CVE-2026-29185 @backstage/integration: Potential reading of SCM URLs using built in token

Backstage is an open framework for building developer portals. Prior to version 1.20.1, a vulnerability in the SCM URL parsing used by Backstage integrations allowed path traversal sequences in encoded form to be included in file paths. When these URLs were processed by integration functions that...

PT-2026-23440

Name of the Vulnerable Software and Affected Versions Backstage versions prior to 1.20.1 Description Backstage is a framework for building developer portals. A flaw in how Backstage handles SCM URLs within integrations permitted path traversal sequences, even when encoded. This allowed requests t...

编号撤回

JetBrains YouTrack is a browser-based bug tracking and project management software from the Czech company JetBrains. The software features bug tracking, creating workflows and monitoring project progress. A security vulnerability exists in versions prior to JetBrains YouTrack 2025.3.104432, which...

EUVD-2014-3700

Malware in sbrugna...

SUSE CVE-2023-5752

When installing a package from a Mercurial VCS URL ie "pip install hg+..." with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the "hg clone" call ie "--config". Controlling the Mercurial configuration can modify how and which...

CVE-2021-43444

ONLYOFFICE all versions as of 2021-11-08 is affected by Incorrect Access Control. Signed document download URLs can be forged due to a weak default URL signing key...

parse-url 信息泄露漏洞

parse-url is an advanced url parser with git url support. An information disclosure vulnerability exists in versions of parse-url prior to 7.0.0, which can be exploited by attackers to expose sensitive information to unauthorized participants...

U.S. Dept Of Defense: Reflected XSS through clickjacking at https://████

Description: I'm able to control the url being inserted into the query line at https://█████/████&url=http%3a%2f%2fgalnagli.com%2f%3Cimg+src%3dx+onerror%3dalert%28document.domain%29%3E The server issues a request there is also SSRF here I'll report later to the domain specified, and it renders th...

Sofacy Russia-Linked APT Debuts Fresh Zebrocy Variant

The Zebrocy trojan – a custom downloader malware used by Russia-linked APT Sofacy a.k.a. APT28, Fancy Bear or Sednit – has a new variant. While it’s functionally much the same as its other versions, the new code was written using the Go programming language. The similarities between the new paylo...

CVE-2014-3761

Cross-site scripting XSS vulnerability in D-Link DAP 1150 with firmware 1.2.94 allows remote attackers to inject arbitrary web script or HTML via the resbuf parameter to index.cgi in the Control/URL-filter section...

Cross site scripting

Cross-site scripting XSS vulnerability in D-Link DAP 1150 with firmware 1.2.94 allows remote attackers to inject arbitrary web script or HTML via the resbuf parameter to index.cgi in the Control/URL-filter section...

CVE-2014-3760

Multiple cross-site request forgery CSRF vulnerabilities in D-Link DAP 1150 with firmware 1.2.94 allow remote attackers to hijack the authentication of administrators for requests that 1 enable or 2 disable the DMZ in the Firewall/DMZ section via a request to index.cgi or 3 add, 4 modify, or 5...