PYSEC-2025-124
Label Studio is a multi-type data labeling and annotation tool. A vulnerability in versions prior to 1.18.0 allows an attacker to inject a malicious script into the context of a web page, which can lead to data theft, session hijacking, unauthorized actions on behalf of the user, and other attack...
org.apache.iotdb:client-example (>=2.0.1-beta <=2.0.2-1), org.apache.iotdb:customize-mqtt-example (=2.0.1-beta) +8 more potentially affected by CVE-2025-26864 via org.apache.iotdb:node-commons (>=2.0.1-beta <=2.0.2-1)
org.apache.iotdb:node-commons MAVEN version =2.0.1-beta, =2.0.1-beta, =2.0.1-beta, =2.0.2-1 - org.apache.iotdb:iotdb-distribution =2.0.1-beta - org.apache.iotdb:iotdb-server =2.0.1-beta - org.apache.iotdb:pipe-count-point-processor-example =2.0.1-beta - org.apache.iotdb:trigger-example =2.0.1-bet...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the confKey parameter. An attacker can execute arbitrary scripts in the context of the victim's browser session by injecting a malicious payload into this parameter. Note: This is only exploitable if the...
Label Studio Cross-Site Scripting Vulnerability
Label Studio is an open source data labeling tool from Heartex Open Source. It allows you to label data types such as audio, text, images, video, and time series using a straightforward UI and export to a variety of model formats. A cross-site scripting vulnerability exists in Label Studio versio...
CVE-2025-46833 Programs/P73_SimplePythonEncryption.py has weak cryptographic key
Programs/P73_SimplePythonEncryption.py illustrates a simple Python encryption example using the RSA algorithm. In versions prior to commit 6ce60b1, an attacker may be able to decrypt the data using brute-force attacks, and because of this the whole application can be impacted. This issue has been...
Exploit for Out-of-bounds Write in Openprinting Cups
CUPS-Exploit Heap-based buffer overflow example based on C...
MAL-2025-3678 Malicious code in ascpc-npm-example (npm)
Source: ghsa-malware 7dfc46bf902782d78e5120173d965b16776b6f7d52ac27e8b6a05eb734290dce. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Ensure That Old Passwords Are Verified When Users Change Them
To prevent a third party from maliciously changing the password of another user, the old password must be verified when a user changes the password. According to the common practice in the industry, the old password does not need to be verified when the root user changes its own password. The roo...
MAL-2025-3597 Malicious code in msl-example-client (npm)
Source: ghsa-malware 0c52efb23287b19a22a63e448d5f7075ec0f2e9410801d21797a93a6caf6180b. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Exploit for Unrestricted Upload of File with Dangerous Type in Sap Netweaver
CVE-2025-31324PoC Proof-of-Concept for CVE-2025-31324: Unauth...
GHSA-6P68-W45G-48J7 Traefik has a possible vulnerability with its path matchers
Impact There is a potential vulnerability in Traefik managing the requests using a PathPrefix, Path or PathRegex matcher. When Traefik is configured to route the requests to a backend using a matcher based on the path, if the URL contains a /../ in its path, it’s possible to target a backend,...
Apache Commons Text 1.10.0 - Remote Code Execution
Exploit Title: Apache Commons Text 1.10.0 - Remote Code Execution (Text4Shell - POST-based) Date: 2025-04-17 Exploit Author: Arjun Chaudhary Vendor Homepage: https://commons.apache.org/proper/commons-text/ Software Link: https://repo1.maven.org/maven2/org/apache/commons/commons-text/ Version: Apache...
Exploit for CVE-2025-2294
🚨 Kubio AI Page Builder = 2.5.1 - Unauthenticated Local File...
DocsGPT 0.12.0 - Remote Code Execution
Exploit Title: DocsGPT 0.12.0 - Remote Code Execution Date: 09/04/2025 Exploit Author: Shreyas Malhotra OSMSEC Vendor Homepage: https://github.com/arc53/docsgpt Software Link: https://github.com/arc53/DocsGPT/archive/refs/tags/0.12.0.zip Version: 0.8.1 through 0.12.0 Tested on: Debian Linux/Ubunt...
MAL-2025-3118 Malicious code in rzp-ionic3-example (npm)
Source: ghsa-malware 9cfbb00d339b881a5d6c275d13e76761973d000bf055e23329150e4105bafb62. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2025-3124 Malicious code in twc-app-example-vue (npm)
Source: ghsa-malware 274ea59bea6b31be4c1b08dce0b142ccdff5b3d9541c5edecd6cab49226d93cd. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in ehackify-example-test (npm)
Source: ghsa-malware 60ffba72c4fb6005e35ffd9acb8fde18eaa73f3c647a76de85a153ed9b5f0a89. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
CVE-2023-46988
Path Traversal vulnerability in ONLYOFFICE Document Server before v8.0.1 allows a remote attacker to copy arbitrary files by manipulating the fileExt parameter in the /example/editor endpoint, leading to unauthorized access to sensitive files and potential Denial of Service (DoS)...