
32 matches found

EUVD
added 2025/11/26 1:28 a.m. · 2 views

EUVD-2025-199686

Webform Multiple File Upload module for Drupal 7.x contains a cross-site scripting (XSS) vulnerability in the file name renderer. An unauthenticated attacker can exploit this vulnerability by uploading a file with a malicious filename containing JavaScript code, e.g., "" to a Webform node with a...

CVSS 7 · AI score 5.9 · EPSS 0.00018
Exploits 0 · References 2
EUVD
added 2025/10/07 12:30 a.m. · 1 views

EUVD-2021-0367

Malware in sbrugna...

CVSS 7.3 · AI score 5.8 · EPSS 0.00013
Exploits 0 · References 9
OSV
added 2025/06/06 2:3 p.m. · 1 views

OESA-2025-1591 perl-YAML-LibYAML security update

Security Fixes: A vulnerability was found in TINITA YAML-LibYAML up to 0.902.x on Perl. It has been classified as problematic. CWE is classifying the issue as CWE-552. The product makes files or directories accessible to unauthorized actors, even though they should not be. This is going to have an...

CVSS 9.1 · AI score 6.8 · EPSS 0.00372
Exploits 1 · References 2
RedhatCVE
added 2025/05/29 2:40 p.m. · 3 views

CVE-2025-3704

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in DBAR Productions Volunteer Sign Up Sheets pta-volunteer-sign-up-sheets allows Stored XSS. This issue affects Volunteer Sign Up Sheets: from n/a through 5.5.5...

CVSS 5.9 · AI score 5.9 · EPSS 0.0017
Exploits 0 · References 1
Vulnrichment
added 2025/05/27 2:39 p.m. · 5 views

CVE-2025-3704 WordPress Volunteer Sign Up Sheets plugin < 5.5.5 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in DBAR Productions Volunteer Sign Up Sheets allows Stored XSS. This issue affects Volunteer Sign Up Sheets: from n/a before 5.5.5. The patch is available exclusively on GitHub at...

CVSS 5.9 · AI score 6.8 · EPSS 0.0017
Exploits 0 · References 2
CVE
added 2025/05/27 2:39 p.m. · 42 views

CVE-2025-3704

CVE-2025-3704 concerns the WordPress plugin “Volunteer Sign Up Sheets” by DBAR Productions. The vulnerability is a stored XSS caused by improper input neutralization during web page generation in versions prior to 5.5.5. Public references indicate the patch is available only on GitHub (pta-volu...

CVSS 5.9 · AI score 5.9 · EPSS 0.0017
Exploits 0 · References 1
Hacker One
added 2025/04/09 9:5 p.m. · 5 views

Brave Software: Prompt Injection via GitHub Patch in Brave AI Chat (Leo)

Component: Brave AI Chat brave-core/components/aichat/ Severity: High Confirmed ability to override AI instructions and persona via fetched content Vulnerability Summary The Brave AI Chat feature allows fetching .patch files from GitHub pull request pages to use as context. A combination of...

AI score 7.2
Exploits 0
RedhatCVE
added 2025/02/05 9:53 p.m. · 4 views

CVE-2022-24900

Piano LED Visualizer is software that allows LED lights to light up as a person plays a piano connected to a computer. Version 1.3 and prior are vulnerable to a path traversal attack. The os.path.join call is unsafe for use with untrusted input. When the os.path.join call encounters an absolute...

CVSS 9.9 · AI score 6.7 · EPSS 0.73295
Exploits 1 · References 1
OSV
added 2024/05/15 9:7 p.m. · 7 views

GHSA-9CQ2-PCGR-8H62 Cross-site Scripting in eZFind spellcheck

This security advisory fixes a vulnerability in the legacy eZ Find extension, which can be used with the LegacyBridge in eZ Platform. It affects sites using the "Did you mean...?" spell check / search suggestion feature. This feature is vulnerable to Cross-site Scripting XSS injection reflected...

AI score 6.5
Exploits 0 · References 5
OSV
added 2024/03/06 11:16 a.m. · 17 views

BIT-TENSORFLOW-2021-37679 Heap OOB in nested `tf.map_fn` with `RaggedTensor`s in TensorFlow

TensorFlow is an end-to-end open source platform for machine learning. In affected versions it is possible to nest a tf.map_fn within another tf.map_fn call. However, if the input tensor is a RaggedTensor and there is no function signature provided, code assumes the output is a fully specified tens...

CVSS 7.8 · AI score 7.7 · EPSS 0.00032
Exploits 0 · References 3
Github Security Blog
added 2023/12/01 7:23 p.m. · 13 views

Reflected XSS Vulnerability in dpaste

Impact A security vulnerability has been identified in the expires parameter of the dpaste API, allowing for a POST Reflected XSS attack. This vulnerability can be exploited by an attacker to execute arbitrary JavaScript code in the context of a user's browser, potentially leading to unauthorized...

CVSS 8.3 · AI score 7.2 · EPSS 0.00486
Exploits 0 · References 4 · Affected Software 1
Symfony
added 2023/09/11 12:0 a.m. · 8 views

CVE-2023-41336: symfony/ux-autocomplete Prevent injection of invalid entity ids for "autocomplete" fields

Affected Versions Versions 2.11.1 of the symfony/ux-autocomplete package are affected by this security issue. Description Under certain circumstances, an attacker could successfully submit an entity id for an EntityType that is not part of the valid choices. Affected applications are any that...

CVSS 6.5 · AI score 6.2 · EPSS 0.01071
Exploits 0
Vulnrichment
added 2022/11/18 12:0 a.m. · 3 views

CVE-2022-41880 ThreadUnsafeUnigramCandidateSampler Heap out of bounds in Tensorflow

TensorFlow is an open source platform for machine learning. When the BaseCandidateSamplerOp function receives a value in true_classes larger than range_max, a heap oob read occurs. We have patched the issue in GitHub commit b389f5c944cadfdfe599b3f1e4026e036f30d2d4. The fix will be included in...

CVSS 6.8 · AI score 7.1 · EPSS 0.0016
Exploits 1 · References 3
Vulnrichment
added 2022/11/18 12:0 a.m. · 5 views

CVE-2022-41894 Buffer overflow in `CONV_3D_TRANSPOSE` on TFLite

TensorFlow is an open source platform for machine learning. The reference kernel of the CONV_3D_TRANSPOSE TensorFlow Lite operator wrongly increments the data_ptr when adding the bias to the result. Instead of data_ptr += num_channels; it should be data_ptr += output_num_channels; as if the number of inp...

CVSS 7.1 · AI score 7.5 · EPSS 0.00225
Exploits 1 · References 3
Vulnrichment
added 2022/09/16 10:10 p.m. · 5 views

CVE-2022-36001 `CHECK` fail in `DrawBoundingBoxes` in TensorFlow

TensorFlow is an open source platform for machine learning. When DrawBoundingBoxes receives an input boxes that is not of dtype float, it gives a CHECK fail that can trigger a denial of service attack. We have patched the issue in GitHub commit da0d65cdc1270038e72157ba35bf74b85d9bda11. The fix wi...

CVSS 5.9 · AI score 7.5 · EPSS 0.00135
Exploits 0 · References 2
OSV
added 2022/09/16 7:55 p.m. · 13 views

CVE-2022-35959 `CHECK` failures in `AvgPool3DGrad` in TensorFlow

TensorFlow is an open source platform for machine learning. The implementation of AvgPool3DGradOp does not fully validate the input orig_input_shape. This results in an overflow that results in a CHECK failure which can be used to trigger a denial of service attack. We have patched the issue in...

CVSS 5.9 · AI score 7.7 · EPSS 0.00064
Exploits 0 · References 4
Debian CVE
added 2022/09/16 7:40 p.m. · 3 views

CVE-2022-35939

TensorFlow is an open source platform for machine learning. The ScatterNd function takes an input argument that determines the indices of the output tensor. An input index greater than the output tensor or less than zero will either write content at the wrong index or trigger a crash. We have...

CVSS 9.8 · AI score 7 · EPSS 0.00231
Exploits 0
Positive Technologies
added 2022/09/16 12:0 a.m. · 1 views

PT-2022-23111 · Google · Tensorflow

Name of the Vulnerable Software and Affected Versions: TensorFlow versions prior to 2.10.0 TensorFlow versions 2.9.1 and earlier TensorFlow versions 2.8.1 and earlier TensorFlow versions 2.7.2 and earlier Description: The issue occurs when the mlir::tfg::ConvertGenericFunctionToFunctionDef functi...

CVSS 7.5 · AI score 7.4 · EPSS 0.00075
Exploits 0 · References 8
Github Security Blog
added 2022/05/05 12:0 a.m. · 36 views

Microweber vulnerable to cross-site scripting (XSS)

Microweber is a drag and drop website builder and a powerful next generation CMS. Microweber versions 1.2.15 and prior are vulnerable to cross-site scripting. This could lead to injection of arbitrary JavaScript code, defacement of a page, or stealing cookies. A patch is available on the master...

CVSS 8.8 · AI score 2.4 · EPSS 0.00904
Exploits 1 · References 4 · Affected Software 1
OSV
added 2022/05/05 12:0 a.m. · 14 views

GHSA-6346-5R4H-FF5X Microweber vulnerable to cross-site scripting (XSS)

Microweber is a drag and drop website builder and a powerful next generation CMS. Microweber versions 1.2.15 and prior are vulnerable to cross-site scripting. This could lead to injection of arbitrary JavaScript code, defacement of a page, or stealing cookies. A patch is available on the master...

CVSS 6.1 · AI score 6.1 · EPSS 0.00904
Exploits 1 · References 4