
19 matches found

OSV
added 2025/11/10 5:15 a.m. | 1 view

CVE-2025-12613

Versions of the package cloudinary before 2.7.0 are vulnerable to Arbitrary Argument Injection due to improper parsing of parameter values containing an ampersand. An attacker can inject additional, unintended parameters. This could lead to a variety of malicious outcomes, such as bypassing...

8.8 CVSS | 6.7 AI score
Exploits 0 | References 3
RedhatCVE
added 2025/10/20 5:25 p.m. | 2 views

CVE-2025-62419

DataEase is a data visualization and analytics platform. In DataEase versions through 2.10.13, a JDBC URL injection vulnerability exists in the DB2 and MongoDB data source configuration handlers. In the DB2 data source handler, when the extraParams field is empty, the HOSTNAME, PORT, and DATABASE...

9.8 CVSS | 7 AI score | 0.02537 EPSS
Exploits 2 | References 1
EUVD
added 2025/10/07 12:30 a.m. | 2 views

EUVD-2012-5659

Malware in sbrugna...

5.4 CVSS | 5.6 AI score | 0.00191 EPSS
Exploits 1 | References 3
FreeBSD
added 2025/09/05 12:0 a.m. | 6 views

mongodb -- Malformed $group Query May Cause MongoDB Server to Crash

[email protected] reports: An authorized user can cause a crash in the MongoDB Server through a specially crafted $group query. This vulnerability is related to the incorrect handling of certain accumulator functions when additional parameters are specified within the $group operation. This...

6.5 CVSS | 6.7 AI score | 0.0014 EPSS
Exploits 0 | References 1
Positive Technologies
added 2025/09/05 12:0 a.m. | 3 views

PT-2025-36331

Name of the Vulnerable Software and Affected Versions: MongoDB Server versions prior to 6.0.25 MongoDB Server versions prior to 7.0.22 MongoDB Server versions prior to 8.0.12 MongoDB Server versions prior to 8.1.2 Description: An authorized user can cause a crash in the MongoDB Server through a...

6.5 CVSS | 6.3 AI score | 0.0014 EPSS
Exploits 0 | References 10
RedhatCVE
added 2025/05/22 5:32 a.m. | 3 views

CVE-2012-5776

Dokeos 2.1.1 has multiple XSS issues involving "extra" parameters in main/auth/profile.php...

5.4 CVSS | 6.2 AI score | 0.00191 EPSS
Exploits 1 | References 1
Github Security Blog
added 2022/12/31 9:30 p.m. | 21 views

express-param vulnerable to Improper Handling of Extra Parameters

A vulnerability was found in flitto express-param up to 0.x. It has been classified as critical. This affects an unknown part of the file lib/fetchParams.js. The manipulation leads to improper handling of extra parameters. It is possible to initiate the attack remotely. Upgrading to version 1.0.0...

9.8 CVSS | 9.1 AI score | 0.00575 EPSS
Exploits 0 | References 7 | Affected Software 1
OSV
added 2022/12/31 9:30 p.m. | 12 views

GHSA-FR54-72WR-CQVQ express-param vulnerable to Improper Handling of Extra Parameters

A vulnerability was found in flitto express-param up to 0.x. It has been classified as critical. This affects an unknown part of the file lib/fetchParams.js. The manipulation leads to improper handling of extra parameters. It is possible to initiate the attack remotely. Upgrading to version 1.0.0...

9.8 CVSS | 9.7 AI score | 0.00575 EPSS
Exploits 0 | References 7
NVD
added 2022/12/31 8:15 p.m. | 9 views

CVE-2017-20160

A vulnerability was found in flitto express-param up to 0.x. It has been classified as critical. This affects an unknown part of the file lib/fetchParams.js. The manipulation leads to improper handling of extra parameters. It is possible to initiate the attack remotely. Upgrading to version 1.0.0...

9.8 CVSS | 0.00575 EPSS
Exploits 0 | References 5
CVE
added 2022/12/31 7:15 p.m. | 51 views

CVE-2017-20160

CVE-2017-20160 affects flitto express-param up to 0.x, due to improper handling of extra parameters in lib/fetchParams.js. The issue can be exploited remotely, and upgrading to version 1.0.0 addresses it; the patch is identified as db94f7391ad0a16dcfcba8b9be1af385b25c42db (VDB-217149).

9.8 CVSS | 8 AI score | 0.00575 EPSS
Exploits 0 | References 5 | Affected Software 1
CNNVD
added 2022/12/31 12:0 a.m. | 1 view

express security vulnerability

express is a fast, unconstrained, minimalist open source web framework for Node.js from expressjs. A security vulnerability exists in express version 0.x and earlier versions, which stems from improper handling of extra parameters...

9.8 CVSS | 6.9 AI score | 0.00575 EPSS
Exploits 0 | References 6
Hacker One
added 2021/11/22 9:44 a.m. | 193 views

Dropbox: Full Response SSRF via Google Drive

This researcher pointed out that HelloSign's Google Drive doc export feature had a URL parsing issue that could allow extra parameters to be passed to Google Drive API. By making use of an extra parameter in the Google Drive API, it was possible for researchers to force HelloSign to parse externa...

0.1 AI score
Exploits 0
NVD
added 2020/01/29 3:15 p.m. | 8 views

CVE-2012-5776

Dokeos 2.1.1 has multiple XSS issues involving "extra" parameters in main/auth/profile.php...

5.4 CVSS | 5.3 AI score | 0.00191 EPSS
Exploits 1 | References 2
OSV
added 2019/04/24 8:29 p.m. | 10 views

CVE-2019-11218

Improper handling of extra parameters in the AccountController User Profile edit in Jakub Chodounsky Bonobo Git Server before 6.5.0 allows authenticated users to gain application administrator privileges via additional form parameter submissions...

8.8 CVSS | 6.9 AI score | 0.0066 EPSS
Exploits 0 | References 2
NVD
added 2016/12/30 7:59 p.m. | 29 views

CVE-2016-10045

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function in PHP. NOT...

9.8 CVSS | 10 AI score | 0.93108 EPSS
Exploits 19 | References 15
OSV
added 2016/12/30 7:59 p.m. | 39 views

CVE-2016-10033

The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property...

9.8 CVSS | 9.9 AI score | 0.94418 EPSS
Exploits 59 | References 22
UbuntuCve
added 2016/12/30 7:59 p.m. | 25 views

CVE-2016-10034

The setFrom function in the Sendmail adapter in the zend-mail component before 2.4.11, 2.5.x, 2.6.x, and 2.7.x before 2.7.2, and Zend Framework before 2.4.11 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double...

9.8 CVSS | 7.7 AI score | 0.82322 EPSS
Exploits 10 | References 3
Cvelist
added 2016/12/30 7:0 p.m. | 37 views

CVE-2016-10033

The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property...

9.9 AI score | 0.94418 EPSS
Exploits 58 | References 21
ATTACKERKB
added 2016/12/30 12:0 a.m. | 226 views

CVE-2016-10033

The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property. Recent assessments: Assessed Attacker Value: 0...

9.8 CVSS | 9.9 AI score | 0.94418 EPSS
In wild | Exploits 59 | References 31