338 matches found
CVE-2026-58170
Vibe-Trading before 0.1.10 builds the proposal file path by joining a caller-supplied proposal identifier onto the broker proposals directory without sanitization agent/src/live/mandate/commit.py. A proposal identifier containing path traversal sequences causes the application to load an...
CVE-2026-58170 Vibe-Trading < 0.1.10 - Path Traversal in Proposal Identifier Allows Forging Live Trading Mandates
Vibe-Trading before 0.1.10 builds the proposal file path by joining a caller-supplied proposal identifier onto the broker proposals directory without sanitization agent/src/live/mandate/commit.py. A proposal identifier containing path traversal sequences causes the application to load an...
CVE-2026-58170 Vibe-Trading < 0.1.10 - Path Traversal in Proposal Identifier Allows Forging Live Trading Mandates
Vibe-Trading before 0.1.10 builds the proposal file path by joining a caller-supplied proposal identifier onto the broker proposals directory without sanitization agent/src/live/mandate/commit.py. A proposal identifier containing path traversal sequences causes the application to load an...
CVE-2026-58170
CVE-2026-58170 affects Vibe-Trading
CVE-2026-58170 Vibe-Trading < 0.1.10 - Path Traversal in Proposal Identifier Allows Forging Live Trading Mandates
Vibe-Trading before 0.1.10 builds the proposal file path by joining a caller-supplied proposal identifier onto the broker proposals directory without sanitization agent/src/live/mandate/commit.py. A proposal identifier containing path traversal sequences causes the application to load an...
PT-2026-53921
Name of the Vulnerable Software and Affected Versions Vibe-Trading versions prior to 0.1.10 Description The application constructs the proposal file path by joining a caller-supplied proposal identifier to the broker proposals directory without proper sanitization in the...
CVE-2026-9136
A vulnerability was identified in the ShadowAttribute proposal creation workflow. The add action accepted user-controlled ShadowAttribute request data without removing the id field before saving the record. Because the underlying framework treats a supplied primary key as an instruction to update...
MINI-RFP7-FH6H-C3XJ
Bulletin has no description...
CVE-2019-25739
GigToDo 1.3 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript and HTML code through the proposal description field. Attackers can craft XSS payloads in the createproposal endpoint that execute when administrators or other...
CVE-2019-25739 GigToDo Freelance Marketplace Script 1.3 Persistent XSS
GigToDo 1.3 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript and HTML code through the proposal description field. Attackers can craft XSS payloads in the createproposal endpoint that execute when administrators or other...
CVE-2019-25739
GigToDo 1.3 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript and HTML code through the proposal description field. Attackers can craft XSS payloads in the createproposal endpoint that execute when administrators or other...
CVE-2019-25739
GigToDo 1.3 is affected by a persistent cross-site scripting vulnerability accessible through the create_proposal endpoint, enabling authenticated attackers to inject JavaScript/HTML in the proposal description. When stored proposals are viewed by admins or other users, the payload can execute, p...
EUVD-2019-20175
GigToDo 1.3 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript and HTML code through the proposal description field. Attackers can craft XSS payloads in the createproposal endpoint that execute when administrators or other...
GigToDo 跨站脚本漏洞
GigToDo is a freelance service trading platform system developed by GigToDo Inc. Version 1.3 of GigToDo has a cross-site scripting vulnerability. This vulnerability stems from injecting malicious JavaScript and HTML code through the proposal description field, potentially allowing authenticated...
PT-2026-46209
Name of the Vulnerable Software and Affected Versions GigToDo version 1.3 Description A persistent cross-site scripting issue allows authenticated attackers to inject malicious HTML and JavaScript code. This occurs via the proposal description field through the 'create proposal' endpoint. The...
CVE-2026-9136
A vulnerability was identified in the ShadowAttribute proposal creation workflow. The add action accepted user-controlled ShadowAttribute request data without removing the id field before saving the record. Because the underlying framework treats a supplied primary key as an instruction to update...
CVE-2026-9136 Unauthorized ShadowAttribute modification in MISP via client-supplied identifier
A vulnerability was identified in the ShadowAttribute proposal creation workflow. The add action accepted user-controlled ShadowAttribute request data without removing the id field before saving the record. Because the underlying framework treats a supplied primary key as an instruction to update...
CVE-2026-9136 Unauthorized ShadowAttribute modification in MISP via client-supplied identifier
A vulnerability was identified in the ShadowAttribute proposal creation workflow. The add action accepted user-controlled ShadowAttribute request data without removing the id field before saving the record. Because the underlying framework treats a supplied primary key as an instruction to update...
Astra Linux – Vulnerability found in Linux 5.10, Linux 6.1, and Linux 5.15
In the Linux kernel, the following vulnerability has been resolved: net/smc: Check ipareaoffset and ipv6prefixescnt when receiving a proposal message. When receiving a proposal message from the server, the fields ipareaoffset and ipv6prefixescnt in the proposal message come from the remote client...
PT-2026-42247
Name of the Vulnerable Software and Affected Versions MISP versions prior to 2.5.38 Description An issue exists in the ShadowAttribute proposal creation workflow where the add action accepts user-controlled request data without removing the id field before saving the record. Since the underlying...