CVE-2025-8964
A vulnerability was identified in code-projects Hostel Management System 1.0. This affects an unknown part of the file hostel_manage.exe of the component Login. The manipulation leads to improper authentication. It is possible to launch the attack on the local host. The exploit has been disclosed ...
CVE-2025-8964
CVE-2025-8964 affects code-projects’ Hostel Management System 1.0, specifically the Login component via the hostel_manage.exe file. The vulnerability is described as improper authentication, enabling a local-host attack. The PT-2025-33299 entry confirms the issue and states the exploit has been p...
Server-Side Request Forgery (SSRF)
webfinger.js is vulnerable to Server-Side Request Forgery SSRF. The vulnerability is due to insufficient restriction on localhost access because the lookup function fails to block requests to local or internal network services, allowing attackers to craft requests targeting internal resources...
Improper Access Control
github.com/moby/moby is vulnerable to improper access control. The vulnerability is due to failure to recreate firewall rules blocking external access to containers after a firewalld reload, which allows an attacker to remotely access containers with ports published to localhost...
CVE-2025-8733
The CVE-2025-8733 entry has been withdrawn and is not an active vulnerability per NVD: the CNA withdrew it, and analysis showed that the referenced stack-trace files do not exist in GNU Bison. Other connected records describe related discussions but do not establish an exploitable issue for this CVE.
CVE-2025-54590
webfinger.js is a TypeScript-based WebFinger client that runs in both browsers and Node.js environments. In versions 2.8.0 and below, the lookup function accepts user addresses for account checking. However, the ActivityPub specification requires preventing access to localhost services in...
CVE-2025-54590
CVE-2025-54590 affects webfinger.js (TypeScript WebFinger client). In versions 2.8.0 and earlier, the lookup function did not block localhost access (only basic localhost checks), enabling blind SSRF via crafted host/port/path in user addresses. Affected environments include browser and Node.js. ...
CVE-2025-54590 webfinger.js is vulnerable to Blind SSRF attacks through localhost
webfinger.js is a TypeScript-based WebFinger client that runs in both browsers and Node.js environments. In versions 2.8.0 and below, the lookup function accepts user addresses for account checking. However, the ActivityPub specification requires preventing access to localhost services in...
webfinger.js Code Issue Vulnerability
webfinger.js is a client-side library for querying WebFinger records by the individual developer Nick Jennings. A code issue vulnerability exists in webfinger.js version 2.8.0 and earlier, which stems from not blocking localhost access and could lead to a blind SSRF attack...
(Pwn2Own) QNAP QHora-322 IPv6 Incorrectly Specified Destination in a Communication Channel Network Spoofing Vulnerability
This vulnerability allows network-adjacent attackers to redirect localhost traffic on affected installations of QNAP QHora-322 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the /etc/hosts file. The issue results from the router issuing DNS...
webfinger.js Blind SSRF Vulnerability
Description: The lookup function takes a user address for checking accounts as a feature; however, per the ActivityPub spec (https://www.w3.org/TR/activitypub/security-considerations), security considerations section B.3, access to localhost services should be prevented while running in...
GHSA-8XQ3-W9FX-74RV webfinger.js Blind SSRF Vulnerability
Description: The lookup function takes a user address for checking accounts as a feature; however, per the ActivityPub spec (https://www.w3.org/TR/activitypub/security-considerations), security considerations section B.3, access to localhost services should be prevented while running in...
PT-2025-31675 · Unknown · Webfinger.Js
Name of the Vulnerable Software and Affected Versions: webfinger.js versions 2.8.0 and below. Description: webfinger.js is a TypeScript-based WebFinger client used in browser and Node.js environments. The lookup function does not prevent access to localhost services, only checking for hosts that...
Vulmap
This is an online local vulnerability scanner project called Vulmap. It is an open-source tool that can be used for defensive and offensive purposes. The tool scans the localhost to gather installed software information and checks for vulnerabilities using the Vulmon API. If vulnerabilities exist...
EUVD-2025-22140
An issue was discovered in Eveo URVE Web Manager 27.02.2025. The application exposes a /_internal/pc/vpro.php localhost endpoint to unauthenticated users that is vulnerable to OS Command Injection. The endpoint takes an input parameter that is passed directly into the shell_exec function of PHP...
CVE-2025-36846
CVE-2025-36846 affects Eveo URVE Web Manager 27.02.2025. The issue is an OS Command Injection in the /_internal/pc/vpro.php endpoint, where an input parameter is passed directly to PHP shell_exec(), enabling arbitrary command execution. CVSS 3.1 base score 9.8 (CRITICAL) with network access, no p...
CVE-2025-36846
An issue was discovered in Eveo URVE Web Manager 27.02.2025. The application exposes a /_internal/pc/vpro.php localhost endpoint to unauthenticated users that is vulnerable to OS Command Injection. The endpoint takes an input parameter that is passed directly into the shell_exec function of PHP...