59 matches found
CVE-2026-10863 MISP User-controlled order parameter in correlations over-correlation endpoint
A security issue was fixed in the correlations over-correlation endpoint where the order query parameter was accepted from user-controlled named request parameters. This allowed an authenticated user to override the server-defined ordering of over-correlating values. Depending on how the value wa...
CVE-2026-40302
zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, the proxyUi template engine uses Go's text/template, which performs no HTML escaping, instead of html/template. The GitHub OAuth callback handlers in both publicProxy and dynamicProxy embed the...
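The zrok entry above hinges on the difference between Go's text/template and html/template. The block below is an added example written for this page, not zrok's code: the page template, the viewData type and the attacker-controlled login value are constructed for illustration, and the same template is rendered by both engines so the escaping behaviour can be compared directly.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	texttemplate "text/template"
)

// Constructed stand-in for a value an OAuth callback receives from the
// identity provider and echoes into the page (e.g. a display name).
// The payload is illustrative only.
const attackerLogin = `<script>alert(1)</script>`

// pageTmpl is a minimal hypothetical page body; it is not zrok's template.
const pageTmpl = `<p>Signed in as {{.Login}}</p>`

type viewData struct {
	Login string
}

// renderWithTextTemplate mirrors the vulnerable pattern: text/template
// substitutes the value verbatim, so any markup in it reaches the browser.
func renderWithTextTemplate(login string) (string, error) {
	t, err := texttemplate.New("page").Parse(pageTmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, viewData{Login: login}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// renderWithHTMLTemplate is the fix: html/template parses the template as
// HTML and applies context-aware escaping at each substitution point, so
// "<" and ">" in the value are emitted as "&lt;" and "&gt;".
func renderWithHTMLTemplate(login string) (string, error) {
	t, err := htmltemplate.New("page").Parse(pageTmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, viewData{Login: login}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	unsafe, _ := renderWithTextTemplate(attackerLogin)
	safe, _ := renderWithHTMLTemplate(attackerLogin)
	fmt.Println("text/template:", unsafe)
	fmt.Println("html/template:", safe)
}
```

The two functions differ only in the imported package; that is exactly why this class of bug is easy to introduce and easy to miss in review. A quick check for it is `grep -rn '"text/template"'` across any code that writes to an HTTP response.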
CVE-2026-33332
NiceGUI is a Python-based UI framework. Prior to version 3.9.0, NiceGUI's app.addmediafile and app.addmediafiles media routes accept a user-controlled query parameter that influences how files are read during streaming. The parameter is passed to the range-response implementation without...
OpenC3 COSMOS security vulnerability
OpenC3 COSMOS is an open source application from OpenC3. A security vulnerability exists in OpenC3 COSMOS versions 5.0.0 through 6.10.1, which stems from improper parsing of the text of an attacker-controlled parameter in Stringconverttovalue in the JSON-RPC API, and could lead to an unauthenticated...
CVE-2025-66507
1Panel is an open-source, web-based control panel for Linux server management. Versions 2.0.13 and below allow an unauthenticated attacker to disable CAPTCHA verification by abusing a client-controlled parameter. Because the server previously trusted this value without proper validation, CAPTCHA...
1Panel – CAPTCHA Bypass via Client-Controlled Flag
A CAPTCHA bypass vulnerability in the 1Panel authentication API allows an unauthenticated attacker to disable CAPTCHA verification by abusing a client-controlled parameter. Because the server previously trusted this value without proper validation, CAPTCHA protections could be bypassed, enabling...
EUVD-2021-18859
Malware in sbrugna...
EUVD-2018-2024
Malware in sbrugna...
EUVD-2020-12717
Malware in sbrugna...
EUVD-2018-1978
Malware in sbrugna...
EUVD-2022-50908
Malicious code in bioql PyPI...
CVE-2024-53995
SickChill is an automatic video library manager for TV shows. A user-controlled login endpoint's next parameter takes arbitrary content. Prior to commit c7128a8946c3701df95c285810eb75b2de18bf82, an authenticated attacker may use this to redirect the user to arbitrary destinations, leading to open...
CVE-2022-48198
The ntpddriver component before 1.3.0 and 2.x before 2.2.0 for the Robot Operating System (ROS) allows attackers, who control the source code of a different node in the same ROS application, to change a robot's behavior. This occurs because a topic name depends on the attacker-controlled timereftopic...
CVE-2022-45165
An issue was discovered in Archibus Web Central 2022.03.01.107. A service exposed by the application accepts a user-controlled parameter that is used to create an SQL query. It causes this service to be prone to SQL injection...
CVE-2018-1000647
LibreHealthIO lh-ehr version REL-2.0.0 contains an authenticated unrestricted file deletion vulnerability in Import template that can result in denial of service. This attack appears to be exploitable via a user-controlled parameter...
GPT Academic input validation error vulnerability
GPT Academic is an interface that provides practical interactions for large language models (LLMs) such as GPT/GLM. GPT Academic suffers from an open redirect vulnerability that originates from the application redirecting to a URL specified by the user-controlled file parameter without proper validation o...
jsPDF security vulnerability
jsPDF is a JavaScript-based PDF document generation library from Parallax. A security vulnerability exists in jsPDF versions prior to 3.0.1, which stems from the first parameter of the addImage method being user-controlled, and could lead to excessive CPU utilization and denial of service...
Vega cross-site scripting vulnerability
Vega is JavaScript-based software from the Vega team that can be used to create interactive visual displays. The software can describe data visualizations using JSON format and generate interactive views using HTML5 Canvas or SVG. Vega suffers from a cross-site scripting vulnerability that stems...
CVE-2024-53995 GHSL-2024-288: SickChill open redirect in login
SickChill is an automatic video library manager for TV shows. A user-controlled login endpoint's next parameter takes arbitrary content. Prior to commit c7128a8946c3701df95c285810eb75b2de18bf82, an authenticated attacker may use this to redirect the user to arbitrary destinations, leading to open...
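The SickChill entries (CVE-2024-53995) and the GPT Academic entry above are the same bug class: a redirect target taken verbatim from a request parameter. The following is an added example written for this page, not code from SickChill or GPT Academic. The function name safeNext, the fallback argument and the sample inputs are all constructed; the check accepts only a site-relative path and rejects absolute URLs, protocol-relative URLs (`//host`), backslash variants that browsers normalise to slashes, and CR/LF that could split the Location header.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// safeNext returns a redirect target derived from the user-supplied "next"
// parameter when it is a path on this site, and fallback otherwise.
// Hypothetical helper; the real projects' handlers are not reproduced here.
func safeNext(next, fallback string) string {
	if next == "" {
		return fallback
	}
	// Browsers treat "\" like "/" ("/\evil.example" becomes "//evil.example"),
	// and CR/LF in a Location header would let the value inject headers.
	if strings.ContainsAny(next, "\\\x00\r\n") {
		return fallback
	}
	u, err := url.Parse(next)
	if err != nil {
		return fallback
	}
	// A scheme, host, userinfo or opaque part means the target is absolute
	// or protocol-relative, i.e. it can leave the site.
	if u.Scheme != "" || u.Host != "" || u.Opaque != "" || u.User != nil {
		return fallback
	}
	// Require a single leading slash: "///evil.example" parses with an
	// empty host but a path starting with "//", which browsers resolve as
	// a network-path reference.
	if !strings.HasPrefix(u.Path, "/") || strings.HasPrefix(u.Path, "//") {
		return fallback
	}
	// Re-serialise from the parsed form so only path, query and fragment
	// survive.
	return u.String()
}

func main() {
	// Constructed sample inputs; evil.example is a placeholder host.
	for _, in := range []string{
		"/home",
		"/shows?page=2#top",
		"https://evil.example/phish",
		"//evil.example/phish",
		"/\\evil.example",
		"///evil.example",
		"javascript:alert(1)",
		"/home\r\nSet-Cookie: a=b",
		"",
	} {
		fmt.Printf("%-28q -> %q\n", in, safeNext(in, "/"))
	}
}
```

Allow-listing the path shape is preferable to deny-listing known-bad prefixes: every bypass in the list above (`//`, `/\`, `///`, scheme-only URLs) is a different way of expressing "not a plain site-relative path", and the positive check covers them all.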