99 matches found
CVE-2024-39899
PrivateBin is an online pastebin where the server has zero knowledge of pasted data. In v1.5, PrivateBin introduced the YOURLS server-side proxy. The idea was to allow using the YOURLS URL shortener without running the YOURLS instance without authentication and/or exposing the authentication toke...
EUVD-2025-205842
YOURLS is vulnerable to XSS through JSONP and Callback request parameters...
YOURLS is vulnerable to XSS through JSONP and Callback request parameters
Summary: The callback and jsonp request parameters are directly concatenated into the response without any sanitization, allowing attackers to inject arbitrary JS code. When YOURLS_PRIVATE is set to false (public API mode), this vulnerability can be exploited by any unauthenticated attacker. In...
GHSA-6MP4-Q625-MXJP YOURLS is vulnerable to XSS through JSONP and Callback request parameters
Summary: The callback and jsonp request parameters are directly concatenated into the response without any sanitization, allowing attackers to inject arbitrary JS code. When YOURLS_PRIVATE is set to false (public API mode), this vulnerability can be exploited by any unauthenticated attacker. In...
📄 YOURLS 1.8.2 SQL Injection
Proof of concept for a remote SQL injection vulnerability in YOURLS version 1.8.2. Title: YOURLS 1.8.2 SQL Injection & System Compromise in Administrati...
📄 YOURLS 1.8.2 CSRF / IDOR / Missing Authorization
YOURLS version 1.8.2 AJAX endpoint scanner that checks for cross site request forgery, insecure direct object reference, missing authorization, and missing input validation vulnerabilities...
📄 YOURLS 1.8.2 Cross Site Request Forgery
YOURLS version 1.8.2 suffers from a cross site request forgery vulnerability. Exploit Title: YOURLS 1.8.2 - Cross-Site Request Forgery CSRF Date: 2025-11-25 Exploit Author: CodeSecLab Vendor Homepage: https://github.com/yourls/yourls/ Software Link: https://github.com/yourls/yourls/ Version: 1.8....
YOURLS 1.8.2 - Cross-Site Request Forgery (CSRF)
Exploit Title: YOURLS 1.8.2 - Cross-Site Request Forgery CSRF Date: 2025-11-25 Exploit Author: CodeSecLab Vendor Homepage: https://github.com/yourls/yourls/ Software Link: https://github.com/yourls/yourls/ Version: 1.8.2 Tested on: Windows CVE : CVE-2022-0088 Proof Of Concept CSRF PoC CSRF Proof ...
EUVD-2021-2092
Malware in sbrugna...
EUVD-2011-3781
Malware in sbrugna...
EUVD-2014-8325
Malware in sbrugna...
EUVD-2021-2041
Malware in sbrugna...
EUVD-2024-2387
Malicious code in bioql PyPI...
EUVD-2022-4837
Malicious code in bioql PyPI...
EUVD-2022-1750
Malicious code in bioql PyPI...
CVE-2021-3783
yourls is vulnerable to Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting'...
CVE-2021-3785
yourls is vulnerable to Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting'...
CVE-2011-3824
Your Own URL Shortener YOURLS 1.5 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by includes/auth.php and certain other files...
Authorization Bypass
PrivateBin is vulnerable to Authorization Bypass. The vulnerability exists due to insufficient authorization controls in the implementation of the YOURLS server-side proxy mechanism. The vulnerability allows any user to shorten URLs pointing to the configured PrivateBin instance, bypassing the...
PrivateBin allows shortening of URLs for other domains
In v1.5 we introduced the YOURLS server-side proxy. The idea was to allow using the YOURLS URL shortener without running the YOURLS instance without authentication and/or exposing the authentication token to the public, allowing anyone to shorten any URL. With the proxy mechanism, anyone can...