49 matches found
Langroid code injection vulnerability
Langroid is an open-source tool developed using multi-agent programming for LLM tasks. Versions of Langroid prior to 0.63.0 contained a code injection vulnerability. This vulnerability stemmed from SQLChatAgent executing SQL statements generated by the LLM. It could be exploited via prompt...
Veeam ONE Upgrade Fails with "Win32 exception occurred while executing SQL script."
Challenge When upgrading Veeam ONE from version 12.3 to version 13, the following error occurs: Win32 exception occurred while executing SQL script. Error code: 0x80004004. Error details: The SELECT permission was denied on the object 'sysjobs', database 'msdb', schema 'dbo'. Cause This error...
EUVD-2014-7083
Malware in sbrugna...
EUVD-2006-4216
Malware in sbrugna...
EUVD-2023-0197
Malicious code in bioql PyPI...
EUVD-2025-11391
Malicious code in bioql PyPI...
EUVD-2025-22521
Malicious code in bioql PyPI...
EUVD-2023-46062
Malicious code in bioql PyPI...
EUVD-2025-11389
Malicious code in bioql PyPI...
EUVD-2025-11386
Malicious code in bioql PyPI...
CVE-2023-41566
OA EKP v16 was discovered to contain an arbitrary download vulnerability via the component /ui/sys_ui_extend/sysUiExtend.do. This vulnerability allows attackers to obtain the password of the background administrator and further obtain database permissions...
PT-2025-29922 · Unknown · Oa Ekp Version 16
Name of the Vulnerable Software and Affected Versions: OA EKP version 16 Description: OA EKP version 16 contains an arbitrary download vulnerability within the /ui/sys_ui_extend/sysUiExtend.do component. This issue allows attackers to obtain the background administrator password and subsequently...
CVE-2023-41566
CVE-2023-41566 affects OA EKP v16. An arbitrary download vulnerability exists in the component /ui/sys_ui_extend/sysUiExtend.do that can enable attackers to obtain the background administrator password and subsequently gain database permissions. Reported CVSS v3.1 metrics indicate a network-adjac...
Incorrect Default Permissions
github.com/filebrowser/filebrowser is vulnerable to Incorrect Default Permissions. The vulnerability is due to insecure default file permissions: the application does not explicitly set access permissions for uploaded files or its database, relying instead on the system’s default umask, whi...
CVE-2014-7210
pdns, specifically as packaged in Debian in versions before 3.3.1-1, creates an overly privileged MySQL user. It was discovered that the maintainer scripts of pdns-backend-mysql grant overly broad database permissions to the pdns user. Other backends are not affected...
SUSE CVE-2025-48935
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 2.2.0 and prior to version 2.2.5, it is possible to bypass Deno's read/write database permission check by using an ATTACH DATABASE statement. Version 2.2.5 contains a patch for the issue...
CVE-2025-48935 Deno has --allow-read / --allow-write permission bypass in `node:sqlite`
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 2.2.0 and prior to version 2.2.5, it is possible to bypass Deno's read/write database permission check by using an ATTACH DATABASE statement. Version 2.2.5 contains a patch for the issue...
CVE-2023-47128
Piccolo is an object-relational mapping and query builder which supports asyncio. Prior to version 1.1.1, the handling of named transaction savepoints in all database implementations is vulnerable to SQL Injection via f-strings. While the likelihood of an end developer exposing a savepoints name...