nginx-ui Backup Restore Allows Tampering with Encrypted Backups
Summary The nginx-ui backup restore mechanism allows attackers to tamper with encrypted backup archives and inject malicious configuration during restoration. Details The backup format lacks a trusted integrity root. Although files are encrypted, the encryption key and IV are provided to the clie...
SUSE CVE-2025-69263
pnpm is a package manager. Versions 10.26.2 and below store HTTP tarball dependencies and git-hosted tarballs in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed. An attacker who publishes a package...
CVE-2025-69263 pnpm Lockfile Integrity Bypass Allows Remote Dynamic Dependencies
pnpm is a package manager. Versions 10.26.2 and below store HTTP tarball dependencies and git-hosted tarballs in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed. An attacker who publishes a package...
CVE-2025-69263
CVE-2025-69263 affects the pnpm package manager. Versions 10.26.2 and below store HTTP tarball dependencies (and git-hosted tarballs) in the lockfile without an integrity hash, enabling a remote server to serve different content on each install. An attacker publishing a package with an HTTP tarba...
pnpm Has Lockfile Integrity Bypass that Allows Remote Dynamic Dependencies
Summary HTTP tarball dependencies and git-hosted tarballs are stored in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed. Details When a package depends on an HTTP tarball URL, pnpm's tarball resolve...
EUVD-2024-1019
Malicious code in bioql PyPI...
CVE-2020-15262 Invalid integrity hashes in webpack-subresource-integrity
In webpack-subresource-integrity before version 1.5.1, all dynamically loaded chunks receive an invalid integrity hash that is ignored by the browser, and therefore the browser cannot validate their integrity. This removes the additional level of protection offered by SRI for such chunks. Top-lev...
mantis -- multiple vulnerabilities
The Mantis developers report: CVE-2019-15715: Admin Required - Post Authentication Command Execution / Injection Vulnerability CVE-2019-8331: In Bootstrap before 3.4.1, XSS is possible in the tooltip or popover data-template attribute Missing integrity hashes for CSS resources from CDNs...