CVE-2025-40904

A Stored HTML Injection vulnerability was discovered in the Smart Polling functionality due to improper validation of an input parameter. An authenticated user with limited privileges can push malicious remote strategies containing HTML tags through the sync. When a victim views the affected remo...

CVE-2025-58747

CVE-2025-58747 affects Dify up to version 1.9.1, where the MCP OAuth flow passes the remote server’s authorization_url directly to window.open without validation, enabling arbitrary JavaScript execution (XSS) when a victim connects to a malicious MCP server. Affected component: MCP OAuth in Dify....

Linux Distros Unpatched Vulnerability : CVE-2018-10859

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - git-annex is vulnerable to an Information Exposure when decrypting files. A malicious server for a special remote could trick git-annex into decrypting a file...

CVE-2024-50338

Git Credential Manager GCM is a secure Git credential helper built on .NET that runs on Windows, macOS, and Linux. The Git credential protocol is text-based over standard input/output, and consists of a series of lines of key-value pairs in the format key=value. Git's documentation restricts the...

GHSA-86C2-4X57-WC8G Git Credential Manager carriage-return character in remote URL allows malicious repository to leak credentials

Description The Git credential protocol is text-based over standard input/output, and consists of a series of lines of key-value pairs in the format key=value. Git's documentation restricts the use of the NUL \0 character and newlines to form part of the keys^1 or values. When Git reads from...

CVE-2024-50338 Carriage-return character in remote URL allows malicious repository to leak credentials in Git Credential Manager

Git Credential Manager GCM is a secure Git credential helper built on .NET that runs on Windows, macOS, and Linux. The Git credential protocol is text-based over standard input/output, and consists of a series of lines of key-value pairs in the format key=value. Git's documentation restricts the...

PT-2025-2873 · Unknown +1 · Git For Windows +2

Name of the Vulnerable Software and Affected Versions: Git Credential Manager versions prior to 2.6.1 Git for Windows versions prior to 2.47.1.2 Description: The issue arises from a mismatch in newline character treatment between Git and Git Credential Manager GCM. GCM considers LF, CRLF, and CR ...

GHSA-9FPW-C9X7-CV3J Mattermost allows remote actor to set arbitrary RemoteId values for synced users

Mattermost versions 9.9.x = 9.9.0 and 9.5.x = 9.5.6 fail to validate the source of sync messages and only allow the correct remote IDs, which allows a malicious remote to set arbitrary RemoteId values for synced users and therefore claim that a user was synced from another remote...

GHSA-JQ3G-XQPX-37X3 Mattermost failed to properly validate synced reactions

Mattermost versions 9.9.x = 9.9.0, 9.5.x = 9.5.6 fail to properly validate synced reactions, when shared channels are enabled, which allows a malicious remote to create arbitrary reactions on arbitrary posts...

CVE-2024-29977

Mattermost versions 9.9.x = 9.9.0, 9.5.x = 9.5.6 fail to properly validate synced reactions, when shared channels are enabled, which allows a malicious remote to create arbitrary reactions on arbitrary posts...

CVE-2024-41144 Malicious remote can create/update/delete arbitrary posts in arbitrary channels

Mattermost versions 9.9.x = 9.9.0, 9.5.x = 9.5.6, 9.7.x = 9.7.5, 9.8.x = 9.8.1 fail to properly validate synced posts, when shared channels are enabled, which allows a malicious remote to create/update/delete arbitrary posts in arbitrary channels...

CVE-2024-39832 Permanently local data deletion by malicious remote

Mattermost versions 9.9.x = 9.9.0, 9.5.x = 9.5.6, 9.7.x = 9.7.5, 9.8.x = 9.8.1 fail to properly safeguard an error handling which allows a malicious remote to permanently delete local data by abusing dangerous error handling, when share channels were enabled...

CVE-2024-39832 Permanently local data deletion by malicious remote

Mattermost versions 9.9.x = 9.9.0, 9.5.x = 9.5.6, 9.7.x = 9.7.5, 9.8.x = 9.8.1 fail to properly safeguard an error handling which allows a malicious remote to permanently delete local data by abusing dangerous error handling, when share channels were enabled...

CVE-2024-36492 Existing local user overwritten by malicious remote

Mattermost versions 9.9.x = 9.9.0, 9.5.x = 9.5.6, 9.7.x = 9.7.5, 9.8.x = 9.8.1 fail to disallow the modification of local users when syncing users in shared channels. which allows a malicious remote to overwrite an existing local user...

CVE-2024-36492 Existing local user overwritten by malicious remote

Mattermost versions 9.9.x = 9.9.0, 9.5.x = 9.5.6, 9.7.x = 9.7.5, 9.8.x = 9.8.1 fail to disallow the modification of local users when syncing users in shared channels. which allows a malicious remote to overwrite an existing local user...

CVE-2024-29977 Malicious remote can create arbitrary reactions on arbitrary posts

Mattermost versions 9.9.x = 9.9.0, 9.5.x = 9.5.6 fail to properly validate synced reactions, when shared channels are enabled, which allows a malicious remote to create arbitrary reactions on arbitrary posts...

The vulnerability of the Python library for interacting with git repositories like gitpython, related to improper input validation, allows a malicious actor to inject a malicious remote URL address into the cloning command.

The vulnerability of the Python library for interacting with git repositories called gitpython is related to external git calls that lack proper parameter sanitization. Exploiting this vulnerability allows a malicious actor to inject a malicious remote URL address as part of a cloning command...

RHEL 6 : rsync (Unpatched Vulnerability)

The remote Redhat Enterprise Linux 6 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. - rsync: daemon does not check for fnamecmp filenames allowing for access restriction bypass CVE-2017-17434...

Oracle Linux 9 : galera / and / mariadb (ELSA-2023-5684)

The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2023-5684 advisory. galera 26.4.14-1.0.1 - Rebase to 26.4.14 26.4.13-1.0.1 - Rebase to 26.4.13 26.4.12-1.0.1 - Rebase to 26.4.12 mariadb 3:10.5.22-1 - Rebase to 10.5.22...

EulerOS Virtualization 3.0.6.0 : rsync (EulerOS-SA-2023-2204)

According to the versions of the rsync packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - An issue was discovered in rsync before 3.2.5 that allows malicious remote servers to write arbitrary files inside the directories...