88 matches found

Snyk
added 2026/03/16 8:45 p.m. · 1 view

Directory Traversal

Overview: github.com/filebrowser/filebrowser/v2/http is a web file browser. Affected versions of this package are vulnerable to Directory Traversal via the destination parameter in the PATCH request handler resourcePatchHandler. An attacker can bypass configured access restrictions by including...

CVSS 7.1 · AI score 6.4 · EPSS 0.00387
Exploits 0 · References 3

Github Security Blog
added 2026/03/16 8:43 p.m. · 7 views

File Browser TUS Negative Upload-Length Fires Post-Upload Hooks Prematurely

Note: This feature has been disabled by default for all installations from v2.33.8 onwards, including for existing installations. To exploit this vulnerability, the instance administrator must turn on a feature and ignore all the warnings about known vulnerabilities. We're publishing this new...

CVSS 8.1 · AI score 6.7 · EPSS 0.01903
Exploits 1 · References 4 · Affected Software 1

Positive Technologies
added 2026/03/16 12:00 a.m. · 7 views

PT-2026-25856

Name of the Vulnerable Software and Affected Versions: File Browser versions 2.61.2 and below. Description: File Browser, a file managing interface, has an issue where an authenticated user with Create or Rename permissions can bypass administrator-configured deny rules. This is due to the order in...

CVSS 6.5 · AI score 5.8 · EPSS 0.00387
Exploits 0 · References 8

RedhatCVE
added 2025/11/26 12:42 a.m. · 5 views

CVE-2025-64064

Primakon Pi Portal 1.0.18 /api/v2/ppusers endpoint fails to adequately check user permissions before processing a PATCH request to modify the PPSECURITYPROFILEID. Because of weak access controls any low level user can use this API and change their permission to Administrator by using...

CVSS 8.8 · AI score 7 · EPSS 0.00251
Exploits 0 · References 1

OSV
added 2025/11/25 7:15 p.m. · 4 views

CVE-2025-64064

Primakon Pi Portal 1.0.18 /api/v2/ppusers endpoint fails to adequately check user permissions before processing a PATCH request to modify the PPSECURITYPROFILEID. Because of weak access controls any low level user can use this API and change their permission to Administrator by using...

CVSS 8.8 · AI score 5.8 · EPSS 0.00251
Exploits 0 · References 2

Vulnrichment
added 2025/11/25 12:00 a.m. · 5 views

CVE-2025-64065

The Primakon Pi Portal 1.0.18 API /api/V2/ppudfvadmin endpoint fails to perform necessary server-side validation. The administrative LoginAs or user impersonation feature is vulnerable to an access control failure. This flaw allows any authenticated low-privileged user to execute a direct PATCH...

AI score 6.8 · EPSS 0.00251
Exploits 0 · References 2

EUVD
added 2025/10/03 8:07 p.m. · 8 views

EUVD-2023-35458

Malicious code in bioql PyPI...

CVSS 7.1 · AI score 6.6 · EPSS 0.00609
Exploits 0 · References 4

EUVD
added 2025/10/03 8:07 p.m. · 3 views

EUVD-2023-27725

Malicious code in bioql PyPI...

CVSS 7.6 · AI score 7.6 · EPSS 0.00628
Exploits 1 · References 3

CVE
added 2025/07/22 12:00 a.m. · 27 views

CVE-2025-51479

Onyx Enterprise Edition 0.27.0 exposes an authorization bypass in the update_user_group function of onyx-dot-app. Remote authenticated attackers can modify arbitrary user groups by sending crafted PATCH requests to /api/manage/admin/user-group/id, bypassing curator-group assignment checks. Docume...

CVSS 5.4 · AI score 7 · EPSS 0.0028
Exploits 1 · References 3 · Affected Software 1

RedhatCVE
added 2025/06/18 1:06 a.m. · 12 views

CVE-2025-6099

A vulnerability was found in szluyu99 gin-vue-blog up to 61dd11ccd296e8642a318ada3ef7b3f7776d2410. It has been declared as critical. This vulnerability affects unknown code of the file gin-blog-server/internal/manager.go of the component PATCH Request Handler. The manipulation leads to improper...

CVSS 6.9 · AI score 5.4 · EPSS 0.00356
Exploits 0 · References 1

RedHat Linux
added 2025/06/16 2:44 p.m. · 7 views

Moderate: Red Hat Security Advisory: git-lfs security update

An update for git-lfs is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from th...

CVSS 9.1 · AI score 6.8 · EPSS 0.00682
Exploits 0 · References 2

Vulnrichment
added 2025/06/16 1:00 a.m. · 5 views

CVE-2025-6099 szluyu99 gin-vue-blog PATCH Request manager.go improper authorization

A vulnerability was found in szluyu99 gin-vue-blog up to 61dd11ccd296e8642a318ada3ef7b3f7776d2410. It has been declared as critical. This vulnerability affects unknown code of the file gin-blog-server/internal/manager.go of the component PATCH Request Handler. The manipulation leads to improper...

CVSS 6.9 · AI score 5.4 · EPSS 0.00356
Exploits 0 · References 4

CVE
added 2025/06/16 1:00 a.m. · 28 views

CVE-2025-6099

The CVE-2025-6099 entry concerns szluyu99 gin-vue-blog, specifically the PATCH Request Handler in gin-blog-server/internal/manager.go. The vulnerability is described as an improper authorization flaw that can be exploited remotely. Several connected sources corroborate a remote-access risk affect...

CVSS 6.9 · AI score 5.5 · EPSS 0.00356
Exploits 0 · References 4

Positive Technologies
added 2025/06/16 12:00 a.m. · 5 views

PT-2025-25509 · Unknown · Szluyu99 Gin-Vue-Blog

Name of the Vulnerable Software and Affected Versions: szluyu99 gin-vue-blog up to 61dd11ccd296e8642a318ada3ef7b3f7776d2410 Description: A critical vulnerability was found in the PATCH Request Handler component of szluyu99 gin-vue-blog, affecting unknown code in the file...

CVSS 6.9 · AI score 5.2 · EPSS 0.00356
Exploits 0 · References 7

RedhatCVE
added 2025/03/22 11:37 a.m. · 6 views

CVE-2024-11043

A Denial of Service (DoS) vulnerability was discovered in the /api/v1/boards/boardid endpoint of invoke-ai/invokeai version v5.0.2. This vulnerability occurs when an excessively large payload is sent in the boardname field during a PATCH request. By sending a large payload, the UI becomes...

CVSS 7.5 · AI score 6.8 · EPSS 0.00664
Exploits 0 · References 1

Snyk
added 2025/03/20 12:32 p.m. · 1 view

Denial of Service (DoS)

Overview: InvokeAI is an implementation of Stable Diffusion which provides various new features and options to aid the image generation process. Affected versions of this package are vulnerable to Denial of Service (DoS) through the boardname field during a PATCH request to the...

CVSS 8.7 · AI score 7 · EPSS 0.00664
Exploits 0 · References 2

NVD
added 2025/03/20 10:15 a.m. · 4 views

CVE-2024-11043

A Denial of Service (DoS) vulnerability was discovered in the /api/v1/boards/boardid endpoint of invoke-ai/invokeai version v5.0.2. This vulnerability occurs when an excessively large payload is sent in the boardname field during a PATCH request. By sending a large payload, the UI becomes...

CVSS 7.5 · EPSS 0.00664
Exploits 0 · References 1

CVE
added 2025/03/20 10:11 a.m. · 40 views

CVE-2024-11043

The CVE-2024-11043 DoS affects the InvokeAI project (version v5.0.2) via the /api/v1/boards/{board_id} PATCH endpoint when an excessively large board_name payload is sent, causing the UI to become unresponsive and blocking board deletion. This is triggered by crafting a large payload in the board...

CVSS 7.5 · AI score 7.5 · EPSS 0.00664
Exploits 0 · References 1

Github Security Blog
added 2024/08/27 7:54 p.m. · 29 views

Directus has an insecure object reference via PATH presets

Impact: Directus v10.13.0 allows an authenticated external attacker to modify presets created by the same user to assign them to another user. This is possible because the application only validates the user parameter in the POST /presets request but not in the PATCH request. When chained with...

CVSS 4.3 · AI score 4.5 · EPSS 0.00326
Exploits 0 · References 5 · Affected Software 1

OSV
added 2024/08/15 6:32 a.m. · 4 views

GHSA-Q83V-HQ3J-4PQ3 Duplicate Advisory: Improper access control in Directus

Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-3fff-gqw3-vj86. This link is maintained to preserve external references. Original Description: Directus v10.13.0 allows an authenticated external attacker to modify presets created by the same user to assign them...

CVSS 5.3 · AI score 5.8 · EPSS 0.00326
Exploits 0 · References 4