1518 matches found
Directory Traversal
360class.jansenhm is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url./n...
Directory Traversal
11xiaoli is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url./n...
HAPI FHIR: Incomplete fix for CVE-2026-45367: DSTU2 FHIRPathEngine.matches() missing RegexTimeout protection allows ReDoS
The fix for CVE-2026-45367 added RegexTimeout protection to the matches function in DSTU2016MAY, DSTU3, R4, R4B, and R5, but the DSTU2 module was incompletely patched. In org.hl7.fhir.dstu2, replaceMatches was updated while matches at line 2462 still calls the raw String.matchessw without any...
Crawl4AI: Multiple Docker API Vulnerabilities - File Write, SSRF, Auth Bypass, XSS, JS Execution
Multiple security vulnerabilities in the Crawl4AI Docker API server affecting endpoints for crawling, markdown/LLM extraction, screenshots, PDFs, webhooks, monitoring, JavaScript execution, and configuration...
HAPI FHIR: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint
All implementations of FHIRPathEngine accept arbitrary FHIRPath expressions and evaluate them without input validation. The FHIRPath functions matches, matchesFull, and replaceMatches pass user-controlled regular expressions directly to Java's Pattern.compile and String.replaceAll without...
uniget is Vulnerable to Command Injection in tool.Check Leading to Arbitrary Code Execution
A command injection vulnerability exists in uniget due to unsafe execution of the check field from metadata files using /bin/bash -c. Because the check field is loaded directly from untrusted JSON metadata without validation or sanitization, an attacker can craft malicious metadata that executes...
Nginx-UI: Unauthenticated first-boot instance claim via POST /api/install allows remote bootstrap takeover
An unauthenticated bootstrap takeover exists in nginx-ui during the initial installation window exposed by POST /api/install. When the instance is still uninitialized, POST /api/install is reachable without authentication and accepts attacker-controlled bootstrap data. The handler sets the...
actix-http has HTTP/1.1 CL.TE Request Smuggling
A vulnerability in actix-http's HTTP/1.1 request parser allows an unauthenticated remote client to smuggle requests in deployments where a front-end HTTP intermediary and the Actix backend disagree about whether Content-Length or Transfer-Encoding: chunked defines the request body length...
WWBN AVideo's GIF poster fetch bypasses traversal scrubbing and exposes local files through public media URLs
objects/aVideoEncoderReceiveImage.json.php allowed an authenticated uploader to fetch attacker-controlled same-origin /videos/... URLs, bypass traversal scrubbing, and expose server-local files through the GIF poster storage path. The vulnerable GIF branch could be abused to read local files such...
WWBN AVideo has a Live restream log callback flow enabling stored SSRF to internal services
The Live restream log callback flow accepted an attacker-controlled restreamerURL and later fetched that stored URL server-side, enabling stored SSRF for authenticated streamers. The vulnerable flow allowed a low-privilege user with streaming permission to store an arbitrary callback URL and...
Flask-HTTPAuth invokes token verification callback when missing or empty token was given by client
In a situation where the client makes a request to a token protected resource without passing a token, or passing an empty token, Flask-HTTPAuth would invoke the application's token verification callback function with the token argument set to an empty string. If the application had any users in...
Nginx Configuration Directory Vulnerable to Recursive Deletion via Improper Path Validation
The nginx-ui configuration improperly handles URL-encoded traversal sequences. When specially crafted paths are supplied, the backend resolves them to the base Nginx configuration directory and executes the operation on the base directory /etc/nginx. In particular, this allows an authenticated us...
nginx-UI has Unencrypted Storage of DNS API Tokens and ACME Private Keys
Nginx-UI contains an Insecure Direct Object Reference IDOR vulnerability that allows any authenticated user to access, modify, and delete resources belonging to other users. The application's base Model struct lacks a userid field, and all resource endpoints perform queries by ID without verifyin...
Nginx-UI Vulnerable to Unauthenticated Backup Download with Encryption Key Disclosure
The /api/backup endpoint is accessible without authentication and discloses the encryption keys required to decrypt the backup in the X-Backup-Security response header. This allows an unauthenticated attacker to download a full system backup containing sensitive data user credentials, session...
Vikunja has Path Traversal in CLI Restore
Path Traversal Zip Slip and Denial of Service DoS vulnerability discovered in the Vikunja CLI's restore functionality...
AWS SDK for .NET V4 adopted defense in depth enhancement for region parameter value
This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. A defense-in-depth enhancement has been implemented in the AWS SD...
1Panel IP Access Control Bypass via Untrusted X-Forwarded-For Headers
The server trusts all reverse-proxy headers by default, so any remote client can spoof X-Forwarded-For to bypass IP-based protections AllowIPs, API IP whitelist, “localhost-only” checks. All IP-based access control becomes ineffective...
@accordproject/template-engine contains malware after npm account takeover
On November 24th 2025, a new supply chain attack called Shai-Hulud 2.0 was launched. This package contains the malicious code that attempts to harvest credentials and infect GitHub and npm repositories. The malicious software executes during the pre-install phase and attempts to harvest credentia...
@accordproject/concerto-analysis contains malware after npm account takeover
On November 24th 2025, a new supply chain attack called Shai-Hulud 2.0 was launched. This package contains the malicious code that attempts to harvest credentials and infect GitHub and npm repositories. The malicious software executes during the pre-install phase and attempts to harvest credentia...
@actbase/react-native-kakao-channel contains malware after npm account takeover
On November 24th 2025, a new supply chain attack called Shai-Hulud 2.0 was launched. This package contains the malicious code that attempts to harvest credentials and infect GitHub and npm repositories. The malicious software executes during the pre-install phase and attempts to harvest credentia...
Actual Sync-server Gocardless service is logging sensitive data including bearer tokens and account numbers
The GoCardless components in Actualbudget in are logging responses to STDOUT in a parsed format using console.logand console.debug Which in this version of node is an alias for console.log. This is exposing sensitive information in log files including, but not limited to: - Gocardless bearer...
Apache ActiveMQ NMS AMQP Client has a Deserialization of Untrusted Data vulnerability
A Deserialization of Untrusted Data vulnerability exists in the Apache ActiveMQ NMS AMQP Client. This issue affects all versions of Apache ActiveMQ NMS AMQP up to and including 2.3.0, when establishing connections to untrusted AMQP servers. Malicious servers could exploit unbounded deserializatio...
Duplicate
This advisory duplicates another...
Sparkle Signing Checks Bypass
A security issue was found in Sparkle before version 2.6.4. An attacker can replace an existing signed update with another payload, bypassing Sparkle’s EdDSA signing checks...
wasmvm: Malicious smart contract can crash the chain
CWA-2025-001 Severity Medium Moderate + Likely^1 Affected versions: - wasmvm = 2.2.0, = 2.1.0, = 2.0.0, 2.0.6 - wasmvm 1.5.8 Patched versions: - wasmvm 1.5.8, 2.0.6, 2.1.5, 2.2.2 Description of the bug The vulnerability can be used to crash the chain. The underlying bug that causes this is presen...
CWA-2024-006: wasmd non-deterministic module_query_safe query
Component: wasmd Criticality: Medium ACMv1: I:Moderate; L:Likely Patched versions: wasmd 0.53.0 See CWA-2024-006 for more details...
Gas mispricing in cosmwasm-vm
Component: wasmvm Criticality: Medium ACMv1: I:Moderate; L:Likely Patched versions: wasmvm 1.5.3, 2.0.2, 2.1.1...
Aimeos denial of service vulnerability in SaaS and marketplace setups
All SaaS and marketplace setups using Aimeos version from 2022/2023/2024 are affected by a potential denial of service attack...
ADOdb SQL injection vulnerability
The ADOdb Library for PHP prior to version 5.20.11 is prone to SQL Injection vulnerability in multiple drivers...
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' in gogs.io/gogs...
Improper Authorization in Gogs
Impact Expired PAM accounts and accounts with expired passwords are continued to be seen as valid. Installations use PAM as authentication sources are affected. Patches Expired PAM accounts and accounts with expired passwords are no longer being seen as valid. Users should upgrade to 0.12.5 or th...
Duplicate advisory: swift-nio-http2 vulnerable to denial of service via ALTSVC or ORIGIN frames
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-pgfx-g6rc-8cjv. This link is maintained to preserve external references. Original Description A program using swift-nio-http2 is vulnerable to a denial of service attack caused by a network peer sending ALTSVC o...
Improper Control of Generation of Code ('Code Injection') in @asyncapi/modelina
Impact Anyone who is using the default presets and/or does not handle the functionality themself. Patches It has not been patched yet. Workarounds Fully custom presets that change the entire rendering process which can then escape the user input. For more information Even though that I changed al...
RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be
A security-sensitive bug was discovered by Open Source Developer Erik Sundell of Sundell Open Source Consulting AB. The functions RandomAlphaNumericint and CryptoRandomAlphaNumericint are not as random as they should be. Small values of int in the functions above will return a smaller subset of...
SQL Injection
adodb-php contains a SQLi vulnerability...
SQL Injection
adodb-php contains a SQLi vulnerability...
Directory Traversal
22lixian is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the url./n...
Crawl4AI: Arbitrary file write (path traversal) in crawler downloads can lead to RCE
When the crawler saves a downloaded file, the destination filename was taken from attacker-influenced input and joined to the downloads directory with no confinement. A filename containing an absolute path e.g. /etc/cron.d/evil or ../ traversal escaped the downloads directory, giving an arbitrary...
HAPI FHIR: XXE in XsltUtilities.saxonTransform via unhardened Saxon TransformerFactory
org.hl7.fhir.utilities.XsltUtilities exposes two parallel families of XSLT transform helpers. The transform... overloads obtain their TransformerFactory from the project's hardened helper XMLUtil.newXXEProtectedTransformerFactory which sets ACCESSEXTERNALDTD="" and ACCESSEXTERNALSTYLESHEET="". Th...
NIOExtras: NIOHTTPRequestDecompressor ratio limit bypass via inflated Content-Length
When NIOHTTPRequestDecompressor is configured with .ratioN, the decompression limit is enforced using the Content-Length header value from the incoming request rather than the actual number of compressed bytes received. Since Content-Length is attacker-controlled, a malicious client can supply an...
AdGuard Home: DoQ-to-UDP State Reduction and Source-Port Oracle
This report covers the client-triggered DoQ forwarding path in: - dnsproxy v0.81.2 adguard/dnsproxy:v0.81.2 - AdGuard Home v0.107.74 adguard/adguardhome:latest, image version label v0.107.74 The issue was reproduced on 2026-04-25 with the products configured through their documented DoQ listener...
CC-Tweaked has an SSRF Protection Bypass with NAT64
CC-Tweaked's HTTP API http.request, http.websocket blocks requests to private network ranges to prevent server-side request forgery SSRF. This protection can be bypassed on IPv6-capable servers using NAT64 well-known prefix addresses 64:ff9b::/96. An attacker who can execute Lua code can reach an...
9router: Unauthenticated Remote Code Execution via unprotected MCP custom plugin routes
9router exposes two unauthenticated API endpoints that, when chained together, allow any network-adjacent attacker to execute arbitrary OS commands as the user running the 9router process — with zero prerequisites and no credentials required. The vulnerability exists because the Next.js middlewar...
HAPI FHIR: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint
All implementations of FHIRPathEngine accept arbitrary FHIRPath expressions and evaluate them without input validation. The FHIRPath functions matches, matchesFull, and replaceMatches pass user-controlled regular expressions directly to Java's Pattern.compile and String.replaceAll without...
HAPI FHIR: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint
All implementations of FHIRPathEngine accept arbitrary FHIRPath expressions and evaluate them without input validation. The FHIRPath functions matches, matchesFull, and replaceMatches pass user-controlled regular expressions directly to Java's Pattern.compile and String.replaceAll without...
HAPI FHIR: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint
All implementations of FHIRPathEngine accept arbitrary FHIRPath expressions and evaluate them without input validation. The FHIRPath functions matches, matchesFull, and replaceMatches pass user-controlled regular expressions directly to Java's Pattern.compile and String.replaceAll without...
HAPI FHIR: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint
All implementations of FHIRPathEngine accept arbitrary FHIRPath expressions and evaluate them without input validation. The FHIRPath functions matches, matchesFull, and replaceMatches pass user-controlled regular expressions directly to Java's Pattern.compile and String.replaceAll without...
container: pf Rule Injection via Domain Name Argument in `container system dns create --localhost` Command
The container system dns create --localhost command accepts a domainName argument and passes it unsanitized into the pf anchor file /etc/pf.anchors/com.apple.container as a comment in a rule line. A domain name containing a newline character breaks out of the comment context and injects an...
nova-toggle-5: Improper authorization on toggle endpoint allowed non-Nova users to modify boolean fields
In versions middleware. Any user authenticated on the configured guard could call the endpoint and flip boolean attributes on any Nova resource — including users who do not have access to Nova itself for example, frontend customers sharing the web guard with the Nova admin area. The endpoint also...
Actual has Privilege Escalation via 'change-password' Endpoint on OpenID-Migrated Servers
Any authenticated user including BASIC role can escalate to ADMIN on servers migrated from password authentication to OpenID Connect. Three weaknesses combine: POST /account/change-password has no authorization check, allowing any session to overwrite the password hash; the inactive password auth...