DEBIAN-CVE-2025-46688
quickjs-ng through 0.9.0 has an incorrect size calculation in JSReadBigInt for a BigInt, leading to a heap-based buffer overflow. QuickJS before 2025-04-26 is also affected...
VSCode-Diana Security Vulnerability
VSCode-Diana is a VSCode plugin that provides basic language support for DianaScript by the individual developer Taine Zhao. A security vulnerability exists in VSCode-Diana version 0.0.1, which stems from an injection issue in the Jinja2 template handling component in the file Gen.py...
CVE-2025-39437 WordPress Anthologize plugin <= 0.8.3 - Cross Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability in Boone Gorges Anthologize allows Cross Site Request Forgery. This issue affects Anthologize: from n/a through 0.8.3...
whoogle-search Security Vulnerability
whoogle-search is a self-hosted, ad-free, privacy-respecting metasearch engine from the individual developer Ben Busby. A security vulnerability exists in whoogle-search version v0.9.0, which stems from the /models/config.py component that allows execution of arbitrary code via a...
PT-2025-15748 · Unknown · More Mime Type Filters
Name of the Vulnerable Software and Affected Versions: More Mime Type Filters versions 0.3 and earlier Description: The issue is related to improper neutralization of input during web page generation, also known as 'Cross-site Scripting', which allows for Stored XSS attacks. Recommendations: For...
CVE-2025-3323
A vulnerability classified as critical was found in godcheese/code-projects Nimrod 0.8. Affected by this vulnerability is the function searchAllByName of the file ViewMenuCategoryRestController.java. The manipulation of the argument Name leads to sql injection. The attack can be launched remotely...
CVE-2025-31462 WordPress CGM Event Calendar <= 0.8.5 - Cross Site Scripting (XSS) Vulnerability
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in rzfarrell CGM Event Calendar allows Reflected XSS. This issue affects CGM Event Calendar: from n/a through 0.8.5...
WordPress plugin Posten Cross-Site Scripting Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A cross-site scripting...
WordPress So-Called Air Quotes plugin <= 0.1 - Unauthenticated Arbitrary Shortcode Execution vulnerability
Unauthenticated Arbitrary Shortcode Execution vulnerability discovered by Avraham Shemesh in WordPress Plugin So-Called Air Quotes versions = 0.1...
Malicious code in 0-8 (PyPI)
CVE-2025-2888
During a snapshot rollback, the client incorrectly caches the timestamp metadata. If the client checks the cache when attempting to perform the next update, the update timestamp validation will fail, preventing the next update until the cache is cleared. Users should upgrade to tough version 0.20...
CVE-2024-12215
In kedro-org/kedro version 0.19.8, the pullpackage API function allows users to download and extract micro packages from the Internet. However, the function projectwheelmetadata within the code path can execute the setup.py file inside the tar file, leading to remote code execution (RCE) by running...
CVE-2024-10831
In eosphoros-ai/db-gpt version 0.6.0, the endpoint for uploading files is vulnerable to absolute path traversal. This vulnerability allows an attacker to upload arbitrary files to arbitrary locations on the target server. The issue arises because the filekey and docfile.filename parameters are...
GHSA-GJ27-76GQ-5V3P Open WebUI stored cross-site scripting (XSS) vulnerability
A stored cross-site scripting (XSS) vulnerability exists in open-webui/open-webui version 0.3.8. The vulnerability is present in the /api/v1/models/add endpoint, where the model description field is improperly sanitized before being rendered in chat. This allows an attacker to inject malicious...
Open WebUI denial of service through endpoint for converting markdown
In version 0.3.8 of open-webui, an endpoint for converting markdown to HTML is exposed without authentication. A maliciously crafted markdown payload can cause the server to spend excessive time converting it, leading to a denial of service. The server becomes unresponsive to other requests until...
LlamaIndex SQL Injection Vulnerability
LlamaIndex is a data framework for LLM applications from LlamaIndex open source. A SQL injection vulnerability exists in LlamaIndex v0.12.3 and earlier versions, which stems from an unvalidated SQL query and could lead to a SQL injection attack...
feast Access Control Error Vulnerability
feast is an AI/ML open source function library from Feast Open Source. An access control error vulnerability exists in feast version 0.40.0, which stems from a misconfiguration of CORS and could lead to the disclosure of sensitive information...
SuperAGI Path Traversal Vulnerability
SuperAGI is an open source infrastructure application from SuperAGI Open Source. It is used to build components, tools, frameworks and models to implement open source AGI. A path traversal vulnerability exists in SuperAGI version 0.0.14, which stems from path traversal in the file upload...
dify Code Issue Vulnerability
dify is an open source LLM application development platform from LangGenius Open Source. A code issue vulnerability exists in version 0.10.1 of dify, which stems from an unvalidated URL and could lead to a server-side request forgery attack...
DB-GPT Security Vulnerability
DB-GPT is an AWEL and agent-based AI native data application development framework open-sourced by eosphoros. A security vulnerability exists in DB-GPT version 0.6.0, stemming from an arbitrary file write vulnerability in the RAG-knowledge endpoint, which allows an attacker to write a file to ...