the lack of scheme...
EUVD-2025-38184
ThinkDashboard is a self-hosted bookmark dashboard built with Go and vanilla JavaScript. In versions 0.6.7 and below, there is a stored Cross-Site Scripting (XSS) vulnerability in the dashboard, which can be exploited when a user clicks on a malicious bookmark, made vulnerable by the lack of scheme...
CVE-2025-64327
ThinkDashboard is a self-hosted bookmark dashboard built with Go and vanilla JavaScript. Versions 0.6.7 and below contain a Blind Server-Side Request Forgery (SSRF) vulnerability in its /api/ping?url= endpoint. This allows an attacker to make arbitrary requests to internal or external hosts. This...
CVE-2025-64176 ThinkDashboard: Arbitrary File Upload vulnerability in the Backup Import Feature
ThinkDashboard is a self-hosted bookmark dashboard built with Go and vanilla JavaScript. In versions 0.6.7 and below, an attacker can upload any file they wish to the /data directory of the web application via the backup import feature. When importing a backup, an attacker can first choose a .zip...
CVE-2025-64327 ThinkDashboard: Blind Server-Side Request Forgery (SSRF) vulnerability in /api/ping Endpoint
ThinkDashboard is a self-hosted bookmark dashboard built with Go and vanilla JavaScript. Versions 0.6.7 and below contain a Blind Server-Side Request Forgery (SSRF) vulnerability in its /api/ping?url= endpoint. This allows an attacker to make arbitrary requests to internal or external hosts. This...
CVE-2025-64327
CVE-2025-64327 affects ThinkDashboard (Go + JavaScript) and is caused by a blind SSRF in the /api/ping?url= endpoint in versions 0.6.7 and earlier. An attacker can cause the application to perform arbitrary requests to internal or external hosts, potentially revealing local network topology and o...
ThinkDashboard Security Vulnerability
ThinkDashboard is a lightweight, self-hosted bookmarking dashboard by the individual developer MatiasDesu. A security vulnerability exists in ThinkDashboard version 0.6.7 and earlier, which stems from a server-side request forgery vulnerability in the /api/ping?url= endpoint that could lead an...
ThinkDashboard Code Issue Vulnerability
ThinkDashboard is a lightweight, self-hosted bookmarking dashboard by the individual developer MatiasDesu. A code issue vulnerability exists in ThinkDashboard version 0.6.7 and earlier, which stems from the backup import feature not properly validating file types, which could lead to a stored...
PT-2025-45380
Name of the Vulnerable Software and Affected Versions: ThinkDashboard versions 0.6.7 and below. Description: ThinkDashboard, a self-hosted bookmark dashboard built with Go and vanilla JavaScript, contains a Blind Server-Side Request Forgery (SSRF) issue. The vulnerability exists in the /api/ping?url=...
PT-2025-45378
Name of the Vulnerable Software and Affected Versions: ThinkDashboard versions 0.6.7 and below. Description: ThinkDashboard, a self-hosted bookmark dashboard built with Go and vanilla JavaScript, has an issue where an attacker can upload arbitrary files to the '/data' directory of the web applicatio...
SUSE CVE-2025-51471
Cross-Domain Token Exposure in server.auth.getAuthorizationToken in Ollama 0.6.7 allows remote attackers to steal authentication tokens and bypass access controls via a malicious realm value in a WWW-Authenticate header returned by the /api/pull endpoint...
PYSEC-2025-147
Cross-Domain Token Exposure in server.auth.getAuthorizationToken in Ollama 0.6.7 allows remote attackers to steal authentication tokens and bypass access controls via a malicious realm value in a WWW-Authenticate header returned by the /api/pull endpoint...
Ollama Security Vulnerability
Ollama is an open-source large language model runner that can be started and run locally. A security vulnerability exists in Ollama version 0.6.7, which stems from a cross-domain token exposure vulnerability in server.auth.getAuthorizationToken that could lead to bypassing access control...