Lucene search
K
GithubRecent

33190 matches found

Github Security Blog
Github Security Blog
added 2026/03/24 7:10 p.m.14 views

fido2-lib is vulnerable to DoS via cbor-extract heap buffer over-read in CBOR attestation parsing

Summary fido2-lib v3.x depends on cbor-x 1.6.0, which optionally pulls in cbor-extract C++ native addon. cbor-extract = 2.2.0 has a heap buffer over-read in extractStrings — a 5-byte CBOR payload crashes Node.js with SIGSEGV. No JS exception, no try/catch, process dead. The crash triggers during...

6.1AI score
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/24 5:53 p.m.24 views

Trivy ecosystem supply chain was briefly compromised

Summary On March 19, 2026, a threat actor used compromised credentials to publish a malicious Trivy v0.69.4 release, force-push 76 of 77 version tags in aquasecurity/trivy-action to credential-stealing malware, and replace all 7 tags in aquasecurity/setup-trivy with malicious commits. On March 22...

9.4CVSS6.2AI score0.60368EPSS
Exploits2References16Affected Software3
Github Security Blog
Github Security Blog
added 2026/03/24 5:28 p.m.7 views

Craft CMS has an authorization bypass which allows any control panel user to move entries without permissions

Summary An authenticated control panel user with only accessCp can move entries across sections via POST /actions/entries/move-to-section, even when they do not have saveEntries:sectionUid permission for either source or destination section. Details Root-cause analysis 1. actionMoveToSection...

7.1CVSS5.9AI score0.00288EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/24 5:27 p.m.11 views

Craft CMS' anonymous "assets/image-editor" calls return private asset editor metadata to unauthorized users

Summary A low-privileged authenticated user can call assets/image-editor with the ID of a private asset they cannot view and still receive editor response data, including focalPoint. The endpoint returns private editing metadata without per-asset authorization validation. Root-cause analysis: 1...

5.3CVSS5.8AI score0.00215EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/24 4:59 p.m.7 views

Craft CMS may expose private assets through anonymous "generate transform" calls via transform URL

Summary An unauthenticated user can call assets/generate-transform with a private assetId, receive a valid transform URL, and fetch transformed image bytes. The endpoint is anonymous and does not enforce per-asset authorization before returning the transform URL. Details Root cause: - Anonymous...

6.9CVSS5.8AI score0.00355EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/24 4:57 p.m.7 views

Craft CMS: Unauthenticated Users Can Perform Restricted Project Config Sync Operations

Summary Guest users can access Config Sync updater index, obtain signed data, and execute state-changing Config Sync actions regenerate-yaml, apply-yaml-changes without authentication. Details ConfigSyncController extends BaseUpdaterController, and the base updater is anonymously accessible for...

6.9CVSS6AI score0.00308EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/24 4:53 p.m.8 views

Craft CMS: Low-privilege users could read private asset contents when editing an asset (IDOR)

Summary A low-privileged authenticated user can read private asset content by calling assets/edit-image with an arbitrary assetId that they are not authorized to view. The endpoint returns image bytes or a preview redirect without enforcing a per-asset view authorization check, leading to potenti...

7.1CVSS5.9AI score0.00353EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/24 4:50 p.m.9 views

Craft CMS is Vulnerable to Authenticated Remote Code Execution via Malicious Attached Behavior

Summary A Remote Code Execution RCE vulnerability exists in Craft CMS 5.x and 4.x that bypasses the security fixes for GHSA-7jx7-3846-m7w7 and GHSA-255j-qw47-wjh5. This vulnerability can be exploited by any authenticated user with control panel access. The existing patches add cleanseConfig to...

8.6CVSS5.9AI score0.0102EPSS
Exploits1References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/24 4:49 p.m.11 views

Froxlor is vulnerable to BIND zone file injection via unsanitized DNS record content in DomainZones API

Summary The DomainZones.add API endpoint accessible to customers with DNS enabled does not validate the content field for several DNS record types LOC, RP, SSHFP, TLSA. An attacker can inject newlines and BIND zone file directives e.g. $INCLUDE into the zone file that gets written to disk when th...

8.8CVSS5.9AI score0.00544EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/24 4:35 p.m.7 views

GoDoxy has a Path Traversal Vulnerability in its File API

Summary The file content API endpoint at /api/v1/file/content is vulnerable to path traversal. The filename query parameter is passed directly to path.Joincommon.ConfigBasePath, filename where ConfigBasePath = "config" a relative path. No sanitization or validation is applied beyond checking that...

6.5CVSS5.9AI score0.00502EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/24 4:34 p.m.18 views

Parse Server's Session Update endpoint allows overwriting server-generated session fields

Impact An authenticated user can overwrite server-generated session fields such as expiresAt and createdWith when updating their own session via the REST API. This allows bypassing the server's configured session lifetime policy, making a session effectively permanent. Patches The fix blocks...

5.3CVSS5.8AI score0.00255EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/24 4:33 p.m.8 views

Authelia: Improper Neutralization of Input During Web Page Generation Leads to Potential Cross-site Scripting

Impact Official Weighted Severity Rating: Low This exploit is very unlikely to be the case for most users as it requires configuration of the Content Security Policy template value. Below represents a safe value, any other value other than unconfigured should be very carefully evaluated regardles...

6.1CVSS5.9AI score0.00226EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/24 4:4 p.m.5 views

sbt: Source dependency feature (via crafted VCS URL) leads to arbitrary code execution on Windows

Summary On Windows, sbt uses Process"cmd", "/c", ... to run VCS commands git, hg, svn. The URI fragment branch, tag, revision is user-controlled via the build definition and passed to these commands without validation. Because cmd /c interprets &, |, and ; as command separators, a malicious...

7.8CVSS6.2AI score0.00304EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/24 3:30 p.m.9 views

ConcreteCMS is vulnerable to Denial of Service During Bulk Downloads

ConcreteCMS v9.4.7 contains a Denial of Service DoS vulnerability in the File Manager component. The 'download' method in 'concrete/controllers/backend/file.php' improperly manages memory when creating zip archives. It uses 'ZipArchive::addFromString' combined with 'filegetcontents', which loads...

6.5CVSS5.8AI score0.00288EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/24 9:30 a.m.6 views

Apache Artemis: Unauthorized Temporary Address Creation via OpenWire Protocol

Incorrect Authorization CWE-863 vulnerability in Apache Artemis, Apache ActiveMQ Artemis exists when an application using the OpenWire protocol attempts to create a non-durable JMS topic subscription on an address that doesn't exist with an authenticated user which has the "createDurableQueue"...

4.3CVSS5.8AI score0.0047EPSS
Exploits0References4Affected Software2
Github Security Blog
Github Security Blog
added 2026/03/24 6:31 a.m.20 views

Undertow: Denial of Service via Multipart/Form-Data Parsing on HTTP GET Requests

A flaw was found in Undertow. A remote attacker could exploit this vulnerability by sending an HTTP GET request containing multipart/form-data content. If the underlying application processes parameters using methods like getParameterMap, the server prematurely parses and stores this content to...

5.9AI score0.00441EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/24 3:31 a.m.5 views

Spring Cloud Config Server: Path Traversal via Profile Parameter Allows Arbitrary File Access

Vulnerability in Spring Cloud when substituting the profile parameter from a request made to the Spring Cloud Config Server configured to the native file system as a backend, because it was possible to access files outside of the configured search directories.This issue affects Spring Cloud: from...

8.6CVSS5.8AI score0.0122EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/23 9:48 p.m.8 views

H3 has an Open Redirect via Protocol-Relative Path in redirectBack() Referer Validation

Summary The redirectBack utility in h3 validates that the Referer header shares the same origin as the request before using its pathname as the redirect Location. However, the pathname is not sanitized for protocol-relative paths starting with //. An attacker can craft a same-origin URL with a...

6AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/23 9:44 p.m.8 views

H3: Unbounded Chunked Cookie Count in Session Cleanup Loop may Lead to Denial of Service

Summary The setChunkedCookie and deleteChunkedCookie functions in h3 trust the chunk count parsed from a user-controlled cookie value chunkedN without any upper bound validation. An unauthenticated attacker can send a single request with a crafted cookie header e.g., Cookie: h3=chunked999999 to a...

5.9AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/23 9:43 p.m.11 views

Roadiz has Server-Side Request Forgery (SSRF) in roadiz/documents

This vulnerability allows an authenticated attacker to read any file on the server's local file system that the web server process has access to, including highly sensitive environment variables, database credentials, and internal configuration files. | Field | Details | | :--- | :--- | |...

6.8CVSS5.9AI score0.00383EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/23 9:40 p.m.7 views

Briefcase: Windows MSI Installer Privilege Escalation via Insecure Directory Permissions

Impact If a developer uses Briefcase to produce an Windows MSI installer for a project, and that project is installed for All Users i.e., per-machine scope, the installation process creates an directory that inherits all the permissions of the parent directory. Depending on the location chosen by...

7.3CVSS5.8AI score0.00132EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/23 9:18 p.m.9 views

Rails Active Storage has possible glob injection in its DiskService

Impact Active Storage's DiskServicedeleteprefixed passes blob keys directly to Dir.glob without escaping glob metacharacters. If a blob key contains attacker-controlled input or custom-generated keys with glob metacharacters, it may be possible to delete unintended files from the storage director...

9.1CVSS5.8AI score0.00646EPSS
Exploits0References10Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/23 9:17 p.m.7 views

Rails Active Storage has possible Path Traversal in DiskService

Impact Active Storage's DiskServicepathfor does not validate that the resolved filesystem path remains within the storage root directory. If a blob key containing path traversal sequences e.g. ../ is used, it could allow reading, writing, or deleting arbitrary files on the server. Blob keys are...

9.8CVSS5.4AI score0.00567EPSS
Exploits0References10Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/23 9:15 p.m.6 views

Rails Active Support has a possible DoS vulnerability in its number helpers

Impact Active Support number helpers accept strings containing scientific notation e.g. 1e10000, which when converted to a string could be expanded into extremely large decimal representations. This can cause excessive memory allocation and CPU consumption when the expanded number is formatted,...

8.7CVSS5.2AI score0.0061EPSS
Exploits0References10Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/23 9:8 p.m.9 views

Rails Active Storage has a possible DoS vulnerability when in proxy mode via Range requests

Impact When serving files through Active Storage's Blobs::ProxyController, the controller loads the entire requested byte range into memory before sending it. A request with a large or unbounded Range header e.g. bytes=0- could cause the server to allocate memory proportional to the file size,...

8.7CVSS5.3AI score0.0061EPSS
Exploits0References10Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/23 8:54 p.m.8 views

Rails Active Storage has possible content type bypass via metadata in direct uploads

Impact Active Storage's DirectUploadsController accepts arbitrary metadata from the client and persists it on the blob. Because internal flags like identified and analyzed are stored in the same metadata hash, a malicious direct-upload client could set these flags. Releases The fixed releases are...

5.3CVSS5.4AI score0.0039EPSS
Exploits0References10Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/23 8:53 p.m.6 views

Rails Active Support has a possible XSS vulnerability in SafeBuffer#%

Impact SafeBuffer% does not propagate the @htmlunsafe flag to the newly created buffer. If a SafeBuffer is mutated in place e.g. via gsub! and then formatted with % using untrusted arguments, the result incorrectly reports htmlsafe? == true, bypassing ERB auto-escaping and possibly leading to XSS...

6.1CVSS6.1AI score0.00327EPSS
Exploits0References10Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/23 8:52 p.m.12 views

Rails Active Support has a possible ReDoS vulnerability in number_to_delimited

Impact NumberToDelimitedConverter used a regular expression with gsub! to insert thousands delimiters. This could produce quadratic time complexity on long digit strings. Releases The fixed releases are available at the normal locations. Credit This issue was responsibly reported by Hackerone...

6.9CVSS5AI score0.00498EPSS
Exploits0References10Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/23 8:51 p.m.11 views

Rails has a possible XSS vulnerability in its Action View tag helpers

Impact When a blank string is used as an HTML attribute name in Action View tag helpers, the attribute escaping is bypassed, producing malformed HTML. A carefully crafted attribute value could then be misinterpreted by the browser as a separate attribute name, possibly leading to XSS. Application...

2.3CVSS5.3AI score0.00516EPSS
Exploits0References10Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/23 8:45 p.m.13 views

Rails has a possible XSS vulnerability in its Action Pack debug exceptions

Impact The debug exceptions page does not properly escape exception messages. A carefully crafted exception message could inject arbitrary HTML and JavaScript into the page, leading to XSS. This affects applications with detailed exception pages enabled config.considerallrequestslocal = true, whi...

5.3CVSS5.4AI score0.00401EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/23 8:43 p.m.5 views

Indico discloses local files resulting in Remote Code Execution through LaTeX injection

!NOTE If server-side LaTeX rendering is not in use ie XELATEXPATH was not set in indico.conf, this vulnerability does not apply. Impact Due to vulnerabilities in TeXLive and obscure LaTeX syntax that allowed circumventing Indico's LaTeX sanitizer, it is possible to use specially-crafted LaTeX...

8.8CVSS6AI score0.00782EPSS
Exploits0References8Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/23 8:39 p.m.6 views

Connect CMS: Improper Authorization in the My Page Profile Update Feature Allows Modification of Arbitrary User Information

Security Advisory — My Page Profile Update Improper Authorization Summary An improper authorization issue in the My Page profile update feature may allow modification of arbitrary user information. Affected Versions - 1.x series: = 1.41.0 - 2.x series: = 2.41.0 Patched Versions - 1.41.1 - 2.41.1...

8.1CVSS5.9AI score0.00305EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/23 8:38 p.m.13 views

Connect CMS: Information Disclosure Due to Improper Authorization through the Page Content Retrieval Feature

Security Advisory — Page Content Retrieval Improper Authorization Summary An improper authorization issue in the page content retrieval feature may allow retrieval of non-public information. Affected Versions - 1.x series: = 1.41.0 - 2.x series: = 2.41.0 Patched Versions - 1.41.1 - 2.41.1...

7.5CVSS5.7AI score0.00268EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/23 8:36 p.m.6 views

Connect CMS has SSRF in the External Page Migration Feature of its Page Management Plugin

Security Advisory — Page Management Plugin SSRF Summary A Server-Side Request Forgery SSRF issue exists in the external page migration feature of the Page Management Plugin. Affected Versions - 1.x series: = 1.41.0 - 2.x series: = 2.41.0 Patched Versions - 1.41.1 - 2.41.1 Description In the...

6.8CVSS5.8AI score0.00347EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/23 8:36 p.m.7 views

Connect CMS has Stored Cross-site Scripting (XSS) in the File Field of its Form Plugin

Security Advisory — Form Plugin Stored XSS Summary A Stored Cross-site Scripting XSS issue exists in the file field of the Form Plugin. Affected Versions - 1.x series: = 1.41.0 - 2.x series: = 2.41.0 Patched Versions - 1.41.1 - 2.41.1 Description In the file field of the Form Plugin, Stored...

8.2CVSS5.9AI score0.00197EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/23 8:35 p.m.11 views

Connect-CMS has DOM-based Cross-Site Scripting (XSS) in the Cabinet Plugin List View

Security Advisory — Cabinet Plugin DOM-based XSS Summary A DOM-based Cross-Site Scripting XSS issue exists in the Cabinet Plugin list view. Affected Versions - 1.x series: = 1.35.0, = 2.35.0, = 2.41.0 Patched Versions - 1.41.1 - 2.41.1 Description In the Cabinet Plugin list view, DOM-based...

8.7CVSS5.9AI score0.00327EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/23 8:33 p.m.7 views

Connect-CMS has Arbitrary Code Execution by an Authenticated User in its Code Study Plugin

Security Advisory — Code Study Plugin Summary An authenticated user may be able to execute arbitrary code in the Code Study Plugin. Affected Versions - 1.x series: = 1.41.0 - 2.x series: = 2.41.0 Patched Versions - 1.41.1 - 2.41.1 Description In the Code Study Plugin, an authenticated user could...

8.8CVSS6.6AI score0.00463EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/23 8:30 p.m.8 views

New API: IDOR in VideoProxy allows cross-user video content access via missing ownership check

Summary The video proxy endpoint GET /v1/videos/:taskid/content is vulnerable to an Insecure Direct Object Reference IDOR. Any authenticated user who knows another user's taskid can retrieve that user's generated video content because the handler queries tasks by taskid alone and does not verify...

6.5CVSS5.8AI score0.00274EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/23 8:28 p.m.11 views

MantisBT is vulnerable to authentication bypass through the SOAP API on MySQL

Mantis Bug Tracker instances running on MySQL and compatible databases are affected by an authentication bypass vulnerability in the SOAP API, as a result of improper type checking on the password parameter. Other database backends are not affected, as they do not perform implicit type conversion...

9.8CVSS5.9AI score0.00413EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/23 8:25 p.m.12 views

Sprig Plugin for Craft CMS potentially discloses sensitive information via Sprig Playground

Admin users, and users with explicit permission to access the Sprig Playground, could potentially expose the security key, credentials, and other sensitive configuration data, in addition to running the hashData signing function. This issue was mitigated in versions 3.7.2 and 2.15.2 by disabling...

5.5CVSS5.9AI score0.00253EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/23 8:23 p.m.10 views

cbor2 has a Denial of Service via Uncontrolled Recursion in cbor2.loads

Summary - The cbor2 library is vulnerable to a Denial of Service DoS attack caused by uncontrolled recursion when decoding deeply nested CBOR structures. - This vulnerability affects both the pure Python implementation and the C extension cbor2. The C extension correctly uses Python's C-API for...

7.5CVSS7.2AI score0.00417EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/23 7:56 p.m.19 views

New API has passkey-based secure step-up verification bypass for root-only channel secret disclosure

Summary A logic flaw in the universal secure verification flow allows an authenticated user with a registered passkey to satisfy secure verification without completing a WebAuthn assertion. Affected versions = v0.10.0 Description The POST /api/verify endpoint supports multiple secure verification...

4.9CVSS5.7AI score0.00289EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/23 6:30 p.m.5 views

DigitalOcean Droplet Agent: Command Injection via Metadata Service Endpoint

A command injection vulnerability exists in DigitalOcean Droplet Agent through 1.3.2. The troubleshooting actioner component internal/troubleshooting/actioner/actioner.go processes metadata from the metadata service endpoint and executes commands specified in the TroubleshootingAgent.Requesting...

8.8CVSS6.3AI score0.02502EPSS
Exploits2References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/23 4:0 p.m.8 views

GitHub expands application security coverage with AI‑powered detections

AI is accelerating software development and expanding the range of languages and frameworks used in modern repositories. Security teams are increasingly responsible for protecting code written across many ecosystems, not just the core enterprise languages traditionally covered by static analysis...

6AI score
Exploits0
Github Security Blog
Github Security Blog
added 2026/03/23 3:30 p.m.6 views

Harbor allows the use of the default password for web UI login

Use of hard coded credentials in GoHarbor Harbor version 2.15.0 and below, allows attackers to use the default password and gain access to the web UI...

9.4CVSS5.8AI score0.00498EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/23 3:30 p.m.5 views

HybridAuth Has Improper SSL Certificate Validation in Curl HTTP Client

A vulnerability was found in HybridAuth up to 3.12.2. This issue affects some unknown processing of the file src/HttpClient/Curl.php of the component SSL Handler. The manipulation of the argument curlOptions results in improper certificate validation. The attack can be launched remotely. This...

6.3CVSS5.5AI score0.00181EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/23 12:30 p.m.3 views

Keycloak's identity-first login flow exposes user information

A flaw was found in Keycloak. A remote attacker can exploit differential error messages during the identity-first login flow when Organizations are enabled. This vulnerability allows an attacker to determine the existence of users, leading to information disclosure through user enumeration...

3.7CVSS5.3AI score0.00318EPSS
Exploits1References8Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/23 12:30 p.m.10 views

esaml XXE vulnerability allows local file disclosure and SSRF via crafted SAML messages

XML External Entity XXE vulnerability in esaml and its forks allows an attacker to cause the system to read local files and incorporate their contents into processed SAML documents, and potentially perform SSRF via crafted SAML messages. esaml parses attacker-controlled SAML messages using...

6.3CVSS5.8AI score0.00281EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/23 9:30 a.m.5 views

Keycloak has Improper Access Control that allows attackers with valid credentials to bypass the allowRemoteResourceManagement=false

A flaw was found in Keycloak. An improper Access Control vulnerability in Keycloak’s User-Managed Access UMA resourceset endpoint allows attackers with valid credentials to bypass the allowRemoteResourceManagement=false restriction. This occurs due to incomplete enforcement of access control chec...

4.3CVSS5.8AI score0.00203EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/23 6:30 a.m.7 views

jsrsasign: Incomplete Comparison Allows DSA Private Key Recovery via Biased Nonce Generation

Versions of the package jsrsasign from 7.0.0 and before 11.1.1 are vulnerable to Incomplete Comparison with Missing Factors via the getRandomBigIntegerZeroToMax and getRandomBigIntegerMinToMax functions in src/crypto-1.1.js; an attacker can recover the private key by exploiting the incorrect...

9.3CVSS5.9AI score0.00476EPSS
Exploits1References6Affected Software1
Total number of security vulnerabilities33190