CVE-2020-36894
Eibiz i-Media Server Digital Signage 3.8.0 contains an authentication bypass vulnerability that allows unauthenticated attackers to create admin users through AMF-encoded object manipulation. Attackers can send crafted serialized objects to the /messagebroker/amf endpoint to create administrative...
CVE-2020-36894
CVE-2020-36894 affects Eibiz i-Media Server Digital Signage 3.8.0. The vulnerability is an authentication bypass in which crafted AMF-encoded objects manipulated at /messagebroker/amf allow unauthenticated attackers to create administrator users, bypassing security controls. Multiple connected so...
EUVD-2021-1022
Malware in sbrugna...
EUVD-2021-0620
Malware in sbrugna...
EUVD-2022-1163
Malicious code in bioql PyPI...
EUVD-2025-7159
Malicious code in bioql PyPI...
EUVD-2022-0919
Malicious code in bioql PyPI...
Metasploit Wrap-Up 08/01/2025
ESC support in Metasploit This week, we're excited to announce that Metasploit users can now detect certificate templates vulnerable to ESC9, ESC10, and ESC16 using the existing ldapescvulnerabletemplate module. In addition, users can now exploit these vulnerable templates with the brand new...
PT-2025-99: Deserialization of untrusted data in FreeScout
The vulnerability was identified in FreeScout, version 1.8.182. The discovered vulnerability allows an attacker to deserialize untrusted data, manipulate objects and impair system functionality. Vulnerability status: Confirmed by vendor Date of vulnerability remediation: 19.07.2025 Recommendation...
CVE-2025-48881 Valtimo backend libraries allows objects in the object-api to be accessed and modified by unauthorized users
Valtimo is a platform for Business Process Automation. In versions starting from 11.0.0.RELEASE to 11.3.3.RELEASE and 12.0.0.RELEASE to 12.12.0.RELEASE, all objects for which an object-management configuration exists can be listed, viewed, edited, created or deleted by unauthorised users. If...
Prototype Pollution
Docarray is vulnerable to prototype pollution. The vulnerability is due to a lack of input sanitization in the __getitem__ function of torch_dataset.py in the Web API component, which allows an attacker to remotely manipulate object prototypes...
CVE-2022-41714
fastest-json-copy version 1.0.1 allows an external attacker to edit or add new properties to an object. This is possible because the application does not correctly validate the incoming JSON keys, thus allowing the __proto__ property to be edited...
Prototype Pollution
tarteaucitron.js is vulnerable to prototype pollution. The vulnerability is due to improper input validation in the addOrUpdate function within the file tarteaucitron.js, which allowed manipulation of JavaScript object prototypes...
CVE-2025-29922
kcp is a Kubernetes-like control plane for form-factors and use-cases beyond Kubernetes and container workloads. Prior to 0.26.3, the identified vulnerability allows creating or deleting an object via the APIExport VirtualWorkspace in any arbitrary target workspace for pre-existing resources. By...
CVE-2025-0889
Prior to 25.2, a local authenticated attacker can elevate privileges on a system with Privilege Management for Windows installed, via the manipulation of COM objects under certain circumstances where an EPM policy allows for automatic privilege elevation of a user process...
Design/Logic Flaw
User-defined OXMF templates could be used to access a limited part of the internal OX App Suite Java API. The existing switch to disable the feature by default was not effective in this case. Unauthorized users could discover and modify application state, including objects related to other users...
Mozilla: [Hubs] - Broken access control in placing objects in hubs room
A broken access control vulnerability allowed an attacker to bypass object creation and movement restrictions in Mozilla Hubs. By using specific commands in the chat feature, the attacker could place objects in a room even if the admin user had disabled these actions. The vulnerability did not...
CVE-2023-0842
xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the __proto__ property to be edited...
CVE-2023-0842
CVE-2023-0842 affects xml2js: version 0.4.23 allows prototype pollution by editing __proto__ via unchecked JSON keys. Affected component: xml2js (Node.js). Impact (as stated): attacker could edit/add object properties through prototype pollution. Remediation: upgrade to newer xml2js releases; referen...
Remote code execution
If an object prototype was corrupted by an attacker, they would have been able to set undesired attributes on a JavaScript object, leading to privileged code execution. This vulnerability affects Firefox 102, Firefox ESR 91.11, Thunderbird 102, and Thunderbird 91.11...