CVE-2025-47285 Vyper's `concat()` builtin may elide side-effects for zero-length arguments
Vyper is the Pythonic Programming Language for the Ethereum Virtual Machine. In versions up to and including 0.4.2rc1, concat may skip evaluation of side effects when the length of an argument is zero. This is due to a fastpath in the implementation which skips evaluation of argument expressions...
Spotipy Security Vulnerability
Spotipy is a lightweight Python library for the Spotify Web API maintained by the individual developer spotipy-dev. Spotipy suffers from a security vulnerability that stems from a `pull_request_target` workflow executing untrusted code in GitHub Actions, which could lead to credential disclosure and repository takeover...
OZI-publish Security Vulnerability
OZI-publish is an open source project of the OZI Project. A security vulnerability exists in OZI-publish versions 1.13.2 through 1.13.5, which stems from untrusted data flowing into the PR creation logic and could lead to the execution of arbitrary code...
CVE-2025-4035
A flaw was found in libsoup. When handling cookies, libsoup clients mistakenly allow cookies to be set for public suffix domains if the domain contains at least two components and includes an uppercase character. This bypasses public suffix protections and could allow a malicious website to set...
CVE-2024-8156
A command injection vulnerability exists in the workflow-checker.yml workflow of significant-gravitas/autogpt. The untrusted user input github.head.ref is used insecurely, allowing an attacker to inject arbitrary commands. This vulnerability affects versions up to and including the latest version...
CVE-2024-8156 Command Injection in significant-gravitas/autogpt
A command injection vulnerability exists in the workflow-checker.yml workflow of significant-gravitas/autogpt. The untrusted user input github.head.ref is used insecurely, allowing an attacker to inject arbitrary commands. This vulnerability affects versions up to and including the latest version...
AutoGPT Security Vulnerability
AutoGPT is a tool from AutoGPT Open Source whose goal is to enable everyone to use and build accessible AI. AutoGPT suffers from a security vulnerability that stems from a command injection in the workflow-checker.yml workflow, which allows an attacker to inject arbitrary commands by...
Malicious code in dependabot-pull-request-action (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware f89f292c4aeef9adcdb74b756e9f23059ca61f0327bfb78956c32e30c9bf3c7c Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2025-2038 Malicious code in dependabot-pull-request-action (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware f89f292c4aeef9adcdb74b756e9f23059ca61f0327bfb78956c32e30c9bf3c7c Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
SUSE CVE-2023-32732
gRPC contains a vulnerability whereby a client can cause a termination of the connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for -bin suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. We recommend upgrading beyo...
CVE-2024-36050
Nix through 2.22.1 mishandles certain usage of hash caches, which makes it easier for attackers to replace current source code with attacker-controlled source code by luring a maintainer into accepting a malicious pull request...
PT-2025-23053 · Apache · Apache Inlong
Name of the Vulnerable Software and Affected Versions: Apache InLong versions 1.13.0 through 2.1.0 Description: The issue affects Apache InLong, allowing attackers to bypass its security mechanisms and enabling arbitrary file reading due to a deserialization of untrusted data vulnerability...
Use After Free
Overview: org.webjars.npm:electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Use After Free through the V8 engine. Remediation: A fix was pushed into the master branch but not yet...
Malicious code in emergency-pull-request-probot-app (npm)
The package communicates with a domain associated with malicious activity. --- -= Per source details. Do not edit below this line.=-...
MAL-2025-652 Malicious code in emergency-pull-request-probot-app (npm)
The package communicates with a domain associated with malicious activity. --- -= Per source details. Do not edit below this line.=-...
CVE-2024-11717
Tokens in CTFd used for account activation and password resetting can be used interchangeably for these operations. When used, they are sent to the server as a GET parameter and they are not single use, which means that, while the token has not yet expired, an on-path attacker might reuse such a token to...
CVE-2024-11716
While assignment of a user to a team bracket in CTFd should be possible only once, at registration, a flaw in the logic implementation allows an authenticated user to reset its bracket and then pick a new one, joining another team while a competition is already ongoing. This issue impacts releas...
CVE-2024-11716
CVE-2024-11716 (CTFd) : A logic flaw in CTFd allows an authenticated user to reset their bracket after registration and join another team while a competition is ongoing. Affected releases: 3.7.0—3.7.4. The issue was addressed in 3.7.5 via pull request 2636. Practical impact: potentially enables b...
Malicious code in set-pr-description-action (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware f56192a6739bfa4e2f9794840d334d8216ea18d4086cf066b6eeded90d8bbfb9 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...