
34 matches found

Vulnrichment
added 2026/06/02 2:50 a.m. | 7 views

CVE-2026-3198 Improper Access Control in mlflow/mlflow

MLflow 3.9.0 with basic-auth --app-name basic-auth fails to enforce authorization checks for multiple Gateway API 'list' endpoints. Specifically, the BEFORE_REQUEST_HANDLERS dictionary in mlflow/server/auth/__init__.py does not include entries for ListGatewaySecretInfos, ListGatewayEndpoints, and...

CVSS 6.5 | AI score 6.6 | EPSS 0.00244
Exploits 1 | References 1
Snyk
added 2026/05/22 1:44 p.m. | 7 views

Improper Validation of Specified Type of Input

Overview: Affected versions of this package are vulnerable to Improper Validation of Specified Type of Input in the API request handlers due to insufficient validation of user-supplied input. An attacker can cause the plugin process to crash by sending a specially crafted HTTP request to the PR...

CVSS 5.3 | AI score 5.8 | EPSS 0.0025
Exploits 0 | References 2
Positive Technologies
added 2026/05/21 12:0 a.m. | 16 views

PT-2026-42395

Name of the Vulnerable Software and Affected Versions: mlflow/mlflow versions prior to 3.10.0. Description: When basic authentication is enabled, the 'SearchModelVersions' REST API endpoint and the 'mlflowSearchModelVersions' GraphQL query lack proper per-model authorization checks. This allows any...

CVSS 6.5 | AI score 6.6 | EPSS 0.00441
Exploits 1 | References 10
CVE
added 2026/04/03 10:10 p.m. | 17 views

CVE-2026-35468

CVE-2026-35468 affects the Rust implementation nimiq/core-rs-albatross. Before version 1.3.0, two peer-facing consensus request handlers assume the history index is always available and call blockchain.history_store.history_index().unwrap() directly. HistoryStoreProxy::history_index() returns Non...

CVSS 7.5 | AI score 5.9 | EPSS 0.0052
Exploits 0 | References 4 | Affected Software 1
EUVD
added 2025/10/07 12:30 a.m. | 4 views

EUVD-2006-2430

Malware in sbrugna...

CVSS 10 | AI score 6.4 | EPSS 0.01941
Exploits 0 | References 9
BDU FSTEC
added 2024/04/01 12:0 a.m. | 6 views

The vulnerability of the chmod() method in the Apache Doris backend storage and frontend request handler, related to synchronization errors when using shared resources, allows attackers to compromise the integrity of the protected information.

The vulnerability of the chmod method in the Apache Doris backend and frontend request handlers is related to synchronization errors when using shared resources. Exploiting this vulnerability could allow an attacker to compromise the integrity of the protected information...

CVSS 3.8 | AI score 5.5 | EPSS 0.00221
Exploits 0 | References 3 | Affected Software 1
BDU FSTEC
added 2023/10/06 12:0 a.m. | 7 views

The vulnerability of the RequestHandlers.js LoginAuth function in the software for router configuration by MilesightVPN allows a hacker to bypass the authentication process.

The vulnerability of the RequestHandlers.js LoginAuth function in the MilesightVPN software’s router configuration relates to the lack of protective measures for the SQL query structure. Exploiting this vulnerability allows a malicious actor to bypass the authentication process remotely...

CVSS 10 | AI score 7.8 | EPSS 0.00794
Exploits 1 | References 4 | Affected Software 1
OSV
added 2023/07/06 3:15 p.m. | 2 views

CVE-2023-22844

An authentication bypass vulnerability exists in the requestHandlers.js verifyToken functionality of Milesight VPN v2.0.2. A specially-crafted network request can lead to authentication bypass. An attacker can send a network request to trigger this vulnerability...

CVSS 9.8 | AI score 7.3
Exploits 0 | References 2
Github Security Blog
added 2022/12/28 12:30 a.m. | 24 views

Duplicate Advisory: ecnepsnai/web vulnerable to Uncontrolled Resource Consumption

Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-5gjg-jgh4-gppm. This link is maintained to preserve external references. Original Description: Web Sockets do not execute any AuthenticateMethod methods which may be set, leading to a nil pointer dereference if t...

CVSS 9.8 | AI score 8.2 | EPSS 0.01116
Exploits 1 | References 4 | Affected Software 1
NVD
added 2022/12/27 10:15 p.m. | 25 views

CVE-2021-4236

Web Sockets do not execute any AuthenticateMethod methods which may be set, leading to a nil pointer dereference if the returned UserData pointer is assumed to be non-nil, or authentication bypass. This issue only affects WebSockets with an AuthenticateMethod hook. Request handlers that do not...

CVSS 9.8 | EPSS 0.01116
Exploits 1 | References 2
OSV
added 2022/12/27 10:15 p.m. | 31 views

CVE-2021-4236

Web Sockets do not execute any AuthenticateMethod methods which may be set, leading to a nil pointer dereference if the returned UserData pointer is assumed to be non-nil, or authentication bypass. This issue only affects WebSockets with an AuthenticateMethod hook. Request handlers that do not...

CVSS 9.8 | AI score 9.7
Exploits 0 | References 2
Prion
added 2022/12/27 10:15 p.m. | 80 views

Authentication flaw

Web Sockets do not execute any AuthenticateMethod methods which may be set, leading to a nil pointer dereference if the returned UserData pointer is assumed to be non-nil, or authentication bypass. This issue only affects WebSockets with an AuthenticateMethod hook. Request handlers that do not...

CVSS 7.5 | AI score 9.6 | EPSS 0.01116
Exploits 1 | References 2 | Affected Software 1
Vulnrichment
added 2022/12/27 9:13 p.m. | 4 views

CVE-2021-4236 Panic or authentication bypass in github.com/ecnepsnai/web

Web Sockets do not execute any AuthenticateMethod methods which may be set, leading to a nil pointer dereference if the returned UserData pointer is assumed to be non-nil, or authentication bypass. This issue only affects WebSockets with an AuthenticateMethod hook. Request handlers that do not...

AI score 9.7 | EPSS 0.01116
Exploits 1 | References 2
OSV
added 2022/07/01 8:11 p.m. | 16 views

GO-2022-0385

The AuthenticateMethod authentication hook is not called for WebSocket connections, allowing unauthenticated access. This issue only affects WebSockets with an AuthenticateMethod hook. Request handlers that do not explicitly use WebSockets are not vulnerable...

AI score 4.3
Exploits 0 | References 1
RedhatCVE
added 2022/05/21 12:25 a.m. | 32 views

CVE-2019-1010268

Ladon since 0.6.1 since ebef0aae48af78c159b6fce81bc6f5e7e0ddb059 is affected by: XML External Entity XXE. The impact is: Information Disclosure, reading files and reaching internal network endpoints. The component is: SOAP request handlers. For instance:...

CVSS 9.8 | AI score 2.2 | EPSS 0.05711
Exploits 1 | References 2
GithubExploit
added 2021/12/15 2:28 p.m. | 824 views

Exploit for Out-of-bounds Write in Google Android

inspector-gadget Go Go Gadget Exploit! ..--"...

CVSS 7.8 | AI score 6.8 | EPSS 0.00461
Exploits 2
OSV
added 2021/07/28 6:8 p.m. | 40 views

GO-2021-0107 Panic or authentication bypass in github.com/ecnepsnai/web

Web Sockets do not execute any AuthenticateMethod methods which may be set, leading to a nil pointer dereference if the returned UserData pointer is assumed to be non-nil, or authentication bypass. This issue only affects WebSockets with an AuthenticateMethod hook. Request handlers that do not...

CVSS 9.8 | AI score 9.6 | EPSS 0.01116
Exploits 1 | References 1
Tenable Nessus
added 2020/08/31 12:0 a.m. | 42 views

Debian DLA-2359-1 : xorg-server security update

Several issues have been found in xorg-server, the X server from xorg. Basically all issues are out-of-bounds access or integer underflows in different request handlers. One CVE is about a leak of uninitialized heap memory to clients. For Debian 9 stretch, these problems have been fixed in version...

CVSS 7.8 | AI score 6.8 | EPSS 0.00629
Exploits 0 | References 8
Github Security Blog
added 2019/07/26 4:9 p.m. | 26 views

Improper Restriction of XML External Entity Reference in ladon

Ladon since 0.6.1 since ebef0aae48af78c159b6fce81bc6f5e7e0ddb059 is affected by: XML External Entity XXE. The impact is: Information Disclosure, reading files and reaching internal network endpoints. The component is: SOAP request handlers. For instance:...

CVSS 9.8 | AI score 1.8 | EPSS 0.05711
Exploits 1 | References 6 | Affected Software 1
OSV
added 2019/07/26 4:9 p.m. | 29 views

GHSA-VG35-VC9F-Q7X2 Improper Restriction of XML External Entity Reference in ladon

Ladon since 0.6.1 since ebef0aae48af78c159b6fce81bc6f5e7e0ddb059 is affected by: XML External Entity XXE. The impact is: Information Disclosure, reading files and reaching internal network endpoints. The component is: SOAP request handlers. For instance:...

CVSS 9.8 | AI score 9.4 | EPSS 0.05711
Exploits 1 | References 7