CVE-2026-27118 Cache poisoning in @sveltejs/adapter-vercel
SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Versions of @sveltejs/adapter-vercel prior to 6.3.2 are vulnerable to cache poisoning. An internal query parameter intended for Incremental Static Regeneration (ISR) is accessible on all routes, allowi...
Jenkins Start Windocks Containers Plugin vulnerable to cross-site request forgery
Jenkins Start Windocks Containers Plugin 1.4 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to connect to an attacker-specified URL. Additionally, this endpoint does not require POST requests, resulting in a cross-site reque...
EUVD-2022-4409
Malicious code in bioql PyPI...
EUVD-2022-5458
Malicious code in bioql PyPI...
CVE-2024-9219
The WordPress Social Share Buttons plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.19. This makes it possible for unauthenticated attackers to inject arbitrary web...
CVE-2025-1613
A vulnerability was found in FiberHome AN5506-01A ONU GPON RP2511. It has been rated as problematic. This issue affects some unknown processing of the file /goform/URLfilterCfg of the component URL Filtering Submenu. The manipulation of the argument urlIP leads to cross site scripting. The attack...
CVE-2025-1074
Webkul QloApps 1.6.1 is affected by a cross-site request forgery in the URL Handler logout function at /en/?mylogout. The vulnerability stems from the logout endpoint logic, enabling remote CSRF exploitation. Public exploit/disclosures exist and the vendor has been informed and is working on a fi...
Sensitive Information Disclosure
@lobehub/chat is vulnerable to Sensitive Information Disclosure. The vulnerability is due to insecure handling of the base URL in the frontend, allowing an attacker to modify it to their own attack URL. The attacker can then set up a server-side request to obtain the real backend API key...
CVE-2023-37963
A missing permission check in Jenkins Benchmark Evaluator Plugin 1.0.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL and to check for the existence of directories, .csv, and .ycsb files on the Jenkins controller file system...
GHSA-M6Q8-MWF6-6MMC CSRF vulnerability in Jenkins GitHub Pull Request Builder Plugin
A cross-site request forgery (CSRF) vulnerability in Jenkins GitHub Pull Request Builder Plugin 1.42.2 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins...
PT-2022-22071 · Jenkins · Jenkins Convertigo Mobile Platform Plugin +1
Name of the Vulnerable Software and Affected Versions: Jenkins Convertigo Mobile Platform Plugin versions 1.1 and earlier Description: A missing permission check in the plugin allows attackers with Overall/Read permission to connect to an attacker-specified URL. Recommendations: For Jenkins...
al.qwertygame.com XSS vulnerability
Open Bug Bounty ID: OBB-674495
Affected Website: al.qwertygame.com
Open Bug Bounty Program: Create your bounty program now. It's open and free.
Vulnerable Application: Custom Code
Vulnerability Type: XSS Cross Site Scripting / CWE-79
CVSSv3 Score: 6.1...
LocalTapiola: Reflected XSS Vulnerability in https://www.lahitapiola.fi/cs/Satellite
Basic report information Summary: Reflected XSS vulnerability in https://www.lahitapiola.fi/cs/Satellite. Description: There exists a reflected XSS vulnerability in https://www.lahitapiola.fi/cs/Satellite?pagename=TAMaster/FWBlogAsset/FWNav. Value of query string parameter rendermode is not...
CVE-2017-17524
library/wwwbrowser.pl in SWI-Prolog 7.2.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL...
Openemr-4.1.0 - SQL Injection Vulnerability
No description provided by source. Exploit Title: Openemr-4.1.0 SQL injection Vulnerability Date: 2011/10/18 Author: I2sec-dae jin Oh Software Link: http://sourceforge.net/projects/openemr/files/OpenEMR%20Current/4.1.0/openemr-4.1.0.zip/download Vendor: www.open-emr.com Version: Openemr-4.1.0...
New Exploit Kit RedKit Discovered in Wild
A new exploit kit hit the scene recently, and according to Arseny Levin of Spiderlabs, the RedKit exploit kit contains an API that generates new host-site URLs every hour. The authors of the kit haven’t named it, so Levin and Spiderlabs simply chose to call it RedKit in reference to its color...
CURL-CVE-2012-0036 URL sanitization vulnerability
curl is vulnerable to a data injection attack for certain protocols through control characters embedded or percent-encoded in URLs. When parsing URLs, libcurl's parser is liberal and only parses as little as possible and lets as much as possible through as long as it can figure out what to do. In...
Openemr-4.1.0 - SQL Injection
Exploit Title: Openemr-4.1.0 SQL injection Vulnerability Date: 2011/10/18 Author: I2sec-dae jin Oh Software Link: http://sourceforge.net/projects/openemr/files/OpenEMR%20Current/4.1.0/openemr-4.1.0.zip/download Vendor: www.open-emr.com Version: Openemr-4.1.0 Tested on: Windows 7...
Openemr 4.1.0 SQL Injection
Exploit Title: Openemr-4.1.0 SQL injection Vulnerability Date: 2011/10/18 Author: I2sec-dae jin Oh Software Link: http://sourceforge.net/projects/openemr/files/OpenEMR%20Current/4.1.0/openemr-4.1.0.zip/download Vendor: www.open-emr.com Version: Openemr-4.1.0 Tested on: Windows 7...
Openemr-4.1.0 - SQL Injection
Openemr-4.1.0 - SQL Injection Exploit Title: Openemr-4.1.0 SQL injection Vulnerability Date: 2011/10/18 Author: I2sec-dae jin Oh Software Link: http://sourceforge.net/projects/openemr/files/OpenEMR%20Current/4.1.0/openemr-4.1.0.zip/download Vendor: www.open-emr.com Version: Openemr-4.1.0 Tested...