10 matches found
SUSE-SU-2026:2647-1 Security update for nodejs22
This update for nodejs22 fixes the following issues Update to 22.23.0: - CVE-2026-6733: undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery bsc1268479. - CVE-2026-9496: pacote: excessive CPU consumption in addGitSha when processing a...
EUVD-2026-29114
HireFlow v1.2 does not implement CSRF token validation on any state-changing POST endpoint. All forms password change at /profile, candidate deletion at /candidates/delete/, feedback submission at /feedback/add/, interview scheduling at /interviews/add are vulnerable to CSRF. An attacker who can...
CVE-2026-35180 WWBN AVideo affected by CSRF on Site Customization Endpoint Enables Logo Overwrite via Base64 File Write
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the site customization endpoint at admin/customizesettingsnativeUpdate.json.php lacks CSRF token validation and writes uploaded logo files to disk before the ORM's domain-based security check executes. Combined with...
CVE-2026-34394
WWBN AVideo (versions 26.0 and prior) is affected by a CSRF vulnerability in the admin/plugin configuration endpoint (admin/save.json.php). The endpoint processes requests without CSRF token validation (no isGlobalTokenValid/verifyToken check), and the app uses SameSite=None cookies, enabling cro...
CVE-2026-30888 Discourse has moderator privilege escalation via arbitrary post_id in suspend/silence endpoint
Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 allow a moderator to edit site policy documents ToS, guidelines, privacy policy that they are explicitly prohibited from modifying. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 conta...
CVE-2025-34412
...
Cross-site Request Forgery (CSRF)
Overview Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF via the templates/preview process. An attacker can execute arbitrary JavaScript code in the context of an authenticated user's browser by crafting a malicious HTML page that submits a POST request without...
PT-2025-3144 · Typo3 · Typo3
Name of the Vulnerable Software and Affected Versions: TYPO3 versions prior to 11.5.42 ELTS TYPO3 versions prior to 12.4.25 LTS TYPO3 versions prior to 13.4.3 LTS Description: A vulnerability has been identified in the backend user interface functionality involving deep links, which is susceptibl...
Microsoft Edge Elevation of Privilege Vulnerability (CNVD-2020-16648)
Microsoft Edge is a web browser from the American company Microsoft that comes with systems after Windows 10. An elevation of privilege vulnerability exists in Microsoft Edge that stems from the program failing to properly enforce cross-site policies. An attacker could exploit the vulnerability t...
Design/Logic Flaw
Incomplete blacklist vulnerability in browser/download/downloadexe.cc in Google Chrome before 3.0.195.32 allows remote attackers to force the download of certain dangerous files via a "Content-Disposition: attachment" designation, as demonstrated by 1 .mht and 2 .mhtml files, which are...