PT-2026-42671
Impact: A remote peer can crash any full node by sending a RequestBatchSet message containing the genesis block's hash. The handler calls get_epoch_chunks, which iterates backwards through macro blocks using Policy::macro_block_before. When it reaches the genesis block number, macro_block_before...
Netmaker does not verify JWT signatures for host tokens
Netmaker by Gravitl is an open-source WireGuard-based networking platform for creating and managing virtual overlay networks. The VerifyHostToken function in logic/jwts.go does not validate the JWT signature when verifying host tokens. After calling jwt.ParseWithClaims, the function only checks...
CVE-2026-30993
Slah CMS v1.5.0 and below was discovered to contain a remote code execution (RCE) vulnerability in the session function at config.php. This vulnerability is exploitable via a crafted input...
PT-2025-49569
Name of the Vulnerable Software and Affected Versions: HummerRisk versions through 1.5.0. Description: HummerRisk is affected by an issue stemming from a vulnerable Snakeyaml component, potentially allowing attackers to achieve Remote Code Execution (RCE) and gain control of the server. Recommendation...
CVE-2025-63721
CVE-2025-63721 affects HummerRisk through v1.5.0, where a vulnerable SnakeYAML component enables remote code execution via the /rule/add API by attackers with normal user privileges. Documented across NVD/Red Hat/ENISA/CVE lists, with PoC reported and guidance to update beyond 1.5.0. No exploit d...
EUVD-2021-28516
Malicious code in bioql PyPI...
GHSA-PR72-8FXW-XX22 Default Credentials in nginx-defender Configuration Files
Impact: This is a configuration vulnerability affecting nginx-defender deployments. Example configuration files (config.yaml, docker-compose.yml) contain default credentials (defaultpassword: "changemeplease", GF_SECURITY_ADMIN_PASSWORD=admin123). If users deploy nginx-defender without changing these...
CVE-2024-38533
ZKsync Era is a layer 2 rollup that uses zero-knowledge proofs to scale Ethereum. There is possible invalid stack access due to the addresses used to access the stack not properly being converted to cells. This issue has been patched in version 1.5.0...
CVE-2024-31452
OpenFGA CVE-2024-31452 affects OpenFGA v1.5.0+ with an authorization bypass when calling Check or ListObjects APIs. The root cause relates to exclusion or intersection models (e.g., a but not b, or a and b). The issue is fixed in v1.5.3; remediation is to upgrade to v1.5.3 (or later) to mitigate....
GHSA-PMC7-HMMW-G96Q Bagisto vulnerable to Insecure Direct Object Reference (IDOR)
Insecure Direct Object Reference (IDOR) in Bagisto v.1.5.0 allows an attacker to obtain sensitive information via the invoice ID parameter...
BIT-ARGO-CD-2020-8826
As of v1.5.0, the Argo web interface authentication system issued immutable tokens. Authentication tokens, once issued, were usable forever without expiration—there was no refresh or forced re-authentication...
GHSA-23PX-MW2P-46QM Cosmos-SDK Cosmovisor component may be vulnerable to denial of service
Component: Cosmovisor. Criticality: Medium. Affected Versions: Cosmovisor v1.0.0 distributed with Cosmos-SDK 0.46. Affected Users: Validators and Node operators utilizing unsupported versions of Cosmovisor. Impact: DOS, potential RCE on node depending on configuration. An issue has been identified on...
Cross site scripting vulnerability with discussion titles
Flarum's page title system allowed for page titles to be converted into HTML DOM nodes when pages were rendered. The change was made after v1.5 and was not noticed. This allowed an attacker to inject malicious HTML markup using a discussion title input, either by creating a new discussion or...
Design/Logic Flaw
Flarum is an open source discussion platform. Flarum's page title system allowed for page titles to be converted into HTML DOM nodes when pages were rendered. The change was made after v1.5 and was not noticed. This allowed an attacker to inject malicious HTML markup using a discussion title inpu...
CVE-2022-41938
CVE-2022-41938 (Flarum): XSS in Flarum occurs because the page title system could convert titles into HTML DOM nodes, allowing attacker-controlled HTML markup via a discussion title input. Affected versions: 1.5.0–1.6.1. Impact is browser-based XSS on the discussion page when opened. Remediation:...
CVE-2022-41443
phpipam v1.5.0 was discovered to contain a header injection vulnerability via the component /admin/subnets/ripe-query.php...
Design/Logic Flaw
phpipam v1.5.0 was discovered to contain a header injection vulnerability via the component /admin/subnets/ripe-query.php...
CVE-2022-41443
CVE-2022-41443 affects phpIPAM 1.5.0, where the vulnerability exists in the component /admin/subnets/ripe-query.php. The root cause is header injection due to inadequate input validation, enabling attackers to inject/modify HTTP headers. The NVD entry lists a high-severity impact (C/H, I/H, A/H) ...