Lucene search
+L

149 matches found

Github Security Blog
Github Security Blog
added 2025/08/20 6:30 p.m.12 views

Spree Commerce is vulnerable to RCE through Search API

Spreecommerce versions prior to 0.50.x contain a remote command execution vulnerability in the API's search functionality. Improper input sanitation allows attackers to inject arbitrary shell commands via the searchinstanceeval parameter, which is dynamically invoked using Ruby’s send method. Thi...

9.8CVSS7.9AI score0.02464EPSS
Exploits1References11Affected Software2
Cvelist
Cvelist
added 2025/06/17 6:31 a.m.25 views

CVE-2025-6167 themanojdesai python-a2a api.py create_workflow path traversal

A vulnerability classified as critical has been found in themanojdesai python-a2a up to 0.5.5. Affected is the function createworkflow of the file pythona2a/agentflow/server/api.py. The manipulation leads to path traversal. Upgrading to version 0.5.6 is able to address this issue. It is recommend...

5.5CVSS0.00726EPSS
Exploits1References6
RedhatCVE
RedhatCVE
added 2025/06/08 1:18 p.m.6 views

CVE-2025-30989

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Renzo Tejada Libro de Reclamaciones y Quejas libro-de-reclamaciones-y-quejas allows SQL Injection.This issue affects Libro de Reclamaciones y Quejas: from n/a through = 0.9...

7.6CVSS5.9AI score0.00355EPSS
Exploits0References1
Cvelist
Cvelist
added 2025/05/30 7:43 p.m.31 views

CVE-2025-48882 PHPOffice Math allows XXE when processing an XML file in the MathML format

PHPOffice Math is a library that provides a set of classes to manipulate different formula file formats. Prior to version 0.3.0, loading XML data using the standard libxml extension and the LIBXMLDTDLOAD flag without additional filtration, leads to XXE. Version 0.3.0 fixes the vulnerability...

8.7CVSS0.00417EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2025/05/23 8:41 a.m.6 views

CVE-2024-46362

FrogCMS V0.9.5 was discovered to contain a Cross-Site Request Forgery CSRF vulnerability via /admin/?/plugin/filemanager/createdirectory...

8.8CVSS7.6AI score0.00304EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2025/05/23 8:20 a.m.14 views

CVE-2024-5170

The Logo Manager For Enamad WordPress plugin through 0.7.1 does not sanitise and escape in its widgets settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

5.7CVSS5.7AI score0.00315EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2025/05/22 10:45 p.m.9 views

CVE-2022-29188

Smokescreen is an HTTP proxy. The primary use case for Smokescreen is to prevent server-side request forgery SSRF attacks in which external attackers leverage the behavior of applications to connect to or scan internal infrastructure. Smokescreen also offers an option to deny access to additional...

6.5CVSS6.9AI score0.00811EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/05/22 7:58 p.m.6 views

CVE-2021-36434

SQL injection vulnerability in jocms 0.8 allows remote attackers to run arbitrary SQL commands and view sentivie information via jojsoncheck function in jocms/apps/mask/inc/getmask.php...

9.1CVSS8.1AI score0.00864EPSS
Exploits1
RedhatCVE
RedhatCVE
added 2025/05/22 8:34 a.m.9 views

CVE-2019-17493

Jiangnan Online Judge aka jnoj 0.8.0 has XSS via the Problemsampleinput parameter to web/admin/problem/create or web/polygon/problem/update...

6.1CVSS5.9AI score0.01068EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2025/05/22 8:22 a.m.5 views

CVE-2019-17489

Jiangnan Online Judge aka jnoj 0.8.0 has XSS via the Problemtitle parameter to web/polygon/problem/create or web/polygon/problem/update or web/admin/problem/create...

6.1CVSS5.9AI score0.01058EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2025/05/22 12:38 a.m.6 views

CVE-2011-3731

e107 0.7.24 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by e107plugins/pdf/e107pdf.php and certain other files...

5CVSS6.5AI score0.01335EPSS
Exploits1References1
OSV
OSV
added 2025/04/27 8:15 p.m.4 views

DEBIAN-CVE-2025-46688

quickjs-ng through 0.9.0 has an incorrect size calculation in JSReadBigInt for a BigInt, leading to a heap-based buffer overflow. QuickJS before 2025-04-26 is also affected...

8.4CVSS6.2AI score0.00271EPSS
Exploits1References1
CNNVD
CNNVD
added 2025/04/19 12:0 a.m.5 views

VSCode-Diana 安全漏洞

VSCode-Diana is a VSCode plugin that provides basic language support for DianaScript by the individual developer Taine Zhao. A security vulnerability exists in VSCode-Diana version 0.0.1, which stems from an injection issue in the Jinja2 template handling component in the file Gen.py...

5.3CVSS5.7AI score0.00201EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2025/04/17 3:16 p.m.7 views

CVE-2025-39437 WordPress Anthologize plugin <= 0.8.3 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery CSRF vulnerability in Boone Gorges Anthologize allows Cross Site Request Forgery. This issue affects Anthologize: from n/a through 0.8.3...

4.3CVSS6.9AI score0.00153EPSS
Exploits0References1
CNNVD
CNNVD
added 2025/04/16 12:0 a.m.6 views

whoogle-search 安全漏洞

whoogle-search is an application from the personal developer Ben Busby. Self-hosted, ad-free, privacy-respecting meta-search engine. A security vulnerability exists in whoogle-search version v0.9.0, which stems from the /models/config.py component that allows execution of arbitrary code via a...

7.3CVSS7.2AI score0.00502EPSS
Exploits1References3
Vulnrichment
Vulnrichment
added 2025/04/01 8:58 p.m.4 views

CVE-2025-31462 WordPress CGM Event Calendar <= 0.8.5 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in rzfarrell CGM Event Calendar allows Reflected XSS. This issue affects CGM Event Calendar: from n/a through 0.8.5...

7.1CVSS6.9AI score0.00363EPSS
Exploits0References1
CNNVD
CNNVD
added 2025/04/01 12:0 a.m.3 views

WordPress plugin Posten 跨站脚本漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A cross-site scripting...

6.5CVSS6.5AI score0.00331EPSS
Exploits0References2
OSV
OSV
added 2025/03/27 10:23 p.m.5 views

CVE-2025-2888 Improper timestamp caching during snapshot rollback in tough

During a snapshot rollback, the client incorrectly caches the timestamp metadata. If the client checks the cache when attempting to perform the next update, the update timestamp validation will fail, preventing the next update until the cache is cleared. Users should upgrade to tough version 0.20...

5.7CVSS6AI score0.00307EPSS
Exploits0References6
RedhatCVE
RedhatCVE
added 2025/03/22 12:26 p.m.10 views

CVE-2024-12215

In kedro-org/kedro version 0.19.8, the pullpackage API function allows users to download and extract micro packages from the Internet. However, the function projectwheelmetadata within the code path can execute the setup.py file inside the tar file, leading to remote code execution RCE by running...

8.8CVSS8.3AI score0.00986EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/03/22 12:9 p.m.8 views

CVE-2024-10831

In eosphoros-ai/db-gpt version 0.6.0, the endpoint for uploading files is vulnerable to absolute path traversal. This vulnerability allows an attacker to upload arbitrary files to arbitrary locations on the target server. The issue arises because the filekey and docfile.filename parameters are...

9.1CVSS7AI score0.00769EPSS
Exploits1References1
Rows per page
Query Builder