13 matches found
EUVD-2026-37764
undici vulnerable to HTTP header injection via Set-Cookie percent-decoding...
EUVD-2026-34001
AIOHTTP is Vulnerable to Deserialization of Untrusted Data...
CVE-2026-34993
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, using CookieJar.load with untrusted input may allow arbitrary code execution. Most applications using this function will be doing so with the user's own data, so this is unlikely to affect man...
Possible arbitrary path traversal and file access via yard server
Impact A path traversal vulnerability was discovered in YARD = 0.9.41 when using yard server to serve documentation. This bug would allow unsanitized HTTP requests to access arbitrary files on the machine of a yard server host under certain conditions. The original patch in GHSA-xfhh-rx56-rxcr wa...
CVE-2026-31898
jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of arguments of the createAnnotation method allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to the following method, a user can inje...
Improper Encoding or Escaping of Output
Overview Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output via the AcroformChoiceField.addOption, AcroformChoiceField.setOptions, AcroFormCheckBox.appearanceState, or AcroFormRadioButton.appearanceState functions. An attacker can execute arbitrary...
Cross-Site Scripting (XSS) vulnerability through unescaped HTML attribute values
Impact The prosemirrortohtml gem is vulnerable to Cross-Site Scripting (XSS) attacks through malicious HTML attribute values. While tag content is properly escaped, attribute values are not, allowing attackers to inject arbitrary JavaScript code. Who is impacted: - Any application using...
EUVD-2023-0633
Malicious code in bioql PyPI...
EUVD-2023-1881
Malicious code in bioql PyPI...
CVE-2021-43800
Wiki.js is a wiki app built on Node.js. Prior to version 2.5.254, directory traversal outside of Wiki.js context is possible when a storage module with local asset cache fetching is enabled on a Windows host. A malicious user can potentially read any file on the file system by crafting a special...
BIT-NODE-MIN-2023-23936 CRLF Injection in Nodejs ‘undici’ via host
Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect host HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the headers.host string before passing to...
Improper handling of email input
Impact An attacker can pass a compromised input to the e-mail signin endpoint that contains some malicious HTML, tricking the e-mail server into sending it to the user, so they can perform a phishing attack. E.g.: [email protected], Before signing in, claim your money!. This was previously sent to...
PT-2021-24350 · Tinymce · Tinymce
Name of the Vulnerable Software and Affected Versions: TinyMCE versions prior to 5.9.0 Description: A stored cross-site scripting vulnerability affects TinyMCE, allowing an unauthenticated and remote attacker to insert crafted HTML into the editor. This results in arbitrary JavaScript execution i...