goshs has an empty-username SFTP password authentication bypass

Summary goshs contains an SFTP authentication bypass when the documented empty-username basic-auth syntax is used. If the server is started with -b ':pass' together with -sftp, goshs accepts that configuration but does not install any SFTP password handler. As a result, an unauthenticated network...

EUVD-2025-209373

A cross-site scripting XSS vulnerability in rrweb-snapshot before v2.0.0-alpha.18 allows attackers to execute arbitrary web scripts or HTML via a crafted payload...

EUVD-2025-7132

Malicious code in bioql PyPI...

TOTOLINK Wi-Fi 6 Router Series 安全漏洞

TOTOLINK Wi-Fi 6 Router Series is a series of wireless routers from China's Gion Electronics TOTOLINK. A security vulnerability exists in the TOTOLINK Wi-Fi 6 Router Series X2000R-Gh-V2.0.0 version, which stems from an improperly set default password and could lead to the remote execution of...

GHSA-P46V-F2X8-QP98 pREST has a Systemic SQL Injection Vulnerability

Summary pREST provides a simple way for users to expose access their database via a REST-full API. The project is implemented using the Go programming language and is designed to expose access to Postgres database tables. During an independent review of the project, Doyensec engineers found that...

GHSA-F77Q-R5QM-W4M8 sp1-recursion-gnark-ffi has insufficient range checks of BabyBear arithmetic

The Gnark recursion circuit constrains arithmetic over BabyBear when the native field of the ZKP circuit is the BN254 scalar field. Proper implementation of this logic requires range checking Bn254 values to be less than the BabyBear modulus. In versions 1.2.0, functions like InvF and InvE used...

sp1-recursion-gnark-ffi has insufficient range checks of BabyBear arithmetic

The Gnark recursion circuit constrains arithmetic over BabyBear when the native field of the ZKP circuit is the BN254 scalar field. Proper implementation of this logic requires range checking Bn254 values to be less than the BabyBear modulus. In versions 1.2.0, functions like InvF and InvE used...

CVE-2024-42988

Lack of access control in ChallengeSolves /api/v1/challenges//solves of CTFd v2.0.0 - v3.7.2 allows authenticated users to retrieve a list of users who have solved the challenge, regardless of the Account Visibility settings. The issue is fixed in v3.7.3+...

CVE-2024-42988

Lack of access control in ChallengeSolves /api/v1/challenges//solves of CTFd v2.0.0 - v3.7.2 allows authenticated users to retrieve a list of users who have solved the challenge, regardless of the Account Visibility settings. The issue is fixed in v3.7.3+...

CVE-2024-8608 Stored XSS in Oceanic Software's ValeApp

Improper Neutralization of Input During Web Page Generation XSS or 'Cross-site Scripting' vulnerability in Oceanic Software ValeApp allows Stored XSS. This issue affects ValeApp: before v2.0.0...

CVE-2024-44930

Serilog before v2.1.0 was discovered to contain a Client IP Spoofing vulnerability, which allows attackers to falsify their IP addresses by specifying an arbitrary IP as a value of X-Forwarded-For or Client-Ip headers while performing HTTP requests...

CVE-2024-42482 fish-shop/syntax-check Improper Neutralization of Delimiters

fish-shop/syntax-check is a GitHub action for syntax checking fish shell files. Improper neutralization of delimiters in the pattern input specifically the command separator ; and command substitution characters and mean that arbitrary command injection is possible by modification of the input...

CVE-2024-42482 fish-shop/syntax-check Improper Neutralization of Delimiters

fish-shop/syntax-check is a GitHub action for syntax checking fish shell files. Improper neutralization of delimiters in the pattern input specifically the command separator ; and command substitution characters and mean that arbitrary command injection is possible by modification of the input...

CVE-2024-40400

CVE-2024-40400 is an arbitrary file upload vulnerability in Automad v2.0.0’s image upload function. The underlying issue allows an attacker to upload a crafted file and execute arbitrary code on the server. CVSSv3.1 base metrics indicate network access, low attack complexity, and required privile...

CVE-2024-40400

An arbitrary file upload vulnerability in the image upload function of Automad v2.0.0 allows attackers to execute arbitrary code via a crafted file...

CVE-2024-35222

CVE-2024-35222 affects Tauri; remote origin iFrames can bypass origin checks to access IPC endpoints when not explicitly allowed (v1: before 1.6.7; v2: before 2.0.0-beta.19). Vulnerability enables an attacker-controlled iframe to invoke Tauri commands (e.g., delete project, transfer credits) via ...

CVE-2023-49473

Shenzhen JF6000 Cloud Media Collaboration Processing Platform firmware version V1.2.0 and software version V2.0.0 build 6245 is vulnerable to Incorrect Access Control...

CVE-2024-25168

SQL injection vulnerability in snow snow v.2.0.0 allows a remote attacker to execute arbitrary code via the dataScope parameter of the system/role/list interface...

CVE-2024-25164

iA Path Traversal vulnerability exists in iDURAR v2.0.0, that allows unauthenticated attackers to expose sensitive files via the download functionality...

Path traversal

iA Path Traversal vulnerability exists in iDURAR v2.0.0, that allows unauthenticated attackers to expose sensitive files via the download functionality...