246 matches found
SourceCodester Sales and Inventory System 安全漏洞
The SourceCodester Sales and Inventory System is an open-source sales and inventory management system developed by SourceCodester. Version 1.0 of the SourceCodester Sales and Inventory System contains a security vulnerability. This vulnerability stems from improper cleaning of the parameter limit...
Lychee 跨站脚本漏洞
Lychee is a beautiful and easy-to-use photo management system developed by The Lychee Organisation. It is used for managing and sharing photos. Versions of Lychee prior to 7.5.3 had a cross-site scripting vulnerability; this vulnerability occurred due to the lack of HTML cleaning when storing pho...
WordPress plugin WP Lightbox 安全漏洞
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There wa...
OpenProject SQL注入漏洞
OpenProject is an open-source web-based project management software. Versions of OpenProject prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1 have a SQL injection vulnerability. This vulnerability arises from custom field names not being properly cleaned in SQL queries, which can allow SQL injection...
GHSA-9F3R-2VGW-M8XP File Browser has an Access Rule Bypass via Path Traversal in Copy/Rename Destination Parameter
Description The resourcePatchHandler in http/resource.go validates the destination path against configured access rules before the path is cleaned/normalized. The rules engine rules/rules.go uses literal string prefix matching strings.HasPrefix or regex matching against the raw path. The actual...
PT-2026-25856
Name of the Vulnerable Software and Affected Versions File Browser versions 2.61.2 and below Description File Browser, a file managing interface, has an issue where an authenticated user with Create or Rename permissions can bypass administrator-configured deny rules. This is due to the order in...
glances SQL注入漏洞
Glances is a system monitoring tool developed by Nicolas Hennion. Versions of Glances prior to 4.5.1 contained an SQL injection vulnerability. This vulnerability stemmed from the TimescaleDB export module using uncleaned data to construct SQL queries, which could lead to SQL injection attacks...
stabilizer 安全漏洞
Stabilizer is a performance evaluation tool developed by Charlie Curtsinger. Stabilizer has a security vulnerability, which stems from the direct transmission of uncleaned user input to os.system, potentially allowing remote attackers to execute arbitrary system commands...
NocoDB 跨站脚本漏洞
NocoDB is an open-source alternative to Airtable. It converts any MySQL, PostgreSQL, SQL Server, SQLite, and MariaDB databases into intelligent spreadsheets. Versions of NocoDB prior to 0.301.3 had a cross-site scripting vulnerability. This vulnerability occurred when rich text cell content was...
Manyfold 操作系统命令注入漏洞
Manyfold is a self-hosted web application developed by Manyfold OpenSource. Versions of Manyfold prior to 0.133.0 contained an operating system command injection vulnerability. This vulnerability stemmed from uncleaned filenames, which could lead to remote code execution...
Binardat 10G08-0800GSM 跨站脚本漏洞
Binardat 10G08-0800GSM is a high-performance switch from the Chinese company Binardat. The Binardat 10G08-0800GSM Network Switch V300SP10260209 and earlier versions have a cross-site scripting vulnerability. This vulnerability stems from uncleaned user input reflected in the web interface, which...
Craft CMS 安全漏洞
Craft CMS is an open-source content management system developed by Craft CMS. Versions 4.0.0-RC1 to 4.16.17, and 5.0.0-RC1 to 5.8.21 of Craft CMS have security vulnerabilities. These vulnerabilities stem from the assembleLayoutFromPost function not properly cleaning user configuration data, which...
Craft CMS 跨站脚本漏洞
Craft CMS is an open-source content management system developed by Craft CMS. Versions 5.0.0-RC1 to 5.8.21 of Craft CMS have a cross-site scripting vulnerability. This vulnerability stems from uncleaned entry type names, which may lead to storage-based cross-site scripting attacks...
SCEditor 跨站脚本漏洞
SCEditor is a visual editor developed by Sam Personal Developer. Versions of SCEditor prior to 3.2.1 contained a cross-site scripting vulnerability. This vulnerability stemmed from insufficient cleanup of configuration options passed to sceditor.create, which could lead to cross-site scripting...
Navidrome 安全漏洞
Navidrome is an open-source web-based music collection server and streaming service developed by Navidrome. It allows users to listen to their music collections from any browser or mobile device. Versions of Navidrome prior to 0.60.0 contained security vulnerabilities; these vulnerabilities stemm...
gradle-completion security vulnerability
Gradle-completion is a autocompletion tool developed by Gradle as open source. Versions of Gradle-completion 9.3.0 and earlier have security vulnerabilities. These vulnerabilities stem from insufficient cleanup of Gradle task names and descriptions, which may lead to command injection and arbitra...
Group Office Cross-Site Script Vulnerabilities
Group Office is a modular office suite developed by the Dutch company Group Office. Versions of Group Office prior to 6.8.148, as well as versions 25.0.1 through 25.0.79, contained a cross-site scripting vulnerability. This vulnerability stemmed from the application storing uncleaned file names i...
CVE-2025-1719
IBM Concert 1.0.0 through 2.1.0 could allow a remote attacker to obtain sensitive information from allocated memory due to improper clearing of heap memory...
SiYuan cross-site scripting vulnerabilities
SiYuan is a privacy-oriented personal knowledge management system developed by SiYuan itself. Versions of SiYuan prior to 3.5.4 contained a cross-site scripting vulnerability. This vulnerability stemmed from the /api/icon/getDynamicIcon endpoint’s improper handling of uncleaned SVG inputs, which...
Progress LoadMaster 安全漏洞
Progress LoadMaster is a high performance Application Delivery Controller ADC and load balancer from Progress, Inc. A security vulnerability exists in Progress LoadMaster that stems from an uncleaned API input parameter, which could lead to the execution of arbitrary commands by an authenticated...