CVE-2026-9136
A vulnerability was identified in the ShadowAttribute proposal creation workflow. The add action accepted user-controlled ShadowAttribute request data without removing the id field before saving the record. Because the underlying framework treats a supplied primary key as an instruction to update...
GHSA-9F8M-9547-2GQM Gophish is vulnerable to Incorrect Access Control
Gophish = 0.12.1 is vulnerable to Incorrect Access Control. The administrative dashboard exposes each user’s long-lived API key directly inside the rendered HTML/JavaScript of the page on every login. This makes permanent API credentials accessible to any script running in the browser context...
CVE-2025-62395
A flaw in the cohort search web service allowed users with permissions in lower contexts to access cohort information from the system context, revealing restricted administrative data...
CVE-2025-62395
CVE-2025-62395 affects Moodle LMS via a flaw in the cohort search web service. The issue allows users with permissions in lower contexts to access cohort information from the system context, potentially exposing restricted administrative data. The Connected documents confirm the vulnerability des...
EUVD-2022-1860
Malicious code in bioql PyPI...
AZL-68054 CVE-2025-4953 affecting package podman for versions less than 5.6.1-2
A flaw was found in Podman. In a Containerfile or Podman, data written to RUN --mount=type=bind mounts during the podman build is not discarded. This issue can lead to files created within the container appearing in the temporary build context directory on the host, leaving the created files...
PT-2025-38004
Name of the Vulnerable Software and Affected Versions: Podman, affected versions not specified. Description: A flaw exists in Podman where data written to RUN --mount=type=bind mounts during the podman build process is not discarded. This can result in files created within the container appearing in...
Path Traversal
Copier is vulnerable to Path Traversal. The vulnerability is due to exposing unconstrained pathlib.Path objects in the Jinja context, which allows an attacker to read and write arbitrary files on the filesystem...
CVE-2023-50439
ZED containers produced by PRIMX ZED! for Windows before Q.2020.3 ANSSI qualification submission, ZED! for Windows before Q.2021.2 ANSSI qualification submission, ZONECENTRAL for Windows before Q.2021.2 ANSSI qualification submission, ZONECENTRAL for Windows before 2023.5, or ZEDMAIL for Windows...
PT-2023-24654 · Spring · Spring For Graphql
Name of the Vulnerable Software and Affected Versions: Spring for GraphQL versions 1.1.0 through 1.1.5 Spring for GraphQL versions 1.2.0 through 1.2.2 Description: A batch loader function in Spring for GraphQL may be exposed to GraphQL context with values, including security context values, from ...
PT-2022-14865
Name of the Vulnerable Software and Affected Versions: metacalc versions prior to 0.0.2. Description: The issue allows for Arbitrary Code Execution when the Math class is exposed to the v8 context, enabling access to JavaScript's Function constructor. This exposure to user-land can be exploited...
Siren Federate Security Vulnerability
Siren Federate is an application from Siren Ireland. It extends the Elasticsearch API to add high performance and scalable joins. A security vulnerability exists in Siren Federate that discloses user information across thread contexts when a low-privileged user and a high-privileged user execute...
JSONP Callback Attack
Overview: Affected versions of this package are vulnerable to JSONP Callback Attack. JSONP (JSON with padding) is a method used to request data from a server residing in a different domain than the client. Any URL could perform JSONP requests, allowing full access to the browser and the JavaScript...
mod_cluster registers and exposes the root context of a server by default, despite ROOT being in the excluded-contexts list
modcluster 1.0.10 before 1.0.10 CP03 and 1.1.x before 1.1.4, as used in JBoss Enterprise Application Platform 5.1.2, when "ROOT" is set to excludedContexts, exposes the root context of the server, which allows remote attackers to bypass access restrictions and gain access to applications deployed...