Lucene search
K
GithubRecent

33225 matches found

Github Security Blog
Github Security Blog
added 2026/03/16 9:18 p.m.11 views

Admidio has an HTMLPurifier Bypass in eCard Message Allows HTML Email Injection

Summary The eCard send handler in Admidio uses the raw $POST'ecardmessage' value instead of the HTMLPurifier-sanitized $formValues'ecardmessage' when constructing the greeting card HTML. This allows an authenticated attacker to inject arbitrary HTML and JavaScript into greeting card emails sent t...

5.4CVSS5.9AI score0.00227EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/16 9:18 p.m.7 views

Admidio is Missing Authorization and CSRF Protection on Document and Folder Deletion

Summary The documents and files module in Admidio does not verify whether the current user has permission to delete folders or files. The folderdelete and filedelete action handlers in modules/documents-files.php only perform a VIEW authorization check getFolderForDownload / getFileForDownload...

9.1CVSS5.9AI score0.00323EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/16 9:17 p.m.31 views

Admidio Vulnerable to SSRF and Local File Read via Unrestricted URL Fetch in SSO Metadata Endpoint

Summary The SSO metadata fetch endpoint at modules/sso/fetchmetadata.php accepts an arbitrary URL via $GET'url', validates it only with PHP's FILTERVALIDATEURL, and passes it directly to filegetcontents. FILTERVALIDATEURL accepts file://, http://, ftp://, data://, and php:// scheme URIs. An...

6.8CVSS5.9AI score0.00428EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/16 9:17 p.m.8 views

Admidio is Missing CSRF Protection on Role Membership Date Changes

Summary The savemembership action in modules/profile/profilefunction.php saves changes to a member's role membership start and end dates but does not validate the CSRF token. The handler checks stopmembership and removeformermembership against the CSRF token but omits savemembership from that...

5.7CVSS5.9AI score0.00149EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/16 9:17 p.m.8 views

Admidio is Missing CSRF Validation on Role Delete, Activate, and Deactivate Actions

Summary The delete, activate, and deactivate modes in modules/groups-roles/groupsroles.php perform destructive state changes on organizational roles but never validate an anti-CSRF token. The client-side UI passes a CSRF token to callUrlHideElement, which includes it in the POST body, but the...

5.7CVSS6AI score0.0013EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/16 9:16 p.m.9 views

File Upload(RCE) Vulnerability in admidio

Summary A critical unrestricted file upload vulnerability exists in the Documents & Files module of Admidio. Due to a design flaw in how CSRF token validation and file extension verification interact within UploadHandlerFile.php, an authenticated user with upload permissions can bypass file...

8.8CVSS6.2AI score0.00982EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/16 8:49 p.m.7 views

Loop with Unreachable Exit Condition ('Infinite Loop') in ewe

Summary ewe's handletrailers function contains a bug where rejected trailer headers forbidden or undeclared cause an infinite loop. The function recurses with the original unparsed buffer instead of advancing past the rejected header, re-parsing the same header forever. Each malicious request...

7.5CVSS6.1AI score0.00599EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/16 8:49 p.m.6 views

Permissive List of Allowed Inputs in ewe

Summary ewe's chunked transfer encoding trailer handling merges declared trailer fields into req.headers after body parsing, but the denylist only blocks 9 header names. Security-sensitive headers like authorization, cookie, and x-forwarded-for can be injected or overwritten by a malicious client...

5.3CVSS5.8AI score0.00386EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/16 8:48 p.m.8 views

lz4_flex's decompression can leak information from uninitialized memory or reused output buffer

Summary Decompressing invalid LZ4 data can leak data from uninitialized memory, or can leak content from previous decompression operations when reusing an output buffer. Details The LZ4 block format defines a "match copy operation" which duplicates previously written data or data from the...

8.2CVSS6AI score0.00608EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/16 8:47 p.m.8 views

Kargo Vulnerable to SSRF in Promotion http/http-download Steps Enables Internal Network Access and Data Exfiltration

Summary Kargo's built-in http and http-download promotion steps execute outbound HTTP requests from the Kargo controller. By design, these steps do not restrict destination addresses, as there are legitimate use cases for requests to internal and private endpoints. However, this also permits...

5.1CVSS6AI score0.00328EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/16 8:47 p.m.7 views

Fullchain's Invalid NetworkPolicy enables a malicious actor to pivot into another namespace

Impact Due to a mis-written NetworkPolicy, a malicious actor can pivot from a subverted application to any Pod out of the origin namespace. This breaks the security-by-default property expected as part of the deployment program, leading to a potential lateral movement. Patch Removing the inter-ns...

9.8CVSS5.8AI score0.00501EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/16 8:47 p.m.7 views

Romeo is vulnerable to Archive Slip due to missing checks in sanitization

Summary The sanitizeArchivePath function in webserver/api/v1/decoder.go lines 80-88 is vulnerable to a path traversal bypass due to a missing trailing path separator in the strings.HasPrefix check. A crafted tar archive can write files outside the intended destination directory. Vulnerable Code...

8.3CVSS6AI score0.00434EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/16 8:46 p.m.12 views

Monitoring is vulnerable to Archive Slip due to missing checks in sanitization

The sanitizeArchivePath function in pkg/extract/extract.go lines 248–254 is vulnerable to a path traversal bypass due to a missing trailing path separator in the strings.HasPrefix check. A crafted tar archive can write files outside the intended destination directory when using the extractor CLI...

9.8CVSS5.9AI score0.00655EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/16 8:45 p.m.7 views

Romeo's invalid NetworkPolicy enables a malicious actor to pivot into another namespace

Impact Due to a mis-written NetworkPolicy, a malicious actor can pivot from the "hardened" namespace to any Pod out of it. This breaks the security-by-default property expected as part of the deployment program, leading to a potential lateral movement. Patch Removing the inter-ns NetworkPolicy...

10CVSS5.8AI score0.00386EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/16 8:45 p.m.8 views

Chall-Manager's invalid NetworkPolicy enables a malicious actor to pivot into another namespace

Impact Due to a mis-written NetworkPolicy, a malicious actor can pivot from an instance to any Pod out of the origin namespace. This breaks the security-by-default property expected as part of the deployment program, leading to a potential lateral movement. In the specific case of...

9.9CVSS5.8AI score0.00284EPSS
Exploits0References5Affected Software2
Github Security Blog
Github Security Blog
added 2026/03/16 8:45 p.m.26 views

File Browser has an Access Rule Bypass via Path Traversal in Copy/Rename Destination Parameter

Description The resourcePatchHandler in http/resource.go validates the destination path against configured access rules before the path is cleaned/normalized. The rules engine rules/rules.go uses literal string prefix matching strings.HasPrefix or regex matching against the raw path. The actual...

6.5CVSS5.8AI score0.00387EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/16 8:44 p.m.12 views

SiYuan: Authorization Bypass Allows Arbitrary SQL Execution via Search API

Summary SiYuan Note v3.6.0 and likely prior versions contains an authorization bypass vulnerability in the /api/search/fullTextSearchBlock endpoint. When the method parameter is set to 2, the endpoint passes user-supplied input directly as a raw SQL statement to the underlying SQLite database...

9.8CVSS6.3AI score0.00541EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/16 8:44 p.m.11 views

File Browser Signup Grants Admin When Default Permissions Include Admin

Summary Any unauthenticated visitor can register a full administrator account when self-registration signup = true is enabled and the default user permissions have perm.admin = true. The signup handler blindly applies all default settings - including Perm.Admin - to the new user without any...

10CVSS6AI score0.00677EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/16 8:43 p.m.9 views

SiYuan Vulnerable to Remote Code Execution via Malicious Bazaar Package — Marketplace XSS

Remote Code Execution via Malicious Bazaar Package — Marketplace XSS Summary SiYuan's Bazaar community marketplace renders plugin/theme/template metadata and README content without sanitization. A malicious package author can achieve RCE on any user who browses the Bazaar by: 1. Package metadata...

6.6AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/16 8:43 p.m.9 views

File Browser TUS Negative Upload-Length Fires Post-Upload Hooks Prematurely

!NOTE This feature has been disabled by default for all installations from v2.33.8 onwards, including for existent installations. To exploit this vulnerability, the instance administrator must turn on a feature and ignore all the warnings about known vulnerabilities. We're publishing this new...

8.1CVSS6.7AI score0.01903EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/16 8:41 p.m.8 views

OpenClaw session transcript files were created without forced user-only permissions

openclaw created new session transcript JSONL files with overly broad default permissions in affected releases. On multi-user hosts, other local users or processes could read transcript contents, including secrets that might appear in tool output. Affected Packages / Versions - Package: openclaw...

8.4CVSS5.8AI score0.0012EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/16 8:41 p.m.15 views

OpneClaw accepts unsanitized iMessage attachment paths which allowed SCP remote-path command injection

Summary openclaw versions :. In affected releases, the remote host was normalized but the remote attachment path was not validated for shell metacharacters before being passed to the SCP remote operand. A sender-controlled iMessage attachment filename containing shell metacharacters could therefo...

6.1AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/16 8:40 p.m.8 views

OpenClaw Telegram webhook request bodies were read before secret validation, enabling unauthenticated resource exhaustion

Summary openclaw versions = 2026.3.12 read and buffered Telegram webhook request bodies before validating x-telegram-bot-api-secret-token. This let unauthenticated callers force up to the configured webhook body limit of pre-auth body I/O and JSON parse work per request. Affected Packages /...

8.7CVSS5.8AI score0.00531EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/16 8:40 p.m.7 views

OpenClaw bootstrap setup codes could be replayed to escalate pending pairing scopes before approval

Summary openclaw versions = 2026.3.12 allowed bootstrap setup codes to be replayed before approval, which could widen the scopes on a pending device pairing request. Affected Packages / Versions - Package: openclaw npm - Affected versions: = 2026.3.12 - Fixed version: 2026.3.13 Details The...

5.8AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/16 8:40 p.m.6 views

OpenClaw Telegram media fetch errors exposed bot tokens in logged file URLs

Summary openclaw versions /..., so the resulting error strings could leak bot tokens into logs, console output, or any downstream error surface that rendered the exception text. This issue is in scope under OpenClaw's trust model because the leaked secret is an OpenClaw-operated integration...

5.9AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/16 6:47 p.m.9 views

SiYuan Vulnerable to Remote Code Execution via Stored XSS in Notebook Name - Mobile Interface

Remote Code Execution via Stored XSS in Notebook Name - Mobile Interface Summary SiYuan's mobile file tree MobileFiles.ts renders notebook names via innerHTML without HTML escaping when processing renamenotebook WebSocket events. The desktop version Files.ts properly uses escapeHtml for the same...

9CVSS6.6AI score0.00796EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/16 6:47 p.m.6 views

SiYuan importStdMd: unvalidated localPath imports arbitrary host directories as persistent notes

Summary POST /api/import/importStdMd passes the localPath parameter directly to model.ImportFromLocalPath with zero path validation. The function recursively reads every file under the given path and permanently stores their content as SiYuan note documents in the workspace database, making them...

6.8CVSS5.8AI score0.00431EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/16 6:47 p.m.10 views

SiYuan importSY/importZipMd: path traversal via multipart filename enables arbitrary file write

Summary POST /api/import/importSY and POST /api/import/importZipMd write uploaded archives to a path derived from the multipart filename field without sanitization, allowing an admin to write files to arbitrary locations outside the temp directory - including system paths that enable RCE. Details...

9.1CVSS6AI score0.00434EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/16 6:46 p.m.8 views

SiYuan Vulnerable to Cross-Origin WebSocket Hijacking via Authentication Bypass — Unauthenticated Information Disclosure

Cross-Origin WebSocket Hijacking via Authentication Bypass — Unauthenticated Information Disclosure Summary SiYuan's WebSocket endpoint /ws allows unauthenticated connections when specific URL parameters are provided ?app=siyuan&id=auth&type=auth. This bypass, intended for the login page to keep...

7.5CVSS5.8AI score0.00361EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/16 6:46 p.m.9 views

SiYuan globalCopyFiles: incomplete sensitive path blocklist allows reading /proc and Docker secrets

Summary POST /api/file/globalCopyFiles reads source files using filepath.Abs with no workspace boundary check, relying solely on util.IsSensitivePath whose blocklist omits /proc/, /run/secrets/, and home directory dotfiles. An admin can copy /proc/1/environ or Docker secrets into the workspace an...

6.8CVSS5.9AI score0.00411EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/16 6:46 p.m.10 views

Parse Server has a stored XSS filter bypass via Content-Type MIME parameter and missing XML extension blocklist entries

Impact An attacker who is allowed to upload files can bypass the file extension filter by appending a MIME parameter e.g. ;charset=utf-8 to the Content-Type header. This causes the extension validation to fail matching against the blocklist, allowing active content to be stored and served under t...

8.3CVSS5.4AI score0.00272EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/16 6:44 p.m.10 views

Azure Blob Storage for Craft CMS Potential Sensitive Information Disclosure vulnerability

Unauthenticated users can view a list of buckets the plugin has access to. The DefaultController-actionLoadContainerData endpoint allows unauthenticated users with a valid CSRF token to view a list of buckets that the plugin is allowed to see. Because Azure can return sensitive data in error...

8.7CVSS5.8AI score0.00348EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/16 6:44 p.m.8 views

Craft CMS Vulnerable to Privilege Escalation/Bypass through UsersController->actionImpersonateWithToken()

Summary A low-privilege user or an unauthenticated user who has been sent a shared URL can escalate their privileges to admin by abusing UsersController-actionImpersonateWithToken. Affected users should update to Craft 4.17.6 and 5.9.12 to mitigate the issue. Details This vulnerability allows any...

9.8CVSS5.8AI score0.0773EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/16 6:32 p.m.6 views

GoBGP vulnerable to a denial of service via the NEXT_HOP path attribute

An issue in GoBGP gobgpd v.4.2.0 allows a remote attacker to cause a denial of service via the NEXTHOP path attribute...

7.5CVSS5.9AI score0.00333EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/16 6:14 p.m.10 views

Google Cloud Storage for Craft CMS has an Information Disclosure Vulnerability

Unauthenticated users can view a list of buckets the plugin has access to. The DefaultController-actionLoadBucketData endpoint allows unauthenticated users with a valid CSRF token to view a list of buckets that the plugin is allowed to see. Users should update to version 2.2.1 of the plugin to...

6.9CVSS5.8AI score0.00344EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/16 6:13 p.m.8 views

Amazon S3 for Craft CMS has an Information Disclosure vulnerability

Unauthenticated users can view a list of buckets the plugin has access to. The BucketsController-actionLoadBucketData endpoint allows unauthenticated users with a valid CSRF token to view a list of buckets that the plugin is allowed to see. Users should update to version 2.2.5 of the plugin to...

6.9CVSS5.8AI score0.00344EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/16 6:13 p.m.13 views

Craft CMS vulnerable to behavior injection RCE ElementIndexesController and FieldsController

The fix for https://github.com/advisories/GHSA-7jx7-3846-m7w7 commit https://github.com/craftcms/cms/commit/395c64f0b80b507be1c862a2ec942eaacb353748 only patched src/services/Fields.php, but the same vulnerable pattern exists in ElementIndexesController and FieldsController. You need Craft contro...

8.6CVSS5.8AI score0.00515EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/16 6:12 p.m.8 views

Craft CMS vulnerable to behavior injection RCE via EntryTypesController

The fix for GHSA-7jx7-3846-m7w7 commit 395c64f0b80b507be1c862a2ec942eaacb353748 only patched src/services/Fields.php, but the same vulnerable pattern exists in EntryTypesController::actionApplyOverrideSettings. In src/controllers/EntryTypesController.php lines 381-387: php $settingsStr =...

8.6CVSS5.8AI score0.00499EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/16 6:11 p.m.7 views

Craft CMS has a Path Traversal Vulnerability in AssetsController

The AssetsController-replaceFile method has a targetFilename body parameter that is used unsanitized in a deleteFile call before Assets::prepareAssetName is applied on save. This allows an authenticated user with replaceFiles permission to delete arbitrary files within the same filesystem root by...

5.3CVSS5.9AI score0.00291EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/16 6:11 p.m.11 views

RCE via SSTI for users with permissions to access the Craft CMS Webhooks plugin

The Webhooks plugin renders user-supplied template content through Twig’s renderString function without sandbox protection. This allows an authenticated user with access to the Craft control panel and permissions to access the Webhooks plugin to inject Twig template code that calls arbitrary PHP...

8.5CVSS6AI score0.00382EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/16 4:43 p.m.6 views

SandboxJS has an execution-quota bypass (cross-sandbox currentTicks race) in SandboxJS timers

Summary Assumed repo path is /Users/zwique/Downloads/SandboxJS-0.8.34 no /Users/zwique/Downloads/SandboxJS found. A global tick state currentTicks.current is shared between sandboxes. Timer string handlers are compiled at execution time using that global tick state rather than the scheduling...

4.8CVSS5.9AI score0.00148EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/16 4:41 p.m.8 views

Stored XSS in Memray-generated HTML reports via unescaped command-line metadata

Summary Prior to Memray 1.19.2, Memray rendered the command line of the tracked process directly into generated HTML reports without escaping. Because there was no escaping, attacker-controlled command line arguments were inserted as raw HTML into the generated report. This allowed JavaScript...

6.1CVSS5.9AI score0.00302EPSS
Exploits2References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/16 4:39 p.m.28 views

XSS in @leanprover/unicode-input-component

Impact Projects that use @leanprover/unicode-input-component are vulnerable to an XSS exploit in 0.1.9 of the package and lower. The component re-inserted text in the input element back into the input element as unescaped HTML. Patches The issue has been resolved in 0.2.0. Workarounds Replace the...

5.7AI score0.00327EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/16 4:37 p.m.7 views

StudioCMS REST getUsers Exposes Owner Account Records to Admin Tokens

Summary The REST API getUsers endpoint in StudioCMS uses the attacker-controlled rank query parameter to decide whether owner accounts should be filtered from the result set. As a result, an admin token can request rank=owner and receive owner account records, including IDs, usernames, display...

2.7CVSS5.9AI score0.00375EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/16 4:36 p.m.11 views

Glances Central Browser Autodiscovery Leaks Reusable Credentials to Zeroconf-Spoofed Servers

Summary In Central Browser mode, Glances stores both the Zeroconf-advertised server name and the discovered IP address for dynamic servers, but later builds connection URIs from the untrusted advertised name instead of the discovered IP. When a dynamic server reports itself as protected, Glances...

8.1CVSS5.9AI score0.00282EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/16 4:35 p.m.6 views

Glances's Browser API Exposes Reusable Downstream Credentials via `/api/4/serverslist`

Summary In Central Browser mode, the /api/4/serverslist endpoint returns raw server objects from GlancesServersList.getserverslist. Those objects are mutated in-place during background polling and can contain a uri field with embedded HTTP Basic credentials for downstream Glances servers, using t...

9.1CVSS5.8AI score0.00472EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/16 4:34 p.m.8 views

Glances's REST/WebUI Lacks Host Validation and Remains Exposed to DNS Rebinding

Summary Glances recently added DNS rebinding protection for the MCP endpoint, but the main REST/WebUI FastAPI application still accepts arbitrary Host headers and does not apply TrustedHostMiddleware or an equivalent host allowlist. As a result, the REST API, WebUI, and token endpoint remain...

5.9CVSS5.9AI score0.0016EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/16 4:34 p.m.6 views

Glances has a SQL Injection in DuckDB Export via Unparameterized DDL Statements

Summary The GHSA-x46r fix commit 39161f0 addressed SQL injection in the TimescaleDB export module by converting all SQL operations to use parameterized queries and psycopg.sql composable objects. However, the DuckDB export module glances/exports/glancesduckdb/init.py was not included in this fix...

9.1CVSS5.9AI score0.00325EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/16 4:32 p.m.7 views

Glances's Default CORS Configuration Allows Cross-Origin Credential Theft

Summary The Glances REST API web server ships with a default CORS configuration that sets alloworigins="" combined with allowcredentials=True. When both of these options are enabled together, Starlette's CORSMiddleware reflects the requesting Origin header value in the Access-Control-Allow-Origin...

8.1CVSS5.8AI score0.00339EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/16 4:26 p.m.7 views

Glances has Incomplete Secrets Redaction: /api/v4/args Endpoint Leaks Password Hash and SNMP Credentials

Summary The GHSA-gh4x fix commit 5d3de60 addressed unauthenticated configuration secrets exposure on the /api/v4/config endpoints by introducing asdictsecure redaction. However, the /api/v4/args and /api/v4/args/item endpoints were not addressed by this fix. These endpoints return the complete...

7.5CVSS5.8AI score0.00499EPSS
Exploits1References5Affected Software1
Total number of security vulnerabilities33225