
61 matches found

EUVD
added 2025/10/03 8:07 p.m., 1 view

EUVD-2025-14756

Malicious code in bioql PyPI...

CVSS 9.3, AI score 6.5, EPSS 0.00081
Exploits 0, References 2
EUVD
added 2025/10/03 8:07 p.m., 2 views

EUVD-2024-53587

Malicious code in bioql PyPI...

CVSS 7.5, AI score 6.6, EPSS 0.00187
Exploits 1, References 1
EUVD
added 2025/10/03 8:07 p.m., 2 views

EUVD-2023-42908

Malicious code in bioql PyPI...

CVSS 8.8, AI score 8.6, EPSS 0.00003
Exploits 0, References 1
EUVD
added 2025/10/03 8:07 p.m., 2 views

EUVD-2025-14295

Malicious code in bioql PyPI...

CVSS 6.3, AI score 6.6, EPSS 0.00062
Exploits 0, References 3
EUVD
added 2025/10/03 8:07 p.m., 3 views

EUVD-2024-34309

Malicious code in bioql PyPI...

CVSS 5, AI score 5.3, EPSS 0.0008
Exploits 0, References 4
EUVD
added 2025/10/03 8:07 p.m., 2 views

EUVD-2022-43161

Malicious code in bioql PyPI...

CVSS 6.5, AI score 6.4, EPSS 0.00116
Exploits 1, References 2
Huntr
added 2025/08/27 12:00 a.m., 6 views

Account takeover due to missing OAuth audience verification in Google sign-in

Description: The web application integrates Google OAuth for user authentication. Upon successful Google sign-in and user consent, the application receives a token from Google. This token is used by the web application to fetch user profile information such as email and name and complete the login...

CVSS 9.3, AI score 6, EPSS 0.00088
Exploits 2
Veracode
added 2025/07/02 12:27 p.m., 2 views

Privilege Escalation

Graylog is vulnerable to Privilege Escalation. The vulnerability is due to insufficient permission checks caused by a flaw in the Graylog REST API that allows authenticated users to create and use API tokens for other users, such as the local Administrator, if they know the target user's ID...

CVSS 8.8, AI score 6.6, EPSS 0.00275
Exploits 0, References 5, Affected Software 1
RedhatCVE
added 2025/05/22 11:32 p.m., 7 views

CVE-2022-1936

Incorrect authorization in GitLab EE affecting all versions from 12.0 before 14.9.5, all versions starting from 14.10 before 14.10.4, all versions starting from 15.0 before 15.0.1 allowed an attacker already in possession of a valid Project Deploy Token to misuse it from any location even when IP...

CVSS 6.5, AI score 6.4, EPSS 0.00168
Exploits 0, References 1
RedhatCVE
added 2025/05/22 9:54 p.m., 5 views

CVE-2022-2533

An issue has been discovered in GitLab affecting all versions starting from 12.10 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. GitLab was not performing correct authentication with some Package Registries when IP address restrictions...

CVSS 7.4, AI score 6.6, EPSS 0.00169
Exploits 0, References 1
RedhatCVE
added 2025/05/22 9:48 p.m., 3 views

CVE-2022-46258

An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed a repository-scoped token with read/write access to modify Action Workflow files without a Workflow scope. The Create or Update file contents API should enforce workflow scope. This vulnerability...

CVSS 6.5, AI score 6.6, EPSS 0.00192
Exploits 0, References 1
CVE
added 2025/05/12 4:14 p.m., 41 views

CVE-2025-46743

CVE-2025-46743 describes an issue where an authenticated user's token could be reused by another source after logout but before the token expired. Connected sources reference Schweitzer Engineering Laboratories (SEL) products (e.g., SEL-5033 RTAC Software, SEL-5702 PMU, SEL-5035 Diagram Builder) ...

CVSS 6.3, AI score 6.2, EPSS 0.00062
Exploits 0, References 1
OSV
added 2025/03/26 6:30 p.m., 7 views

GHSA-56P6-QW3C-FQ2G Suspended Directus user can continue to use session token to access API

Summary: Since the user status is not checked when verifying a session token, a suspended user can use the token generated in session auth mode to access the API despite their status. Details: There is a check missing in verifySessionJWT to verify that a user is actually still active and allowed to...

CVSS 3.5, AI score 4, EPSS 0.00397
Exploits 1, References 4
Snyk
added 2025/03/11 3:27 p.m., 1 view

Exposure of Sensitive System Information to an Unauthorized Control Sphere

Overview: Affected versions of this package are vulnerable to Exposure of Sensitive System Information to an Unauthorized Control Sphere due to the improper validation of target registry domains during the token exchange process. An attacker can extract and misuse authentication tokens by directin...

CVSS 8.2, AI score 6.7, EPSS 0.00234
Exploits 0, References 2
Vulnrichment
added 2025/01/31 12:00 a.m., 7 views

CVE-2024-57433

macrozheng mall-tiny 1.0.1 is vulnerable to Incorrect Access Control via the logout function. After a user logs out, their token is still available and fetches information in the logged-in state...

AI score 6.3, EPSS 0.00187
Exploits 1, References 1
FreeBSD
added 2024/12/12 12:00 a.m., 4 views

forgejo -- multiple vulnerabilities

Problem Description: It was possible to use a token sent via email for secondary email validation to reset the password instead. In other words, a token sent for a given action (registration, password reset or secondary email validation) could be used to perform a different action. It is no longer...

AI score 7.6
Exploits 0, References 1
CNNVD
added 2024/12/12 12:00 a.m., 1 view

GitLab Security Vulnerability

GitLab is an open source, end-to-end software development platform from GitLab, Inc. with built-in version control, issue tracking, code review, and CI/CD continuous integration and continuous delivery features. A security vulnerability exists in GitLab that stems from the use of the victim's...

CVSS 6.7, AI score 6.7, EPSS 0.00026
Exploits 1, References 2
Cvelist
added 2024/06/18 7:49 p.m., 21 views

CVE-2024-38276 moodle: CSRF risks due to misuse of confirm_sesskey

Incorrect CSRF token checks resulted in multiple CSRF risks...

EPSS 0.00268
Exploits 0, References 3
CNNVD
added 2024/01/07 12:00 a.m., 2 views

Clinic Queuing System Security Vulnerability

Clinic Queuing System is a clinic queuing system by the individual developer Carlo Montero. A security vulnerability exists in Clinic Queuing System version 1.0, which stems from an authorization bypass due to misuse of the parameter formToken...

CVSS 9.8, AI score 6.8, EPSS 0.00081
Exploits 5, References 5
VulnCheck KEV
added 2023/12/05 12:00 a.m., 0 views

VulnCheck KEV: CVE-2021-37580

A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. This issue affected Apache ShenYu 2.3.0 and 2.4.0...

CVSS 9.8, AI score 7.2, EPSS 0.93993
Exploits 2, References 1