3054 matches found

Snyk
added 2025/09/27 5:43 p.m., 1 view

Creation of Temporary File With Insecure Permissions

Overview: llama-index-core is an interface between LLMs and your data. Affected versions of this package are vulnerable to Creation of Temporary File With Insecure Permissions via the get_cache_dir function, which uses a predictable and hardcoded directory path /tmp/llama_index without proper security...

CVSS 8.4, AI score 6.9, EPSS 0.00021
Exploits 0, References 2
OSV
added 2025/09/27 5:15 p.m., 3 views

CVE-2025-7647

The llama-index-core package, up to version 0.12.44, contains a vulnerability in the get_cache_dir function where a predictable, hardcoded directory path /tmp/llama_index is used on Linux systems without proper security controls. This vulnerability allows attackers on multi-user systems to steal...

CVSS 7.3, AI score 6.9
Exploits 0, References 2
RedhatCVE
added 2025/09/27 3:47 a.m., 5 views

CVE-2025-10745

The Banhammer – Monitor Site Traffic, Block Bad Users and Bots plugin for WordPress is vulnerable to Blocking Bypass in all versions up to, and including, 3.4.8. This is due to a site-wide “secret key” being deterministically generated from a constant character set using md5 and base64_encode and...

CVSS 5.3, AI score 5.9, EPSS 0.00221
Exploits 0, References 1
RedhatCVE
added 2025/09/27 2:43 a.m., 2 views

CVE-2025-10752

The OAuth Single Sign On – SSO OAuth Client plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.26.12. This is due to using a predictable state parameter (the base64-encoded app name) without any randomness in the OAuth flow. This makes it possible f...

CVSS 4.3, AI score 5.6, EPSS 0.00017
Exploits 0, References 1
Positive Technologies
added 2025/09/27 12:00 a.m., 3 views

PT-2025-39733

Name of the Vulnerable Software and Affected Versions: llama-index-core versions through 0.12.44. Description: The software has an issue in the get_cache_dir function due to the use of a predictable, hardcoded directory path /tmp/llama_index on Linux systems without sufficient security measures. Thi...

CVSS 7.3, AI score 7.4, EPSS 0.00021
Exploits 0, References 10
Cvelist
added 2025/09/26 3:25 a.m., 5 views

CVE-2025-10745 Banhammer – Monitor Site Traffic, Block Bad Users and Bots <= 3.4.8 - Unauthenticated Protection Mechanism Bypass

The Banhammer – Monitor Site Traffic, Block Bad Users and Bots plugin for WordPress is vulnerable to Blocking Bypass in all versions up to, and including, 3.4.8. This is due to a site-wide “secret key” being deterministically generated from a constant character set using md5 and base64_encode and...

CVSS 5.3, EPSS 0.00221
Exploits 0, References 5
CVE
added 2025/09/26 3:25 a.m., 17 views

CVE-2025-10745

CVE-2025-10745 affects Banhammer – Monitor Site Traffic, Block Bad Users and Bots (WordPress) up to version 3.4.8. Root cause: a deterministically generated secret key (using md5 and base64_encode) stored in banhammer_secret_key enables unauthenticated bypass by appending a GET parameter banhamme...

CVSS 5.3, AI score 5.5, EPSS 0.00221
Exploits 0, References 5
Cvelist
added 2025/09/26 1:47 a.m., 5 views

CVE-2025-10752 OAuth Single Sign On – SSO (OAuth Client) <= 6.26.12 - Cross-Site Request Forgery

The OAuth Single Sign On – SSO OAuth Client plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.26.12. This is due to using a predictable state parameter (the base64-encoded app name) without any randomness in the OAuth flow. This makes it possible f...

CVSS 4.3, EPSS 0.00017
Exploits 0, References 3
Vulnrichment
added 2025/09/26 1:47 a.m., 1 view

CVE-2025-10752 OAuth Single Sign On – SSO (OAuth Client) <= 6.26.12 - Cross-Site Request Forgery

The OAuth Single Sign On – SSO OAuth Client plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.26.12. This is due to using a predictable state parameter (the base64-encoded app name) without any randomness in the OAuth flow. This makes it possible f...

CVSS 4.3, AI score 5.2, EPSS 0.00017
Exploits 0, References 3
CVE
added 2025/09/26 1:47 a.m., 17 views

CVE-2025-10752

CVE-2025-10752 affects the OAuth Single Sign On – SSO (OAuth Client) WordPress plugin. The issue is a Cross-Site Request Forgery (CSRF) in the OAuth flow caused by a predictable state parameter (base64-encoded app name) that is used during authorization requests. This enables unauthenticated atta...

CVSS 4.3, AI score 5.2, EPSS 0.00017
Exploits 0, References 3
RedhatCVE
added 2025/09/25 5:47 p.m., 5 views

CVE-2025-48869

Horilla is a free and open source Human Resource Management System (HRMS). Unauthenticated users can access uploaded resume files in Horilla 1.3.0 by directly guessing or predicting file URLs. These files are stored in a publicly accessible directory, allowing attackers to retrieve sensitive...

CVSS 7.5, AI score 6.4, EPSS 0.0011
Exploits 1, References 1
RedhatCVE
added 2025/09/25 2:53 a.m., 2 views

CVE-2025-55069

A predictable-seed pseudo-random number generator vulnerability has been discovered in firmware version 3.60 of the Click Plus PLC. The vulnerability relies on the fact that the software implements a predictable seed for its pseudo-random number generator, which compromises the security of the...

CVSS 8.7, AI score 6.9, EPSS 0.00062
Exploits 0, References 1
Github Security Blog
added 2025/09/24 6:57 p.m., 7 views

tar-fs has a symlink validation bypass if destination directory is predictable with a specific tarball

Impact: v3.1.0, v2.1.3, v1.16.5 and below. Patches: has been patched in 3.1.1, 2.1.4, and 1.16.6. Workarounds: you can use the ignore option to ignore non-files/directories (js):
  ignore (_, header) {
    // pass files & directories, ignore e.g. symlinks
    return header.type !== 'file' && header.type !== 'directory...

CVSS 8.7, AI score 7, EPSS 0.00033
Exploits 0, References 5, Affected Software 1
OSV
added 2025/09/24 6:15 p.m., 1 view

DEBIAN-CVE-2025-59343

tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.1.1, 2.1.3, and 1.16.5 are vulnerable to symlink validation bypass if the destination directory is predictable with a specific tarball. This issue has been patched in version 3.1.1, 2.1.4, and 1.16.6. A workaround involves...

CVSS 8.7, AI score 4.5, EPSS 0.00033
Exploits 0, References 1
NVD
added 2025/09/24 6:15 p.m., 2 views

CVE-2025-48869

Horilla is a free and open source Human Resource Management System (HRMS). Unauthenticated users can access uploaded resume files in Horilla 1.3.0 by directly guessing or predicting file URLs. These files are stored in a publicly accessible directory, allowing attackers to retrieve sensitive...

CVSS 7.5, EPSS 0.0011
Exploits 1, References 1
Vulnrichment
added 2025/09/24 5:43 p.m., 1 view

CVE-2025-59343 tar-fs has a symlink validation bypass if destination directory is predictable with a specific tarball

tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.1.1, 2.1.3, and 1.16.5 are vulnerable to symlink validation bypass if the destination directory is predictable with a specific tarball. This issue has been patched in version 3.1.1, 2.1.4, and 1.16.6. A workaround involves...

CVSS 8.7, AI score 6.5, EPSS 0.00033
Exploits 0, References 2
Cvelist
added 2025/09/24 5:43 p.m., 6 views

CVE-2025-59343 tar-fs has a symlink validation bypass if destination directory is predictable with a specific tarball

tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.1.1, 2.1.3, and 1.16.5 are vulnerable to symlink validation bypass if the destination directory is predictable with a specific tarball. This issue has been patched in version 3.1.1, 2.1.4, and 1.16.6. A workaround involves...

CVSS 8.7, EPSS 0.00033
Exploits 0, References 2
OSV
added 2025/09/24 5:43 p.m., 2 views

CVE-2025-59343 tar-fs has a symlink validation bypass if destination directory is predictable with a specific tarball

tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.1.1, 2.1.3, and 1.16.5 are vulnerable to symlink validation bypass if the destination directory is predictable with a specific tarball. This issue has been patched in version 3.1.1, 2.1.4, and 1.16.6. A workaround involves...

CVSS 8.7, AI score 6.4, EPSS 0.00033
Exploits 0, References 5
Vulnrichment
added 2025/09/24 5:17 p.m., 3 views

CVE-2025-48869 Horilla Unauthorized Access to Candidate Resume Files Due to Broken Access Control

Horilla is a free and open source Human Resource Management System (HRMS). Unauthenticated users can access uploaded resume files in Horilla 1.3.0 by directly guessing or predicting file URLs. These files are stored in a publicly accessible directory, allowing attackers to retrieve sensitive...

CVSS 7.5, AI score 6, EPSS 0.0011
Exploits 1, References 1
CNNVD
added 2025/09/24 12:00 a.m., 2 views

tar-fs security vulnerability

tar-fs is a tar-stream filesystem bundle from the individual developer Mathias Buus. A security vulnerability exists in tar-fs versions prior to 3.1.1, 2.1.3, and 1.16.5, which stems from the possibility of bypassing symbolic link validation when the destination directory is predictable...

CVSS 8.7, AI score 7.5, EPSS 0.00033
Exploits 0, References 2