Cross-site Request Forgery (CSRF)

Overview admidio/admidio is a free open source user management system for websites of organizations and groups. Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF via the export process in modules/sso/keys.php when CSRF validation is not enforced. An attacker can...

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the export process. An attacker can write files to arbitrary locations on the filesystem by uploading an asset with a crafted filename containing directory traversal sequences and then triggering an administrator...

CVE-2026-44522

Note Mark is an open-source note-taking application. From 0.13.0 to before 0.19.4, the Note Mark application allows authenticated users to upload assets to notes via POST /api/notes/noteID/assets, where the asset filename is provided through the X-Name HTTP request header. This value is stored...

CVE-2026-44522

Vulnerability summary (CVE-2026-44522) Note Mark up to 0.19.3 allows authenticated users to upload assets with a crafted X-Name header containing directory traversal. The asset name is stored in the database without validation, and is later passed directly to filepath.Join()/path.Join() during ex...

CVE-2026-44522 Note Mark: Arbitrary File Write via Path Traversal in Asset Names Leading to Remote Code Execution

Note Mark is an open-source note-taking application. From 0.13.0 to before 0.19.4, the Note Mark application allows authenticated users to upload assets to notes via POST /api/notes/noteID/assets, where the asset filename is provided through the X-Name HTTP request header. This value is stored...

GHSA-G49P-4QXJ-88V3 Note Mark: Arbitrary File Write via Path Traversal in Asset Names Leads to Remote Code Execution

Description The Note Mark application allows authenticated users to upload assets to notes via POST /api/notes/noteID/assets, where the asset filename is provided through the X-Name HTTP request header. This value is stored directly in the database without any sanitization or validation - no path...

Note Mark: Arbitrary File Write via Path Traversal in Asset Names Leads to Remote Code Execution

Description The Note Mark application allows authenticated users to upload assets to notes via POST /api/notes/noteID/assets, where the asset filename is provided through the X-Name HTTP request header. This value is stored directly in the database without any sanitization or validation - no path...

PT-2026-38621

Name of the Vulnerable Software and Affected Versions Note Mark versions 0.13.0 through 0.19.3 Description Authenticated users can upload assets to notes via the "/api/notes/noteID/assets" endpoint. The application stores the asset filename provided in the X-Name HTTP request header directly in t...

CVE-2026-22923

A vulnerability has been identified in NX All versions V2512, NX Managed Mode All versions V2512. The affected application contains a data validation vulnerability that could allow an attacker with local access to interfere with internal data during the PDF export process that could potentially...

MAL-2025-189656 Malicious code in star-route-query-export-process (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c20beac557c34a749310f87e0f1b74f8044729c51c474177886ce1fc005f2d3b This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

EUVD-2025-176219

Malicious code in star-route-query-export-process npm...

CVE-2024-25675

An issue was discovered in MISP before 2.4.184. A client does not need to use POST to start an export generation process. This is related to app/Controller/JobsController.php and app/View/Events/export.ctp...

Code injection

An issue was discovered in MISP before 2.4.184. A client does not need to use POST to start an export generation process. This is related to app/Controller/JobsController.php and app/View/Events/export.ctp...

CVE-2024-25675

An issue was discovered in MISP before 2.4.184. A client does not need to use POST to start an export generation process. This is related to app/Controller/JobsController.php and app/View/Events/export.ctp...

PT-2024-21083 · Misp · Misp

Name of the Vulnerable Software and Affected Versions: MISP versions prior to 2.4.184 Description: An issue was discovered where a client does not need to use POST to start an export generation process. This is related to app/Controller/JobsController.php and app/View/Events/export.ctp...

How to export a VPX instance on an SDX to an XVA file

This article will describe how to export an XVA file of a VPX from an SDX. This file contains the entire contents of the VPX including an image of the VPX's file systems...

PT-2023-20625 · Ox Software Gmbh +1 · Ox App Suite +1

Name of the Vulnerable Software and Affected Versions: Software affected versions not specified Description: The issue arises from control characters not being removed when exporting user feedback content, allowing attackers to include unexpected content and potentially break the exported data...

CVE-2022-45026

An issue in Markdown Preview Enhanced v0.6.5 and v0.19.6 for VSCode and Atom allows attackers to execute arbitrary commands during the GFM export process...

Octopus Server 安全漏洞

Octopus Deploy is an automation tool for .NET, Java, and other application development and deployment from Octopus Deploy Australia. A security vulnerability exists in Octopus Server that stems from storing sensitive information in plaintext in multiple versions of Octopus Server, where in some...

Apache Derby Overwrite Arbitrary File Vulnerability

Apache Derby is the United States Apache Apache Software Foundation developed a set of open source database management system. A security vulnerability exists in the export process in Apache Derby. A remote attacker could exploit the vulnerability to overwrite an existing file...