
19 matches found

Cvelist
added 2026/03/10 4:44 p.m., 24 views

CVE-2026-30942 Flare has a Path Traversal in /api/avatars/[filename]

Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools. Prior to 1.7.3, an authenticated path traversal vulnerability in /api/avatars/filename allows any logged-in user to read arbitrary files from within the application container. The filename URL...

8.3 CVSS, 0.00242 EPSS
Exploits 1, References 3
EUVD
added 2025/10/03 8:07 p.m., 3 views

EUVD-2022-1370

Malicious code in bioql PyPI...

7.5 CVSS, 7.5 AI score, 0.00222 EPSS
Exploits 0, References 5
EUVD
added 2025/10/03 8:07 p.m., 3 views

EUVD-2008-7179

Malicious code in bioql PyPI...

7.5 CVSS, 8.9 AI score, 0.10024 EPSS
Exploits 1, References 21
IBM Security Bulletins
added 2025/06/25 1:22 p.m., 3 views

Security Bulletin: IBM Maximo Application Suite - Manage Component uses vite-5.4.18.tgz CVE-2025-46565 vulnerability

Summary Security Bulletin: IBM Maximo Application Suite - Manage Component uses vite-5.4.18.tgz CVE-2025-46565. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID: CVE-2025-46565 DESCRIPTION: Vite is a frontend tooling framework for javascrip...

6 CVSS, 6.6 AI score, 0.01436 EPSS
Exploits 1, Affected Software 1
Cvelist
added 2025/04/03 6:24 p.m., 19 views

CVE-2025-31486 Vite allows server.fs.deny to be bypassed with .svg or relative paths

Vite is a frontend tooling framework for javascript. The contents of arbitrary files can be returned to the browser. By adding ?.svg with ?.wasm?init or with a sec-fetch-dest: script header, the server.fs.deny restriction could be bypassed. This bypass is only possible if the file is smaller than...

5.3 CVSS, 0.04736 EPSS
Exploits 7, References 3
OSSF Malicious Packages
added 2025/03/11 9:36 p.m., 2 views

Malicious code in example-nodejs-express (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware cb2351b3777bfaea370237b22b5155a53e293162cb01bca791717b05107a4b7c Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

6.9 AI score
Exploits 0, References 3
Vulnrichment
added 2025/01/20 3:53 p.m., 19 views

CVE-2025-24010 Vite allows any websites to send any requests to the development server and read the response

Vite is a frontend tooling framework for javascript. Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections. This vulnerability is fixed in 6.0.9, 5.4.12, and...

6.5 CVSS, 6.7 AI score, 0.00092 EPSS
Exploits 1, References 1
The Hacker News
added 2023/05/24 1:49 p.m., 34 views

Iranian Tortoiseshell Hackers Targeting Israeli Logistics Industry

At least eight websites associated with shipping, logistics, and financial services companies in Israel were targeted as part of a watering hole attack. Tel Aviv-based cybersecurity company ClearSky attributed the attacks with low confidence to an Iranian threat actor tracked as Tortoiseshell,...

6.8 AI score
Exploits 0
Prion
added 2022/03/09 11:15 p.m., 8 views

Default credentials

Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In affected versions user sessions are not logged out if the password is reset via password recovery. This issue has been resolved in version 6.4.8.1. For older versions of 6.1, 6.2, and 6.3...

3.5 CVSS, 4.1 AI score, 0.00159 EPSS
Exploits 0, References 1, Affected Software 1
CVE
added 2022/03/09 10:25 p.m., 103 views

CVE-2022-24744

CVE-2022-24744 – Shopware Affected: Shopware (open commerce platform based on Symfony and Vue) where, in affected versions, user sessions remain active after a password reset via the recovery flow. Root cause (as described in security docs): insufficient session expiration management allowing a u...

3.5 CVSS, 3.8 AI score, 0.00159 EPSS
Exploits 0, References 1, Affected Software 1
OSV
added 2022/03/09 10:25 p.m., 13 views

CVE-2022-24745 Guest session is shared between customers in shopware

Shopware is an open commerce platform based on the Symfony php Framework and the Vue javascript framework. In affected versions guest sessions are shared between customers when HTTP cache is enabled. This can lead to inconsistent experiences for guest users. Setups with Varnish are not affected b...

4.8 CVSS, 6.4 AI score, 0.00186 EPSS
Exploits 0, References 3
CVE
added 2022/03/09 10:25 p.m., 111 views

CVE-2022-24745

CVE-2022-24745 affects Shopware (Shopware platform) when HTTP caching is enabled. The issue allows guest sessions to be shared between customers due to improper handling of HTTP cache headers in affected versions (Varnish setups are not affected). Root cause is related to caching behavior that ex...

6.5 CVSS, 5.6 AI score, 0.00186 EPSS
Exploits 0, References 1, Affected Software 1
Packet Storm
added 2018/08/27 12:00 a.m., 805 views

Dojo Toolkit 1.13 Cross Site Scripting

Advisory ID: SYSS-2018-010 Product: Dojo Toolkit Manufacturer: JS Foundation Affected Versions: 1.13 Tested Versions: 1.13, 1.10.7 Vulnerability Type: Cross-Site Scripting CWE-79 Risk Level: Medium Solution Status: Fixed Manufacturer Notification: 2018-07-02 Solution Date: 2018-10-13 Public...

8 AI score, 0.00704 EPSS
Exploits 2
n0where
added 2018/06/25 4:13 p.m., 24 views

DNS Rebinding Attack: DNS Rebind Toolkit

DNS Rebind Toolkit is a frontend JavaScript framework for developing DNS Rebinding exploits against vulnerable hosts and services on a local area network LAN. It can be used to target devices like Google Home, Roku, Sonos WiFi speakers, WiFi routers, “smart” thermostats, and other IoT devices. Wi...

0.2 AI score
Exploits 0, References 7
seebug.org
added 2009/11/07 12:00 a.m., 85 views

Prototype JavaScript Framework Cross-Site Ajax Request Vulnerability

Bugtraq ID: 36926 CVE ID: CVE-2008-7220 Prototype JavaScript Framework is a JavaScript development library and framework written by Sam Stephenson. It provides a complete Ajax framework and other tools. Prototype JavaScript Framework contains an unspecified error; a remote attacker can exploit the vulnerability to perform a cross-site Ajax request attack and execute arbitrary code in the security context of the affected browser. Asterisk includes an AJAX-based demo management interface, ajamdemo.html, which uses the prototype.js framework; it is affected by this vulnerability and allows an attacker to perform cross-site AJAX request attacks...

7.5 CVSS, 0.3 AI score, 0.10024 EPSS
Exploits 1
NVD
added 2009/09/13 10:30 p.m., 13 views

CVE-2008-7220

Unspecified vulnerability in Prototype JavaScript framework prototypejs before 1.6.0.2 allows attackers to make "cross-site ajax requests" via unknown vectors...

7.5 CVSS, 6.1 AI score, 0.10024 EPSS
Exploits 1, References 20
UbuntuCve
added 2009/09/13 10:30 p.m., 33 views

CVE-2008-7220

Unspecified vulnerability in Prototype JavaScript framework prototypejs before 1.6.0.2 allows attackers to make "cross-site ajax requests" via unknown vectors...

7.5 CVSS, 7.2 AI score, 0.10024 EPSS
Exploits 1, References 1
Debian CVE
added 2009/09/13 10:00 p.m., 34 views

CVE-2008-7220

Unspecified vulnerability in Prototype JavaScript framework prototypejs before 1.6.0.2 allows attackers to make "cross-site ajax requests" via unknown vectors...

7.5 CVSS, 9.2 AI score, 0.10024 EPSS
Exploits 1
CVE
added 2009/09/13 10:00 p.m., 205 views

CVE-2008-7220

PrototypeJS (prototype.js) prior to 1.6.0.2 has an unspecified vulnerability that could permit a remote attacker to perform cross-site Ajax requests via unknown vectors. The issue is referenced in multiple sources, including IBM security notices for IBM Cloud Pak System variants (recommending upg...

7.5 CVSS, 6.1 AI score, 0.10024 EPSS
Exploits 1, References 20, Affected Software 1