126 matches found
CVE-2025-48370
CVE-2025-48370 affects the auth-js library (Supabase Auth). Before 2.69.1, functions getUserById, deleteUser, updateUserById, listFactors and deleteFactor did not require UUIDs for user-controlled inputs, enabling potential URL path traversal and invocation of the wrong API function. The issue ta...
auth-js 路径遍历漏洞
auth-js is a Supabase Auth isomorphic Javascript library open-sourced by Supabase. A path traversal vulnerability exists in versions of auth-js prior to 2.69.1, which stems from an unvalidated user-supplied UUID and could lead to URL path traversal...
CVE-2024-34354
CMSaaSStarter is a SaaS template/boilerplate built with SvelteKit, Tailwind, and Supabase. Any forks of the CMSaaSStarter template before commit 7904d416d2c72ec75f42fbf51e9e64fa74062ee6 are impacted. The issue is the user JWT Token is not verified on server session. You should take the patch...
CVE-2024-24213
Supabase PostgreSQL v15.1 was discovered to contain a SQL injection vulnerability via the component /pgmeta/default/query. NOTE: the vendor's position is that this is an intended feature; also, it exists in the Supabase dashboard product, not the Supabase PostgreSQL product. Specifically,...
CVE-2024-5885
stangirard/quivr version 0.0.236 contains a Server-Side Request Forgery SSRF vulnerability. The application does not provide sufficient controls when crawling a website, allowing an attacker to access applications on the local network. This vulnerability could allow a malicious user to gain acces...
MAL-2024-9871 Malicious code in supabase-js (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 1b78f378246a539beb5412842ab5c310cac8566237afbc3ecb3535f85ca74b5b Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in supabase-js (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 1b78f378246a539beb5412842ab5c310cac8566237afbc3ecb3535f85ca74b5b Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
CVE-2024-5885
stangirard/quivr version 0.0.236 contains a Server-Side Request Forgery SSRF vulnerability. The application does not provide sufficient controls when crawling a website, allowing an attacker to access applications on the local network. This vulnerability could allow a malicious user to gain acces...
CVE-2024-5885 Server-Side Request Forgery (SSRF) in stangirard/quivr
stangirard/quivr version 0.0.236 contains a Server-Side Request Forgery SSRF vulnerability. The application does not provide sufficient controls when crawling a website, allowing an attacker to access applications on the local network. This vulnerability could allow a malicious user to gain acces...
CVE-2024-5885 Server-Side Request Forgery (SSRF) in stangirard/quivr
stangirard/quivr version 0.0.236 contains a Server-Side Request Forgery SSRF vulnerability. The application does not provide sufficient controls when crawling a website, allowing an attacker to access applications on the local network. This vulnerability could allow a malicious user to gain acces...
CVE-2024-5885
CVE-2024-5885 concerns the Quivr project: stangirard/quivr v0.0.236 contains a Server-Side Request Forgery (SSRF) vulnerability. The issue arises from insufficient controls when the crawler accesses external websites, enabling an attacker to reach internal/local-network resources, including inter...
CVE-2024-34354
CMSaaSStarter is a SaaS template/boilerplate built with SvelteKit, Tailwind, and Supabase. Any forks of the CMSaaSStarter template before commit 7904d416d2c72ec75f42fbf51e9e64fa74062ee6 are impacted. The issue is the user JWT Token is not verified on server session. You should take the patch...
CVE-2024-34354 CMSaasStarter: JWT Token Not Verified on Server Session
CMSaaSStarter is a SaaS template/boilerplate built with SvelteKit, Tailwind, and Supabase. Any forks of the CMSaaSStarter template before commit 7904d416d2c72ec75f42fbf51e9e64fa74062ee6 are impacted. The issue is the user JWT Token is not verified on server session. You should take the patch...
CVE-2024-34354 CMSaasStarter: JWT Token Not Verified on Server Session
CMSaaSStarter is a SaaS template/boilerplate built with SvelteKit, Tailwind, and Supabase. Any forks of the CMSaaSStarter template before commit 7904d416d2c72ec75f42fbf51e9e64fa74062ee6 are impacted. The issue is the user JWT Token is not verified on server session. You should take the patch...
CVE-2024-34354
CMSaaSStarter JWT token not verified on server session affects forks prior to commit 7904d416d2c72ec75f42fbf51e9e64fa74062ee6. Affected software: CMSaaSStarter templates, built with SvelteKit/Tailwind/Supabase. Root cause: user JWT token not validated on the server session. Remediation: apply pat...
CVE-2024-34354 CMSaasStarter: JWT Token Not Verified on Server Session
CMSaaSStarter is a SaaS template/boilerplate built with SvelteKit, Tailwind, and Supabase. Any forks of the CMSaaSStarter template before commit 7904d416d2c72ec75f42fbf51e9e64fa74062ee6 are impacted. The issue is the user JWT Token is not verified on server session. You should take the patch...
BIT-POSTGRESQL-2024-24213
Supabase PostgreSQL v15.1 was discovered to contain a SQL injection vulnerability via the component /pgmeta/default/query. NOTE: the vendor's position is that this is an intended feature; also, it exists in the Supabase dashboard product, not the Supabase PostgreSQL product. Specifically,...
CVE-2024-24213
Supabase PostgreSQL v15.1 was discovered to contain a SQL injection vulnerability via the component /pgmeta/default/query. NOTE: the vendor's position is that this is an intended feature; also, it exists in the Supabase dashboard product, not the Supabase PostgreSQL product. Specifically,...
CVE-2024-24213
Supabase PostgreSQL v15.1 was discovered to contain a SQL injection vulnerability via the component /pgmeta/default/query. NOTE: the vendor's position is that this is an intended feature; also, it exists in the Supabase dashboard product, not the Supabase PostgreSQL product. Specifically,...
Sql injection
Supabase PostgreSQL v15.1 was discovered to contain a SQL injection vulnerability via the component /pgmeta/default/query. NOTE: the vendor's position is that this is an intended feature; also, it exists in the Supabase dashboard product, not the Supabase PostgreSQL product. Specifically,...