
29 matches found

AstraLinux · added 2026/05/20 5:53 a.m. · 0 views

Astra Linux - vulnerability in python-tornado

Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, a single maliciously crafted HTTP request can block the server’s event loop for an extended period, due to the use of the HTTPHeaders.add method. This method accumulates values using string...

CVSS 7.5 · AI score 7 · EPSS 0.00212 · Exploits 0 · References 1
NVD · added 2026/03/24 8:16 p.m. · 1 view

CVE-2026-33326

Keystone is a content management system for Node.js. Prior to version 6.5.2, field.isFilterable access control can be bypassed in findMany queries by passing a cursor. This can be used to confirm the existence of records by protected field values. The fix for CVE-2025-46720 field-level isFilterab...

CVSS 4.3 · EPSS 0.00013 · Exploits 0 · References 1
Cvelist · added 2026/03/24 7:08 p.m. · 21 views

CVE-2026-33326 @keystone-6/core: `isFilterable` bypass via `cursor` parameter in findMany

Keystone is a content management system for Node.js. Prior to version 6.5.2, field.isFilterable access control can be bypassed in findMany queries by passing a cursor. This can be used to confirm the existence of records by protected field values. The fix for CVE-2025-46720 field-level isFilterab...

CVSS 4.3 · EPSS 0.00013 · Exploits 0 · References 1
OSV · added 2025/12/12 6:15 a.m. · 0 views

UBUNTU-CVE-2025-67725

Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, a single maliciously crafted HTTP request can block the server's event loop for an extended period, caused by the HTTPHeaders.add method. The function accumulates values using string concatenation...

CVSS 7.5 · AI score 5.9 · EPSS 0.00212 · Exploits 0 · References 6
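The two Tornado entries above (the Astra Linux one and UBUNTU-CVE-2025-67725) both describe header values being accumulated by string concatenation so that one crafted request ties up the event loop. As an added illustration that is not Tornado's code and is not taken from either advisory, the Python below compares a header store that concatenates duplicate values on every add() with one that keeps a list and joins on read, driven by a constructed request carrying one header name repeated many times. The class names, the `bytes_written` counter and the `max_header_bytes` cap are assumptions made for the example; the counter exists only so the quadratic cost is visible deterministically, without timing.

```python
"""Added illustration of repeated-header accumulation cost.

Not Tornado's code: a minimal header store in two variants, one that
concatenates duplicate values on every add() (quadratic work) and one
that appends to a list and joins once on read (linear work).
"""


class ConcatHeaders:
    """Stores duplicate header values by concatenating onto one string.

    Every add() for an existing name rewrites the whole accumulated
    value, so n repeated headers cost roughly n^2 bytes of copying. The
    bytes_written counter is an assumption of this example, added to
    make that cost measurable; it is not part of any real API.
    """

    def __init__(self):
        self._store = {}
        self.bytes_written = 0

    def add(self, name, value):
        key = name.lower()
        if key in self._store:
            merged = self._store[key] + "," + value
            self.bytes_written += len(merged)  # whole string is rewritten
            self._store[key] = merged
        else:
            self.bytes_written += len(value)
            self._store[key] = value

    def get(self, name):
        return self._store.get(name.lower())


class ListHeaders:
    """Same interface, but duplicate values are appended to a list and
    joined only when read. Also enforces a total-size cap (assumed
    default of 64 KiB) so one request cannot grow the table without
    bound; the cap value is an assumption for this example.
    """

    def __init__(self, max_header_bytes=64 * 1024):
        self._store = {}
        self.bytes_written = 0
        self._total = 0
        self.max_header_bytes = max_header_bytes

    def add(self, name, value):
        self._total += len(name) + len(value)
        if self._total > self.max_header_bytes:
            raise ValueError("header block exceeds %d bytes" % self.max_header_bytes)
        self.bytes_written += len(value)  # only the new value is stored
        self._store.setdefault(name.lower(), []).append(value)

    def get(self, name):
        values = self._store.get(name.lower())
        return None if values is None else ",".join(values)


def repeated_header(name, count, value="v"):
    """Constructed input: one header name repeated `count` times, the
    shape of request that exercises the concatenation path."""
    return [(name, value)] * count


def load(headers_cls, pairs, **kwargs):
    """Feed all (name, value) pairs through add() and return the store."""
    headers = headers_cls(**kwargs)
    for name, value in pairs:
        headers.add(name, value)
    return headers


def work_ratio(n):
    """Bytes written by the concatenating store divided by the list
    store for n copies of a one-byte value: n^2 / n, i.e. n."""
    concat = load(ConcatHeaders, repeated_header("X-Dup", n))
    listed = load(ListHeaders, repeated_header("X-Dup", n))
    assert concat.get("x-dup") == listed.get("X-Dup")  # same observable result
    return concat.bytes_written / listed.bytes_written


if __name__ == "__main__":
    for n in (1000, 2000, 4000):
        print(n, work_ratio(n))
```

Both stores return the identical comma-joined value, so the difference is invisible to callers; doubling the number of repeated headers doubles the ratio, which is the signature of quadratic work on the concatenating side. The size cap is defence in depth and is independent of the data-structure fix.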
Positive Technologies · added 2025/12/12 12:00 a.m. · 1 view

PT-2025-50883

Name of the Vulnerable Software and Affected Versions: Tornado versions 6.5.2 and below. Description: Tornado, a Python web framework and asynchronous networking library, has an issue where the reason phrase supplied to functions like RequestHandler.set_status and tornado.web.HTTPError is used witho...

CVSS 9.8 · AI score 6.1 · EPSS 0.00438 · Exploits 2 · References 132
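The PT-2025-50883 entry above says the reason phrase handed to RequestHandler.set_status or tornado.web.HTTPError is used without validation, but the snippet is cut off before the consequence. The added Python below is not Tornado's code; it assumes the phrase is written into the HTTP/1.1 status line, where a CR/LF inside it would end the line early and let the rest be read by the client as header lines, and it contrasts an unvalidated status-line builder with one that enforces the RFC 9112 reason-phrase grammar. The function names and the constructed malicious phrase are assumptions for the example.

```python
"""Added illustration of reason-phrase validation for an HTTP status line.

Not Tornado's code. Contrasts a status-line builder that trusts a
caller-supplied reason phrase with one that applies the RFC 9112 rule
reason-phrase = 1*( HTAB / SP / VCHAR / obs-text ), where CR and LF
terminate the status line. The status line's reason phrase is optional,
so an empty phrase is accepted here.
"""
import re

# Tab, space and visible ASCII only. obs-text (0x80-0xFF) is deliberately
# left out so non-ASCII is rejected rather than passed through unencoded;
# that stricter choice is an assumption of this example.
_REASON_PHRASE = re.compile(r"[\t\x20-\x7e]*")


def status_line_unvalidated(code, reason):
    """Vulnerable pattern: the reason phrase goes straight into the line."""
    return "HTTP/1.1 %d %s\r\n" % (code, reason)


def status_line_validated(code, reason):
    """Hardened: reject codes outside 100-599 and any reason phrase that
    is not a single line of tab, space and visible ASCII."""
    if not isinstance(code, int) or not 100 <= code <= 599:
        raise ValueError("status code out of range: %r" % (code,))
    if not isinstance(reason, str) or _REASON_PHRASE.fullmatch(reason) is None:
        raise ValueError("reason phrase contains control or non-ASCII characters")
    return "HTTP/1.1 %d %s\r\n" % (code, reason)


def parse_status_line(wire):
    """What a client sees: the first CRLF ends the status line; every
    non-empty CRLF-separated segment after it is taken as a header line."""
    line, _, rest = wire.partition("\r\n")
    version, code, reason = line.split(" ", 2)
    headers = [seg for seg in rest.split("\r\n") if seg]
    return {"version": version, "code": int(code), "reason": reason, "headers": headers}


# Constructed attacker-controlled phrase (not from any real request): a
# plausible reason followed by CRLF and a header of the attacker's choosing.
MALICIOUS_REASON = "OK\r\nSet-Cookie: session=attacker"


def demo():
    """Returns (header lines the client would parse out of the unvalidated
    status line, whether the validated builder rejected the same phrase)."""
    injected = parse_status_line(status_line_unvalidated(200, MALICIOUS_REASON))["headers"]
    try:
        status_line_validated(200, MALICIOUS_REASON)
        rejected = False
    except ValueError:
        rejected = True
    return injected, rejected


if __name__ == "__main__":
    print(demo())
```

The validated builder raises before anything reaches the socket, which is the behaviour a practitioner would want from a framework-level setter rather than from every call site.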
NVD · added 2025/11/05 7:15 p.m. · 4 views

CVE-2025-31954

HCL iAutomate v6.5.1 and v6.5.2 are susceptible to a sensitive information disclosure. An HTTP GET method is used to process a request and includes sensitive information in the query string of that request. An attacker could potentially access information or resources they were not intended to see...

CVSS 5.4 · EPSS 0.00042 · Exploits 0 · References 1
EUVD · added 2025/10/03 8:07 p.m. · 1 view

EUVD-2025-15725

Malicious code in bioql PyPI...

CVSS 7.6 · AI score 6.5 · EPSS 0.00727 · Exploits 0 · References 2
RedhatCVE · added 2025/05/21 4:39 p.m. · 8 views

CVE-2025-26621

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.5.2, any user with the capability to manage customizations can edit a webhook that will execute JavaScript code. This can be abused to cause a denial of service attack by prototype...

CVSS 7.6 · AI score 6.9 · EPSS 0.00727 · Exploits 0 · References 1
Cvelist · added 2025/05/19 4:01 p.m. · 8 views

CVE-2025-26621 OpenCTI vulnerable to Denial of Service through web hook

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.5.2, any user with the capability to manage customizations can edit a webhook that will execute JavaScript code. This can be abused to cause a denial of service attack by prototype...

CVSS 7.6 · EPSS 0.00727 · Exploits 0 · References 2
CVE · added 2025/05/19 4:01 p.m. · 24 views

CVE-2025-26621

OpenCTI vulnerability CVE-2025-26621: Prior to version 6.5.2, users with the capability to manage customizations can edit a webhook that executes JavaScript code. This can be abused to trigger a denial-of-service via prototype pollution, rendering the Node.js server running the OpenCTI frontend u...

CVSS 7.6 · AI score 7.5 · EPSS 0.00727 · Exploits 0 · References 2 · Affected Software 1
Vulnrichment · added 2025/05/19 4:01 p.m. · 7 views

CVE-2025-26621 OpenCTI vulnerable to Denial of Service through web hook

OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.5.2, any user with the capability to manage customizations can edit a webhook that will execute JavaScript code. This can be abused to cause a denial of service attack by prototype...

CVSS 7.6 · AI score 7.4 · EPSS 0.00727 · Exploits 0 · References 2
Positive Technologies · added 2025/05/19 12:00 a.m. · 2 views

PT-2025-22013 · Node.Js +1 · Node.Js +1

Name of the Vulnerable Software and Affected Versions: OpenCTI versions prior to 6.5.2 Description: The issue affects an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.5.2, any user with the capability to manage customizations can edit a...

CVSS 7.6 · AI score 6.4 · EPSS 0.00727 · Exploits 0 · References 7
Microsoft CVE · added 2025/03/19 7:00 a.m. · 1 view

An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.

...

CVSS 5.3 · AI score 5.9 · EPSS 0.00105 · Exploits 0
NVD · added 2025/02/14 1:15 p.m. · 7 views

CVE-2025-24566

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tomáš Groulík Intro Tour Tutorial DeepPresentation dp-intro-tours allows Reflected XSS. This issue affects Intro Tour Tutorial DeepPresentation: from n/a through <= 6.5.2...

CVSS 7.1 · EPSS 0.00178 · Exploits 0 · References 1
Positive Technologies · added 2024/07/29 12:00 a.m. · 1 view

PT-2024-35467 · Unknown · Wp-Affiliate-Platform

Name of the Vulnerable Software and Affected Versions: wp-affiliate-platform versions prior to 6.5.2 Description: The issue concerns a lack of CSRF check when deleting affiliates, which could allow attackers to make a logged-in user change or delete them via a CSRF attack. Recommendations: For...

CVSS 5.5 · AI score 6.9 · EPSS 0.00149 · Exploits 1 · References 4
Wordfence Blog · added 2024/04/10 5:02 p.m. · 44 views

Unauthenticated Stored Cross-Site Scripting Vulnerability Patched in WordPress Core

WordPress 6.5.2 was released yesterday, on April 9, 2024. It included a single security patch, along with a handful of bug fixes. The security patch was for a Stored Cross-Site Scripting vulnerability that could be exploited by both unauthenticated users, when a comment block is present on a page...

CVSS 6.4 · AI score 5.8 · EPSS 0.90981 · Exploits 4
Positive Technologies · added 2023/06/04 12:00 a.m. · 2 views

PT-2023-3489 · Qt Company +8 · Qt +8

Name of the Vulnerable Software and Affected Versions: Qt versions prior to 5.15.15; Qt versions 6.x prior to 6.2.9; Qt versions 6.3.x through 6.5.x prior to 6.5.2. Description: The issue is related to errors in the certificate authentication procedure, which can allow a remote attacker to bypass...

CVSS 9.8 · AI score 6.8 · EPSS 0.00385 · Exploits 3 · References 200
CNVD · added 2020/06/05 12:00 a.m. · 1 view

Elliptic package input validation error vulnerability

Elliptic package is a JavaScript-based elliptic curve cryptographic library. A security vulnerability exists in Elliptic package version 6.5.2 for Node.js. An attacker can exploit the vulnerability to elevate privileges...

CVSS 7.7 · AI score 9.4 · EPSS 0.00411 · Exploits 1 · References 1
0day.today · added 2020/05/12 12:00 a.m. · 41 views

Druva inSync inSyncCPHwnet64.exe RPC Type 5 Privilege Escalation Exploit

Druva inSync client for Windows exposes a network service on TCP port 6064 on the local network interface. inSync versions 6.5.2 and prior do not validate user-supplied program paths in RPC type 5 messages, allowing execution of arbitrary commands as SYSTEM. This Metasploit module has been tested...

CVSS 7.8 · AI score 0.5 · EPSS 0.16557 · Exploits 7
Elastic · added 2018/12/05 7:42 p.m. · 4 views

Elastic Stack 6.5.2 security update

Elasticsearch information disclosure ESA-2018-19: Elasticsearch Security versions 6.5.0 and 6.5.1 contain an XXE flaw in Machine Learning’s find_file_structure API. If a policy allowing external network access has been added to Elasticsearch’s Java Security Manager then an attacker could send a...

CVSS 5.9 · AI score 5.9 · EPSS 0.0028 · Exploits 0