Lucene search
K
OsvMost viewed

909148 matches found

OSV
OSV
•added 2023/01/17 10:17 p.m.•82 views

CVE-2022-23521 gitattributes parsing integer overflow in git

Git is distributed revision control system. gitattributes are a mechanism to allow defining attributes for paths. These attributes can be defined by adding a .gitattributes file to the repository, which contains a set of file patterns and the attributes that should be set for paths matching this...

9.8CVSS8.9AI score0.56334EPSS
Exploits0References5
OSV
OSV
•added 2022/06/02 3:37 p.m.•82 views

GHSA-HJ9C-8JMM-8C52 Packing does not respect root-level ignore files in workspaces

Impact npm pack ignores root-level .gitignore & .npmignore file exclusion directives when run in a workspace or with a workspace flag ie. --workspaces, --workspace=. Anyone who has run npm pack or npm publish with workspaces, as of v7.9.0 & v7.13.0 respectively, may be affected and have published...

7.5CVSS8AI score0.03465EPSS
Exploits0References12
OSV
OSV
•added 2022/05/24 5:35 p.m.•82 views

GHSA-F8FH-XP28-Q59M OpenStack Horizon Open redirect in workflow forms

An issue was discovered in OpenStack Horizon before 15.3.2, 16.x before 16.2.1, 17.x and 18.x before 18.3.3, 18.4.x, and 18.5.x. There is a lack of validation of the "next" parameter, which would allow someone to supply a malicious URL in Horizon that can cause an automatic redirect to the provid...

6.1CVSS6.1AI score0.014EPSS
Exploits1References13
OSV
OSV
•added 2022/01/28 12:0 a.m.•82 views

CVE-2022-0392 Heap-based Buffer Overflow in vim/vim

Heap-based Buffer Overflow in GitHub repository vim prior to 8.2...

6.1CVSS7.3AI score0.01514EPSS
Exploits1References12
OSV
OSV
•added 2021/11/19 8:14 p.m.•82 views

GHSA-XX4C-JJ58-R7X6 Inefficient Regular Expression Complexity in Validator.js

Impact Versions of validator prior to 13.7.0 are affected by an inefficient Regular Expression complexity when using the rtrim and trim sanitizers. Patches The problem has been patched in validator 13.7.0...

5.3CVSS8.3AI score0.01666EPSS
Exploits1References6
OSV
OSV
•added 2021/11/08 6:7 p.m.•82 views

GHSA-QM7X-RC44-RRQW Cross-site Scripting Vulnerability in GraphQL Playground (distributed by Apollo Server)

Impact In certain configurations, Apollo Server serves the client-side web app "GraphQL Playground" from the same web server that executes GraphQL operations. This web app has access to cookies and other credentials associated with the web server's operations. There is a cross-site scripting...

6.3AI score
Exploits0References2
OSV
OSV
•added 2021/06/21 5:16 p.m.•82 views

GHSA-RGX6-RJJ4-C388 ckeditor4 vulnerable to cross-site scripting

A cross-site scripting XSS vulnerability in the HTML Data Processor in CKEditor 4 4.14.0 through 4.16.x before 4.16.1 allows remote attackers to inject executable JavaScript code through a crafted comment because --! is mishandled...

6.1CVSS5.8AI score0.03189EPSS
Exploits0References11
OSV
OSV
•added 2021/05/18 9:8 p.m.•82 views

GHSA-W73W-5M7G-F7QC Authorization bypass in github.com/dgrijalva/jwt-go

jwt-go allows attackers to bypass intended access restrictions in situations with string for m"aud" which is allowed by the specification. Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience...

7.5CVSS7.4AI score0.02158EPSS
Exploits0References8
OSV
OSV
•added 2021/02/11 9:20 p.m.•82 views

GHSA-43F8-P5W3-5M25 vrana/adminer vulnerable to SSRF by connecting to privileged ports

Impact All users are affected. Patches Unsuccessfully patched by 0fae40fb, included in version 4.4.0. Patched by 35bfaa75, included in version 4.7.8. Workarounds Protect access to Adminer also by other means, e.g. by HTTP password, IP address limiting or by OTP plugin. References...

9.8CVSS9.3AI score0.04603EPSS
Exploits1References5
OSV
OSV
•added 2020/05/03 12:0 a.m.•82 views

DSA-4673-1 tomcat8 - security update

Bulletin has no description...

9.8CVSS8.1AI score0.9927EPSS
Exploits45
OSV
OSV
•added 2019/04/08 3:18 p.m.•82 views

GHSA-C6FM-RGW4-8Q73 CoAPthon3 vulnerable to Deserialization of Untrusted Data

The Serialize.deserialize method in CoAPthon3 1.0 and 1.0.1 mishandles certain exceptions, leading to a denial of service in applications that use this library e.g., the standard CoAP server, CoAP client, example collect CoAP server and client when they receive crafted CoAP messages...

8.7CVSS7.3AI score0.01446EPSS
Exploits1References5
OSV
OSV
•added 2018/10/11 7:29 a.m.•82 views

CVE-2018-18240

Pippo through 1.11.0 allows remote code execution via a command to java.lang.ProcessBuilder because the XstreamEngine component does not use XStream's available protection mechanisms to restrict unmarshalling...

9.8CVSS7.8AI score
Exploits0References1
OSV
OSV
•added 2017/10/24 6:33 p.m.•82 views

GHSA-M7FQ-CF8Q-35Q7 crack does not properly restrict casts of string values

The crack gem 0.3.1 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service memory and CPU consumption by leveraging Action Pack support for 1 YAML type...

7.5CVSS7.7AI score0.04952EPSS
Exploits1References9
OSV
OSV
•added 2025/04/05 10:15 p.m.•81 views

CVE-2025-32365

Poppler before 25.04.0 allows crafted input files to trigger out-of-bounds reads in the JBIG2Bitmap::combine function in JBIG2Stream.cc because of a misplaced isOk check...

7.1CVSS6.7AI score
Exploits0References3
OSV
OSV
•added 2024/12/31 11:37 p.m.•81 views

MAL-2024-12174 Malicious code in xeno.dll (npm)

This package uses obfuscation to hide that its downloading a malicious binary from an attacker-controlled domain --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 8903fab539c0352f278ee3116807f48f52403f7e26b855fe9d68c3328012200d Any computer that has this package...

7AI score
Exploits0References1
OSV
OSV
•added 2024/10/13 7:7 p.m.•81 views

BIT-GITLAB-2024-9596 Inclusion of Sensitive Information in Source Code in GitLab

An issue has been discovered in GitLab EE affecting all versions starting from 16.6 prior to 17.2.9, from 17.3 prior to 17.3.5, and from 17.4 prior to 17.4.2. It was possible for an unauthenticated attacker to determine the GitLab version number for a GitLab instance...

5.3CVSS4.7AI score0.0033EPSS
Exploits0References2
OSV
OSV
•added 2024/06/25 1:30 p.m.•81 views

MAL-2024-4553 Malicious code in Monero (NuGet)

--- -= Per source details. Do not edit below this line.=-...

7.1AI score
Exploits0References1
OSV
OSV
•added 2024/06/06 12:25 p.m.•81 views

CGA-F79M-WWXV-M882

Bulletin has no description...

5.3CVSS5.4AI score0.00723EPSS
Exploits1
OSV
OSV
•added 2024/03/06 11:5 a.m.•81 views

BIT-PYTHON-2022-37454

The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface...

9.8CVSS9.4AI score0.05193EPSS
Exploits1References15
OSV
OSV
•added 2024/03/06 10:57 a.m.•81 views

BIT-APACHE-2020-13950 mod_proxy_http NULL pointer dereference

Apache HTTP Server versions 2.4.41 to 2.4.46 modproxyhttp can be made to crash NULL pointer dereference with specially crafted requests using both Content-Length and Transfer-Encoding headers, leading to a Denial of Service...

7.5CVSS8.4AI score0.49089EPSS
Exploits0References11
OSV
OSV
•added 2023/10/10 9:29 p.m.•81 views

GHSA-G9V2-WQCJ-J99G Uptime Kuma has Persistentent User Sessions

Summary Attackers with access to a users' device can gain persistent account access. This is caused by missing verification of Session Tokens after password changes and/or elapsed inactivity-periods. Details uptime-kuma sets JWT tokens for users after successful authentication. These tokens have...

7.8CVSS7.3AI score0.00267EPSS
Exploits1References5
OSV
OSV
•added 2023/07/30 12:0 a.m.•81 views

DSA-5461-1 linux - security update

Bulletin has no description...

7.8CVSS7.2AI score0.05794EPSS
Exploits1
OSV
OSV
•added 2023/07/24 8:15 p.m.•81 views

CVE-2023-20593

An issue in “Zen 2” CPUs, under specific microarchitectural circumstances, may allow an attacker to potentially access sensitive information...

5.5CVSS7AI score
Exploits0References35
OSV
OSV
•added 2023/06/08 8:16 p.m.•81 views

GO-2023-1839 Code injection via go command with cgo in cmd/go

The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved...

9.8CVSS8.5AI score0.01708EPSS
Exploits0References3
OSV
OSV
•added 2023/05/18 6:30 p.m.•81 views

GHSA-282V-666C-3FVG transformers has Insecure Temporary File

Insecure Temporary File in GitHub repository huggingface/transformers 4.29.2 and prior. A fix is available at commit 80ca92470938bbcc348e2d9cf4734c7c25cb1c43 and has been released as part of version 4.30.0...

4.7CVSS5AI score0.00282EPSS
Exploits1References6
OSV
OSV
•added 2023/03/19 6:30 p.m.•81 views

GHSA-CH9G-X9J7-RCGP imgproxy Cross-site Scripting vulnerability

Cross-site Scripting XSS - Reflected in GitHub repository imgproxy/imgproxy prior to 3.14.0...

5.4CVSS5.3AI score0.01585EPSS
Exploits1References4
OSV
OSV
•added 2023/03/13 12:0 a.m.•81 views

DLA-3359-1 libapache2-mod-auth-mellon - security update

Bulletin has no description...

6.1CVSS6.6AI score0.01423EPSS
Exploits0
OSV
OSV
•added 2023/03/01 5:38 p.m.•81 views

GHSA-9HHC-PJ4W-W5RV Keycloak Cross-site Scripting on OpenID connect login service

A reflected cross-site scripting XSS vulnerability was found in the oob OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page...

8.1CVSS6.8AI score0.01149EPSS
Exploits0References11
OSV
OSV
•added 2022/11/22 12:0 a.m.•81 views

DLA-3201-1 ntfs-3g - security update

Bulletin has no description...

7.8CVSS5.8AI score0.00347EPSS
Exploits0
OSV
OSV
•added 2022/06/20 9:13 p.m.•81 views

MAL-2022-5590 Malicious code in rapidjson (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 1d8cde70e5ebdf9f1f3ca47531c69bd833ee151e87b26e71cab845eba16fdbe4 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

7AI score
Exploits0References1
OSV
OSV
•added 2022/05/26 4:15 p.m.•81 views

CVE-2022-30783

An invalid return code in fusekernmount enables intercepting of libfuse-lite protocol traffic between NTFS-3G and the kernel in NTFS-3G through 2021.8.22 when using libfuse-lite...

6.7CVSS2.7AI score
Exploits0References10
OSV
OSV
•added 2022/05/24 5:18 p.m.•81 views

GHSA-VR6V-G96P-CJC3 Moodle vulnerable to RCE

A flaw was found in Moodle versions 3.8 before 3.8.3, 3.7 before 3.7.6, 3.6 before 3.6.10, 3.5 before 3.5.12 and earlier unsupported versions. It was possible to create a SCORM package in such a way that when added to a course, it could be interacted with via web services in order to achieve remo...

8.8CVSS8.7AI score0.03083EPSS
Exploits0References6
OSV
OSV
•added 2022/05/14 2:47 a.m.•81 views

GHSA-M27M-628V-XXP2 Exposure of Sensitive Information to an Unauthorized Actor in Apache Sling Servlets Post

The Servlets Post component 2.3.6 in Apache Sling, as used in Adobe Experience Manager 5.6.1, 6.0.0, and 6.1.0, allows remote attackers to obtain sensitive information via unspecified vectors...

7.5CVSS7.1AI score0.46187EPSS
Exploits6References6
OSV
OSV
•added 2022/05/13 1:17 a.m.•81 views

GHSA-29GQ-H27W-54QF Jenkins VS Team Services Continuous Deployment Plugin stores credentials in plain text

Jenkins VS Team Services Continuous Deployment Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system...

4.3CVSS8.7AI score0.01365EPSS
Exploits0References4
OSV
OSV
•added 2022/04/27 9:9 p.m.•81 views

GHSA-8M5H-HRQM-PXM2 Path traversal in the OWASP Enterprise Security API

Impact The default implementation of Validator.getValidDirectoryPathString, String, File, boolean may incorrectly treat the tested input string as a child of the specified parent directory. This potentially could allow control-flow bypass checks to be defeated if an attack can specify the entire...

7.5CVSS7.1AI score0.02674EPSS
Exploits2References10
OSV
OSV
•added 2022/02/09 12:45 a.m.•81 views

GHSA-FMJ2-7WX8-QJ4V Server-side request forgery (SSRF) in Apache XmlGraphics Commons

Apache XmlGraphics Commons 2.4 is vulnerable to server-side request forgery, caused by improper input validation by the XMPParser. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests...

8.2CVSS7.4AI score0.0665EPSS
Exploits0References12
OSV
OSV
•added 2021/03/29 12:0 a.m.•81 views

DLA-2610-1 linux-4.19 - security update

Bulletin has no description...

8.8CVSS6.9AI score0.02079EPSS
Exploits3
OSV
OSV
•added 2009/11/05 12:0 a.m.•81 views

DSA-1929-1 linux-2.6 - several vulnerabilities

Bulletin has no description...

7.8CVSS7.1AI score0.0493EPSS
Exploits23
OSV
OSV
•added 2024/02/08 10:46 p.m.•80 views

CVE-2024-25107 Cross-Site Scripting in WikiDiscover

WikiDiscover is an extension designed for use with a CreateWiki managed farm to display wikis. On Special:WikiDiscover, the Language::date function is used when making the human-readable timestamp for inclusion on the wikicreation column. This function uses interface messages to translate the nam...

4.9CVSS6AI score0.00402EPSS
Exploits0References5
OSV
OSV
•added 2023/10/23 7:15 a.m.•80 views

CVE-2023-45802

When a HTTP/2 stream was reset RST frame by a client, there was a time window were the request's memory resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. A client could send new requests and resets, keeping the connection busy and open and causing...

5.9CVSS7.9AI score
Exploits0References6
OSV
OSV
•added 2023/10/23 3:30 a.m.•80 views

GHSA-CQVV-R3G3-26RF free5GC udm vulnerable to Invalid Curve Attack

pkg/suci/suci.go in free5GC udm before 1.2.0, when Go before 1.19 is used, allows an Invalid Curve Attack because it may compute a shared secret via an uncompressed public key that has not been validated. An attacker can send arbitrary SUCIs to the UDM, which tries to decrypt them via both its...

7.5CVSS7.5AI score0.00408EPSS
Exploits0References6
OSV
OSV
•added 2023/08/10 2:53 p.m.•80 views

CVE-2023-39955 Notes attachment render HTML in preview mode

Notes is a note-taking app for Nextcloud, an open-source cloud platform. Starting in version 4.4.0 and prior to version 4.8.0, when creating a note file with HTML, the content is rendered in the preview instead of the file being offered to download. Nextcloud Notes app version 4.8.0 contains a...

3.5CVSS6.1AI score0.0048EPSS
Exploits0References5
OSV
OSV
•added 2023/07/19 3:30 p.m.•80 views

GHSA-MRWQ-X4V8-FH7P Pygments vulnerable to ReDoS

A ReDoS issue was discovered in pygments/lexers/smithy.py in Pygments until 2.15.0 via SmithyLexer...

6.8CVSS5.6AI score0.00503EPSS
Exploits1References11
OSV
OSV
•added 2023/04/08 5:15 a.m.•80 views

CVE-2023-24626

socket.c in GNU Screen through 4.9.0, when installed setuid or setgid the default on platforms such as Arch Linux and FreeBSD, allows local users to send a privileged SIGHUP signal to any PID, causing a denial of service or disruption of the target process...

6.5CVSS6.4AI score
Exploits0References4
OSV
OSV
•added 2022/12/06 6:30 p.m.•80 views

GHSA-59FH-RJQ3-XQ7J Thinkphp has a code logic error

Thinkphp 5.1.41 and 5.0.24 has a code logic error which causes file upload getshell...

8.8CVSS8.8AI score0.02906EPSS
Exploits1References3
OSV
OSV
•added 2022/07/05 1:15 p.m.•80 views

CVE-2022-33741

Linux disk/nic frontends data leaks This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE. Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend CVE-2022-26365,...

7.1CVSS1.8AI score
Exploits0References7
OSV
OSV
•added 2022/02/24 7:15 p.m.•80 views

CVE-2022-0546

A missing bounds check in the image loader used in Blender 3.x and 2.93.8 leads to out-of-bounds heap access, allowing an attacker to cause denial of service, memory corruption or potentially code execution...

7.8CVSS7.4AI score
Exploits0References4
OSV
OSV
•added 2022/01/26 2:15 p.m.•80 views

PYSEC-2022-48

Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to...

6.5CVSS3.2AI score0.0266EPSS
Exploits0References4
OSV
OSV
•added 2022/01/21 11:2 p.m.•80 views

GHSA-H79X-98R2-G6QC Impersonation of other users (passing XBOX Live authentication) by theft of logins in PocketMine-MP

Impact Minecraft Bedrock authentication and its protocol encryption are inseparably linked. One is not complete without the other. This vulnerability affects servers which are able to be directly connected to via the internet i.e. not behind a proxy. If you are using a proxy, please check that it...

4.7CVSS6.9AI score
Exploits0References3
OSV
OSV
•added 2021/11/19 8:16 p.m.•80 views

GHSA-896R-F27R-55MW json-schema is vulnerable to Prototype Pollution

json-schema before version 0.4.0 is vulnerable to Improperly Controlled Modification of Object Prototype Attributes 'Prototype Pollution'...

9.8CVSS8.8AI score0.03563EPSS
Exploits1References8
Total number of security vulnerabilities5000