4072 matches found
in polonel/trudesk
💥 BUG Stored xss via file upload 💥 IMPACT Stored xss allow to execute arbitary javascript in victim trudesk account External user also can execute xss in admin account here. 💥 STEP TO REPRODUCE 1. First from admin goto http://localhost:8118/teams and create a team called team2.\ Now goto...
in hascheksolutions/pictshare
BUG ========== sha1 comparision bypass DETAILS ============= There is vulnerable code which can bypass file sha1 hash checking bypass function sha1Exists$sha1 $handle = fopenROOT.DS.'data'.DS.'sha1.csv', "r"; if $handle while $line = fgets$handle !== false ifsubstr$line,0,40==$sha1 return...
Classic Buffer Overflow in chatwoot/chatwoot
You can put a very long work email text until you get the last user to put and aries or DoS. Normally emails have 64 to 225 digits. Summary There is no limit to the number of characters in the work email, which allows a DoS attack. The DoS attack affects both server-side and client-side. NOTE: Th...
Cross-site Scripting (XSS) - Reflected in falconchristmas/fpp
✍️ Description Reflected XSS in proxies.php when a user asked to add a proxy, resulting in XSS. 🕵️♂️ Proof of Concept https://drive.google.com/file/d/14uabBenjADBpzWbbYqiF8a9FU2fzhX/view?usp=sharing payload: ' onmouseover='alert1 💥 Impact This vulnerability is capable of doing Reflected XSS...
Improper Access Control in openwhyd/openwhyd
✍️ Description Youtube API key without proper referer restrictions is found in your repo. It can be embeded to anyone's website and if the billing account is active, it will incur charges on your account. 🕵️♂️ Proof of Concept Visit following link to verify anyone can access the api key:...
Cross-site Scripting (XSS) - Stored in dolibarr/dolibarr
✍️ Description The dolibarr is vulnerable to XSS. It is possible to bypass the sanitizer through onpointerdown event. 🕵️♂️ Proof of Concept Payload: XSS. 1. With an authenticated user, access http://localhost/product/index.php. 2. Click on New product in the left bar. 3. Put any content in the Ref...
Prototype Pollution in jalik/js-deep-extend
✍️ Description Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as proto, constructor and prototype. An attacker...
Cross-site Scripting (XSS) - Stored in utmsigep/member-directory
✍️ Description Donor creation is vulnerable to stored XSS originating from donor creation due to missing sanitization on user input. 🕵️♂️ Proof of Concept - Select a member-status/group - Create Member - Enter an XSS payload into the directory notes field, eg. - Hit save. Upon...
Cross-site Scripting (XSS) - Generic in utmsigep/member-directory
✍️ Description Administrative functions display success banners after multiple actions that reflect user-input directly without sanitization. 🕵️♂️ Proof of Concept Member-status Creation and Update - Directory Admin - Member Statuses - Create New Member Status - Code: Enter a string, Label: Enter...
Cross-site Scripting (XSS) - Reflected in falconchristmas/fpp
✍️ Description In https://github.com/FalconChristmas/fpp/blob/721c99aed6897792bf7f79fa02a280995e27d409/www/gitCheckoutVersion.phpL26 you echo a user input without sanitization : html Version: 🕵️♂️ Proof of Concept Visit...
Cross-site Scripting (XSS) - Reflected in blockonomics/woocommerce-plugin
✍️ Description Reflected javascript injection vulnerabilities exist when web applications take parameters from the URL and display them on a page. Reflection vulnerabilities occur when a website outputs a variable from the webpage URL directly to the page, such as in a PHP application that accepts...
Open Redirect in forkcms/forkcms
✍️ Description The forkcms is vulnerable to Open Redirect through invalid characters in the URL path. 🕵️♂️ Proof of Concept With an authenticated user, access: http://localhost/private/en/authentication?querystring=/%01/effectrenan.com 💥 Impact This vulnerability allows attackers to fool victims...
Prototype Pollution in automattic/cli-table
Description Prototype Pollution in cli-table Proof of Concept 1. Create the following PoC file: // poc.js var cliTable = require"cli-table" const payload = JSON.parse'"proto":"polluted":"Yes! Its Polluted"'; var obj = console.log"Before : " + .polluted; cliTablepayload; console.log"After : " +...
Code Injection in uber/petastorm
Description Petastorm is an open source data access library developed at Uber ATG. This library enables single machine or distributed training and evaluation of deep learning models directly from datasets in Apache Parquet format. Petastorm supports popular Python-based machine learning ML...
Prototype Pollution in ionicabizau/obj-def
Description obj-def is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: // poc.js var objDef = require"obj-def" var obj = console.log"Before : " + .polluted; objDefobj, "proto", .polluted ='Yes! Its Polluted'; console.log"After : " + .polluted; 2. Execute the...
Cross-site Scripting (XSS) - Generic in igniterealtime/openfire-bookmarks-plugin
Description openfire-bookmarks-plugin is vulnerable to Cross-Site Scripting XSS. Steps To Reproduce 1. Download openfire and install https://www.igniterealtime.org/downloads/ 2. Run the server http://localhost:9090/index.jsp 3. Click on "Plugins" http://localhost:9090/plugin-admin.jsp and install...
Prototype Pollution in ionicabizau/set-or-get.js
Description set-or-get is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: // poc.js var SetOrGet = require"set-or-get"; var obj = console.log"Before : " + .polluted; SetOrGetobj, "proto", .polluted ='Yes! Its Polluted'; console.log"After : " + .polluted; 2...
Prototype Pollution in generates/generates
Description @generates/merger is vulnerable to Prototype Pollution. This package allowing for modification of prototype behavior, which may result in Information Disclosure/DoS/RCE. Proof of Concept 1. Create the following PoC file: js // poc.js var merger = require"@generates/merger" const paylo...
Prototype Pollution in sagold/gson-query
Description gson-query is vulnerable to Prototype Pollution. This package allowing for modification of prototype behavior, which may result in Information Disclosure/DoS/RCE. Proof of Concept 1. Create the following PoC file: js // poc.js var gsonQuery = require"gson-query" var obj =...
OS Command Injection in adrieankhisbe/bundle-phobia-cli
Description BundlePhobia is a tool to help you find the cost of adding a npm package to your bundle. It enables you to query package sizes. The npm-utils.js has a unsanitized exec function which leads to Arbitrary code execution Proof-of-concept const util = require'./npm-utils.js'; let a =...
Path Traversal in youngerheart/nodeserver
Overview nodeserver is a Achieve node server's domain name resolution and web application's router, this package is vulnerable to Directory Traversal, which may allow access to sensitive files and data on the server. For example, requesting the following URL: /../../etc/passwd would result in...
Command Injection in sh0ji/git-tags-remote
Overview git-tags-remote is a Get remote repository tags, this package is vulnerable to Command Injection. The package fails to sanitize the repository input and passes it directly to an exec call on the get function . This can allow attackers to execute arbitrary code in the system if the...
Command Injection in forsigner/node-pngdefry
Overview Affected versions execute arbitrary commands remotely inside the victim's PC. The issue occurs because user input is formatted inside a command that will be executed without any checks...
Path Traversal in Keras Archive Extraction via CWD Validation Bypass Leading to Arbitrary File Write
Description Technical Details of the Vulnerability Summary Keras's archive extraction utilities in keras/src/utils/fileutils.py are vulnerable to path traversal. The functions filtersafetarinfos and filtersafezipinfos validate archive member paths against the process current working directory...
model.weights.h5: h5py.ExternalLink at Group level silently followed during load_model(), bypassing CVE-2025-9905 fix — information disclosure from arbitrary HDF5 files
Keras 3.x introduced a fix for CVE-2025-9905 by checking dataset.external in H5IOStore.verifydataset. This check blocks datasets whose raw bytes are stored in external files via the HDF5 "External Data Storage" mechanism. However, HDF5 supports a second, unrelated external-reference mechanism:...
Unsafe cloudpickle deserialization in Prefect task runners and bundle deserialization
This report is not public...
Arbitrary File Write via Path Traversal in Orbax Checkpoint Asset Dict Keys
Description When loading a Keras model from an Orbax checkpoint directory, the writenesteddicttodir function uses dict keys from the checkpoint's asset data directly in os.path.join without any path sanitization. A crafted Orbax checkpoint can include absolute paths or path traversal sequences .....
Path traversal via startswith() prefix confusion in is_path_in_dir (bypass of CVE-2025-12638 fix)
Description The ispathindir function in keras/src/utils/fileutils.py line 47-48 is a security-critical path validation function introduced as part of the fix for CVE-2025-12638. It is used by both filtersafezipinfos and filtersafetarinfos to validate that archive entries stay within the intended...
Tracing + Assessments Access
This report is not public...
Arbitrary file write via tar traversal
Summary A crafted tar.gz passed to MLflow pyfunc extraction is unpacked with tarfile.extractall without path validation. Archive entries containing .. or absolute paths can escape the destination directory and write arbitrary files on the host. This is reachable when users supply prebuiltenvuri o...
Unlimited-memory decompression leads to DoS bypassing `--http-max-input-size`
This report is not public...
Account takeover due to missing oauth audience verification in google sign in
Description The web application integrates Google OAuth for user authentication. Upon successful Google sign-in and user consent, the application receives a token from Google. This token is used by the web application to fetch user profile information such as email and name and complete the login...
XPath Injection in search_item_ctrl_f Function - Hugging Face Smolagents v1.20.0
The searchitemctrlf function in the Hugging Face Smolagents library is vulnerable to XPath injection. The function simply concatenates user input into an XPath query without sanitizing or escaping the input. Vulnerable Code Location: File: src/smolagents-1.20.0/smolagents/visionwebbrowser.py...
Regular expression Denial of Service - ReDoS in huggingface/transformers
Description A regular expression denial of service ReDoS vulnerability has been identified in the Hugging Face Transformers library's Donut processor. The vulnerability exists in the token2json method of the DonutProcessor class, which processes document tokens into JSON format. The regex pattern...
Regular expression Denial of Service - ReDoS
Description The preprocessstring function in the transformers.testingutils module uses a regular expression to process code blocks in docstrings. This regular expression has the following structure: codeblockpattern = r"?:python|py\s\n\s ?:.?\n?.?" The segment ?:.?\n?.? contains nested quantifier...
Changing the "ID" parameter in the user cookie allows loading the profile picture of other users
Description A vulnerability has been discovered in AnythingLLM Docker that allows users, even with "Default" permission, to obtain other users' profile pictures. Proof of Concept 1 Create a new user with the default role; 2 Log in to the user account you created; 3 Open the browser inspector and...
Denial of service through batched queries in GraphQL
This report is not public...
Leakage of Langfuse API keys in team exception handling
This report is not public...
RCE via Global State Override
This exploit effectively serves as a bypass for CVE-2024-3408. An attacker can override global state to enable custom filters, which then facilitates remote code execution RCE. Specifically, this vulnerability leverages the ability to manipulate global application settings to activate the...
malicious gguf model can be uploaded and created causing division by zero via network, leading to DoS
This report is not public...
Patch bypass (Insufficient Patch) of CVE-2024-8736 leads to DoS
This report is not public...
Store XSS when Edit label set
Description Store XSS when Edit label set. I noticed, you have filtered the input when creating the label set. But, perhaps you forgot to filter when editing the label set. Proof of Concept 1 .Create a label set 2 .Edit label set with payload : haidoalertdocument.domain 3 .Click Export multiple...
Insufficient Session Expiration
Insufficient session expiration is a web application security vulnerability that occurs when a web application does not properly manage the lifecycle of a user's session. This can allow an attacker to hijack the user's session and gain unauthorized access to the application. The web application m...
Stored XSS in label function
Description By Injecting the payloads to the fields dataToSend, users who visited "Label sets list" screen maybe compromises Proof of Concept Step 1: Login as a user who has permission to edit the Label. Go to the label function and view a label Step 2: Inject the payload to the Code field as the...
IDOR in notification function
Description By manipulating the notId, a user can view the notification of other users Proof of Concept Step 1: Login as user demo, click on a notification and see that the notification has a notId as 227. Step 2: Open another browser and login as user. Step 3: Access the URL to view the...
Broken Authentication
Description I tested the demo site you provided. I see that there is an Broken Authentication vulnerability in Administration: CPU stats API. The Administration: CPU stats API does not validated user permissions. Proof of Concept link video PoC https://screenpal.com/watch/c01F1bVBmX1 Step 1. In t...
The user can delete himself
Description Bypassing the conditional check leads to the user can delete himself. Proof of Concept Step 1: The user with id 18834 attempts to delete himself but encounter an error Step 2: By using userid=18834' instead of userid=18834, the user was able to successfully delete himself...
Able to change username that is by default unchangeable
Description The website receives input from the user that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified. Proof of Concept Step 1: We have a user with ID 18833 and the...
Stored XSS in End page
Description Allows a user who only has the authority to create surveys not the administrator to bypass validation and embed javascript schemes when creating surveys Step to reproduce - Login as administrator 1. Open User management and Create a user with create surveys only permissions. 1. Logout...
Partial Local file inclusion
Description An authenticated user can extend the range of the web application's folder context and can dig out to OS level. To reproduce the issue, please authenticate to the web application, and simply open the following URL in the browser:...