4072 matches found
OS Command Injection in falconchristmas/fpp
✍️ Description Hi, there is a command injection vulnerability in https://github.com/FalconChristmas/fpp/blob/40a636c6e38442e3674db0b85fdfc5ed8a79b823/www/changebranch.phpL23 php &1"; echo "Command: $command\n"; echo...
in mcfriend99/bird
✍️ Description Heap-based 1-byte write violation. Certain programs can cause the parser/syntax-checker to write out of bounds. The below program writes a single byte out of bounds. 🕵️♂️ Proof of Concept Program: var a = 'outer' def test var a = 'inner' echo 'It works! $a' echo a echo test test def...
in hstm/dotfiles
✍️ Description Owner of this Github repo has inadvertently committed their .pgpass file which contains login information for a localhost PostgreSQL server. We suggest the owner of this Github repo deletes the file from the repo, adds .pgpass to their .gitignore and changes their localhost...
Improper Privilege Management in dolibarr/dolibarr
💥 BUG unprivileged user can add personal email to another user. 💥 IMPACT user who dont have any access in "users and groups" can update users personal email. 💥 TESTED VERSION dolibarr 14.0.0-beta 💥 STEP TO REPRODUCE 1. First goto admin account and add user B as normal user .\ Now give user B...
Improper Access Control in codingtrain/website
✍️ Description Google Maps API key without proper referer restrictions is found in your repo. It can be embeded to anyone's website and if the billing account is active, it will incur charges on your account. 🕵️♂️ Proof of Concept Visit this link to verify that you can use the service by visiting...
Improper Access Control in kenzo-404/lynx-userbot
✍️ Description Google Maps API key without proper referer restrictions is found in your repo. It can be embeded to anyone's website and if the billing account is active, it will incur charges on your account. 🕵️♂️ Proof of Concept Visit this link to verify that you can use the service by visiting...
SQL Injection in akshayp282/quizx
✍️ Description Course deletion on the teacher portal is vulnerable to SQL injection. This will allow a user to run arbitrary SQL queries and completely erase, export or change all information in the database - potentially rendering the entire platform unusable. 🕵️♂️ Proof of Concept - Log in to...
Improper Privilege Management in dolibarr/dolibarr
💥 BUG unprivileged user can edit/share linked file of a project . 💥 VIDEO https://drive.google.com/file/d/1YaiG0vjFTuqZRck7dMLqkhT7HSZqaEdu/view?usp=sharing 💥 STEP TO REPRODUCE 1. From admin account add user B as normal user .\ now give user B bellow permission for project module.\ ----Read...
OS Command Injection in falconchristmas/fpp
✍️ Description In https://github.com/FalconChristmas/fpp/blob/123cdf2eb11062766da333a7a4d85bc0bf620e47/www/runEventScript.phpL32 a command is built using unsanitized user input : php \n"; echo "\n"; system$SUDO . " $fppDir/scripts/eventScript $scriptDirectory/$script $args"; // scripts and args ar...
Improper Privilege Management in chatwoot/chatwoot
✍️ Description Privilege escalation bug to add slack integration by a agent 🕵️♂️ Proof of Concept 1. First goto https://app.chatwoot.com/app/accounts/4534/settings/agents/list from admin account and add a user B as agent . Now here user B cant add slack integration 2. Finally from user B account...
Cross-site Scripting (XSS) - Generic in bigprof-software/online-invoicing-system
✍️ Description A cross-site scripting XSS allows remote attackers to inject JavaScript via the "p0-end" Parameter 🕵️♂️ Proof of Concept You can find installation instructions here: https://bigprof.com/appgini/applications/online-invoicing-system Vulnerable Parameter: p0-end p1-end & p2-end end XSS...
Cross-site Scripting (XSS) - Generic in forkcms/forkcms
✍️ Description A cross-site scripting XSS issue in the Fork version 5.9.3 allows remote attackers to inject JavaScript via the "publishondate" Parameter 🕵️♂️ Proof of Concept Vulnerable parameter: publishondate XSS payload: '"%26%25alert1 Steps to reproduce issue 1- Login to Fork admin panel 2-...
Cross-site Scripting (XSS) - Stored in forkcms/forkcms
✍️ Description A cross-site scripting XSS issue in the Fork version 5.9.3 allows remote attackers to inject JavaScript via the "startdate" Parameter 🕵️♂️ Proof of Concept XSS payload: '"%26%25alert1 Steps to reproduce issue 1- Login to Fork admin panel 2- Goto Modules=Formbuilder 3- Turn on Burp...
Cross-site Scripting (XSS) - Generic in forkcms/forkcms
✍️ Description A cross-site scripting XSS issue in the Fork version 5.9.3 allows remote attackers to inject JavaScript via the "enddate" Parameter 🕵️♂️ Proof of Concept XSS payload: '"%26%25alert1 Steps to reproduce issue 1- Login to Fork admin panel 2- Goto Modules=Formbuilder 3- Turn on Burp...
Open Redirect in forkcms/forkcms
✍️ Description Open redirect is a security flaw in an app or a web page that causes it to fail to properly authenticate URLs. When apps and web pages have requests for URLs, they are supposed to verify that those URLs are part of the intended page’s domain. Open redirect is a failure in that...
Code Injection in antoinestudio/dok
✍️ Description Dok is a documentation tool/system that converts an architecture of folders and files into a static website that anyone can explore. It can be seen as a personal assistant, it invites you to write, organize and then publish your personal knowledge online. , which is vulnerable to...
Code Injection in vitessio/arewefastyet
:book: Description arewefastyet Nightly Benchmarks Project, this package is vulnerable for arbitaryCodeexecution https://github.com/cmason3/jinjafx :recycle: Steps To Reproduce-: 0 git clone http://github.com/vitessio/arewefastyet 1 run as in poc.png :telescope: POC 💥 Impact Arbitary code executi...
Prototype Pollution in fedeghe/objwun
Description objwun is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: javascript // poc.js const set = require'objwun' console.log'Before: ' + .polluted set, 'proto.polluted', true console.log'After: ' + .polluted 2. Execute the following commands in the...
Prototype Pollution in xiaoyifan6/json-glat
Description json-glat is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: // poc.js var jsonGlat = require"json-glat" console.log"Before : " + .polluted; jsonGlat.parse'proto.polluted': 'Yes! Its Polluted'; console.log"After : " + .polluted; 2. Execute the...
Prototype Pollution in rodrigocmoreira/sgt-fields
Description sgt-fields is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: // poc.js var sgtFields = require"sgt-fields" var obj = console.log"Before : " + .polluted; sgtFields.setobj,"proto.polluted","Yes! Its Polluted"; console.log"After : " + .polluted; 2...
Code Injection in svaarala/duktape
Description Arbitrary Code Excecution in svaarala/duktape/tools/genconfig.py. Duktape - embeddable Javascript engine with a focus on portability and compact footprint. Genconfig is a Process Duktape option metadata and produce various useful outputs. Technical Description This package was...
Cross-site Scripting (XSS) - Generic in alibaba/bizcharts
Description bizcharts is vulnerable to Cross-Site Scripting XSS. Steps To Reproduce-: 1. Open NPM repo https://www.npmjs.com/package/bizcharts 2. Open the demo https://bizcharts.net/product/BizCharts4/gallery 3. Select any chartI used pie chart Ex: https://bizcharts.net/product/BizCharts4/demo/37...
Cross-site Scripting (XSS) - Generic in forkcms/forkcms
Description ForkCMS is an easy to use open source CMS using Symfony Components this package is vulnerable to Stored Cross-Site Scripting XSS. https://github.com/forkcms/forkcms Steps To Reproduce-: 1 install https://github.com/forkcms/forkcms locally or https://demo.fork-cms.com/private/ use demo...
Arbitrary File Write via Path Traversal in Malicious NLTK Downloader Index (nltk.downloader.Package.fromxml)
NLTK relies on the nltk.downloader.Downloader class to securely fetch corpora and models. It fetches an index.xml file to map package ids to payload URLs. A critical Arbitrary File Write vulnerability exists in nltk.downloader.Package.fromxml due to a lack of sanitization on the id field. When...
AI Gateway secret API accepts `$ENV_VAR` references and can be remotely abused to exfiltrate server-side environment credentials to an attacker-controlled upstream endpoint. And the leaked credentials can be further leveraged to break security boundaries.
Analyzed project versions: Current target branch: master Current HEAD: dc8ef3cbbefccf7384f4e3023492aae635c5d5d0 Fix 403 Forbidden for artifact list via query param when defaultpermission=NOPERMISSIONS 21220, commit date: 2026-03-04 The vulnerability is that AI Gateway secrets allow...
`trust_remote_code=False` Bypass in LightGlue Nested Config Resolution (Transformers 5.2.0) Leading to Remote Code Execution During Normal `from_pretrained()` Loading
Description Transformers contains a trust-boundary flaw in the LightGlue loading path. When loading a LightGlue model, LightGlueConfig reads trustremotecode from untrusted model config.json and reuses it for nested AutoConfig.frompretrained... resolution. This allows an attacker-controlled model...
Authentication Bypass via endswith() Health Check Exemption Allows Unauthenticated Access to Variables/Secrets in prefecthq/prefect
Description When PREFECTSERVERAPIAUTHSTRING is configured, Prefect Server's authentication middleware exempts any URL path ending with "health" or "ready" to allow health check probes. However, multiple API endpoints accept user-controlled string names as URL path parameters e.g.,...
Arbitrary File Read via Absolute Path Input in nltk.util.filestring() enabling Local & Remote File Disclosure
This report is not public...
Insecure Temporary File Handling Vulnerability in llama-index-core
Description The getcachedir function in llama-index-core uses a predictable, hardcoded directory path /tmp/llamaindex on Linux systems without proper security controls. This vulnerability allows attackers on multi-user systems to steal proprietary models, poison cached embeddings, or conduct...
Incorrect Access Control check results in authorization bypass
Description When setting the access control for users, an incorrect access check allows for the bypass of authorization, due to the incorrect use of .some Proof of Concept 1. This is for a scenario, where I admin have created a custom agent and want everyone on the platform to use it, without bei...
Improper Access Control in Socket.IO Event Handlers Allows Unauthenticated Execution of Sensitive Actions
1. Summary Vulnerability: Unauthenticated Access to Sensitive Socket.IO Events Affected Component: lollmsgenerationevents.py in the lollms server Root Cause: Sensitive actions exposed via Socket.IO events lack authentication and authorization checks, and the application relies on insecure global...
Regular Expression Denial of Service (ReDoS) in AdamWeightDecay Optimizer
The AdamWeightDecay optimizer is vulnerable to Regular Expression Denial of Service ReDoS. If an attacker can control the patterns in the includeinweightdecay or excludefromweightdecay lists, they can provide a malicious regular expression that causes catastrophic backtracking. When the optimizer...
Regular expression Denial of Service - ReDoS
Description A regular expression denial of service ReDoS vulnerability has been identified in the Hugging Face Transformers library's CLVP number normalizer. The vulnerability exists in the normalizenumbers method of the EnglishNormalizer class, which converts numeric strings to their English wor...
Mysql Jdbc Attck about CVE-2024-45758 and CVE-2024-10553 Bypass
Summary Attackers can exploit this vulnerability to read any system file and even execute arbitrary code through deserialization Details https://github.com/h2oai/h2o-3/commit/ac1d642b4d86f10a02d75974055baf2a4b2025ac Affected Version: The latest master branch Build project version: 3.47.0.99999...
Arbitary file read through path traversal
Description: The code in genericutils.py has a path traversal vulnerability, which allows an attacker to control the file path provided to the ImageDocument class. This can lead to the reading of arbitrary files on the server, including sensitive system files, through base64 encoding and decoding...
Using Mermaid to cause JS memory overflow and service downtime
Description Librechat has many means of limiting the rate, which can be found at https://www.librechat.ai/docs/configuration/librechatyaml/objectstructure/configratelimits. However, it can be found that the Fork Function in /api/convos/fork is not restricted, which allows attackers to fork...
Timing attacks to guess password in lollms_authentication.py
Description The authenticateuser function in /server/endpoints/lollmsauthentication.py is vulnerable to timing attacks that can be exploited to: Enumerate valid usernames. Guess passwords incrementally by analyzing response time differences. Explanation of the vulnerability def...
Uncontrolled Memory Consumption in `SimpleDirectoryReader` Due to Post-Limit File Processing
Description Summary: The SimpleDirectoryReader component in llamaindex.core contains a resource management flaw where user-specified file limits numfileslimit are applied after fully enumerating and loading all discovered files into memory. This design causes uncontrolled memory consumption and...
Logging into webui as view only internal user provides overly privileged bearer key
Description When an user with the role "internaluserviewer" logs into the application they are provided with an overly privileged API key. This key can be used to access all the admin functionality of the application. The following steps are taken: An admin creates an Internal User with the role...
RCE via Global State Override
This exploit effectively serves as a bypass for CVE-2024-3408. An attacker can override global state to enable custom filters, which then facilitates remote code execution RCE. Specifically, this vulnerability leverages the ability to manipulate global application settings to activate the...
A malicious gguf model can lead to DoS due to unchecked array bound access via network
This report is not public...
CSRF ON SIGNUP PAGE
CSRF ON CREATING A NEW USER in mlflow/mlflow Reported on Oct 31st 2024 The Signup feature of Mlflow is vulnerable to CSRF attack that allow attacker to create a new account. This may be used to perform unauthorised actions on behalf of the malcious user . Proof of Concept : An attacker can use CS...
XSS by uploading pdf file
This report is not public...
2 FPE in MP4Box
Description 2 FPE in MP4Box Version $ ./MP4Box -version MP4Box - GPAC version 2.3-DEV-rev566-g50c2ab06f-master Platform $ uname -a Linux user-GE40-2PC-Dragon-Eyes 6.2.0-33-generic 3322.04.1-Ubuntu SMP PREEMPTDYNAMIC Thu Sep 7 10:33:52 UTC 2 x8664 x8664 x8664 GNU/Linux Reproduce ./MP4Box -dash 100...
Add arbitrary users to the user group
Description Add arbitrary users to the user group Proof of Concept 1 .Administrator user haido456 creates a user group name : group456 2 .User hai123 has general user rights but has the right to add arbitrary users to the user group: group456 3 .This includes users that the admin does not want...
Store DOM XSS when create survey
Description I noticed, your website is very secure. But you overlooked a flaw Store DOM XSS . Proof of Concept Detail: 1 .Login vs admin demo account 2 .Create new survey , insert payload in to Survey title: test" onclick = "alertdocument.domain" 3 . Click create == detect Store DOM XSS Video Poc...
BrowserView Allows Popups, which leads to Remote Code Execution
Description The Application has a functionality that allows users to add URLs for custom Webservices. If a user adds a URL containing malicious code, then it can be used to open a new Browser Window, which will lead to Remote Code Execution on the victims computer. Proof of Concept ATTACKER SETUP...
Self XSS in "Content Types / Add Content Type"
Description Add payload to field System name: Proof of Concept https://drive.google.com/file/d/1xJ24a3HveP4dpKXF5zmtsNIa2-wweoA/view?usp=sharing...
stored XSS Bypass in the TAGS Section and other places in the application
Hello, I was able to bypass the XSS Protection and get a stored XSS using the XSS Payload in the Video and Screenshots. Thank you for your time and effort. Best regards Ahmed Hassan...
Potential XSS injection in stuff and say attributes
Description The stuff and say attributes are not sanitized before being used in innerHTML. Because of this, they could be used to inject arbitrary JS in the page. Proof of Concept html obfumatic XSS "Fallback text...