59 matches found
CVE-2025-15562
The server API endpoint /report/internet/urls reflects received data into the HTML response without applying proper encoding or filtering. This allows an attacker to execute arbitrary JavaScript in the victim's browser if the victim opens a URL prepared by the attacker...
PT-2026-7884
Computrols CBAS-Web 19.0.0 contains a boolean-based blind SQL injection vulnerability in the 'id' parameter that allows authenticated attackers to manipulate database queries. Attackers can exploit the vulnerability by crafting boolean-based SQL injection payloads in the 'id' parameter of the...
📄 LibreChat MCP 0.8.2-rc2 Remote Code Execution
Proof of concept exploit for a remote code execution vulnerability in LibreChat MCP version 0.8.2-rc2 that leverages an unsanitized stdio server configuration issue...
Owlfiles 跨站脚本漏洞
Owlfiles is a file manager from Owlfiles, Inc. A cross-site scripting vulnerability exists in Owlfiles version 12.0.1, which stems from a cross-site scripting vulnerability in the path parameter in the HTTP server endpoint that could lead to the execution of arbitrary JavaScript...
GHSA-WRWG-2HG8-V723 Astro vulnerable to reflected XSS via the server islands feature
Summary After some research it appears that it is possible to obtain a reflected XSS when the server islands feature is used in the targeted application, regardless of what was intended by the component templates. Details Server islands run in their own isolated context outside of the page reques...
CVE-2025-41112 Missing Authorization vulnerability in CanalDenuncia.app
A lack of authorisation vulnerability has been detected in CanalDenuncia.app. This vulnerability allows an attacker to access other users' information by sending a POST through the parameter 'web' in '/backend/api/buscarConfiguracionParametros2.php'...
EUVD-2022-1367
Malicious code in bioql PyPI...
EUVD-2022-36356
Malicious code in bioql PyPI...
CVE-2025-7390 Bypass the client certificate trust check of an opc.https server while only secure communication is allowed
A malicious client can bypass the client certificate trust check of an opc.https server when the server endpoint is configured to allow only secure communication...
VulnCheck KEV: CVE-2025-54782
Nest is a framework for building scalable Node.js server-side applications. In versions 0.2.0 and below, a critical Remote Code Execution RCE vulnerability was discovered in the @nestjs/devtools-integration package. When enabled, the package exposes a local development HTTP server with an API...
CVE-2025-53514 Unexpected Input to Server Webhook endpoint Causes DoS in Mattermost Confluence Plugin
Mattermost Confluence Plugin version 1.5.0 fails to handle unexpected request body which allows attackers to crash the plugin via constant hit to server webhook endpoint with an invalid request body...
CVE-2025-5416 Keycloak-core: keycloak environment information
A vulnerability has been identified in Keycloak that could lead to unauthorized information disclosure. While it requires an already authenticated user, the /admin/serverinfo endpoint can inadvertently provide sensitive environment information...
CVE-2024-29882
SRS is a simple, high-efficiency, real-time video server. SRS's /api/v1/vhosts/vid-?callback= endpoint didn't filter the callback function name which led to injecting malicious javascript payloads and executing XSS Cross-Site Scripting. This vulnerability is fixed in 5.0.210 and 6.0.121...
CVE-2024-8940
Vulnerability in the Scriptcase application version 9.4.019, which involves the arbitrary upload of a file via /scriptcase/devel/lib/third/jqueryplugin/jQuery-File-Upload/server/php/ via a POST request. An attacker could upload malicious files to the server due to the application not properly...
PT-2024-39325 · Unknown · Scriptcase
Name of the Vulnerable Software and Affected Versions: Scriptcase version 9.4.019 Description: The issue involves the arbitrary upload of a file via "/scriptcase/devel/lib/third/jquery plugin/jQuery-File-Upload/server/php/" via a POST request. An attacker could upload malicious files to the serve...
PT-2024-7171 · Unknown · Soplanning
Name of the Vulnerable Software and Affected Versions: SOPlanning versions prior to 1.45 Description: A Cross-Site Scripting XSS issue exists due to the lack of proper validation of user input via the /soplanning/www/process/xajax server.php endpoint, affecting multiple parameters. This could all...
CVE-2023-49793
CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. Zip files uploaded to the server endpoint of CodeChecker store are not properly sanitized. An attacker, using a path traversal attack, can load and display files on the machine o...
CVE-2023-49793
CVE-2023-49793 describes a path traversal in CodeChecker server via the massStoreRun endpoint (CodeCheckerService). ZIPs uploaded to CodeChecker store are not sanitized, allowing reading files from the server with the same permissions as the CodeChecker server. Attack requires a CodeChecker user ...
CVE-2024-3408
man-group/dtale version 3.10.0 is vulnerable to an authentication bypass and remote code execution RCE due to improper input validation. The vulnerability arises from a hardcoded SECRETKEY in the flask configuration, allowing attackers to forge a session cookie if authentication is enabled...
SUSE CVE-2023-32192
A vulnerability has been identified in which unauthenticated cross-site scripting XSS in the API Server's public API endpoint can be exploited, allowing an attacker to execute arbitrary JavaScript code in the victim browser...