
5 matches found

RedhatCVE
added 2026/01/09 9:17 a.m., 5 views

CVE-2025-23044

PwnDoc is a penetration test report generator. There is no CSRF protection in pwndoc, allowing attackers to send requests on a logged-in user's behalf. This includes GET and POST requests due to the missing SameSite= attribute on cookies and the ability to refresh cookies. Commit...

CVSS 8.1, AI score 6.9, EPSS 0.00297
Exploits: 1, References: 1
EUVD
added 2025/10/03 8:07 p.m., 4 views

EUVD-2022-46984

Malicious code in bioql PyPI...

CVSS 5.3, AI score 5.7, EPSS 0.00165
Exploits: 1, References: 2
Vulnrichment
added 2025/02/28 9:02 p.m., 6 views

CVE-2025-27413 PwnDoc Arbitrary File Write to RCE using Path Traversal in template update from backup templates.json

PwnDoc is a penetration test reporting application. Prior to version 1.2.0, the backup restore functionality allows an administrator to import raw data into the database, including Path Traversal ../ sequences. This is problematic for the template update functionality as it uses the path from the...

CVSS 6.5, AI score 6.8, EPSS 0.00828
Exploits: 1, References: 6
OSV
added 2025/01/20 3:43 p.m., 5 views

CVE-2025-23044 Cross-Site Request Forgery (CSRF) allows creating admin account with POST request

PwnDoc is a penetration test report generator. There is no CSRF protection in pwndoc, allowing attackers to send requests on a logged-in user's behalf. This includes GET and POST requests due to the missing SameSite= attribute on cookies and the ability to refresh cookies. Commit...

CVSS 6.8, AI score 6.8, EPSS 0.00297
Exploits: 1, References: 4
NVD
added 2021/07/19 8:15 p.m., 10 views

CVE-2021-31590

PwnDoc all versions until 0.4.0 2021-08-23 has incorrect JSON Webtoken handling, leading to incorrect access control. With a valid JSON Webtoken that is used for authentication and authorization, a user can keep his admin privileges even if he is downgraded to the "user" privilege. Even after a...

CVSS 9, EPSS 0.01493
Exploits: 1, References: 7