18 matches found

EUVD
added 2025/10/03 8:07 p.m. · 2 views

EUVD-2024-52225

Malicious code in bioql PyPI...

CVSS 8.2 · AI score 6.4 · EPSS 0.00021
Exploits 0 · References 2
EUVD
added 2025/10/03 8:07 p.m. · 2 views

EUVD-2022-24728

Malicious code in bioql PyPI...

CVSS 7.5 · AI score 7.5 · EPSS 0.00209
Exploits 0 · References 3
EUVD
added 2025/10/03 8:07 p.m. · 4 views

EUVD-2025-9700

Malicious code in bioql PyPI...

CVSS 7.3 · AI score 6.4 · EPSS 0.00313
Exploits 0 · References 4
OSV
added 2025/09/12 11:46 a.m. · 3 views

BIT-NIFI-2020-1942

In Apache NiFi 0.0.1 to 1.11.0, the flow fingerprint factory generated flow fingerprints which included sensitive property descriptor values. In the event a node attempted to join a cluster and the cluster flow was not inheritable, the flow fingerprint of both the cluster and local flow was...

CVSS 7.5 · AI score 6.6 · EPSS 0.00165
Exploits 0 · References 2
Github Security Blog
added 2025/08/05 5:12 p.m. · 7 views

XWiki leaks password hashes and other accessible password properties

Impact Any user with edit right on a page of the wiki can create an XClass with a database list property that references a password property, for example the password hash that is stored for users. When adding an object of that XClass, the content of that password property is displayed. In...

CVSS 7.1 · AI score 6.8 · EPSS 0.00108
Exploits 1 · References 5 · Affected Software 2
Huntr
added 2025/06/24 5:10 p.m. · 5 views

Mass Assignment

Description Mass assignment is a vulnerability that occurs when an application automatically binds user-provided data (e.g., from JSON or via req.query) to internal object properties or database fields without proper filtering. This can allow attackers to manipulate sensitive fields they shouldn’t hav...

CVSS 7.5 · AI score 6 · EPSS 0.00047
Exploits 1
RedhatCVE
added 2025/05/23 1:12 a.m. · 3 views

CVE-2022-1413

Missing input masking in GitLab CE/EE affecting all versions starting from 1.0.2 before 14.8.6, all versions from 14.9.0 before 14.9.4, and all versions from 14.10.0 before 14.10.1 causes potentially sensitive integration properties to be disclosed in the web interface...

CVSS 7.5 · AI score 6.3 · EPSS 0.00209
Exploits 0 · References 1
Veracode
added 2025/04/14 7:48 a.m. · 5 views

Prototype Pollution

expand-object is vulnerable to Prototype Pollution. The vulnerability is due to improper input validation in the expand function in index.js, which expands strings into objects without filtering out sensitive properties like __proto__, and allows attackers to manipulate object prototypes, potentially...

CVSS 7.3 · AI score 6.7 · EPSS 0.00313
Exploits 0 · References 3 · Affected Software 1
CVE
added 2025/04/09 11:58 a.m. · 74 views

CVE-2025-30677

Apache Pulsar IO Kafka connectors (Source, Sink, and Kafka Connect Adaptor Sink) log sensitive configuration properties in plain text in application logs. Affected components: Pulsar IO’s Apache Kafka connectors across versions before 3.0.11, 3.3.6, and 4.0.4. Consequence: potential exposure of K...

CVSS 6.5 · AI score 6.4 · EPSS 0.00154
Exploits 0 · References 3 · Affected Software 1
RedhatCVE
added 2025/04/06 5:25 a.m. · 13 views

CVE-2025-3197

Versions of the package expand-object from 0.0.0 are vulnerable to Prototype Pollution in the expand function in index.js. This function expands the given string into an object and allows a nested property to be set without checking the provided keys for sensitive properties like __proto__...

CVSS 7.3 · AI score 6.7 · EPSS 0.00313
Exploits 0 · References 1
Github Security Blog
added 2025/04/04 6:34 a.m. · 6 views

expand-object Vulnerable to Prototype Pollution via the expand() Function

Versions of the package expand-object from 0.0.0 to 0.4.2 are vulnerable to Prototype Pollution in the expand function in index.js. This function expands the given string into an object and allows a nested property to be set without checking the provided keys for sensitive properties like __proto__...

CVSS 7.3 · AI score 6.9 · EPSS 0.00313
Exploits 0 · References 5 · Affected Software 1
NVD
added 2025/04/04 5:15 a.m. · 7 views

CVE-2025-3197

Versions of the package expand-object from 0.0.0 are vulnerable to Prototype Pollution in the expand function in index.js. This function expands the given string into an object and allows a nested property to be set without checking the provided keys for sensitive properties like __proto__...

CVSS 7.3 · EPSS 0.00313
Exploits 0 · References 3
CVE
added 2025/04/04 5:00 a.m. · 50 views

CVE-2025-3197

CVE-2025-3197 concerns the expand-object library. Reports across multiple sources confirm a Prototype Pollution flaw in the expand() function (index.js) that turns a string into an object without filtering keys like __proto__. Affected: expand-object versions 0.0.0 and later. Potential impact descri...

CVSS 7.3 · AI score 7 · EPSS 0.00313
Exploits 0 · References 3
Positive Technologies
added 2025/04/04 12:00 a.m. · 2 views

PT-2025-14841 · Unknown · Expand-Object

Name of the Vulnerable Software and Affected Versions: expand-object versions 0.0.0 and later Description: The issue concerns a Prototype Pollution flaw in the expand function located in index.js. This function is used to expand a given string into an object, but it does not check the provided ke...

CVSS 7.3 · AI score 6.1 · EPSS 0.00313
Exploits 0 · References 11
Positive Technologies
added 2025/02/12 12:00 a.m. · 1 view

PT-2025-6524 · Progress Telerik · Kendoreact

Name of the Vulnerable Software and Affected Versions: Progress® Telerik® KendoReact versions v3.5.0 through v9.4.0 Description: An attacker can introduce or modify properties within the global prototype chain, which can result in denial of service or command injection. Recommendations: For...

CVSS 7.2 · AI score 6.9 · EPSS 0.00052
Exploits 0 · References 6
NVD
added 2025/01/24 5:15 p.m. · 10 views

CVE-2025-24359

ASTEVAL is an evaluator of Python expressions and statements. Prior to version 1.0.6, if an attacker can control the input to the asteval library, they can bypass asteval's restrictions and execute arbitrary Python code in the context of the application using the library. The vulnerability is...

CVSS 8.4 · EPSS 0.00032
Exploits 0 · References 3
Cvelist
added 2022/06/30 7:25 p.m. · 13 views

CVE-2022-23720 PingID Windows Login prior to 2.8 does not alert or halt operation if it has been provisioned with the full permissions PingID properties file

PingID Windows Login prior to 2.8 does not alert or halt operation if it has been provisioned with the full permissions PingID properties file. An IT administrator could mistakenly deploy administrator privileged PingID API credentials, such as those typically used by PingFederate, into PingID...

CVSS 7.5 · AI score 8.3 · EPSS 0.0003
Exploits 0 · References 2
RedHat Linux
added 2011/01/25 4:16 p.m. · 0 views

IcedTea System property information leak via public static

IcedTea 1.7.x before 1.7.6, 1.8.x before 1.8.3, and 1.9.x before 1.9.2, as based on OpenJDK 6, declares multiple sensitive variables as public, which allows remote attackers to obtain sensitive information including the (1) user.name, (2) user.home, and (3) java.home system properties, and other sensitive...

CVSS 5 · AI score 5.9 · EPSS 0.01511
Exploits 0 · References 4