7 matches found

Github Security Blog
added yesterday, 4 views

Arc has an authenticated arbitrary local-file read via DuckDB I/O functions that bypasses RBAC table-level checks

Summary: Arc's user-SQL validator (internal/api/query.go:ValidateSQLRequest) blocked only read_parquet and arcpartitionagg via a regex denylist. The broader DuckDB I/O function family (read_csv_auto, read_csv, read_json, read_json_auto, read_text, read_blob, glob, parquet_metadata, parquet_schema, read_xlsx, etc...

AI score: 5.6
Exploits: 0 | References: 4 | Affected software: 1
OSV
added 2026/03/16 6:46 p.m., 2 views

GHSA-42PH-PF9Q-CR72 Parse Server has a stored XSS filter bypass via Content-Type MIME parameter and missing XML extension blocklist entries

Impact: An attacker who is allowed to upload files can bypass the file extension filter by appending a MIME parameter (e.g. ;charset=utf-8) to the Content-Type header. This causes the extension validation to fail to match against the blocklist, allowing active content to be stored and served under t...

CVSS: 8.3 | AI score: 5.4 | EPSS: 0.00014
Exploits: 0 | References: 7
Snyk
added 2026/01/08 9:13 p.m., 2 views

Inclusion of Sensitive Information in Source Code

Overview: Affected versions of this package are vulnerable to Inclusion of Sensitive Information in Source Code via the EnvironmentPlugin, which exposed all build environment variables. An attacker can access sensitive environment variables, including credentials and API keys, by inspecting...

CVSS: 8.7 | AI score: 7.1
Exploits: 0 | References: 2
Github Security Blog
added 2025/05/20 7:20 p.m., 9 views

TYPO3 CMS Webhooks Server Side Request Forgery

Problem: Webhooks are inherently vulnerable to Server-Side Request Forgery (SSRF), which can be exploited by adversaries to target internal resources (e.g., localhost or other services on the local network). While this is not a vulnerability in TYPO3 itself, it may enable attackers to blindly access...

CVSS: 4.4 | AI score: 6.8 | EPSS: 0.00174
Exploits: 0 | References: 5 | Affected software: 1
Amazon
added 2023/08/09 12:00 a.m., 16 views

Important: openssh

Issue Overview: The PKCS11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if the target user's ssh-agent is forwarded to an attacker-controlled system (the code in /usr/lib is not necessarily safe for loading into...

CVSS: 9.8 | AI score: 7.9 | EPSS: 0.64352
Exploits: 13
Veracode
added 2023/02/02 8:15 a.m., 17 views

Cross-Site Scripting (XSS)

sanitize is vulnerable to Cross-Site Scripting (XSS). An attacker is able to inject and execute arbitrary HTML in a victim's browser due to improper sanitization when the library is configured with a custom allowlist that allows noscript elements...

CVSS: 6.1 | AI score: 6 | EPSS: 0.00439
Exploits: 0 | References: 2 | Affected software: 2
Snyk
added 2023/01/28 1:17 a.m., 2 views

Cross-site Scripting (XSS)

Overview: sanitize is a Ruby HTML and CSS sanitizer. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) when a custom allowlist is configured to allow noscript elements. Workarounds: Users who are unable to upgrade to the fixed version can prevent this issue by using one o...

CVSS: 6.1 | AI score: 5.3 | EPSS: 0.00439
Exploits: 0 | References: 2