Astra Linux - уязвимость в linux-5.10, linux-5.15

In the Linux kernel, the following vulnerabilities have been resolved: IB/hfi1: Fixed bugs related to non-PAGESIZE-end multi-iovec user SDMA requests. The processing of hfi1 user SDMA requests contains two bugs that can cause data corruption for user SDMA requests with multiple payload iovecs. In...

EUVD-2026-26157

modsql in ProFTPD before 1.3.10rc1 allows remote attackers to execute arbitrary code via a username, in scenarios where there is logging of USER requests with an expansion such as %U, and the SQL backend allows commands e.g., COPY TO PROGRAM...

CVE-2026-42167

modsql in ProFTPD before 1.3.9a allows remote attackers to execute arbitrary code via a username, in scenarios where there is logging of USER requests with an expansion such as %U, and the SQL backend allows commands e.g., COPY TO PROGRAM...

CVE-2025-36411

IBM ApplinX 11.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts...

CVE-2021-22954

A cross-site request forgery vulnerability exists in Concrete CMS...

EUVD-2025-35612

Improper authorization in the temporary access workflow of Devolutions Server 2025.2.12.0 and earlier allows an authenticated basic user to self-approve or approve the temporary access requests of other users and gain unauthorized access to vaults and entries via crafted API requests...

EUVD-2003-0550

Malware in sbrugna...

EUVD-2011-1948

Malware in sbrugna...

EUVD-2016-5827

Malware in sbrugna...

EUVD-2021-30603

Malicious code in bioql PyPI...

DEBIAN-CVE-2025-38516

In the Linux kernel, the following vulnerability has been resolved: pinctrl: qcom: msm: mark certain pins as invalid for interrupts On some platforms, the UFS-reset pin has no interrupt logic in TLMM but is nevertheless registered as a GPIO in the kernel. This enables the user-space to trigger a...

E-Commerce Site Cross-Site Request Forgery Vulnerability

E-Commerce Site is an e-commerce site. E-Commerce Site suffers from a cross-site request forgery vulnerability that stems from the WEB application not adequately verifying that a request is coming from a trusted user. No details of the vulnerability are available at this time...

CVE-2022-3764

The plugin does not filter the "deleteentries" parameter from user requests, leading to an SQL Injection vulnerability...

CVE-2024-7764

Vanna-ai v0.6.2 is vulnerable to SQL Injection due to insufficient protection against injecting additional SQL commands from user requests. The vulnerability occurs when the generatesql function calls extractsql with the LLM response. An attacker can include a semi-colon between a search data fie...

CVE-2025-29927 Authorization Bypass in Next.js Middleware

Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to ...

CVE-2024-7764 SQL Injection in vanna-ai/vanna

Vanna-ai v0.6.2 is vulnerable to SQL Injection due to insufficient protection against injecting additional SQL commands from user requests. The vulnerability occurs when the generatesql function calls extractsql with the LLM response. An attacker can include a semi-colon between a search data fie...

CVE-2022-36099

XWiki Platform Wiki UI Main Wiki is software for managing subwikis on XWiki Platform, a generic wiki platform. Starting with version 5.3-milestone-2 and prior to versions 13.10.6 and 14.4, it's possible to inject arbitrary wiki syntax including Groovy, Python and Velocity script macros via the...

Apache Syncope: Stored XSS in Console and Enduser

When editing objects in the Syncope Console, incomplete HTML tags could be used to bypass HTML sanitization. This made it possible to inject stored XSS payloads which would trigger for other users during ordinary usage of the application. XSS payloads could also be injected in Syncope Enduser whe...

CVE-2024-45031

Apache Syncope is affected by a Stored XSS vulnerability (CVE-2024-45031) due to incomplete HTML sanitization when editing objects in the Syncope Console and Enduser interfaces. This can allow injection of XSS payloads that trigger for other users during normal usage and could lead to session hij...

CVE-2024-45031 Apache Syncope: Stored XSS in Console and Enduser

When editing objects in the Syncope Console, incomplete HTML tags could be used to bypass HTML sanitization. This made it possible to inject stored XSS payloads which would trigger for other users during ordinary usage of the application. XSS payloads could also be injected in Syncope Enduser whe...