mcp-package-docs vulnerable to command injection in several tools
Summary: A command injection vulnerability exists in the mcp-package-docs MCP Server. The vulnerability is caused by the unsanitized use of input parameters within a call to child_process.exec, enabling an attacker to inject arbitrary system commands. Successful exploitation can lead to remote code...
CVE-2025-6380
The ONLYOFFICE Docs plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within its oo.callback REST endpoint in versions 1.1.0 to 2.2.0. The plugin’s permission callback only verifies that the supplied, encrypted attachment ID maps to an existing attachment pos...
CVE-2025-6380
The CVE-2025-6380 entry concerns ONLYOFFICE Docs for WordPress (versions 1.1.0–2.2.0). The flaw is in the oo.callback REST endpoint where the permission check only confirms an attachment ID maps to an existing post, but does not verify requester identity or capabilities, enabling unauthenticated ...
CVE-2025-6380 ONLYOFFICE Docs 1.1.0 - 2.2.0 - Missing Authorization to Unauthenticated Privilege Escalation via callback Function
The ONLYOFFICE Docs plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within its oo.callback REST endpoint in versions 1.1.0 to 2.2.0. The plugin’s permission callback only verifies that the supplied, encrypted attachment ID maps to an existing attachment pos...
WordPress plugin ONLYOFFICE Docs security vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blogging platform developed in PHP; it supports setting up personal blog sites on servers running PHP and MySQL. A WordPress plugin is an application plugin. A security vulnerability...
PT-2025-30646 · WordPress · Onlyoffice Docs Plugin For Wordpress
Name of the Vulnerable Software and Affected Versions: ONLYOFFICE Docs plugin for WordPress versions 1.1.0 through 2.2.0 Description: The ONLYOFFICE Docs plugin for WordPress is susceptible to a privilege escalation issue due to insufficient authorization checks within the oo.callback REST...
MAL-2025-6179 Malicious code in mozilla-l10n-docs-linter (npm)
Source: ghsa-malware d878786926dde4c1aa2b65c2241ee43a14fbd2a46d890e608e4374ef405ff359. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
PYSEC-2025-71
Cadwyn creates production-ready community-driven modern Stripe-like API versioning in FastAPI. In versions before 5.4.3, the version parameter of the "/docs" endpoint is vulnerable to a Reflected XSS Cross-Site Scripting attack. This XSS would notably allow an attacker to execute JavaScript code ...
CVE-2025-53528 Cadwyn is vulnerable to an XSS attack through its docs page
Cadwyn creates production-ready community-driven modern Stripe-like API versioning in FastAPI. In versions before 5.4.3, the version parameter of the "/docs" endpoint is vulnerable to a Reflected XSS Cross-Site Scripting attack. This XSS would notably allow an attacker to execute JavaScript code ...
Cadwyn cross-site scripting vulnerability
Cadwyn is an API version control application by the individual developer Stanislav Zmiev. A cross-site scripting vulnerability exists in Cadwyn 5.4.3 and earlier versions, which stems from insufficient validation of the /docs endpoint version parameter input and could lead to a reflective...
CVE-2025-54073
mcp-package-docs is an MCP (Model Context Protocol) server that provides LLMs with efficient access to package documentation across multiple programming languages and Language Server Protocol (LSP) capabilities. A command injection vulnerability exists in the mcp-package-docs MCP Server prior to the...
WikiDocs code injection vulnerability
WikiDocs is a database-less Markdown flat file Wiki engine by the individual developer Manuel Zavatta in Italy. A code injection vulnerability exists in WikiDocs version 1.0.78 and earlier, which stems from cross-site scripting due to incorrect manipulation of the parameter path in the file...
CVE-2025-54073 mcp-package-docs vulnerable to command injection in several tools
mcp-package-docs is an MCP (Model Context Protocol) server that provides LLMs with efficient access to package documentation across multiple programming languages and Language Server Protocol (LSP) capabilities. A command injection vulnerability exists in the mcp-package-docs MCP Server prior to the...
CVE-2025-53547 vulnerabilities
Vulnerabilities for packages: trivy, flux, eksctl, k8sgpt, k9s, envoy-gateway, cluster-api-helm-controller, tw, teleport, linkerd2, cert-manager-cmctl, kargo, zot, kuma, rancher-helm, zarf, helm-push, kots, k8ssandra-client, cerbos, consul-k8s, flux-source-controller, helm-docs, helm-operator,...
GHSA-557J-XG8C-Q2MM vulnerabilities
Vulnerabilities for packages: trivy, flux, eksctl, k8sgpt, k9s, envoy-gateway, cluster-api-helm-controller, tw, teleport, linkerd2, cert-manager-cmctl, kargo, zot, kuma, rancher-helm, zarf, helm-push, kots, k8ssandra-client, cerbos, consul-k8s, flux-source-controller, helm-docs, helm-operator,...