
45 matches found

NVD
added 2026/06/17 5:16 p.m., 7 views

CVE-2025-71321

picklescan before 0.0.33 contains an arbitrary file writing vulnerability that allows attackers to bypass the dangerous blocklist by using distutils.file_util.write_file. Attackers can construct malicious pickle objects to overwrite critical system files and achieve denial of service or remote code...

CVSS 9.8, EPSS 0.00624
Exploits 0, References 2
CNNVD
added 2026/05/27 12:00 a.m., 7 views

Budibase code issue vulnerability

Budibase is an open-source platform developed by Budibase in the UK. It allows for the creation of internal applications, workflows, and management panels within minutes. Versions of Budibase prior to 3.38.1 contained code-related vulnerabilities. These vulnerabilities stemmed from the integratio...

CVSS 7.7, AI score 5.8, EPSS 0.00258
Exploits 0, References 2
Positive Technologies
added 2026/05/21 12:00 a.m., 9 views

PT-2026-42698

Summary When an application using Pydantic AI opts a URL into force download='allow-local' which disables the default block on private/internal IPs, the cloud-metadata blocklist could be bypassed by encoding the metadata IP in an IPv6 transition form IPv4-mapped IPv6, 6to4, or NAT64. Dual-stack a...

CVSS 8.6, AI score 5.8, EPSS 0.00464
Exploits 1, References 4
AstraLinux
added 2026/05/03 11:59 p.m., 2 views

Astra Linux – Vulnerability in Python 3.7, Python 2.7

An issue in the urllib.parse component of Python prior to version 3.11.4 allows attackers to bypass blocklisting methods by providing a URL that starts with blank characters...

CVSS 7.5, AI score 7.5, EPSS 0.20459
Exploits 3, References 2
CNNVD
added 2026/05/02 12:00 a.m., 7 views

WordPress plugin Import and export users and customers security vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

CVSS 8.8, AI score 5.8, EPSS 0.00665
Exploits 0, References 1
CNNVD
added 2026/04/20 12:00 a.m., 8 views

OpenMage Magento LTS (Magento) security vulnerability

OpenMage Magento LTS (Magento) is an e-commerce system developed by the OpenMage organization. Versions of OpenMage Magento LTS prior to 20.17.0 contained security vulnerabilities. These vulnerabilities stemmed from incomplete blocklists used during the upload of product customization files, which...

CVSS 8.8, AI score 6.1, EPSS 0.00691
Exploits 1, References 1
CNNVD
added 2026/03/20 12:00 a.m., 5 views

SiYuan security vulnerability

SiYuan is a privacy-oriented personal knowledge management system developed by SiYuan itself. Versions of SiYuan 3.6.0 and earlier contained security vulnerabilities. These vulnerabilities stemmed from incomplete blocklists in SanitizeSVG, as well as the lack of escaping, which could lead to...

CVSS 9.3, AI score 6.2, EPSS 0.00302
Exploits 1, References 4
Veracode
added 2026/02/16 9:43 a.m., 4 views

Unsafe Deserialization

The affected library is vulnerable to Unsafe Deserialization. The vulnerability is due to improper handling of pickle deserialization combined with the use of logging.FileHandler, which allows an attacker to bypass RCE-focused blocklists and create zero-byte files in arbitrary locations on the...

AI score 5.9
Exploits 0
OSV
added 2026/02/09 8:35 p.m., 4 views

GHSA-8JR8-7HR4-VHFX Craft CMS Vulnerable to SSRF in GraphQL Asset Mutation via HTTP Redirect

Summary The saveAsset GraphQL mutation validates the initial URL hostname and resolved IP against a blocklist, but Guzzle follows HTTP redirects by default. An attacker can bypass all SSRF protections by hosting a redirect that points to cloud metadata endpoints or any internal IP addresses. ---...

CVSS 6.9, AI score 5.6, EPSS 0.00359
Exploits 1, References 6
CNNVD
added 2026/02/09 12:00 a.m., 5 views

Craft CMS code issue vulnerability

Craft CMS is an open-source content management system developed by Craft CMS. There are code vulnerabilities in versions 4.0.0-RC1 to 4.16.17, and from 5.0.0-RC1 to 5.8.21 of Craft CMS. These vulnerabilities stem from the IP address validation function’s inability to recognize alternate...

CVSS 6.9, AI score 5.9, EPSS 0.00359
Exploits 1, References 3
OSV
added 2026/02/02 8:50 p.m., 5 views

GHSA-M7J5-R2P5-C39R picklescan vulnerable to arbitrary file create using logging.FileHandler

Summary Unsafe pickle deserialization allows unauthenticated attackers to perform Arbitrary File Creation. By chaining the logging.FileHandler class, an attacker can bypass RCE-focused blocklists to create empty files on the server. The vulnerability allows creating zero-byte files in arbitrary...

CVSS 6.9, AI score 5.8
Exploits 0, References 5
Packet Storm News
added 2025/10/29 12:00 a.m., 3 views

Is Protective DNS Blocking the Wild West?

We perform a passive measurement study investigating how a Protective DNS service might perform in a Research & Education Network serving hundreds of member institutions. Utilizing freely-available DNS blocklists consisting of domain names deemed to be threats, we test hundreds of millions of...

AI score 6.9
Exploits 0
CISA KEV Catalog
added 2025/10/02 12:00 a.m., 11 views

Jenkins Remote Code Execution Vulnerability

Jenkins contains a remote code execution vulnerability. This vulnerability could allow attackers to transfer a serialized Java SignedObject object to the remoting-based Jenkins CLI, which would be deserialized using a new ObjectInputStream, bypassing the existing blocklist-based protection...

CVSS 9.8, AI score 7.7, EPSS 0.99686
Exploited in the wild, Exploits 36
RedhatCVE
added 2025/08/30 6:19 p.m., 4 views

CVE-2025-9376

The Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection plugin for WordPress is vulnerable to unauthorized access of data due to an insufficient capability check on the 'stopbadbots_check_wordpress_logged_in_cookie' function in all versions up to, and including, 11.58. This...

CVSS 6.5, AI score 5.7, EPSS 0.00332
Exploits 0, References 1
CVE
added 2025/08/28 11:16 a.m., 20 views

CVE-2025-9376

CVE-2025-9376 affects the WordPress plugin Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection, versions up to and including 11.58. The vulnerability stems from an insufficient capability check in the stopbadbots_check_wordpress_logged_in_cookie function, allowing unaut...

CVSS 6.5, AI score 6.5, EPSS 0.00332
Exploits 0, References 4
OSV
added 2024/08/26 12:30 a.m., 10 views

GHSA-CJ55-GC7M-WVCQ req may send an unintended request when a malformed URL is provided

The req library is a widely used HTTP library in Go. However, it does not handle malformed URLs effectively. As a result, after parsing a malformed URL, the library may send HTTP requests to unexpected destinations, potentially leading to security vulnerabilities or unintended behavior in...

CVSS 7.2, AI score 10, EPSS 0.00724
Exploits 0, References 5
Github Security Blog
added 2024/08/26 12:30 a.m., 20 views

req may send an unintended request when a malformed URL is provided

The req library is a widely used HTTP library in Go. However, it does not handle malformed URLs effectively. As a result, after parsing a malformed URL, the library may send HTTP requests to unexpected destinations, potentially leading to security vulnerabilities or unintended behavior in...

CVSS 9.8, AI score 7.9, EPSS 0.00724
Exploits 0, References 5, Affected Software 3
Malwarebytes
added 2023/11/14 1:55 p.m., 49 views

Credit card skimming on the rise for the holiday shopping season

As we head into shopping season, customers aren't the only ones getting excited. More online shopping means more opportunities for cybercriminals to grab their share using scams and data theft. One particular threat we're following closely and expect to increase over the next several weeks is credi...

AI score 7
Exploits 0
RedHat Linux
added 2023/07/12 8:33 a.m., 4 views

python: urllib.parse url blocklisting bypass

A flaw was found in the Python package. An issue in the urllib.parse component could allow attackers to bypass blocklisting methods by supplying a URL that starts with blank characters. This may lead to compromised Integrity...

CVSS 7.5, AI score 6.8, EPSS 0.20459
Exploits 3, References 5
RedHat Linux
added 2023/06/29 11:39 a.m., 9 views

python: urllib.parse url blocklisting bypass

A flaw was found in the Python package. An issue in the urllib.parse component could allow attackers to bypass blocklisting methods by supplying a URL that starts with blank characters. This may lead to compromised Integrity...

CVSS 7.5, AI score 6.8, EPSS 0.20459
Exploits 3, References 5