
CNNVD
added 2026/05/04 12:0 a.m., 8 views

beets cross-site scripting vulnerability

Beets is an open-source music collection management and metadata optimization tool developed by Beetbox. Versions of Beets prior to 2.10.0 contained a cross-site scripting vulnerability. This vulnerability stemmed from the Web UI’s use of the Underscore template interpolation pattern for handling...

CVSS 6, AI score 5.7, EPSS 0.003
Exploits 0, References 2
OSV
added 2026/04/29 6:29 p.m., 4 views

GHSA-3GXM-WFJX-M847 beets has a Cross-site Scripting vulnerability

During code logic analysis, an area that may lead to unintended behavior under specific conditions was discovered. Overview - Verified Version: 80cd21554124da07d17a4f962c7d770a4f70d0f2 - Vulnerability Type: Stored XSS - Affected Location: beetsplug/web/templates/index.html:42 - Trigger Scenario:...

CVSS 6, AI score 6, EPSS 0.003
Exploits 0, References 5
Github Security Blog
added 2026/04/29 6:29 p.m., 12 views

beets has a Cross-site Scripting vulnerability

During code logic analysis, an area that may lead to unintended behavior under specific conditions was discovered. Overview - Verified Version: 80cd21554124da07d17a4f962c7d770a4f70d0f2 - Vulnerability Type: Stored XSS - Affected Location: beetsplug/web/templates/index.html:42 - Trigger Scenario:...

CVSS 6, AI score 5.6, EPSS 0.003
Exploits 0, References 5, Affected Software 1
ATTACKERKB
added 2026/04/22 7:52 p.m., 5 views

CVE-2026-3837

An authenticated attacker can persist crafted values in multiple field types and trigger client-side script execution when another user opens the affected document in Desk. The vulnerable formatter implementations interpolate stored values into raw HTML attributes and element content without...

CVSS 4.6, AI score 5.9, EPSS 0.00193
Exploits 1, References 3, Affected Software 1
Positive Technologies
added 2026/04/22 12:0 a.m., 6 views

PT-2026-37153

Name of the Vulnerable Software and Affected Versions: i18next-fs-backend versions prior to 2.6.4. Description: i18next-fs-backend substitutes the lng and ns options directly into the configured loadPath and addPath templates to read or write files from the disk. Because this interpolation is...

CVSS 8.2, AI score 6, EPSS 0.00292
Exploits 0, References 4
Positive Technologies
added 2026/04/22 12:0 a.m., 10 views

PT-2026-34548

Name of the Vulnerable Software and Affected Versions: Frappe version 16.10.10. Description: An authenticated attacker can store a crafted tag value in user tags to trigger JavaScript execution when a victim opens the list or report view where tags are rendered. This occurs because the renderer...

CVSS 5.4, AI score 5.9, EPSS 0.00201
Exploits 1, References 7
EUVD
added 2026/04/21 3:18 p.m., 6 views

EUVD-2026-23992

Glances has CQL Injection in its Cassandra Export Module via Unsanitized Config Values...

CVSS 6.3, AI score 5.8, EPSS 0.00212
Exploits 1, References 4
SUSE CVE
added 2026/04/20 11:25 p.m., 8 views

SUSE CVE-2026-40527

radare2 prior to commit bc5a890 contains a command injection vulnerability in the afsv/afsvj command path where crafted ELF binaries can embed malicious r2 command sequences as DWARF DW_TAG_formal_parameter names. Attackers can craft a binary with shell commands in DWARF parameter names that execute...

CVSS 8.5, AI score 6.2, EPSS 0.00915
Exploits 1, References 3
RedhatCVE
added 2026/04/20 1:44 p.m., 6 views

CVE-2026-40527

A flaw was found in radare2. A remote attacker can exploit this by crafting an ELF (Executable and Linkable Format) binary that embeds malicious commands within its DWARF (Debugging With Attributed Record Formats) parameter names. When radare2 analyzes such a binary, these embedded commands are...

CVSS 8.5, AI score 5.9, EPSS 0.00915
Exploits 1, References 2
NVD
added 2026/04/17 9:16 p.m., 9 views

CVE-2026-40527

radare2 prior to commit bc5a890 contains a command injection vulnerability in the afsv/afsvj command path where crafted ELF binaries can embed malicious r2 command sequences as DWARF DW_TAG_formal_parameter names. Attackers can craft a binary with shell commands in DWARF parameter names that execute...

CVSS 8.5, EPSS 0.00915
Exploits 1, References 3
Github Security Blog
added 2026/04/14 10:29 p.m., 6 views

October Rain has Environment Variable Exfiltration via INI Parser Interpolation

A server-side information disclosure vulnerability was identified in the INI settings parser. PHP's parse_ini_string function supports ${VAR} syntax for environment variable interpolation. Attackers with Editor access could inject ${APP_KEY}, ${DB_PASSWORD}, or similar patterns into CMS page settings fields,...

CVSS 4.9, AI score 5.7, EPSS 0.00326
Exploits 0, References 3, Affected Software 1
EUVD
added 2026/04/07 8:17 p.m., 4 views

EUVD-2026-19724

Emissary has Stored XSS via Navigation Template Link Injection...

CVSS 4.8, AI score 5.9, EPSS 0.00176
Exploits 1, References 4
PyPA
added 2026/04/06 6:16 p.m., 7 views

PYSEC-2026-158

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.38, the cloud deployment path in src/bentoml/_internal/cloud/deployment.py was not included in the fix for CVE-2026-33744. Line 1648 interpolates system_packages directly into a...

CVSS 7.8, AI score 6.5, EPSS 0.00315
Exploits 2, References 1, Affected Software 1
Github Security Blog
added 2026/04/06 5:56 p.m., 6 views

Authorizer: CQL/N1QL Injection in Cassandra and Couchbase Backends via fmt.Sprintf String Interpolation

Vulnerability Details: CWE-943 - Improper Neutralization of Special Elements in Data Query Logic. All 66+ CQL queries in internal/storage/db/cassandradb/ use fmt.Sprintf to interpolate user-controlled values directly into CQL query strings without parameterization. Unauthenticated endpoints...

AI score 6.1
Exploits 0, References 5, Affected Software 1
CVE
added 2026/04/06 5:10 p.m., 11 views

CVE-2026-35043

CVE-2026-35043 affects BentoML prior to 1.4.38. The cloud deployment path in bentoml/_internal/cloud/deployment.py interpolates system_packages directly into a shell command in the generated setup.sh, enabling remote code execution on the CI/CD cloud build infrastructure during deployment. The is...

CVSS 7.8, AI score 6.5, EPSS 0.00315
Exploits 1, References 1, Affected Software 1
OSV
added 2026/04/03 9:53 p.m., 5 views

GHSA-GJW9-34GF-RP6M Budibase: Command Injection in Bash Automation Step

Location: packages/server/src/automations/steps/bash.ts. Description: The bash automation step executes user-provided commands using execSync without proper sanitization or validation. User input is processed through processStringSync, which allows template interpolation, potentially allowing...

CVSS 8.8, AI score 6.5, EPSS 0.00466
Exploits 0, References 4
Github Security Blog
added 2026/04/03 9:53 p.m., 9 views

Budibase: Command Injection in Bash Automation Step

Location: packages/server/src/automations/steps/bash.ts. Description: The bash automation step executes user-provided commands using execSync without proper sanitization or validation. User input is processed through processStringSync, which allows template interpolation, potentially allowing...

CVSS 8.8, AI score 6.5, EPSS 0.00466
Exploits 0, References 4, Affected Software 1
NVD
added 2026/04/03 4:16 p.m., 11 views

CVE-2026-25044

Budibase is an open-source low-code platform. Prior to version 3.33.4, the bash automation step executes user-provided commands using execSync without proper sanitization or validation. User input is processed through processStringSync, which allows template interpolation, potentially allowing...

CVSS 8.8, EPSS 0.00466
Exploits 0, References 2
Cvelist
added 2026/04/03 3:38 p.m., 17 views

CVE-2026-25044 Budibase: Command Injection in Bash Automation Step

Budibase is an open-source low-code platform. Prior to version 3.33.4, the bash automation step executes user-provided commands using execSync without proper sanitization or validation. User input is processed through processStringSync, which allows template interpolation, potentially allowing...

CVSS 8.7, EPSS 0.00466
Exploits 0, References 2
EUVD
added 2026/04/02 8:32 p.m., 2 views

EUVD-2026-18380

Rack has a root directory disclosure via unescaped regex interpolation in Rack::Directory...

CVSS 5.3, AI score 5.9, EPSS 0.0024
Exploits 0, References 2