CVE-2026-33609
Incomplete escaping of LDAP queries when running with 8bit-dns enabled allows users to perform queries of internal domain subtrees...
PT-2026-34446
Incomplete escaping of LDAP queries when running with 8bit-dns enabled allows users to perform queries of internal domain subtrees...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization due to missing enforcement of organization scopes in the zitadel process. An attacker can gain unauthorized access to resources or perform actions outside their permitted organization by exploiting this lack of sco...
CVE-2026-25492 Craft's save_images_Asset GraphQL mutation can be abused to exfiltrate AWS credentials of the underlying host
Craft CMS is a content management system. In Craft versions 3.5.0 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveimagesAsset GraphQL mutation can be abused to fetch internal URLs by providing a domain name that resolves to an internal IP address, bypassing hostname validation. When a...
Microsoft Warns Misconfigured Email Routing Can Enable Internal Domain Phishing
Threat actors engaging in phishing attacks are exploiting routing scenarios and misconfigured spoof protections to impersonate organizations' domains and distribute emails that appear as if they have been sent internally. "Threat actors have leveraged this vector to deliver a wide variety of...
Use of Single-factor Authentication
Overview Affected versions of this package are vulnerable to Use of Single-factor Authentication due to improper session validation in the authentication process. An attacker can gain unauthorized access to accounts protected by multi-factor authentication by submitting only a single authenticati...
EUVD-2019-15088
Malware in sbrugna...
EUVD-2020-7841
Malware in sbrugna...
EUVD-2025-6712
Malicious code in bioql PyPI...
CVE-2020-15860
Parallels Remote Application Server (RAS) 17.1.1 has a Business Logic Error causing remote code execution. It allows an authenticated user to execute any application in the backend operating system through the web application, despite the affected application not being published. In addition, it wa...
CVE-2020-5132
SonicWall SSL-VPN products and SonicWall firewall SSL-VPN feature misconfiguration leads to possible DNS flaw known as domain name collision vulnerability. When the users publicly display their organization’s internal domain names in the SSL-VPN authentication page, an attacker with knowledge of...
Insufficient Session Expiration
Overview Affected versions of this package are vulnerable to Insufficient Session Expiration through the Session API. An attacker can authenticate on behalf of the user by repeatedly using idp intents to retrieve the id and token from the application's URI. Remediation Upgrade...
CVE-2025-30140
An issue was discovered on G-Net Dashcam BB GONX devices. A Public Domain name is Used for the Internal Domain Name. It uses an unregistered public domain name as an internal domain, creating a security risk. This domain was not owned by GNET originally, allowing an attacker to register it and...
IROAD V Series security vulnerability
IROAD V Series is a series of car recorders from IROAD. A security vulnerability exists in IROAD V Series that stems from the use of an unregistered public domain name as an internal domain name, which could lead to data exfiltration or man-in-the-middle attacks...
GNET G-ONX security vulnerability
GNET G-ONX is a series of car recorders from GNET. A security vulnerability exists in GNET G-ONX that stems from the use of an unregistered public domain name as an internal domain name, which could lead to data exfiltration or man-in-the-middle attacks...
CVE-2025-30140
CVE-2025-30140 concerns G-Net Dashcam BB GONX devices where an internal domain uses an unregistered public domain name. This creates a risk that an attacker could register that domain and, if the device resolves it publicly, could intercept traffic and enable data exfiltration or a man‑in‑the‑mid...
CVE-2024-37164
Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. CVAT allows users to supply custom endpoint URLs for cloud storages based on Amazon S3 and Azure Blob Storage. Starting in version 2.1.0 and prior to version 2.14.3, an attacker with a CVAT...
Exploit for Server-Side Request Forgery in Microsoft
CVE-2021-26855 CVE-2021-26855 ssrf brute-force attack Golang e...
SSRF in Rendertron
Rendertron versions prior to 3.0.0 are susceptible to a Server-Side Request Forgery (SSRF) attack. An attacker can use a specially crafted webpage to force a Rendertron headless Chrome process to render internal sites it has access to, and display it as a screenshot. Suggested mitigations are t...