Lucene search
+L

49 matches found

cnnvd
cnnvd
added 2026/03/25 12:0 a.m.9 views

pdf-image 安全漏洞

pdf-image is a Node.js tool developed by Masafumi Oyamada for converting PDFs to PNG images. Versions of pdf-image 2.0.0 and earlier contain security vulnerabilities. These vulnerabilities stem from the fact that the pdfFilePath parameter is not verified, which may lead to OS command injection...

9.8CVSS5.8AI score0.02493EPSS
Exploits4References3
osv
osv
added 2026/03/18 2:19 a.m.7 views

CVE-2026-29112 @dicebear/converter vulnerable to ncontrolled memory allocation via crafted SVG dimensions

DiceBear is an avatar library for designers and developers. Prior to version 9.4.0, the ensureSize function in @dicebear/converter read the width and height attributes from the input SVG to determine the output canvas size for rasterization PNG, JPEG, WebP, AVIF. An attacker who can supply a...

7.5CVSS5.9AI score0.00346EPSS
Exploits0References5
snyk
snyk
added 2026/03/08 8:38 a.m.1 views

Heap-based Buffer Overflow

Overview Affected versions of this package are vulnerable to Heap-based Buffer Overflow via the dopnm2png function. An attacker can achieve code execution, data corruption, or application crash by providing specially crafted width or height arguments that trigger a heap-based buffer overflow duri...

5.3CVSS6.3AI score0.00126EPSS
Exploits0References2
attackerkb
attackerkb
added 2026/01/29 2:28 p.m.4 views

CVE-2020-37012

Tea LaTex 1.0 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary shell commands through the /api.php endpoint. Attackers can craft a malicious LaTeX payload with shell commands that are executed when processed by the application's tex2png API...

9.8CVSS6.7AI score0.00755EPSS
Exploits0References3Affected Software1
cvelist
cvelist
added 2026/01/29 2:28 p.m.33 views

CVE-2020-37012 Tea LaTex 1.0 - Remote Code Execution

Tea LaTex 1.0 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary shell commands through the /api.php endpoint. Attackers can craft a malicious LaTeX payload with shell commands that are executed when processed by the application's tex2png API...

9.8CVSS0.00755EPSS
Exploits0References3
ptsecurity
ptsecurity
added 2026/01/29 12:0 a.m.6 views

PT-2026-5287

Tea LaTex 1.0 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary shell commands through the /api.php endpoint. Attackers can craft a malicious LaTeX payload with shell commands that are executed when processed by the application's tex2png API...

9.8CVSS6.7AI score0.00755EPSS
Exploits0References4
redhatcve
redhatcve
added 2026/01/09 9:3 a.m.3 views

CVE-2024-39918

@jmondi/url-to-png is an open source URL to PNG utility featuring parallel rendering using Playwright for screenshots and with storage caching via Local, S3, or CouchDB. Input of the ImageId in the code is not sanitized and may lead to path traversal. This allows an attacker to store an image in ...

4.3CVSS4.8AI score0.00523EPSS
Exploits0References1
euvd
euvd
added 2025/10/03 8:7 p.m.7 views

EUVD-2024-2232

Malicious code in bioql PyPI...

3.1CVSS6.4AI score0.0037EPSS
Exploits0References4
euvd
euvd
added 2025/10/03 8:7 p.m.5 views

EUVD-2024-2427

Malicious code in bioql PyPI...

4.3CVSS6.4AI score0.00523EPSS
Exploits0References6
redhatcve
redhatcve
added 2025/05/23 8:2 a.m.8 views

CVE-2024-39919

@jmondi/url-to-png is an open source URL to PNG utility featuring parallel rendering using Playwright for screenshots and with storage caching via Local, S3, or CouchDB. The package includes an ALLOWLIST where the host can specify which services the user is permitted to capture screenshots of. By...

3.1CVSS3.9AI score0.0037EPSS
Exploits0
redhatcve
redhatcve
added 2025/05/23 7:42 a.m.5 views

CVE-2024-37169

@jmondi/url-to-png is a self-hosted URL to PNG utility. Versions prior to 2.0.3 are vulnerable to arbitrary file read if a threat actor uses the Playright's screenshot feature to exploit the file wrapper. Version 2.0.3 mitigates this issue by requiring input URLs to be of protocol http or https. ...

5.3CVSS5.2AI score0.00529EPSS
Exploits0
hackerone
hackerone
added 2024/11/18 8:39 a.m.105 views

Khan Academy: XSS on using the legacy "Graphie To Png" API

The legacy "Graphie To Png" API was vulnerable to exploitation. An attacker could upload malicious graphies that included harmful SVG and JSON data. The SVG contained an onload attribute that executed arbitrary JavaScript. The JSON data modified the content of labels, causing the graphie renderer...

7.3AI score
Exploits0
veracode
veracode
added 2024/07/16 6:11 a.m.16 views

Information Disclosure

@jmondi/url-to-png is vulnerable to Information Disclosure. The vulnerability is caused due to a lack of a blocklist mechanism to restrict which URLs can be captured as screenshots. This allows an attacker to potentially capture screenshots of sensitive information from local web services...

3.1CVSS6.1AI score0.0037EPSS
Exploits0References3Affected Software1
nvd
nvd
added 2024/07/15 8:15 p.m.19 views

CVE-2024-39918

@jmondi/url-to-png is an open source URL to PNG utility featuring parallel rendering using Playwright for screenshots and with storage caching via Local, S3, or CouchDB. Input of the ImageId in the code is not sanitized and may lead to path traversal. This allows an attacker to store an image in ...

4.3CVSS0.00523EPSS
Exploits0References3
nvd
nvd
added 2024/07/15 8:15 p.m.37 views

CVE-2024-39919

@jmondi/url-to-png is an open source URL to PNG utility featuring parallel rendering using Playwright for screenshots and with storage caching via Local, S3, or CouchDB. The package includes an ALLOWLIST where the host can specify which services the user is permitted to capture screenshots of. By...

3.1CVSS0.0037EPSS
Exploits0References2
osv
osv
added 2024/07/15 7:53 p.m.32 views

CVE-2024-39919 Capture screenshot of localhost web services (unauthenticated pages) in @jmondi/url-to-png

@jmondi/url-to-png is an open source URL to PNG utility featuring parallel rendering using Playwright for screenshots and with storage caching via Local, S3, or CouchDB. The package includes an ALLOWLIST where the host can specify which services the user is permitted to capture screenshots of. By...

3.1CVSS6.5AI score0.0037EPSS
Exploits0References4
vulnrichment
vulnrichment
added 2024/07/15 7:53 p.m.14 views

CVE-2024-39919 Capture screenshot of localhost web services (unauthenticated pages) in @jmondi/url-to-png

@jmondi/url-to-png is an open source URL to PNG utility featuring parallel rendering using Playwright for screenshots and with storage caching via Local, S3, or CouchDB. The package includes an ALLOWLIST where the host can specify which services the user is permitted to capture screenshots of. By...

3.1CVSS6.7AI score0.0037EPSS
Exploits0References2
cvelist
cvelist
added 2024/07/15 7:53 p.m.43 views

CVE-2024-39919 Capture screenshot of localhost web services (unauthenticated pages) in @jmondi/url-to-png

@jmondi/url-to-png is an open source URL to PNG utility featuring parallel rendering using Playwright for screenshots and with storage caching via Local, S3, or CouchDB. The package includes an ALLOWLIST where the host can specify which services the user is permitted to capture screenshots of. By...

3.1CVSS0.0037EPSS
Exploits0References2
cve
cve
added 2024/07/15 7:53 p.m.52 views

CVE-2024-39919

CVE-2024-39919 affects the @jmondi/url-to-png package. The issue stems from an ALLOW_LIST that by default permits screenshots of localhost/internal services, enabling a user to capture internal web services when the package runs on a server. This could disclose internal screens or services. The v...

3.1CVSS3.6AI score0.0037EPSS
Exploits0References2
osv
osv
added 2024/07/15 7:53 p.m.12 views

CVE-2024-39918 Path Traveral in @jmondi/url-to-png

@jmondi/url-to-png is an open source URL to PNG utility featuring parallel rendering using Playwright for screenshots and with storage caching via Local, S3, or CouchDB. Input of the ImageId in the code is not sanitized and may lead to path traversal. This allows an attacker to store an image in ...

4.3CVSS6.8AI score0.00523EPSS
Exploits0References5
Rows per page
Query Builder