70 matches found
PT-2026-37346
The Item history widget in Zabbix 7.0+ or the Plain text widget in Zabbix 6.0 can execute injected JavaScript when HTML display is enabled. This can allow an attacker to perform unauthorized actions depending on which user opens a dashboard containing these widgets. The malicious JavaScript would...
Rack::Request accepts invalid Host characters, enabling host allowlist bypass
Summary: Rack::Request parses the Host header using an AUTHORITY regular expression that accepts characters not permitted in RFC-compliant hostnames, including /, ?, and @. Because req.host returns the full parsed value, applications that validate hosts using naive prefix or suffix checks can be...
Malicious code in corstoken (npm)
Source: amazon-inspector a0d343f604565676254c8b24e997c84396038593cf5259c15d044ec3c5ab3350 The package corstoken was found to contain malicious code. Source: ghsa-malware d7d7cc0fd416fdcbdfe3517bbfd1ffec7e67ce88349fb17ddd2b22e408f740ed Any...
EUVD-2025-206233
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, an attacker can initiate a password reset for a victim, and modify the host header of the request to a malicious value. The victim will...
CVE-2025-64425 Coolify has host header injection in forgot password
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions up to and including v4.0.0-beta.434, an attacker can initiate a password reset for a victim, and modify the host header of the request to a malicious value. The victim will...
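Added example (not Rack's or Coolify's code) covering both the Rack host-allowlist entry and the Coolify password-reset entry above: a naive suffix check of the kind the Rack advisory warns about accepts a Host value containing a slash, a strict hostname grammar plus exact allowlist match rejects it, and the reset link is built from a configured canonical host whenever the request Host fails the strict check. The allowlist, CANONICAL_HOST and all Host values are assumed/constructed for the example.

```ruby
require 'uri'

# RFC 1123 label grammar: letters, digits and hyphens, dot-separated, an
# optional trailing dot and an optional ":port". Slashes, '?', '@' and
# anything else are rejected outright.
HOSTNAME_RE = /\A(?=.{1,253}\z)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.?(?::\d{1,5})?\z/i

ALLOWED_HOSTS  = ['app.example.test', 'www.example.test'].freeze # assumed config
CANONICAL_HOST = 'app.example.test'                              # assumed config

# Naive check: "trusted if it ends with our domain". This is what the advisory
# says can be bypassed once req.host may carry '/', '?' or '@'.
def naive_trusted_host?(host)
  host.is_a?(String) && host.end_with?('example.test')
end

# Strict check: the value must be a syntactically valid hostname, and after
# stripping the port and trailing dot it must equal an allowlisted name.
def strict_trusted_host?(host)
  return false unless host.is_a?(String) && host.match?(HOSTNAME_RE)
  name = host.sub(/:\d+\z/, '').chomp('.').downcase
  ALLOWED_HOSTS.include?(name)
end

# Password-reset link: the request Host is used only when it passes the strict
# check; otherwise the configured canonical host is used, so a spoofed Host
# header can never redirect the token to an attacker-controlled origin.
def reset_link(request_host, token)
  host = strict_trusted_host?(request_host) ? request_host : CANONICAL_HOST
  "https://#{host}/reset-password?token=#{URI.encode_www_form_component(token)}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed Host values: one legitimate, two that only look trusted.
  ['www.example.test', 'attacker.test/example.test', 'notexample.test'].each do |h|
    puts format('%-28s naive=%-5s strict=%-5s link=%s',
                h, naive_trusted_host?(h), strict_trusted_host?(h), reset_link(h, 'tok'))
  end
end
```

The naive check accepts both crafted values (one because a slash is not rejected, one because the suffix matches without a dot boundary); only the strict check ties the decision to an exact allowlisted name.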
Contrast has insecure LUKS2 persistent storage partitions may be opened and used
Summary: A malicious host may provide a crafted LUKS2 volume to a Contrast pod VM that uses the secure persistent volume feature. The guest will open the volume and write secret data using a volume key known to the attacker. LUKS2 volume metadata (a) is not authenticated and (b) supports null...
EUVD-2020-18479
Malware in sbrugna...
EUVD-2020-7220
Malware in sbrugna...
EUVD-2018-17178
Malware in sbrugna...
EUVD-2020-2484
Malware in sbrugna...
EUVD-2019-10705
Malware in sbrugna...
EUVD-2020-18478
Malware in sbrugna...
EUVD-2020-7259
Malware in sbrugna...
EUVD-2022-5496
Malicious code in bioql PyPI...
Kata Containers coco-tdx malicious host can circumvent initdata verification
...
CVE-2025-58354 Kata Containers coco-tdx malicious host can circumvent initdata verification
Kata Containers is an open source project focusing on a standard implementation of lightweight Virtual Machines (VMs) that perform like containers. In Kata Containers versions 3.20.0 and earlier, a malicious host can circumvent initdata verification. On TDX systems running confidential guests, ...
Kata Containers code issue vulnerability
Kata Containers is an open source lightweight virtual machine builder from the Kata Containers community. A code issue vulnerability exists in Kata Containers 3.20.0 and prior versions, which stems from a malicious host being able to bypass initdata verification, potentially allowing an attacker to...
dstack security vulnerability
dstack is a TEE deployment tool from the Dstack TEE open source project. A security vulnerability exists in versions prior to dstack 0.5.4, which stems from the possibility that a malicious host could provide specially crafted LUKS2 data volumes, leading to the disclosure of WireGuard keys and other secr...
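Added example (not Contrast's or dstack's code) for the two LUKS2 entries above: a guest-side gate that parses a host-supplied LUKS2 header, shows that the on-disk checksum passes even for a header the host rewrote with a null cipher, rejects segments whose cipher is not on an allowlist, and finally requires the header digest to equal one the guest recorded when it formatted the volume. The header layout follows the published LUKS2 on-disk format (4096-byte big-endian binary header followed by the JSON area); the cipher allowlist, the pinned-digest scheme and the sample headers are this example's own assumptions and constructed data, not the projects' implementation.

```ruby
require 'digest'
require 'json'

LUKS2_MAGIC     = ["LUKS\xBA\xBE".b, "SKUL\xBA\xBE".b].freeze
LUKS2_BIN_HDR   = 4096   # binary header size; the JSON area follows it
LUKS2_CSUM_OFF  = 448    # csum field: last 64 bytes of the first 512
LUKS2_FIELDS    = 'a6 n Q> Q> a48 Z32 a64 a40 a48 Q> a184 a64' # magic..csum, big-endian
ALLOWED_CIPHERS = ['aes-xts-plain64'].freeze                   # example policy

# Parse the binary header and the JSON area it points to.
def luks2_parse(bytes)
  raise 'short header' if bytes.bytesize < LUKS2_BIN_HDR
  magic, version, hdr_size, _seq, _label, csum_alg, _salt, _uuid, _sub, _off, _pad, csum =
    bytes.byteslice(0, 512).unpack(LUKS2_FIELDS)
  raise 'not a LUKS2 header' unless LUKS2_MAGIC.include?(magic) && version == 2
  raise 'bad hdr_size' if hdr_size < LUKS2_BIN_HDR || hdr_size > bytes.bytesize
  json_text = bytes.byteslice(LUKS2_BIN_HDR, hdr_size - LUKS2_BIN_HDR)
                   .sub(/\0+\z/, '').force_encoding(Encoding::UTF_8)
  { hdr_size: hdr_size, csum_alg: csum_alg, csum: csum, json: JSON.parse(json_text) }
end

# The on-disk checksum is an unkeyed hash over the header with the csum field
# zeroed. It detects corruption only: a host that rewrites the header simply
# recomputes it, which is what "metadata is not authenticated" means here.
def luks2_checksum_ok?(bytes)
  hdr  = luks2_parse(bytes)
  algo = { 'sha256' => Digest::SHA256, 'sha512' => Digest::SHA512 }[hdr[:csum_alg]]
  return false unless algo
  area = bytes.byteslice(0, hdr[:hdr_size]).b
  area[LUKS2_CSUM_OFF, 64] = "\0" * 64
  hdr[:csum] == algo.digest(area).ljust(64, "\0")
end

# Every segment must be real encryption with an allowed cipher; because the
# JSON area is unauthenticated, a hostile host can otherwise set a null cipher.
def luks2_segments_acceptable?(json)
  segs = json.fetch('segments', {})
  return false if segs.empty?
  segs.values.all? { |s| s['type'] == 'crypt' && ALLOWED_CIPHERS.include?(s['encryption']) }
end

# What binds the volume to this guest: at format time the guest records the
# digest of the header it wrote, in state only it controls (assumed here to be
# sealed guest state, shown as a constant). A rewritten header cannot match.
def luks2_header_digest(bytes)
  Digest::SHA256.hexdigest(bytes.byteslice(0, luks2_parse(bytes)[:hdr_size]))
end

def luks2_safe_to_open?(bytes, pinned_digest)
  luks2_checksum_ok?(bytes) &&
    luks2_segments_acceptable?(luks2_parse(bytes)[:json]) &&
    luks2_header_digest(bytes) == pinned_digest
rescue StandardError
  false
end

# Constructed test data: a structurally valid LUKS2 header with a correct
# checksum (not a real cryptsetup image; keyslots omitted for brevity).
def luks2_build(segment, hdr_size: 16_384)
  bin = [LUKS2_MAGIC[0], 2, hdr_size, 1, 'example', 'sha256', "\0" * 64,
         'c0ffee00-0000-4000-8000-000000000000', '', 0, '', "\0" * 64].pack(LUKS2_FIELDS)
  json = JSON.generate('keyslots' => {}, 'tokens' => {}, 'segments' => { '0' => segment },
                       'digests' => {}, 'config' => { 'json_size' => (hdr_size - LUKS2_BIN_HDR).to_s })
  area = (bin.ljust(LUKS2_BIN_HDR, "\0") + json).b.ljust(hdr_size, "\0")
  area[LUKS2_CSUM_OFF, 64] = Digest::SHA256.digest(area).ljust(64, "\0") # csum field is zero here
  area
end

GOOD_SEGMENT   = { 'type' => 'crypt', 'offset' => '16777216', 'size' => 'dynamic',
                   'iv_tweak' => '0', 'encryption' => 'aes-xts-plain64', 'sector_size' => 512 }.freeze
GOOD_HEADER    = luks2_build(GOOD_SEGMENT)
PINNED_DIGEST  = luks2_header_digest(GOOD_HEADER)   # recorded by the guest at format time
HOSTILE_HEADER = luks2_build(GOOD_SEGMENT.merge('encryption' => 'cipher_null-ecb')) # host substitute

if __FILE__ == $PROGRAM_NAME
  { 'guest-formatted' => GOOD_HEADER, 'host-rewritten' => HOSTILE_HEADER }.each do |name, hdr|
    puts format('%-16s checksum=%-5s ciphers_ok=%-5s safe_to_open=%s', name,
                luks2_checksum_ok?(hdr), luks2_segments_acceptable?(luks2_parse(hdr)[:json]),
                luks2_safe_to_open?(hdr, PINNED_DIGEST))
  end
end
```

The checksum alone passes for both headers, which is the whole point of the two advisories; the cipher allowlist stops the null-cipher case, and only the pinned digest stops a header that is well-formed and properly encrypted but written by the host with a volume key the host already knows.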
CVE-2023-22612
An issue was discovered in IhisiSmm in Insyde InsydeH2O with kernel 5.0 through 5.5. A malicious host OS can invoke an Insyde SMI handler with malformed arguments, resulting in memory corruption in SMM...
CVE-2019-20150
In TreasuryXpress 19191105, a logged-in user can discover saved credentials, even though the UI hides them. Using functionality within the application and a malicious host, it is possible to force the application to expose saved SSH/SFTP credentials. This can be done by using the application's...