CVE-2021-27215

An issue was discovered in genua genugate before 9.0 Z p19, 9.1.x through 9.6.x before 9.6 p7, and 10.x before 10.1 p4. The Web Interfaces Admin, Userweb, Sidechannel can use different methods to perform the authentication of a user. A specific authentication method during login does not check th...

CVE-2021-33024

Philips Vue PACS versions 12.2.x.x and prior transmits or stores authentication credentials, but it uses an insecure method susceptible to unauthorized interception and/or retrieval...

CVE-2022-35111

SWFTools commit 772e55a2 was discovered to contain a stack overflow via sanitizer::StackDepotNode::hashsanitizer::StackTrace const& at /sanitizercommon/sanitizerstackdepot.cpp...

CVE-2022-35097

SWFTools commit 772e55a2 was discovered to contain a segmentation violation via FoFiTrueType::writeTTF at /xpdf/FoFiTrueType.cc...

CVE-2022-35246

A NoSQL-Injection information disclosure vulnerability vulnerability exists in Rocket.Chat...

CVE-2017-18685

An issue was discovered on Samsung mobile devices with KK4.4, L5.0/5.1, and M6.0 software. The InputMethod application can cause a system crash via a malformed serializable object in an Intent. The Samsung ID is SVE-2016-7123 February 2017...

CVE-2019-20085

TVT NVMS-1000 devices allow GET /.. Directory Traversal...

CVE-2020-12834

eQ-3 Homematic Central Control Unit CCU2 through 2.51.6 and CCU3 through 3.51.6 allow Remote Code Execution in the JSON API Method ReGa.runScript, by unauthenticated attackers with access to the web interface, due to the default auto-login feature being enabled during first-time setup or factory...

CVE-2024-34581

The W3C XML Signature Syntax and Processing XMLDsig specification, starting with 1.0, was originally published with a "RetrievalMethod is a URI ... that may be used to obtain key and/or certificate information" statement and no accompanying information about SSRF risks, and this may have...

CVE-2024-41264

An issue discovered in casdoor v1.636.0 allows attackers to obtain sensitive information via the ssh.InsecureIgnoreHostKey method...

CVE-2023-50738

A new feature to prevent Firmware downgrades was recently added to some Lexmark products. A method to override this downgrade protection has been identified...

CVE-2021-41135

The Cosmos-SDK is a framework for building blockchain applications in Golang. Affected versions of the SDK were vulnerable to a consensus halt due to non-deterministic behaviour in a ValidateBasic method in the x/authz module. The MsgGrant of the x/authz module contains a Grant field which includ...

CVE-2021-22166

An attacker could cause a Prometheus denial of service in GitLab 13.7+ by sending an HTTP request with a malformed method...

CVE-2025-40695

Stored Cross Site Scripting in Online Fire Reporting System v1.2 by PHPGurukul, that consists in a stored authenticated XSS due to the lack of propper validation of user inputs 'remark', 'status' and 'takeaction' parameters via POST at the endpoint '/ofrs/admin/request-details.php'. This...

CVE-2022-23123

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within the getdirparams method. The issue results from the lack of proper validation of...

CVE-2023-29008

The SvelteKit framework offers developers an option to create simple REST APIs. This is done by defining a +server.js file, containing endpoint handlers for different HTTP methods. SvelteKit provides out-of-the-box cross-site request forgery CSRF protection to its users. The protection is...

CVE-2018-21268

The traceroute aka node-traceroute package through 1.0.0 for Node.js allows remote command injection via the host parameter. This occurs because the Child.exec method, which is considered to be not entirely safe, is used. In particular, an OS command can be placed after a newline character...

CVE-2021-41120

sylius/paypal-plugin is a paypal plugin for the Sylius development platform. In affected versions the URL to the payment page done after checkout was created with autoincremented payment id /pay-with-paypal/id and therefore it was easy to predict. The problem is that the Credit card form has...

CVE-2019-20520

ERPNext 11.1.47 allows reflected XSS via the PATHINFO to the api/method/ URI...

CVE-2025-70974

Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an...