33396 matches found
Admidio Vulnerable to Authenticated SQL Injection in Member Assignment Functionality
Summary An authenticated SQL injection vulnerability exists in the member assignment data retrieval functionality of Admidio. Any authenticated user with permissions to assign members to a role such as an administrator can exploit this vulnerability to execute arbitrary SQL commands. This can lea...
Scapy Session Loading Vulnerable to Arbitrary Code Execution via Untrusted Pickle Deserialization
Summary An unsafe deserialization vulnerability in Scapy Internally, this triggers: python main.py SESSION = pickle.loadgzip.opensessionname, "rb" Since no validation or restriction is performed on the deserialized object, any code embedded via reduce will be executed immediately. This makes it...
Borrowck Scarifices exposes uninitialized memory in any_as_u8_slice
The safe function anyasu8slice can create byte slices that reference uninitialized memory when used with types containing padding bytes. The function uses slice::fromrawparts to create a &u8 covering the entire size of a type, including padding bytes. According to Rust's documentation, fromrawpar...
Top security researcher shares their bug bounty process
As we wrap Cybersecurity Awareness Month, the GitHub Bug Bounty team is excited to spotlight another top performing security researcher who participates in the GitHub Security Bug Bounty Program, Andr e Storfjord Kristiansen! GitHub is dedicated to maintaining the security and reliability of the...
Hugging Face Smolagents XPath injection vulnerability in the search_item_ctrl_f function
Hugging Face Smolagents version 1.20.0 contains an XPath injection vulnerability in the searchitemctrlf function located in src/smolagents/visionwebbrowser.py. The function constructs an XPath query by directly concatenating user-supplied input into the XPath expression without proper sanitizatio...
Hono Improper Authorization vulnerability
Improper Authorization in Hono JWT Audience Validation Hono’s JWT authentication middleware did not validate the aud Audience claim by default. As a result, applications using the middleware without an explicit audience check could accept tokens intended for other audiences, leading to potential...
Direct Ring Buffer has uninitialized memory exposure in create_ring_buffer
The safe function createringbuffer allocates a buffer using Vec::withcapacity followed by setlen, creating a Box containing uninitialized memory. This leads to undefined behavior when functions like writeslices create typed slices e.g., &mut bool over the uninitialized memory, violating Rust's...
orx-pinned-vec has undefined behavior in index_of_ptr with empty slices
The safe function indexofptr causes undefined behavior when called with an empty slice. The issue occurs in the line ptr.addslice.len - 1 which underflows when slice.len is 0, creating a pointer with a massive offset. According to Rust's safety rules, creating such a pointer causes immediate...
Nautobot Single Source of Truth (SSoT) has an unauthenticated ServiceNow configuration URL
The servicenow config URL is using a generic django View with no authentication. URL: /plugins/ssot/servicenow/config/ Impact What kind of vulnerability is it? Who is impacted? An Unauthenticated attacker could access this page to view the Service Now public instance name e.g...
code16 Sharp vulnerable to Cross Site Scripting (XSS)
code16 Sharp v9.6.6 is vulnerable to Cross Site Scripting XSS src/Form/Fields/SharpFormUploadField.php...
Liferay Portal reflected cross-site scripting (XSS) vulnerability in the google_gaget
A reflected cross-site scripting XSS vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q3.0 through 2025.Q3.2, 2025.Q2.0 through 2025.Q2.12, 2025.Q1.0 through 2025.Q1.17, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13,...
NeuVector is shipping cryptographic material into its binary
Impact NeuVector used a hard-coded cryptographic key embedded in the source code. At compilation time, the key value was replaced with the secret key value and used to encrypt sensitive configurations when NeuVector stores the data. In the patched version, NeuVector leverages the Kubernetes secre...
NeuVector telemetry sender is vulnerable to MITM and DoS
Impact This vulnerability affects NeuVector deployments only when the Report anonymous cluster data option is enabled. When this option is enabled, NeuVector sends anonymous telemetry data to the telemetry server at https://upgrades.neuvector-upgrade-responder.livestock.rancher.io. In affected...
NeuVector Enforcer is vulnerable to Command Injection and Buffer overflow
Impact A vulnerability was identified in NeuVector, where the enforcer used environment variables CLUSTERRPCPORT and CLUSTERLANPORT to generate a command to be executed via popen, without first sanitising their values. The entry process of the enforcer container is the monitor process. When the...
uv has differential in tar extraction with PAX headers
Impact In versions 0.9.4 and earlier of uv, tar archives containing PAX headers with file size overrides were not handled properly. As a result, an attacker could contrive a source distribution as a tar archive that would extract differently when installed via uv versus other Python package...
ProcessWire CMS vulnerable to resource-exhaustion Denial of Service
ProcessWire CMS 3.0.246 allows a low-privileged user with lang-edit to upload a crafted ZIP to Language Support that is auto-extracted without limits prior to validation, enabling resource-exhaustion Denial of Service...
Liferay Portal fails to verify messages from the cluster network is trusted
Improper Authentication in Liferay Portal 7.4.0 through 7.4.3.132, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote attackers to send malicious data to the Lifer...
Cosmos EVM Vulnerability
Patches Patched in versions v0.3.1, v0.4.2, and in the v0.5.0 release. More information will be disclosed at a later point to ensure chains have time to safely upgrade. Workarounds No workarounds for chains that make use of static or dynamic precompiles. Upgrading is strongly recommended. Testing...
Shopware Customer Orders can be canceled, even if refunds are disabled
Refunds in general can be enabled through the administration setting core.cart.enableOrderRefunds in the cart panel.Which visually shows and hides the button. However, using a custom crafted request, a customer can still cancel his own orders.As this is not checked inside the route and also not i...
Shopware exposes sensitive user information via CSV export mapping
Impact Malicious actors can exploit this finding to export sensitive customer information from a Shopware application, including password hashes and password reset tokens. In SaaS deployments, this primarily affects customer accounts. In on-premise deployments, however, it also includes the hashe...
Shopware vulnerable to Server-Side Request Forgery (SSRF) – order invoice
Impact This vulnerability allows malicious actors to force the application server to send HTTP requests to both external and internal servers. In certain cases, this may lead to access to internal resources such as databases, file systems, or other services that are not supposed to be directly...
Shopware vulnerable to path traversal via Plugin upload
Impact Malicious actors can exploit this vulnerability to write files within arbitrary directories on the filesystem of the Shopware web container. This could allow them to gain persistent shell access by uploading a PHP-shell file to an accessible folder. It is important to note that this...
Shopware vulnerable to MediaVisibilityRestrictionSubscriber bypass when reading media entities by aggregating fields individually
In Shopware core and platform versions before 6.6.10.7 and 6.7.3.1, media visibility restrictions applied by MediaVisibilityRestrictionSubscriber are not enforced for aggregation API requests. Authorization filters are only injected during standard entity reads; aggregation queries can be...
astral-tokio-tar Vulnerable to PAX Header Desynchronization
Summary Versions of astral-tokio-tar prior to 0.5.6 contain a boundary parsing vulnerability that allows attackers to smuggle additional archive entries by exploiting inconsistent PAX/ustar header handling. When processing archives with PAX-extended headers containing size overrides, the parser...
Koa Vulnerable to Open Redirect via Trailing Double-Slash (//) in back Redirect Logic
Summary: A bypass was discovered in the Koa.js framework affecting its back redirect functionality. In certain circumstances, an attacker can manipulate the Referer header to force a user’s browser to navigate to an external, potentially malicious website. This occurs because the implementation...
Taguette vulnerable to cross-site scripting via tag name, tag description, document name and document description
Impact An issue has been discovered in Taguette versions prior to 1.5.0. It was possible for a project member to put JavaScript in name or description fields which would run on project load. Patches Users should upgrade to Taguette 1.5.0. References -...
Taguette password reset link poisoning
Impact An issue has been discovered in Taguette versions prior to 1.5.0. It was possible for an attacker to request password reset email containing a malicious link, allowing the attacker to set the email if clicked by the victim. Patches Users should upgrade to Taguette 1.5.0. References -...
Uptime Kuma Server-side Template Injection (SSTI) in Notification Templates Allows Arbitrary File Read
Summary In some Notification types e.g., Webhook, Telegram, the send function allows user-controlled renderTemplate input. This leads to a Server-side Template Injection SSTI vulnerability that can be exploited to read arbitrary files from the server. Details The root cause is how Uptime Kuma...
vite allows server.fs.deny bypass via backslash on Windows
Summary Files denied by server.fs.deny were sent if the URL ended with \ when the dev server is running on Windows. Impact Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network using --host or server.host config option - running the de...
NetBird VPN does not remove the default password of an admin account
NetBird VPN when installed using vendor's provided script failed to remove or change default password of an admin account created by ZITADEL. This issue affects instances installed using vendor's provided script. This issue may affect instances created with Docker if the default password was not...
Actual Sync-server Gocardless service is logging sensitive data including bearer tokens and account numbers
Summary The GoCardless components in Actualbudget in are logging responses to STDOUT in a parsed format using console.logand console.debug Which in this version of node is an alias for console.log. This is exposing sensitive information in log files including, but not limited to: - Gocardless...
rollbar vulnerable to prototype pollution
Impact Prototype pollution potential with the utility function rollbar/src/utility.set. No impact when using the published public interface. If application code directly imports set from rollbar/src/utility and then calls set with untrusted input in the second argument, it is vulnerable to...
Citizen vulnerable to stored XSS in sticky header button messages
Summary The JS implementation for copying button labels to the sticky header in the Citizen skin unescapes HTML characters, allowing for stored XSS through system messages. Details In the copyButtonAttributes function in stickyHeader.js, when copying the button labels, the innerHTML of the new...
TastyIgniter vulnerable to Cross-Site Scripting
Cross-Site Scripting XSS vulnerability exists in TastyIgniter 3.7.7, affecting the /admin/mediamanager component. Attackers can upload a malicious SVG file containing JavaScript code. When an administrator previews the file, the code executes in their browser context, allowing the attacker to...
Apache Syncope allows malicious administrators to inject Groovy code
Apache Syncope offers the ability to extend / customize the base behavior on every deployment by allowing to provide custom implementations of a few Java interfaces; such implementations can be provided either as Java or Groovy classes, with the latter being particularly attractive as the machine...
Apache Geode: CSRF attacks through GET requests to the Management and Monitoring REST API that can execute gfsh commands on the target system
Apache Geode is vulnerable to CSRF attacks through GET requests to the Management and Monitoring REST API that could allow an attacker who has tricked a user into giving up their Geode session credentials to submit malicious commands on the target system on behalf of the authenticated user. This...
Cargo Mediawiki Extension vulnerable to Cross-site Scripting
Improper Neutralization of Input During Web Page Generation XSS or 'Cross-site Scripting' vulnerability in The Wikimedia Foundation Mediawiki - Cargo Extension allows Stored XSS. This issue affects Mediawiki - Cargo Extension befor 3.8.3...
MCMS vulnerable SQL injection via the content_title parameter
A SQL injection vulnerability in the contenttitle parameter of the /cms/content/list endpoint in MCMS 5.5.0 through 6.0.1 allows remote attackers to execute arbitrary SQL queries via unsanitized input in the FreeMarker template rendering...
ThingsBoard vulnerable to stored cross-site scripting (XSS) vulnerability in the dashboard's Image Upload Gallery feature
ThingsBoard versions 4.2.1 contain a stored cross-site scripting XSS vulnerability in the dashboard's Image Upload Gallery feature. An attacker can upload an SVG file containing malicious JavaScript, which may be executed when the file is rendered in the UI. This issue results from insufficient...
Duplicate Advisory: FlowiseAI Pre-Auth Arbitrary Code Execution
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-7944-7c6r-55vv. This link is maintained to preserve external references. Original Description Flowise through v3.0.4 is vulnerable to remote code execution via unsanitized evaluation of user input in the "Supaba...
Keras framework vulnerable to deserialization of untrusted data
Deserialization of untrusted data can occur in versions of the Keras framework running versions 3.11.0 up to but not including 3.11.3, enabling a maliciously uploaded Keras file containing a TorchModuleWrapper class to run arbitrary code on an end user’s system when loaded despite safe mode being...
pyquokka is Vulnerable to Remote Code Execution by Pickle Deserialization via FlightServer
Description In the FlightServer class of the pyquokka framework, the doaction method directly uses pickle.loads to deserialize action bodies received from Flight clients without any sanitization or validation, which results in a remote code execution vulnerability. The vulnerable code is located...
ibexa/fieldtype-richtext has an XSS vulnerability via acronym custom tag in Rich Text
Impact This security advisory resolves an XSS vulnerability in acronym custom tag in Rich Text, in the back office of the DXP. Back office access and varying levels of editing and management permissions are required to exploit this vulnerability. This typically means Editor or Administrator role,...
Ash has authorization bypass when bypass policy condition evaluates to true
Summary Bypass policies incorrectly authorize requests when their condition evaluates to true but their authorization checks fail and no other policies apply. Impact Resources with bypass policies can be accessed without proper authorization when: - Bypass condition evaluates to true - Bypass...
ibexa/admin-ui has an XSS vulnerability in Cancel/Reschedule future publication modal
Impact This security advisory resolves an XSS vulnerability in image asset names, content language names and future publishing in the back office of the DXP. Back office access and varying levels of editing and management permissions are required to exploit this vulnerability. This typically mean...
ezsystems/ezplatform-admin-ui has an XSS vulnerability in Cancel/Reschedule future publication modal
Impact This security advisory resolves an XSS vulnerability in image asset names, content language names and future publishing in the back office of the DXP. Back office access and varying levels of editing and management permissions are required to exploit this vulnerability. This typically mean...
ibexa/user login enumerates user accounts
Impact In v5, error messages could provide enough information to tell whether a user exists or not. This is resolved by ensuring the error messages are sufficiently ambigious. Patches See "Patched versions". Workarounds None. Resources...
Lobe Chat vulnerable to Server-Side Request Forgery with native web fetch module
Vulnerability Description --- Vulnerability Overview - When the client sends an arbitrary URL array and impl: "naive" to the tRPC endpoint tools.search.crawlPages, the server issues outbound HTTP requests directly to those URLs. There is no defensive logic that restricts or validates requests to...
Keycloak error_description injection on error pages that can trigger phishing attacks
Keycloak’s account console accepts arbitrary text in the errordescription query parameter. This text is directly rendered in error pages without validation or sanitization. While HTML encoding prevents XSS, an attacker can craft URLs with misleading messages e.g., fake support phone numbers or...
OpenBao has potential Denial of Service vulnerability when processing malicious unauthenticated JSON requests
Summary JSON objects after decoding might use more memory than their serialized version. It is possible to tune a JSON to maximize the factor between serialized memory usage and deserialized memory usage similar to a zip bomb. While reproducing the issue, we could reach a factor of about 35. This...