25 matches found
Medium: golist
Issue Overview: url.Parse insufficiently validated the host/authority component and accepted some invalid URLs. CVE-2026-25679 On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which t...
CVE-2026-27759
Featured Image from Content featured-image-from-content WordPress plugin versions prior to 1.7 contain an authenticated server-side request forgery vulnerability that allows Author-level users to fetch internal HTTP resources. Attackers can exploit insecure URL fetching and file write operations ...
CVE-2025-11521 Astra Security Suite – Firewall & Malware Scan <= 0.2 - Unauthenticated Arbitrary File Upload
The Astra Security Suite – Firewall & Malware Scan plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient validation of remote URLs for zip downloads and an easily guessable key in all versions up to, and including, 0.2. This makes it possible for unauthenticated attacke...
CVE-2025-10281 Insecure URL Handling in git_clone Leading to Leaked API Key
BBOT's gitclone module could be abused to disclose a GitHub API key to an attacker-controlled server with a maliciously formatted git URL...
CVE-2025-31476
tarteaucitron.js is a compliant and accessible cookie banner. A vulnerability was identified in tarteaucitron.js, allowing a user with high privileges (access to the site's source code or a CMS plugin) to enter a URL containing an insecure scheme such as javascript:alert. Before the fix, URL...
PT-2025-15240 · Unknown · Tarteaucitron.Js
Name of the Vulnerable Software and Affected Versions: tarteaucitron.js versions prior to 1.20.1 Description: A vulnerability was identified in tarteaucitron.js, allowing a user with high privileges to enter a URL containing an insecure scheme, such as javascript:alert. Insufficient URL validatio...
CVE-2024-50624
CVE-2024-50624 affects KDE PIM’s KMail, specifically the Account Wizard, where configuration retrieval uses cleartext HTTP instead of HTTPS for autoconfig servers (e.g., http://autoconfig.example.com or http://example.com/.well-known/autoconfig). Connected advisories confirm this issue in KMail A...
CVE-2024-8663
The WP Simple Booking Calendar plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.0.10. This makes it possible for unauthenticated attackers to inject...
google-translate-api-browser Code Issue Vulnerability
google-translate-api-browser is the free and unlimited Google Translate API. A code issue vulnerability exists in versions of google-translate-api-browser prior to 4.1.0, which stems from the translateOptions.tld field not being properly cleaned before being placed in a Google Translate URL. An...
CVE-2022-44795
An issue was discovered in Object First Ootbi BETA build 1.0.7.712. A flaw was found in the Web Service, which could lead to local information disclosure. The command that creates the URL for the support bundle uses an insecure RNG. That can lead to prediction of the generated URL. As a result, a...
URL Redirection
node-forge is vulnerable to URL redirection. The use of insecure URL parsing in forge.util.parseUrl and its alias forge.http.parseUrl allows a URL redirection to a malicious site...
CVE-2020-15258
In Wire before 3.20.x, shell.openExternal was used without checking the URL. This vulnerability allows an attacker to execute code on the victim's machine by sending messages containing links with arbitrary protocols. The victim has to interact with the link and sees the URL that is opened. The...
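The tarteaucitron.js and Wire entries above share one root cause: a URL supplied by a user or a message is navigated to, or handed to shell.openExternal, without checking its scheme, so javascript: (or any custom protocol handler) is accepted. The check that fixes both is a scheme allowlist applied to the parsed URL rather than a string prefix test. The code below is an added example, not code from tarteaucitron.js or Wire; the function names, the allowlist contents and the injected opener are assumptions made for illustration.

```javascript
// Added example (not tarteaucitron.js or Wire code): allow only a fixed set of
// schemes before a URL is navigated to or passed to an external opener.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]); // assumed policy

function isSafeExternalUrl(input, allowed = ALLOWED_SCHEMES) {
  if (typeof input !== "string") return false;
  let url;
  try {
    // Parse without a base: relative strings and scheme-relative "//host" throw,
    // so nothing gets silently rebased onto a trusted origin.
    url = new URL(input);
  } catch {
    return false;
  }
  // The WHATWG parser lowercases the scheme, strips leading/trailing C0 controls
  // and spaces, and removes embedded tabs/newlines, so "JavaScript:", " javascript:"
  // and "java\tscript:" all normalise to "javascript:" and fail the allowlist.
  // Checking url.protocol (not a prefix of the raw string) is what makes that work.
  return allowed.has(url.protocol);
}

// Cookie-banner style use: never emit an unchecked href into the page.
function sanitizeHref(input) {
  return isSafeExternalUrl(input) ? new URL(input).href : "about:blank";
}

// Messenger style use: gate an opener such as Electron's shell.openExternal.
// The opener is injected so this runs outside Electron; unsafe links are dropped.
function openExternalGuarded(raw, openExternal) {
  if (!isSafeExternalUrl(raw)) return false;
  openExternal(new URL(raw).href); // pass the normalised URL, not the raw string
  return true;
}

module.exports = { isSafeExternalUrl, sanitizeHref, openExternalGuarded };
```

Whether mailto: belongs on the allowlist is a product decision; the point is that the set is closed, so file:, data:, javascript: and OS-registered custom protocols are rejected by default rather than by enumeration.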
CVE-2019-11065
A flaw was discovered in Gradle, where it uses an insecure HTTP URL to download dependencies. This flaw allows dependency artifacts to be maliciously replaced through a man-in-the-middle (MITM) attack...
cvoo.nl XSS vulnerability
Vulnerable URL: https://www.cvoo.nl/opendag/20160306opendag/album/index.html?bg=xss"
Details:
Patched: No
Latest check for patch: 10.12.2017
Vulnerability type: XSS
Vulnerability status: Publicly disclosed
Alexa Rank: Unknown / Not calculated
VIP website status: No...
ownCloud: apps.owncloud.com: Multiple reflected XSS by insecure URL generation (IE only)
Due to a bug in the URL generation component mainly used by forms, the ownCloud appstore available at apps.owncloud.com is vulnerable to multiple reflected XSS. This problem seems only to be exploitable in Internet Explorer, since other browsers URL-encode GET parameters. This was...
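The ownCloud appstore and WP Simple Booking Calendar entries describe the same pattern: the current request URL is copied into a generated link or form action with new query arguments appended by string concatenation, and the result is written into an HTML attribute unescaped. That only looks safe because most browsers percent-encode characters such as `"` before sending the request; a client that does not (old Internet Explorer), or a request crafted with a raw socket, reflects the quote and closes the attribute. The code below is an added example, not ownCloud or WordPress code; the request URL is constructed, and the function names are assumptions made for illustration.

```javascript
// Added example (not ownCloud appstore or WP Simple Booking Calendar code).
// Constructed input: a request URL whose query string carries an XSS probe,
// exactly as an old IE or a raw HTTP client would send it (quote unencoded).
const ATTACK_URL = 'https://store.example/app/?bg=xss"><script>alert(1)</script>';

// Vulnerable 'before': rebuild the action URL by string concatenation and drop
// it into an attribute unescaped. The reflected quote ends the attribute early
// and the injected <script> tag becomes live markup.
function formActionUnsafe(currentUrl, page) {
  const joiner = currentUrl.includes("?") ? "&" : "?";
  return `<form action="${currentUrl}${joiner}page=${page}">`;
}

// Hardened version, two independent layers:
// 1. build the URL through the URL/URLSearchParams API, which percent-encodes
//    " < > ( ) / and friends when it serialises the query;
// 2. escape for the HTML attribute context anyway, because (1) only guarantees
//    URL syntax, not that the string is inert inside an attribute.
function addQueryArg(currentUrl, key, value) {
  const url = new URL(currentUrl);
  url.searchParams.set(key, String(value)); // re-serialises every existing pair too
  return url.href;
}

function escapeHtmlAttr(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

function formActionSafe(currentUrl, page) {
  return `<form action="${escapeHtmlAttr(addQueryArg(currentUrl, "page", page))}">`;
}

module.exports = { ATTACK_URL, formActionUnsafe, addQueryArg, escapeHtmlAttr, formActionSafe };
```

The attribute escape is the layer that actually closes the bug; URLSearchParams happens to neutralise this payload, but a URL builder is not an HTML encoder, and relying on it alone would fail the moment the value is written into a different context.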
Moodle 2.1.x < 2.1.6 / 2.2.x < 2.2.3 Multiple Vulnerabilities
Binary data 8715.prm...
Insomnia : ISVA-110822.1 - Pidgin IM Insecure URL Handling Remote Code Execution
Insomnia Security Vulnerability Advisory: ISVA-110822.1 Name: Pidgin IM Insecure URL Handling Remote Code Execution Reported: 21 July 2011 Vendor Link: http://www.pidgin.im Affected Products: Pidgin Instant Messaging Client = 2.9.0 Original Advisory:...
Unfixed XSS vulnerability at www.citypoint.com.ar
Security researcher 444Team has submitted on 11/02/2009 a cross-site scripting (XSS) vulnerability affecting www.citypoint.com.ar, which at the time of submission ranked 17871675 on the web according to Alexa. We manually validated and published a mirror of this vulnerability on 29/06/2009. It is...