
41 matches found

RedHat Linux | added 3 days ago | 7 views

python: cpython: Python: Arbitrary code execution via command injection in webbrowser.open() API

A flaw was found in the Python webbrowser.open API. If a specially crafted URL containing "%action" is processed, an attacker could bypass a previous mitigation for CVE-2026-4519. This bypass allows for command injection into the underlying shell, potentially leading to arbitrary code execution...

CVSS 7 | AI score 6.1 | EPSS 0.00216 | Exploits 0 | References 7
NVD | added 2026/04/24 1:16 a.m. | 6 views

CVE-2026-31956

Xibo is an open source digital signage platform with a web content management system and Windows display player software. Prior to version 4.4.1, any authenticated user can manually construct a URL to preview campaigns/regions, and export saved reports belonging to other users. Exploitation of th...

CVSS 4.3 | EPSS 0.00265 | Exploits 0 | References 2
RedHat Linux | added 2026/04/09 9:06 a.m. | 3 views

python: Python: Command-line option injection in webbrowser.open() via crafted URLs

A flaw was found in Python. The webbrowser.open API, used to launch web browsers, does not properly sanitize input. This allows a remote attacker to craft a malicious URL containing leading dashes. When such a URL is opened, certain web browsers may interpret these dashes as command-line options,...

CVSS 7 | AI score 6.3 | EPSS 0.00216 | Exploits 0 | References 7
RedhatCVE | added 2026/02/10 3:09 a.m. | 6 views

CVE-2026-25765

A flaw was found in Faraday, an HTTP client library. The buildexclusiveurl method, which combines a base URL with a user-supplied path, incorrectly processes protocol-relative URLs (e.g. //evil.com/path). This allows a remote attacker to supply a specially crafted URL, leading to Server-Side Reque...

CVSS 5.8 | AI score 5.4 | EPSS 0.00351 | Exploits 0 | References 6
EUVD | added 2025/10/07 12:30 a.m. | 10 views

EUVD-2018-20682

Malware in sbrugna...

CVSS 9.8 | AI score 8.9 | EPSS 0.01235 | Exploits 0 | References 2
EUVD | added 2025/10/07 12:30 a.m. | 3 views

EUVD-2017-10141

Malware in sbrugna...

CVSS 3.3 | AI score 4.7 | EPSS 0.00347 | Exploits 0 | References 4
EUVD | added 2025/10/03 8:07 p.m. | 4 views

EUVD-2022-2491

Malicious code in bioql PyPI...

CVSS 4.3 | AI score 5.1 | EPSS 0.00513 | Exploits 0 | References 2
EUVD | added 2025/10/03 8:07 p.m. | 4 views

EUVD-2024-2787

Malicious code in bioql PyPI...

CVSS 6.1 | AI score 6.2 | EPSS 0.00546 | Exploits 0 | References 6
EUVD | added 2025/10/03 8:07 p.m. | 3 views

EUVD-2024-2676

Malicious code in bioql PyPI...

CVSS 9 | AI score 6.4 | EPSS 0.00461 | Exploits 1 | References 5
EUVD | added 2025/10/03 8:07 p.m. | 6 views

EUVD-2022-5736

Malicious code in bioql PyPI...

CVSS 8.8 | AI score 8.4 | EPSS 0.00683 | Exploits 0 | References 5
RedhatCVE | added 2025/05/22 9:31 p.m. | 9 views

CVE-2021-21679

Jenkins Azure AD Plugin 179.vf6841393099e and earlier allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins...

CVSS 8.8 | AI score 6.7 | EPSS 0.00683 | Exploits 0 | References 1
CVE | added 2025/03/26 4:13 p.m. | 59 views

CVE-2025-30164

The CVE-2025-30164 issue in Icinga Web 2 is an open redirect vulnerability affecting versions before 2.11.5 and 2.12.13, where an authenticated (or easily authenticated) user could be redirected to an arbitrary location via a crafted URL. The root cause is the backend's redirect logic allowing ar...

CVSS 6.1 | AI score 6.7 | EPSS 0.00231 | Exploits 0 | References 3 | Affected Software 1
NVD | added 2025/01/22 5:15 p.m. | 14 views

CVE-2025-24398

Jenkins Bitbucket Server Integration Plugin 2.1.0 through 4.1.3 (both inclusive) allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins...

CVSS 8.8 | EPSS 0.00285 | Exploits 0 | References 1
CVE | added 2025/01/22 5:02 p.m. | 82 views

CVE-2025-24398

The CVE-2025-24398 entry corresponds to a CSRF bypass vulnerability in the Jenkins Bitbucket Server Integration Plugin. Affected versions 2.1.0–4.1.3 implement an overly permissive extension point that can disable CSRF protection for arbitrary URLs, enabling attackers to craft links that bypass C...

CVSS 8.8 | AI score 6.9 | EPSS 0.00285 | Exploits 0 | References 1 | Affected Software 1
OSV | added 2024/08/13 4:15 a.m. | 5 views

CVE-2024-41732

SAP NetWeaver Application Server ABAP allows an unauthenticated attacker to craft a URL link that could bypass allowlist controls. Depending on the web applications provided by this server, the attacker might inject CSS code or links into the web application that could allow the attacker to read ...

CVSS 5.4 | AI score 5.9 | Exploits 0 | References 2
NVD | added 2024/08/12 3:15 p.m. | 15 views

CVE-2024-33536

An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. The vulnerability occurs due to inadequate input validation of the res parameter, allowing an authenticated attacker to inject and execute arbitrary JavaScript code within the context of another user's browser session. By uploading...

CVSS 5.4 | EPSS 0.00246 | Exploits 0 | References 2
OSV | added 2024/03/06 10:53 a.m. | 14 views

BIT-AIRFLOW-2023-40712 Apache Airflow: Secrets can be unmasked in the "Rendered Template"

Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated users who have access to see the task/dag in the UI to craft a URL which could lead to unmasking the secret configuration of the task that otherwise would be masked in the UI. Users are strongly...

CVSS 6.5 | AI score 6.3 | EPSS 0.01476 | Exploits 0 | References 4
Veracode | added 2023/12/13 6:48 p.m. | 25 views

Denial Of Service (DoS)

nuxt-api-party is vulnerable to Denial of Service (DoS). The vulnerability could be exploited via crafting a malicious URL and setting high retry attempts, which allows an attacker to trigger a recursive error handling loop, crashing the server and potentially disrupting service for legitimate user...

CVSS 7.5 | AI score 6.7 | EPSS 0.00804 | Exploits 1 | References 3 | Affected Software 1
Hacker One | added 2023/04/27 2:52 p.m. | 15 views

LinkedIn: CSRF that makes any linkedin user follow attacker controlled accounts by simply clicking https://www.linkedin.com/comm/mynetwork/discovery-see-all/*

A CSRF vulnerability was identified that could potentially cause a LinkedIn user to follow an attacker-controlled account without additional confirmation by clicking a specially crafted URL...

AI score 7 | Exploits 0
OSV | added 2022/05/17 12:00 a.m. | 14 views

GHSA-545F-PGP7-FWJF Log value insertion in craftercms

An anonymous user can craft a URL with text that ends up in the log viewer as is. The text can then include textual messages to mislead the administrator...

CVSS 4.3 | AI score 4.4 | EPSS 0.00513 | Exploits 0 | References 2