17 matches found

Positive Technologies
added 6 days ago, 8 views

PT-2026-44932

Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.29.2 and earlier, Dokploy constructs shell commands using JavaScript template literals and executes them via child_process.exec, which runs through /bin/sh -c. User-supplied branch names, repository URLs, and Docker credentials are...

CVSS 9.6, AI score 5.8, EPSS 0.00048
Exploits 0, References 2
Vulnrichment
added 2026/04/07 4:50 p.m., 0 views

CVE-2026-22683 Windmill < 1.615.0 Operator Role Missing Authorization Checks RCE

Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions via the backend API. Although Operators are documented and priced as unable to create or modify entities,...

CVSS 8.8, AI score 7.8, EPSS 0.00402
Exploits 0, References 6
RedhatCVE
added 2026/01/09 9:00 a.m., 4 views

CVE-2023-29515

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user who can create a space can become admin of that space through App Within Minutes. The admin right implies the script right and thus allows JavaScript injection. The vulnerability can ...

CVSS 7.7, AI score 7, EPSS 0.06572
Exploits 1, References 1
EUVD
added 2025/10/03 8:07 p.m., 1 view

EUVD-2023-41073

Malicious code in bioql PyPI...

CVSS 6.1, AI score 6.4, EPSS 0.00154
Exploits 1, References 4
OSV
added 2025/05/03 11:15 a.m., 2 views

DEBIAN-CVE-2024-58135

Mojolicious versions from 7.28 for Perl will generate weak HMAC session cookie secrets via "mojo generate app" by default. When creating a default app skeleton with the "mojo generate app" tool, a weak secret is written to the application's configuration file using the insecure rand function, and...

CVSS 5.3, AI score 6.2, EPSS 0.00632
Exploits 1, References 1
OSV
added 2025/05/03 11:15 a.m., 5 views

AZL-61741 CVE-2024-58135 affecting package perl-Mojolicious 8.57-3

Mojolicious versions from 7.28 for Perl will generate weak HMAC session cookie secrets via "mojo generate app" by default. When creating a default app skeleton with the "mojo generate app" tool, a weak secret is written to the application's configuration file using the insecure rand function, and...

CVSS 5.3, AI score 5.8, EPSS 0.00632
Exploits 1, References 1
Circl
added 2025/02/11 2:19 a.m., 5 views

CVE-2024-4952

creationtimestamp | type | source
---|---|---
2025-02-11 02:19:10+00:00 | seen | https://bsky.app/profile/cve-notifications.bsky.social/post/3lhultnecqo2i...

AI score 7
Exploits 0, References 1
Circl
added 2025/01/31 9:16 a.m., 2 views

CVE-2025-24560

creationtimestamp | type | source
---|---|---
2025-01-31 09:16:57+00:00 | seen | https://bsky.app/profile/cve-notifications.bsky.social/post/3lgzo2kvxa72h
2025-01-31 10:15:44+00:00 | seen | https://t.me/DarkWebInformerCVEAlerts/3632
2025-01-31 11:11:39+00:00 | seen | https://t.me/cvedetector/16913...

CVSS 7.1, AI score 4.8, EPSS 0.0015
Exploits 0, References 4
Spring Engineering
added 2024/08/07 12:00 a.m., 10 views

Spring Tips: HTMX

Hi, Spring fans! HTMX is the progressive hypertext sensation that's sweeping the process of web app creation, and - thanks to a nice integration by Spring community legend Wim Deblauwe, it's easier than ever to use it with Spring Boot and Thymeleaf. And, it's the topic of today's installment! jav...

AI score 7.2
Exploits 0
RedHat Linux
added 2024/04/10 12:21 p.m., 1 view

CD: Users with `create` but not `override` privileges can perform local sync

A flaw was found in the Argo CD package. An improper validation bug allows users to sync local manifests on app creation, who have create privileges but not override privileges. All other restrictions, including AppProject restrictions, are still enforced. The only restriction that is not enforce...

CVSS 6.4, AI score 5.8, EPSS 0.00024
Exploits 0, References 7
RedhatCVE
added 2024/03/14 5:07 a.m., 22 views

CVE-2023-50726

A flaw was found in the Argo CD package. An improper validation bug allows users to sync local manifests on app creation, who have create privileges but not override privileges. All other restrictions, including AppProject restrictions, are still enforced. The only restriction that is not enforce...

CVSS 6.4, AI score 6.3, EPSS 0.00024
Exploits 0, References 6
OSV
added 2023/07/10 4:15 p.m., 11 views

CVE-2023-37153

KodExplorer 4.51 contains a Cross-Site Scripting (XSS) vulnerability in the Description box of the Light App creation feature. An attacker can exploit this vulnerability by injecting XSS syntax into the Description field...

CVSS 6.1, AI score 5.3
Exploits 0, References 4
Veracode
added 2023/05/18 4:32 a.m., 16 views

Unauthorized Access

powerjob-server-starter is vulnerable to Unauthorized Access. The vulnerability exists because the library uses improper access control, allowing an attacker to create apps through the /appInfo/save interface without permission...

CVSS 5.3, AI score 6.8, EPSS 0.00318
Exploits 1, References 2, Affected Software 1
OSV
added 2022/02/27 12:00 a.m., 14 views

GHSA-XRJF-PHVV-R4VR Command injection in strapi

When creating a strapi app using npx create-strapi-app, we can inject arbitrary commands through the template cli argument as per the code in this particular link; this happens due to improper sanitization of user input...

CVSS 6.1, AI score 6.6, EPSS 0.00217
Exploits 1, References 7
NVD
added 2019/10/01 3:15 p.m., 8 views

CVE-2019-11275

Pivotal Application Manager, versions 666.0.x prior to 666.0.36, versions 667.0.x prior to 667.0.22, versions 668.0.x prior to 668.0.21, versions 669.0.x prior to 669.0.13, and versions 670.0.x prior to 670.0.7, contain a vulnerability where a remote authenticated user can create an app with a na...

CVSS 4.3, AI score 4.1, EPSS 0.00203
Exploits 0, References 1
Hacker One
added 2018/10/01 2:11 p.m., 72 views

Chaturbate: Missing Rate Limitation at /apps/upload_app/

Summary: I discovered that one is able to create an unlimited number of apps via /apps/upload_app/. PS: I feel this is within the scope of your program and you want to know about it. If otherwise, I'll be happy to close this. Steps To Reproduce: 1. Login and go to https://chaturbate.com/apps/uploadap...

AI score 0.2
Exploits 0
Hacker One
added 2017/02/13 10:21 a.m., 95 views

Boozt Fashion AB: Application code is not obfuscated -- OWASP M9 (2016)

Description: Boost android app is not obfuscated, which leads to viewing the source code of the app. Impact: Attackers can steal code and reuse it or sell it to create a new application, or create a malicious fake application based on the initial one. POC: Step 1: First, I did the basic reverse...

AI score 6.9
Exploits 0