8 matches found
CVE-2025-64752
grist-core is a spreadsheet hosting server. Prior to version 1.7.7, a user with access to any document on a Grist installation can use a feature for fetching from a URL that is executed on the server. The privileged network access of server-side requests could offer opportunities for attack...
EUVD-2021-21697
Malware in sbrugna...
EUVD-2025-12335
Malicious code in bioql PyPI...
EUVD-2021-3010
Malicious code in bioql PyPI...
EUVD-2024-34420
Malicious code in bioql PyPI...
Design/Logic Flaw
In wifi.RequestToggleWifiActivity of AndroidManifest.xml, there is a possible EoP due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-10...
Reverb.com: Possible Blind Writing to S3 Bucket
Hi All, I noticed that you are using S3 and I believe I may have found one of your buckets and am able to write to it. However, I cannot list the files in the bucket and as such cannot be 100% sure you own it. If you don't, I'd really appreciate being able to close this report myself or have you...
Shopify: Attach Pinterest account - no State/CSRF parameter in Oauth Call back
Hello, there is no CSRF protection for OAuth callbacks to attach a Pinterest account. An attacker can escalate this to attach his account with the victim's profile and monitor his activities. Vulnerable URL:...