13 matches found
CVE-2026-56139
Generation of Error Message Containing Sensitive Information vulnerability in Apache Camel Undertow Component. The camel-undertow HTTP server consumer exposes a muteException option that controls what is returned to the client when a route processing error occurs. This option defaulted to false,...
CVE-2026-49365
The vulnerability CVE-2026-49365 affects Apache Camel’s camel-netty-http server consumer. The root cause is that the default of muteException is false, so on route processing errors Camel writes the full Java stack trace into the HTTP response body instead of an empty body. This can disclose sens...
PT-2026-45052
Name of the Vulnerable Software and Affected Versions PraisonAI version 4.6.33 Description The code-generator praisonai.deploy.api.generate api server code creates a Flask API server with authentication disabled by default. When users deploy the server using the command praisonai deploy --type ap...
GHSA-9XQ9-36W5-Q796 lmdeploy: Hardcoded trust_remote_code=True is an implicit unsafe remote-code load path with no user opt-out
📋 Reframing 2026-05-02: implicit unsafe remote-code path, not "supply-chain" The accurate description of this vulnerability is: "getmodelarch and related helpers hardcode trustremotecode=True with no opt-out, creating an implicit unsafe remote-code load path on every model fetch." What this repor...
CVE-2026-42215
GitPython is a python library used to interact with Git repositories. From version 3.1.30 to before version 3.1.47, GitPython blocks dangerous Git options such as --upload-pack and --receive-pack by default, but the equivalent Python kwargs uploadpack and receivepack bypass that check. If an...
PT-2026-33119
ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a timing side-channel vulnerability in the password reset endpoint /api/v1/@apostrophecms/login/reset-request that allows unauthenticated username and email enumeration. When a user is not found,...
EUVD-2025-206320
EVerest is an EV charging software stack. In all versions up to and including 2025.12.1, the default value for terminateconnectiononfailedresponse is False, which leaves the responsibility for session and connection termination to the EV. In this configuration, any errors encountered by the modul...
GO-2025-4152 Vault’s Terraform Provider incorrectly set default deny_null_bind parameter for LDAP auth method to false by default in github.com/hashicorp/terraform-provider-vault
Vault’s Terraform Provider incorrectly set default denynullbind parameter for LDAP auth method to false by default in github.com/hashicorp/terraform-provider-vault. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module...
CVE-2025-60542
SQL Injection vulnerability in TypeORM before 0.3.26 via crafted request to repository.save or repository.update due to the sqlstring call using stringifyObjects default to false...
OESA-2023-1882 apache-commons-net security update
Apache Commons Net library contains a collection of network utilities and protocol implementations. Supported protocols include: Echo, Finger, FTP, NNTP, NTP, POP3S, SMTPS, Telnet, Whois Security Fixes: Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by...
PYSEC-2023-204
Apache Airflow, versions 2.7.0 and 2.7.1, is affected by a vulnerability that allows an authenticated user to retrieve sensitive configuration information when the "exposeconfig" option is set to "non-sensitive-only". The exposeconfig option is False by default.It is recommended to upgrade to a...
UBUNTU-CVE-2022-25275
In some situations, the Image module does not correctly check access to image files not stored in the standard public files directory when generating derivative images using the image styles system. Access to a non-public file is checked only if it is stored in the "private" file system. However,...
SUSE-SU-2019:0418-1 Security update for python-numpy
This update for python-numpy fixes the following issue: Security issue fixed: - CVE-2019-6446: Set allowpickle to false by default to restrict loading untrusted content bsc1122208. With this update we decrease the possibility of allowing remote attackers to execute arbitrary code by misusing...