Lucene search
K

126621 matches found

Github Security Blog
Github Security Blog
added 2026/04/01 10:17 p.m.4 views

Poetry Has Wheel Path Traversal Which Can Lead to Arbitrary File Write

Summary A crafted wheel can contain ../ paths that Poetry writes to disk without containment checks, allowing arbitrary file write with the privileges of the Poetry process. Impact Arbitrary file write path traversal from untrusted wheel content. Impacts users/CI/CD systems installing malicious o...

7.1CVSS6AI score0.00468EPSS
Exploits1References6Affected Software1
Snyk
Snyk
added 2026/04/01 9:14 p.m.4 views

UNIX Symbolic Link (Symlink) Following

Overview onnx is an Open Neural Network Exchange Affected versions of this package are vulnerable to UNIX Symbolic Link Symlink Following in the resolveexternaldatalocation function. An attacker can access arbitrary files outside the intended directory by supplying a symlink within the model...

6.7CVSS6AI score0.00248EPSS
Exploits1References3
OSV
OSV
added 2026/04/01 9:14 p.m.3 views

GHSA-P433-9WV8-28XJ ONNX: External Data Symlink Traversal

Summary - Issue: Symlink traversal in external data loading allows reading files outside the model directory. - Affected code: onnx/onnx/checker.cc: resolveexternaldatalocation used via Python onnx.externaldatahelper.loadexternaldataformodel. - Impact: Arbitrary file read confidentiality breach...

5.5CVSS5.8AI score0.00248EPSS
Exploits1References4
Github Security Blog
Github Security Blog
added 2026/04/01 9:14 p.m.5 views

ONNX: External Data Symlink Traversal

Summary - Issue: Symlink traversal in external data loading allows reading files outside the model directory. - Affected code: onnx/onnx/checker.cc: resolveexternaldatalocation used via Python onnx.externaldatahelper.loadexternaldataformodel. - Impact: Arbitrary file read confidentiality breach...

5.5CVSS5.8AI score0.00248EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2026/04/01 9:8 p.m.3 views

GHSA-JQRJ-CHH6-8H78 AVideo: Reflected XSS via Unescaped ip Parameter in User_Location testIP.php

Summary The UserLocation plugin's testIP.php page reflects the ip request parameter directly into an HTML input element without applying htmlspecialchars or any other output encoding. This allows an attacker to inject arbitrary HTML and JavaScript via a crafted URL. Although the page is restricte...

6.1CVSS6AI score0.0022EPSS
Exploits1References4
Snyk
Snyk
added 2026/04/01 9:8 p.m.1 views

Cross-site Scripting (XSS)

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Cross-site Scripting XSS in the handling of the ip parameter in the UserLocation plugin's testIP.php process. An attacker can execute arbitrary JavaScript in the...

6.1CVSS5.8AI score0.0022EPSS
Exploits1References2
Github Security Blog
Github Security Blog
added 2026/04/01 9:8 p.m.6 views

AVideo: Reflected XSS via Unescaped ip Parameter in User_Location testIP.php

Summary The UserLocation plugin's testIP.php page reflects the ip request parameter directly into an HTML input element without applying htmlspecialchars or any other output encoding. This allows an attacker to inject arbitrary HTML and JavaScript via a crafted URL. Although the page is restricte...

6.1CVSS6AI score0.0022EPSS
Exploits1References4Affected Software1
IBM Security Bulletins
IBM Security Bulletins
added 2026/04/01 9:3 p.m.3 views

Security Bulletin: IBM WebSphere Application Server Liberty, which is bundled with IBM WebSphere Hybrid Edition, is affected by a privilege escalation vulnerability (CVE-2025-14915)

Summary IBM WebSphere Application Server Liberty, which is bundled with IBM WebSphere Hybrid Edition, is affected by a privilege escalation vulnerability with the restConnector-1.0 or restConnector-2.0 feature enabled. Vulnerability Details Refer to the security bulletins listed in the...

7.2CVSS5.9AI score0.00498EPSS
Exploits0Affected Software1
IBM Security Bulletins
IBM Security Bulletins
added 2026/04/01 8:59 p.m.5 views

Security Bulletin: IBM WebSphere Application Server Liberty, which is bundled with IBM Cloud Pak for Applications, is affected by a vulnerability that could provide weaker than expected security (CVE-2025-14917)

Summary IBM WebSphere Application Server Liberty, which is bundled with IBM Cloud Pak for Applications, is affected by a vulnerability that could provide weaker than expected security when administering security settings with the appSecurity-1.0, appSecurity-2.0, appSecurity-3.0, appSecurity-4.0 ...

9.8CVSS5.9AI score0.00355EPSS
Exploits0Affected Software1
IBM Security Bulletins
IBM Security Bulletins
added 2026/04/01 8:58 p.m.2 views

Security Bulletin: IBM WebSphere Application Server Liberty, which is bundled with IBM Enterprise Application Runtimes, is affected by a privilege escalation vulnerability (CVE-2025-14915)

Summary IBM WebSphere Application Server Liberty, which is bundled with IBM Enterprise Application Runtimes, is affected by a privilege escalation vulnerability with the restConnector-1.0 or restConnector-2.0 feature enabled. Vulnerability Details Refer to the security bulletins listed in the...

7.2CVSS5.9AI score0.00498EPSS
Exploits0Affected Software1
IBM Security Bulletins
IBM Security Bulletins
added 2026/04/01 8:56 p.m.4 views

Security Bulletin: IBM WebSphere Application Server Liberty, which is bundled with IBM Cloud Pak for Applications, is affected by a privilege escalation vulnerability (CVE-2025-14915)

Summary IBM WebSphere Application Server Liberty, which is bundled with IBM Cloud Pak for Applications, is affected by a privilege escalation vulnerability with the restConnector-1.0 or restConnector-2.0 feature enabled. Vulnerability Details Refer to the security bulletins listed in the...

7.2CVSS5.9AI score0.00498EPSS
Exploits0Affected Software1
OSV
OSV
added 2026/04/01 8:54 p.m.4 views

GHSA-HQXF-MHFW-RC44 AVideo: CSRF on Plugin Enable/Disable Endpoint Allows Disabling Security Plugins

Summary The AVideo endpoint objects/pluginSwitch.json.php allows administrators to enable or disable any installed plugin. The endpoint checks for an active admin session but does not validate a CSRF token. Additionally, the plugins database table is explicitly listed in ignoreTableSecurityCheck,...

6.5CVSS6AI score0.00201EPSS
Exploits1References5
Github Security Blog
Github Security Blog
added 2026/04/01 8:54 p.m.12 views

AVideo: CSRF on Plugin Enable/Disable Endpoint Allows Disabling Security Plugins

Summary The AVideo endpoint objects/pluginSwitch.json.php allows administrators to enable or disable any installed plugin. The endpoint checks for an active admin session but does not validate a CSRF token. Additionally, the plugins database table is explicitly listed in ignoreTableSecurityCheck,...

6.5CVSS6AI score0.00201EPSS
Exploits1References5Affected Software1
IBM Security Bulletins
IBM Security Bulletins
added 2026/04/01 8:53 p.m.4 views

Security Bulletin:IBM WebSphere Application Server Liberty, which is bundled with IBM WebSphere Hybrid Edition, is affected by a vulnerability that could provide weaker than expected security (CVE-2025-14917)

Summary IBM WebSphere Application Server Liberty, which is bundled with IBM WebSphere Hybrid Edition, is affected by a vulnerability that could provide weaker than expected security when administering security settings with the appSecurity-1.0, appSecurity-2.0, appSecurity-3.0, appSecurity-4.0 or...

9.8CVSS5.9AI score0.00355EPSS
Exploits0Affected Software1
IBM Security Bulletins
IBM Security Bulletins
added 2026/04/01 8:51 p.m.3 views

Security Bulletin: IBM WebSphere Application Server Liberty, which is bundled with IBM Enterprise Application Runtimes, is affected by a vulnerability that could provide weaker than expected security (CVE-2025-14917)

Summary IBM WebSphere Application Server Liberty, which is bundled with IBM Enterprise Application Runtimes, is affected by a security vulnerability that could provide weaker than expected security when administering security settings with the appSecurity-1.0, appSecurity-2.0, appSecurity-3.0,...

9.8CVSS5.9AI score0.00355EPSS
Exploits0Affected Software1
IBM Security Bulletins
IBM Security Bulletins
added 2026/04/01 8:50 p.m.4 views

Security Bulletin: IBM WebSphere Application Server Liberty, which is bundled with IBM Enterprise Application Runtimes, is affected by a server-side request forgery vulnerability (CVE-2026-1561)

Summary IBM WebSphere Application Server Liberty, which is bundled with IBM Enterprise Application Runtimes, is affected by a server-side request forgery vulnerability with the samlWeb-2.0 feature enabled. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes secti...

5.4CVSS5.9AI score0.00284EPSS
Exploits0Affected Software1
OSV
OSV
added 2026/04/01 8:48 p.m.4 views

GHSA-C4XJ-X7P8-3X7Q AVideo: CSRF on emailAllUsers.json.php Enables Mass Phishing Email to All Users

Summary The AVideo endpoint objects/emailAllUsers.json.php allows administrators to send HTML emails to every registered user on the platform. While the endpoint verifies admin session status, it does not validate a CSRF token. Because AVideo sets SameSite=None on session cookies, a cross-origin...

6.5CVSS6AI score0.00157EPSS
Exploits1References4
Snyk
Snyk
added 2026/04/01 8:48 p.m.1 views

Cross-site Request Forgery (CSRF)

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF via the AVideo endpoint objects/emailAllUsers.json.php allows administrators to send HTML emails to every registered user on the...

7.1CVSS5.9AI score0.00157EPSS
Exploits1References2
Github Security Blog
Github Security Blog
added 2026/04/01 8:48 p.m.5 views

AVideo: CSRF on emailAllUsers.json.php Enables Mass Phishing Email to All Users

Summary The AVideo endpoint objects/emailAllUsers.json.php allows administrators to send HTML emails to every registered user on the platform. While the endpoint verifies admin session status, it does not validate a CSRF token. Because AVideo sets SameSite=None on session cookies, a cross-origin...

6.5CVSS6AI score0.00157EPSS
Exploits1References4Affected Software1
IBM Security Bulletins
IBM Security Bulletins
added 2026/04/01 8:47 p.m.4 views

Security Bulletin: IBM WebSphere Application Server Liberty, which is bundled with IBM Cloud Pak for Applications, is affected by a server-side request forgery vulnerability (CVE-2026-1561)

Summary IBM WebSphere Application Server Liberty, which is bundled with IBM Cloud Pak for Applications, is affected by a server-side request forgery vulnerability with the samlWeb-2.0 feature enabled. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section...

5.4CVSS5.9AI score0.00284EPSS
Exploits0Affected Software1
Rows per page
Query Builder