34 matches found

CVE · added 2 days ago · 10 views

CVE-2026-49361

CVE-2026-49361: Apache Fluss Netty frame-decoder memory exhaustion vulnerability. Affected: Apache Fluss (incubating) versions prior to 0.9.1 (0.8.0 and 0.9.0). Root cause: Netty LengthFieldBasedFrameDecoder configured with Integer.MAX_VALUE as the maximum frame length. Impact: unauthenticated remo...

CVSS 7.5 · AI score 5.8 · EPSS 0.00154
Exploits 0 · References 2 · Affected Software 1
Vulnrichment · added 2026/05/12 7:37 p.m. · 4 views

CVE-2026-44220 ciguard: discover_pipeline_files follows symlinks out of scan root

ciguard is a static security auditor for CI/CD pipelines. From 0.8.0 to 0.8.1, the discover_pipeline_files function in src/ciguard/discovery.py walks a directory tree following symlinks, with cycle protection via tracking visited resolved paths. An attacker who can plant a symlink in a directory t...

CVSS 3.2 · AI score 5.8 · EPSS 0.00004
Exploits 0 · References 1
CNNVD · added 2026/05/10 12:00 a.m. · 3 views

MiniClaw command injection vulnerability

MiniClaw is an AI memory and evolution tool developed by a personal developer. Versions 0.8.0 and 0.9.0 of MiniClaw contain command injection vulnerabilities. These vulnerabilities stem from the function resolveSkillScriptPath in the System Command Handler component's src/kernel.ts file, which...

CVSS 5.5 · AI score 6.1 · EPSS 0.02039
Exploits 0 · References 1
Vulnrichment · added 2026/04/01 7:56 p.m. · 2 views

CVE-2026-34455 Hi.Events: SQL Injection via Unvalidated sort_by Query Parameter in Multiple Repository Classes

Hi.Events is an open-source event management and ticket selling platform. From version 0.8.0-beta.1 to before version 1.7.1-beta, multiple repository classes pass the user-supplied sort_by query parameter directly to Eloquent's orderBy without validation, enabling SQL injection. The application us...

CVSS 8.7 · AI score 5.8 · EPSS 0.00037
Exploits 1 · References 4
CVE · added 2026/03/20 1:13 a.m. · 3 views

CVE-2026-32873

CVE-2026-32873 affects the Gleam-based web server ewe (versions 0.8.0–3.0.4). The bug in handle_trailers causes an infinite loop when encountering rejected trailers by recursively re-parsing the same header (using rest) instead of advancing past it (Buffer(header_rest, 0)). This leads to a perman...

CVSS 7.5 · AI score 6 · EPSS 0.00022
Exploits 1 · References 3 · Affected Software 1
RedhatCVE · added 2026/01/13 10:53 p.m. · 2 views

CVE-2025-13862

The Menu Card plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the category parameter in all versions up to, and including, 0.8.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and...

CVSS 6.4 · AI score 5 · EPSS 0.00016
Exploits 0 · References 1
CVE · added 2025/12/11 10:52 p.m. · 5 views

CVE-2025-66452

LibreChat (versions ≤ 0.8.0) is affected by a lack of handling for JSON parsing errors in express.json(). A SyntaxError triggered by user input can be reflected in error responses, exposing input (including HTML/JavaScript) and creating an XSS risk if Content-Type isn't strictly enforced. The iss...

CVSS 6.1 · AI score 5.8 · EPSS 0.00034
Exploits 1 · References 1 · Affected Software 1
Cvelist · added 2025/12/11 10:52 p.m. · 16 views

CVE-2025-66452 LibreChat's lack of JSON parsing error handling can lead to XSS

LibreChat is a ChatGPT clone with additional features. In versions 0.8.0 and below, there is no handler for JSON parsing errors; SyntaxError from express.json includes user input in the error message, which gets reflected in responses. User input including HTML/JavaScript can be exposed in error...

CVSS 5.3 · EPSS 0.00034
Exploits 1 · References 1
EUVD · added 2025/12/11 10:05 p.m. · 4 views

EUVD-2025-202930

LibreChat is a ChatGPT clone with additional features. In versions 0.8.0 and below, when a user posts a question, the iconURL parameter of the POST request can be modified by an attacker. The malicious code is then stored in the chat which can then be shared to other users. When sharing chats wit...

CVSS 8.6 · AI score 6.2 · EPSS 0.00027
Exploits 1 · References 2
CNNVD · added 2025/12/11 12:00 a.m. · 1 views

LibreChat cross-site scripting vulnerability

LibreChat is an enhanced ChatGPT clone by Danny Avila (personal developer). A cross-site scripting vulnerability exists in LibreChat 0.8.0 and earlier versions that stems from an unhandled JSON parsing error that could lead to a cross-site scripting attack...

CVSS 6.1 · AI score 5.8 · EPSS 0.00034
Exploits 1 · References 1
NVD · added 2025/08/27 4:16 a.m. · 1 views

CVE-2025-49039

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mibuthu Link View (link-view) allows Stored XSS. This issue affects Link View: from n/a through <= 0.8.0...

CVSS 5.9 · EPSS 0.00043
Exploits 0 · References 1
Positive Technologies · added 2025/08/21 12:00 a.m. · 3 views

PT-2025-34265

Name of the Vulnerable Software and Affected Versions: Agent-Zero versions 0.8.0 through 0.8.9. Description: An issue exists in the /api/download work dir file.py component that allows attackers to execute a directory traversal. Recommendations: At the moment, there is no information about a newer...

CVSS 5.1 · AI score 4.7 · EPSS 0.00288
Exploits 2 · References 8
RedhatCVE · added 2025/08/09 12:23 a.m. · 4 views

CVE-2025-54882

Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. In versions 0.8.0 through 0.9.21 and 1.0.0-beta through 1.1.0, Himmelblau stores the cloud TGT received during logon in the Kerberos credential cache. The created credential cache collection and received credentials...

CVSS 7.1 · AI score 6.2 · EPSS 0.0003
Exploits 1 · References 1
PyPA · added 2025/05/30 7:15 p.m. · 6 views

PYSEC-2025-55

vLLM is an inference and serving engine for large language models (LLMs). Versions 0.8.0 up to but excluding 0.9.0 have a Denial of Service (ReDoS) that causes the vLLM server to crash if an invalid regex was provided while using structured output. This vulnerability is similar to...

CVSS 6.5 · AI score 7 · EPSS 0.00237
Exploits 1 · References 5 · Affected Software 1
CNNVD · added 2025/03/01 12:00 a.m. · 2 views

Rizin security vulnerability

Rizin is a free open source reverse engineering framework from the Rizin organization. It is used for analyzing binary files, disassembling code, debugging programs, as a forensic tool, as a scriptable command-line hex editor capable of opening disk files, and more. A security vulnerability exist...

CVSS 7.8 · AI score 6 · EPSS 0.0003
Exploits 1 · References 8
CNNVD · added 2024/09/03 12:00 a.m. · 2 views

Bare Metal Operator security vulnerability

Bare Metal Operator is a Metal³ open source application that uses the Kubernetes API to manage bare metal hosts. A security vulnerability exists in Bare Metal Operator version 0.8.0, version 0.6.2, and versions prior to 0.5.2, which stems from improper cross-namespace key access control and could...

CVSS 4.9 · AI score 4.7 · EPSS 0.00223
Exploits 0 · References 8
Positive Technologies · added 2024/02/19 12:00 a.m. · 1 views

PT-2024-3152 · Unknown · Cornerstone

Name of the Vulnerable Software and Affected Versions: Cornerstone versions through 0.8.0. Description: The issue is related to improper neutralization of input during web page generation, which can lead to cross-site scripting attacks. This allows a remote attacker to conduct reflected XSS attack...

CVSS 7.5 · AI score 5.7 · EPSS 0.00144
Exploits 0 · References 6
CNNVD · added 2022/12/19 12:00 a.m. · 2 views

Apache Helix input validation error vulnerability

Apache Helix is a general-purpose cluster management framework from the U.S. Apache Foundation. It is used to automate the management of partitioning, replication, and distributed resources hosted on a cluster of nodes. An input validation error vulnerability exists in Apache Helix UI...

CVSS 6.1 · AI score 6.2 · EPSS 0.0274
Exploits 0 · References 2
CNNVD · added 2022/09/30 12:00 a.m. · 2 views

WordPress plugin Comment Guestbook cross-site scripting vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers. WordPress plugin is an application plugin. A cross-site scripting vulnerability exists...

CVSS 4.8 · AI score 5 · EPSS 0.00322
Exploits 0 · References 3
vulnersOsv · added 2022/06/03 12:00 a.m. · 2 views

webtest (>=0.8.0 <=0.8.3) potentially affected by CVE-2021-34082 via proctree (=0.1.1)

proctree NPM version =0.1.1 is affected by a known vulnerability. The following packages have a transitive dependency on proctree and may be impacted: - webtest >=0.8.0, <=0.8.3. Source cves: CVE-2021-34082. Source advisory: OSV:GHSA-CV76-RV4H-4MQC...

CVSS 10 · AI score 7.3 · EPSS 0.13289
Exploits 1