61 matches found
CVE-2026-40908
WWBN AVideo is an open source video platform. In versions 29.0 and prior, the file git.json.php at the web root executes git log -1 and returns the full output as JSON to any unauthenticated user. This exposes the exact deployed commit hash enabling version fingerprinting against known CVEs,...
EUVD-2026-24286
WWBN AVideo is an open source video platform. In versions 29.0 and prior, the file git.json.php at the web root executes git log -1 and returns the full output as JSON to any unauthenticated user. This exposes the exact deployed commit hash enabling version fingerprinting against known CVEs,...
WWBN AVideo 信息泄露漏洞
WWBN AVideo is a video platform building system developed by the WWBN team using PHP. Versions of WWBN AVideo prior to version 29 contain an information leakage vulnerability. This vulnerability stems from the git.json.php file located in the root directory, which executes and returns the complet...
GHSA-52HF-63Q4-R926 WWBN AVideo has an Unauthenticated Information Disclosure via git.json.php Exposes Developer Emails and Deployed Version
Summary The file git.json.php at the web root executes git log -1 and returns the full output as JSON to any unauthenticated user. This exposes the exact deployed commit hash enabling version fingerprinting against known CVEs, developer names and email addresses PII, and commit messages which may...
PT-2026-28395
Name of the Vulnerable Software and Affected Versions CodeRider-Kilo affected versions not specified Description A flaw exists in the command auto-approval module of CodeRider-Kilo that bypasses its whitelist security mechanism, leading to a potential OS Command Injection. This is due to the use ...
CVE-2026-25763
OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an arbitrary file write vulnerability exists in OpenProject’s repository changes endpoint /projects/:projectid/repository/changes when rendering the “latest changes” view via git log. By...
CVE-2026-25763
OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an arbitrary file write vulnerability exists in OpenProject’s repository changes endpoint /projects/:projectid/repository/changes when rendering the “latest changes” view via git log. By...
CVE-2026-25763 Command Injection on OpenProject repositories leads to Remote Code Execution
OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an arbitrary file write vulnerability exists in OpenProject’s repository changes endpoint /projects/:projectid/repository/changes when rendering the “latest changes” view via git log. By...
CVE-2026-25763
OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an arbitrary file write vulnerability exists in OpenProject’s repository changes endpoint /projects/:projectid/repository/changes when rendering the “latest changes” view via git log. By...
EUVD-2026-5556
OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an arbitrary file write vulnerability exists in OpenProject’s repository changes endpoint /projects/:projectid/repository/changes when rendering the “latest changes” view via git log. By...
CVE-2026-25763
OpenProject suffers a command-injection like arbitrary file write in the repository changes endpoint (/projects/:project_id/repository/changes) when rendering the latest changes via git log. A crafted rev parameter (for example rev=--output=/tmp/poc.txt) is interpreted by Git as an option, causin...
MiracleLinux 8 : git-2.31.1-3.el8 (AXSA:2023-4991:01)
The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2023-4991:01 advisory. git: gitattributes parsing integer overflow CVE-2022-23521 git: Heap overflow in git archive, git log --format leading to RCE CVE-2022-41903 Tenable...
Fedora 42 : composer (2026-13b4dbe546)
The remote Fedora 42 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-13b4dbe546 advisory. Version 2.9.3 - 2025-12-30 Security: Fixed ANSI sequence injection GHSA-59pp-r3rg-353g / CVE-2025-67746 Fixed COMPOSERNOSECURITYBLOCKING env var not being...
EUVD-2017-0136
Malware in sbrugna...
EUVD-2025-30450
Malicious code in bioql PyPI...
CVE-2025-59433
Conventional Changelog generates changelogs and release notes from a project's commit messages and metadata. Prior to version 2.0.0, @conventional-changelog/git-client has an argument injection vulnerability. This vulnerability manifests with the library's getTags API, which allows extra paramete...
Arbitrary Argument Injection
Overview @conventional-changelog/git-client is a Simple git client for conventional changelog packages. Affected versions of this package are vulnerable to Arbitrary Argument Injection via the getTags API which allows specifying extra parameters passed to the git log command. An attacker can...
CVE-2025-59433
The CVE-2025-59433 vulnerability affects the @conventional-changelog/git-client library prior to v2.0.0. Affected API: getTags() does not sanitize or validate user-supplied parameters, allowing crafted arguments to be passed to the underlying git log command (e.g., --output=), which can enable ar...
CVE-2025-59433 @conventional-changelog/git-client has an Argument Injection vulnerability
Conventional Changelog generates changelogs and release notes from a project's commit messages and metadata. Prior to version 2.0.0, @conventional-changelog/git-client has an argument injection vulnerability. This vulnerability manifests with the library's getTags API, which allows extra paramete...
GHSA-VH25-5764-9WCR @conventional-changelog/git-client has Argument Injection vulnerability
Background on exploitation This vulnerability manifests with the library's getTags API, which allows specifying extra parameters passed to the git log command. In another API by this library - getRawCommits there are secure practices taken to ensure that the extra parameter path is unable to inje...