211 matches found

vulnersOsv (added 2026/05/12 5:49 a.m.)

atlas-mcp (=0.1.0), blackmaria (=0.1.0) +5 more potentially affected by unknown CVE via guardrails-ai (=0.10.0)

guardrails-ai PYPI version =0.10.0 is affected by a known vulnerability. The following packages have a transitive dependency on guardrails-ai and may be impacted:
- atlas-mcp =0.1.0
- blackmaria =0.1.0
- dao-ai =0.1.39, =0.0.0a0, =0.1.0, =0.1.3
Source cves: unknown CVE. Source advisory: ...

AI score 5.8 | Exploits 0

vulnersOsv (added 2026/05/11 9:00 p.m.)

athina (=1.1.0), atlas-mcp (=0.1.0) +7 more potentially affected by unknown CVE via guardrails-ai (>=0.10.0 <=0.8.0)

guardrails-ai PYPI version =0.10.0, =0.1.39, =0.0.0a0, =0.0.1, =0.1.0, =0.1.3 Source cves: unknown CVE. Source advisory: SNYK:PYTHON-GUARDRAILSAI-16641086...

AI score 5.8 | Exploits 0

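What "potentially affected via" means in practice is a reverse walk of the dependency graph from the vulnerable package up to everything that reaches it, with the chain recorded so a team can see which direct dependency to bump. The following Python is an added example, not Vulners', OSV's or Snyk's code. Its graph is constructed from the package names in the two entries above using exact version pins; real advisories match version ranges, which this example deliberately does not model.

```python
"""Which packages are 'potentially affected via' a vulnerable dependency.
Added example, not Vulners' or OSV's code. The graph is constructed from the
package names in the entries above, with exact version pins; real advisories
match version ranges, which this example deliberately does not model."""
from collections import deque

# (package, version) -> list of (dependency, pinned version); constructed data
DEPENDENCIES = {
    ("atlas-mcp", "0.1.0"): [("guardrails-ai", "0.10.0")],
    ("blackmaria", "0.1.0"): [("dao-ai", "0.1.39")],
    ("dao-ai", "0.1.39"): [("guardrails-ai", "0.10.0")],
    ("athina", "1.1.0"): [("guardrails-ai", "0.8.0")],
    ("guardrails-ai", "0.10.0"): [],
    ("guardrails-ai", "0.8.0"): [],
}


def reverse_graph(deps):
    """Invert the graph: (name, version) -> the packages that require it."""
    dependents = {}
    for pkg, requirements in deps.items():
        for req in requirements:
            dependents.setdefault(req, []).append(pkg)
    return dependents


def transitive_dependents(deps, vulnerable):
    """Return {package: chain} for every package that reaches `vulnerable`,
    where chain is the path from that package down to the vulnerable one.
    Breadth-first, so each package is reported with its shortest chain."""
    dependents = reverse_graph(deps)
    found = {}
    queue = deque([(vulnerable, [vulnerable])])
    while queue:
        node, path = queue.popleft()
        for parent in dependents.get(node, []):
            if parent in found or parent == vulnerable:
                continue          # already reported, or a cycle back to the start
            found[parent] = [parent] + path
            queue.append((parent, found[parent]))
    return found


def headline(vulnerable, affected, shown=2):
    """Render the listing-style one-liner: first N dependents, '+K more', the cause."""
    labels = sorted(f"{name} (={ver})" for name, ver in affected)
    text = ", ".join(labels[:shown])
    if len(labels) > shown:
        text += f" +{len(labels) - shown} more"
    return f"{text} potentially affected via {vulnerable[0]} (={vulnerable[1]})"


def chain_to_str(chain):
    """Human-readable dependency chain, top-level package first."""
    return " -> ".join(f"{name}=={ver}" for name, ver in chain)


if __name__ == "__main__":
    vuln = ("guardrails-ai", "0.10.0")
    affected = transitive_dependents(DEPENDENCIES, vuln)
    print(headline(vuln, affected))
    for chain in affected.values():
        print("  ", chain_to_str(chain))
```

The chain is the useful output: blackmaria does not depend on guardrails-ai directly, so the fix for it is a dao-ai release that pins a patched guardrails-ai, not a change in blackmaria's own requirements.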
Veracode (added 2026/04/30 7:50 a.m.)

Sensitive Information Disclosure

Spring Security is vulnerable to Sensitive Information Disclosure. The vulnerability is due to a bypass of the timing attack protections in DaoAuthenticationProvider when handling disabled, expired, or locked user states, which allows an attacker to infer user account status through response timing...

CVSS 3.7 | AI score 5.2 | EPSS 0.00067 | Exploits 0 | References 2 | Affected software 1

vulnersOsv (added 2026/04/24 12:30 p.m.)

org.apache.dolphinscheduler:dolphinscheduler-alert-server (>=3.0.0 <=3.4.0), org.apache.dolphinscheduler:dolphinscheduler-api (>=3.0.0 <=3.0.6) +11 more potentially affected by CVE-2026-23902 via org.apache.dolphinscheduler:dolphinscheduler-dao (>=3.0.0-alpha <=3.4.0)

org.apache.dolphinscheduler:dolphinscheduler-dao MAVEN version =3.0.0-alpha, =3.0.0, =3.0.0, =3.3.2, =3.0.0, =3.0.0, =3.2.0, =3.1.0, =3.1.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.6 Source cves: CVE-2026-23902. Source advisory: SNYK:JAVA-ORGAPACHEDOLPHINSCHEDULER-16431737...

CVSS 8.1 | AI score 5.8 | EPSS 0.00023 | Exploits 0

Snyk (added 2026/04/24 12:30 p.m.)

Incorrect Authorization

Overview: org.apache.dolphinscheduler:dolphinscheduler-dao is a visual DAG workflow scheduling system, dedicated to solving the complex dependencies in data processing. Affected versions of this package are vulnerable to Incorrect Authorization during workflow execution. An attacker can gain...

CVSS 8.6 | AI score 5.8 | EPSS 0.00023 | Exploits 0 | References 2

OSV (added 2026/04/22 6:30 a.m.)

GHSA-VXF7-QJ7Q-83FH Spring Security Vulnerable to User Attribute Enumeration when Using DaoAuthenticationProvider

Vulnerability in Spring Security. If an application is using the UserDetails isEnabled, isAccountNonExpired, or isAccountNonLocked user attributes to enable, expire, or lock users, then DaoAuthenticationProvider's timing attack defense can be bypassed for users who are disabled, expired, o...

CVSS 3.7 | AI score 5.8 | EPSS 0.00067 | Exploits 0 | References 3

Cvelist (added 2026/04/22 5:02 a.m.)

CVE-2026-22746 User Attribute Enumeration when Using DaoAuthenticationProvider

Vulnerability in Spring Security. If an application is using the UserDetails isEnabled, isAccountNonExpired, or isAccountNonLocked user attributes to enable, expire, or lock users, then DaoAuthenticationProvider's timing attack defense can be bypassed for users who are disabled, expired, o...

CVSS 3.7 | EPSS 0.00067 | Exploits 0 | References 1

Vulnrichment (added 2026/04/22 5:02 a.m.)

CVE-2026-22746 User Attribute Enumeration when Using DaoAuthenticationProvider

Vulnerability in Spring Security. If an application is using the UserDetails isEnabled, isAccountNonExpired, or isAccountNonLocked user attributes to enable, expire, or lock users, then DaoAuthenticationProvider's timing attack defense can be bypassed for users who are disabled, expired, o...

CVSS 3.7 | AI score 5.7 | EPSS 0.00067 | Exploits 0 | References 1

CVE (added 2026/04/17 8:25 p.m.)

CVE-2026-40285

WeGIA web manager versions before 3.6.10 are affected by a SQL injection in dao/memorando/UsuarioDAO.php. The flaw stems from the cpf_usuario POST parameter being used to overwrite the session-stored user identity via extract($_REQUEST) in DespachoControle::verificarDespacho(), with the attacker-...

CVSS 8.8 | AI score 5.9 | EPSS 0.00045 | Exploits 0 | References 1

Vulnrichment (added 2026/04/17 8:25 p.m.)

CVE-2026-40285 WeGIA has SQL Injection via Session Variable Override in DespachoControle.php

WeGIA is a web manager for charitable institutions. Versions prior to 3.6.10 contain a SQL injection vulnerability in dao/memorando/UsuarioDAO.php. The cpf_usuario POST parameter overwrites the session-stored user identity via extract($_REQUEST) in DespachoControle::verificarDespacho(), and the...

CVSS 8.8 | AI score 5.9 | EPSS 0.00045 | Exploits 0 | References 1

CNNVD (added 2026/04/17 12:00 a.m.)

WeGIA security vulnerability

WeGIA is a web manager for charitable institutions developed by Nilson Lazarin. Versions of WeGIA prior to 3.6.10 contain a security vulnerability caused by improper handling of the cpf_usuario parameter in the dao/memorando/UsuarioDAO.php file. This improper handling could lead...

CVSS 8.8 | AI score 5.9 | EPSS 0.00045 | Exploits 0 | References 2

NVD (added 2026/04/06 9:16 p.m.)

CVE-2026-35395

WeGIA is a web manager for charitable institutions. Prior to 3.6.9, WeGIA (Web gerenciador para instituições assistenciais) contains a SQL injection vulnerability in dao/memorando/DespachoDAO.php. The idmemorando parameter is extracted from $_REQUEST without validation and directly interpolated into...

CVSS 8.8 | EPSS 0.00012 | Exploits 1 | References 1

EUVD (added 2026/04/06 9:01 p.m.)

EUVD-2026-19495

WeGIA is a web manager for charitable institutions. Prior to 3.6.9, WeGIA (Web gerenciador para instituições assistenciais) contains a SQL injection vulnerability in dao/memorando/DespachoDAO.php. The idmemorando parameter is extracted from $_REQUEST without validation and directly interpolated into...

CVSS 8.8 | AI score 6.2 | EPSS 0.00012 | Exploits 1 | References 1

CVE (added 2026/04/02 12:30 p.m.)

CVE-2026-5328

CVE-2026-5328 affects shsuishang modulithshop, specifically the listItem function in ProductItemDao/ProductIndexServiceImpl.java. The vulnerability arises from manipulation of the sidx/sort parameter, enabling SQL injection via remote input. A patch identified as 42bcb9463425d1be906c3b290cf29885eb5a232...

CVSS 6.5 | AI score 6.4 | EPSS 0.00043 | Exploits 0 | References 7

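The WeGIA entries above (CVE-2026-40285, CVE-2026-35395) interpolate a request parameter into a WHERE literal; the modulithshop entry (CVE-2026-5328) injects through a sidx/sort parameter that lands in ORDER BY. The two positions need different fixes, and the Python/sqlite3 example below is added here to show why; it is not code from WeGIA, modulithshop or any other project on this page. It reproduces both shapes on a constructed usuario table (table, column names and rows are assumptions), shows that a bound parameter closes the first hole but cannot be used for a column name, so the sort column has to be checked against an allow-list, and demonstrates a boolean-based blind probe through the ORDER BY position that recovers a stored value one character at a time. The extract($_REQUEST) session-override aspect of the WeGIA bug is PHP-specific and is not modeled.

```python
"""SQL injection in a value position and in an identifier position.
Added example on sqlite3, not WeGIA's or modulithshop's code; the usuario table,
its columns and its rows are constructed for the demonstration."""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE usuario (id INTEGER PRIMARY KEY, cpf TEXT, nome TEXT, senha_hash TEXT)")
    conn.executemany(
        "INSERT INTO usuario (cpf, nome, senha_hash) VALUES (?, ?, ?)",
        [("11111111111", "alice", "hash-a"),
         ("22222222222", "bob", "hash-b"),
         ("33333333333", "carol", "hash-c")],
    )
    return conn


# Value position: the WeGIA shape, a request parameter pasted into a WHERE literal.
def find_user_vulnerable(conn, cpf: str) -> list:
    sql = f"SELECT nome FROM usuario WHERE cpf = '{cpf}'"   # attacker closes the quote
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, cpf: str) -> list:
    # a bound parameter stays data whatever it contains
    return [row[0] for row in conn.execute("SELECT nome FROM usuario WHERE cpf = ?", (cpf,))]


# Identifier position: the modulithshop shape, sidx/sort pasted into ORDER BY.
def list_users_vulnerable(conn, sidx: str, order: str) -> list:
    sql = f"SELECT nome FROM usuario ORDER BY {sidx} {order}"
    return [row[0] for row in conn.execute(sql)]


ALLOWED_SORT_COLUMNS = {"id", "cpf", "nome"}
ALLOWED_ORDER = {"ASC", "DESC"}


def is_valid_sort(sidx: str, order: str) -> bool:
    return sidx in ALLOWED_SORT_COLUMNS and order.upper() in ALLOWED_ORDER


def list_users_safe(conn, sidx: str, order: str) -> list:
    # a placeholder cannot stand in for a column name, so the request value is
    # matched against a fixed set of identifiers and anything else is rejected
    if not is_valid_sort(sidx, order):
        raise ValueError("unsupported sort parameters")
    return [row[0] for row in conn.execute(f"SELECT nome FROM usuario ORDER BY {sidx} {order.upper()}")]


def probe_hash_prefix(conn, victim: str, prefix: str) -> bool:
    """Boolean-based blind probe through the sort column: rows come back in name
    order when the victim's stored hash starts with `prefix`, else in reverse id order."""
    payload = (f"(CASE WHEN (SELECT senha_hash FROM usuario WHERE nome = '{victim}') "
               f"LIKE '{prefix}%' THEN nome ELSE -id END)")
    baseline = list_users_vulnerable(conn, "nome", "ASC")
    return list_users_vulnerable(conn, payload, "ASC") == baseline


def recover_hash(conn, victim: str, alphabet: str = "abcdefghijklmnopqrstuvwxyz0123456789-",
                 max_len: int = 16) -> str:
    """Extend the recovered prefix one character at a time; stop when nothing matches."""
    known = ""
    for _ in range(max_len):
        for ch in alphabet:
            if probe_hash_prefix(conn, victim, known + ch):
                known += ch
                break
        else:
            break
    return known


if __name__ == "__main__":
    db = make_db()
    print(find_user_vulnerable(db, "' OR '1'='1"))   # every row
    print(find_user_safe(db, "' OR '1'='1"))         # nothing
    print(recover_hash(db, "alice"))                 # alice's stored hash, via ORDER BY
```

Parameterization fixes find_user_vulnerable outright. For list_users_vulnerable there is no placeholder to reach for: the only fix is to never let the request choose the identifier, which is why list_users_safe maps the value onto an allow-list and rejects everything else. recover_hash is there to show that an ORDER BY position is enough for blind extraction, a handful of requests per character, even though no data from the injected subquery ever appears in the response.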
OSV (added 2026/02/24 8:03 p.m.)

GHSA-VXG3-V4P6-F3FP Pimcore vulnerable to SQL injection via unsanitized filter value in Dependency Dao RLIKE clause

The filter query parameter in the dependency listing endpoints is JSON-decoded and the value field is concatenated directly into RLIKE clauses without sanitization or parameterized queries. Affected code in models/Dependency/Dao.php:
- getFilterRequiresByPath lines 90, 95, 100
- ...

CVSS 6.9 | AI score 5.7 | EPSS 0.00013 | Exploits 1 | References 6

RedhatCVE (added 2026/01/27 7:33 p.m.)

CVE-2025-22234

The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations.

Mitigation: Mitigation for thi...

CVSS 7.4 | AI score 5.8 | EPSS 0.00065 | Exploits 0 | References 5

Github Security Blog (added 2026/01/22 9:33 p.m.)

Spring Security has a broken timing attack mitigation implemented in DaoAuthenticationProvider

The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations...

CVSS 7.4 | AI score 5.5 | EPSS 0.00065 | Exploits 0 | References 3 | Affected software 1

Cvelist (added 2026/01/22 9:02 p.m.)

CVE-2025-22234 Spring Security - BCrypt Password Encoder maximum password length breaks timing attack mitigation

The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations...

CVSS 5.3 | EPSS 0.00022 | Exploits 0 | References 1

EUVD (added 2026/01/22 9:02 p.m.)

EUVD-2026-3787

The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations...

CVSS 7.4 | AI score 5.5 | EPSS 0.00065 | Exploits 0 | References 3

Vulnrichment (added 2026/01/22 9:02 p.m.)

CVE-2025-22234 Spring Security - BCrypt Password Encoder maximum password length breaks timing attack mitigation

The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations...

CVSS 5.3 | AI score 5.5 | EPSS 0.00022 | Exploits 0 | References 1

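The CVE-2026-22746 entries (timing defense bypassed for disabled, expired or locked users) and the CVE-2025-22234 entries (BCrypt's maximum password length breaks the timing mitigation) describe the same failure shape: a code path that returns before the password encoder runs, so a response that skipped the hash arrives measurably sooner and reveals account state or the fact that the password exceeded the encoder's limit. The Python below is an added example for both clusters; it is not Spring Security's DaoAuthenticationProvider or BCryptPasswordEncoder. It uses PBKDF2 as a stand-in for BCrypt, a toy provider with a vulnerable and a hardened mode, and counts encoder calls so the difference is visible without relying on a stopwatch. The work factor, the 72-byte limit mirroring BCrypt's input size, the dummy-password name and the account names are assumptions.

```python
"""Timing side channel from returning before the password encoder runs.
Added example, not Spring Security's DaoAuthenticationProvider or
BCryptPasswordEncoder: a PBKDF2 stand-in for BCrypt and a toy provider whose
'vulnerable' mode answers before hashing for disabled accounts (the shape of
CVE-2026-22746) and for over-long passwords (the shape of CVE-2025-22234)."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from statistics import median

ITERATIONS = 100_000       # assumed work factor, large enough to make the gap visible
MAX_PASSWORD_BYTES = 72    # mirrors BCrypt's input limit; an assumption for the stand-in


@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    enabled: bool = True


class SlowEncoder:
    """Counts encode() calls so both code paths can be compared without a stopwatch."""

    def __init__(self):
        self.calls = 0

    def encode(self, password: str, salt: bytes) -> bytes:
        self.calls += 1
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

    def matches(self, password: str, salt: bytes, expected: bytes, hardened: bool) -> bool:
        too_long = len(password.encode()) > MAX_PASSWORD_BYTES
        if too_long and not hardened:
            return False                      # rejected before any work is done
        digest = self.encode(password, salt)  # hardened: always pay the hash cost
        return (not too_long) and hmac.compare_digest(digest, expected)


class Provider:
    def __init__(self, users, encoder: SlowEncoder, hardened: bool):
        self.users = {u.username: u for u in users}
        self.encoder = encoder
        self.hardened = hardened
        # dummy credential hashed for unknown usernames, so "no such user" costs the
        # same as a wrong password; both modes keep this existing mitigation
        self.dummy_salt = os.urandom(16)
        self.dummy_hash = encoder.encode("userNotFoundPassword", self.dummy_salt)

    def authenticate(self, username: str, password: str) -> str:
        user = self.users.get(username)
        if user is None:
            self.encoder.matches(password, self.dummy_salt, self.dummy_hash, self.hardened)
            return "bad credentials"
        if not self.hardened:
            # pre-authentication check first: a disabled account answers without
            # ever touching the encoder, so the response is measurably faster
            if not user.enabled:
                return "disabled"
            ok = self.encoder.matches(password, user.salt, user.pw_hash, hardened=False)
            return "ok" if ok else "bad credentials"
        # hardened: hash first, decide afterwards, keep the failure message generic
        ok = self.encoder.matches(password, user.salt, user.pw_hash, hardened=True)
        return "ok" if ok and user.enabled else "bad credentials"


def build_users(encoder: SlowEncoder) -> list:
    """Constructed sample accounts: alice is active, bob is disabled."""
    users = []
    for name, enabled in (("alice", True), ("bob", False)):
        salt = os.urandom(16)
        users.append(User(name, salt, encoder.encode("correct horse", salt), enabled))
    return users


def hash_calls(provider: Provider, username: str, password: str) -> int:
    """Number of expensive encode() calls one authentication attempt triggers."""
    before = provider.encoder.calls
    provider.authenticate(username, password)
    return provider.encoder.calls - before


def median_seconds(provider: Provider, username: str, password: str, rounds: int = 5) -> float:
    samples = []
    for _ in range(rounds):
        start = time.perf_counter()
        provider.authenticate(username, password)
        samples.append(time.perf_counter() - start)
    return median(samples)


if __name__ == "__main__":
    enc = SlowEncoder()
    users = build_users(enc)
    for mode, hardened in (("vulnerable", False), ("hardened", True)):
        provider = Provider(users, enc, hardened)
        for who, pw in (("alice", "wrong"), ("bob", "wrong"), ("nobody", "wrong"), ("alice", "x" * 80)):
            print(f"{mode:10} {who:7} {len(pw):3}-byte pw: "
                  f"{median_seconds(provider, who, pw):.4f}s, {hash_calls(provider, who, pw)} hash call(s)")
```

In vulnerable mode the disabled account and the 80-byte password both answer with zero encoder calls, which on a real deployment is the gap of one BCrypt computation, tens of milliseconds, that an attacker sorts usernames by. The hardened mode pays the hash for every request and only then looks at account state, so the four cases cost the same; it also returns one generic failure so the message channel does not give back what the timing channel was closed for.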