
36 matches found

EUVD
added 2026/04/13 10:18 p.m. | 1 view

EUVD-2026-22128

jq is a command-line JSON processor. In commits before 2f09060afab23fe9390cce7cb860b10416e1bf5f, the jv_parse_sized API in libjq accepts a counted buffer with an explicit length parameter, but its error-handling path formats the input buffer using %s in jv_string_fmt, which reads until a NUL terminat...

CVSS 6.9 | AI score 5.9 | EPSS 0.00072
Exploits: 1 | References: 2

EUVD
added 2025/10/07 12:30 a.m. | 1 view

EUVD-2021-19557

Malware in sbrugna...

CVSS 7.5 | AI score 7.5 | EPSS 0.00346
Exploits: 1 | References: 4

EUVD
added 2025/10/03 8:7 p.m. | 1 view

EUVD-2024-2914

Malicious code in bioql PyPI...

CVSS 2.4 | AI score 7.9 | EPSS 0.00114
Exploits: 0 | References: 4

EUVD
added 2025/10/03 8:7 p.m. | 1 view

EUVD-2024-44834

Malicious code in bioql PyPI...

AI score 6.6 | EPSS 0.00034
Exploits: 0 | References: 2

EUVD
added 2025/10/03 8:7 p.m. | 2 views

EUVD-2022-26899

Malicious code in bioql PyPI...

CVSS 7.1 | AI score 7 | EPSS 0.00362
Exploits: 1 | References: 3

EUVD
added 2025/10/03 8:7 p.m. | 2 views

EUVD-2024-2214

Malicious code in bioql PyPI...

CVSS 7.5 | AI score 7.4 | EPSS 0.00485
Exploits: 1 | References: 5

EUVD
added 2025/10/03 8:7 p.m. | 2 views

EUVD-2022-0403

Malicious code in bioql PyPI...

CVSS 6.5 | AI score 6.5 | EPSS 0.01109
Exploits: 1 | References: 11

EUVD
added 2025/10/03 8:7 p.m. | 1 view

EUVD-2024-0220

Malicious code in bioql PyPI...

CVSS 7.5 | AI score 7.5 | EPSS 0.00635
Exploits: 0 | References: 6

EUVD
added 2025/10/03 8:7 p.m. | 1 view

EUVD-2023-38329

Malicious code in bioql PyPI...

CVSS 7.1 | AI score 6.6 | EPSS 0.00055
Exploits: 1 | References: 11

EUVD
added 2025/10/03 8:7 p.m. | 1 view

EUVD-2022-6821

Malicious code in bioql PyPI...

CVSS 7.1 | AI score 6.5 | EPSS 0.00492
Exploits: 1 | References: 5

EUVD
added 2025/10/03 8:7 p.m. | 1 view

EUVD-2024-2665

Malicious code in bioql PyPI...

CVSS 5.3 | AI score 6.3 | EPSS 0.00205
Exploits: 0 | References: 4

EUVD
added 2025/10/03 8:7 p.m. | 1 view

EUVD-2022-2039

Malicious code in bioql PyPI...

CVSS 7.1 | AI score 6.8 | EPSS 0.00136
Exploits: 1 | References: 9

RedhatCVE
added 2025/05/23 10:12 a.m. | 5 views

CVE-2024-32001

SpiceDB is a graph database purpose-built for storing and evaluating access control data. Use of a relation of the form: relation folder: folder | folderparent with an arrow such as folder-view can cause LookupSubjects to only return the subjects found under subjects for either folder or...

CVSS 4.3 | AI score 3.6 | EPSS 0.00303
Exploits: 0 | References: 1

CVE
added 2025/05/16 2:2 p.m. | 66 views

CVE-2025-47790

Nextcloud Server and Enterprise Server are affected by a session-handling bug that can skip the second-factor authentication after a successful login when remember_login_cookie_lifetime is set to 0 and the session times out. Affected versions: Nextcloud Server prior to 29.0.15, 30.0.9, and 31.0.3...

CVSS 6.4 | AI score 6.5 | EPSS 0.00078
Exploits: 0 | References: 3 | Affected Software: 1

Vulnrichment
added 2025/05/16 2:2 p.m. | 10 views

CVE-2025-47790 Nextcloud Server doesn't request second factor after session timeout

Nextcloud Server is a self hosted personal cloud system. Nextcloud Server prior to 29.0.15, 30.0.9, and 31.0.3 and Nextcloud Enterprise Server prior to 26.0.13.15, 27.1.11.15, 28.0.14.6, 29.0.15, 30.0.9, and 31.0.3 have a bug with session handling. The bug caused skipping the second factor...

CVSS 6.4 | AI score 7.2 | EPSS 0.00078
Exploits: 0 | References: 3

CVE
added 2025/03/25 11:0 p.m. | 68 views

CVE-2025-30222

Shescape vulnerability (CVE-2025-30222) affects versions 1.7.2–2.1.1 of the JavaScript shell-escape library. On Windows, when shell: 'cmd.exe' or shell: true is configured and any of quote/quoteAll/escape/escapeAll is used, an attacker may gain read-only access to environment variables due to env...

CVSS 5.9 | AI score 7 | EPSS 0.00107
Exploits: 0 | References: 4

OSV
added 2024/12/23 7:28 p.m. | 3 views

GHSA-F7QJ-V3VP-4856 libafl has unsound usages of `core::slice::from_raw_parts_mut`

The library breaks the safety assumptions when using unsafe API slice::from_raw_parts_mut. The pointer passed to from_raw_parts_mut is misaligned by casting u8 to u16 raw pointer directly, which is unsound. The bug is patched by using align_offset, which could make sure the memory address is aligned to ...

CVSS 6.9 | AI score 7.2
Exploits: 0 | References: 6

CVE
added 2024/10/23 3:45 p.m. | 49 views

CVE-2024-49751

CVE-2024-49751 affects Press (a Frappe-based app) prior to commit 5d118a902872d7941f099ad1fb918e2421e79ccd. The issue allows a user to inject HTML through SaaS signup inputs, with impact limited to the submitting user, not other users. The underlying cause is unsafe HTML handling in SaaS signup f...

CVSS 5.1 | AI score 6.5 | EPSS 0.00204
Exploits: 0 | References: 2

Vulnrichment
added 2024/10/23 3:45 p.m. | 10 views

CVE-2024-49751 Frappe Press possible HTML injection through SaaS Signup inputs

Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS). Prior to commit 5d118a902872d7941f099ad1fb918e2421e79ccd, a user could inject HTML through SaaS signup inputs. The user who injected the unsafe HTML code would onl...

CVSS 5.1 | AI score 6.8 | EPSS 0.00204
Exploits: 0 | References: 2

OSV
added 2024/04/03 10:49 a.m. | 25 views

BIT-ARGO-CD-2024-29893 Uncontrolled Resource Consumption vulnerability in ArgoCD's repo server

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of ArgoCD starting from v2.4 have a bug where the ArgoCD repo-server component is vulnerable to a Denial-of-Service attack vector. Specifically, it's possible to crash the repo server component through an out o...

CVSS 6.5 | AI score 6.4 | EPSS 0.00821
Exploits: 0 | References: 5