CVE-2026-45574

epa4all-client is the Java Client for epa4all / ePA 3.0 in the Telematik Infrastruktur. Prior to 1.2.2, an attacker on the network path between the ePA service and the Konnektor can present any TLS certificate self-signed, expired, wrong CN and intercept all SOAP traffic. This includes patient...

epa4all-client 信任管理问题漏洞

epa4all-client is an open-source document writing client tool developed by Oviva AG. Versions of epa4all-client prior to version 1.2.2 contained a vulnerability related to trust management. This vulnerability allowed attackers to present arbitrary TLS certificates on the network path and intercep...

Astra Linux - уязвимость в firefox

An invalid downcast from nsHTMLDocument to nsIContent could result in undefined behavior. This vulnerability affects Firefox versions earlier than 110...

CVE-2026-41949 Dify < 1.14.2 Authorization Bypass via File Preview Endpoint

Dify before version 1.14.2 contains an authorization bypass vulnerability in the file preview endpoint that allows any authenticated user to read up to 3,000 characters of any uploaded document across all tenants and workspaces using only the file's UUID. Attackers can access the...

PT-2026-41676

Dify version 1.14.1 and prior contain an authorization bypass vulnerability in the file preview endpoint that allows any authenticated user to read up to 3,000 characters of any uploaded document across all tenants and workspaces using only the file's UUID. Attackers can access the...

CVE-2026-41672 xmldom: XML node injection through unvalidated comment serialization

xmldom is a pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, the package allows attacker-controlled comment content to be serialized into XML without validating or...

GHSA-34XJ-66V3-6J83 SiYuan has Arbitrary Document Reading within the Publishing Service

Details Document IDs were retrieved via the /api/file/readDir interface, and then the /api/block/getChildBlocks interface was used to view the content of all documents. PoC python !/usr/bin/env python3 """SiYuan /api/block/getChildBlocks 文档内容读取""" import requests import json import sys def...

PT-2026-28170

Name of the Vulnerable Software and Affected Versions SiYuan versions prior to 3.6.2 Description The SiYuan personal knowledge management system prior to version 3.6.2 had a flaw where document IDs were retrieved via the /api/file/readDir interface, and then the /api/block/getChildBlocks interfac...

EUVD-2025-20993

Malicious code in bioql PyPI...

CVE-2025-6211 MD5 Hash Collision in run-llama/llama_index

A vulnerability in the DocugamiReader class of the run-llama/llamaindex repository, up to version 0.12.28, involves the use of MD5 hashing to generate IDs for document chunks. This approach leads to hash collisions when structurally distinct chunks contain identical text, resulting in one chunk...

CVE-2025-6211

CVE-2025-6211 affects the DocugamiReader class in the run-llama/llama_index project (up to v0.12.28). It uses MD5 to generate IDs for document chunks, which can collide when chunks have identical text but different structure, causing one chunk to overwrite another and potentially losing semantica...

SUSE CVE-2025-47816

libpspp-core.a in GNU PSPP through 2.0.1 allows attackers to cause an spvxml-helpers.c spvxmlparseattributes out-of-bounds read, related to extra content at the end of a document...

CVE-2025-47816

libpspp-core.a in GNU PSPP through 2.0.1 allows attackers to cause an spvxml-helpers.c spvxmlparseattributes out-of-bounds read, related to extra content at the end of a document...

CVE-2024-51210

Firepad through 1.5.11 allows remote attackers, who have knowledge of a pad ID, to retrieve both the current text of a document and all content that has previously been pasted into the document. NOTE: in several similar products, this is the intentional behavior for anyone who knows the full...

CVE-2024-51210

Firepad 1.5.11 and earlier versions are affected. Remote attackers who know a pad ID can retrieve the current document text and all previously pasted content due to an access-control vulnerability; several listings note this behavior is intentional for known document IDs/URLs. The maintainer-stat...

CVE-2024-51210

Firepad through 1.5.11 allows remote attackers, who have knowledge of a pad ID, to retrieve both the current text of a document and all content that has previously been pasted into the document. NOTE: in several similar products, this is the intentional behavior for anyone who knows the full...

openSUSE Security Advisory (SUSE-SU-2024:3112-1)

The remote host is missing an update for the SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

mozilla: Fullscreen notification dialog can be obscured by document content

The Mozilla Foundation Security Advisory describes this flaw as: Select options could obscure the fullscreen notification dialog. This could be used by a malicious site to perform a spoofing attack...

mozilla: Fullscreen notification dialog can be obscured by document content

The Mozilla Foundation Security Advisory describes this flaw as: Select options could obscure the fullscreen notification dialog. This could be used by a malicious site to perform a spoofing attack...

mozilla: Fullscreen notification dialog can be obscured by document content

The Mozilla Foundation Security Advisory describes this flaw as: Select options could obscure the fullscreen notification dialog. This could be used by a malicious site to perform a spoofing attack...