Heap-based Buffer Overflow
Overview Affected versions of this package are vulnerable to Heap-based Buffer Overflow via the ReadOneJNGImage function. An attacker can access data on the heap or cause memory corruption by tricking a user into processing a specially crafted image file. Remediation A fix was pushed into the...
Sensitive Data Exposure
@finos/git-proxy is vulnerable to sensitive data exposure. The vulnerability is due to improper validation of commits in the pack sent to GitHub, which allows an attacker to inject unreferenced commits containing sensitive data and retrieve them via direct commit URLs without appearing in the...
CVE-2025-51691
Cross-Site Scripting (XSS) vulnerability found in MarkTwo commit e3a1d3f90cce4ea9c26efcbbf3a1cbfb9dcdb298 (May 2025) allows a remote attacker to execute arbitrary code via a crafted script input to the editor interface. The application does not properly sanitize user-supplied Markdown before renderin...
CVE-2025-54800
Hydra is a continuous integration service for Nix based projects. Prior to commit dea1e16, a malicious package can introduce arbitrary JavaScript code into the Hydra database that is automatically evaluated in a client's browser when anyone visits the build page. This could be done by a third-par...
CVE-2025-54864
CVE-2025-54864 affects Hydra (Nix-based CI) where the endpoints /api/push-github and /api/push-gitea were called without HTTP Basic authentication, despite the forges implementing HMAC with a secret key. The root cause is missing authentication on those calls, enabling heavy evaluations that can ...
CVE-2025-54864 Hydra missing authentication when triggering evaluations through GitHub and Gitea plugins
Hydra is a continuous integration service for Nix based projects. Prior to commit f7bda02, /api/push-github and /api/push-gitea are called by the corresponding forge without HTTP Basic authentication. Both forges do however feature HMAC signing with a secret key. Triggering an evaluation can be...
CVE-2025-54800 Hydra persistent XSS in build metrics
Hydra is a continuous integration service for Nix based projects. Prior to commit dea1e16, a malicious package can introduce arbitrary JavaScript code into the Hydra database that is automatically evaluated in a client's browser when anyone visits the build page. This could be done by a third-par...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the ASN1ObjectIdentifier. An attacker can cause excessive resource consumption by submitting specially crafted ASN.1 Object Identifiers, potentially leading to service disruption...
Security Bulletin: NVIDIA Merlin Transformers4Rec - August 2025
NVIDIA has released a software update for NVIDIA Merlin Transformers4Rec. To protect your system, install the software including the GitHub commit b7eaea5 of NVIDIA Merlin Transformers4Rec. Go to NVIDIA Product Security...
Security Bulletin: NVIDIA Isaac-GR00T - August 2025
NVIDIA has released a software update for NVIDIA Isaac-GR00T. To protect your system, install the software including the GitHub commit 9ca97e1 of NVIDIA Isaac-GR00T. Go to NVIDIA Product Security...
Linux Distros Unpatched Vulnerability : CVE-2024-58094
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - jfs: add check read-only before truncation in jfs_truncate_nolock. Added a check for read-only mode in the jfs_truncate_nolock function to avoid errors related to...
Security Bulletin: NVIDIA WebDataset - August 2025
NVIDIA has released a software update for NVIDIA WebDataset. To protect your system, install the software including the GitHub commit 9e95f50 of NVIDIA WebDataset. Go to NVIDIA Product Security...
PT-2025-32685 · Hydra · Hydra
Name of the Vulnerable Software and Affected Versions: Hydra versions prior to commit f7bda02 Description: Hydra is a continuous integration service for Nix based projects. The /api/push-github and /api/push-gitea API endpoints were called by their respective forges without HTTP Basic...
Linux Distros Unpatched Vulnerability : CVE-2022-48996
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In the Linux kernel, the following vulnerability has been resolved: mm/damon/sysfs: fix wrong empty schemes assumption under online tuning in damonsysfssetschem...
Linux Distros Unpatched Vulnerability : CVE-2024-26892
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7921e: fix use-after-free in free_irq. From commit a304e1b82808 PATCH Debug...
Linux Distros Unpatched Vulnerability : CVE-2017-7495
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - fs/ext4/inode.c in the Linux kernel before 4.6.2, when ext4 data=ordered mode is used, mishandles a needs-flushing-before-commit list, which allows local users...
Linux Distros Unpatched Vulnerability : CVE-2019-11478
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - Jonathan Looney discovered that the TCP retransmission queue implementation in tcp_fragment in the Linux kernel could be fragmented when handling certain TCP...