
Cvelist, added 2025/01/16 7:12 p.m., 7 views

CVE-2024-52791 Denial of service through memory exhaustion in Matrix Media Repo

Matrix Media Repo (MMR) is a highly configurable multi-homeserver media repository for Matrix. MMR makes requests to other servers as part of normal operation, and these resource owners can return large amounts of JSON back to MMR for parsing. In parsing, MMR can consume large amounts of memory and...

CVSS 5.3, EPSS 0.00728
Exploits 0, References 2
Vulnrichment, added 2025/01/16 7:12 p.m., 3 views

CVE-2024-52791 Denial of service through memory exhaustion in Matrix Media Repo

Matrix Media Repo (MMR) is a highly configurable multi-homeserver media repository for Matrix. MMR makes requests to other servers as part of normal operation, and these resource owners can return large amounts of JSON back to MMR for parsing. In parsing, MMR can consume large amounts of memory and...

CVSS 5.3, AI score 5.6, EPSS 0.00728
Exploits 0, References 2
Cvelist, added 2025/01/16 6:57 p.m., 14 views

CVE-2024-52594 Server-Side Request Forgery (SSRF) on redirects and federation in gomatrixserverlib

Gomatrixserverlib is a Go library for matrix federation. Gomatrixserverlib is vulnerable to server-side request forgery, serving content from a private network it can access, under certain conditions. The commit c4f1e01 fixes this issue. Users are advised to upgrade. Users unable to upgrade shoul...

CVSS 4.3, EPSS 0.00332
Exploits 0, References 2
CVE, added 2025/01/15 5:35 p.m., 3548 views

CVE-2024-52005

CVE-2024-52005 affects Git via ANSI escape sequence injections in the sideband channel. A PoC demonstrates exploitation; affected versions include pre-2.48.1, 2.47.3, 2.46.5, 2.45.4, and 2.44.3. Impacts include hiding/misrepresenting output, fake security prompts, social-engineering payloads, and...

CVSS 8.8, AI score 6.8, EPSS 0.00477
Exploits 1, References 2, Affected Software 1
Cvelist, added 2025/01/15 5:35 p.m., 25 views

CVE-2024-52005 The sideband payload is passed unfiltered to the terminal in git

Git is a source code management tool. When cloning from a server or fetching, or pushing, informational or error messages are transported from the remote Git process to the client via the so-called "sideband channel". These messages will be prefixed with "remote:" and printed directly to the...

CVSS 7.5, EPSS 0.00477
Exploits 1, References 2
OSV, added 2025/01/14 10:42 p.m., 9 views

CVE-2024-47605 Cross-site Scripting via insert media remote file oembed in silverstripe-asset-admin

silverstripe-asset-admin is a silverstripe assets gallery for asset management. When using the "insert media" functionality, the linked oEmbed JSON includes an HTML attribute which will replace the embed shortcode. The HTML is not sanitized before replacing the shortcode, allowing a script payloa...

CVSS 5.4, AI score 6.4, EPSS 0.01108
Exploits 2, References 5
Vulnrichment, added 2025/01/14 10:39 p.m., 4 views

CVE-2024-54142 Cross-site Scripting via Discourse-ai SharedAiConversation onebox in Discourse

Discourse AI is a Discourse plugin which provides a number of AI features. When sharing Discourse AI Bot conversations into posts, if the conversation had HTML entities those could leak into the Discourse application when a user visited a post with a onebox to said conversation. This issue has be...

CVSS 9, AI score 8.8, EPSS 0.00406
Exploits 0, References 2
Github Security Blog, added 2025/01/14 10:3 p.m., 9 views

Rancher UI has Stored Cross-site Scripting vulnerability

Impact: A vulnerability has been identified within Rancher UI that allows a malicious actor to perform a Stored XSS attack through the cluster description field. Please consult the associated MITRE ATT&CK - Technique - Drive-by Compromise for further information about this category of attack...

CVSS 8.9, AI score 8.4, EPSS 0.00476
Exploits 0, References 4, Affected Software 1
NVD, added 2025/01/14 8:15 p.m., 13 views

CVE-2024-55924

TYPO3 is a free and open source Content Management Framework. A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing actions in downstrea...

CVSS 8, EPSS 0.00251
Exploits 0, References 2
NVD, added 2025/01/14 8:15 p.m., 12 views

CVE-2024-55893

TYPO3 is a free and open source Content Management Framework. A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing actions in downstrea...

CVSS 4.3, EPSS 0.00235
Exploits 0, References 5
Vulnrichment, added 2025/01/14 8:0 p.m., 9 views

CVE-2024-55893 TYPO3 Cross-Site Request Forgery in Log Module

TYPO3 is a free and open source Content Management Framework. A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing actions in downstrea...

CVSS 4.3, AI score 4.6, EPSS 0.00235
Exploits 0, References 5
NVD, added 2025/01/14 7:15 p.m., 15 views

CVE-2025-23042

Gradio is an open-source Python package that allows quick building of demos and web applications for machine learning models, APIs, or any arbitrary Python function. Gradio's Access Control List (ACL) for file paths can be bypassed by altering the letter case of a blocked file or directory path. This...

CVSS 8.7, EPSS 0.00836
Exploits 1, References 1
OSV, added 2025/01/14 7:15 p.m., 1 view

ALPINE-CVE-2024-50349

Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When Git asks for credentials via a terminal prompt (i.e. without using any credential helper), it prints out the host name for whic...

CVSS 4.7, AI score 7, EPSS 0.00643
Exploits 0, References 1
OSV, added 2025/01/14 7:15 p.m., 1 view

DEBIAN-CVE-2024-50349

Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When Git asks for credentials via a terminal prompt (i.e. without using any credential helper), it prints out the host name for whic...

CVSS 4.7, AI score 7.2, EPSS 0.00643
Exploits 0, References 1
NVD, added 2025/01/14 7:15 p.m., 13 views

CVE-2024-49375

Rasa is an open source machine learning framework. A vulnerability has been identified in Rasa that enables an attacker who has the ability to load a maliciously crafted model remotely into a Rasa instance to achieve Remote Code Execution. The prerequisites for this are: 1. The HTTP API must be enabled on t...

CVSS 9, EPSS 0.00895
Exploits 0, References 1
Vulnrichment, added 2025/01/14 6:54 p.m., 6 views

CVE-2025-23041 Short and Long Answer Fields Are Not Validated Server-Side For Maximum Length in Umbraco.Forms

Umbraco.Forms is a web form framework written for the nuget ecosystem. Character limits configured by editors for short and long answer fields are validated only client-side, not server-side. This issue has been patched in versions 8.13.16, 10.5.7, 13.2.2, and 14.1.2. Users are advised to upgrade...

CVSS 5.8, AI score 5.6, EPSS 0.00363
Exploits 0, References 1
OSV, added 2025/01/14 6:54 p.m., 3 views

CVE-2025-23041 Short and Long Answer Fields Are Not Validated Server-Side For Maximum Length in Umbraco.Forms

Umbraco.Forms is a web form framework written for the nuget ecosystem. Character limits configured by editors for short and long answer fields are validated only client-side, not server-side. This issue has been patched in versions 8.13.16, 10.5.7, 13.2.2, and 14.1.2. Users are advised to upgrade...

CVSS 5.8, AI score 6.8, EPSS 0.00363
Exploits 0, References 3
CVE, added 2025/01/14 6:49 p.m., 92 views

CVE-2025-23042

Gradio Blocked Path ACL bypass vulnerability (CVE-2025-23042) arises from missing case normalization in file-path validation. On case-insensitive file systems (e.g., Windows/macOS), an attacker can circumvent ACLs by altering the letter case of a blocked path, potentially accessing restricted fil...

CVSS 8.7, AI score 6.3, EPSS 0.00836
Exploits 1, References 1, Affected Software 1
CVE, added 2025/01/14 6:43 p.m., 2796 views

CVE-2024-50349

CVE-2024-50349 affects Git. When prompting for credentials in terminal (no credential helper), Git decodes URL-encoded parts and prints the host; attackers can craft URLs with ANSI escape sequences to mislead users. The issue was patched via commits 7725b81 and c903985 and is addressed in multipl...

CVSS 4.7, AI score 3.7, EPSS 0.00643
Exploits 0, References 4, Affected Software 1
OSV, added 2025/01/14 6:43 p.m., 11 views

CVE-2024-50349 Git does not sanitize URLs when asking for credentials interactively

Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When Git asks for credentials via a terminal prompt (i.e. without using any credential helper), it prints out the host name for whic...

CVSS 2.1, AI score 7.4, EPSS 0.00643
Exploits 0, References 6