108 matches found
EUVD-2022-0362
Malicious code in bioql PyPI...
CVE-2025-54433
Bugsink suffers from a Path Traversal vulnerability (CVE-2025-54433) where ingestion paths are constructed from unvalidated event_id input. Affected versions include 1.4.2 and earlier, 1.5.0–1.5.4, 1.6.0–1.6.3, and 1.7.0–1.7.3. An attacker with a valid DSN can craft an event_id to cause file writ...
PT-2025-30550 · Unknown · Main Web Interface
Name of the Vulnerable Software and Affected Versions: Apache affected versions not specified Description: An authenticated remote attacker can execute arbitrary commands with root privileges on affected devices due to improper sanitizing of user input in the Main Web Interface. The vulnerable...
CVE-2025-54314
CVE-2025-54314 is tied to Ruby’s Thor library. The IBM/endorsement bulletin confirms Thor versions before 1.4.0 can construct an unsafe shell command from library input. The vulnerability is mitigated by upgrading to Thor 1.4.0 or newer, as noted in official fixes; the supplier disputes the claim...
WordPress Events Manager Plugin SQL Injection Vulnerability
WordPress Events Manager plugin is a full-featured event management tool that supports event registration, ticket sales, booking management and recurring event settings. The WordPress Events Manager plugin suffers from a SQL injection vulnerability that stems from the plugin's failure to adequate...
CVE-2025-3466
langgenius/dify versions 1.1.0 to 1.1.2 are vulnerable to unsanitized input in the code node, allowing execution of arbitrary code with full root permissions. The vulnerability arises from the ability to override global functions in JavaScript, such as parseInt, before sandbox security restrictio...
PT-2025-24524 · Unknown · Wc Myparcel Belgium
Name of the Vulnerable Software and Affected Versions: WC MyParcel Belgium versions 4.5.5 through beta Description: The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting, allowing Reflected XSS. This enables potential attackers to...
CVE-2025-27242
This CVE-2025-27242 affects OpenHarmony v5.0.3 and earlier, where an improper input handling vulnerability allows a local attacker to cause a denial of service. The root cause is input validation/handling weakness in the OpenHarmony security component (security_component_manager). Reported impact...
USN-7549-1 php-twig vulnerability
It was discovered that Twig did not correctly handle securing user input. An attacker could possibly use this issue to cause Twig to expose sensitive information if it opened a specially crafted file. CVE-2024-45411...
CVE-2023-47130
Yii is an open source PHP web framework. yiisoft/yii before version 1.1.29 are vulnerable to Remote Code Execution RCE if the application calls unserialize on arbitrary user input. An attacker may leverage this vulnerability to compromise the host system. A fix has been developed for the 1.1.29...
CVE-2021-46034
A problem was found in ForestBlog, as of 2021-12-29, there is a XSS vulnerability that can be injected through the nickname input box...
CVE-2020-25750
An issue was discovered in DotPlant2 before 2020-09-14. In class Pay2PayPayment in payment/Pay2PayPayment.php, there is an XXE vulnerability in the checkResult function. The user input $POST'xml' is used for simplexmlloadstring without sanitization. NOTE: This vulnerability only affects products...
CVE-2019-9094
A Reflected Cross Site Scripting XSS Vulnerability was discovered in /s/adada/cfiles/upload in Humhub 1.3.10 Community Edition. The user-supplied input containing JavaScript in the filename is echoed back in JavaScript code, which resulted in XSS...
CVE-2017-1002201
In haml versions prior to version 5.0.0.beta.2, when using user input to perform tasks on the server, characters like " ' must be escaped properly. In this case, the ' character was missed. An attacker can manipulate the input to introduce additional attributes, potentially executing code...
SAP Data Services Management Console Cross-Site Scripting Vulnerability
SAP Data Services Management Console is a console for managing and monitoring data services. A cross-site scripting vulnerability exists in SAP Data Services Management Console that stems from the system failing to adequately encode user-controlled input. An attacker could exploit the vulnerabili...
PT-2025-19739 · Unknown · Retrieval-Based-Voice-Conversion-Webui
Name of the Vulnerable Software and Affected Versions: Retrieval-based-Voice-Conversion-WebUI versions 2.2.231006 and prior Description: Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. The variables exp dir1, np7, and f0method8 take user input and pass it into...
PT-2025-17170 · Unknown · Rtpharry Bulk Page Stub Creator
Name of the Vulnerable Software and Affected Versions: rtpHarry Bulk Page Stub Creator versions n/a through 1.1 Description: The issue is related to Improper Neutralization of Input During Web Page Generation, also known as 'Cross-site Scripting', which allows Reflected XSS. This means an attacke...
Moodle < 3.9.20 Multiple Vulnerabilities
According to its self-reported version, the Moodle install hosted on the remote host is prior to 3.9.20, 3.11.x prior to 3.11.13, 4.0.x prior to 4.0.7 or 4.1.x prior to 4.1.2. It is, therefore, affected by multiple vulnerabilities. - The course participation report required additional checks to...
CVE-2025-26653 Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)
SAP NetWeaver Application Server ABAP does not sufficiently encode user-controlled inputs, leading to Stored Cross-Site Scripting XSS vulnerability. This enables an attacker, without requiring any privileges, to inject malicious JavaScript into a website. When a user visits the compromised page,...
BIT-JOOMLA-2020-13763
In Joomla! before 3.9.19, the default settings of the global textfilter configuration do not block HTML inputs for Guest users...