Lucene search
K
OsvMost viewed

909636 matches found

OSV
OSV
•added 2021/06/21 8:15 p.m.•118 views

CVE-2020-27511

An issue was discovered in the stripTags and unescapeHTML components in Prototype 1.7.3 where an attacker can cause a Regular Expression Denial of Service ReDOS through stripping crafted HTML tags...

7.5CVSS6.6AI score0.02455EPSS
Exploits1References3
OSV
OSV
•added 2026/05/19 3:40 p.m.•117 views

GHSA-XMPW-2VMM-P4P6 Malicious code in guardrails-ai 0.10.1 (supply chain compromise)

Impact On May 11, 2026 at approximately 6:00 PM Pacific, an attacker published a malicious version of guardrails-ai 0.10.1 to PyPI. Affected: any user who installed guardrails-ai==0.10.1 from PyPI on May 11, 2026. Security researchers identified the malicious package within approximately 2 hours ...

9.6CVSS5.8AI score0.00276EPSS
Exploits0References6
OSV
OSV
•added 2024/12/20 12:8 p.m.•117 views

CGA-3P7C-2H7X-XXJX

Bulletin has no description...

5.3CVSS6.2AI score0.00856EPSS
Exploits0
OSV
OSV
•added 2024/09/30 8:53 a.m.•117 views

BIT-GITLAB-2024-8974 Incorrect Provision of Specified Functionality in GitLab

Information disclosure in Gitlab EE/CE affecting all versions from 15.6 prior to 17.2.8, 17.3 prior to 17.3.4, and 17.4 prior to 17.4.1 in specific conditions it was possible to disclose to an unauthorised user the path of a private project."...

4.3CVSS4AI score0.00276EPSS
Exploits0References2
OSV
OSV
•added 2023/06/26 9:30 p.m.•117 views

GHSA-257Q-PV89-V3XV Duplicate Advisory: jQuery Cross Site Scripting vulnerability

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-jpcq-cgw6-v4j6. This link is maintained to preserve external references. Original Description Cross Site Scripting vulnerability in jQuery v.2.2.0 until v.3.5.0 allows a remote attacker to execute arbitrary code...

6.1CVSS6.6AI score
Exploits5References12
OSV
OSV
•added 2022/07/15 11:30 p.m.•117 views

GO-2022-0493 Incorrect privilege reporting in syscall and golang.org/x/sys/unix

When called with a non-zero flags parameter, the Faccessat function can incorrectly report that a file is accessible...

5.3CVSS8.6AI score0.02593EPSS
Exploits1References4
OSV
OSV
•added 2018/10/17 6:28 p.m.•117 views

GHSA-6FVX-R7HX-3VH6 JavaMelody has XXE via parseSoapMethodName in bull/javamelody/PayloadNameRequestWrapper.java.

JavaMelody before 1.74.0 has XXE via parseSoapMethodName in bull/javamelody/PayloadNameRequestWrapper.java...

9.8CVSS9.5AI score0.27873EPSS
Exploits0References7
OSV
OSV
•added 2025/10/09 6:5 a.m.•116 views

BELL-CVE-2025-61984

Bulletin has no description...

3.6CVSS7AI score0.00211EPSS
Exploits2References1
OSV
OSV
•added 2025/07/16 8:19 a.m.•116 views

BIT-MYSQL-CLIENT-2025-30722

Vulnerability in the MySQL Client product of Oracle MySQL component: Client: mysqldump. Supported versions that are affected are 8.0.0-8.0.41, 8.4.0-8.4.4 and 9.0.0-9.2.0. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise...

6.8CVSS5.1AI score0.00431EPSS
Exploits0References4
OSV
OSV
•added 2024/02/01 4:10 p.m.•116 views

CVE-2024-24752 Bref Uploaded Files Not Deleted in Event-Driven Functions

Bref enable serverless PHP on AWS Lambda. When Bref is used with the Event-Driven Function runtime and the handler is a RequestHandlerInterface, then the Lambda event is converted to a PSR7 object. During the conversion process, if the request is a MultiPart, each part is parsed and for each whic...

6.5CVSS6.4AI score0.0075EPSS
Exploits1References4
OSV
OSV
•added 2024/02/01 4:9 p.m.•116 views

CVE-2024-24753 Bref Multiple Value Headers Not Supported in ApiGatewayFormatV2

Bref enable serverless PHP on AWS Lambda. When Bref is used in combination with an API Gateway with the v2 format, it does not handle multiple values headers. If PHP generates a response with two headers having the same key but different values only the latest one is kept. If an application relie...

4.8CVSS6.5AI score0.00426EPSS
Exploits1References4
OSV
OSV
•added 2023/03/03 9:30 p.m.•116 views

GHSA-VPVM-3WQ2-2WVM Opencontainers runc Incorrect Authorization vulnerability

runc 1.0.0-rc95 through 1.1.4 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfslinux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. NOTE: this issue...

7CVSS6.9AI score0.00448EPSS
Exploits1References19
OSV
OSV
•added 2022/05/14 3:48 a.m.•116 views

GHSA-WR5J-Q359-6VR2 backup-agoddard and backup_checksum have Information Exposure vulnerability

1 lib/backup/cli/utility.rb in the backup-agoddard gem 3.0.28 and 2 lib/backup/cli/utility.rb in the backupchecksum gem 3.0.23 for Ruby place credentials on the openssl command line, which allows local users to obtain sensitive information by listing the process...

7.8CVSS7.4AI score0.00512EPSS
Exploits1References7
OSV
OSV
•added 2022/05/02 12:0 a.m.•116 views

DSA-5127-1 linux - security update

Bulletin has no description...

7.8CVSS7.8AI score0.05524EPSS
Exploits20
OSV
OSV
•added 2022/04/11 9:30 p.m.•116 views

GHSA-XXX9-3XCR-GJJ3 XML Injection in Xerces Java affects Nokogiri

Summary Nokogiri v1.13.4 updates the vendored xerces:xercesImpl from 2.12.0 to 2.12.2, which addresses CVE-2022-23437. That CVE is scored as CVSS 6.5 "Medium" on the NVD record. Please note that this advisory only applies to the JRuby implementation of Nokogiri = v1.13.4. Impact CVE-2022-23437 in...

6.5CVSS7.2AI score0.0444EPSS
Exploits0References6
OSV
OSV
•added 2020/06/05 7:37 p.m.•116 views

GHSA-V73W-R9XG-7CR9 Use of insecure jQuery version in OctoberCMS

Impact Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods i.e. .html, .append, and others may execute untrusted code. Patches Issue has been patched in Build 466 v1.0.466 by applying the recommended patch from @jquery. Workarounds Apply...

7.3AI score
Exploits0References4
OSV
OSV
•added 2025/02/01 7:29 a.m.•115 views

BIT-GITLAB-2023-6195 Server-Side Request Forgery (SSRF) in GitLab

An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.5 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. GitLab was vulnerable to Server Side Request Forgery when an attacker uses a malicious URL in the markdown image...

4.3CVSS3.6AI score0.00307EPSS
Exploits1References3
OSV
OSV
•added 2024/08/10 7:18 a.m.•115 views

BIT-GITLAB-2024-7610 Uncontrolled Resource Consumption in GitLab

A Denial of Service DoS condition has been discovered in GitLab CE/EE affecting all versions starting with 15.9 before 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2. It is possible for an attacker to cause catastrophic backtracking while parsing results from Elasticsearch...

6.5CVSS5AI score0.00448EPSS
Exploits0References2
OSV
OSV
•added 2022/12/25 5:15 a.m.•115 views

CVE-2022-44640

Heimdal before 7.7.1 allows remote attackers to execute arbitrary code because of an invalid free in the ASN.1 codec used by the Key Distribution Center KDC...

9.8CVSS7.2AI score
Exploits0References3
OSV
OSV
•added 2022/06/24 9:15 p.m.•115 views

PYSEC-2022-217

The cryptoasset-data-downloader package in PyPI v1.0.0 to v1.0.1 was discovered to contain a code execution backdoor via the request package. This vulnerability allows attackers to access sensitive user information and digital currency keys, as well as escalate privileges...

9.8CVSS6.7AI score0.01857EPSS
Exploits1References3
OSV
OSV
•added 2022/05/24 5:30 p.m.•115 views

GHSA-GWFG-CQMG-CF8F WEBRick vulnerable to HTTP Request/Response Smuggling

An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy which also has a po...

7.5CVSS7.8AI score0.03849EPSS
Exploits0References16
OSV
OSV
•added 2022/05/03 12:0 a.m.•115 views

GHSA-M2H2-264F-F486 angular vulnerable to regular expression denial of service (ReDoS)

AngularJS lets users write client-side web applications. The package angular after 1.7.0 is vulnerable to Regular Expression Denial of Service ReDoS by providing a custom locale rule that makes it possible to assign the parameter in posPre: ' '.repeat of NUMBERFORMATS.PATTERNS1.posPre with a very...

5.3CVSS7.2AI score0.04658EPSS
Exploits1References13
OSV
OSV
•added 2022/03/28 8:28 p.m.•115 views

GHSA-C3H9-896R-86JM Improper Input Validation in GoGo Protobuf

An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue...

8.6CVSS8.5AI score0.03478EPSS
Exploits0References10
OSV
OSV
•added 2021/12/17 8:15 p.m.•115 views

PYSEC-2021-857

Buffer overflow in the arrayfrompyobj function of fortranobject.c in NumPy 1.19, which allows attackers to conduct a Denial of Service attacks by carefully constructing an array with negative values...

5.5CVSS6.2AI score0.00368EPSS
Exploits1References2
OSV
OSV
•added 2021/10/22 4:20 p.m.•115 views

GHSA-H58V-G3Q6-Q9FX Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in sulu/sulu

Impact What kind of vulnerability is it? Who is impacted? It is an issue when input HTML into the Tag name. The HTML is execute when the tag name is listed in the auto complete form. Only admin users are affected and only admin users can create tags. Patches Has the problem been patched? What...

6.2CVSS5.7AI score0.00572EPSS
Exploits0References4
OSV
OSV
•added 2022/06/03 12:0 a.m.•114 views

GHSA-52VJ-MR2J-F8JH Server-Side Template Injection in formio

A Server-Side Template Injection SSTI was discovered in Form.io 2.0.0. This leads to Remote Code Execution during deletion of the default Email template URL. NOTE: the email templating service was removed after 2020. Additionally, the vendor disputes this issue indicating this is sandboxed and on...

9.8CVSS9.8AI score0.02177EPSS
Exploits0References3
OSV
OSV
•added 2021/12/16 12:0 a.m.•114 views

DSA-5022-1 apache-log4j2 - security update

Bulletin has no description...

9CVSS8.8AI score0.99977EPSS
Exploits40
OSV
OSV
•added 2021/05/01 12:0 p.m.•114 views

RUSTSEC-2021-0056 CA certificate check bypass with X509_V_FLAG_X509_STRICT

The X509VFLAGX509STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an...

7.4CVSS7.5AI score0.18339EPSS
Exploits1References3
OSV
OSV
•added 2021/03/25 9:26 p.m.•114 views

GHSA-8Q59-Q68H-6HV4 Improper Input Validation in PyYAML

A vulnerability was discovered in the PyYAML library in versions before 5.4, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the fullload method or with the FullLoader loader. Applications that use the library to process untrusted input may be...

9.8CVSS8.1AI score0.05984EPSS
Exploits1References12
OSV
OSV
•added 2013/02/17 12:0 a.m.•114 views

DSA-2627-1 nginx - information leak

Bulletin has no description...

2.6CVSS5.9AI score0.04266EPSS
Exploits2
OSV
OSV
•added 2025/02/07 7:16 a.m.•113 views

BIT-GITLAB-2024-6356 Incorrect User Management in GitLab

An issue was discovered in GitLab EE affecting all versions starting from 16.0 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2, which allowed cross project access for Security policy bot...

4.4CVSS4.6AI score0.00187EPSS
Exploits1References3
OSV
OSV
•added 2024/03/07 9:30 p.m.•113 views

GHSA-RJ98-CRF4-G69W pgAdmin 4 vulnerable to Unsafe Deserialization and Remote Code Execution by an Authenticated user

pgAdmin prior to version 8.4 is affected by a path-traversal vulnerability while deserializing users’ sessions in the session handling code. If the server is running on Windows, an unauthenticated attacker can load and deserialize remote pickle objects and gain code execution. If the server is...

9.9CVSS9.6AI score0.79326EPSS
Exploits4References6
OSV
OSV
•added 2022/05/26 6:15 p.m.•113 views

CVE-2022-26691

A logic issue was addressed with improved state management. This issue is fixed in Security Update 2022-003 Catalina, macOS Monterey 12.3, macOS Big Sur 11.6.5. An application may be able to gain elevated privileges...

6.7CVSS3.2AI score
Exploits0References9
OSV
OSV
•added 2022/02/18 9:55 p.m.•113 views

GSD-2022-1000204 PCI: pciehp: Fix infinite loop in IRQ handler upon power fault

PCI: pciehp: Fix infinite loop in IRQ handler upon power fault This is an automated ID intended to aid in discovery of potential security vulnerabilities. The actual impact and attack plausibility have not yet been proven. This ID is fixed in Linux Kernel version v5.10.97 by commit...

7.2AI score
Exploits0
OSV
OSV
•added 2021/04/22 4:15 p.m.•113 views

GHSA-64X2-GQ24-75PV Cross-site scripting in Apache CXF

By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting XSS attack via the styleSheetPath, which allows a malicious actor to inject javascript into the web page. This...

6.1CVSS6.3AI score0.42993EPSS
Exploits0References16
OSV
OSV
•added 2024/11/28 12:0 a.m.•112 views

DLA-3973-1 redis - security update

Bulletin has no description...

6.5CVSS6.5AI score0.33269EPSS
Exploits0
OSV
OSV
•added 2024/04/03 9:12 p.m.•112 views

GO-2024-2687 HTTP/2 CONTINUATION flood in net/http

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no...

7.5CVSS8.1AI score0.91969EPSS
Exploits1References3
OSV
OSV
•added 2024/03/06 10:56 a.m.•112 views

BIT-APACHE-2020-35452 mod_auth_digest possible stack overflow by one nul byte

Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Digest nonce can cause a stack overflow in modauthdigest. There is no report of this overflow being exploitable, nor the Apache HTTP Server team could create one, though some particular compiler and/or compilation option might make i...

7.3CVSS8.1AI score0.53191EPSS
Exploits0References13
OSV
OSV
•added 2024/02/09 12:11 a.m.•112 views

CVE-2024-24819 icingaweb2-module-incubator base implementation for HTML forms is susceptible to CSRF

icingaweb2-module-incubator is a working project of bleeding edge Icinga Web 2 libraries. In affected versions the class gipfl\Web\Form is the base for various concrete form implementations 1 and provides protection against cross site request forgery CSRF by default. This is done by automatically...

5.3CVSS8.2AI score0.0026EPSS
Exploits0References5
OSV
OSV
•added 2022/06/20 8:16 p.m.•112 views

MAL-2022-2944 Malicious code in extraneous-detected (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 5c37443660cc0f4d7112c362734a5370d76c45d1444f9ae76efbac3b4bbed71e Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

7AI score
Exploits0References1
OSV
OSV
•added 2022/01/06 6:31 p.m.•112 views

GHSA-3QPM-H9CH-PX3C Remote code injection, Improper Input Validation and Uncontrolled Recursion in Log4j library

Summary The version used of Log4j, the library used for logging by PowerNukkit, is subject to a remote code execution vulnerability via the ldap JNDI parser. It's well detailed at CVE-2021-44228 and CVE-2021-45105https://github.com/advisories/GHSA-p6xc-xr62-6r2g. Impact Malicious client code coul...

10CVSS9.3AI score
Exploits0References2
OSV
OSV
•added 2018/03/08 9:29 p.m.•112 views

CVE-2018-7889

gui2/viewer/bookmarkmanager.py in Calibre 3.18 calls cPickle.load on imported bookmark data, which allows remote attackers to execute arbitrary code via a crafted .pickle file, as demonstrated by Python code that contains an os.system call...

7.8CVSS8.1AI score
Exploits0References2
OSV
OSV
•added 2025/04/18 9:15 p.m.•111 views

CVE-2025-43903

NSSCryptoSignBackend.cc in Poppler before 25.04.0 does not verify the adbe.pkcs7.sha1 signatures on documents, resulting in potential signature forgeries...

3.3CVSS6.8AI score
Exploits0References1
OSV
OSV
•added 2025/03/01 12:0 a.m.•111 views

PUB-A-364794723

In ProtocolUnsolOnSSAdapter::GetServiceClass of protocolcalladapter.cpp, there is a possible out-of-bounds read due to a missing bounds check. This could lead to local information disclosure with baseband firmware compromise required. User Interaction is not needed for exploitation...

5.1CVSS6.1AI score0.00078EPSS
Exploits0References1
OSV
OSV
•added 2023/04/24 10:34 p.m.•111 views

GHSA-6M9F-PJ6W-W87G Rancher Webhook is misconfigured during upgrade process

Impact A failure in the update logic of Rancher's admission Webhook may lead to the misconfiguration of the Webhook. This component enforces validation rules and security checks before resources are admitted into the Kubernetes cluster. When the Webhook is operating in a degraded state, it no...

9.9CVSS9.4AI score0.00779EPSS
Exploits0References5
OSV
OSV
•added 2024/08/01 12:0 a.m.•110 views

ASB-A-343727534

In dstnegativeadvice of sock.h, there is a possible failure to clear sk-skdstcache in the correct order resulting in a use after free. This could lead to remote code execution with System execution privileges needed. User interaction is not needed for exploitation...

7.8CVSS9AI score0.02701EPSS
Exploits1References12
OSV
OSV
•added 2024/01/31 10:33 p.m.•110 views

CVE-2024-24573 facileManager Privilege Escalation via Mass Assignment

facileManager is a modular suite of web apps built with the sysadmin in mind. In versions 4.5.0 and earlier, when a user updates their profile, a POST request containing user information is sent to the endpoint server/fm-modules/facileManager/ajax/processPost.php. It was found that non-admins can...

8.8CVSS8.4AI score0.00817EPSS
Exploits1References4
OSV
OSV
•added 2025/01/10 7:17 p.m.•109 views

BIT-GITLAB-2024-6324 Inefficient Algorithmic Complexity in GitLab

An issue was discovered in GitLab CE/EE affecting all versions starting from 15.7 prior to 17.5.5, starting from 17.6 prior to 17.6.3, and starting from 17.7 prior to 17.7.1. It was possible to trigger a DoS by creating cyclic references between epics...

4.3CVSS4.3AI score0.00692EPSS
Exploits1References4
OSV
OSV
•added 2024/11/16 7:11 a.m.•109 views

BIT-GITLAB-2024-8180 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab

An issue has been discovered in GitLab CE/EE affecting all versions from 17.3 before 17.3.7, 17.4 before 17.4.4, and 17.5 before 17.5.2. Improper output encoding could lead to XSS if CSP is not enabled...

5.4CVSS5.3AI score0.0035EPSS
Exploits0References4
OSV
OSV
•added 2022/09/29 2:12 p.m.•109 views

GHSA-36JR-MH4H-2G58 d3-color vulnerable to ReDoS

The d3-color module provides representations for various color spaces in the browser. Versions prior to 3.1.0 are vulnerable to a Regular expression Denial of Service. This issue has been patched in version 3.1.0. There are no known workarounds...

7AI score
Exploits0References4
Total number of security vulnerabilities5000