Lucene search
+L

191 matches found

Debian CVE
Debian CVE
added 2025/11/10 12:0 a.m.7 views

CVE-2025-60876

BusyBox wget thru 1.3.7 accepted raw CR 0x0D/LF 0x0A and other C0 control bytes in the HTTP request-target path/query, allowing the request line to be split and attacker-controlled headers to be injected. To preserve the HTTP/1.1 request-line shape METHOD SP request-target SP HTTP/1.1, a raw spac...

6.5CVSS7.2AI score0.00285EPSS
Exploits1
Vulnrichment
Vulnrichment
added 2025/11/10 12:0 a.m.2 views

CVE-2025-60876

BusyBox wget thru 1.3.7 accepted raw CR 0x0D/LF 0x0A and other C0 control bytes in the HTTP request-target path/query, allowing the request line to be split and attacker-controlled headers to be injected. To preserve the HTTP/1.1 request-line shape METHOD SP request-target SP HTTP/1.1, a raw spac...

6.2AI score0.00285EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2025/11/10 12:0 a.m.3 views

PT-2025-46190

Name of the Vulnerable Software and Affected Versions BusyBox versions through 1.3.7 Description The software accepts raw CR 0x0D/LF 0x0A and other C0 control bytes within the HTTP request-target path/query. This allows an attacker to split the request line and inject controlled headers...

6.5CVSS6.5AI score0.00285EPSS
Exploits1References67
AlpineLinux
AlpineLinux
added 2025/11/10 12:0 a.m.5 views

CVE-2025-60876

BusyBox wget thru 1.3.7 accepted raw CR 0x0D/LF 0x0A and other C0 control bytes in the HTTP request-target path/query, allowing the request line to be split and attacker-controlled headers to be injected. To preserve the HTTP/1.1 request-line shape METHOD SP request-target SP HTTP/1.1, a raw spac...

6.5CVSS6.9AI score0.00285EPSS
Exploits1References4
Cvelist
Cvelist
added 2025/11/10 12:0 a.m.15 views

CVE-2025-60876

BusyBox wget thru 1.3.7 accepted raw CR 0x0D/LF 0x0A and other C0 control bytes in the HTTP request-target path/query, allowing the request line to be split and attacker-controlled headers to be injected. To preserve the HTTP/1.1 request-line shape METHOD SP request-target SP HTTP/1.1, a raw spac...

0.00285EPSS
Exploits1References3
CVE
CVE
added 2025/11/10 12:0 a.m.125 views

CVE-2025-60876

CVE-2025-60876 affects BusyBox wget up to 1.3.7. The issue stems from accepting raw CR (0x0D)/LF (0x0A) and other C0 control bytes in the HTTP request-target, allowing the request-line to be split and attacker-controlled headers to be injected. To preserve the HTTP/1.1 request-line shape, a raw s...

6.5CVSS6.5AI score0.00285EPSS
Exploits1References4Affected Software1
Filippo.io
Filippo.io
added 2025/10/10 2:33 p.m.7 views

A Retrospective Survey of 2024/2025 Open Source Supply Chain Compromises

Lack of memory safety is such a predominant cause of security issues that we have a responsibility as professional software engineering to robustly mitigate it in security-sensitive use cases—by using memory safe languages. Similarly, I have the growing impression that software supply chain...

6.3AI score
Exploits0
EUVD
EUVD
added 2025/10/03 8:7 p.m.7 views

EUVD-2025-28133

Malicious code in bioql PyPI...

9.1CVSS8.8AI score0.0052EPSS
Exploits0References3
EUVD
EUVD
added 2025/10/03 8:7 p.m.22 views

EUVD-2025-31664

Malicious code in bioql PyPI...

10CVSS6.6AI score0.00342EPSS
Exploits0References2
EUVD
EUVD
added 2025/10/03 8:7 p.m.7 views

EUVD-2025-20825

Malicious code in bioql PyPI...

9.1CVSS6.5AI score0.00305EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2025/10/02 8:39 p.m.14 views

CVE-2025-61584

serverless-dns is a RethinkDNS resolver that deploys to Cloudflare Workers, Deno Deploy, Fastly, and Fly.io. Versions through abd including 0.1.30 have a vulnerability where the pr.yml GitHub Action interpolates in an unsafe manner untrusted input, specifically the...

10CVSS7.2AI score0.00342EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2025/09/30 12:12 a.m.3 views

CVE-2025-61584 serverless-dns is vulnerable to Command Injection through pr.yml GitHub Action Workflow

serverless-dns is a RethinkDNS resolver that deploys to Cloudflare Workers, Deno Deploy, Fastly, and Fly.io. Versions through abd including 0.1.30 have a vulnerability where the pr.yml GitHub Action interpolates in an unsafe manner untrusted input, specifically the...

10CVSS7AI score0.00342EPSS
Exploits0References2
OSV
OSV
added 2025/09/30 12:12 a.m.9 views

CVE-2025-61584 serverless-dns is vulnerable to Command Injection through pr.yml GitHub Action Workflow

serverless-dns is a RethinkDNS resolver that deploys to Cloudflare Workers, Deno Deploy, Fastly, and Fly.io. Versions through abd including 0.1.30 have a vulnerability where the pr.yml GitHub Action interpolates in an unsafe manner untrusted input, specifically the...

10CVSS7.3AI score0.00342EPSS
Exploits0References4
OSV
OSV
added 2025/09/10 5:13 p.m.5 views

GHSA-W765-JM6W-4HHJ Webrecorder packages are vulnerable to XSS through 404 error handling logic

A Reflected Cross-Site Scripting XSS vulnerability exists in the 404 error handling logic of wabac.js v2.23.10 and below. The parameter requestURL derived from the original request target is directly embedded into an inline block without sanitization or escaping. This allows an attacker to craft ...

7.1CVSS5.9AI score0.00237EPSS
Exploits0References8
Tenable Nessus
Tenable Nessus
added 2025/08/30 12:0 a.m.3 views

Linux Distros Unpatched Vulnerability : CVE-2025-47928

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Spotipy is a Python library for the Spotify Web API. As of commit 4f5759dbfb4506c7b6280572a4db1aabc1ac778d, using pullrequesttarget on...

9.1CVSS7.2AI score0.0052EPSS
Exploits0References2
CNNVD
CNNVD
added 2025/08/06 12:0 a.m.4 views

react-native-bottom-tabs 安全漏洞

react-native-bottom-tabs is the native bottom tabs of a Callstack Incubator open source. A security vulnerability exists in react-native-bottom-tabs version 0.9.2 and earlier, which stems from the improper use of the pullrequesttarget event trigger in the GitHub Actions workflow, and could lead t...

9.1CVSS7.4AI score0.00463EPSS
Exploits0References4
OSV
OSV
added 2025/07/10 9:31 p.m.5 views

CVE-2025-53637 Meshtastic allows Command Injection in GitHub Action

Meshtastic is an open source mesh networking solution. The mainmatrix.yml GitHub Action is triggered by the pullrequesttarget event, which has extensive permissions, and can be initiated by an attacker who forked the repository and created a pull request. In the shell code execution part,...

4.1CVSS7.5AI score0.00328EPSS
Exploits0References4
Cvelist
Cvelist
added 2025/07/09 2:27 p.m.11 views

CVE-2025-53546 Folo allows secrets exfiltration via `pull_request_target`

Folo organizes feeds content into one timeline. Using pullrequesttarget on .github/workflows/auto-fix-lint-format-commit.yml can be exploited by attackers, since untrusted code can be executed having full access to secrets from the base repo. By exploiting the vulnerability is possible to...

9.1CVSS0.00305EPSS
Exploits0References2
CNNVD
CNNVD
added 2025/07/09 12:0 a.m.3 views

Folo 安全漏洞

Folo is an information aggregation tool open-sourced by RSSNext. Folo has a security vulnerability that stems from the use of pullrequesttarget in the GitHub Actions workflow, which could lead to elevation of privilege...

9.1CVSS6.4AI score0.00305EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2025/06/19 2:50 a.m.4 views

CVE-2025-52467 pgai secrets exfiltration via `pull_request_target`

pgai is a Python library that transforms PostgreSQL into a retrieval engine for RAG and Agentic applications. Prior to commit 8eb3567, the pgai repository was vulnerable to an attack allowing the exfiltration of all secrets used in one workflow. In particular, the GITHUBTOKEN with write permissio...

9.1CVSS9.4AI score0.00339EPSS
Exploits0References3
Rows per page
Query Builder