25 matches found
EUVD-2018-13445
Malware in sbrugna...
EUVD-2024-26874
Malicious code in bioql PyPI...
EUVD-2022-3915
Malicious code in bioql PyPI...
PT-2025-32216 · Unknown · Vedo Suite
Name of the Vulnerable Software and Affected Versions: Vedo Suite version 2024.17 Description: A path traversal issue exists in Vedo Suite 2024.17 that may allow remote authenticated attackers to read arbitrary filesystem files. The issue is due to an unsanitized file_get_contents() function call...
CVE-2025-4128 Mattermost Guest User Information Disclosure Vulnerability
Mattermost versions 10.5.x <= 10.5.4, 9.11.x <= 9.11.13 fail to properly restrict API access to team information, allowing guest users to bypass permissions and view information about public teams they are not members of via a direct API call to /api/v4/teams/{team_id}...
PT-2025-25168 · Apache · Apache Cloudstack
Name of the Vulnerable Software and Affected Versions: Apache CloudStack versions prior to 4.19.3.0; Apache CloudStack versions prior to 4.20.1.0 Description: A flaw in access control affects the "listTemplates" and "listIsos" APIs. A malicious Domain Admin or Resource Admin can exploit this issue...
CVE-2019-12277
Blogifier 2.3 before 2019-05-11 does not properly restrict APIs, as demonstrated by missing checks for .. in a pathname...
CVE-2018-20907
cPanel before 71.9980.37 does not enforce the Mime::listhotlinks API feature restriction SEC-432...
PT-2025-15910
Name of the Vulnerable Software and Affected Versions: OttoKit (formerly SureTriggers) versions 1.0.0 through 1.0.78 Description: The vulnerability is related to an authentication bypass issue in the OttoKit WordPress plugin, which allows unauthenticated attackers to create administrator accounts on...
CVE-2025-30369
Zulip is an open-source team collaboration tool. The API for deleting an organization custom profile field is supposed to be restricted to organization administrators, but its handler failed to check that the field belongs to the same organization as the user. Therefore, an administrator of any...
PYSEC-2025-3 When using the project to bypass Deezer API restrictions, project exfiltrates user data to a hardcoded server.
Published in 2019, the autodzee package is a Python library that bypasses Deezer API restrictions to download music. The package was found to exfiltrate user data to a hardcoded server, which could be used for malicious purposes...
CVE-2024-29890 Remote code execution in datalens-ui
DataLens is a business intelligence and data visualization system. A specifically crafted request allowed the creation of a special chart type with the ability to pass custom JavaScript code that would later be executed in an unprotected sandbox on subsequent requests to that chart. The problem w...
PT-2024-23113 · Datalens · Datalens
Name of the Vulnerable Software and Affected Versions: DataLens versions prior to 0.1449.0 Description: A specifically crafted request allowed the creation of a special chart type with the ability to pass custom JavaScript code that would later be executed in an unprotected sandbox on subsequent...
Apache Solr: Backup/Restore APIs allow for deployment of executables in malicious ConfigSets
Improper Control of Dynamically-Managed Code Resources, Unrestricted Upload of File with Dangerous Type, Inclusion of Functionality from Untrusted Control Sphere vulnerability in Apache Solr. This issue affects Apache Solr from 6.0.0 through 8.11.2, from 9.0.0 before 9.4.1. In the affected version...
PT-2023-30766 · Unknown · Torchserve
Name of the Vulnerable Software and Affected Versions: TorchServe versions 0.1.0 through 0.9.0 Description: The issue allows uploading potentially harmful archives that contain files extracted to any location on the filesystem within the process permissions, using the model/workflow management AP...
PT-2022-27765 · Unknown +3 · Cap'n Proto's Rust Implementation +4
Name of the Vulnerable Software and Affected Versions: Cap'n Proto versions prior to 0.7.1, 0.8.1, 0.9.2, and 0.10.3; Cap'n Proto's Rust implementation versions prior to 0.13.7, 0.14.11, and 0.15.2 Description: Cap'n Proto is a data interchange format and remote procedure call (RPC) system. The issu...
PT-2022-5101 · Cisco · Cisco Expressway Series +1
Name of the Vulnerable Software and Affected Versions: Cisco Expressway Series and Cisco TelePresence VCS (affected versions not specified) Description: The issue is related to a cross-site request forgery (CSRF) attack. It is caused by insufficient CSRF protections for the web-based management...
GHSA-QCX4-GFH8-W5P5 Blogifier does not properly restrict APIs
Blogifier 2.3 before 2019-05-11 does not properly restrict APIs, as demonstrated by missing checks for .. in a pathname. The issue is patched in the 2.4 branch, but 2.5.5 is the lowest available patched version on https://www.nuget.org/packages/Blogifier.Core...