
13 matches found

ATTACKERKB
added 2026/05/26 4:43 p.m. · 4 views

CVE-2026-48902

The password and username reset features created plain http links for https connections if the "Force SSL" flag wasn't explicitly set...

5.8 AI score · 0.00001 EPSS
Exploits: 0 · References: 2 · Affected Software: 1
Snyk
added 2026/01/08 7:42 p.m. · 1 views

Incorrect Authorization

Overview: Affected versions of this package are vulnerable to Incorrect Authorization via the serviceLfsLocksDelete function in the gitlfs.go file. An attacker can delete locks owned by other users by sending a request with the force flag set to true, bypassing ownership validation. Note: This is...

5.4 CVSS · 6.7 AI score · 0.00023 EPSS
Exploits: 1 · References: 2
OSV
added 2026/01/08 6:39 p.m. · 4 views

CVE-2026-22253 Soft Serve is missing an authorization check in LFS lock deletion

Soft Serve is a self-hostable Git server for the command line. Prior to version 0.11.2, an authorization bypass in the LFS lock deletion endpoint allows any authenticated user with repository write access to delete locks owned by other users by setting the force flag. The vulnerable code path...

5.4 CVSS · 6.7 AI score · 0.00023 EPSS
Exploits: 1 · References: 4
Positive Technologies
added 2026/01/08 12:0 a.m. · 2 views

PT-2026-2184

Name of the Vulnerable Software and Affected Versions: Soft Serve versions prior to 0.11.2 Description: Soft Serve is a self-hostable Git server for the command line. An authorization bypass exists in the LFS lock deletion endpoint. Any authenticated user with repository write access can delete loc...

5.4 CVSS · 6.7 AI score · 0.00023 EPSS
Exploits: 1 · References: 6
EUVD
added 2025/10/07 12:30 a.m. · 2 views

EUVD-2021-1228

Malware in sbrugna...

9.8 CVSS · 9.3 AI score · 0.01064 EPSS
Exploits: 1 · References: 9
Github Security Blog
added 2021/05/10 7:15 p.m. · 64 views

Arbitrary Code Execution in json-ptr

npm json-ptr before 2.1.0 has an arbitrary code execution vulnerability. The issue occurs in the set operation when the force flag is set to true. The function recursively sets the property in the target object, however it does not properly check the key being set, leading to a prototype pollution...

9.8 CVSS · 9.3 AI score · 0.01064 EPSS
Exploits: 1 · References: 9 · Affected Software: 1
OSV
added 2021/05/10 7:15 p.m. · 25 views

GHSA-X5R6-X823-9848 Arbitrary Code Execution in json-ptr

npm json-ptr before 2.1.0 has an arbitrary code execution vulnerability. The issue occurs in the set operation when the force flag is set to true. The function recursively sets the property in the target object, however it does not properly check the key being set, leading to a prototype pollution...

7.3 CVSS · 9.5 AI score · 0.01064 EPSS
Exploits: 1 · References: 8
OSV
added 2020/11/10 4:15 p.m. · 16 views

CVE-2020-7766

This affects all versions of package json-ptr. The issue occurs in the set operation https://flitbit.github.io/json-ptr/classes/srcpointer.jsonpointer.htmlset when the force flag is set to true. The function recursively sets the property in the target object, however it does not properly check the...

9.8 CVSS · 6.5 AI score
Exploits: 0 · References: 3
Prion
added 2020/11/10 4:15 p.m. · 19 views

Code injection

This affects all versions of package json-ptr. The issue occurs in the set operation https://flitbit.github.io/json-ptr/classes/srcpointer.jsonpointer.htmlset when the force flag is set to true. The function recursively sets the property in the target object, however it does not properly check the...

7.5 CVSS · 9.2 AI score · 0.01064 EPSS
Exploits: 1 · References: 3 · Affected Software: 1
Cvelist
added 2020/11/10 3:35 p.m. · 22 views

CVE-2020-7766 Prototype Pollution

This affects all versions of package json-ptr. The issue occurs in the set operation https://flitbit.github.io/json-ptr/classes/srcpointer.jsonpointer.htmlset when the force flag is set to true. The function recursively sets the property in the target object, however it does not properly check the...

7.3 CVSS · 7.2 AI score · 0.01064 EPSS
Exploits: 1 · References: 3
Positive Technologies
added 2020/11/10 12:0 a.m. · 2 views

PT-2020-19778 · Json Ptr · Json-Ptr

Name of the Vulnerable Software and Affected Versions: json-ptr versions prior to 2.1.0 Description: The issue occurs in the set operation when the force flag is set to true. The function recursively sets the property in the target object, however it does not properly check the key being set,...

9.8 CVSS · 9.2 AI score · 0.01064 EPSS
Exploits: 1 · References: 13
Snyk
added 2020/10/09 3:36 p.m. · 2 views

Prototype Pollution

Overview: json-ptr is a complete implementation of JSON Pointer RFC 6901 for nodejs and modern browsers. Affected versions of this package are vulnerable to Prototype Pollution. The issue occurs in the set operation https://flitbit.github.io/json-ptr/classes/srcpointer.jsonpointer.htmlset when the...

9.8 CVSS · 9 AI score · 0.01064 EPSS
Exploits: 1 · References: 2
Positive Technologies
added 2004/10/04 12:0 a.m. · 2 views

PT-2004-2266 · Gnu +1 · Gzip +1

Name of the Vulnerable Software and Affected Versions: gzip version 1.3 and earlier in Solaris 8 Description: The issue allows local users to view or modify files that are hard linked to the target files when gzip is called with the -f or -force flags. Recommendations: For gzip version 1.3 and...

2.1 CVSS · 6.3 AI score · 0.0007 EPSS
Exploits: 0 · References: 7