15243 matches found
Jenkins AppSpider Plugin 安全漏洞
The Jenkins AppSpider Plugin is an open-source Jenkins application security scanning integration plugin. The Jenkins AppSpider Plugin versions 1.0.17 and earlier contain security vulnerabilities. These vulnerabilities stem from the lack of permission checks in the method responsible for form...
Linux Distros Unpatched Vulnerability : CVE-2026-48959
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU exhaustion via per-byte read loop in fastForward. fastForward compares length $offset the digit...
CVE-2026-45298 Dozzle: Pre-auth SSRF with response-body reflection via POST /api/notifications/test-webhook (default no-auth deploy)
Dozzle is a realtime log viewer for docker containers. Prior to 10.5.2, in a default dozzle deploy the documented quickstart, no DOZZLEAUTHPROVIDER set, POST /api/notifications/test-webhook is reachable without authentication and forwards an attacker-controlled URL into a WebhookDispatcher that...
CVE-2026-44898
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, rendertocul builds a table-of-contents tree from a list of level, id, text tuples. Both the id value used as href="" and the text value used as the visible link label are inserted into tags via a plain Python format...
PT-2026-43295
Name of the Vulnerable Software and Affected Versions The product name cannot be determined affected versions not specified Description Improper validation of user-supplied input leads to a local file inclusion, which allows an attacker to include files on the local server. Recommendations At the...
GHSA-GGXF-37HM-9WQF instagrapi: Unsafe signup challenge path handling in instagrapi
instagrapi versions before 2.6.9 accepted server-supplied signup challenge paths and used them to build request URLs before validating that the paths were relative Instagram API paths. A malicious or tampered challenge payload could cause challenge handling requests to be sent outside the intende...
aiograpi: Unsafe signup challenge path handling
aiograpi versions before 0.9.10 accepted server-supplied signup challenge paths and used them to build request URLs before validating that the paths were relative Instagram API paths. A malicious or tampered challenge payload could cause challenge handling requests to be sent outside the intended...
PT-2026-42858
Name of the Vulnerable Software and Affected Versions Nezha Monitoring versions 1.4.0 through 2.0.7 Description The dashboard allows users with the RoleMember role to access notification routes that should be restricted to administrators. Specifically, the endpoints "POST /api/v1/notification" an...
Division by zero
Overview Magick.NET-Q16-HDRI-AnyCPU is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package...
Division by zero
Overview Magick.NET-Q16-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...
Division by zero
Overview Affected versions of this package are vulnerable to Division by zero in the processing of a user-supplied binomial kernel. An attacker can cause a crash or denial of service by providing a specially crafted large kernel that triggers a division by zero. Remediation A fix was pushed into...
nimiq-keys: Denial of service in Ed25519 multisig delinearization via invalid curve points
Impact A denial-of-service vulnerability exists in the Ed25519 multisig delinearization code path. Ed25519PublicKey::delinearize in keys/src/multisig/mod.rs called .unwrap on curve point decompression, which panics when a public key is constructed from 32 bytes that do not represent a valid point...
CVE-2026-9136
A vulnerability was identified in the ShadowAttribute proposal creation workflow. The add action accepted user-controlled ShadowAttribute request data without removing the id field before saving the record. Because the underlying framework treats a supplied primary key as an instruction to update...
CVE-2026-9136 Unauthorized ShadowAttribute modification in MISP via client-supplied identifier
A vulnerability was identified in the ShadowAttribute proposal creation workflow. The add action accepted user-controlled ShadowAttribute request data without removing the id field before saving the record. Because the underlying framework treats a supplied primary key as an instruction to update...
CVE-2026-9136
CVE-2026-9136 affects the ShadowAttribute proposal creation workflow in MISP. An add action accepted client-supplied ShadowAttribute data without stripping the id field, allowing an authenticated user to supply the identifier of an existing ShadowAttribute and cause an update instead of creating ...
CVE-2026-9136 Unauthorized ShadowAttribute modification in MISP via client-supplied identifier
A vulnerability was identified in the ShadowAttribute proposal creation workflow. The add action accepted user-controlled ShadowAttribute request data without removing the id field before saving the record. Because the underlying framework treats a supplied primary key as an instruction to update...
Astra Linux – Vulnerability in python-setuptools
A vulnerability exists in the packageindex module of pypa/setuptools versions up to 69.1.1, allowing for remote code execution through its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are vulnerable t...
CVE-2026-6394
The Nexa Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE plugin for WordPress is vulnerable to Server-Side Request Forgery SSRF in versions up to and including 1.1.1. This is due to the importdemo function accepting a user-supplied URL in the demojsonfile POST parameter and...
CVE-2026-6394
CVE-2026-6394 affects Nexa Blocks ≤ 1.1.1 (WordPress Gutenberg/FSE plugin). The import_demo() function accepts a user-supplied URL in demo_json_file via POST and forwards it to wp_remote_get() without URL validation or internal-network restrictions, enabling unauthenticated SSRF to arbitrary dest...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the Glide process. An attacker can cause the server to initiate HTTP requests to internal network addresses, potentially exposing sensitive internal resources, by supplying specially crafted URLs tha...