4072 matches found
in polonel/trudesk
✍️ Description trudesk is vulnerable to arbitrary file upload. The app is allowing upload files, such as text/html. Consequently, It is possible to exploit XSS. 🕵️♂️ Proof of Concept 1. Create a ticket. 2. Access the ticket created and upload an HTML file which contains . 3. Access the HTML file...
Cross-site Scripting (XSS) - Stored in polonel/trudesk
✍️ Description trudesk is vulnerable to XSS via chat. 🕵️♂️ Proof of Concept 1. Send a message with the content . PoC video 💥 Impact JavaScript code execution...
Cross-site Scripting (XSS) - Reflected in falconchristmas/fpp
✍️ Description Reflected XSS in playlists.php when a user asked to add a note in Sequence Entry, resulting in XSS. 🕵️♂️ Proof of Concept https://drive.google.com/file/d/1uU9IxbH3A45V8BSgtFOBrc5Gwj7S7k56/view?usp=sharing 💥 Impact This vulnerability is capable of doing Reflected XSS...
Stack-based Buffer Overflow in falconchristmas/fpp
✍️ Description Hi, there is a stack based buffer overflow in https://github.com/FalconChristmas/fpp/blob/f4a1621c8be15a41305269830b700a2b5443aa0f/src/command.cL131 : When ./fpp is running it can send commands to ./fppd, a daemon that runs a main loop and listen for incoming socket connections : In...
Cross-site Scripting (XSS) - Reflected in falconchristmas/fpp
✍️ Description Hi, few days ago I reported this vulnerability : https://huntr.dev/bounties/8-other-FalconChristmas/fpp/ There were 2 XSS vectors in https://github.com/FalconChristmas/fpp/blob/f032d800a67ed280f8d577d95519a71c95114579/www/runEventScript.phpL41 : php \n"; // 1 // else ? ERROR: Unknow...
OS Command Injection in falconchristmas/fpp
✍️ Description Hi, a command is built without filtering user input in https://github.com/FalconChristmas/fpp/blob/cc026bd238b641ad147a3f8e1df47052e34f16d3/www/copyFilesToRemote.phpL50 php $ip = $GET'ip'; // $command = "rsync -rtDlv --modify-window=1 $compress --stats $fppHome/media/$dir/...
Improper Privilege Management in dolibarr/dolibarr
💥 BUG unprivileged user can attach agenda with leave. 💥 IMPACT user who dont have any access in leave can add agenda to this leave 💥 TESTED VERSION dolibarr 14.0.0-beta 💥 STEP TO REPRODUCE 1. First goto admin account and add user B as normal user .\ Now give user B bellow permission for Agenda...
Improper Privilege Management in dolibarr/dolibarr
💥 BUG unprivileged user can see task associated with a project 💥 IMPACT user dont have access to specific project but still can see task attached to this project . 💥 TESTED VERSION dolibarr 14.0.0-beta 💥 STEP TO REPRODUCE 1. First goto admin account and add user B as normal user .\ Now give user ...
Cross-site Scripting (XSS) - DOM in apexcharts/apexcharts.js
✍️ Description Last version of Apexcharts.js is vulnerable to Cross-Site Scripting XSS 🕵️♂️ Proof of Concept Simply try one of the examples provided in samples/vanilla-js/scatter/scatter-images.html in this way: javascript var options = series: name: 'Messenger', data: 16.4, 5.4, ..... , name:...
Cross-site Scripting (XSS) - Generic in utmsigep/member-directory
✍️ Description Non-administrative functions display success banners after multiple actions that reflect user-input directly without sanitization. 🕵️♂️ Proof of Concept Donation Creation and Update - Donations - New Donation - Enter XSS payloads into the fields Last Name, First Name and Receipt ID,...
in cythron/tweango
✍️ Description The Django secret key was hard coded in the Github repository which is vulnerable as https://huntr.dev/bounties/1-other-cythron/Tweango/ accordingly. Since the GitHub public API monitor every single git commit that is made, attacker can still find the key from commit lists. = It is...
Prototype Pollution in borderlesslabs/assign
Description @borderlesslabs/assign is vulnerable to Prototype Pollution. Proof of Concept 1. Create the following PoC file: // poc.js var a = require"@borderlesslabs/assign" const payload = JSON.parse'"proto":"polluted":"Yes! Its Polluted"'; var obj = console.log"Before : " + .polluted;...
Command Injection in totaljs/framework
Description Command Injection in total.js Proof of Concept 1. Create the following PoC file: // poc.js const total = require'total.js'; let image = Image.load""; let payload = ";touch HACKED;"; image.pipenull,payload; 2. Execute the following commands in terminal: npm i total.js Install affected...
Code Injection in mozilla/deepspeech
Description Arbitrary Code Excecution in mozilla/DeepSpeech.DeepSpeech is an open source embedded offline, on-device speech-to-text engine which can run in real time on devices ranging from a Raspberry Pi 4 to high power GPU servers. Technical Description This package was vulnerable to Arbitrary...
Cross-site Scripting (XSS) - Generic in dolibarr/dolibarr
Description dolibarr is a modern and easy to use web software to manage your business. The error page is vulnerable to self XSS because of lack of escaping on $SERVER'HTTPUSERAGENT' variable before printing it. The flaw is in the dolprinterror function in the htdocs/core/lib/functions.lib.php fil...
Arbitrary File Read via Percent-Encoded Path Traversal in nltk.data.find() / nltk.data.load() - Incomplete Fix of Issue #3504
This report is not public...
XSS via unsanitized `text/vnd.mermaid` output in nbconvert HTML export
This report is not public...
Uncontrolled Search Path in HunposTagger Allows Untrusted Local Binary Selection in nltk/nltk
This report is not public...
Session is not expiring after password resetting
This report is not public...
Path Traversal in Agent Flows via `uuid` (Arbitrary .json File Read/Delete)
Description : Summary I discovered a Path Traversal vulnerability in the AgentFlows component that allows reading and deleting arbitrary .json files on the server. The issue stems from the improper usage of path.join combined with normalizePath. The application resolves the file path using user...
Airflow externalLogUrl Permission Bypass
1. Summary The externalLogUrl endpoint in Airflow’s FastAPI enforces only the weaker Task Instance access permission TASKINSTANCE instead of the intended Task Logs permission TASKLOGS. As a result, low-privileged users who are not authorized to view task logs can still obtain external log access...
Unsafe Pickle Deserialization in apache-airflow-providers-http leading to RCE via HttpOperator
A High severity Unsafe Deserialization vulnerability exists in the airflow.providers.http package. The HttpOperator uses pickle.loads to deserialize untrusted data received from the Triggerer service via the database in the executecomplete method. This allows an attacker who has gained write acce...
Arbitrary File Read via FileSystemPathPointer + PlaintextCorpusReader (bypass even if nltk.data.find() is patched
This report is not public...
Authorization Bypass in MLflow Basic Auth (unprotected Flask/GraphQL routes)
This report is not public...
Insecure API Design: Able to Disable 2-Factor Authentication Without OTP or Backup Code
Description There is a minor issue in the 2-Factor Authentication 2FA flow. when a user tries to disable 2FA from the dashboard, the system should ask for a valid OTP or backup code and verify it through the following API: POST /api/auth/2fa/verify HTTP/1.1 Host: 127.0.0.1:3080 User-Agent:...
Bypass of Mysql Jdbc Attck for CVE-2025-6507
Credits Le1ahttps://github.com/Le1a A1kaidhttps://github.com/for-A1kaid ph0ebushttps://github.com/ph0ebus Description Attackers can exploit this vulnerability to read any system file and even execute arbitrary code through deserialization. The project manager fixed CVE-2025-6507 which I discovere...
Denial of Service via `Uncontrolled Recursive` JSON Parsing in `JSONReader`
Description The JSONReader in llamaindex is vulnerable to stack overflow when processing deeply nested JSON, leading to a RecursionError. Attackers can exploit this to trigger Denial of Service DoS by submitting malicious JSON, crashing applications before input validation. This impacts...
Hardlink-Based Path Traversal in ObsidianReader
Overview A vulnerability has been identified in the ObsidianReader class from llamaindex.readers.obsidian. This vulnerability allows an attacker to bypass the path restriction mechanism using hardlinks , enabling unauthorized access to sensitive system files such as /etc/passwd. Affected Componen...
XSS vulnerability exists in some specific browsers
Description The XSS vulnerability cannot be triggered in Chrome, but it is triggered when using Firefox and the latest version of Firefox. Since Firefox is widely used, when the administrator uses Firefox to view the relevant interface, the XSS vulnerability will be triggered, resulting in the...
MD5 Hash Collision Causes Overwriting of Papers with the Same Title, Leading to Data Loss
Description The ArxivReader class in LlamaIndex is responsible for searching for papers on ArXiv, downloading them, and processing them for AI model training. The workflow of ArxivReader is as follows: 1. The user searches for a specific topic on ArXiv, retrieving a list of relevant papers. impor...
SQL Injection in DuckDBVectorStore via delete can lead to RCE
Description The delete function in DuckDBVectorStore easily attacks SQL when the attack controls the refdocid parameter.This can help attackers read and write arbitrary files on the server and lead to rce. ddbquery = f""" DELETE FROM self.tablename WHERE jsonextractstringmetadata, '$.refdocid' =...
Remote Code Execution via Unsafe Torch Load in TransfoXLCorpus
Description This is a new bypass to the patch of my previous report, in which the maintainers only apply the "TRUSTREMOTECODE" to guard the vulnerable code of vocabdict = pickle.loadf, but overlooked another vulnerable code of corpusdict = torch.loadresolvedcorpusfile without setting...
Arbitrary file deletion on Windows via the '/v1/agent/hub/update' endpoint.
This report is not public...
multer(file upload middleware in express) misused, lead to remote code execution
Description Librechat use multer to handle multi-part file upload. multer library will deal with '../' kind of path traversal, then let the programmer decide the actual filename, then join the path to write the upload the file. this means, if '../' is provided by the user of librechat, multer wil...
IDOR Vulnerability in PATCH `/v1/runs/:id/score` Endpoint Allows Unauthorized Score Updates for Other Users’ Runs
Description An Insecure Direct Object Reference IDOR vulnerability exists in the PATCH /v1/runs/:id/score endpoint. This endpoint allows an attacker to update the score data of any run by manipulating the id parameter in the request URL, which corresponds to the runIdscore in the database. The...
Logs Debug Injection In File Download
Description In 2 API: /code/download/:sessionId/:fileId and /download/:userId/:fileid The parameters sessionId, fileId, userId, fileid are not validated or filtered at all but are saved directly to log.debug Proof of Concept Prepare: The logs file on the server is stored at /app/api/debug-.log I...
Admin user account takeover due to password reset code not being checked on the backend
This report is not public...
Allowing execution user provided regexp, lead to Redos
Description librechat have a functionality of uploading chatgpt chat log. when processing the log, following code is executed: const pattern = new RegExp \u3010$citation.metadata.extra.citedmessageidx\u2020.+?\u3011, 'g', ; const replacement = $citation.metadata.title; messageText =...
An user can view any others invite list
This report is not public...
SSRF via POST /v1/llm/add_llm and /v1/conversation/tts
This report is not public...
Denial of Service
This report is not public...
Web server DOS through run metrics
This report is not public...
Lack of access control on /users/me/org endpoint
Description The /users/me/org route is not adequately protected by access control mechanisms such as a middleware. This lack of authorization allows unauthorized users to access information about all team members in the current organization, even if the user does not have sufficient privileges. A...
XSS through document upload
This report is not public...
Denial of service through sshfs-client in tracking server
This report is not public...
Running user provided regular expression, lead to DOS
This report is not public...
7z slip lead to remote code execution
This report is not public...
rar slip lead to remote code execution
This report is not public...
Redos (Regular Expression Denial of Service)
This report is not public...
Missing check_access leads to directory deletion
This report is not public...