Flowise: Parameter Override Bypass Remote Command Execution

Summary Flowise is vulnerable to a critical unauthenticated remote command execution RCE vulnerability. It can be exploited via a parameter override bypass using the FILE-STORAGE:: keyword combined with a NODEOPTIONS environment variable injection. This allows for the execution of arbitrary syste...

GHSA-CVRR-QHGW-2MM6 Flowise: Parameter Override Bypass Remote Command Execution

Summary Flowise is vulnerable to a critical unauthenticated remote command execution RCE vulnerability. It can be exploited via a parameter override bypass using the FILE-STORAGE:: keyword combined with a NODEOPTIONS environment variable injection. This allows for the execution of arbitrary syste...

EUVD-2025-208202

In multiple functions of MediaProvider.java, there is a possible way to bypass the WRITEEXTERNALSTORAGE permission due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation...

Path Traversal

esm.sh is vulnerable to Path Traversal. The vulnerability is due to improper validation of the X-Zone-Id HTTP header when constructing filesystem paths, which allows an attacker to use ../ sequences to write files outside the intended storage directory and access arbitrary locations on the system...

PT-2025-43468

Name of the Vulnerable Software and Affected Versions MediaProvider.java affected versions not specified Description A flaw exists in multiple functions within MediaProvider.java that may allow bypassing the WRITE EXTERNAL STORAGE permission due to a missing permission check. Successful...

EUVD-2014-7976

Malware in sbrugna...

EUVD-2025-26595

Malicious code in bioql PyPI...

EUVD-2025-26819

Malicious code in bioql PyPI...

CVE-2025-22439

In onLastAccessedStackLoaded of ActionHandler.java , there is a possible way to bypass storage restrictions across apps due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation...

CVE-2025-22439

In onLastAccessedStackLoaded of ActionHandler.java , there is a possible way to bypass storage restrictions across apps due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation...

CVE-2025-22439

In onLastAccessedStackLoaded of ActionHandler.java , there is a possible way to bypass storage restrictions across apps due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation...

CVE-2025-22439

In onLastAccessedStackLoaded of ActionHandler.java , there is a possible way to bypass storage restrictions across apps due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation...

CVE-2021-39697

In checkFileUriDestination of DownloadProvider.java, there is a possible way to bypass external storage private directories protection due to a missing permission check. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for...

CVE-2016-0848

Race condition in Download Manager in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 allows attackers to bypass private-storage file-access restrictions via a crafted application that changes a symlink target, as demonstrated by obtaining Signature or...