Kuma security vulnerabilities
Kuma is a modern service mesh developed by Kuma OpenSource, based on Envoy. It can be run on Kubernetes and VMs, with single- or multi-zone capabilities, across various clouds. There were security vulnerabilities in versions of Kuma before 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5. These...
Malicious code in optimal-spark-config (PyPI)
Source: kam193 a1c1bf78d6e3b593fd29329b4175a48c645abf4b4b63e93db68f25221329d14c During installation, the package starts obfuscated code that attempts to exfiltrate some basic information using DNS requests and then likely cover tracks by...
Caddy cross-site request forgery vulnerability
Caddy is an open-source, cross-platform HTTP/Web server developed by the Caddy company. Versions of Caddy prior to 2.11.1 contained a cross-site request forgery vulnerability. This vulnerability stemmed from the local Caddy management API accepting cross-domain requests when source forcing was n...
OpenClaw cross-site request forgery vulnerability
OpenClaw is an artificial intelligence assistant open-sourced by OpenClaw. OpenClaw suffers from a cross-site request forgery vulnerability that stems from a browser-oriented localhost change route accepting cross-domain browser requests without explicit Origin/Referer validation, which can be...
Tenda W30E security vulnerabilities
The Tenda W30E is a router produced by the Chinese company Tenda. Versions of the Tenda W30E such as V2 and V16.01.0.195037 have security vulnerabilities. These vulnerabilities stem from the use of insecure cross-device resource sharing policies by management endpoints, which may allow attackers ...
Azure Linux 3.0 Security Update: slf4j (CVE-2015-9251)
The version of slf4j installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2015-9251 advisory. - jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is...
CVE-2026-21920
An Unchecked Return Value vulnerability in the DNS module of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). If an SRX Series device configured for DNS processing receives a specifically formatted DNS request, flowd will...
Client-Side Path Traversal
Nuxt is vulnerable to Client-Side Path Traversal. The vulnerability is due to improper validation of user-controlled data within the Island payload revival mechanism, which allows an attacker to craft malicious nuxtisland objects that manipulate client-side requests to arbitrary endpoints within...
EUVD-2025-35057
Stack-based Buffer Overflow in lws_adns_parse_label in warmcat libwebsockets allows, when the LWS_WITH_SYS_ASYNC_DNS flag is enabled during compilation, to overflow the label_stack, when the attacker is able to sniff a DNS request in order to craft a response with a matching id containing a label longer...
EUVD-2018-0587
Malware in sbrugna...
EUVD-2017-15147
Malware in sbrugna...
EUVD-2002-1867
Malware in sbrugna...
EUVD-2011-2355
Malware in sbrugna...
EUVD-2019-0339
Malware in sbrugna...
EUVD-2024-2615
Malicious code in bioql PyPI...
EUVD-2024-48007
Malicious code in bioql PyPI...
Cross-site Request Forgery (CSRF)
Overview: Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) due to a lack of checks for Referer origin headers. By inspecting the r.URL.Scheme value, a user who can inject scripts can perform authenticated form submissions that bypass intended origin checks. The...
CVE-2023-43052
IBM Control Center 6.2.1 through 6.3.1 is vulnerable to an external service interaction attack, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to induce the application to perform server-side DNS lookups or HTTP requests to arbitrary domai...
CVE-2024-41657
Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. In Casdoor 1.577.0 and earlier, a logic vulnerability exists in the beego filter CorsFilter that allows any website to make cross-domain requests to Casdoor as the logged-in user. Due to a logic error in...
CVE-2024-6449
HyperView Geoportal Toolkit in versions lower than 8.5.0 does not restrict cross-domain requests when fetching remote content pointed to by one of the GET request parameters. An unauthenticated remote attacker can prepare links, which upon opening will load scripts from a remote location controlled by t...