149 matches found
Spree Commerce is vulnerable to RCE through Search API
Spreecommerce versions prior to 0.50.x contain a remote command execution vulnerability in the API's search functionality. Improper input sanitation allows attackers to inject arbitrary shell commands via the searchinstanceeval parameter, which is dynamically invoked using Ruby’s send method. Thi...
CVE-2025-6167 themanojdesai python-a2a api.py create_workflow path traversal
A vulnerability classified as critical has been found in themanojdesai python-a2a up to 0.5.5. Affected is the function createworkflow of the file pythona2a/agentflow/server/api.py. The manipulation leads to path traversal. Upgrading to version 0.5.6 is able to address this issue. It is recommend...
CVE-2025-30989
Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Renzo Tejada Libro de Reclamaciones y Quejas libro-de-reclamaciones-y-quejas allows SQL Injection.This issue affects Libro de Reclamaciones y Quejas: from n/a through = 0.9...
CVE-2025-48882 PHPOffice Math allows XXE when processing an XML file in the MathML format
PHPOffice Math is a library that provides a set of classes to manipulate different formula file formats. Prior to version 0.3.0, loading XML data using the standard libxml extension and the LIBXMLDTDLOAD flag without additional filtration, leads to XXE. Version 0.3.0 fixes the vulnerability...
CVE-2024-46362
FrogCMS V0.9.5 was discovered to contain a Cross-Site Request Forgery CSRF vulnerability via /admin/?/plugin/filemanager/createdirectory...
CVE-2024-5170
The Logo Manager For Enamad WordPress plugin through 0.7.1 does not sanitise and escape in its widgets settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
CVE-2022-29188
Smokescreen is an HTTP proxy. The primary use case for Smokescreen is to prevent server-side request forgery SSRF attacks in which external attackers leverage the behavior of applications to connect to or scan internal infrastructure. Smokescreen also offers an option to deny access to additional...
CVE-2021-36434
SQL injection vulnerability in jocms 0.8 allows remote attackers to run arbitrary SQL commands and view sentivie information via jojsoncheck function in jocms/apps/mask/inc/getmask.php...
CVE-2019-17493
Jiangnan Online Judge aka jnoj 0.8.0 has XSS via the Problemsampleinput parameter to web/admin/problem/create or web/polygon/problem/update...
CVE-2019-17489
Jiangnan Online Judge aka jnoj 0.8.0 has XSS via the Problemtitle parameter to web/polygon/problem/create or web/polygon/problem/update or web/admin/problem/create...
CVE-2011-3731
e107 0.7.24 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by e107plugins/pdf/e107pdf.php and certain other files...
DEBIAN-CVE-2025-46688
quickjs-ng through 0.9.0 has an incorrect size calculation in JSReadBigInt for a BigInt, leading to a heap-based buffer overflow. QuickJS before 2025-04-26 is also affected...
VSCode-Diana 安全漏洞
VSCode-Diana is a VSCode plugin that provides basic language support for DianaScript by the individual developer Taine Zhao. A security vulnerability exists in VSCode-Diana version 0.0.1, which stems from an injection issue in the Jinja2 template handling component in the file Gen.py...
CVE-2025-39437 WordPress Anthologize plugin <= 0.8.3 - Cross Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery CSRF vulnerability in Boone Gorges Anthologize allows Cross Site Request Forgery. This issue affects Anthologize: from n/a through 0.8.3...
whoogle-search 安全漏洞
whoogle-search is an application from the personal developer Ben Busby. Self-hosted, ad-free, privacy-respecting meta-search engine. A security vulnerability exists in whoogle-search version v0.9.0, which stems from the /models/config.py component that allows execution of arbitrary code via a...
CVE-2025-31462 WordPress CGM Event Calendar <= 0.8.5 - Cross Site Scripting (XSS) Vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in rzfarrell CGM Event Calendar allows Reflected XSS. This issue affects CGM Event Calendar: from n/a through 0.8.5...
WordPress plugin Posten 跨站脚本漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A cross-site scripting...
CVE-2025-2888 Improper timestamp caching during snapshot rollback in tough
During a snapshot rollback, the client incorrectly caches the timestamp metadata. If the client checks the cache when attempting to perform the next update, the update timestamp validation will fail, preventing the next update until the cache is cleared. Users should upgrade to tough version 0.20...
CVE-2024-12215
In kedro-org/kedro version 0.19.8, the pullpackage API function allows users to download and extract micro packages from the Internet. However, the function projectwheelmetadata within the code path can execute the setup.py file inside the tar file, leading to remote code execution RCE by running...
CVE-2024-10831
In eosphoros-ai/db-gpt version 0.6.0, the endpoint for uploading files is vulnerable to absolute path traversal. This vulnerability allows an attacker to upload arbitrary files to arbitrary locations on the target server. The issue arises because the filekey and docfile.filename parameters are...