19 matches found
CVE-2025-68928 Frappe CRM vulnerable to authenticated XSS via website field
Frappe CRM is an open-source customer relationship management tool. Prior to version 1.56.2, authenticated users could set crafted URLs in a website field, which were not sanitized, causing cross-site scripting. Version 1.56.2 fixes the issue. No known workarounds are available...
CVE-2025-61602 BigBlueButton vulnerable to Chat DoS via invalid reactionEmojiId
BigBlueButton is an open-source virtual classroom. A denial-of-service DoS vulnerability in versions prior to 3.0.13 allows any authenticated user to crash the chat functionality for all participants in a meeting by sending a malformed reactionEmojiId in the GraphQL mutation...
EUVD-2024-2315
Malicious code in bioql PyPI...
EUVD-2024-30450
Malicious code in bioql PyPI...
EUVD-2023-0756
Malicious code in bioql PyPI...
electron ASAR Integrity bypass by just modifying the content
electron's ASAR Integrity can be bypass by modifying the content. Impact This only impacts apps that have the embeddedAsarIntegrityValidation and onlyLoadAppFromAsar fuses enabled. Apps without these fuses enabled are not impacted. This issue is specific to Windows, apps using these fuses on macO...
CVE-2025-47792
Nextcloud Desktop is the desktop sync client for Nextcloud. In versions of Nextcloud Desktop prior to 3.15, 3rdparty applications already installed on a user machine can create link shares for almost all data via the socket API. These shares can then be easily sent off to an external service...
CVE-2025-27138
DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.6, there is a flaw in the authentication in the io.dataease.auth.filter.TokenFilter class, which may cause the risk of unauthorized access. The vulnerability has been fixed in v2.10.6. No known...
CVE-2025-27616 Vela Server has Insufficient Webhook Payload Data Verification
Vela is a Pipeline Automation CI/CD framework built on Linux container technology written in Golang. Prior to versions 0.25.3 and 0.26.3, by spoofing a webhook payload with a specific set of headers and body data, an attacker could transfer ownership of a repository and its repo level secrets to ...
CVE-2025-27616 Vela Server has Insufficient Webhook Payload Data Verification
Vela is a Pipeline Automation CI/CD framework built on Linux container technology written in Golang. Prior to versions 0.25.3 and 0.26.3, by spoofing a webhook payload with a specific set of headers and body data, an attacker could transfer ownership of a repository and its repo level secrets to ...
CVE-2025-24903 libsignal-service-rs Doesn't Check Origin of Sync Messages
libsignal-service-rs is a Rust version of the libsignal-service-java library which implements the core functionality to communicate with Signal servers. Prior to commit 82d70f6720e762898f34ae76b0894b0297d9b2f8, any contact may forge a sync message, impersonating another device of the local user...
CVE-2025-24968
reNgine is an automated reconnaissance framework for web applications. An unrestricted project deletion vulnerability allows attackers with specific roles, such as penetrationtester or auditor to delete all projects in the system. This can lead to a complete system takeover by redirecting the...
EulerOS 2.0 SP10 : vim (EulerOS-SA-2025-1033)
According to the versions of the vim packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : Vim is an open source, command line text editor. A use-after-free was found in Vim 9.1.0764. When closing a buffer visible in a window a BufWinLeave...
CVE-2024-49757 Zitadel User Registration Bypass Vulnerability
The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Due to a missing security check in versions prior to 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7, disabling the "User Registration allowed" option only hid the...
CVE-2024-25107 Cross-Site Scripting in WikiDiscover
WikiDiscover is an extension designed for use with a CreateWiki managed farm to display wikis. On Special:WikiDiscover, the Language::date function is used when making the human-readable timestamp for inclusion on the wikicreation column. This function uses interface messages to translate the nam...
CVE-2023-49293 Cross-site Scripting in `server.transformIndexHtml` via URL payload in vite
Vite is a website frontend framework. When Vite's HTML transformation is invoked manually via server.transformIndexHtml, the original request URL is passed in unmodified, and the html being transformed contains inline module scripts ..., it is possible to inject arbitrary HTML into the transforme...
CVE-2023-48231 Use-After-Free in win_close() in vim
Vim is an open source command line text editor. When closing a window, vim may try to access already freed window structure. Exploitation beyond crashing the application has not been shown to be viable. This issue has been addressed in commit 25aabc2b which has been included in release version...
CVE-2022-41892 Arches vulnerable to SQL Injection
Arches is a web platform for creating, managing, & visualizing geospatial data. Versions prior to 6.1.2, 6.2.1, and 7.1.2 are vulnerable to SQL Injection. With a carefully crafted web request, it's possible to execute certain unwanted sql statements against the database. This issue is fixed in...
CVE-2022-23602 Nim's rst parser sandboxed mode allows include which can embed any local file
Nimforum is a lightweight alternative to Discourse written in Nim. In versions prior to 2.2.0 any forum user can create a new thread/post with an include referencing a file local to the host operating system. Nimforum will render the file if able. This can also be done silently by using NimForum'...