JLSEC-2026-104 Deno's improper suffix match testing for DENO_AUTH_TOKENS
Summary Deno improperly checks that an import specifier's hostname is equal to or a child of a token's hostname, which can cause tokens to be sent to servers they shouldn't be sent to. An auth token intended for example.com may be sent to notexample.com. Details authtokens.rs uses a simple endswi...
GitLab 18.0 < 18.6.6 / 18.7 < 18.7.4 / 18.8 < 18.8.4 (CVE-2025-12073)
The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.0 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions, could have allowed an...
CVE-2022-38845
Cross-Site Scripting in the Import feature in EspoCRM 7.1.8 allows remote users to run malicious JavaScript in a victim's browser by sending a crafted CSV file containing malicious JavaScript to an authenticated user. Any authenticated user importing the crafted CSV file may end up running the malicious...
EUVD-2017-18448
Malware in sbrugna...
EUVD-2019-18531
Malware in sbrugna...
EUVD-2019-6738
Malware in sbrugna...
EUVD-2018-12726
Malware in sbrugna...
EUVD-2023-28696
Malicious code in bioql PyPI...
CVE-2025-52133
CVE-2025-52133 affects the Mocca Calendar application for XWiki (versions before 2.15). The issue is a cross-site scripting (XSS) vulnerability triggered by a crafted title during calendar import, caused by an XSS in the calendar import header. CVSSv3.1 base score is 6.4 (Medium) with Network att...
CVE-2024-2656
The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a CSV import in all versions up to, and including, 5.7.14 due to insufficient input sanitization and output escapin...
Path Relative Stylesheet Import
A Path Relative Style Sheet Import occurs when the application imports a style sheet via a relative URL and uses user input in the file name. This vulnerability mainly affects older browsers such as Internet Explorer and allows an attacker to exploit the way the browser handles stylesheet imports...
CVE-2024-22020
A security flaw in Node.js allows a bypass of network import restrictions. By embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security. Verified on various platforms, the vulnerability is mitigated by forbidding data URLs in network imports...
CVE-2023-26492 Directus vulnerable to Server-Side Request Forgery On File Import
Directus is a real-time API and App dashboard for managing SQL database content. Directus is vulnerable to Server-Side Request Forgery (SSRF) when importing a file from a remote web server via POST to /files/import. An attacker can bypass the security controls by performing a DNS rebinding attack and...
GitLab -- two vulnerabilities
GitLab reports: Remote Command Execution in git client. An external code review performed by Recurity-Labs identified a remote command execution vulnerability in git that could be exploited via the "Repo by URL" import option in GitLab. The command line git client was not properly escaping command...