Lucene search

42 matches found

Snyk
added 2026/05/22 5:48 p.m., 9 views

Always-Incorrect Control Flow Implementation

Overview Flask-Security is a Simple security for Flask apps. Affected versions of this package are vulnerable to Always-Incorrect Control Flow Implementation in the OAuth reauthentication for stale sessions. An attacker can perform unauthorized account actions by completing OAuth verification wit...

7.6 CVSS, 5.8 AI score
Exploits: 0, References: 2
Snyk
added 2026/05/14 8:23 p.m., 6 views

Allocation of Resources Without Limits or Throttling

Overview devalue is a JSON.stringify, but handles cyclical references, repeated references, undefined, regular expressions, dates, Map and Set. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the parse function. An attacker can cause...

8.7 CVSS, 5.8 AI score
Exploits: 0, References: 2
Cvelist
added 2026/04/07 6:22 p.m., 12 views

CVE-2026-39349 OrangeHRM Uses AES-ECB for Sensitive Data Encryption Enables Pattern Disclosure

OrangeHRM is a comprehensive human resource management HRM system. From 5.0 to 5.8, OrangeHRM Open Source encrypts certain sensitive fields with AES in ECB mode, which preserves block-aligned plaintext patterns in ciphertext and enables pattern disclosure against stored data. This vulnerability i...

2.1 CVSS, 0.00016 EPSS
Exploits: 0, References: 1
Vulnrichment
added 2026/04/07 6:19 p.m., 1 view

CVE-2026-39346 OrangeHRM has Improper Access Control Allowing Access to Disabled Modules via URL Encoding

OrangeHRM is a comprehensive human resource management HRM system. From 5.0 to 5.8, OrangeHRM Open Source allowed authenticated users to bypass disabled-module access controls via URL-encoded request paths and access functionality of modules disabled by an administrator. This vulnerability is fix...

5.3 CVSS, 5.9 AI score, 0.00036 EPSS
Exploits: 0, References: 1
EUVD
added 2026/04/07 6:19 p.m., 1 view

EUVD-2026-19856

OrangeHRM is a comprehensive human resource management HRM system. From 5.0 to 5.8, OrangeHRM Open Source allowed authenticated users to bypass disabled-module access controls via URL-encoded request paths and access functionality of modules disabled by an administrator. This vulnerability is fix...

5.3 CVSS, 5.9 AI score, 0.00036 EPSS
Exploits: 0, References: 1
Cvelist
added 2026/04/07 6:19 p.m., 13 views

CVE-2026-39346 OrangeHRM has Improper Access Control Allowing Access to Disabled Modules via URL Encoding

OrangeHRM is a comprehensive human resource management HRM system. From 5.0 to 5.8, OrangeHRM Open Source allowed authenticated users to bypass disabled-module access controls via URL-encoded request paths and access functionality of modules disabled by an administrator. This vulnerability is fix...

5.3 CVSS, 0.00036 EPSS
Exploits: 0, References: 1
NVD
added 2026/04/05 1:16 a.m., 2 views

CVE-2026-5529

A vulnerability was detected in Dromara lamp-cloud up to 5.8.1. This vulnerability affects the function pageUser of the file /defUser/pageUser of the component DefUserController. Performing a manipulation results in improper authorization. The attack can be initiated remotely. The exploit is now...

5.3 CVSS, 0.00012 EPSS
Exploits: 0, References: 5
Positive Technologies
added 2026/04/05 12:00 a.m., 3 views

PT-2026-30389

A vulnerability was detected in Dromara lamp-cloud up to 5.8.1. This vulnerability affects the function pageUser of the file /defUser/pageUser of the component DefUserController. Performing a manipulation results in improper authorization. The attack can be initiated remotely. The exploit is now...

5.3 CVSS, 5.5 AI score, 0.00012 EPSS
Exploits: 0, References: 6
ATTACKERKB
added 2026/03/06 5:50 p.m., 5 views

CVE-2026-3419

Fastify incorrectly accepts malformed Content-Type headers containing trailing characters after the subtype token, in violation of RFC 9110 §8.3.1 (https://httpwg.org/specs/rfc9110.html#field.content-type). For example, a request sent with Content-Type: application/json garbage passes validation and ...

5.3 CVSS, 5.8 AI score, 0.00017 EPSS
Exploits: 0, References: 7, Affected Software: 1
Snyk
added 2026/03/05 9:29 p.m., 1 view

Incorrect Regular Expression

Overview fastify is an overhead web framework, for Node.js. Affected versions of this package are vulnerable to Incorrect Regular Expression in the Content-Type header validation. An attacker can cause the server to incorrectly process requests with malformed Content-Type headers by sending value...

6.9 CVSS, 5.8 AI score, 0.00017 EPSS
Exploits: 0, References: 2
RedhatCVE
added 2026/01/09 10:46 a.m., 7 views

CVE-2022-31781

Apache Tapestry up to version 5.8.1 is vulnerable to Regular Expression Denial of Service ReDoS in the way it handles Content Types. Specially crafted Content Types may cause catastrophic backtracking, taking exponential time to complete. Specifically, this is about the regular expression used on...

7.5 CVSS, 6.9 AI score, 0.00755 EPSS
Exploits: 0, References: 1
RedhatCVE
added 2026/01/09 9:00 a.m., 2 views

CVE-2023-50360

A SQL injection vulnerability has been reported to affect Video Station. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network. We have already fixed the vulnerability in the following version: Video Station 5.8.1 2024/02/26 and later...

8.8 CVSS, 7.9 AI score, 0.00374 EPSS
Exploits: 0, References: 1
EUVD
added 2025/10/07 12:30 a.m., 3 views

EUVD-2019-4507

Malware in sbrugna...

6.1 CVSS, 6.3 AI score, 0.00511 EPSS
Exploits: 0, References: 4
EUVD
added 2025/10/03 8:07 p.m., 1 view

EUVD-2025-5766

Malicious code in bioql PyPI...

9.8 CVSS, 6.6 AI score, 0.00163 EPSS
Exploits: 0, References: 3
Tenable Nessus
added 2025/08/26 12:00 a.m., 3 views

Linux Distros Unpatched Vulnerability : CVE-2021-45444

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In zsh before 5.8.1, an attacker can achieve code execution if they control a command output inside the prompt, as demonstrated by a %F argument. This occurs...

7.8 CVSS, 8 AI score, 0.00147 EPSS
Exploits: 0, References: 2
Tenable Nessus
added 2025/06/07 12:00 a.m., 0 views

Fedora 42 : xz (2025-7f00e5e744)

The remote Fedora 42 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2025-7f00e5e744 advisory. New upstream version 5.8.1 with a rebuild to try and fix a gating problem. ---- New upstream version 5.8.1 Tenable has extracted the preceding description...

5.6 AI score
Exploits: 0, References: 1
CNNVD
added 2025/06/06 12:00 a.m., 1 view

WordPress plugin Simple History Security Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A security vulnerability...

4.9 CVSS, 5 AI score, 0.00302 EPSS
Exploits: 0, References: 7
Snyk
added 2025/06/03 5:43 p.m., 2 views

Uncontrolled Search Path Element

Overview Affected versions of this package are vulnerable to Uncontrolled Search Path Element due to the shared %PROGRAMDATA% directory being searched for configuration files. An attacker can introduce unintended behavior and affect other users by creating malicious configuration files in the...

7.3 CVSS, 6.9 AI score, 0.00062 EPSS
Exploits: 0, References: 3
OSV
added 2025/04/03 3:00 p.m., 0 views

UBUNTU-CVE-2025-31115

XZ Utils provide a general-purpose data-compression library plus command-line tools. In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in liblzma has a bug where invalid input can at least result in a crash. The effects include heap use after free and writing to an address based on t...

8.7 CVSS, 7 AI score, 0.00041 EPSS
Exploits: 0, References: 3
Cvelist
added 2024/09/06 4:26 p.m., 11 views

CVE-2023-50360 Video Station

A SQL injection vulnerability has been reported to affect Video Station. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network. We have already fixed the vulnerability in the following version: Video Station 5.8.1 2024/02/26 and later...

8.8 CVSS, 0.00374 EPSS
Exploits: 0, References: 1