18 matches found

OSV
added 2026/05/23 12:16 a.m. · 6 views

GHSA-JPJH-JM2P-39HH Arcane: Missing admin authorization on global variables endpoint

Summary: The PUT /api/environments/id/templates/variables endpoint, which writes the system-wide .env.global file used for variable substitution in every project's compose file, is missing an admin authorization check. Any authenticated non-admin user can call this endpoint with their bearer token...

CVSS 8.8 · AI score 6 · EPSS 0.00044
Exploits 0 · References 2
NVD
added 2026/03/13 7:53 p.m. · 1 views

CVE-2026-0957

There is a memory corruption vulnerability due to an out-of-bounds write when loading a corrupted file in Digilent DASYLab. This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted...

CVSS 8.5 · EPSS 0.00026
Exploits 0 · References 1
Github Security Blog
added 2026/03/10 12:57 a.m. · 4 views

Parse Server has denylist `requestKeywordDenylist` keyword scan bypass through nested object placement

Impact: The requestKeywordDenylist security control can be bypassed by placing any nested object or array before a prohibited keyword in the request payload. This is caused by a logic bug that stops scanning sibling keys after encountering the first nested value. Any custom requestKeywordDenylist...

CVSS 6.9 · AI score 5.9 · EPSS 0.00067
Exploits 0 · References 5 · Affected Software 1
Github Security Blog
added 2026/01/27 9:30 a.m. · 5 views

Quick-Media Batik Codec FIX package has Code Injection vulnerability

Improper Control of Generation of Code ('Code Injection') vulnerability in liuyueyi quick-media plugins/svg-plugin/batik-codec-fix/src/main/java/org/apache/batik/ext/awt/image/codec/png modules. This vulnerability is associated with program files PNGImageEncoder.Java. This issue affects all...

CVSS 5.3 · AI score 5.9 · EPSS 0.00092
Exploits 0 · References 4 · Affected Software 1
CVE
added 2025/12/12 12:00 a.m. · 12 views

CVE-2025-67342

CVE-2025-67342 affects Ruoyi (RuoYi) 4.8.1 and earlier, with a stored XSS in the /system/menu/edit endpoint where the XSS filter can be bypassed. Because the menu is shared across all users, any user with menu modification permissions can impact all users. Affected component: /system/menu/edit; r...

CVSS 4.6 · AI score 5.7 · EPSS 0.00024
Exploits 1 · References 1 · Affected Software 1
Positive Technologies
added 2025/12/12 12:00 a.m. · 2 views

PT-2025-50954

Name of the Vulnerable Software and Affected Versions: RuoYi versions 4.8.1 and earlier. Description: The software contains a stored cross-site scripting (XSS) issue in the /system/menu/edit API endpoint. The existing XSS filter can be bypassed, allowing for exploitation. Because the menu is shared...

CVSS 4.6 · AI score 5.2 · EPSS 0.00024
Exploits 1 · References 6
Debian CVE
added 2025/09/12 6:05 a.m. · 5 views

CVE-2025-6454

Removed by vendor...

CVSS 8.8 · AI score 5.8 · EPSS 0.0003
Exploits 0
RedhatCVE
added 2025/09/04 6:23 p.m. · 3 views

CVE-2025-57778

There is an out-of-bounds write vulnerability due to improper bounds checking resulting in an invalid source address when parsing a DSB file with Digilent DASYLab. This vulnerability may result in arbitrary code execution. Successful exploitation requires an attacker to get a user to open a...

CVSS 8.5 · AI score 7.8 · EPSS 0.00036
Exploits 0 · References 1
Tenable Nessus
added 2025/08/19 12:00 a.m. · 2 views

Linux Distros Unpatched Vulnerability : CVE-2025-3580

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - An access control vulnerability was discovered in Grafana OSS where an Organization administrator could permanently delete the Server administrator account. Thi...

CVSS 5.5 · AI score 6.9 · EPSS 0.00097
Exploits 0 · References 3
Vulnrichment
added 2025/08/11 6:36 p.m. · 2 views

CVE-2025-7677 DOS attack possible

A denial-of-service (DoS) attack is possible if access to the local network is provided to unauthorized users. This is due to a buffer copy issue that may lead to a software crash. This issue affects all versions of ASPECT...

CVSS 8.2 · AI score 6.2 · EPSS 0.00076
Exploits 0 · References 1
Positive Technologies
added 2025/02/11 12:00 a.m. · 2 views

PT-2025-6202 · Siemens · Simatic Ipc Diagmonitor +1

Name of the Vulnerable Software and Affected Versions: SIMATIC IPC DiagBase, all versions; SIMATIC IPC DiagMonitor, all versions. Description: A vulnerability has been identified where the affected devices do not properly restrict user permissions for the registry key. This could allow an authenticat...

CVSS 7.3 · AI score 7.5 · EPSS 0.00009
Exploits 0 · References 6
CNNVD
added 2023/10/14 12:00 a.m. · 3 views

QPDF Command Injection Vulnerability

QPDF is a C++ library and a set of programs to inspect and manipulate the structure of PDF files. A security vulnerability exists in all versions of QPDF, which stems from the inability of the encrypt method to filter parameters, resulting in a command injection...

CVSS 9.8 · AI score 7.5 · EPSS 0.00155
Exploits 1 · References 3
ATTACKERKB
added 2023/08/15 12:00 a.m. · 41 views

CVE-2023-35082

An authentication bypass vulnerability in Ivanti EPMM 11.10 and older allows unauthorized users to access restricted functionality or resources of the application without proper authentication. This vulnerability is unique to CVE-2023-35078 announced earlier. Recent assessments: sfewer-r7 at...

CVSS 10 · AI score 9.8 · EPSS 0.94438
In the wild · Exploits 14 · References 3
Positive Technologies
added 2023/03/06 12:00 a.m. · 1 views

PT-2023-20498 · Unknown · Node-Static

Name of the Vulnerable Software and Affected Versions: @node-static, all versions; node-static, all versions. Description: The issue arises from improper file path sanitization in the startsWith method within the servePath function, leading to Directory Traversal. This allows attackers to access file...

CVSS 7.5 · AI score 7.2 · EPSS 0.0132
Exploits 1 · References 10
CNNVD
added 2022/04/15 12:00 a.m. · 1 views

Seowon 130-SLC router security vulnerability

The Seowon 130-SLC router is a router from Seowon, South Korea. A security vulnerability exists in all versions of the Seowon 130-SLC router from September 15, 2021, which stems from the queriesCnt parameter being susceptible to remote code execution...

CVSS 9.8 · AI score 8.8 · EPSS 0.25396
Exploits 1 · References 2
OSV
added 2022/04/11 8:15 p.m. · 1 views

CVE-2022-22571

An authenticated high-privileged user can perform a stored XSS attack due to incorrect output encoding in Incapptic Connect; this affects all current versions...

CVSS 4.8 · AI score 5.8 · EPSS 0.00088
Exploits 0 · References 2
CNNVD
added 2022/04/11 12:00 a.m. · 2 views

Incapptic Connect cross-site scripting vulnerability

Incapptic Connect is an application plugin. A security vulnerability exists in Incapptic Connect that, due to incorrect output encoding, allows an authenticated, elevated-privileged user to perform a stored XSS attack; it affects all current versions...

CVSS 4.8 · AI score 5.2 · EPSS 0.00088
Exploits 0 · References 3
NVD
added 2021/07/28 4:15 p.m. · 6 views

CVE-2021-23416

This affects all versions of package curly-bracket-parser. When used as a template library, it does not properly sanitize the user input...

CVSS 6.1 · EPSS 0.0024
Exploits 1 · References 2