Lucene search

57250 matches found

Snyk
added 2026/03/20 8:55 p.m.

SQL Injection

Overview Affected versions of this package are vulnerable to SQL Injection via the GetRelationships API when a forged pagination token is provided. An attacker can execute arbitrary SQL queries by submitting crafted pagination tokens if the secrets.pagination configuration is not set or is known ...

CVSS 8.6 | AI score 6.2 | EPSS 0.00229
Exploits: 0 | References: 2
OSV
added 2026/03/20 8:55 p.m.

GHSA-C38G-MX2C-9WF2 Ory Keto has a SQL injection via forged pagination tokens

Description The GetRelationships API in Ory Keto is vulnerable to SQL injection due to flaws in its pagination implementation. Pagination tokens are encrypted using the secret configured in secrets.pagination. An attacker who knows this secret can craft their own tokens, including malicious token...

CVSS 7.2 | AI score 6.2 | EPSS 0.00229
Exploits: 0 | References: 3
OSV
added 2026/03/20 8:54 p.m.

GHSA-HGX2-28F8-6G2R Ory Kratos has a SQL injection via forged pagination tokens

Description The ListCourierMessages Admin API in Ory Kratos is vulnerable to SQL injection due to flaws in its pagination implementation. Pagination tokens are encrypted using the secret configured in secrets.pagination. An attacker who knows this secret can craft their own tokens, including...

CVSS 7.2 | AI score 6.2 | EPSS 0.00252
Exploits: 0 | References: 3
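The Keto and Kratos entries above describe the same pattern: a pagination token is encrypted under secrets.pagination, and the server treats successful decryption as proof that the token's contents are trustworthy. The Go program below is an added illustration of that pattern and of its fix; it is not Ory's code, and the token layout (a JSON cursor with last_id and size), the relation_tuples table, the AES-GCM construction and the leaked secret "changeme" are all assumptions made for the example. VulnerableQuery splices the decrypted plaintext straight into SQL; SafeQuery parses it into a fixed schema, validates each field and binds the values as query parameters, so a forged token is rejected even when the secret is known.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// pageToken is the only shape a decrypted cursor is allowed to take.
// Hypothetical layout for this example, not Ory's real token format.
type pageToken struct {
	LastID string `json:"last_id"`
	Size   int    `json:"size"`
}

var cursorID = regexp.MustCompile(`^[0-9a-f-]{1,36}$`)

// gcm derives an AEAD from the configured pagination secret.
func gcm(secret string) cipher.AEAD {
	key := sha256.Sum256([]byte(secret))
	block, _ := aes.NewCipher(key[:]) // 32-byte key: cannot fail
	g, _ := cipher.NewGCM(block)
	return g
}

// Seal encrypts plaintext into a URL-safe pagination token. Anyone holding
// the secret can call this, which is the problem when it is unset or leaked.
func Seal(secret string, plaintext []byte) string {
	g := gcm(secret)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(g.Seal(nonce, nonce, plaintext, nil))
}

// Open authenticates and decrypts a token; a wrong secret fails here.
func Open(secret, token string) ([]byte, error) {
	ct, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil {
		return nil, err
	}
	g := gcm(secret)
	if len(ct) < g.NonceSize() {
		return nil, errors.New("token too short")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

// VulnerableQuery treats "decrypted successfully" as "safe to use" and
// splices the plaintext into SQL. Encryption proves only that the token
// was produced with the secret, not that its content is benign.
func VulnerableQuery(secret, token string) (string, error) {
	pt, err := Open(secret, token)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("SELECT * FROM relation_tuples WHERE id > '%s' ORDER BY id LIMIT 100", pt), nil
}

// SafeQuery decrypts, parses the plaintext into a fixed schema, validates
// every field, and binds the values as parameters, so the database never
// interprets token content as SQL even when the secret is compromised.
func SafeQuery(secret, token string) (string, []any, error) {
	pt, err := Open(secret, token)
	if err != nil {
		return "", nil, err
	}
	dec := json.NewDecoder(strings.NewReader(string(pt)))
	dec.DisallowUnknownFields()
	var t pageToken
	if err := dec.Decode(&t); err != nil {
		return "", nil, fmt.Errorf("malformed token: %w", err)
	}
	if !cursorID.MatchString(t.LastID) {
		return "", nil, errors.New("invalid cursor id")
	}
	if t.Size < 1 || t.Size > 1000 {
		return "", nil, errors.New("page size out of range")
	}
	return "SELECT * FROM relation_tuples WHERE id > $1 ORDER BY id LIMIT $2", []any{t.LastID, t.Size}, nil
}

func main() {
	const leaked = "changeme" // constructed: a default or leaked secrets.pagination value
	forged := Seal(leaked, []byte("x' UNION SELECT password FROM users --"))
	q, _ := VulnerableQuery(leaked, forged)
	fmt.Println("vulnerable:", q)
	_, _, err := SafeQuery(leaked, forged)
	fmt.Println("hardened:", err)
}
```

The difference that matters is that SafeQuery stays safe if secrets.pagination leaks: the AEAD authenticates the token's origin, and only schema parsing plus parameter binding authenticates its content.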
Snyk
added 2026/03/20 8:48 p.m.

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization in multiple functions in the gRPC API layer, including MemberList and Compact. An attacker can gain unauthorized access to sensitive cluster operations and information, such as viewing cluster topology, disrupting...

CVSS 8.8 | AI score 5.8 | EPSS 0.00249
Exploits: 0 | References: 2
Github Security Blog
added 2026/03/20 8:48 p.m.

etcd: Authorization bypasses in multiple APIs

Impact What kind of vulnerability is it? Who is impacted? Multiple vulnerabilities allow unauthorized users to bypass authentication or authorization checks and call certain etcd functions in clusters that expose the gRPC API to untrusted or partially trusted clients. In unpatched etcd clusters...

CVSS 8.8 | AI score 5.8 | EPSS 0.00249
Exploits: 0 | References: 3 | Affected software: 2
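The etcd advisory above concerns gRPC methods such as MemberList and Compact that could be called without passing the authorization check the other methods go through. The Go program below is an added example, not etcd's code, of the fail-closed structure that prevents that class of bug: every handler is registered through one Guard, Authorize consults a single table, and a method missing from the table is denied rather than allowed. The method names follow etcd's gRPC service definitions; the role names, the Principal type and the context plumbing that stands in for the transport layer are assumptions for the example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// Principal is the caller identity the transport layer attached to the
// request (from a client certificate or token); constructed for this example.
type Principal struct {
	Name  string
	Roles map[string]bool
}

type principalKey struct{}

func WithPrincipal(ctx context.Context, p *Principal) context.Context {
	return context.WithValue(ctx, principalKey{}, p)
}

// Handler has the shape of a gRPC unary handler, without importing gRPC.
type Handler func(ctx context.Context, req any) (any, error)

var (
	ErrUnauthenticated  = errors.New("unauthenticated")
	ErrPermissionDenied = errors.New("permission denied")
)

// requiredRole names the role each method needs. The table is the whole
// policy: a method that is not listed is refused, instead of falling
// through to a handler nobody wired an authorization check into.
var requiredRole = map[string]string{
	"/etcdserverpb.KV/Range":           "reader",
	"/etcdserverpb.KV/Put":             "writer",
	"/etcdserverpb.KV/Compact":         "admin",
	"/etcdserverpb.Cluster/MemberList": "admin",
}

// Authorize is the single choke point every method passes through.
func Authorize(ctx context.Context, method string) error {
	p, _ := ctx.Value(principalKey{}).(*Principal)
	if p == nil {
		return ErrUnauthenticated
	}
	role, known := requiredRole[method]
	if !known {
		return fmt.Errorf("%w: %s has no authorization rule", ErrPermissionDenied, method)
	}
	if !p.Roles[role] && !p.Roles["root"] {
		return fmt.Errorf("%w: %s needs role %q", ErrPermissionDenied, p.Name, role)
	}
	return nil
}

// Guard wraps a handler so it cannot run unless Authorize passes. Registering
// every handler through Guard, rather than calling the check from inside
// selected handlers, is what keeps a new RPC from shipping unchecked.
func Guard(method string, h Handler) Handler {
	return func(ctx context.Context, req any) (any, error) {
		if err := Authorize(ctx, method); err != nil {
			return nil, err
		}
		return h(ctx, req)
	}
}

func main() {
	memberList := Guard("/etcdserverpb.Cluster/MemberList", func(context.Context, any) (any, error) {
		return []string{"node-a", "node-b"}, nil
	})
	reader := WithPrincipal(context.Background(), &Principal{Name: "app", Roles: map[string]bool{"reader": true}})
	_, err := memberList(reader, nil)
	fmt.Println("reader calling MemberList:", err)
	_, err = memberList(context.Background(), nil)
	fmt.Println("anonymous calling MemberList:", err)
}
```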
Snyk
added 2026/03/20 8:47 p.m.

SQL Injection

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to SQL Injection via the onpublish function. An attacker can extract sensitive database contents, including user password hashes, email addresses, API keys, and...

CVSS 10 | AI score 6 | EPSS 0.00468
Exploits: 1 | References: 2
Github Security Blog
added 2026/03/20 8:47 p.m.

langflow has Unauthenticated IDOR on Image Downloads

Summary The /api/v1/files/images/flowid/filename endpoint serves image files without any authentication or ownership check. Any unauthenticated request with a known flowid and filename returns the image with HTTP 200. Details src/backend/base/langflow/api/v1/files.py:138-164 — downloadimage takes...

CVSS 7.5 | AI score 5.8 | EPSS 0.05838
Exploits: 1 | References: 4 | Affected software: 1
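The langflow entry above describes an image download endpoint that checks neither who is asking nor whether they own the flow the image belongs to. The Go handlers below are an added example of the checks such an endpoint needs, written against net/http rather than langflow's own Python code; the session table, the flow ownership map, the in-memory image store and the /api/v1/files/images/ prefix are constructed for the example. VulnerableImage keeps the shape of the bug; FixedImage authenticates, validates the filename, checks ownership, and only then reads the store.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
)

// Constructed stand-ins for the session store, the flow table and the
// image store; a real service would query its database for these.
var (
	sessions  = map[string]string{"tok-alice": "alice", "tok-bob": "bob"}
	flowOwner = map[string]string{"flow-1": "alice"}
	images    = map[string][]byte{"flow-1/diagram.png": []byte("\x89PNG constructed bytes")}
)

const prefix = "/api/v1/files/images/"

// splitImagePath returns the flow id and filename from /api/v1/files/images/<flow>/<file>.
func splitImagePath(p string) (flowID, name string) {
	parts := strings.SplitN(strings.TrimPrefix(p, prefix), "/", 2)
	if len(parts) == 2 {
		return parts[0], parts[1]
	}
	return parts[0], ""
}

func userFromRequest(r *http.Request) (string, bool) {
	h := r.Header.Get("Authorization")
	if !strings.HasPrefix(h, "Bearer ") {
		return "", false
	}
	user, ok := sessions[strings.TrimPrefix(h, "Bearer ")]
	return user, ok
}

// VulnerableImage has the shape of the bug: any request naming a known
// flow id and filename receives the bytes, no identity required.
func VulnerableImage(w http.ResponseWriter, r *http.Request) {
	flowID, name := splitImagePath(r.URL.Path)
	data, ok := images[flowID+"/"+name]
	if !ok {
		http.NotFound(w, r)
		return
	}
	w.Header().Set("Content-Type", "image/png")
	w.Write(data)
}

// FixedImage authenticates, rejects path tricks in the filename, checks
// that the caller owns the flow, and only then touches the file store.
func FixedImage(w http.ResponseWriter, r *http.Request) {
	user, ok := userFromRequest(r)
	if !ok {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	flowID, name := splitImagePath(r.URL.Path)
	if name == "" || name != path.Base(name) || strings.HasPrefix(name, ".") {
		http.Error(w, "bad filename", http.StatusBadRequest)
		return
	}
	// Unknown flow and someone else's flow get the same 404, so the endpoint
	// cannot be used to confirm which flow ids exist.
	if owner, exists := flowOwner[flowID]; !exists || owner != user {
		http.NotFound(w, r)
		return
	}
	data, ok := images[flowID+"/"+name]
	if !ok {
		http.NotFound(w, r)
		return
	}
	w.Header().Set("Content-Type", "image/png")
	w.Write(data)
}

// Status issues a GET for flow-1/diagram.png against h with the given bearer
// token ("" for anonymous) and returns the HTTP status code.
func Status(h http.HandlerFunc, token string) int {
	req := httptest.NewRequest(http.MethodGet, prefix+"flow-1/diagram.png", nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rr := httptest.NewRecorder()
	h(rr, req)
	return rr.Code
}

func main() {
	fmt.Println("vulnerable, anonymous:", Status(VulnerableImage, ""))
	fmt.Println("fixed, anonymous:     ", Status(FixedImage, ""))
	fmt.Println("fixed, bob:           ", Status(FixedImage, "tok-bob"))
	fmt.Println("fixed, alice:         ", Status(FixedImage, "tok-alice"))
}
```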
Cvelist
added 2026/03/20 8:2 p.m.

CVE-2026-4504 eosphoros-ai db-gpt Incomplete Fix editor sql injection

A flaw has been found in eosphoros-ai db-gpt up to 0.7.5. This vulnerability affects unknown code of the file /api/v1/editor/ of the component Incomplete Fix. This manipulation causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. Th...

CVSS 7.5 | EPSS 0.00254
Exploits: 0 | References: 4
CVE
added 2026/03/20 8:2 p.m.

CVE-2026-4504

A vulnerability (CVE-2026-4504) affects eosphoros-ai db-gpt up to version 0.7.5. The flaw involves unknown code in the /api/v1/editor/ path of the Incomplete Fix component, enabling SQL injection through manipulation. It can be exploited remotely and an exploit has been published. The vendor was ...

CVSS 7.5 | AI score 6.7 | EPSS 0.00254
Exploits: 0 | References: 4
ATTACKERKB
added 2026/03/20 8:2 p.m.

CVE-2026-4504

A flaw has been found in eosphoros-ai db-gpt up to 0.7.5. This vulnerability affects unknown code of the file /api/v1/editor/ of the component Incomplete Fix. This manipulation causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. Th...

CVSS 7.5 | AI score 6.7 | EPSS 0.00254
Exploits: 0 | References: 4 | Affected software: 1
EUVD
added 2026/03/20 6:31 p.m.

EUVD-2026-13756

A vulnerability was identified in atjiu pybbs 6.0.0. This affects the function create of the file src/main/java/co/yiiu/pybbs/controller/api/TopicApiController.java. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit is publicly available a...

CVSS 5.1 | AI score 4.1 | EPSS 0.00295
Exploits: 0 | References: 5
EUVD
added 2026/03/20 6:31 p.m.

EUVD-2026-13758

A security flaw has been discovered in atjiu pybbs 6.0.0. This impacts the function create of the file src/main/java/co/yiiu/pybbs/controller/api/CommentApiController.java. The manipulation results in cross site scripting. It is possible to launch the attack remotely. The exploit has been release...

CVSS 5.1 | AI score 4.3 | EPSS 0.00268
Exploits: 0 | References: 5
EUVD
added 2026/03/20 6:31 p.m.

EUVD-2026-13752

XinLiangCoder phpapidoc through commit 1ce5bbf contains a reflected cross-site scripting vulnerability in listmethod.php that allows remote attackers to execute arbitrary JavaScript in a victim's browser by injecting malicious code through the f parameter. Attackers can craft a malicious URL with...

CVSS 6.1 | AI score 6 | EPSS 0.00257
Exploits: 0 | References: 3
OSV
added 2026/03/20 6:29 p.m.

CVE-2026-32317 Cryptomator for Android: Tampered vault configuration allows MITM attack on Hub API

Cryptomator for Android offers multi-platform transparent client-side encryption for files in the cloud. Prior to version 1.12.3, an integrity check vulnerability allows an attacker to tamper with the vault configuration file, leading to a man-in-the-middle vulnerability in the Hub key loading mechanism...

CVSS 7.6 | AI score 5.8 | EPSS 0.00062
Exploits: 0 | References: 4
Cvelist
added 2026/03/20 6:27 p.m.

CVE-2026-32318 Cryptomator for iOS: Tampered vault configuration allows MITM attack on Hub API

Cryptomator for iOS offers multi-platform transparent client-side encryption for files in the cloud. Prior to version 2.8.3, an integrity check vulnerability allows an attacker to tamper with the vault configuration file, leading to a man-in-the-middle vulnerability in the Hub key loading mechanism. Befo...

CVSS 7.6 | EPSS 0.00078
Exploits: 0 | References: 4
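Both Cryptomator entries above turn on the client acting on a vault configuration file whose integrity it had not verified, so that whoever could edit the file could choose where Hub keys are loaded from. The Go program below is an added example of the missing check; it is not Cryptomator's code, and the JSON layout, the keyLoader field and the HMAC-SHA256 construction are assumptions made for illustration. TrustingLoad shows the bug shape, LoadConfig verifies the MAC before it parses (let alone acts on) the payload, and Tamper plays the attacker who can write the file but does not hold the key.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// VaultConfig is a hypothetical stand-in for the vault configuration file;
// keyLoader tells the client where to fetch the vault key from.
type VaultConfig struct {
	Format    int    `json:"format"`
	KeyLoader string `json:"keyLoader"`
}

// signedConfig carries the serialized config and a MAC over it, keyed with
// a secret that an attacker who can edit the file does not hold.
type signedConfig struct {
	Payload []byte `json:"payload"`
	MAC     []byte `json:"mac"`
}

func mac(key, payload []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(payload)
	return m.Sum(nil)
}

// SignConfig serializes the config and binds it to key with an HMAC.
func SignConfig(key []byte, c VaultConfig) ([]byte, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return nil, err
	}
	return json.Marshal(signedConfig{Payload: payload, MAC: mac(key, payload)})
}

// LoadConfig checks the MAC first; an unauthenticated payload is never parsed.
func LoadConfig(key, raw []byte) (VaultConfig, error) {
	var s signedConfig
	if err := json.Unmarshal(raw, &s); err != nil {
		return VaultConfig{}, err
	}
	if !hmac.Equal(mac(key, s.Payload), s.MAC) {
		return VaultConfig{}, errors.New("vault config integrity check failed")
	}
	var c VaultConfig
	err := json.Unmarshal(s.Payload, &c)
	return c, err
}

// TrustingLoad is the bug shape: it reads the payload without checking the
// MAC, so whoever can edit the file chooses which server the client asks for keys.
func TrustingLoad(raw []byte) (VaultConfig, error) {
	var s signedConfig
	if err := json.Unmarshal(raw, &s); err != nil {
		return VaultConfig{}, err
	}
	var c VaultConfig
	err := json.Unmarshal(s.Payload, &c)
	return c, err
}

// Tamper rewrites keyLoader in a signed file without knowing the key, which
// is what an attacker with write access to the synced vault folder can do.
func Tamper(raw []byte, newLoader string) ([]byte, error) {
	var s signedConfig
	if err := json.Unmarshal(raw, &s); err != nil {
		return nil, err
	}
	var c VaultConfig
	if err := json.Unmarshal(s.Payload, &c); err != nil {
		return nil, err
	}
	c.KeyLoader = newLoader
	s.Payload, _ = json.Marshal(c)
	return json.Marshal(s) // MAC is left as it was
}

func main() {
	key := []byte("constructed-vault-key")
	signed, _ := SignConfig(key, VaultConfig{Format: 8, KeyLoader: "https://hub.example/api/vaults/1"})
	evil, _ := Tamper(signed, "https://attacker.example/api/vaults/1")
	c, _ := TrustingLoad(evil)
	fmt.Println("without integrity check, keys come from:", c.KeyLoader)
	_, err := LoadConfig(key, evil)
	fmt.Println("with integrity check:", err)
}
```

The check only helps if the MAC key is something an attacker with write access to the vault folder cannot also read, for example material derived from the user's passphrase; a key stored beside the configuration lets the attacker re-sign the tampered file.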
NVD
added 2026/03/20 6:16 p.m.

CVE-2026-4494

A vulnerability was identified in atjiu pybbs 6.0.0. This affects the function create of the file src/main/java/co/yiiu/pybbs/controller/api/TopicApiController.java. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit is publicly available a...

CVSS 5.1 | EPSS 0.00295
Exploits: 0 | References: 4
NVD
added 2026/03/20 6:16 p.m.

CVE-2026-32844

XinLiangCoder phpapidoc through commit 1ce5bbf contains a reflected cross-site scripting vulnerability in listmethod.php that allows remote attackers to execute arbitrary JavaScript in a victim's browser by injecting malicious code through the f parameter. Attackers can craft a malicious URL with...

CVSS 6.1 | EPSS 0.00257
Exploits: 0 | References: 2
Cvelist
added 2026/03/20 6:2 p.m.

CVE-2026-4495 atjiu pybbs CommentApiController.java create cross site scripting

A security flaw has been discovered in atjiu pybbs 6.0.0. This impacts the function create of the file src/main/java/co/yiiu/pybbs/controller/api/CommentApiController.java. The manipulation results in cross site scripting. It is possible to launch the attack remotely. The exploit has been release...

CVSS 5.1 | EPSS 0.00268
Exploits: 0 | References: 4
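The pybbs entries (cross-site scripting through topic and comment creation) and the phpapidoc entry (reflected cross-site scripting through the f parameter) share one root cause: user-controlled text reaches the HTML response without encoding for the context it lands in. The Go program below is an added example of that bug beside its fix, using html/template's contextual escaper; it stands in for the Java and PHP code of those projects and is not taken from them. The attribute-breakout and script-tag payloads are constructed inputs.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
)

// VulnerableRender is the bug shape shared by a reflected parameter and a
// stored comment body: user text is concatenated into HTML unchanged.
func VulnerableRender(title, body string) string {
	return fmt.Sprintf(`<h1 title="%s">%s</h1><p>%s</p>`, title, title, body)
}

// page renders the same markup through html/template, whose contextual
// escaper encodes each value for the place it lands: attribute value,
// element text, or URL query string.
var page = template.Must(template.New("p").Parse(
	`<h1 title="{{.Title}}">{{.Title}}</h1><p>{{.Body}}</p><a href="?f={{.Title}}">permalink</a>`))

type view struct{ Title, Body string }

// SafeRender escapes on output, which also covers stored content whose
// origin was never validated on the way in.
func SafeRender(title, body string) (string, error) {
	var b bytes.Buffer
	if err := page.Execute(&b, view{title, body}); err != nil {
		return "", err
	}
	return b.String(), nil
}

func main() {
	title := `" onmouseover="alert(1)`                 // constructed attribute-breakout payload
	body := `<script>alert(document.cookie)</script>` // constructed stored-comment payload
	fmt.Println(VulnerableRender(title, body))
	out, _ := SafeRender(title, body)
	fmt.Println(out)
}
```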