6 matches found
GO-2026-4742 Heimdall: Path received via Envoy gRPC corrupted when containing query string in github.com/dadrus/heimdall
Heimdall: Path received via Envoy gRPC corrupted when containing query string in github.com/dadrus/heimdall...
github.com/ulikunitz/xz leaks memory when decoding a corrupted multiple-LZMA archive
...
CVE-2023-45683 Cross-site scripting via missing binding syntax validation in ACS location in github.com/crewjam/saml
github.com/crewjam/saml is a SAML library for the Go language. In affected versions the package does not validate the ACS Location URI according to the SAML binding being parsed. If abused, this flaw allows attackers to register malicious Service Providers at the IdP and inject JavaScript in the...
CVE-2022-31570
The adriankoczuruek/ceneo-web-scrapper repository through 2021-03-15 on GitHub allows absolute path traversal because the Flask sendfile function is used unsafely...
Afterpay Gateway for WooCommerce < 3.2.1 - Reflected Cross-Site Scripting
The plugin has sample files from the https://github.com/afterpay/sdk-php library, which do not escape some parameters before outputting them in attributes, leading to Reflected Cross-Site Scripting issues. PoC...
Insecure Login Defaults
github.com/go-authboss/authboss is vulnerable to insecure login. The library successfully logs in when a confirmation link is clicked. This means a malicious user can log in if they obtain a confirmation or password reset link...