Malicious code in loading-session (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 640bfe1e0b6627e78ec34ef2d97df0d5d29d912446883f284c15935cc8f6f996 Package advertises itself via a verbatim copy of pino's README, docs/, and index.d.ts TypeScript types and documentation are pino's, but index.js doe...

CVE-2026-42600

Summary of the vulnerability (CVE-2026-42600) : MinIO’s ReadMultiple internode storage-REST endpoint is vulnerable to path traversal when processing a msgpack-encoded ReadMultipleReq body. An attacker holding the cluster root JWT can craft a request to POST /minio/storage/{drivePath}/v63/rmpl wit...

CVE-2026-42600 MinIO: Path Traversal via msgpack Body in `ReadMultiple` Storage-REST Endpoint

MinIO is a high-performance object storage system. From RELEASE.2022-07-24T01-54-52Z to before RELEASE.2026-04-14T21-32-45Z, A path traversal vulnerability in MinIO's ReadMultiple internode storage-REST endpoint allows a caller holding the cluster root JWT to read files from outside the configure...

CVE-2026-30832

Soft Serve is a self-hostable Git server for the command line. From version 0.6.0 to before version 0.11.4, an authenticated SSH user can force the server to make HTTP requests to internal/private IP addresses by running repo import with a crafted --lfs-endpoint URL. The initial batch request is...

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the --lfs-endpoint parameter during repository import. An attacker can cause the server to send HTTP requests to internal or private IP addresses, potentially accessing sensitive internal services or...

Gladinet CentreStack/Triofox Access Ticket Forge

This module forges access tickets for the Gladinet CentreStack/Triofox /storage/filesvr.dn endpoint. The vulnerability exists because the application uses hardcoded cryptographic keys in GladCtrl64.dll to encrypt/decrypt access tickets. The access ticket is an encrypted string that contains: -...

Gladinet CentreStack/Triofox Path Traversal

This module exploits a path traversal vulnerability CVE-2025-11371 in Gladinet CentreStack and Triofox that allows an unauthenticated attacker to read arbitrary files from the server's file system. The vulnerability exists in the /storage/t.dn endpoint which does not properly sanitize the s...

CVE-2025-13813

A vulnerability was identified in moxi159753 Mogu Blog v2 up to 5.2. This issue affects some unknown processing of the file /storage/ of the component Storage Management Endpoint. The manipulation leads to missing authorization. The attack can be initiated remotely. The attack's complexity is rat...

CVE-2025-13813 moxi159753 Mogu Blog v2 Storage Management Endpoint storage authorization

A vulnerability was identified in moxi159753 Mogu Blog v2 up to 5.2. This issue affects some unknown processing of the file /storage/ of the component Storage Management Endpoint. The manipulation leads to missing authorization. The attack can be initiated remotely. The attack's complexity is rat...

CVE-2025-13813

CVE-2025-13813 affects the moxi159753 Mogu Blog v2 family up to version 5.2. The issue resides in the Storage Management Endpoint’s handling of the file "/storage/", where missing authorization allows remote exploitation. Documented impact includes unauthorized access with high attack complexity ...

Mogu blog 安全漏洞

Mogu blog 蘑菇博客 is a micro-architecture based front-end and back-end shared blogging system by individual developers in Streamlet, China. A security vulnerability exists in Mogu blog v2 5.2 and earlier versions, which originates from a lack of authorization checking in the file /storage/ in the...

GHSA-RC54-2G2C-G36G OpenBao and Vault Leak []byte Fields in Audit Logs

Impact OpenBao's audit log did not appropriately redact fields when relevant subsystems sent byte response parameters rather than strings. This includes, but is not limited to: - sys/raw with use of encoding=base64, all data would be emitted unredacted to the audit log. - Transit, when performing...

CVE-2025-8965 linlinjava litemall Endpoint AdminStorageController.java create unrestricted upload

A vulnerability has been found in linlinjava litemall up to 1.8.0. This vulnerability affects the function create of the file litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminStorageController.java of the component Endpoint. The manipulation of the argument File leads to...

PT-2025-7076 · Unknown · Label Studio

Name of the Vulnerable Software and Affected Versions: Label Studio versions prior to 1.16.0 Description: Label Studio's S3 storage integration feature contains a Server-Side Request Forgery SSRF vulnerability in its endpoint configuration. When creating an S3 storage connection, the application...

PYSEC-2024-298

OpenCTI is an open-source cyber threat intelligence platform. Before 6.3.0, general users can access information that can only be accessed by users with access privileges to admin and support information SETTINGSSUPPORT. This is due to inadequate access control for support information...

CVE-2024-24936

In JetBrains TeamCity before 2023.11.2 access control at the S3 Artifact Storage plugin endpoint was missed...

PT-2022-26320 · Unknown · Simple Cold Storage Management System

Name of the Vulnerable Software and Affected Versions: Simple Cold Storage Management System version 1.0 Description: The issue is related to SQL Injection via the /csms/classes/Master.php?f=delete storage endpoint. This allows for potential unauthorized access and manipulation of data. No...

CVE-2022-42249

Simple Cold Storage Management System v1.0 is vulnerable to SQL injection via /csms/admin/storages/viewstorage.php?id=...