41 matches found

Packet Storm News
added 2026/04/26 12:0 a.m. · 1 views

Evaluation of Prompt Injection Defenses in Large Language Models

LLM-powered applications routinely embed secrets in system prompts, yet models can be tricked into revealing them. We built an adaptive attacker that evolves its strategies over hundreds of rounds and tested it against nine defense configurations across more than 20,000 attacks. Every defense tha...

5.4 AI score
Exploits 0

Cvelist
added 2026/02/03 11:14 a.m. · 24 views

CVE-2026-1432 SQL injection (SQLi) on the Buroweb platform

SQL injection vulnerability in the Buroweb platform version 2505.0.12, specifically in the 'tablon' component. This vulnerability is present in several parameters that do not correctly sanitize user input in the endpoint '/sta/CarpetaPublic/doEvent?APPCODE=STA&PAGECODE=TABLON'. Exploiting this...

9.3 CVSS · 0.00313 EPSS
Exploits 0 · References 1

EUVD
added 2026/02/03 11:14 a.m. · 5 views

EUVD-2026-5293

SQL injection vulnerability in the Buroweb platform version 2505.0.12, specifically in the 'tablon' component. This vulnerability is present in several parameters that do not correctly sanitize user input in the endpoint '/sta/CarpetaPublic/doEvent?APPCODE=STA&PAGECODE=TABLON'. Exploiting this...

9.3 CVSS · 5.8 AI score · 0.00313 EPSS
Exploits 0 · References 1

RedhatCVE
added 2026/01/07 9:31 a.m. · 5 views

CVE-2019-16300

An issue was discovered in Open Network Operating System (ONOS) 1.14. In the access control application org.onosproject.acl, the host event listener does not handle the following event types: HOST_REMOVED. In combination with other applications, this could lead to the absence of intended code...

7.5 CVSS · 7.1 AI score · 0.02004 EPSS
Exploits 0 · References 1

EUVD
added 2025/10/03 8:7 p.m. · 16 views

EUVD-2022-3891

Malicious code in bioql PyPI...

7.5 CVSS · 7.6 AI score · 0.02043 EPSS
Exploits 0 · References 6

EUVD
added 2025/10/03 8:7 p.m. · 8 views

EUVD-2022-44672

Malicious code in bioql PyPI...

7.5 CVSS · 7.6 AI score · 0.01101 EPSS
Exploits 1 · References 3

Vulnrichment
added 2025/07/20 12:0 a.m. · 4 views

CVE-2025-47917

Mbed TLS before 3.6.4 allows a use-after-free in certain situations of applications that are developed in accordance with the documentation. The function mbedtls_x509_string_to_names() takes a head argument that is documented as an output argument. The documentation does not suggest that the function...

8.9 CVSS · 6.5 AI score · 0.0199 EPSS
Exploits 2 · References 2

Positive Technologies
added 2025/05/11 12:0 a.m. · 4 views

PT-2025-20653 · Unknown · Seeyon Zhiyuan Oa Web Application System

Name of the Vulnerable Software and Affected Versions: Seeyon Zhiyuan OA Web Application System version 8.1 SP2
Description: A critical issue affects the function postData of the file ROOTWEB-INFclassescomourswwwehrsalaryservicedataEhrSalaryPayrollServiceImpl.class of the component Beetl Template...

6.5 CVSS · 6.8 AI score · 0.00401 EPSS
Exploits 0 · References 10

OSV
added 2025/05/09 12:42 p.m. · 3 views

OESA-2025-1475 fcgi security update

FastCGI is a language independent, scalable, open extension to CGI that provides high performance without the limitations of server specific APIs. Security Fixes: FastCGI fcgi2 aka fcgi 2.x through 2.4.4 has an integer overflow and resultant heap-based buffer overflow via crafted nameLen or...

9.3 CVSS · 7.3 AI score · 0.00562 EPSS
Exploits 0 · References 2

NVD
added 2025/03/10 9:15 a.m. · 5 views

CVE-2025-27255

Use of Hard-coded Credentials vulnerability in GE Vernova EnerVista UR Setup allows Privilege Escalation. The local user database is encrypted using a hardcoded password retrievable by an attacker analyzing the application code...

8 CVSS · 0.00143 EPSS
Exploits 0 · References 2

Vulnrichment
added 2025/03/10 9:5 a.m. · 5 views

CVE-2025-27255

Use of Hard-coded Credentials vulnerability in GE Vernova EnerVista UR Setup allows Privilege Escalation. The local user database is encrypted using a hardcoded password retrievable by an attacker analyzing the application code...

8 CVSS · 7.2 AI score · 0.00143 EPSS
Exploits 0 · References 2

BDU FSTEC
added 2024/08/26 12:0 a.m. · 3 views

The vulnerability of microprogrammed software in Vonets Industrial WiFi Bridge Relays and WiFi Bridge Repeaters allows an intruder to gain unauthorized access to protected information.

The vulnerability of the Vonets Industrial WiFi Bridge Relays and WiFi Bridge Repeaters exists due to the presence of rigidly encrypted credentials in the application code. Exploiting this vulnerability can allow an unauthorized attacker to gain unauthorized access to protected information...

7.8 CVSS · 5.5 AI score · 0.00633 EPSS
Exploits 0 · References 5 · Affected Software 14

Github Security Blog
added 2024/07/22 2:33 p.m. · 18 views

DNSJava DNSSEC Bypass

Summary: Records in DNS replies are not checked for their relevance to the query, allowing an attacker to respond with RRs from different zones. Details: DNS Messages are not authenticated. They do not guarantee that - received RRs are authentic - not received RRs do not exist - all or any received...

8.9 CVSS · 8.5 AI score · 0.00388 EPSS
Exploits 0 · References 4 · Affected Software 1

Github Security Blog
added 2024/05/15 10:8 p.m. · 11 views

Laravel Encrypter Component Potential Decryption Failure Leading to Unintended Behavior

The Laravel Encrypter component is susceptible to a vulnerability that may result in decryption failure, leading to an unexpected return of false. Exploiting this issue requires the attacker to manipulate the encrypted payload before decryption. When combined with weak type comparisons in the...

7.1 AI score
Exploits 0 · References 5 · Affected Software 1

CVE
added 2024/05/15 7:39 p.m. · 46 views

CVE-2024-32042

CVE-2024-32042 affects CyberPower PowerPanel Business Edition (PowerPanel business). Root cause: the cryptographic key used to encrypt passwords stored in the database is present in the PowerPanel application code, allowing recovery of those passwords (Storing Passwords in a Recoverable Format). ...

7.5 CVSS · 6.5 AI score · 0.00383 EPSS
Exploits 0 · References 2 · Affected Software 1

Cvelist
added 2024/05/15 7:39 p.m. · 21 views

CVE-2024-32042 CyberPower PowerPanel business Storing Passwords in a Recoverable Format

The key used to encrypt passwords stored in the database can be found in the CyberPower PowerPanel application code, allowing the passwords to be recovered...

4.9 CVSS · 5.3 AI score · 0.00383 EPSS
Exploits 0 · References 2

Cvelist
added 2024/05/15 2:16 a.m. · 24 views

CVE-2024-32888 Amazon JDBC Driver for Redshift SQL Injection via line comment generation

The Amazon JDBC Driver for Redshift is a Type 4 JDBC driver that provides database connectivity through the standard JDBC application program interfaces (APIs) available in the Java Platform, Enterprise Editions. Prior to version 2.1.0.28, SQL injection is possible when using the non-default...

10 CVSS · 9.9 AI score · 0.00778 EPSS
Exploits 0 · References 5

0day.today
added 2024/04/02 12:0 a.m. · 388 views

Daily Habit Tracker 1.0 - Stored Cross-Site Scripting Vulnerability

Exploit Title: Daily Habit Tracker 1.0 - Stored Cross-Site Scripting (XSS)
Exploit Author: Yevhenii Butenko
Vendor Homepage: https://www.sourcecodester.com
Software Link: https://www.sourcecodester.com/php/17118/daily-habit-tracker-using-php-and-mysql-source-code.html
Version: 1.0
Tested on: Debian...

6.1 CVSS · 7.1 AI score · 0.25877 EPSS
Exploits 4

Github Security Blog
added 2024/02/21 11:33 p.m. · 79 views

org.postgresql:postgresql vulnerable to SQL Injection via line comment generation

Impact: SQL injection is possible when using the non-default connection property preferQueryMode=simple in combination with application code that has a vulnerable SQL that negates a parameter value. There is no vulnerability in the driver when using the default query mode. Users that do not overri...

10 CVSS · 8.1 AI score · 0.0481 EPSS
Exploits 0 · References 5 · Affected Software 1

Prion
added 2023/12/13 10:15 a.m. · 16 views

Path traversal

A path traversal vulnerability has been detected in Repox, which allows an attacker to read arbitrary files on the running server, resulting in a disclosure of sensitive information. An attacker could access files such as application code or data, backend credentials, operating system files...

5 CVSS · 7.1 AI score · 0.00829 EPSS
Exploits 0 · References 1 · Affected Software 1