mitmproxy binaries embed a vulnerable python-hyper/h2 dependency

mitmproxy 12.1.1 and below embed python-hyper/h2 ≤ v4.2.0, which has a gap in its HTTP/2 header validation. This enables request smuggling attacks when mitmproxy is in a configuration where it translates HTTP/2 to HTTP/1. For example, this affects reverse proxies to http:// backends. It does not...

GHSA-4GV9-MP8M-592R Langflow Vulnerable to Privilege Escalation via CLI Superuser Creation (Post-RCE)

This vulnerability was discovered by researchers at Check Point. We are sharing this report as part of a responsible disclosure process and are happy to assist in validation and remediation if needed. Summary A privilege escalation vulnerability exists in Langflow containers where an authenticate...

Linux Distros Unpatched Vulnerability : CVE-2016-7046

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Red Hat JBoss Enterprise Application Platform EAP 7, when operating as a reverse-proxy with default buffer sizes, allows remote attackers to cause a denial of...

CVE-2025-55745

UnoPim is an open-source Product Information Management PIM system built on the Laravel framework. Versions 0.3.0 and prior are vulnerable to CSV injection, also known as formula injection, in the Quick Export feature. This vulnerability allows attackers to inject malicious content into exported...

CVE-2025-55619

Reolink v4.54.0.4.20250526 was discovered to contain a hardcoded encryption key and initialization vector. An attacker can leverage this vulnerability to decrypt access tokens and web session tokens stored inside the app via reverse engineering...

CVE-2025-55619

Reolink v4.54.0.4.20250526 was discovered to contain a hardcoded encryption key and initialization vector. An attacker can leverage this vulnerability to decrypt access tokens and web session tokens stored inside the app via reverse engineering...

CVE-2025-55745

CVE-2025-55745 affects UnoPim (Laravel-based PIM). Versions 0.3.0 and earlier are vulnerable to CSV/Formula Injection in Quick Export, allowing malicious content in exported CSVs to be interpreted as formulas, potentially enabling remote code execution (including reverse shells). Remediation: upg...

CVE-2025-55619

Summary: CVE-2025-55619 affects the Reolink Android app (version 4.54.0.4.20250526). The root cause is a hardcoded encryption key and IV, which attackers can leverage to decrypt access tokens and web session tokens stored in the app via reverse engineering. This vulnerability has a high impact (C...

CVE-2025-55619

Reolink v4.54.0.4.20250526 was discovered to contain a hardcoded encryption key and initialization vector. An attacker can leverage this vulnerability to decrypt access tokens and web session tokens stored inside the app via reverse engineering...

PT-2025-34444 · Microsoft +1 · Office Excel +1

Name of the Vulnerable Software and Affected Versions: UnoPim versions prior to 0.3.1 Description: UnoPim is an open-source Product Information Management PIM system built on the Laravel framework. Versions 0.3.0 and prior are susceptible to CSV injection, also known as formula injection, in the...

Linux Distros Unpatched Vulnerability : CVE-2023-30847

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - H2O is an HTTP server. In versions 2.3.0-beta2 and prior, when the reverse proxy handler tries to processes a certain type of invalid HTTP request, it tries to...

Linux Distros Unpatched Vulnerability : CVE-2024-23334

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a web server and configuring static routes, it is necessar...

Stored XSS in n8n Form Trigger allows Account Takeover via injected iframe and video/source

Impact A stored Cross-Site Scripting XSS vulnerability was identified in n8n, specifically in the Form Trigger node's HTML form element. An authenticated attacker can inject malicious HTML via an with a srcdoc payload that includes arbitrary JavaScript execution. The attacker can also inject...

Cross-site Scripting (XSS)

Overview n8n-nodes-base is a Base nodes of n8n Affected versions of this package are vulnerable to Cross-site Scripting XSS via the HTML form element on the Form Trigger node. An authenticated attacker can execute arbitrary JavaScript code in the context of authenticated users by injecting...

Exploit for CVE-2025-49113

CVE-2025-49113 – Roundcube 1.6.10 Authenticated Remote Code Ex...

Exploit for CVE-2024-28397

CVE-2024-28397 RCE Script Default reverse shell payload and o...

kernel: mm/hugetlb: unshare page tables during VMA split, not before

In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: unshare page tables during VMA split, not before Currently, splitvma triggers hugetlb page table unsharing through vmops-maysplit. This happens before the VMA lock and rmap locks are taken - which is too early, it...

Linux Distros Unpatched Vulnerability : CVE-2025-46727

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Rack is a modular Ruby web server interface. Prior to versions 2.2.14, 3.0.16, and 3.1.14, Rack::QueryParser parses query strings and...

Linux Distros Unpatched Vulnerability : CVE-2021-33197

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy from net/http/httputil result in a situation where an attacker is able to dro...

Skyvern 0.1.85 Server-Side Template Injection

Proof of concept exploit that leverages a server-side template injection flaw in Skyvern versions up to 0.1.85 to launch a reverse shell...