10 matches found
Improper Validation of Integrity Check Value
Overview Affected versions of this package are vulnerable to Improper Validation of Integrity Check Value inadequate validation of the combined fingerprint during image downloads from simplestreams servers. An attacker can cause users to deploy malicious images by providing manipulated image file...
CVE-2025-13641
The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.59.12 via the 'template' shortcode parameter. This is due to insufficient path validation that allows absolute paths to be provided...
EUVD-2004-1520
Malware in sbrugna...
EUVD-2025-9734
Malicious code in bioql PyPI...
CVE-2025-45156
Splashin iOS v2.0 fails to enforce server-side interval restrictions for location updates for free-tier users...
CVE-2025-45156
Splashin iOS v2.0 fails to enforce server-side interval restrictions for location updates for free-tier users...
Sensitive Information Disclosure
mautic/core is vulnerable to Sensitive Information Disclosure. The vulnerability is due to unauthenticated arbitrary file access where the missing web server restrictions on .env files, allowing attackers to directly view sensitive configurations via a browser...
GHSA-9CWX-2883-4WFX Vite's `server.fs.deny` is bypassed when using `?import&raw`
Summary The contents of arbitrary files can be returned to the browser. Details @fs denies access to files outside of Vite serving allow list. Adding ?import&raw to the URL bypasses this limitation and returns the file content if it exists. PoC sh $ npm create vite@latest $ cd vite-project/ $ npm...
GHSA-23C7-6444-399M Improper Input Validation in sopel-plugins.channelmgnt
Impact On some IRC servers, restrictions around the removal of the bot using the kick/kickban command could be bypassed when kicking multiple users at once. We also believe it may have been possible to remove users from other channels but due to the wonder that is IRC and following RfCs, We have ...
Clario: Bypass front server restrictions and access to forbidden files and directories through X-Rewrite-Url/X-original-url header on account.mackeeper.com
Summary Normally a client can't access /admin directory because of front nginx server which returns 403. But we can use X-Rewrite-Url or X-original-url because back server processes these headers and front server doesn't. Steps to reproduce: This request shows normal behavior curl -i -s -k -X...