Thymeleaf security vulnerability
Thymeleaf is an open-source Java template engine developed by Thymeleaf projects. Versions of Thymeleaf prior to 3.1.5.RELEASE contained security vulnerabilities. These vulnerabilities stemmed from a security bypass in the expression execution mechanism, which could lead to server-side template...
CVE-2026-24961
Server-Side Request Forgery SSRF vulnerability in ThemeGoods Grand Blog grandblog allows Server Side Request Forgery. This issue affects Grand Blog: from n/a through 3.1.5...
CVE-2026-21860 Werkzeug safe_join() allows Windows special device names with compound extensions
Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.5, Werkzeug's safe_join function allows path segments with Windows device names that have file extensions or trailing spaces. On Windows, there are special device names such as CON, AUX, etc. that are implicitly present...
CVE-2025-61802
Substance3D - Stager versions 3.1.4 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file...
EUVD-2025-25270
Malicious code in bioql PyPI...
EUVD-2025-25384
Malicious code in bioql PyPI...
CVE-2025-5261
Authorization Bypass Through User-Controlled Key vulnerability in Pik Online Yazılım Çözümleri A.Ş. Pik Online allows Exploitation of Trusted Identifiers. This issue affects Pik Online: before 3.1.5...
CVE-2025-5260
Server-Side Request Forgery SSRF vulnerability in Pik Online Yazılım Çözümleri A.Ş. Pik Online allows Server Side Request Forgery. This issue affects Pik Online: before 3.1.5...
CVE-2025-5261 IDOR in PozitifIK's Pik Online
Authorization Bypass Through User-Controlled Key vulnerability in Pik Online Yazılım Çözümleri A.Ş. Pik Online allows Exploitation of Trusted Identifiers. This issue affects Pik Online: before 3.1.5...
CVE-2025-5260
CVE-2025-5260 is an SSRF vulnerability in Pik Online Yazılım Çözümleri A.Ş. Pik Online prior to version 3.1.5. The issue is triggered via server-side requests from the application, allowing an attacker to induce requests to internal or external resources. The CVE is corroborated by multiple sourc...
PozitifIK Pik Online code issue vulnerability
PozitifIK Pik Online is an online exam application from PozitifIK, Inc. A security vulnerability exists in PozitifIK Pik Online versions prior to 3.1.5 that stems from vulnerability to server-side request forgery attacks...
PT-2025-34026 · Unknown · Pik Online
Name of the Vulnerable Software and Affected Versions: Pik Online versions prior to 3.1.5 Description: An authorization bypass issue exists in Pik Online due to exploitation of trusted identifiers through a user-controlled key. Recommendations: Update Pik Online to version 3.1.5 or later...
CVE-2023-1730
The SupportCandy WordPress plugin before 3.1.5 does not validate and escape user input before using it in an SQL statement, which could allow unauthenticated attackers to perform SQL injection attacks...
CVE-2025-3734
Allocation of Resources Without Limits or Throttling vulnerability in Drupal Stage File Proxy allows Flooding. This issue affects Stage File Proxy: from 0.0.0 before 3.1.5...
CVE-2024-11216
Authorization Bypass Through User-Controlled Key, Exposure of Private Personal Information to an Unauthorized Actor vulnerability in PozitifIK Pik Online allows Account Footprinting, Session Hijacking. This issue affects Pik Online: before 3.1.5...
DEBIAN-CVE-2024-56201
Jinja is an extensible templating engine. In versions on the 3.x branch prior to 3.1.5, a bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used. To exploit the vulnerability...
ALPINE-CVE-2024-56326
Jinja is an extensible templating engine. Prior to 3.1.5, an oversight in how the Jinja sandboxed environment detects calls to str.format allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs to control the...