ChurchCRM - API Authentication Bypass via URL Injection
ChurchCRM 7.1.0 contains an authentication bypass caused by improper API middleware URL handling in ChurchCRM/Slim/Middleware/AuthMiddleware.php, letting unauthenticated attackers access protected API endpoints. Exploitation requires a crafted request URL containing 'api/public id: CVE-2026-39339 info: name:...
CVE-2026-41885
CVE-2026-41885 affects i18next-locize-backend prior to version 9.0.2. The issue arises when the backend interpolates values (lng, ns, projectId, version) directly into URL templates (loadPath/privatePath/addPath/updatePath/getLanguagesPath) without encoding or validation, enabling user-controlled...
EUVD-2026-28438
i18nextify is a JavaScript library that adds website internationalization via a script tag, without source code changes. Versions prior to 3.0.5 interpolate the lng and ns values directly into the configured loadPath / addPath URL templat...
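The two i18next entries above describe the same defect class: a URL template such as loadPath is filled with lng, ns, projectId or version values by plain string substitution, so a value containing "/", "..", "?" or "#" rewrites the path or query of the resulting request. The block below is an added illustration of that pattern and of a hardened builder; it is not code from i18next-locize-backend or i18nextify. The template, the api.example.invalid host, the project id and the attacker strings are constructed placeholders.

```javascript
// Added example (not the libraries' own code). Template uses the {{key}}
// placeholder style the page's entries refer to; host and ids are constructed.
const LOAD_PATH = 'https://api.example.invalid/{{projectId}}/{{version}}/{{lng}}/{{ns}}';

// Vulnerable pattern: raw substitution, no encoding, no validation.
// Whatever the caller supplies for lng/ns lands verbatim in the URL.
function buildUrlUnsafe(template, values) {
  return template.replace(/\{\{(\w+)\}\}/g, (_, key) => String(values[key]));
}

// Allowlist for a single path segment: language tags like "en-GB" and
// namespace names like "common" fit; "..", "/", "?", "#" and "%" do not.
const SAFE_SEGMENT = /^[A-Za-z0-9_-]{1,64}$/;

// Hardened pattern: validate each value, percent-encode it, then confirm
// the finished URL still points at the origin the template named.
function buildUrlSafe(template, values) {
  const url = template.replace(/\{\{(\w+)\}\}/g, (_, key) => {
    const v = values[key];
    if (typeof v !== 'string' || !SAFE_SEGMENT.test(v)) {
      throw new Error(`rejected value for ${key}: ${JSON.stringify(v)}`);
    }
    return encodeURIComponent(v);
  });
  const parsed = new URL(url);
  const expectedOrigin = new URL(template.split('{{')[0]).origin;
  if (parsed.origin !== expectedOrigin) {
    throw new Error(`origin changed to ${parsed.origin}`);
  }
  return parsed.href;
}

// Constructed inputs: a benign request and one where "lng" walks out of the
// project path and turns the trailing "/common" into a query string.
const benign = { projectId: 'proj', version: 'latest', lng: 'en-GB', ns: 'common' };
const attacker = { projectId: 'proj', version: 'latest', lng: '../../admin?x=', ns: 'common' };

function demo() {
  const unsafe = buildUrlUnsafe(LOAD_PATH, attacker);
  // The WHATWG URL parser resolves the dot segments, so the request goes to /admin.
  const resolvedPath = new URL(unsafe).pathname;
  let rejected = false;
  try { buildUrlSafe(LOAD_PATH, attacker); } catch (e) { rejected = true; }
  return { unsafe, resolvedPath, rejected, safe: buildUrlSafe(LOAD_PATH, benign) };
}
```

Run with `node` and inspect `demo()`: the unsafe builder emits a URL whose path resolves to /admin with the namespace pushed into the query string, while the hardened builder rejects the same input and produces the expected per-segment URL for the benign one. Encoding alone is not enough: `encodeURIComponent('..')` is still `..`, which is why the allowlist check precedes it.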
PT-2026-35775
Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.3.31 Description Insufficient sanitization of the PIP INDEX URL and UV INDEX URL environment variables in host execution contexts allows attackers to redirect Python package-index traffic. This can lead to the...
EUVD-2025-25273
Malicious code in bioql PyPI...
CVE-2020-27627
JetBrains TeamCity before 2020.1.2 was vulnerable to URL injection...
The xdg-utils vulnerability stems from missing input sanitization, allowing an attacker to execute arbitrary code within the application context.
The xdg-utils package does not sanitize its input data. A remote attacker can exploit this to execute arbitrary code within the application by injecting commands through a URL...
Unspecified Vulnerability in Comtech Telecommunications Stampede FX-1010
Comtech Telecommunications Stampede FX-1010 is a data center product from Comtech Telecommunications. A security vulnerability exists in the Comtech Telecommunications Stampede FX-1010 version 7.4.3. An attacker can exploit the vulnerability by navigating to the Fetch URL page and injecting shell...
picketlink: URL injection via xinclude parameter
It was found that Picketlink as shipped with Jboss Enterprise Application Platform 7.2 would accept an xinclude parameter in SAMLresponse XML. An attacker could use this flaw to send a URL to achieve cross-site scripting or possibly conduct further attacks...
CVE-2017-17534
uiutil.c in Mensis 0.0.080507 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL, a different vulnerability than CVE-2017-17521...
IBM Emptoris Strategic Supply Management Platform and Emptoris Program Management Cross-Site Scripting Vulnerability
IBM Emptoris Strategic Supply Management Platform is a strategic supply management solution from IBM that helps organizations maximize cost savings, improve supplier performance and reduce risk. A cross-site scripting vulnerability exists in IBM Emptoris Strategic Supply Management Platform and...