Lucene search
K

313963 matches found

Packet Storm News
Packet Storm News
added 2026/12/29 12:0 a.m.254 views

GNUnet P2P Framework 0.26.2

GNUnet is a peer-to-peer framework with focus on providing security. All peer-to-peer messages in the network are confidential and authenticated. The framework provides a transport abstraction layer and can currently encapsulate the network traffic in UDP IPv4 and IPv6, TCP IPv4 and IPv6, HTTP, o...

6.8AI score
Exploits0
NVD
NVD
added 1 hour ago3 views

CVE-2024-56141

Minosoft is an open-source, multi-version Minecraft Java Edition client written in Kotlin. Starting in commit f1ae30e2b046a490026a8413b075685deb795122, the CryptManager encryption routine CryptManager.kt initializes its AES cipher using an initialization vector IV that is set equal to the secret...

5CVSS
Exploits0References2
Rockylinux
Rockylinux
added 1 hour ago6 views

nodejs:22 security, bug fix, and enhancement update

An update is available for nodejs-packaging, module.nodejs-nodemon, module.nodejs-packaging, nodejs-nodemon. This update affects Rocky Linux 9. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list...

9.8CVSS7.1AI score0.02445EPSS
Exploits1
Rockylinux
Rockylinux
added 1 hour ago5 views

nodejs:24 security, bug fix, and enhancement update

An update is available for nodejs-packaging, module.nodejs-nodemon, module.nodejs-packaging, nodejs-nodemon. This update affects Rocky Linux 9. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list...

9.8CVSS7.1AI score0.02445EPSS
Exploits1
EUVD
EUVD
added yesterday3 views

EUVD-2024-55650

Minosoft is an open-source, multi-version Minecraft Java Edition client written in Kotlin. Starting in commit f1ae30e2b046a490026a8413b075685deb795122, the CryptManager encryption routine CryptManager.kt initializes its AES cipher using an initialization vector IV that is set equal to the secret...

5CVSS6AI score
Exploits0References2
CVE
CVE
added yesterday6 views

CVE-2024-56141

Minosoft is an open-source, multi-version Minecraft Java Edition client written in Kotlin. Starting in commit f1ae30e2b046a490026a8413b075685deb795122, the CryptManager encryption routine CryptManager.kt initializes its AES cipher using an initialization vector IV that is set equal to the secret...

5CVSS6AI score
Exploits0References2
Cvelist
Cvelist
added yesterday5 views

CVE-2024-56141 Minosoft has IV equal to key

Minosoft is an open-source, multi-version Minecraft Java Edition client written in Kotlin. Starting in commit f1ae30e2b046a490026a8413b075685deb795122, the CryptManager encryption routine CryptManager.kt initializes its AES cipher using an initialization vector IV that is set equal to the secret...

5CVSS
Exploits0References2
OSV
OSV
added yesterday2 views

GHSA-PMF6-RCX4-V53V mkfifo: permissions of an existing file are changed after FIFO creation fails

When mkfifo fails e.g. target already exists, the code shows an error but is missing a continue;, so it falls through to fs::setpermissions and changes the permissions of the pre-existing file to the default FIFO mode 0o666 & umask - 0644. $ touch secret; chmod 000 secret $ coreutils mkfifo secre...

7.1CVSS6AI score0.00165EPSS
Exploits1References5
Github Security Blog
Github Security Blog
added yesterday3 views

mkfifo: permissions of an existing file are changed after FIFO creation fails

When mkfifo fails e.g. target already exists, the code shows an error but is missing a continue;, so it falls through to fs::setpermissions and changes the permissions of the pre-existing file to the default FIFO mode 0o666 & umask - 0644. $ touch secret; chmod 000 secret $ coreutils mkfifo secre...

7.1CVSS6AI score0.00165EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added yesterday2 views

OpenRemote has Authenticated SQL Injection via Datapoint Crosstab Export

Summary The datapoint export API builds a PostgreSQL crosstab export query by concatenating asset display names into raw SQL. An authenticated user who can create or rename an asset and then request a crosstab datapoint export can inject SQL through the asset name. The injected query output is...

6.3AI score
Exploits0References3Affected Software1
OSV
OSV
added yesterday2 views

GHSA-CGFV-JRFP-2R7V OpenRemote has Authenticated SQL Injection via Datapoint Crosstab Export

Summary The datapoint export API builds a PostgreSQL crosstab export query by concatenating asset display names into raw SQL. An authenticated user who can create or rename an asset and then request a crosstab datapoint export can inject SQL through the asset name. The injected query output is...

7.2CVSS6.3AI score
Exploits0References3
Github Security Blog
Github Security Blog
added yesterday3 views

9router: Login brute-force protection bypass via spoofed X-Forwarded-For header

Summary The 9router dashboard login rate limiter derives the client identity from the attacker-controlled X-Forwarded-For HTTP header. When 9router is directly exposed, or deployed behind a reverse proxy that does not overwrite untrusted forwarding headers, a remote attacker can rotate the...

6AI score
Exploits0References2Affected Software1
OSV
OSV
added yesterday2 views

GHSA-7CFM-PQRJ-XGQ7 9router: Login brute-force protection bypass via spoofed X-Forwarded-For header

Summary The 9router dashboard login rate limiter derives the client identity from the attacker-controlled X-Forwarded-For HTTP header. When 9router is directly exposed, or deployed behind a reverse proxy that does not overwrite untrusted forwarding headers, a remote attacker can rotate the...

7.3CVSS6AI score
Exploits0References2
Github Security Blog
Github Security Blog
added yesterday3 views

Craft CMS: Sensitive File Disclosure / Server-Side File Read

The dataUrl Twig function is included in Craft’s Twig sandbox allowlist, allowing any control panel user granted the utility:system-messages permission to embed a file-reading payload into system email templates. When those emails are sent, the server reads the target file and returns its content...

6CVSS6.1AI score0.00268EPSS
Exploits0References4Affected Software1
OSV
OSV
added yesterday2 views

GHSA-287W-MXQ6-X2CP Craft CMS: Sensitive File Disclosure / Server-Side File Read

The dataUrl Twig function is included in Craft’s Twig sandbox allowlist, allowing any control panel user granted the utility:system-messages permission to embed a file-reading payload into system email templates. When those emails are sent, the server reads the target file and returns its content...

6CVSS6.1AI score0.00268EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added yesterday3 views

9router has unauthenticated CRUD on /api/providers and Full API Key Leak via /api/usage/stats

--- title: Unauthenticated CRUD on /api/providers and Full API Key Leak via /api/usage/stats product: 9Router version: = 0.4.41 severity: critical cverequest: true --- Summary Multiple critical API security vulnerabilities were discovered in 9Router's Next.js dashboard. The /api/providers endpoin...

6.1AI score
Exploits0References2Affected Software1
OSV
OSV
added yesterday2 views

GHSA-VJC7-JRH9-9J86 9router has unauthenticated CRUD on /api/providers and Full API Key Leak via /api/usage/stats

--- title: Unauthenticated CRUD on /api/providers and Full API Key Leak via /api/usage/stats product: 9Router version: = 0.4.41 severity: critical cverequest: true --- Summary Multiple critical API security vulnerabilities were discovered in 9Router's Next.js dashboard. The /api/providers endpoin...

10CVSS6.1AI score
Exploits0References2
OSV
OSV
added yesterday2 views

GHSA-F5VP-W269-392G Coder vulnerable to denial of service via unbounded request body in AI Bridge provider endpoints

Summary AI Bridge provider handlers read request bodies with io.ReadAll without a maximum size so an authenticated user with AI Bridge access could send an arbitrarily large body and exhaust memory. Note: Exploitation requires authenticated access to the AI Bridge endpoints and the impact is...

6.5CVSS6AI score
Exploits0References3
Github Security Blog
Github Security Blog
added yesterday2 views

Coder vulnerable to denial of service via unbounded request body in AI Bridge provider endpoints

Summary AI Bridge provider handlers read request bodies with io.ReadAll without a maximum size so an authenticated user with AI Bridge access could send an arbitrarily large body and exhaust memory. Note: Exploitation requires authenticated access to the AI Bridge endpoints and the impact is...

6AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added yesterday3 views

GoFiber never set HSTS header in helmet middleware due to incorrect protocol check

Summary The helmet middleware in gofiber/fiber never sets the Strict-Transport-Security HSTS response header, even when HSTSMaxAge is explicitly configured, because the condition check at helmet.go:67 uses c.Protocol — which returns the HTTP protocol version string e.g., "HTTP/1.1", "HTTP/2.0" —...

5.9AI score
Exploits0References2Affected Software1
Rows per page
Query Builder