Fides Webserver API Rate Limiting Vulnerability in Proxied Environments

Summary The Fides Webserver API's built-in IP-based rate limiting is ineffective in environments with CDNs, proxies or load balancers. The system incorrectly applies rate limits based on directly connected infrastructure IPs rather than client IPs, and stores counters in-memory rather than in a...

PT-2025-36460

CVE ID: CVE-2025-0003 Published: 2025-03-05T00:00:00.000Z Severity: HIGH 8.8/10 Description SQL injection vulnerability in the reporting module of Business Analytics Suite v4.5.0 allows authenticated users to execute arbitrary SQL commands. Root Cause Improper neutralization of special elements i...

GHSA-WP3J-XQ48-XPJW podman kube play symlink traversal vulnerability

Impact The podman kube play command can overwrite host files when the kube file contains a ConfigMap or Secret volume mount and the volume already contains a symlink to a host file. This allows a malicious container to write to arbitrary files on the host BUT the attacker only controls the target...

Linux Distros Unpatched Vulnerability : CVE-2019-20633

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - GNU patch through 2.7.6 contains a freeplinepend Double Free vulnerability in the function anotherhunk in pch.c that can cause a denial of service via a crafted...

Linux Distros Unpatched Vulnerability : CVE-2022-41915

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling...

Eventlet affected by HTTP request smuggling in unparsed trailers

Impact The Eventlet WSGI parser is vulnerable to HTTP Request Smuggling due to improper handling of HTTP trailer sections. This vulnerability could enable attackers to: - Bypass front-end security controls - Launch targeted attacks against active site users - Poison web caches Patches Problem has...

Linux Distros Unpatched Vulnerability : CVE-2025-29785

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - quic-go is an implementation of the QUIC protocol in Go. The loss recovery logic for path probe packets that was added in the v0.50.0 release can be used to...

Linux Distros Unpatched Vulnerability : CVE-2024-22189

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - quic-go is an implementation of the QUIC protocol in Go. Prior to version 0.42.0, an attacker can cause its peer to run out of memory sending a large number of...

WordPress SiteSEO plugin <= 1.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Broken Regex Expression vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Broken Regex Expression vulnerability discovered by stealthcopter in WordPress Plugin SiteSEO versions = 1.2.7...

CVE-2025-57755 claude-code-router CORS. misconfiguration

claude-code-router is a powerful tool to route Claude Code requests to different models and customize any request. Due to improper Cross-Origin Resource Sharing CORS configuration, there is a risk that user API Keys or equivalent credentials may be exposed to untrusted domains. Attackers could...

@musistudio/claude-code-router has improper CORS configuration

Impact Due to improper Cross-Origin Resource Sharing CORS configuration, there is a risk that user API Keys or equivalent credentials may be exposed to untrusted domains. Attackers could exploit this misconfiguration to steal credentials, abuse accounts, exhaust quotas, or access sensitive data...

Linux Distros Unpatched Vulnerability : CVE-2024-34083

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - aiosmptd is a reimplementation of the Python stdlib smtpd.py based on asyncio. Prior to version 1.4.6, servers based on aiosmtpd accept extra unencrypted comman...

GHSA-GGJM-F3G4-RWMM n8n symlink traversal vulnerability in "Read/Write File" node allows access to restricted files

Impact A symlink traversal vulnerability was discovered in the Read/Write File node in n8n. While the node attempts to restrict access to sensitive directories and files, it does not properly account for symbolic links symlinks. An attacker with the ability to create symlinks—such as by using the...

Linux Distros Unpatched Vulnerability : CVE-2022-24823

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Netty is an open-source, asynchronous event-driven network application framework. The package io.netty:netty-codec-http prior to version 4.1.77.Final contains a...

Linux Distros Unpatched Vulnerability : CVE-2022-26499

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An SSRF issue was discovered in Asterisk through 19.x. When using STIR/SHAKEN, it's possible to send arbitrary requests such as GET to interfaces such as...

Linux Distros Unpatched Vulnerability : CVE-2023-25136

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - OpenSSH server sshd 9.1 introduced a double-free vulnerability during options.kexalgorithms handling. This is fixed in OpenSSH 9.2. The double free can be...

Linux Distros Unpatched Vulnerability : CVE-2021-21274

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Synapse is a Matrix reference homeserver written in python pypi package matrix-synapse. Matrix is an ecosystem for open federated Instant Messaging and VoIP. In...

WordPress Injection Guard plugin < 1.2.8 - Reflected XSS via $_SERVER['REQUEST_URI'] vulnerability

Reflected XSS via $SERVER'REQUESTURI' vulnerability discovered by Bob Matyas in WordPress Plugin Injection Guard versions 1.2.8...

CVE-2025-55194 Part-DB Persistent Denial of Service via Uncaught Exception from Misleading File Extension in Avatar Upload

Part-DB is an open source inventory management system for electronic components. Prior to version 1.17.3, any authenticated user can upload a profile picture with a misleading file extension e.g., .jpg.txt, resulting in a persistent 500 Internal Server Error when attempting to view or edit that...

PyPDF's Manipulated FlateDecode streams can exhaust RAM

Impact An attacker who uses this vulnerability can craft a PDF which leads to the RAM being exhausted. This requires just reading the file if a series of FlateDecode filters is used on a malicious cross-reference stream. Other content streams are affected on explicit access. Patches This has been...