stigmem-node's unsigned plugin override could be enabled without a second explicit acknowledgment

Impact A single configuration flag could disable plugin signature enforcement. If an operator unintentionally carried that setting into an environment where plugin paths are writable by less-trusted users, unsigned plugin code could be loaded. Patches Patched in 0.9.0a2. Disabling plugin signatur...

PT-2026-38297

Name of the Vulnerable Software and Affected Versions Scramble versions 0.13.2 through 0.13.21 Description When documentation endpoints are publicly accessible and validation rules reference user-controlled input, request supplied data may be evaluated during documentation generation. This can le...

Vitess users with backup storage access can gain unauthorized access to production deployment environments

...

GHSA-8G8J-R87H-P36X Vitess users with backup storage access can gain unauthorized access to production deployment environments

Impact Any user with read/write access to the backup storage location e.g. an S3 bucket can manipulate backup manifest files so that arbitrary code is later executed when that backup is restored. This can be used to provide that attacker with unintended/unauthorized access to the production...

CVE-2025-64746 Directus has Improper Permission Handling on Deleted Fields

Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.13.0, Directus does not properly clean up field-level permissions when a field is deleted. When a field is removed from a collection, its reference in the permissions table remains intact. This...

EUVD-2025-17809

Malicious code in bioql PyPI...

EUVD-2024-3054

Malicious code in bioql PyPI...

Rancher 安全漏洞

Rancher is an open source container management platform from Rancher Open Source in the United States, built for organizations that deploy containers in production environments. A security vulnerability exists in Rancher that stems from a lack of server-side authentication, which could lead to...

Exposed JDWP Exploited in the Wild: What Happens When Debug Ports Are Left Open

Understanding the risks and impact of deploying dev-mode in production environments...

CVE-2025-36852

A critical security vulnerability exists in remote cache extensions for common build systems utilizing bucket-based remote cache such as those using Amazon S3, Google Cloud Storage, or similar object storage that allows any contributor with pull request privileges to inject compromised artifacts...

CVE-2024-48918

RDS Light is a simplified version of the Reflective Dialogue System RDS, a self-reflecting AI framework. Versions prior to 1.1.0 contain a vulnerability that involves a lack of input validation within the RDS AI framework, specifically within the user input handling code in the main module main.p...

CVE-2020-5218

Affected versions of Sylius give attackers the ability to switch channels via the channelcode GET parameter in production environments. This was meant to be enabled only when kernel.debug is set to true. However, if no syliuschannel.debug is set explicitly in the configuration, the default value...

CVE-2025-23042 Gradio Blocked Path ACL Bypass Vulnerability

Gradio is an open-source Python package that allows quick building of demos and web application for machine learning models, API, or any arbitrary Python function. Gradio's Access Control List ACL for file paths can be bypassed by altering the letter case of a blocked file or directory path. This...

CVE-2024-48918

RDS Light (pre-1.1.0) contains a validation gap in the user input handling code (main.py) of the Reflective Dialogue System (RDS) AI framework. The vulnerability allows injection and potential memory tampering through unvalidated inputs, with impact on confidentiality, integrity, and availability...

CVE-2024-48918 Lack of Input Validation in RDS Light - Potential for Injection Attacks and Memory Tampering

RDS Light is a simplified version of the Reflective Dialogue System RDS, a self-reflecting AI framework. Versions prior to 1.1.0 contain a vulnerability that involves a lack of input validation within the RDS AI framework, specifically within the user input handling code in the main module main.p...

CVE-2024-47871 Insecure communication between the FRP client and server in Gradio

Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves insecure communication between the FRP Fast Reverse Proxy client and server when Gradio's share=True option is used. HTTPS is not enforced on the connection, allowing attackers to intercept and rea...

CVE-2024-43791

RequestStore provides per-request global storage for Rack. The files published as part of requeststore 1.3.2 have 0666 permissions, meaning that they are world-writable, which allows local users to execute arbitrary code. This version was published in 2017, and most production environments do not...

CVE-2024-43791 RequestStore has Incorrect Default Permissions

RequestStore provides per-request global storage for Rack. The files published as part of requeststore 1.3.2 have 0666 permissions, meaning that they are world-writable, which allows local users to execute arbitrary code. This version was published in 2017, and most production environments do not...

request_store has Incorrect Default Permissions

Impact The files published as part of requeststore 1.3.2 have 0666 permissions, meaning that they are world-writable, which allows local users to execute arbitrary code. This version was published in 2017, and most production environments do not allow access for local users, so the chances of thi...

CVE-2024-24749 Classpath resource disclosure in GWC Web Resource API on Windows / Tomcat

GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.23.5 and 2.24.3, if GeoServer is deployed in the Windows operating system using an Apache Tomcat web application server, it is possible to bypass existing input validation in the GeoWebCach...