CVE-2025-10569

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.3 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to create a denial of service condition by providing crafted responses to external API calls...

EUVD-2021-2492

Malware in sbrugna...

EUVD-2022-0671

Malicious code in bioql PyPI...

BIT-NIFI-2020-13940

In Apache NiFi 1.0.0 to 1.11.4, the notification service manager and various policy authorizer and user group provider objects allowed trusted administrators to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services via XXE...

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via Service Call functionality. A user with sufficient privileges to create Kyverno policies can expose all data from a Kubernetes cluster using a malicious Kyverno policy that makes external service cal...

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via Service Call functionality. A user with sufficient privileges to create Kyverno policies can expose all data from a Kubernetes cluster using a malicious Kyverno policy that makes external service cal...

CVE-2023-26566

Sangoma FreePBX 1805 through 2203 on Linux contains hardcoded credentials for the Asterisk REST Interface ARI, which allows remote attackers to reconfigure Asterisk and make external and internal calls via HTTP and WebSocket requests sent to the API...

Vyper's external calls can overflow return data to return input buffer

Summary When calls to external contracts are made, we write the input buffer starting at byte 28, and allocate the return buffer to start at byte 0 overlapping with the input buffer. When checking RETURNDATASIZE for dynamic types, the size is compared only to the minimum allowed size for that typ...

GHSA-GP3W-2V2M-P686 Vyper's external calls can overflow return data to return input buffer

Summary When calls to external contracts are made, we write the input buffer starting at byte 28, and allocate the return buffer to start at byte 0 overlapping with the input buffer. When checking RETURNDATASIZE for dynamic types, the size is compared only to the minimum allowed size for that typ...

PYSEC-2024-148

Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. When calls to external contracts are made, we write the input buffer starting at byte 28, and allocate the return buffer to start at byte 0 overlapping with the input buffer. When checking RETURNDATASIZE for dynamic...

[M1] LastDonationBlockNumber should be updated at the beginning of the function to prevent from reentracy attack

Lines of code Vulnerability details Impact The ineffectiveness of an update against a flashloans attack. Analysis of the vulnerability You update lastDonationBlockNumber after every donation. However, you update is done at the end of the function trackServiceDonations function trackServiceDonatio...

SUSE CVE-2020-13940

In Apache NiFi 1.0.0 to 1.11.4, the notification service manager and various policy authorizer and user group provider objects allowed trusted administrators to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services via XXE...

Using .call for external calls leaves the contract vulnerable to reentrancy.

Lines of code Vulnerability details Impact claimConcentratedRewards and claimAmbientRewards call external contracts via call. This could leave the contract vulnerable to reentrancy attacks if the recipient contract calls back into the contract before updating state. Proof of Concept The calls to...

[M-15] Reentrancy in the BranchPort contract

Lines of code Vulnerability details Impact In a Re-entrancy attack, a malicious contract calls back into the calling contract before the first invocation of the function is finished. This may cause the different invocations of the function to interact in undesirable ways, especially in cases wher...

PYSEC-2023-167

Vyper is a Pythonic Smart Contract Language. For the following probably non-exhaustive list of expressions, the compiler evaluates the arguments from right to left instead of left to right. unsafeadd, unsafesub, unsafemul, unsafediv, powmod256, |, &, ^ bitwise operators, bitwiseor deprecated,...

removeFromAllTicks() withdraws all tick assets before deposit and withdraw and re-deposit them creates reentrancy attacks.

Lines of code Vulnerability details Impact reentrancy attacks can result to stolen funds Proof of Concept The key issue is that removeFromAllTicks calls removeFromTickindex in a loop, which calls lendingPool.withdraw and tr.withdraw. These external calls could trigger a reentrant call back into t...

[M-02] Denial of Service on failed call Dos

Lines of code Vulnerability details Impact Detailed description of the impact of this finding. External calls can fail accidentally or deliberately, which can cause a DoS condition in the contract. To minimize the damage caused by such failures, it is better to isolate each external call into its...

Reentrancy vulnerability in BigBang.execute

Lines of code Vulnerability details Impact This vulnerability could allow an attacker to withdraw funds from the BigBang contract. This could result in a loss of funds for the user. Proof of Concept The BigBang.execute function has external calls inside a loop. This could potentially lead to...

Unintended or Malicious Use of Prize Winners' Hooks

Lines of code Vulnerability details Impact The setHooks function in Vault.sol allows users to set arbitrary hooks, potentially enabling them to make external calls with unintended consequences. This vulnerability could lead to various unexpected behaviors, such as unauthorized side transactions...

Potential Ownership Issues Due to External Calls in LSP0ERC725AccountCore's execute and executeBatch Functions

Lines of code Vulnerability details Impact In the LSP0ERC725AccountCore contract, the execute and executeBatch functions use the LSP20CallVerification standard. In some cases, you may need to use verifyCallAfter. However, because an external call is made between verifyCall and verifyCallAfter, th...