28 matches found
CVE-2026-61502
CVE-2026-61502 affects Rejetto HFS versions 3.0.0 through 3.2.0. The root cause is that state-changing API requests can be issued via GET and are exempt from the anti-CSRF header check, enabling a remote attacker to perform administrative actions (e.g., account creation, configuration changes) an...
view_component 安全漏洞
viewcomponent is an open-source framework developed by ViewComponent, designed for building reusable and testable view components. There are security vulnerabilities in the viewcomponent version 3.0.0 to 4.9.0. These vulnerabilities arise from the system’s testing entry point using File.realpath ...
Astra Linux – Vulnerability in node-brace-expansion
A vulnerability was discovered in the juliangruber brace-expansion library, up to versions 1.1.11/2.0.1/3.0.0/4.0.0. This issue has been identified as problematic. The affected function is the “expand” function of the file index.js. Manipulation of this function leads to inefficient use of regula...
SUSE CVE-2026-44699
LibJWT is a C JSON Web Token Library. From 3.0.0 to 3.3.2, libjwt accepts an RSA JWK that does not contain an alg parameter as the verification key for an HS256/HS384/HS512 token. In the OpenSSL backend, this causes HMAC verification to run with a zero-length key, so an attacker can forge a valid...
CVE-2026-41645
CVE-2026-41645 affects Nuclei up to version 3.8.0, where the expression evaluation engine can be tricked by HTTP response-derived DSL expressions reused in multi-step templates. If -env-vars (-ev) is explicitly enabled, response data containing DSL expressions can expose host environment variable...
EUVD-2026-18423
Rack: Forwarded Header semicolon injection enables Host and Scheme spoofing...
acpx-teams (=0.1.0), arifos (>=2026.2.22 <=2026.4.16) +58 more potentially affected by CVE-2026-27124 via fastmcp (>=3.0.0 <=3.1.1)
fastmcp PYPI version =3.0.0, =2026.2.22, =2026.3.13, =1.0.0, =0.56.0, =0.1.0, =0.3.2, =0.2.0, =0.3.0, =1.1.0, =0.0.1, =0.1.0, =0.5.12b18, =0.5.12b19 - efn-mcp =0.1.0 and more Source cves: CVE-2026-27124 Source advisory: SNYK:PYTHON-FASTMCP-15871030...
PT-2026-29125
Name of the Vulnerable Software and Affected Versions Botan versions 3.0.0 through 3.10.9 Description Botan is a C++ cryptography library. During X509 path validation, versions prior to 3.11.0 did not verify the signature of Online Certificate Status Protocol OCSP responses, only checking for an...
airflow-balancer (>=0.7.0 <=0.7.6), airflow-clickhouse-plug (=1.6.2) +39 more potentially affected by CVE-2026-28779 via apache-airflow-core (>=3.0.0 <=3.1.8)
apache-airflow-core PYPI version =3.0.0, =0.7.0, =1.5.0, =0.6.1, =1.10.7, =0.6.0, =0.1.0, =1.4.3, =0.2.0, =1.2.10, =0.1.1, =3.0.0, =1.6.0, =1.5.3, =1.25.0, =1.28.0rc1 and more Source cves: CVE-2026-28779 Source advisory: SNYK:PYTHON-APACHEAIRFLOWCORE-15674486...
com.github.psi-probe:psi-probe-tomcat10 (>=5.0.0 <=5.3.0), com.github.psi-probe:psi-probe-tomcat11 (>=5.0.0 <=5.3.0) +5 more potentially affected by CVE-2026-3270 via com.github.psi-probe:psi-probe-core (>=3.0.0 <=5.3.0)
com.github.psi-probe:psi-probe-core MAVEN version =3.0.0, =5.0.0, =5.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =5.3.0 Source cves: CVE-2026-3270 Source advisory: SNYK:JAVA-COMGITHUBPSIPROBE-15369739...
CVE-2026-25891
Fiber is an Express inspired web framework written in Go. A Path Traversal CWE-22 vulnerability in Fiber allows a remote attacker to bypass the static middleware sanitizer and read arbitrary files on the server file system on Windows. This affects Fiber v3 through version 3.0.0. This has been...
Duplicate Advisory: Google Keras Allocates Resources Without Limits or Throttling in the HDF5 weight loading component
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-mgx6-5cf9-rr43. This link is maintained to preserve external references. Original Description Allocation of Resources Without Limits or Throttling in the HDF5 weight loading component in Google Keras 3.0.0 throu...
CVE-2025-67644
LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB both sync and async, via aiosqlite. Versions 3.0.0 and below are vulnerable to SQL injection through the checkpoint implementation. Checkpoint allows attackers to manipulate SQL queries through...
CVE-2025-67644 LangGraph SQLite Checkpoint is vulnerable to SQL Injection via metadata filter key in checkpointer list method
LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB both sync and async, via aiosqlite. Versions 3.0.0 and below are vulnerable to SQL injection through the checkpoint implementation. Checkpoint allows attackers to manipulate SQL queries through...
PT-2025-42765
Name of the Vulnerable Software and Affected Versions Apache Syncope versions 3.0.0 through 3.0.13 Apache Syncope versions 4.0.0 through 4.0.1 Description Apache Syncope allows a malicious administrator to inject Groovy code that can be executed remotely by a running Apache Syncope Core instance...
@hpcc-js/esbuild-plugins (>=1.4.2 <=1.4.9), @yangzw/bruce-app (>=1.3.7 <=1.3.8) +1 more potentially affected by CVE-2025-57753 via vite-plugin-static-copy (>=3.0.0 <=3.1.1)
vite-plugin-static-copy NPM version =3.0.0, =1.4.2, =1.3.7, =1.3.8 - auto-reveal =0.7.0 Source cves: CVE-2025-57753 Source advisory: OSV:GHSA-PP7P-Q8FX-2968...
cn.acyou:leo-gateway (>=1.0.0.RELEASE <=1.1.1.RELEASE), cn.bctools:jvs-gateway (=1.1.0) +59 more potentially affected by CVE-2025-41235 via org.springframework.cloud:spring-cloud-gateway-server (>=3.0.0 <=3.1.1)
org.springframework.cloud:spring-cloud-gateway-server MAVEN version =3.0.0, =1.0.0.RELEASE, =8.1.0.286, =8.1.0.286, =2.0.1, =1.1.93, =1.0.0.Beta9, =1.1.0, =0.3.3, =1.1.1, =1.0.1, =1.0.4, =1.0.5 and more Source cves: CVE-2025-41235 Source advisory: SNYK:JAVA-ORGSPRINGFRAMEWORKCLOUD-10265481...
Nuxt 安全漏洞
Nuxt is a free open source framework from Nuxt Open Source. A security vulnerability exists in Nuxt version 3.0.0 through versions prior to 3.15.3, which stems from a potential source code theft during development if a victim opens a malicious website...
a-api-server (=1.3.0), aau-ais-dipaal (>=0.1.22 <=0.1.29) +2287 more potentially affected by CVE-2024-56201 via jinja2 (>=3.0.0 <=3.1.4)
jinja2 PYPI version =3.0.0, =0.1.22, =1.0.2, =0.0.2, =0.0.1, =0.0.1, =1.0.0, =1.3.0, =1.5.2, =1.5.6 and more Source cves: CVE-2024-56201 Source advisory: OSV:GHSA-GMJ6-6F8F-6699...
CVE-2024-1763
The Wp Social Login and Register Social Counter plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the /wpsocial/v1/ REST API endpoint in all versions up to, and including, 3.0.0. This makes it possible for unauthenticated attackers to...