Lucene search
+L
GithubRecent

33426 matches found

Github Security Blog
Github Security Blog
added 2025/09/15 12:31 p.m.9 views

Chaos Controller Manager is vulnerable to OS command injection

The cleanTcs mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster attackers to perform remote code execution across the cluster...

9.8CVSS8.5AI score0.02926EPSS
Exploits2References5Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/15 12:31 p.m.12 views

Mattermost Open Redirect vulnerability

Mattermost versions 10.5.x = 10.5.9 fail to properly validate redirect URLs which allows attackers to redirect users to malicious sites via crafted OAuth login URLs...

6.1CVSS6.9AI score0.00161EPSS
Exploits0References4Affected Software2
Github Security Blog
Github Security Blog
added 2025/09/15 12:31 p.m.9 views

Mattermost Missing Authorization vulnerability

Mattermost versions 10.10.x = 10.10.1 fail to properly sanitize user data during shared channel membership synchronization, which allows malicious or compromised remote clusters to access sensitive user information via unsanitized user objects. This vulnerability affects Mattermost Server instanc...

6.5CVSS6.7AI score0.00242EPSS
Exploits0References3Affected Software2
Github Security Blog
Github Security Blog
added 2025/09/15 12:30 a.m.11 views

Duplicate Advisory: express-xss-sanitizer has an unbounded recursion depth

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-hvq2-wf92-j4f3. This link is maintained to preserve external references. Original Descripton The express-xss-sanitizer package for Node.js has an unbounded recursion in the sanitize function lib/sanitize.js when...

5.3CVSS6.7AI score0.00419EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/14 6:30 p.m.17 views

Hugging Face Transformers library has Regular Expression Denial of Service

A Regular Expression Denial of Service ReDoS vulnerability was discovered in the Hugging Face Transformers library, specifically within the normalizenumbers method of the EnglishNormalizer class. This vulnerability affects versions up to 4.52.4 and is fixed in version 4.53.0. The issue arises fro...

5.3CVSS6.9AI score0.00349EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/12 9:32 p.m.13 views

Liferay Portal: Missing Rate Limiting in GraphQL Endpoint Enables Resource Exhaustion Attack

Liferay Portal 7.4.0 through 7.4.3.101, and Liferay DXP 2023.Q3.0 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA though update 35 does not limit the number of objects returned from a GraphQL queries, which allows remote attackers to perform denial-of-service DoS attacks on the application...

7.5CVSS7AI score0.00343EPSS
Exploits0References10Affected Software2
Github Security Blog
Github Security Blog
added 2025/09/12 9:32 p.m.9 views

Liferay Portal's System, Instance and Site Settings are vulnerable to Open Redirect

An open redirect vulnerability in the System Settings in Liferay Portal 7.1.0 through 7.4.3.101, and Liferay DXP 2023.Q3.1 through 2023.Q3.4 , 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote attackers to redirect users to arbitrary external URLs vi...

6.1CVSS6.7AI score0.00223EPSS
Exploits0References5Affected Software2
Github Security Blog
Github Security Blog
added 2025/09/12 9:12 p.m.21 views

Hono has Body Limit Middleware Bypass

Summary A flaw in the bodyLimit middleware could allow bypassing the configured request body size limit when conflicting HTTP headers were present. Details The middleware previously prioritized the Content-Length header even when a Transfer-Encoding: chunked header was also included. According to...

5.3CVSS6.7AI score0.0042EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/12 9:11 p.m.13 views

httpsig-rs: HMAC verification is vulnerable to timing attack

Summary HMAC signature comparison is not timing-safe and is vulnerable to timing attacks. Details SharedKey::sign returns a Vec which has a non-constant-time equality implementation. Hmac::finalize returns a constant-time wrapper CtOutput which was discarded. Alternatively, Hmac has a constant-ti...

5.9CVSS6.9AI score0.00264EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/12 8:2 p.m.27 views

Flowise Cloud and Local Deployments have Unauthenticated Password Reset Token Disclosure that Leads to Account Takeover

Summary The forgot-password endpoint in Flowise returns sensitive information including a valid password reset tempToken without authentication or verification. This enables any attacker to generate a reset token for arbitrary users and directly reset their password, leading to a complete account...

9.8CVSS7.2AI score0.50118EPSS
Exploits14References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/12 6:31 p.m.17 views

Liferay Portal's selection modal is vulnerable to XSS

A stored cross-site scripting vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q3.0, 2025.Q2.0 through 2025.Q2.12, 2025.Q1.0 through 2025.Q1.17, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1.2...

5.4CVSS5.8AI score0.00197EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/12 12:30 p.m.11 views

Hugging Face Transformers is vulnerable to ReDoS through its MarianTokenizer

A Regular Expression Denial of Service ReDoS vulnerability was discovered in the Hugging Face Transformers library, specifically affecting the MarianTokenizer's removelanguagecode method. This vulnerability is present in version 4.52.4 and has been fixed in version 4.53.0. The issue arises from...

7.5CVSS7.2AI score0.00483EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/12 3:33 a.m.6 views

Liferay Portal's Organization Selector exposes organization data to remote authenticated users

The Organization Selector in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q1.1 through 2024.Q1.12 and 7.4 update 81 through update 85 does not check user permission, which allows remote authenticated users to obtain a list of all organizations...

5.3CVSS6.5AI score0.00244EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/12 3:33 a.m.8 views

Liferay Portal JSON Web Services Direct Class Invocation Enables Service Access Policy Execution

JSON Web Services in Liferay Portal 7.4.0 through 7.4.3.119, and Liferay DXP 2024.Q1.1 through 2024.Q1.9, 7.4 GA through update 92 published to OSGi are registered and invoked directly as classes which allows Service Access Policies to get executed...

5.3CVSS7AI score0.00197EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/11 11:26 p.m.18 views

Neo4j Cypher MCP server is vulnerable to DNS rebinding

Impact DNS rebinding vulnerability in Neo4j Cypher MCP server allows malicious websites to bypass Same-Origin Policy protections and execute unauthorised tool invocations against locally running Neo4j MCP instances. The attack relies on the user being enticed to visit a malicious website and spen...

7.4CVSS6.8AI score0.00206EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/11 9:53 p.m.14 views

SurrealDB is Vulnerable to Unauthorized Data Exposure via LIVE Query Subscriptions

LIVE SELECT statements are used to capture changes to data within a table in real time. Documents included in WHERE conditions and DELETE notifications were not properly reduced to respect the querying user's security context. Instead the leaked documents reflect the context of the user triggerin...

5.7CVSS6.7AI score0.00298EPSS
Exploits0References8Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/11 9:31 p.m.13 views

Subrion CMS: Authenticated administrators are able to gain escalated access through Run SQL Query tool

An issue was discovered in Subrion CMS 4.2.1, allowing authenticated adminitrators or moderators with access to the built-in Run SQL Query feature under the SQL Tool admin panel — to gain escalated privileges in the context of the SQL query tool...

3.8CVSS7.3AI score0.00187EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/11 9:23 p.m.7 views

matrix-sdk-base: Panic in the `RoomMember::normalized_power_level()` method

In matrix-sdk-base before 0.14.1, calling the RoomMember::normalizedpowerlevel method can cause a panic if a room member has a power level of Int::Min. Patches The issue is fixed in matrix-sdk-base 0.14.1. Workarounds The affected method isn’t used internally, so avoiding calling...

6.9CVSS6.8AI score0.00374EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/11 9:7 p.m.26 views

Axios is vulnerable to DoS attack through lack of data size check

Summary When Axios runs on Node.js and is given a URL with the data: scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire payload into memory Buffer/Blob and returns a synthetic 200 response. This path ignores maxContentLength / maxBodyLength which only protect HTTP...

7.5CVSS7.4AI score0.0106EPSS
Exploits1References10Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/11 6:35 p.m.10 views

Liferay Portal API Allows Authenticated Users to Access Workflow Definitions by Name

An Insecure Direct Object Reference IDOR vulnerability in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q2.0 through 2024.Q2.7, 2024.Q1.1 through 2024.Q1.12, and 7.4 GA through update 92 allows remote authenticated users to access a workflow definition by name via the API...

5.3CVSS6.5AI score0.00234EPSS
Exploits1References9Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/11 6:35 p.m.8 views

Liferay Portal is vulnerable to Insecure Direct Object Reference (IDOR) attack through Authentication Bypass

An Insecure Direct Object Reference IDOR vulnerability in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q2.0 through 2024.Q2.6, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allows remote authenticated users to from one virtual instance to access, create, edit, relate...

8.1CVSS6.5AI score0.00307EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/11 4:51 p.m.14 views

Flask App Builder has an Authentication Bypass vulnerability when using non AUTH_DB methods

Impact When Flask-AppBuilder is configured to use OAuth, LDAP, or other non-database authentication methods, the password reset endpoint remains registered and accessible, despite not being displayed in the user interface. This allows an enabled user to reset their password and be able to create...

6.5CVSS7.2AI score0.00376EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/11 2:24 p.m.10 views

Prebid-universal-creative latest on npm briefly compromised

Impact Npm users of PUC 1.17.3 or PUC latest were briefly affected by crypto-related malware detailed in the blog post below. This includes the extremely popular jsdelivr hosting of this file. Patches We unpublished the version on npm. Workarounds This has already been unpublished. See Prebid.js ...

9.3CVSS6.8AI score0.00312EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/11 2:22 p.m.6 views

Prebid.js NPM package briefly compromised

Impact NPM users of prebid 10.9.2. The malicious code attempts to redirect crypto transactions on the site to the attackers' wallet. Patches 10.10.0 is solved References https://www.sonatype.com/blog/npm-chalk-and-debug-packages-hit-in-software-supply-chain-attack...

8.6CVSS7AI score0.00324EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/11 6:30 a.m.9 views

jsondiffpatch is vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin

Vulnerability in jsondiffpatch Versions of jsondiffpatch prior to 0.7.2 are vulnerable to Cross-site Scripting XSS in the HtmlFormatter HtmlFormatter::nodeBegin. When diffs are rendered to HTML using the built-in formatter, untrusted payloads can inject scripts and execute in the context of a...

4.7CVSS6AI score0.0028EPSS
Exploits0References8Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/10 9:56 p.m.12 views

Angular SSR: Global Platform Injector Race Condition Leads to Cross-Request Data Leakage

Impact Angular uses a DI container the "platform injector" to hold request-specific state during server-side rendering. For historical reasons, the container was stored as a JavaScript module-scoped global variable. When multiple requests are processed concurrently, they could inadvertently share...

7.1CVSS6.6AI score0.00326EPSS
Exploits1References5Affected Software3
Github Security Blog
Github Security Blog
added 2025/09/10 9:37 p.m.12 views

interactive-git-checkout has a Command Injection vulnerability

The npm package interactive-git-checkout is an interactive command-line tool that allows users to checkout a git branch while it prompts for the branch name on the command-line. It is available as an npm package and can be installed via npm install -g interactive-git-checkout. Resources: Project'...

9.8CVSS7.9AI score0.01176EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/10 9:30 p.m.11 views

Liferay Portal's Incorrect Authorization vulnerability can lead to guest users to obtaining sensitive data

An Improper Access Control vulnerability in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q2.0 through 2024.Q2.8, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allows guest users to obtain object entry information via the API Builder...

6.5CVSS6.4AI score0.00238EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/10 9:30 p.m.9 views

Liferay Portal is vulnerable to Reflected XSS attack through get_editor path

A reflected cross-site scripting XSS vulnerability in Liferay Portal 7.4.3.73 through 7.4.3.128, and Liferay DXP 2024.Q3.0 through 2024.Q3.1, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 7.4 update 73 through update 92 allows remote attackers to inject arbitrary web script or HTML...

6.1CVSS5.6AI score0.00228EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/10 8:47 p.m.11 views

Infrahub: Deleted and expired API tokens can still authenticate

Impact A bug in the authentication logic will cause API tokens that were deleted and/or expired to be considered valid. This means that any API token that is associated with an active user account can authenticate successfully. Patches This issue is fixed in versions 1.3.9 and 1.4.5 Workarounds...

5.5CVSS6.9AI score0.00177EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/10 8:46 p.m.8 views

Shopware: Reflective Cross Site-Scripting (XSS) in CMS components

Impact By exploiting XSS vulnerabilities, malicious actors can perform harmful actions in the user's web browser in the session context of the affected user. Some examples of this include, but are not limited to: - Obtaining user session tokens. - Performing administrative actions when an...

5.5AI score
Exploits0References4Affected Software2
Github Security Blog
Github Security Blog
added 2025/09/10 8:44 p.m.8 views

xml2rfc is vulnerable to arbitrary file reads through prepped files

Impact When generating PDF files, this vulnerability allows an attacker to read arbitrary files from the filesystem by injecting malicious link element into the prepped RFCXML. Workarounds Test untrusted input with link elements with rel="attachment" before processing. References This is related ...

6.9AI score0.00278EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/10 8:43 p.m.16 views

WebSocket endpoint `/api/v2/ws/logs` reachable without authentication even when --auth is enabled

Summary Hoverfly’s admin WebSocket endpoint /api/v2/ws/logs is not protected by the same authentication middleware that guards the REST admin API. Consequently, an unauthenticated remote attacker can: - Stream real-time application logs information disclosure. - Gain insight into internal file...

8.8CVSS7.2AI score0.00663EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/10 8:30 p.m.10 views

PyInstaller has local privilege escalation vulnerability

Impact Due to a special entry being appended to sys.path during the bootstrap process of a PyInstaller-frozen application, and due to the bootstrap script attempting to load an optional module for bytecode decryption while this entry is still present in sys.path, an application built with...

7CVSS7.7AI score0.00114EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/10 8:29 p.m.10 views

Claude Code vulnerable to arbitrary code execution caused by maliciously configured git email

At startup, Claude Code constructed a shell command that interpolated the value of git config user.email from the current workspace. If an attacker controlled the repository’s Git config e.g., via a malicious .git/config and set user.email to a crafted payload, the unescaped interpolation could...

9.8CVSS7.4AI score0.00508EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/10 8:28 p.m.6 views

Indico vulnerable to Cross-Site Scripting via LaTeX math code

Impact There is a Cross-Site-Scripting vulnerability when rendering LaTeX math code in contribution or abstract descriptions. Patches You should to update to Indico 3.3.8 as soon as possible. See the docs for instructions on how to update. Workarounds Only let trustworthy users create content on...

5.4CVSS7.1AI score0.00189EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/10 8:27 p.m.10 views

Indico may disclose unauthorized user details access via legacy API

Impact A legacy API to retrieve user details could be misused to retrieve profile details of other users without having admin permissions due to a broken access check. Patches You should to update to Indico 3.3.8 as soon as possible. See the docs for instructions on how to update. Workarounds It ...

4.3CVSS6.8AI score0.00235EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/10 7:51 p.m.19 views

Picklescan Bypass is Possible via File Extension Mismatch

Summary Picklescan can be bypassed, allowing the detection of malicious pickle files to fail, when a standard pickle file is given a PyTorch-related file extension e.g., .bin. This occurs because the scanner prioritizes PyTorch file extension checks and errors out when parsing a standard pickle...

9.3CVSS7.4AI score0.00816EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/10 7:50 p.m.7 views

Picklescan: ZIP archive scan bypass is possible through non-exhaustive Cyclic Redundancy Check

Summary Picklescan's ability to scan ZIP archives for malicious pickle files is compromised when the archive contains a file with a bad Cyclic Redundancy Check CRC. Instead of attempting to scan the files within the archive, whatever the CRC is, Picklescan fails in error and returns no results...

9.8CVSS7.1AI score0.01428EPSS
Exploits1References8Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/10 7:48 p.m.17 views

Hoverfly is vulnerable to Remote Code Execution through an insecure middleware implementation

Summary It has been discovered that the middleware functionality in Hoverfly is vulnerable to command injection through its /api/v2/hoverfly/middleware endpoint due to insufficient validation and sanitization in user input. Details The vulnerability exists in the middleware management API endpoin...

9.8CVSS9.5AI score0.10543EPSS
Exploits7References9Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/10 6:30 p.m.7 views

Liferay Portal and Liferay DXP vulnerable to Stored Cross-site Scripting

A stored cross-site scripting XSS vulnerability in Liferay Portal 7.4.3.45 through 7.4.3.128, and Liferay DXP 2024 Q2.0 through 2024.Q2.9, 2024.Q1.1 through 2024.Q1.12, and 7.4 update 45 through update 92 allows remote attackers to execute an arbitrary web script or HTML in the My Workflow Tasks...

6.1CVSS5.6AI score0.00209EPSS
Exploits0References5Affected Software3
Github Security Blog
Github Security Blog
added 2025/09/10 6:30 p.m.15 views

Decap CMS Cross Site Scripting (XSS) vulnerability

Decap CMS through 3.8.3 is vulnerable to stored Cross-Site Scripting XSS in the admin preview pane. User-controlled fields e.g., title, description, tags, and body are rendered in the preview without sufficient sanitization/escaping. An attacker with low-privilege author/contributor access can...

6.1CVSS5.8AI score0.00297EPSS
Exploits2References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/10 5:15 p.m.11 views

Picklescan is Vulnerable to Unsafe Globals Check Bypass through Subclass Imports

Summary The vulnerability allows malicious actors to bypass PickleScan's unsafe globals check, leading to potential arbitrary code execution. The issue stems from PickleScan's strict check for full module names against its list of unsafe globals. By using subclasses of dangerous imports instead o...

9.3CVSS8AI score0.00761EPSS
Exploits1References8Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/10 5:13 p.m.10 views

Webrecorder packages are vulnerable to XSS through 404 error handling logic

A Reflected Cross-Site Scripting XSS vulnerability exists in the 404 error handling logic of wabac.js v2.23.10 and below. The parameter requestURL derived from the original request target is directly embedded into an inline block without sanitization or escaping. This allows an attacker to craft ...

7.1CVSS5.8AI score0.00237EPSS
Exploits0References8Affected Software3
Github Security Blog
Github Security Blog
added 2025/09/10 5:10 p.m.17 views

Claude Code rg vulnerability does not protect against approval prompt bypass

Due to an error in command parsing, it was possible to bypass the Claude Code confirmation prompt to trigger execution of an untrusted command. Reliably exploiting this requires the ability to add untrusted content into a Claude Code context window. Users on standard Claude Code auto-update will...

9.8CVSS7.1AI score0.00512EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/09 9:30 p.m.9 views

Liferay Portal exposes ERC which can lead to exploit the time response attack

Enumeration of ERC from object entry in Liferay Portal 7.4.0 through 7.4.3.128, and Liferay DXP 2024.Q3.0 through 2024.Q3.1, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 and 7.4 GA through update 92 allow attackers to determine existent ERC in the application by exploit t...

6.9CVSS6.9AI score0.00285EPSS
Exploits0References7Affected Software3
Github Security Blog
Github Security Blog
added 2025/09/09 9:30 p.m.10 views

Liferay Portal is vulnerable to XSS attacks via its remote app title field

A stored cross-site scripting XSS vulnerability in Liferay Portal 7.4.0 through 7.4.3.128, and Liferay DXP 2024.Q3.0 through 2024.Q3.5, 2024.Q2.0 through 2024.Q2.12, 2024.Q1.1 through 2024.Q1.12, and 7.4 GA through update 92 allows remote attackers to inject arbitrary web script or HTML via remot...

5.4CVSS5.4AI score0.002EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/09 9:30 p.m.12 views

SGLang Remote Code Execution Vulnerability via Unsafe Deserialization in update_weights_from_tensor

A security flaw has been discovered in lmsys sglang 0.4.6. Affected by this vulnerability is the function main of the file /updateweightsfromtensor. The manipulation of the argument serializednamedtensors results in deserialization. The attack can be launched remotely. The exploit has been releas...

7.5CVSS7.4AI score0.00376EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/09 9:30 p.m.6 views

Liferay Portal is vulnerable to XSS attack through its search bar portlet

A reflected cross-site scripting XSS vulnerability in Liferay Portal 7.4.3.110 through 7.4.3.128, and Liferay DXP 2024.Q3.1 through 2024.Q3.8, 2024.Q2.0 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1.12 allows remote attackers to inject arbitrary web script or HTML via the URL in search bar...

6.1CVSS5.5AI score0.00216EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/09 9:21 p.m.16 views

Monai: Unsafe use of Pickle deserialization may lead to RCE

To prevent this report from being deemed inapplicable or out of scope, due to the project's unique nature for medical applications and widespread popularity 6k+ stars, it's important to pay attention to some of the project's inherent security issues. This is because medical professionals may not...

8.8CVSS8.2AI score0.00602EPSS
Exploits1References6Affected Software1
Total number of security vulnerabilities33426