22 matches found

GitLab Advisory Database · added 2026/01/16 12:0 a.m. · 8 views

Crawl4AI Has Local File Inclusion in Docker API via file:// URLs

A local file inclusion vulnerability exists in the Crawl4AI Docker API. The /executejs, /screenshot, /pdf, and /html endpoints accept file:// URLs, allowing attackers to read arbitrary files from the server filesystem. Attack Vector: json POST /executejs "url": "file:///etc/passwd", "scripts":...

AI score 6.9
Exploits 0 · References 5 · Affected Software 1
RedhatCVE · added 2025/10/31 12:13 a.m. · 2 views

CVE-2025-52180

Cross-site scripting (XSS) vulnerability in Zucchetti Ad Hoc Infinity 4.2 and earlier allows remote unauthenticated attackers to inject arbitrary JavaScript via the pHtmlSource parameter of the /ahi/jsp/gsfrfeditorHTML.jsp?pHtmlSource endpoint...

CVSS 6.1 · AI score 6.4 · EPSS 0.00045
Exploits 0 · References 1
Cvelist · added 2025/10/30 12:0 a.m. · 4 views

CVE-2025-52179

Cross-site scripting (XSS) vulnerability in Zucchetti Ad Hoc Revolution 4.1 and earlier allows remote unauthenticated attackers to inject arbitrary JavaScript via the pHtmlSource parameter of the /ahrw/jsp/gsfrfeditorHTML.jsp endpoint...

EPSS 0.00045
Exploits 0 · References 2
NVD · added 2025/09/29 10:15 a.m. · 4 views

CVE-2025-11147

Reflected cross-site scripting (XSS) in Apt-Cacher-NG v3.2.1. The vulnerability allows malicious (XSS) scripts to be executed in “/html/.html”...

CVSS 5.4 · EPSS 0.00026
Exploits 0 · References 1
Positive Technologies · added 2025/09/29 12:0 a.m. · 8 views

PT-2025-39821

Name of the Vulnerable Software and Affected Versions: Apt-Cacher-NG version 3.2.1
Description: A reflected cross-site scripting (XSS) issue exists in Apt-Cacher-NG. This allows the execution of malicious scripts within the “/html/.html” path. The vulnerability enables attackers to inject and execute...

CVSS 5.1 · AI score 6 · EPSS 0.00026
Exploits 0 · References 5
RedhatCVE · added 2025/09/11 12:16 a.m. · 6 views

CVE-2025-57633

A command injection vulnerability in FTP-Flask-python through 5173b68 allows unauthenticated remote attackers to execute arbitrary OS commands. The /ftp.html endpoint's "Upload File" action constructs a shell command from the ftpfile parameter and executes it using os.system without sanitization ...

CVSS 9.8 · AI score 8.3 · EPSS 0.00416
Exploits 0 · References 1
Vulnrichment · added 2025/09/09 12:0 a.m. · 1 views

CVE-2025-57633

A command injection vulnerability in FTP-Flask-python through 5173b68 allows unauthenticated remote attackers to execute arbitrary OS commands. The /ftp.html endpoint's "Upload File" action constructs a shell command from the ftpfile parameter and executes it using os.system without sanitization ...

AI score 7.7 · EPSS 0.00416
Exploits 0 · References 2
Cvelist · added 2025/09/09 12:0 a.m. · 4 views

CVE-2025-57633

A command injection vulnerability in FTP-Flask-python through 5173b68 allows unauthenticated remote attackers to execute arbitrary OS commands. The /ftp.html endpoint's "Upload File" action constructs a shell command from the ftpfile parameter and executes it using os.system without sanitization ...

EPSS 0.00416
Exploits 0 · References 2
Positive Technologies · added 2024/09/04 12:0 a.m. · 2 views

PT-2024-31141 · Unknown · Wayos Fbm-291W

Name of the Vulnerable Software and Affected Versions: WAYOS FBM-291W version 19.09.11
Description: The issue is related to Command Execution via msp info htm. This vulnerability occurs through the "msp info htm" endpoint, allowing for command execution.
Recommendations: For WAYOS FBM-291W versio...

CVSS 8 · AI score 7.4 · EPSS 0.00099
Exploits 1 · References 6
Positive Technologies · added 2024/07/19 12:0 a.m. · 3 views

PT-2024-18941

Name of the Vulnerable Software and Affected Versions:
github.com/gotenberg/gotenberg/v8/pkg/gotenberg versions prior to 8.1.0
github.com/gotenberg/gotenberg/v8/pkg/modules/chromium versions prior to 8.1.0
github.com/gotenberg/gotenberg/v8/pkg/modules/webhook versions prior to 8.1.0
Description: Th...

CVSS 8.2 · AI score 5.9 · EPSS 0.00122
Exploits 0 · References 11
CNNVD · added 2024/06/09 12:0 a.m. · 2 views

Mitel 6869i SIP Security Vulnerability

Mitel 6869i SIP is a powerful and scalable desk phone from Mitel Canada. A security vulnerability exists in Mitel 6869i versions 4.5.0.41 and earlier and 5.0.0.1018 and earlier, which stems from the provis.html endpoint failing to sanitize the hostname parameter, and can be exploited by an attack...

CVSS 8.8 · AI score 7.7 · EPSS 0.0244
Exploits 3 · References 4
CNNVD · added 2024/03/21 12:0 a.m. · 2 views

Sentrifugo Cross-Site Scripting Vulnerability

Sentrifugo is a human resource management system. The system includes functions for human resources management, performance appraisal, recruitment management and asset management. A cross-site scripting vulnerability exists in Sentrifugo version 3.2, which stems from the lack of effective filteri...

CVSS 7.1 · AI score 6.3 · EPSS 0.00079
Exploits 0 · References 2
Snyk · added 2024/02/22 4:4 p.m. · 1 views

Server-side Request Forgery (SSRF)

Overview: Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the /convert/html endpoint when a request is made to a file via localhost, such as . By exploiting this vulnerability, an attacker can achieve local file inclusion, allowing of sensitive files read o...

CVSS 8.8 · AI score 6.6 · EPSS 0.00122
Exploits 0 · References 2
Snyk · added 2024/02/22 4:4 p.m. · 1 views

Server-side Request Forgery (SSRF)

Overview: Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the /convert/html endpoint when a request is made to a file via localhost, such as . By exploiting this vulnerability, an attacker can achieve local file inclusion, allowing of sensitive files read o...

CVSS 8.8 · AI score 6.6 · EPSS 0.00122
Exploits 0 · References 2
OSV · added 2022/12/14 3:15 p.m. · 3 views

CVE-2022-31358

A reflected cross-site scripting (XSS) vulnerability in Proxmox Virtual Environment prior to v7.2-3 allows remote attackers to execute arbitrary web scripts or HTML via non-existent endpoints under path /api2/html/...

CVSS 9 · AI score 6
Exploits 0 · References 4
CNNVD · added 2022/12/14 12:0 a.m. · 5 views

Proxmox Virtual Environment Cross-Site Scripting Vulnerability

Proxmox Virtual Environment (Proxmox VE) is an open source server virtualization environment Linux distribution from Proxmox. A security vulnerability exists in Proxmox Virtual Environment versions prior to v7.2-3, which originated from a vulnerability that allows remote attackers to execute...

CVSS 9 · AI score 8.6 · EPSS 0.00874
Exploits 1 · References 5
Positive Technologies · added 2022/03/15 12:0 a.m. · 2 views

PT-2022-18171 · Arris · Arris Tr3300

Name of the Vulnerable Software and Affected Versions: Arris TR3300 version 1.0.13
Description: A command injection issue was found in the pptp function, accessible through the wan pptp.html endpoint, via the pptp fix ip, pptp fix mask, pptp fix gw, and wan dns1 stat parameters. This allows...

CVSS 10 · AI score 9.8 · EPSS 0.12616
Exploits 1 · References 2
Veracode · added 2021/03/01 10:10 a.m. · 19 views

Server Side Request Forgery (SSRF)

github.com/thecodingmachine/gotenberg is vulnerable to Server Side Request Forgery (SSRF). An attacker is able to send malicious requests on behalf of the application via the /convert/html endpoint when the src attribute of an HTML element refers to an internal system file, such as...

CVSS 5.3 · AI score 4 · EPSS 0.00213
Exploits 1 · References 1 · Affected Software 1
Prion · added 2021/02/26 6:15 p.m. · 14 views

Server-side Request Forgery (SSRF)

All versions of package github.com/thecodingmachine/gotenberg are vulnerable to Server-side Request Forgery (SSRF) via the /convert/html endpoint when the src attribute of an HTML element refers to an internal system file, such as...

CVSS 5 · AI score 5.3 · EPSS 0.00213
Exploits 1 · References 2
Cvelist · added 2021/02/26 5:20 p.m. · 15 views

CVE-2021-23345 Server-side Request Forgery (SSRF)

All versions of package github.com/thecodingmachine/gotenberg are vulnerable to Server-side Request Forgery (SSRF) via the /convert/html endpoint when the src attribute of an HTML element refers to an internal system file, such as...

CVSS 5.3 · AI score 5.6 · EPSS 0.00213
Exploits 1 · References 2