CVE-2026-35464

pyLoad is a free and open-source download manager written in Python. The fix for CVE-2026-33509 added an ADMINONLYOPTIONS set to block non-admin users from modifying security-critical config options. The storagefolder option is not in this set and passes the existing path restriction because the...

CVE-2026-5066

A potential out-of-bounds write/read exists in the TLS socket connect path of the network sockets subsystem subsys/net/lib/sockets/socketstls.c. When the TLS session cache is enabled, tlssessionstore and tlssessionrestore memcpy the caller-supplied address into a fixed-size buffer using the...

Malicious Package

Overview knot-rack-session-store is a malicious package. This package is part of a malicious cluster of Ruby gems published by the threat actor knot-theory. Designed to impersonate legitimate utilities, it executes a payload upon installation that harvests environment variables, SSH keys, AWS...

EUVD-2026-24203

blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, when a user changes their password via the profile edit page, or when a password reset is completed via the reset link, neither operation invalidates existing authenticated sessions for that user. A server-side session store...

GHSA-4744-96P5-MP2J pyLoad: Unprotected storage_folder enables arbitrary file write to Flask session store and code execution (Incomplete fix for CVE-2026-33509)

Summary The fix for CVE-2026-33509 GHSA-r7mc-x6x7-cqxx added an ADMINONLYOPTIONS set to block non-admin users from modifying security-critical config options. The storagefolder option is not in this set and passes the existing path restriction because the Flask session directory is outside both...

PT-2025-53613

Name of the Vulnerable Software and Affected Versions SiYuan versions prior to 3.5.1 Description SiYuan Note application uses a hardcoded cryptographic secret for its session store, making session encryption ineffective. The AccessAuthCode, stored in the session cookie, can be decrypted by an...

EUVD-2013-3309

Malware in sbrugna...

EUVD-2021-1475

Malware in sbrugna...

EUVD-2022-1831

Malicious code in bioql PyPI...

Linux Distros Unpatched Vulnerability : CVE-2019-25025

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The activerecord-sessionstore aka Active Record Session Store component through 1.1.3 for Ruby on Rails does not use a constant-time approach when delivering...

CVE-2025-58067 Basecamp's Google Sign-In for Rails allowed redirects to protocol-relative URI

Basecamp's Google Sign-In adds Google sign-in to Rails applications. Prior to version 1.3.1, it is possible to redirect a user to another origin if the "proceedto" value in the session store is set to a protocol-relative URL. Normally the value of this URL is only written and read by the library ...

CVE-2020-5205

In Pow Hex package before 1.0.16, the use of Plug.Session in Pow.Plug.Session is susceptible to session fixation attacks if a persistent session store is used for Plug.Session, such as Redis or a database. Cookie store, which is used in most Phoenix apps, doesn't have this vulnerability...

SUSE CVE-2025-32441

Rack is a modular Ruby web server interface. Prior to version 2.2.14, when using the Rack::Session::Pool middleware, simultaneous rack requests can restore a deleted rack session, which allows the unauthenticated user to occupy that session. Rack session middleware prepares the session at the...

authentik 授权问题漏洞

authentik is an open source identity provisioning application from authentik open source. An authorization issue vulnerability exists in authentik versions prior to 2024.12.4 and 2025.2.3, which stems from a session deletion issue in the database session store that could cause a session to remain...

Deserialization of Untrusted Data

Overview kedro is a Kedro helps you build production-ready data and analytics pipelines Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to improper validation in the ShelveStore class in the kedro.framework.session.shelvestore module. This vulnerability...

Splunk Enterprise 安全漏洞

Splunk Enterprise is a suite of data collection and analytics software from Splunk, Inc. in the United States. A security vulnerability exists in Splunk Enterprise versions 9.2.x prior to 9.2.3 and 9.1.x prior to 9.1.6, which stems from an insecure session store configuration that could allow a...

CKAN < 2.9.9 Multiples Vulnerabilities

According to its self-reported version number, the CKAN application running on the remote host is prior to 2.9.9 or 2.10.x prior to 2.10.1. It is, therefore, affected by multiples vulnerabilities : - An Arbitrary File Write in resourcecreate and packageupdate actions, using the ResourceUploader...

Remote code execution

CKAN is an open-source data management system for powering data hubs and data portals. Multiple vulnerabilities have been discovered in Ckan which may lead to remote code execution. An arbitrary file write in resourcecreate and packageupdate actions, using the ResourceUploader object. Also...

CVE-2023-32321 CKAN remote code execution and private information access via crafted resource ids

CKAN is an open-source data management system for powering data hubs and data portals. Multiple vulnerabilities have been discovered in Ckan which may lead to remote code execution. An arbitrary file write in resourcecreate and packageupdate actions, using the ResourceUploader object. Also...

Debian: Security Advisory (DLA-301-1)

The remote host is missing an update for the Debian SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...