4175 matches found
PT-2025-44324
Name of the Vulnerable Software and Affected Versions: Wazuh versions prior to 4.11.0. Description: Wazuh is a platform for threat prevention, detection, and response. A flaw exists in the fim_fetch_attributes_state implementation, which does not verify whether the time string is NULL before applying strle...
GHSA-QCPR-679Q-RHM2 Astro's bypass of image proxy domain validation leads to SSRF and potential XSS
Summary This is a patch bypass of CVE-2025-58179 in commit 9ecf359. The fix blocks http://, https:// and //, but can be bypassed using backslashes (\): the endpoint still issues a server-side fetch. PoC...
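As an added illustration of the bypass this entry describes (example code written for this page, not Astro's code or its patch): a scheme-prefix blocklist of the kind the summary mentions, next to a check that resolves the candidate href with the same WHATWG URL algorithm the server-side fetch uses and decides on the parsed host instead of on raw characters. The site origin, the allowlisted image host and the sample hrefs are assumed values for the example.

```javascript
// Added example, not Astro's code. Site origin and image-host allowlist are
// assumed values for illustration.
const SITE_ORIGIN = 'https://example.test';
const ALLOWED_IMAGE_HOSTS = new Set(['cdn.example.test']);

// Weak check, modelled on the blocklist the advisory describes (not the exact
// patch): reject hrefs that start with an absolute-URL prefix.
function prefixBlocklistAllows(href) {
  const s = href.toLowerCase();
  return !(s.startsWith('http://') || s.startsWith('https://') || s.startsWith('//'));
}

// Host the URL parser would actually fetch from, or null if the input is unparseable.
function parsedHostOf(href) {
  try {
    return new URL(href, SITE_ORIGIN).hostname;
  } catch {
    return null;
  }
}

// Hardened check: resolve the href against the site origin with the WHATWG URL
// parser, exactly as the server-side fetch would, and judge the *parsed* result.
// For special schemes the parser treats '\' like '/', so '\\evil.test/a.png',
// '/\evil.test/a.png' and 'https:\\evil.test/a.png' all resolve to host evil.test
// and are rejected on that basis, whatever characters they started with.
// Returns the resolved URL when it is allowed, otherwise null.
function resolveImageTarget(href) {
  let url;
  try {
    url = new URL(href, SITE_ORIGIN);
  } catch {
    return null; // unparseable input is never fetched
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null; // no file:, data:, javascript:
  if (url.origin === SITE_ORIGIN) return url;                  // same-origin asset
  if (ALLOWED_IMAGE_HOSTS.has(url.hostname)) return url;        // explicitly allowlisted remote host
  return null;
}

// Constructed hrefs: the last three are bypass payloads for the prefix check.
// In JS source each '\\' is a single backslash in the resulting string.
const SAMPLE_HREFS = [
  '/images/a.png',
  'https://cdn.example.test/a.png',
  'https://evil.test/a.png',
  '\\\\evil.test/a.png',
  '/\\evil.test/a.png',
  'https:\\\\evil.test/a.png',
];

// Run both checks over the samples and show what the parser makes of each one.
function compareChecks(hrefs = SAMPLE_HREFS) {
  return hrefs.map((href) => ({
    href,
    prefixCheckAllows: prefixBlocklistAllows(href),
    parsedHost: parsedHostOf(href),
    fetchAllowed: resolveImageTarget(href) !== null,
  }));
}

for (const row of compareChecks()) console.log(row);
```

The rows for the three backslash payloads show the failure mode in one place: the prefix check lets them through, the parser resolves every one of them to evil.test, and the hardened check refuses them because the decision is made on the parsed host, not on the characters the request started with.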
SUSE-SU-2025:3785-1 Security update for afterburn
This update for afterburn fixes the following issues: Update to version 5.9.0.git21.a73f509. Security issues fixed: - CVE-2022-24713: regex: no proper complexity limitation when parsing untrusted regular expressions with large repetitions on empty sub-expressions can lead to excessive resource...
Server-Side Request Forgery (SSRF)
Flowise is vulnerable to Server-Side Request Forgery (SSRF). The vulnerability is due to improper validation of user-supplied URLs in the /api/v1/fetch-links endpoint, which allows an attacker to use the server as a proxy to access internal network resources and explore their link structures...
Malicious Package
Overview doppler-secrets-fetch-github-action is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization an...
Importing vs fetching JSON
This year, JSON module imports became Baseline 'newly available', meaning they're implemented across browser engines. import data from './data.json' with { type: 'json' }; // And… const { default: data } = await import('./data.json', { with: { type: 'json' } }); I'm glad JavaScript has this feature, but I can'...
MAL-2025-48550 Malicious code in doppler-secrets-fetch-github-action (npm)
Source: ghsa-malware 15ae1d785262a986eb630a24e7abcd16bd4c799262e11059e5911a40f184ee5c. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
EUVD-2025-35311
Malicious code in doppler-secrets-fetch-github-action npm...
MAL-2025-48529 Malicious code in npmrunnode-fetch-test (npm)
Source: ossf-package-analysis 74027deb8f96cb586a9b82484dbb7818ccfbbfdd2147a05fdae660aad4211e53. The OpenSSF Package Analysis project identified 'npmrunnode-fetch-test' @ 1337.1.0 (npm) as malicious. It is considered malicious because: - The...
EUVD-2025-35134
Malicious code in npmrunnode-fetch-test npm...
CVE-2017-20208 RegistrationMagic - Custom Registration Forms <= 3.7.9.2 - PHP Object Injection
The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to PHP Object Injection in all versions up to and including 3.7.9.2 via deserialization of untrusted input from the is_expired_by_date() function. This makes it possible for...
EUVD-2025-34905
Lobe Chat vulnerable to Server-Side Request Forgery with native web fetch module...
Lobe Chat vulnerable to Server-Side Request Forgery with native web fetch module
Vulnerability Overview: When the client sends an arbitrary URL array and impl: "naive" to the tRPC endpoint tools.search.crawlPages, the server issues outbound HTTP requests directly to those URLs. There is no defensive logic that restricts or validates requests to...
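As an added example for this entry (written for this page, not Lobe Chat's code): a guard that a batch-crawl endpoint like the one described could run over the client-supplied URL array before issuing any request. It parses each entry with the WHATWG URL parser, so decimal, hex and IPv4-mapped spellings of an address collapse to one canonical hostname, then rejects non-HTTP schemes and any literal address in a loopback, private, link-local, CGNAT or multicast range. The endpoint name and the impl: "naive" field come from the entry; the blocked ranges and the sample request are assumptions made for the example.

```javascript
// Added example, not Lobe Chat's code. The policy (which address ranges are
// off-limits) and the sample input are assumptions made for this illustration.

// Dotted-quad parser. The URL parser already canonicalises numeric hosts
// (2130706433 and 0x7f.0.0.1 both become 127.0.0.1), so this only has to
// recognise the canonical form it hands back.
function parseIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// Common non-routable and special-purpose IPv4 ranges (not an exhaustive list).
function isBlockedIPv4([a, b]) {
  return a === 0                              // 0.0.0.0/8 "this network"
    || a === 10                               // 10.0.0.0/8
    || a === 127                              // loopback
    || (a === 100 && b >= 64 && b <= 127)     // 100.64.0.0/10 CGNAT
    || (a === 169 && b === 254)               // link-local, incl. 169.254.169.254 metadata
    || (a === 172 && b >= 16 && b <= 31)      // 172.16.0.0/12
    || (a === 192 && b === 168)               // 192.168.0.0/16
    || a >= 224;                              // multicast, reserved, broadcast
}

// IPv6 as serialised by the URL parser: lowercase, compressed, without brackets.
function isBlockedIPv6(addr) {
  if (addr === '::1' || addr === '::') return true;            // loopback, unspecified
  if (/^fe[89ab][0-9a-f]:/.test(addr)) return true;             // fe80::/10 link-local
  if (/^f[cd][0-9a-f]{2}:/.test(addr)) return true;             // fc00::/7 unique local
  const mapped = /^::ffff:(.+)$/.exec(addr);                     // ::ffff:a.b.c.d or ::ffff:hhhh:hhhh
  if (mapped) {
    let v4 = parseIPv4(mapped[1]);
    if (!v4) {
      const parts = mapped[1].split(':');
      if (parts.length === 2) {
        const hi = parseInt(parts[0], 16), lo = parseInt(parts[1], 16);
        v4 = [hi >> 8, hi & 255, lo >> 8, lo & 255];
      }
    }
    return v4 !== null && isBlockedIPv4(v4);                     // judge the embedded IPv4
  }
  return false;
}

// Literal-address check on the hostname the URL parser produced.
function isBlockedHost(hostname) {
  const h = hostname.toLowerCase();
  if (h === 'localhost' || h.endsWith('.localhost')) return true;
  if (h.startsWith('[') && h.endsWith(']')) return isBlockedIPv6(h.slice(1, -1));
  const v4 = parseIPv4(h);
  return v4 !== null && isBlockedIPv4(v4);
}

// Split a client-supplied URL array into what may be crawled and what may not,
// with the reason for each rejection. Only the canonical href reaches the fetch.
function partitionCrawlUrls(urls) {
  const allowed = [];
  const rejected = [];
  for (const raw of urls) {
    let url;
    try {
      url = new URL(String(raw));
    } catch {
      rejected.push({ raw, reason: 'unparseable' });
      continue;
    }
    if (url.protocol !== 'http:' && url.protocol !== 'https:') {
      rejected.push({ raw, reason: 'scheme ' + url.protocol });
      continue;
    }
    if (isBlockedHost(url.hostname)) {
      rejected.push({ raw, reason: 'internal address ' + url.hostname });
      continue;
    }
    allowed.push(url.href);
  }
  return { allowed, rejected };
}

// Constructed sample request body for tools.search.crawlPages.
const SAMPLE_REQUEST = {
  impl: 'naive',
  urls: [
    'https://example.test/page',
    'http://127.0.0.1:8080/admin',
    'http://2130706433/',                        // decimal spelling of 127.0.0.1
    'http://0x7f.0.0.1/',                        // hex spelling of 127.0.0.1
    'http://[::ffff:127.0.0.1]/',                // IPv4-mapped IPv6
    'http://169.254.169.254/latest/meta-data/',  // cloud metadata endpoint
    'http://localhost/',
    'file:///etc/passwd',
    'not a url',
  ],
};

console.log(partitionCrawlUrls(SAMPLE_REQUEST.urls));
```

This guard judges only literal addresses. A public hostname that resolves, or rebinds, to an internal address must still be checked at connection time, by resolving it and running isBlockedHost over every resolved address before connecting to exactly that address; that step needs the network and is left out of the offline example.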