18 matches found
CVE-2026-49328 Apache Fesod (Incubating): Improper validation of user-supplied URLs leading to SSRF
Server-Side Request Forgery (SSRF) in the UrlImageConverter component of Apache Fesod (Incubating) fesod-sheet before 2.0.2-incubating allows attackers to cause outbound network requests to internal or otherwise restricted resources via a user-supplied image URL. Users are recommended to upgrade to...
PT-2026-45399
Name of the Vulnerable Software and Affected Versions: Apache Fesod (Incubating) fesod-sheet versions prior to 2.0.2-incubating Description: Server-Side Request Forgery (SSRF) in the UrlImageConverter component allows attackers to trigger outbound network requests to internal or restricted resources by...
Cross-site Request Forgery (CSRF)
Overview Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) via the put function. An attacker can overwrite or create arbitrary files in the webroot by enticing a user to visit a malicious website, which then issues crafted PUT requests through the victim's browse...
Insecure Default Initialization of Resource
Overview engramx is a The context spine for AI coding agents. 9 built-in providers + mcpConfig plugin contract wrap any MCP server in 10 lines, generic MCP-client aggregator stdio, pre-mortem mistake-guard, bi-temporal mistake memory, Anthropic Auto-Memory bridge, SSE stre Affected versions of th...
Permissive List of Allowed Inputs
Overview express-xss-sanitizer is an Express 4.x middleware which sanitizes user input data in req.body, req.query, req.headers and req.params to prevent Cross Site Scripting (XSS) attack. Affected versions of this package are vulnerable to Permissive List of Allowed Inputs through the...
K000159707: NPM vulnerability CVE-2025-59145
Security Advisory Description color-name is a JSON with CSS color names. On 8 September 2025, an npm publishing account for color-name was taken over after a phishing attack. Version 2.0.1 was published, functionally identical to the previous patch version, but with a malware payload added...
Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in multer-2.0.1.tgz
Summary Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in multer-2.0.1.tgz Vulnerability Details CVEID:CVE-2025-7338 DESCRIPTION: Multer is a node.js middleware for handling multipart/form-data. A vulnerability that is present starting in version 1.4.4-lts....
CVE-2025-59145 color-name@2.0.1 contains malware after npm account takeover
color-name is a JSON with CSS color names. On 8 September 2025, an npm publishing account for color-name was taken over after a phishing attack. Version 2.0.1 was published, functionally identical to the previous patch version, but with a malware payload added attempting to redirect cryptocurrenc...
PT-2025-14932 · Joomsky · Joomsky Js Job Manager
Name of the Vulnerable Software and Affected Versions: JoomSky JS Job Manager versions n/a through 2.0.2 Description: The issue is related to an Improper Control of Filename for Include/Require Statement in PHP Program, also known as 'PHP Remote File Inclusion' vulnerability. This allows PHP Loca...
Security Bulletin: Vulnerability in Perl affects IBM watsonx.data
Summary For CVE-2020-10878, if a user submits a specially-crafted regular expression and it is used in a regex by watsonx.data, this may cause an instruction injection. Currently, IBM watsonx.data is not vulnerable to the vulnerabilities described in CVE-2020-10543, CVE-2020-12723 and...
PT-2024-22139
Name of the Vulnerable Software and Affected Versions: TOMP Bare Server versions prior to 2.0.2 Description: A vulnerability in TOMP Bare Server relates to insecure handling of HTTP requests by the @tomphttp/bare-server-node package. This flaw potentially exposes the users of the package to...
PT-2024-10571 · Go4Rayyan · Scumblr
Name of the Vulnerable Software and Affected Versions: go4rayyan Scumblr versions up to 2.0.1a Description: A problematic issue has been found in the component Task Handler, leading to cross site scripting. The manipulation can be launched remotely. It is estimated that some unknown functionality...
Command Injection
Overview git-commit-info is a Get the info of an specific commit hash Affected versions of this package are vulnerable to Command Injection such that the package-exported method gitCommitInfo fails to sanitize its parameter commit, which later flows into a sensitive command execution API. As a...
UBUNTU-CVE-2022-39394
Wasmtime is a standalone runtime for WebAssembly. Prior to version 2.0.2, there is a bug in Wasmtime's C API implementation where the definition of the `wasmtime_trap_code` does not match its declared signature in the `wasmtime/trap.h` header file. This discrepancy causes the function implementation to...
UBUNTU-CVE-2022-39393
Wasmtime is a standalone runtime for WebAssembly. Prior to versions 2.0.2 and 1.0.2, there is a bug in Wasmtime's implementation of its pooling instance allocator where when a linear memory is reused for another instance the initial heap snapshot of the prior instance can be visible, erroneously ...
Deserialization of Untrusted Data
Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data using YAML.load if the response is a YAML type. This is exploitable only if the attacker is in control of an opensearch server and convinces the victim to connect to it. Details Serialization is a proce...
Open Redirect
Overview koa-remove-trailing-slashes is a Koa middleware that makes sure all requests do not have trailing slashes. Affected versions of this package are vulnerable to Open Redirect via the use of trailing double slashes in the URL when accessing the vulnerable endpoint such as...
Command Injection
Overview image-tiler is a package that creates zoom tile pyramids from a large image. There are other packages very similar to this one, but none did exactly what I needed, so I made mine. Affected versions of this package are vulnerable to Command Injection. PoC var tile =...