437 matches found
Argo Events users can gain privileged access to the host system and cluster with EventSource and Sensor CR
Summary: A user with permission to create/modify EventSource and Sensor custom resources can gain privileged access to the host system and cluster, even without having direct administrative privileges. Details: The EventSource and Sensor CRs allow the corresponding orchestrated pod to be customiz...
MongoDB Shell < 2.3.9 Control Character Injection (MONGOSH-2024, MONGOSH-2025, MONGOSH-2026)
The version of MongoDB Shell installed on the remote host is prior to 2.3.9. It is, therefore, affected by a vulnerability as referenced in the MONGOSH-2024, MONGOSH-2025, MONGOSH-2026 advisories. - The MongoDB Shell may be susceptible to control character injection where an attacker with control...
Malicious code in paypal-url-generator (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware eee5e504dfd1a8b2c6e07c8e238a743be5b370d288b12b38eb37e16d82051ae9 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
CVE-2025-27913
Passbolt API before 5, if the server is misconfigured with an incorrect installation process and disregarding of Health Check results, can send email messages with a domain name taken from an attacker-controlled HTTP Host header...
CVE-2025-20141
A vulnerability in the handling of specific packets that are punted from a line card to a route processor in Cisco IOS XR Software Release 7.9.2 could allow an unauthenticated, adjacent attacker to cause control plane traffic to stop working on multiple Cisco IOS XR platforms. This vulnerability ...
Ubiquiti UniFi Protect Cameras Firmware Update Insufficient Authentication Vulnerability
Ubiquiti UniFi Protect Cameras is a line of security cameras from Ubiquiti Networks that support the UniFi Protect platform for centralized management with remote access, smart monitoring and more. Ubiquiti UniFi Protect Cameras suffers from a Firmware Update Validation Insufficiency vulnerabilit...
CVE-2025-1693
The MongoDB Shell may be susceptible to control character injection where an attacker with control over the database cluster contents can inject control characters into the shell output. This may result in the display of falsified messages that appear to originate from mongosh or the underlying...
Malicious code in react-content-loader-fork (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 29f4fac1cd9b3669fd66345e097ee2be915ef08de77e2fe1a0473640df479d33 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
CVE-2025-26326
A vulnerability was identified in the NVDA Remote version 2.6.4 and Tele NVDA Remote version 2025.3.3 remote connection add-ons, which allows an attacker to obtain total control of the remote system by guessing a weak password. The problem occurs because these add-ons accept any password entered ...
MongoDB Shell may be susceptible to control character Injection via shell output
The MongoDB Shell may be susceptible to control character injection where an attacker with control over the database cluster contents can inject control characters into the shell output. This may result in the display of falsified messages that appear to originate from mongosh or the underlying...
CVE-2025-1693 MongoDB Shell may be susceptible to control character Injection via shell output
The MongoDB Shell may be susceptible to control character injection where an attacker with control over the database cluster contents can inject control characters into the shell output. This may result in the display of falsified messages that appear to originate from mongosh or the underlying...
MAL-2025-1543 Malicious code in fgrttry565be (npm)
This package runs commands in a pre-install script that exfils sensitive data to a attacker-controlled domain...
CVE-2025-25304
Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. Prior to version 5.26.0 of vega and 5.4.2 of vega-selections, the vlSelectionTuples function can be used to call JavaScript functions, leading to cross-site...
Vega allows Cross-site Scripting via the vlSelectionTuples function
Summary The vlSelectionTuples function can be used to call JavaScript functions, leading to XSS. Details vlSelectionTuples calls multiple functions that can be controlled by an attacker, including one call with an attacker-controlled argument. Example call: vlSelectionTuplesdatum:, fields:getter:...
GHSA-MP7W-MHCV-673J Vega allows Cross-site Scripting via the vlSelectionTuples function
Summary The vlSelectionTuples function can be used to call JavaScript functions, leading to XSS. Details vlSelectionTuples calls multiple functions that can be controlled by an attacker, including one call with an attacker-controlled argument. Example call: vlSelectionTuplesdatum:, fields:getter:...
CVE-2020-6296
SAP NetWeaver ABAP Server and ABAP Platform, versions - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 753, 755, allows an attacker to inject code that can be executed by the application, leading to Code Injection. An attacker could thereby control the behavior of the application...
CVE-2020-6262
Service Data Download in SAP Application Server ABAP ST-PI, before versions 2008146C, 20081620, 20081640, 20081700, 20081710, 740 allows an attacker to inject code that can be executed by the application. An attacker could thereby control the behavior of the application and the whole ABAP system...
CVE-2024-12084
A heap-based buffer overflow flaw was found in the rsync daemon. This issue is due to improper handling of attacker-controlled checksum lengths s2length in the code. When MAXDIGESTLEN exceeds the fixed SUMLENGTH 16 bytes, an attacker can write out of bounds in the sum2 buffer...
CVE-2023-24010 Data Distribution Service (DDS) Chain of Trust (CoT) violation in Fast DDS
An attacker can arbitrarily craft malicious DDS Participants or ROS 2 Nodes with valid certificates to compromise and get full control of the attacked secure DDS databus system by exploiting vulnerable attributes in the configuration of PKCS7 certificate’s validation. This is caused by a...
cups: libppd: remote command injection via attacker controlled data in PPD file
A security vulnerability was found in OpenPrinting CUPS. The function ppdCreatePPDFromIPP2 in the libppd library is responsible for generating a PostScript Printer Description PPD file based on attributes retrieved from an Internet Printing Protocol IPP response. Essentially, it takes printer...