28 matches found
Relative Path Traversal
Overview Affected versions of this package are vulnerable to Relative Path Traversal via the resource parameter in the ssx and jsx endpoints when a leading slash is used. An attacker can access sensitive configuration files by crafting a URL that traverses directories. Note: This issue is due to...
PT-2026-42215
Name of the Vulnerable Software and Affected Versions XWiki Platform versions prior to 18.1.0-rc-1 XWiki Platform versions prior to 17.10.3 XWiki Platform versions prior to 17.4.9 XWiki Platform versions prior to 16.10.17 Description Path Traversal allows unauthorized access to read configuration...
CVE-2025-69196
A flaw was found in FastMCP, a framework for building MCP applications. The server does not correctly process the resource parameter provided by the client during authorization and token requests. This can lead to security tokens being issued for an unintended base URL Uniform Resource Locator...
CVE-2025-69196
FastMCP is the standard framework for building MCP applications. Prior to version 2.14.2, the server does not properly respect the resource parameter submitted by the client in the authorization and token request. Instead of issuing the token explicitly for the MCP server, the token is issued for...
CVE-2025-69196 FastMCP OAuth Proxy token reuse across MCP servers
FastMCP is the standard framework for building MCP applications. Prior to version 2.14.2, the server does not properly respect the resource parameter submitted by the client in the authorization and token request. Instead of issuing the token explicitly for the MCP server, the token is issued for...
FastMCP OAuth Proxy token reuse across MCP servers
While testing the OAuth Proxy implementation, it was noticed that the server does not properly respect the resource parameter submitted by the client in the authorization and token request. Instead of issuing the token explicitly for this MCP server, the token is issued for the baseurl passed to...
PT-2026-25775
While testing the OAuth Proxy implementation, it was noticed that the server does not properly respect the resource parameter submitted by the client in the authorization and token request. Instead of issuing the token explicitly for this MCP server, the token is issued for the base url passed to...
CVE-2025-15055
The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'notes' and 'resource' parameters in all versions up to, and including, 5.3.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
CVE-2025-15055
CVE-2025-15055 : WordPress SlimStat Analytics plugin is vulnerable to unauthenticated Stored Cross-Site Scripting via the notes and resource parameters in versions up to 5.3.4. The flaw arises from insufficient input sanitization and output escaping, enabling an attacker to inject script that exe...
CVE-2025-15055 SlimStat Analytics <= 5.3.4 - Unauthenticated Stored Cross-Site Scripting via 'notes/resource' Parameters
The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'notes' and 'resource' parameters in all versions up to, and including, 5.3.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
PT-2026-1766
Name of the Vulnerable Software and Affected Versions SlimStat Analytics plugin for WordPress versions prior to 5.3.5 Description The SlimStat Analytics plugin for WordPress is susceptible to Stored Cross-Site Scripting. This is due to inadequate input sanitization and output escaping in the...
PT-2025-52436
The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'outbound resource' parameter in the slimtrack AJAX action in all versions up to, and including, 5.3.2. This is due to insufficient input sanitization and output escaping on user supplied attributes...
EUVD-2022-3514
Malicious code in bioql PyPI...
EUVD-2025-25791
Malicious code in bioql PyPI...
Relative Path Traversal
Overview Affected versions of this package are vulnerable to Relative Path Traversal via the resource parameter in the jsx and sx endpoints. An attacker can access and read sensitive configuration files by crafting URLs with "../" sequence that traverse directories. Remediation Upgrade...
CVE-2025-9172
The Vibes plugin for WordPress is vulnerable to time-based SQL Injection via the ‘resource’ parameter in all versions up to, and including, 2.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for...
CVE-2025-9172 Vibes <= 2.2.0 - Unauthenticated SQL Injection via `resource` Parameter
The Vibes plugin for WordPress is vulnerable to time-based SQL Injection via the ‘resource’ parameter in all versions up to, and including, 2.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for...