Lucene search
K

19 matches found

OSV
OSV
added 2025/12/29 3:6 p.m.7 views

CVE-2025-68928 Frappe CRM vulnerable to authenticated XSS via website field

Frappe CRM is an open-source customer relationship management tool. Prior to version 1.56.2, authenticated users could set crafted URLs in a website field, which were not sanitized, causing cross-site scripting. Version 1.56.2 fixes the issue. No known workarounds are available...

5.4CVSS6.2AI score0.00169EPSS
Exploits0References5
Cvelist
Cvelist
added 2025/10/09 8:40 p.m.13 views

CVE-2025-61602 BigBlueButton vulnerable to Chat DoS via invalid reactionEmojiId

BigBlueButton is an open-source virtual classroom. A denial-of-service DoS vulnerability in versions prior to 3.0.13 allows any authenticated user to crash the chat functionality for all participants in a meeting by sending a malformed reactionEmojiId in the GraphQL mutation...

7.5CVSS0.00366EPSS
Exploits1References2
EUVD
EUVD
added 2025/10/03 8:7 p.m.6 views

EUVD-2024-2315

Malicious code in bioql PyPI...

9.8CVSS6.3AI score0.20171EPSS
Exploits0References7
EUVD
EUVD
added 2025/10/03 8:7 p.m.5 views

EUVD-2024-30450

Malicious code in bioql PyPI...

9.8CVSS7.4AI score0.01193EPSS
Exploits0References7
EUVD
EUVD
added 2025/10/03 8:7 p.m.8 views

EUVD-2023-0756

Malicious code in bioql PyPI...

8.8CVSS8.6AI score0.00682EPSS
Exploits0References6
Github Security Blog
Github Security Blog
added 2025/06/30 5:54 p.m.11 views

electron ASAR Integrity bypass by just modifying the content

electron's ASAR Integrity can be bypass by modifying the content. Impact This only impacts apps that have the embeddedAsarIntegrityValidation and onlyLoadAppFromAsar fuses enabled. Apps without these fuses enabled are not impacted. This issue is specific to Windows, apps using these fuses on macO...

7.8CVSS6.5AI score0.00105EPSS
Exploits0References4Affected Software1
RedhatCVE
RedhatCVE
added 2025/05/18 2:15 p.m.12 views

CVE-2025-47792

Nextcloud Desktop is the desktop sync client for Nextcloud. In versions of Nextcloud Desktop prior to 3.15, 3rdparty applications already installed on a user machine can create link shares for almost all data via the socket API. These shares can then be easily sent off to an external service...

6.1CVSS6.8AI score0.00152EPSS
Exploits0References1
NVD
NVD
added 2025/03/13 5:15 p.m.29 views

CVE-2025-27138

DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.6, there is a flaw in the authentication in the io.dataease.auth.filter.TokenFilter class, which may cause the risk of unauthorized access. The vulnerability has been fixed in v2.10.6. No known...

9.8CVSS0.00542EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2025/03/10 6:56 p.m.10 views

CVE-2025-27616 Vela Server has Insufficient Webhook Payload Data Verification

Vela is a Pipeline Automation CI/CD framework built on Linux container technology written in Golang. Prior to versions 0.25.3 and 0.26.3, by spoofing a webhook payload with a specific set of headers and body data, an attacker could transfer ownership of a repository and its repo level secrets to ...

8.5CVSS8.3AI score0.00246EPSS
Exploits0References5
OSV
OSV
added 2025/03/10 6:56 p.m.9 views

CVE-2025-27616 Vela Server has Insufficient Webhook Payload Data Verification

Vela is a Pipeline Automation CI/CD framework built on Linux container technology written in Golang. Prior to versions 0.25.3 and 0.26.3, by spoofing a webhook payload with a specific set of headers and body data, an attacker could transfer ownership of a repository and its repo level secrets to ...

8.5CVSS6.3AI score0.00246EPSS
Exploits0References7
OSV
OSV
added 2025/02/13 3:20 p.m.10 views

CVE-2025-24903 libsignal-service-rs Doesn't Check Origin of Sync Messages

libsignal-service-rs is a Rust version of the libsignal-service-java library which implements the core functionality to communicate with Signal servers. Prior to commit 82d70f6720e762898f34ae76b0894b0297d9b2f8, any contact may forge a sync message, impersonating another device of the local user...

8.5CVSS6.6AI score0.00179EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2025/02/07 9:49 a.m.11 views

CVE-2025-24968

reNgine is an automated reconnaissance framework for web applications. An unrestricted project deletion vulnerability allows attackers with specific roles, such as penetrationtester or auditor to delete all projects in the system. This can lead to a complete system takeover by redirecting the...

8.8CVSS6.8AI score0.00604EPSS
Exploits1References1
Tenable Nessus
Tenable Nessus
added 2025/01/13 12:0 a.m.19 views

EulerOS 2.0 SP10 : vim (EulerOS-SA-2025-1033)

According to the versions of the vim packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : Vim is an open source, command line text editor. A use-after-free was found in Vim 9.1.0764. When closing a buffer visible in a window a BufWinLeave...

4.7CVSS6.6AI score0.00292EPSS
Exploits0References2
OSV
OSV
added 2024/10/25 2:22 p.m.6 views

CVE-2024-49757 Zitadel User Registration Bypass Vulnerability

The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Due to a missing security check in versions prior to 2.64.0, 2.63.5, 2.62.7, 2.61.4, 2.60.4, 2.59.5, and 2.58.7, disabling the "User Registration allowed" option only hid the...

7.5CVSS7.6AI score0.02572EPSS
Exploits0References10
Vulnrichment
Vulnrichment
added 2024/02/08 10:46 p.m.4 views

CVE-2024-25107 Cross-Site Scripting in WikiDiscover

WikiDiscover is an extension designed for use with a CreateWiki managed farm to display wikis. On Special:WikiDiscover, the Language::date function is used when making the human-readable timestamp for inclusion on the wikicreation column. This function uses interface messages to translate the nam...

4.9CVSS6.2AI score0.00402EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2023/12/04 11:3 p.m.9 views

CVE-2023-49293 Cross-site Scripting in `server.transformIndexHtml` via URL payload in vite

Vite is a website frontend framework. When Vite's HTML transformation is invoked manually via server.transformIndexHtml, the original request URL is passed in unmodified, and the html being transformed contains inline module scripts ..., it is possible to inject arbitrary HTML into the transforme...

6.1CVSS6.9AI score0.00997EPSS
Exploits1References1
OSV
OSV
added 2023/11/16 10:59 p.m.6 views

CVE-2023-48231 Use-After-Free in win_close() in vim

Vim is an open source command line text editor. When closing a window, vim may try to access already freed window structure. Exploitation beyond crashing the application has not been shown to be viable. This issue has been addressed in commit 25aabc2b which has been included in release version...

3.9CVSS6.2AI score0.00666EPSS
Exploits0References9
Vulnrichment
Vulnrichment
added 2022/11/11 12:0 a.m.5 views

CVE-2022-41892 Arches vulnerable to SQL Injection

Arches is a web platform for creating, managing, & visualizing geospatial data. Versions prior to 6.1.2, 6.2.1, and 7.1.2 are vulnerable to SQL Injection. With a carefully crafted web request, it's possible to execute certain unwanted sql statements against the database. This issue is fixed in...

8.6CVSS9.5AI score0.0055EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2022/02/01 10:56 a.m.8 views

CVE-2022-23602 Nim's rst parser sandboxed mode allows include which can embed any local file

Nimforum is a lightweight alternative to Discourse written in Nim. In versions prior to 2.2.0 any forum user can create a new thread/post with an include referencing a file local to the host operating system. Nimforum will render the file if able. This can also be done silently by using NimForum'...

7.7CVSS7.9AI score0.01343EPSS
Exploits1References2
Rows per page
Query Builder