Lucene search
K
GithubRecent

33367 matches found

Github Security Blog
Github Security Blog
added 2025/12/03 9:31 p.m.9 views

alexusmai laravel-file-manager is vulnerable to Directory Traversal

alexusmai laravel-file-manager 3.3.1 and below is vulnerable to Directory Traversal. The zip/archiving functionality allows an attacker to create archives containing files and directories outside the intended scope due to improper path validation...

6.5CVSS7AI score0.00517EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/03 9:31 p.m.8 views

Undertow OutOfMemory when parsing form data encoding with application/x-www-form-urlencoded

A flaw was found in Undertow that can cause remote denial of service attacks. When the server uses the FormEncodedDataDefinition.doParseStreamSourceChannel method to parse large form data encoding with application/x-www-form-urlencoded, the method will cause an OutOfMemory issue. This flaw allows...

7.5CVSS5.5AI score0.01256EPSS
Exploits0References29Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/03 8:44 p.m.13 views

mcp-server-kubernetes has potential security issue in exec_in_pod tool

Summary A security issue exists in the execinpod tool of the mcp-server-kubernetes MCP Server. The tool accepts user-provided commands in both array and string formats. When a string format is provided, it is passed directly to shell interpretation sh -c without input validation, allowing shell...

8.8CVSS8.1AI score0.01309EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/03 7:7 p.m.11 views

React Server Components are Vulnerable to RCE

Summary @vitejs/plugin-rsc vendors react-server-dom-webpack, which contained an unauthenticated remote code execution vulnerability in versions prior to 19.0.1, 19.1.2, and 19.2.1. See details in React repository's advisory https://github.com/facebook/react/security/advisories/GHSA-fv66-9v8q-g76r...

8.8AI score
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/03 7:7 p.m.22 views

React Server Components are Vulnerable to RCE

Impact There is an unauthenticated remote code execution vulnerability in React Server Components. We recommend upgrading immediately. The vulnerability is present in versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 of: react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack Patche...

10CVSS7.8AI score0.99562EPSS
Exploits374References13Affected Software3
Github Security Blog
Github Security Blog
added 2025/12/03 7:7 p.m.40 views

Next.js is vulnerable to RCE in React flight protocol

A vulnerability affects certain React packages1 for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55182. Fixed in: React: 19.0.1, 19.1.2, 19.2.1 Next.js:...

10CVSS7.7AI score0.99562EPSS
Exploits374References5Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/03 5:0 p.m.8 views

Step CA Has Authorization Bypass in ACME and SCEP Provisioners

Summary A security fix is now available for Step CA that resolves a vulnerability affecting deployments configured with ACME and/or SCEP provisioners. All operators running these provisioners should upgrade to the latest release v0.29.0 immediately. The issue was discovered and disclosed by a...

10CVSS6.6AI score0.0326EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/03 4:57 p.m.8 views

Rhino has high CPU usage and potential DoS when passing specific numbers to `toFixed()` function

When an application passed an attacker controlled float poing number into the toFixed function, it might lead to high CPU consumption and a potential Denial of Service. Small numbers go through this call stack: NativeNumber.numTo DToA.JSdtostr DToA.JSdtoa DToA.pow5mult where pow5mult attempts to...

7.5CVSS6.8AI score0.00235EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/03 4:28 p.m.8 views

Coder logs sensitive objects unsanitized

Summary Workspace Agent manifests containing sensitive values were logged in plaintext unsanitized Details By default Workspace Agent logs are redirected to stderr https://github.com/coder/coder/blob/a8862be546f347c59201e2219d917e28121c0edb/cli/agent.goL432-L439 Workspace Agent Manifests containi...

7.8CVSS6.5AI score0.00203EPSS
Exploits1References10Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/03 4:27 p.m.8 views

step-ca Has Improper Authorization Check for SSH Certificate Revocation

Summary An authorized attacker can bypass authorization checks and revoke any SSH certificate issued by Step CA by using a valid revocation token. Details Step CA users can obtain SSH certificates from a few provisioners. The SSHPOP provisioner allows revocation of the SSH certificate preventing...

5CVSS6.4AI score0.00138EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/03 4:27 p.m.17 views

Claude Code Command Validation Bypass Allows Arbitrary Code Execution

Due to errors in parsing shell commands related to $IFS and short CLI flags, it was possible to bypass the Claude Code read-only validation and trigger arbitrary code execution. Reliably exploiting this requires the ability to add untrusted content into a Claude Code context window. Users on...

9.8CVSS8.1AI score0.00639EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/03 4:25 p.m.4 views

Withdrawn Advisory: ImageMagick has a use-after-free/double-free risk in Options::fontFamily when clearing family

Withdrawn Advisory This advisory has been withdrawn because it does not affect the ImageMagick project's NuGet packages. Original Description We believe that we have discovered a potential security vulnerability in ImageMagick’s Magick++ layer that manifests when Options::fontFamily is invoked wi...

6.1CVSS6.9AI score0.00142EPSS
Exploits0References5Affected Software18
Github Security Blog
Github Security Blog
added 2025/12/03 4:7 p.m.10 views

Docker MCP Plugin and Docker MCP Gateway have DNS Rebinding vulnerability when running in sse or streaming mode

Impact When ran in sse or streaming mode --transport, the Docker MCP Gateway is vulnerable to a DNS rebinding attack. Vulnerability allows for Browser-Based exploitation of any MCP servers that are executing within the Docker MCP Gateway. Any tools or other features exposed by MCP servers can be...

9.6CVSS6.9AI score0.00388EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/03 2:5 p.m.13 views

Aimeos GrapesJS CMS extension has possible stored XSS that's exploitable by authenticated editors

Impact Javascript code can be injected by malicious editors for a stored XSS attack if the standard Content Security Policy is disabled. Workaround If the standard CSP rules are active default in production mode, an exploit isn't possible. Credits Lwin Min Oo...

7.6CVSS6.4AI score0.00238EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/03 9:31 a.m.11 views

BlazeMeter Jenkins Plugin is Missing Authorization for Available Resources

A fix was made in BlazeMeter Jenkins Plugin version 4.27 to allow users only with certain permissions to see the list of available resources like credential IDs, bzm workspaces and bzm project Ids. Prior to this fix, anyone could see this list as a dropdown on the Jenkins UI...

5.3CVSS6.8AI score0.00218EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/02 9:31 p.m.8 views

FeehiCMS Has a Remote Code Execution via Unrestricted File Upload in Ad Management

FeehiCMS version 2.1.1 has a Remote Code Execution via Unrestricted File Upload in Ad Management. FeehiCMS version 2.1.1 allows authenticated remote attackers to upload files that the server later executes or stores in an executable location without sufficient validation, sanitization, or executi...

6.5CVSS8.8AI score0.00346EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/02 9:31 p.m.12 views

asyncmy is vulnerable to SQL injection via crafted dict keys

SQL injection vulnerability in long2ice asyncmy thru 0.2.11 allows attackers to execute arbitrary SQL commands via crafted dict keys...

9.8CVSS6.1AI score0.00373EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/02 9:11 p.m.8 views

GrapesJsBuilder File Upload allows all file uploads

Summary Arbitrary files can be uploaded via the GrapesJS Builder, as the types of files that can be uploaded are not restricted. Impact If the media folder is not restricted from running files this can lead to a remote code execution...

8.8CVSS8.1AI score0.00368EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/02 9:10 p.m.13 views

Mautic user without privileged access to the Marketplace can install and uninstall composer packages

Summary A non privileged user can install and remove arbitrary packages via composer for a composer based installed, even if the flag in update settings for enable composer based update is unticked. Impact A low-privileged user of the platform can install malicious code to obtain higher privilege...

9CVSS7.3AI score0.00215EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/02 9:10 p.m.12 views

Apptainer ineffectively applies selinux and apparmor --security options

Impact In Apptainer versions less than 1.4.5, a container can disable two of the forms of the little used --security option, in particular the forms --security=apparmor: and --security=selinux: which otherwise put restrictions on operations that containers can do. The --security option has always...

5.3CVSS6.7AI score0.00198EPSS
Exploits0References8Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/02 9:7 p.m.31 views

Singluarity ineffectively applies selinux / apparmor LSM process labels

Impact Native Mode default Singularity's default native runtime allows users to apply restrictions to container processes using the apparmor or selinux Linux Security Modules LSMs, via the --security selinux: or --security apparmor: flags. LSM labels are written to process or thread attrs/exec...

7.5CVSS7AI score0.00523EPSS
Exploits1References9Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/02 6:30 p.m.7 views

Grav CMS is vulnerable to Cross Site Scripting (XSS) in the page editor

Grav CMS 1.7.49 is vulnerable to Cross Site Scripting XSS. The page editor allows authenticated users to edit page content via a Markdown editor. The editor fails to properly sanitize tags, allowing stored XSS payloads to execute when pages are viewed in the admin interface...

6.1CVSS5.9AI score0.00191EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/02 6:30 p.m.12 views

Django is vulnerable to SQL injection in column aliases

An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. FilteredRelation is subject to SQL injection in column aliases, using a suitably crafted dictionary, with dictionary expansion, as the kwargs passed to QuerySet.annotate or QuerySet.alias on PostgreSQL. Earlier...

4.3CVSS8AI score0.00904EPSS
Exploits0References11Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/02 6:30 p.m.8 views

Duplicate Advisory: Authentication Bypass via Default JWT Secret in NocoBase docker-compose Deployments

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-mv7p-34fv-4874. This link is maintained to preserve external references. Original Description A vulnerability was detected in nocobase up to 1.9.4/2.0.0-alpha.37. The affected element is an unknown function of t...

6.3CVSS6.4AI score0.00262EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/02 6:30 p.m.8 views

Django is vulnerable to DoS via XML serializer text extraction

An issue was discovered in 5.2 before 5.2.9, 5.1 before 5.1.15, and 4.2 before 4.2.27. Algorithmic complexity in django.core.serializers.xmlserializer.getInnerText allows a remote attacker to cause a potential denial-of-service attack triggering CPU and memory exhaustion via specially crafted XML...

7.5CVSS6.8AI score0.02143EPSS
Exploits0References10Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/02 5:55 p.m.16 views

gokey allows secret recovery from a seed file without the master password

In gokey versions 0.2.0, a flaw in the seed decryption logic resulted in passwords incorrectly being derived solely from the initial vector and the AES-GCM authentication tag of the key seed. This issue has been fixed in gokey version 0.2.0. This is a breaking change. The fix has invalidated any...

7.1CVSS7.3AI score0.00145EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/02 5:55 p.m.8 views

arcade-mcp-server Has Default Hardcoded Worker Secret That Allows Full Unauthorized Access to All HTTP MCP Worker Endpoints

Summary The arcade-mcp HTTP server uses a hardcoded default worker secret "dev" that is never validated or overridden during normal server startup. As a result, any unauthenticated attacker who knows this default key can forge valid JWTs and fully bypass the FastAPI authentication layer. This...

6.5CVSS7.5AI score0.00281EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/02 5:34 p.m.20 views

vLLM vulnerable to remote code execution via transformers_utils/get_config

Summary vllm has a critical remote code execution vector in a config class named NemotronNanoVLConfig. When vllm loads a model config that contains an automap entry, the config class resolves that mapping with getclassfromdynamicmodule... and immediately instantiates the returned class. This...

8.8CVSS8.7AI score0.00598EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/02 4:52 p.m.20 views

Model Context Protocol (MCP) Python SDK does not enable DNS rebinding protection by default

Description The Model Context Protocol MCP Python SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on localhost without authentication using FastMCP with streamable HTTP or SSE transport, and has not configured...

8.1CVSS6.9AI score0.00463EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/02 4:51 p.m.24 views

Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default

The Model Context Protocol MCP TypeScript SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on localhost without authentication with StreamableHTTPServerTransport or SSEServerTransport and has not enabled...

8.1CVSS6.9AI score0.00463EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/02 3:30 p.m.9 views

Calibre-Web Has a Stored Cross-Site Scripting (XSS) Vulnerability via the 'username' Field During User Creation

A Stored Cross-Site Scripting XSS vulnerability in Calibre-Web v0.6.25 allows attackers to inject malicious JavaScript into the 'username' field during user creation. The payload is stored unsanitized and later executed when the /ajax/listusers endpoint is accessed...

3.5CVSS5.2AI score0.00174EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/02 12:30 p.m.7 views

Mattermost fails to validate user permissions in Boards

Mattermost versions 10.11.x = 10.11.4, 10.5.x = 10.5.12 fail to validate the user permission when accessing the files and subscribing to the block in Boards, which allows an authenticated user to access other board files and was able to subscribe to the block from other boards that the user does...

4.3CVSS6.7AI score0.00193EPSS
Exploits0References4Affected Software2
Github Security Blog
Github Security Blog
added 2025/12/02 9:30 a.m.11 views

Eclipse Paho Go MQTT may incorrectly encode strings if length exceeds 65535 bytes

In Eclipse Paho Go MQTT v3.1 library paho.mqtt.golang versions =1.5.0 UTF-8 encoded strings, passed into the library, may be incorrectly encoded if their length exceeds 65535 bytes. This may lead to unexpected content in packets sent to the server for example, part of an MQTT topic may leak into...

6.3CVSS6.8AI score0.00197EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/02 1:25 a.m.10 views

mdast-util-to-hast has unsanitized class attribute

Impact Multiple unprefixed classnames could be added in markdown source by using character references. This could make rendered user supplied markdown code elements appear like the rest of the page. The following markdown: markdown jsxss Would create If your page then applied .xss classes or...

6.9CVSS6.8AI score0.0026EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/02 1:25 a.m.9 views

Grav is vulnerable to Server-Side Template Injection (SSTI) via Forms

Summary Having a simple form on site can reveal the whole Grav configuration details including plugin configuration details by using the correct POST payload. Sensitive information may be contained in the configuration details. PoC Create a simple form with two fields, 'registration-number' and...

8.7CVSS6.6AI score0.00331EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/02 1:25 a.m.9 views

Grav is vulnerable to RCE via SSTI through Twig Sandbox Bypass

Summary A Server-Side Template Injection SSTI vulnerability exists in Grav that allows authenticated attackers with editor permissions to execute arbitrary commands on the server and, under certain conditions, may also be exploited by unauthenticated attackers. This vulnerability stems from weak...

8.8CVSS7.8AI score0.0264EPSS
Exploits4References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/02 1:24 a.m.10 views

Grav vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/pages/[page]` parameter `data[header][template]` in Advanced Tab

Summary A Stored Cross-Site Scripting XSS vulnerability was identified in the /admin/pages/page endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the dataheadertemplate parameter. The script is saved within the page's frontmatter and executed...

6.2CVSS5.1AI score0.00182EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/02 1:24 a.m.14 views

Grav is vulnerable to Cross-Site Scripting (XSS) Reflected endpoint /admin/pages/[page], parameter data[header][content][items], located in the "Blog Config" tab

Summary A Reflected Cross-Site Scripting XSS vulnerability was identified in the /admin/pages/page endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the dataheadercontentitems parameter. --- Details Vulnerable Endpoint: GET /admin/pages/page...

6.2CVSS4.8AI score0.00197EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/02 1:24 a.m.13 views

Grav vulnerable to Privilege Escalation and Authenticated Remote Code Execution via Twig Injection

Summary A user with admin panel access and permissions to create or edit pages in Grav CMS can enable Twig processing in the page frontmatter. By injecting malicious Twig expressions, the user can escalate their privileges to admin or execute arbitrary system commands via the scheduler API. This...

8.8CVSS8.4AI score0.00685EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/02 1:23 a.m.10 views

Grav Admin Plugin vulnerable to Cross-Site Scripting (XSS) Stored endpoint `/admin/config/site` parameter `data[taxonomies]`

Summary A Stored Cross-Site Scripting XSS vulnerability was identified in the /admin/config/site endpoint of the Grav application. This vulnerability allows attackers to inject malicious scripts into the datataxonomies parameter. The injected payload is stored on the server and automatically...

6.8CVSS5.2AI score0.00182EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/02 1:23 a.m.9 views

Grav vulnerable to Path traversal / arbitrary YAML write via user creation leading to Account Takeover / System Corruption

Summary When a user with privilege of user creation creates a new user through the Admin UI and supplies a username containing path traversal sequences for example ..\Nijat or ../Nijat, Grav writes the account YAML file to an unintended path outside user/accounts/. The written YAML can contain...

8.8CVSS7.2AI score0.00482EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/02 1:21 a.m.10 views

Keycloak unable to restrict access to the admin console

A flaw was found in Keycloak. The Keycloak guides recommend to not expose /admin path to the outside in case the installation is using a proxy. The issue occurs at least via ha-proxy, as it can be tricked to using relative/non-normalized paths to access the /admin application path relative to...

3.7CVSS6.2AI score0.00386EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/02 1:20 a.m.19 views

Angular Stored XSS Vulnerability via SVG Animation, SVG URL and MathML Attributes

A Stored Cross-Site Scripting XSS vulnerability has been identified in the Angular Template Compiler. It occurs because the compiler's internal security schema is incomplete, allowing attackers to bypass Angular's built-in security sanitization. Specifically, the schema fails to classify certain...

8.5CVSS7.1AI score0.00377EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/02 1:8 a.m.10 views

Gin-vue-admin has an arbitrary file deletion vulnerability

Impact Attackers can delete any file on the server at will, causing damage or unavailability of server resources. Attackers can control the 'FileMd5' parameter to delete any file and folder The affected code: Affected interfaces: /api/fileUploadAndDownload/removeChunk POC: You can specify the...

9.1CVSS6.9AI score0.00506EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/02 1:8 a.m.12 views

Portkey.ai Gateway: Server-Side Request Forgery (SSRF) in Custom Host

Summary The gateway determines the destination baseURL by prioritizing the value in the x-portkey-custom-host request header. The proxy route then appends the client-specified path to perform an external fetch. This can be maliciously used by users for SSRF CWE-918 attack Impact This vulnerabilit...

9.8CVSS6.8AI score0.00323EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/02 12:58 a.m.25 views

Keras Directory Traversal Vulnerability

Summary Keras's keras.utils.getfile function is vulnerable to directory traversal attacks despite implementing filtersafepaths. The vulnerability exists because extractarchive uses Python's tarfile.extractall method without the security-critical filter="data" parameter. A PATHMAX symlink resoluti...

8.9CVSS7.7AI score0.00593EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/02 12:46 a.m.12 views

Grav vulnerable to Denial of Service via Improper Input Handling in 'Supported' Parameter

Endpoint: admin/config/system Submenu: Languages Parameter: Supported Application: Grav v 1.7.48 --- Summary A Denial of Service DoS vulnerability was identified in the "Languages" submenu of the Grav admin configuration panel /admin/config/system. Specifically, the Supported parameter fails to...

6.9CVSS6.2AI score0.00337EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/02 12:39 a.m.9 views

Grav vulnerable to Information Disclosure via IDOR in Grav Admin Panel

Summary An IDOR Insecure Direct Object Reference vulnerability in the Grav CMS Admin Panel allows low-privilege users to access sensitive information from other accounts. Although direct account takeover is not possible, admin email addresses and other metadata can be exposed, increasing the risk...

6.5CVSS7AI score0.00258EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/02 12:38 a.m.11 views

fastify-reply-from affected by bypass of reply forwarding

Summary By crafting a malicious URL, an attacker could access routes that are not allowed, even though the reply.from is defined for specific routes in @fastify/reply-from. Details An attacker can bypass the route defined by the @fastify/reply-from package by adding a .. symbol, which, for curl...

6.9CVSS6.8AI score0.00152EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/02 12:38 a.m.14 views

Grav vulnerable to Path Traversal allowing server files backup

Summary A path traversal vulnerability has been identified in Grav CMS, versions 1.7.49.5 , allowing authenticated attackers with administrative privileges to read arbitrary files on the underlying server filesystem. This vulnerability arises due to insufficient input sanitization in the backup...

6.8CVSS6.8AI score0.0042EPSS
Exploits1References4Affected Software1
Total number of security vulnerabilities33367