GHSA-WWQH-7JM5-GJ7W free5GC's PCF npcf-policyauthorization POST /app-sessions panics on suppFeat=1 with missing AfRoutReq via nil pointer dereference

Summary free5GC's PCF POST /npcf-policyauthorization/v1/app-sessions handler panics on a single authenticated request whose ascReqData.suppFeat == "1" enabling traffic-routing feature negotiation and whose medComponents entries supply an afAppId but NO AfRoutReq. The create path then calls...

free5GC's PCF npcf-policyauthorization POST /app-sessions panics on suppFeat=1 with missing AfRoutReq via nil pointer dereference

Summary free5GC's PCF POST /npcf-policyauthorization/v1/app-sessions handler panics on a single authenticated request whose ascReqData.suppFeat == "1" enabling traffic-routing feature negotiation and whose medComponents entries supply an afAppId but NO AfRoutReq. The create path then calls...

CVE-2026-5159

The CVE-2026-5159 entry documents a Stored Cross-Site Scripting flaw in the Royal Addons for Elementor plugin (WordPress). Affected component: the Instagram Feed widget, specifically the instagram_follow_text setting. Root cause: insufficient input sanitization and output escaping in all versions...

CVE-2026-40458

PAC4J is vulnerable to Cross-Site Request Forgery CSRF. A malicious attacker can craft a specially designed website which, when visited by a user, will automatically submit a forged cross-site request with a token whose hash collides with the victim's legitimate CSRF token. Importantly, the...

GHSA-XQ7H-VWJP-5VRH @grackle-ai/powerline Runs Without Authentication by Default

Impact When --token is not provided and GRACKLEPOWERLINETOKEN is not set, the PowerLine gRPC server runs with zero authentication. A warning is logged "NO AUTH development only" but nothing prevents deployment in this state. Any client that can reach the PowerLine port can spawn agent sessions,...

Cross-site Scripting (XSS)

Overview changedetection.io is a Website change detection and monitoring service Affected versions of this package are vulnerable to Cross-site Scripting XSS via the taguuid parameter in the /rss/tag/ endpoint, which is reflected in the HTTP response without proper escaping. An attacker can execu...

GHSA-P6PV-Q7RC-G4H9 Unauthenticated Spree Commerce users can view completed guest orders by Order ID

Unauthenticated users can view completed guest orders by Order ID GHSL-2026-029 The OrdersControllershow action permits viewing completed guest orders by order number alone, without requiring the associated order token. Order lookup without enforcing token requirement in OrdersControllershow: rub...

CVE-2025-42616

CVE-2025-42616 concerns Vulnerability-Lookup prior to 2.18.0 where certain endpoints could change state (e.g., database entries, user data, configurations) via HTTP GET requests without CSRF protection. This allowed CSRF-style abuse under an authenticated session, potentially enabling privilege e...

CVE-2025-13319

Digi On-Prem Manager API is affected by an authenticated SQL injection vulnerability (CVE-2025-13319). An attacker with valid API tokens can inject SQL via crafted input; the API is not enabled by default. CVSS 3.1 base score 8.8 (HIGH) with impact to confidentiality, integrity, and availability....

CVE-2025-11539

Grafana Image Renderer is vulnerable to remote code execution due to an arbitrary file write vulnerability. This is due to the fact that the /render/csv endpoint lacked validation of the filePath parameter that allowed an attacker to save a shared object to an arbitrary location that is then load...

EUVD-2024-54901

Malicious code in bioql PyPI...

CVE-2024-50641

An authentication bypass vulnerability in PandoraNext-TokensTool v0.6.8 and before. An attacker can exploit this vulnerability to access API without any token...

CVE-2025-50904

There is an authentication bypass vulnerability in WinterChenS my-site thru commit 6c79286 2025-06-11. An attacker can exploit this vulnerability to access /admin/ API without any token...

PT-2025-34068 · Jobx · Jobx

Name of the Vulnerable Software and Affected Versions: jobx versions up to 1.0.1-RELEASE Description: An authentication bypass issue exists in jobx up to version 1.0.1-RELEASE. An attacker can exploit this issue to access sensitive API endpoints without any token through the preHandle function...

CVE-2025-50904

CVE-2025-50904 describes an authentication bypass in WinterChenS my-site via commit 6c79286 (2025-06-11). An attacker can access the /admin/ API without a token, with CVSS v3.1 score 9.8 (CRITICAL; AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Affected software is WinterChenS my-site, through the specifi...

PT-2025-34134 · Winterchens · My-Site

Name of the Vulnerable Software and Affected Versions: WinterChenS my-site versions through commit 6c79286 2025-06-11 Description: An authentication bypass allows unauthorized access to the /admin/ API without a token. Recommendations: Versions prior to commit 6c79286 2025-06-11 should be updated...

CVE-2024-1221

This vulnerability potentially allows files on a PaperCut NG/MF server to be exposed using a specifically formed payload against the impacted API endpoint. The attacker must carry out some reconnaissance to gain knowledge of a system token. This CVE only affects Linux and macOS PaperCut NG/MF...

PT-2023-2843 · Zimbra · Zimbra Collaboration Suite

Name of the Vulnerable Software and Affected Versions: Zimbra Collaboration Suite versions 8.8.15 through 9.0 Description: An open redirect issue exists in the /preauth Servlet, allowing an attacker to redirect a user to any URL if URL sanitization is bypassed in incoming requests. To exploit thi...

GHSA-449W-C77C-VMF6 Lack of authentication mechanism in Jenkins Git Plugin webhook

Git Plugin provides a webhook endpoint at /git/notifyCommit that can be used to notify Jenkins of changes to an SCM repository. For its most basic functionality, this endpoint receives a repository URL, and Jenkins will schedule polling for all jobs configured with the specified repository. In Gi...

PT-2022-5837 · Jenkins · Jenkins Git Plugin +1

Name of the Vulnerable Software and Affected Versions: Jenkins Git Plugin versions 4.11.3 and earlier Description: The webhook endpoint in Jenkins Git Plugin provides unauthenticated attackers with information about the existence of jobs configured to use an attacker-specified Git repository. Thi...