Lucene search
K

149 matches found

Github Security Blog
Github Security Blog
added 2025/03/20 12:32 p.m.12 views

Open WebUI denial of service through endpoint for converting markdown

In version 0.3.8 of open-webui, an endpoint for converting markdown to HTML is exposed without authentication. A maliciously crafted markdown payload can cause the server to spend excessive time converting it, leading to a denial of service. The server becomes unresponsive to other requests until...

7.5CVSS6.6AI score0.00811EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2025/03/20 12:32 p.m.8 views

GHSA-GJ27-76GQ-5V3P Open WebUI stored cross-site scripting (XSS) vulnerability

A stored cross-site scripting XSS vulnerability exists in open-webui/open-webui version 0.3.8. The vulnerability is present in the /api/v1/models/add endpoint, where the model description field is improperly sanitized before being rendered in chat. This allows an attacker to inject malicious...

8.4CVSS6.1AI score0.00897EPSS
Exploits1References3
NVD
NVD
added 2025/03/03 5:15 p.m.9 views

CVE-2024-53388

A DOM Clobbering vulnerability in mavo v0.3.2 allows attackers to execute arbitrary code via supplying a crafted HTML element...

8.8CVSS0.00571EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2025/02/05 6:25 a.m.18 views

CVE-2024-5827

Vanna v0.3.4 is vulnerable to SQL injection in its DuckDB integration exposed to its Flask Web APIs. Attackers can inject malicious SQL training data and generate corresponding queries to write arbitrary files on the victim's file system, such as backdoor.php with contents . This can lead to...

9.8CVSS8.1AI score0.03452EPSS
Exploits0References1
CNNVD
CNNVD
added 2025/02/04 12:0 a.m.2 views

WordPress plugin JustRows free 安全漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A security vulnerability...

7.1CVSS7.6AI score0.00556EPSS
Exploits1References1
CNNVD
CNNVD
added 2025/02/04 12:0 a.m.6 views

WordPress plugin iBuildApp 安全漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A security...

6.1CVSS7.7AI score0.00567EPSS
Exploits1References1
PyPA
PyPA
added 2025/01/27 6:15 p.m.9 views

PYSEC-2025-58

vLLM is a library for LLM inference and serving. vllm/modelexecutor/weightutils.py implements hfmodelweightsiterator to load the model checkpoint, which is downloaded from huggingface. It uses the torch.load function and the weightsonly parameter defaults to False. When torch.load loads malicious...

8.8CVSS7.8AI score0.00694EPSS
Exploits0References5Affected Software1
CNNVD
CNNVD
added 2025/01/22 12:0 a.m.3 views

WordPress plugin Flexible Blogtitle 跨站脚本漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A cross-site scripting...

7.1CVSS7.8AI score0.00289EPSS
Exploits0References2
OSV
OSV
added 2024/12/27 12:0 a.m.5 views

CVE-2024-39025

Incorrect access control in the /users endpoint of Cpacker MemGPT v0.3.17 allows attackers to access sensitive data...

7.5CVSS7AI score0.00392EPSS
Exploits0References4
CNNVD
CNNVD
added 2024/11/19 12:0 a.m.4 views

WordPress plugin Amazon Associate Filter 跨站请求伪造漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A cross-site request forger...

7.1CVSS6.5AI score0.00206EPSS
Exploits0References1
OSV
OSV
added 2024/11/15 10:15 a.m.3 views

CVE-2024-10311

The External Database Based Actions plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 0.1. This is due to a missing capability check in the 'edbaadminhandle' function. This makes it possible for authenticated attackers, with subscriber-level permissions...

8.8CVSS5.8AI score0.00433EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2024/11/14 12:0 a.m.11 views

PT-2024-35215 · Labs64 · Digipass

Name of the Vulnerable Software and Affected Versions: DigiPass versions 0.3.0 and earlier Description: The issue is related to an Improper Limitation of a Pathname to a Restricted Directory, also known as 'Path Traversal'. This allows Absolute Path Traversal in Labs64 DigiPass. Recommendations:...

7.5CVSS9.3AI score0.0055EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2024/09/18 12:0 a.m.4 views

PT-2024-20172

Name of the Vulnerable Software and Affected Versions libfluid version 0.1.0 Description The issue is related to an Unchecked Return Value to NULL Pointer Dereference vulnerability in the Open Networking Foundation ONF libfluid, specifically in the libfluid msg module. This vulnerability is...

7.5CVSS6.4AI score0.00546EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2024/09/18 12:0 a.m.4 views

PT-2024-23827 · Open Networking Foundation · Libfluid

Name of the Vulnerable Software and Affected Versions: libfluid version 0.1.0 Description: The issue is related to an Unchecked Return Value to NULL Pointer Dereference vulnerability in the libfluid msg module of the Open Networking Foundation ONF libfluid. This vulnerability is associated with t...

7.5CVSS6.8AI score0.00443EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2024/06/28 12:0 a.m.4 views

PT-2024-28049 · Hush Line · Hush Line

Name of the Vulnerable Software and Affected Versions: Hush Line versions prior to 0.1.0 Description: Hush Line is a free and open-source, anonymous-tip-line-as-a-service for organizations or individuals. There is a stored XSS in the Inbox. The input is displayed using the safe Jinja2 attribute,...

8.8CVSS6.2AI score0.00425EPSS
Exploits1References6
OSV
OSV
added 2024/06/04 12:31 p.m.18 views

GHSA-WF7F-8FXF-XFXC MLFlow unsafe deserialization

Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.5.0 or newer, enabling a maliciously uploaded PyTorch model to run arbitrary code on an end user’s system when interacted with...

8.8CVSS7.4AI score0.00618EPSS
Exploits1References3
CNNVD
CNNVD
added 2024/05/06 12:0 a.m.3 views

wasm3 安全漏洞

wasm3 is the fastest WebAssembly interpreter, as well as the most versatile runtime. A security vulnerability exists in version v0.5.0 of wasm3, which originates from a segmentation error via the function PreserveRegisterIfOccupied in wasm3/source/m3compile.c. The vulnerability is caused by the...

7.5CVSS6.8AI score0.00627EPSS
Exploits1References2
VulnCheck KEV
VulnCheck KEV
added 2024/03/04 12:0 a.m.6 views

VulnCheck KEV: CVE-2021-32849

Gerapy is a distributed crawler management framework. Prior to version 0.9.9, an authenticated user could execute arbitrary commands. This issue is fixed in version 0.9.9. There are no known workarounds...

9CVSS7.5AI score0.0765EPSS
Exploits1References1
OSSF Malicious Packages
OSSF Malicious Packages
added 2024/02/15 7:12 a.m.6 views

Malicious code in rb-web-popup (npm)

--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis 04b85d0e4dc2479fa94e653c94a102e902b4154168a9797a2677ef30c1af062e The OpenSSF Package Analysis project identified 'rb-web-popup' @ 0.1.0 npm as malicious. It is considered malicious because: - The package...

6.9AI score
Exploits0
CNNVD
CNNVD
added 2024/01/22 12:0 a.m.4 views

MetaGPT Security Vulnerabilities

MetaGPT is a multi-agent framework from MetaGPT, Inc. A security vulnerability exists in MetaGPT version 0.6.4 and prior versions, which stems from a vulnerability that allows a malicious attacker to execute arbitrary code...

8.8CVSS7.3AI score0.0096EPSS
Exploits1References2
Rows per page
Query Builder