4072 matches found
Cross-site Scripting (XSS) - Stored in bigprof-software/online-rental-property-manager
✍️ Description Stored xss in profile state field There is a Stored XSS on the user profile edit page which occurs due to improper sanitization of the State name field as tested on the latest release. 🕵️♂️ Proof of Concept Steps to Reproduce: 1. Create a user account. 2. Login into the user...
Cross-site Scripting (XSS) - Stored in projectsend/projectsend
💥 BUG CSRF bug to delete file 💥 SUMMURY during batch delete file there is no csrf token present 💥 STEP TO REPRODUCE 1. vulnerable url is http://localhost/projectsend2/manage-files.php?action=delete&batch=27&batch=31&page=1 .\ Here in this url change file-id to delete and open the url and see file...
Cross-site Scripting (XSS) - Stored in projectsend/projectsend
💥 BUG Stored xss during file upload 💥 STEP TO REPRODUCE check this 1 minute video to reproduce the bug https://drive.google.com/file/d/17TkVQxAOuXxSnlaPh4smvbJndcW-JQla/view?usp=sharing 💥 IMPACT Lower level user can make xss attack against admin. So, using this xss bug lower level user can execut...
Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system
💥 BUG Stored xss via client address in invoice 💥 TESTED VERSION latest version as of 01/07/21 💥 STEP TO REPRODUCE 1. From admin account goto http://localhost/online-invoice2/app/admin/pageViewMembers.php and add a new user called user-B with read-write permission in invoice/client module .\ 2...
Cross-site Scripting (XSS) - Stored in combodo/itop
💥 BUG stored xss via contact lastname 💥 STEP TO REPRODUCE Plz check this 1 minute video to reproduce https://drive.google.com/file/d/1bR9ili6jKxX3UQ2dQUQTqNL0e4LsMDtk/view?usp=sharing 💥 Impact I see there is many different type of role base user . So, user who has permission to create contact can...
Improper Access Control in dani-garcia/vaultwarden
✍️ Description Vaultwarden allows users to share files and texts securely with anyone. This feature enables the user to control the number of accesses to a file or text and also the expiration date. A person, to retrieve one of these files, needs to access the share link in a browser. This link...
in polonel/trudesk
💥 BUG Stored xss via file upload 💥 IMPACT Stored xss allow to execute arbitary javascript in victim trudesk account External user also can execute xss in admin account here. 💥 STEP TO REPRODUCE 1. First from admin goto http://localhost:8118/teams and create a team called team2.\ Now goto...
in hascheksolutions/pictshare
BUG ========== sha1 comparision bypass DETAILS ============= There is vulnerable code which can bypass file sha1 hash checking bypass function sha1Exists$sha1 $handle = fopenROOT.DS.'data'.DS.'sha1.csv', "r"; if $handle while $line = fgets$handle !== false ifsubstr$line,0,40==$sha1 return...
Classic Buffer Overflow in chatwoot/chatwoot
You can put a very long work email text until you get the last user to put and aries or DoS. Normally emails have 64 to 225 digits. Summary There is no limit to the number of characters in the work email, which allows a DoS attack. The DoS attack affects both server-side and client-side. NOTE: Th...
Cross-site Scripting (XSS) - Reflected in falconchristmas/fpp
✍️ Description Reflected XSS in proxies.php when a user asked to add a proxy, resulting in XSS. 🕵️♂️ Proof of Concept https://drive.google.com/file/d/14uabBenjADBpzWbbYqiF8a9FU2fzhX/view?usp=sharing payload: ' onmouseover='alert1 💥 Impact This vulnerability is capable of doing Reflected XSS...
Improper Access Control in openwhyd/openwhyd
✍️ Description Youtube API key without proper referer restrictions is found in your repo. It can be embeded to anyone's website and if the billing account is active, it will incur charges on your account. 🕵️♂️ Proof of Concept Visit following link to verify anyone can access the api key:...
Cross-site Scripting (XSS) - Stored in dolibarr/dolibarr
✍️ Description The dolibarr is vulnerable to XSS. It is possible to bypass the sanitizer through onpointerdown event. 🕵️♂️ Proof of Concept Payload: XSS. 1. With an authenticated user, access http://localhost/product/index.php. 2. Click on New product in the left bar. 3. Put any content in the Ref...
Prototype Pollution in jalik/js-deep-extend
✍️ Description Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as proto, constructor and prototype. An attacker...
Cross-site Scripting (XSS) - Stored in utmsigep/member-directory
✍️ Description Donor creation is vulnerable to stored XSS originating from donor creation due to missing sanitization on user input. 🕵️♂️ Proof of Concept - Select a member-status/group - Create Member - Enter an XSS payload into the directory notes field, eg. - Hit save. Upon...
Cross-site Scripting (XSS) - Generic in utmsigep/member-directory
✍️ Description Administrative functions display success banners after multiple actions that reflect user-input directly without sanitization. 🕵️♂️ Proof of Concept Member-status Creation and Update - Directory Admin - Member Statuses - Create New Member Status - Code: Enter a string, Label: Enter...
Cross-site Scripting (XSS) - Reflected in falconchristmas/fpp
✍️ Description In https://github.com/FalconChristmas/fpp/blob/721c99aed6897792bf7f79fa02a280995e27d409/www/gitCheckoutVersion.phpL26 you echo a user input without sanitization : html Version: 🕵️♂️ Proof of Concept Visit...
Cross-site Scripting (XSS) - Reflected in blockonomics/woocommerce-plugin
✍️ Description Reflected javascript injection vulnerabilities exist when web applications take parameters from the URL and display them on a page. Reflection vulnerabilities occur when a website outputs a variable from the webpage URL directly to the page, such as in a PHP application that accepts...
Open Redirect in forkcms/forkcms
✍️ Description The forkcms is vulnerable to Open Redirect through invalid characters in the URL path. 🕵️♂️ Proof of Concept With an authenticated user, access: http://localhost/private/en/authentication?querystring=/%01/effectrenan.com 💥 Impact This vulnerability allows attackers to fool victims...
Prototype Pollution in automattic/cli-table
Description Prototype Pollution in cli-table Proof of Concept 1. Create the following PoC file: // poc.js var cliTable = require"cli-table" const payload = JSON.parse'"proto":"polluted":"Yes! Its Polluted"'; var obj = console.log"Before : " + .polluted; cliTablepayload; console.log"After : " +...
Code Injection in uber/petastorm
Description Petastorm is an open source data access library developed at Uber ATG. This library enables single machine or distributed training and evaluation of deep learning models directly from datasets in Apache Parquet format. Petastorm supports popular Python-based machine learning ML...
Prototype Pollution in ionicabizau/obj-def
Description obj-def is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: // poc.js var objDef = require"obj-def" var obj = console.log"Before : " + .polluted; objDefobj, "proto", .polluted ='Yes! Its Polluted'; console.log"After : " + .polluted; 2. Execute the...
Prototype Pollution in ionicabizau/set-or-get.js
Description set-or-get is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: // poc.js var SetOrGet = require"set-or-get"; var obj = console.log"Before : " + .polluted; SetOrGetobj, "proto", .polluted ='Yes! Its Polluted'; console.log"After : " + .polluted; 2...
Cross-site Scripting (XSS) - Generic in igniterealtime/openfire-bookmarks-plugin
Description openfire-bookmarks-plugin is vulnerable to Cross-Site Scripting XSS. Steps To Reproduce 1. Download openfire and install https://www.igniterealtime.org/downloads/ 2. Run the server http://localhost:9090/index.jsp 3. Click on "Plugins" http://localhost:9090/plugin-admin.jsp and install...
Prototype Pollution in generates/generates
Description @generates/merger is vulnerable to Prototype Pollution. This package allowing for modification of prototype behavior, which may result in Information Disclosure/DoS/RCE. Proof of Concept 1. Create the following PoC file: js // poc.js var merger = require"@generates/merger" const paylo...
OS Command Injection in adrieankhisbe/bundle-phobia-cli
Description BundlePhobia is a tool to help you find the cost of adding a npm package to your bundle. It enables you to query package sizes. The npm-utils.js has a unsanitized exec function which leads to Arbitrary code execution Proof-of-concept const util = require'./npm-utils.js'; let a =...
Command Injection in sh0ji/git-tags-remote
Overview git-tags-remote is a Get remote repository tags, this package is vulnerable to Command Injection. The package fails to sanitize the repository input and passes it directly to an exec call on the get function . This can allow attackers to execute arbitrary code in the system if the...
Command Injection in forsigner/node-pngdefry
Overview Affected versions execute arbitrary commands remotely inside the victim's PC. The issue occurs because user input is formatted inside a command that will be executed without any checks...
Path Traversal in Keras Archive Extraction via CWD Validation Bypass Leading to Arbitrary File Write
Description Technical Details of the Vulnerability Summary Keras's archive extraction utilities in keras/src/utils/fileutils.py are vulnerable to path traversal. The functions filtersafetarinfos and filtersafezipinfos validate archive member paths against the process current working directory...
model.weights.h5: h5py.ExternalLink at Group level silently followed during load_model(), bypassing CVE-2025-9905 fix — information disclosure from arbitrary HDF5 files
Keras 3.x introduced a fix for CVE-2025-9905 by checking dataset.external in H5IOStore.verifydataset. This check blocks datasets whose raw bytes are stored in external files via the HDF5 "External Data Storage" mechanism. However, HDF5 supports a second, unrelated external-reference mechanism:...
Unsafe cloudpickle deserialization in Prefect task runners and bundle deserialization
This report is not public...
Arbitrary File Write via Path Traversal in Orbax Checkpoint Asset Dict Keys
Description When loading a Keras model from an Orbax checkpoint directory, the writenesteddicttodir function uses dict keys from the checkpoint's asset data directly in os.path.join without any path sanitization. A crafted Orbax checkpoint can include absolute paths or path traversal sequences .....
Path traversal via startswith() prefix confusion in is_path_in_dir (bypass of CVE-2025-12638 fix)
Description The ispathindir function in keras/src/utils/fileutils.py line 47-48 is a security-critical path validation function introduced as part of the fix for CVE-2025-12638. It is used by both filtersafezipinfos and filtersafetarinfos to validate that archive entries stay within the intended...
Tracing + Assessments Access
This report is not public...
Arbitrary file write via tar traversal
Summary A crafted tar.gz passed to MLflow pyfunc extraction is unpacked with tarfile.extractall without path validation. Archive entries containing .. or absolute paths can escape the destination directory and write arbitrary files on the host. This is reachable when users supply prebuiltenvuri o...
Unlimited-memory decompression leads to DoS bypassing `--http-max-input-size`
This report is not public...
Account takeover due to missing oauth audience verification in google sign in
Description The web application integrates Google OAuth for user authentication. Upon successful Google sign-in and user consent, the application receives a token from Google. This token is used by the web application to fetch user profile information such as email and name and complete the login...
XPath Injection in search_item_ctrl_f Function - Hugging Face Smolagents v1.20.0
The searchitemctrlf function in the Hugging Face Smolagents library is vulnerable to XPath injection. The function simply concatenates user input into an XPath query without sanitizing or escaping the input. Vulnerable Code Location: File: src/smolagents-1.20.0/smolagents/visionwebbrowser.py...
Regular expression Denial of Service - ReDoS in huggingface/transformers
Description A regular expression denial of service ReDoS vulnerability has been identified in the Hugging Face Transformers library's Donut processor. The vulnerability exists in the token2json method of the DonutProcessor class, which processes document tokens into JSON format. The regex pattern...
Regular expression Denial of Service - ReDoS
Description The preprocessstring function in the transformers.testingutils module uses a regular expression to process code blocks in docstrings. This regular expression has the following structure: codeblockpattern = r"?:python|py\s\n\s ?:.?\n?.?" The segment ?:.?\n?.? contains nested quantifier...
Changing the "ID" parameter in the user cookie allows loading the profile picture of other users
Description A vulnerability has been discovered in AnythingLLM Docker that allows users, even with "Default" permission, to obtain other users' profile pictures. Proof of Concept 1 Create a new user with the default role; 2 Log in to the user account you created; 3 Open the browser inspector and...
Denial of service through batched queries in GraphQL
This report is not public...
Leakage of Langfuse API keys in team exception handling
This report is not public...
malicious gguf model can be uploaded and created causing division by zero via network, leading to DoS
This report is not public...
Patch bypass (Insufficient Patch) of CVE-2024-8736 leads to DoS
This report is not public...
Store XSS when Edit label set
Description Store XSS when Edit label set. I noticed, you have filtered the input when creating the label set. But, perhaps you forgot to filter when editing the label set. Proof of Concept 1 .Create a label set 2 .Edit label set with payload : haidoalertdocument.domain 3 .Click Export multiple...
Insufficient Session Expiration
Insufficient session expiration is a web application security vulnerability that occurs when a web application does not properly manage the lifecycle of a user's session. This can allow an attacker to hijack the user's session and gain unauthorized access to the application. The web application m...
stored XSS Bypass in the TAGS Section and other places in the application
Hello, I was able to bypass the XSS Protection and get a stored XSS using the XSS Payload in the Video and Screenshots. Thank you for your time and effort. Best regards Ahmed Hassan...
Stored XSS in label function
Description By Injecting the payloads to the fields dataToSend, users who visited "Label sets list" screen maybe compromises Proof of Concept Step 1: Login as a user who has permission to edit the Label. Go to the label function and view a label Step 2: Inject the payload to the Code field as the...
IDOR in notification function
Description By manipulating the notId, a user can view the notification of other users Proof of Concept Step 1: Login as user demo, click on a notification and see that the notification has a notId as 227. Step 2: Open another browser and login as user. Step 3: Access the URL to view the...
Broken Authentication
Description I tested the demo site you provided. I see that there is an Broken Authentication vulnerability in Administration: CPU stats API. The Administration: CPU stats API does not validated user permissions. Proof of Concept link video PoC https://screenpal.com/watch/c01F1bVBmX1 Step 1. In t...