Lucene search
K
OsvMost viewed

909148 matches found

OSV
OSV
added 2024/06/06 6:30 p.m.70 views

GHSA-CGWC-QVRX-RF7F Remote code execution in pytorch lightning

A remote code execution RCE vulnerability exists in the lightning-ai/pytorch-lightning library version 2.2.1 due to improper handling of deserialized user input and mismanagement of dunder attributes by the deepdiff library. The library uses deepdiff.Delta objects to modify application state base...

9.8CVSS6.5AI score0.26488EPSS
Exploits3References6
OSV
OSV
added 2024/03/06 10:54 a.m.70 views

BIT-CODEIGNITER-2022-21647

CodeIgniter is an open source PHP full-stack web framework. Deserialization of Untrusted Data was found in the old function in CodeIgniter4. Remote attackers may inject auto-loadable arbitrary objects with this vulnerability, and possibly execute existing PHP code on the server. We are aware of a...

9.8CVSS9.2AI score0.37671EPSS
Exploits0References2
OSV
OSV
added 2024/03/04 5:29 p.m.70 views

GO-2024-2587 SQL injection in github.com/apache/age/drivers/golang

SQL injection in github.com/apache/age/drivers/golang...

8.1CVSS8.4AI score0.00948EPSS
Exploits0References2
OSV
OSV
added 2023/04/12 1:41 a.m.70 views

RLSA-2023:1670 Important: httpd and mod_http2 security update

The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fixes: httpd: HTTP request splitting with modrewrite and modproxy CVE-2023-25690 For more details about the security issues, including the impact, a CVSS score, acknowledgments, and other...

9.8CVSS8.8AI score0.8377EPSS
Exploits5References2
OSV
OSV
added 2023/02/28 12:0 a.m.70 views

ALSA-2023:0953 Moderate: python3.9 security update

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fixes:...

7.5CVSS8AI score0.02453EPSS
Exploits1References4
OSV
OSV
added 2022/09/13 5:40 p.m.70 views

GO-2022-0978 Protection bypass in github.com/open-policy-agent/opa

Open Policy Agent OPA is an open source, general-purpose policy engine. The Rego compiler provides a deprecated WithUnsafeBuiltins function, which allows users to provide a set of built-in functions that should be deemed unsafe and rejected by the compiler if encountered in the policy compilation...

9.8CVSS8.4AI score0.01224EPSS
Exploits1References6
OSV
OSV
added 2022/05/13 1:9 a.m.70 views

GHSA-2G99-C67P-56HM XML Signature/Encryption Not Validated in Apache CXF

Apache CXF 2.4.x before 2.4.8, 2.5.x before 2.5.4, and 2.6.x before 2.6.1, when a Supporting Token specifies a child WS-SecurityPolicy 1.1 or 1.2 policy, does not properly ensure that an XML element is signed or encrypted, which has unspecified impact and attack vectors...

10CVSS5.8AI score0.04112EPSS
Exploits1References18
OSV
OSV
added 2022/05/09 6:15 p.m.70 views

CVE-2022-28738

A double free was found in the Regexp compiler in Ruby 3.x before 3.0.4 and 3.1.x before 3.1.2. If a victim attempts to create a Regexp from untrusted user input, an attacker may be able to write to unexpected memory locations...

9.8CVSS2.8AI score0.02744EPSS
Exploits0References5
OSV
OSV
added 2022/04/07 3:20 p.m.70 views

GHSA-3HJG-VC7R-RCRW Denial of Service vulnerability in @podium/layout and @podium/proxy

Impact An attacker using the Trailer header as part of the request against proxy endpoints has the ability to take down the server. All Podium layouts that include podlets with proxy endpoints are affected. Patches @podium/layout which is the main way developers/users are vulnerable to this...

7.5CVSS7.4AI score0.01594EPSS
Exploits0References6
OSV
OSV
added 2017/10/24 6:33 p.m.70 views

GHSA-QQXP-XP9V-VVX6 jquery-ui Tooltip widget vulnerable to XSS

Cross-site scripting XSS vulnerability in the default content option in jquery.ui.tooltip.js in the Tooltip widget in jQuery UI before 1.10.0 allows remote attackers to inject arbitrary web script or HTML via the title attribute, which is not properly handled in the autocomplete combo box demo...

4.3CVSS5.9AI score0.06463EPSS
Exploits0References13
OSV
OSV
added 2017/10/19 12:0 a.m.70 views

DSA-4002-1 mysql-5.5 - security update

Bulletin has no description...

6.5CVSS6.1AI score0.03264EPSS
Exploits0
OSV
OSV
added 2016/05/31 12:0 a.m.70 views

DLA-499-1 php5 - security update

Bulletin has no description...

9.8CVSS8.1AI score0.19455EPSS
Exploits15
OSV
OSV
added 2015/07/25 12:0 a.m.70 views

DLA-282-1 lighttpd - security update

Bulletin has no description...

4.3CVSS4.9AI score0.99999EPSS
Exploits7
OSV
OSV
added 2026/06/12 12:25 p.m.69 views

OESA-2026-2645 assimp security update

Assimp is a library to load and process geometric scenes from various data formats. Assimp aims to provide a full asset conversion pipeline for use in game engines and real-time rendering systems of any kind, but is not limited to this purpose. Security Fixes: A vulnerability, which was classifie...

8.8CVSS4.6AI score0.00581EPSS
Exploits4References5
OSV
OSV
added 2025/03/31 4:5 p.m.69 views

CGA-XCXW-9493-3GQ3

Bulletin has no description...

8.7CVSS7.2AI score0.00369EPSS
Exploits0
OSV
OSV
added 2024/05/15 5:10 p.m.69 views

GHSA-X3WM-HFFR-CHWM Amazon JDBC Driver for Redshift SQL Injection via line comment generation

Impact SQL injection is possible when using the non-default connection property preferQueryMode=simple in combination with application code which has a vulnerable SQL that negates a parameter value. There is no vulnerability in the driver when using the default, extended query mode. Note that...

10CVSS9.7AI score0.00778EPSS
Exploits0References8
OSV
OSV
added 2024/05/14 10:33 a.m.69 views

BIT-PYTHON-2024-4030

On Windows a directory returned by tempfile.mkdtemp would not always have permissions set to restrict reading and writing to the temporary directory by other users, instead usually inheriting the correct permissions from the default location. Alternate configurations or users without a profile...

7.1CVSS7.1AI score0.003EPSS
Exploits0References15
OSV
OSV
added 2024/05/07 2:29 p.m.69 views

CVE-2024-34342 react-pdf's PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF

react-pdf displays PDFs in React apps. If PDF.js is used to load a malicious PDF, and PDF.js is configured with isEvalSupported set to true which is the default value, unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain. This vulnerability is fixed in...

7.1CVSS6.6AI score0.01064EPSS
Exploits1References8
OSV
OSV
added 2024/03/06 11:23 a.m.69 views

BIT-GITLAB-2020-10088

GitLab 12.5 through 12.8.1 has Insecure Permissions. Depending on particular group settings, it was possible for invited groups to be given the incorrect permission level...

8.1CVSS7.9AI score0.00814EPSS
Exploits0References3
OSV
OSV
added 2024/03/06 10:55 a.m.69 views

BIT-APACHE-2021-36160 mod_proxy_uwsgi out of bound read

A carefully crafted request uri-path can cause modproxyuwsgi to read above the allocated memory and crash DoS. This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48 inclusive...

7.5CVSS8.5AI score0.62887EPSS
Exploits0References25
OSV
OSV
added 2024/01/28 4:15 a.m.69 views

CVE-2024-23740

An issue in Kap for macOS version 3.6.0 and before, allows remote attackers to execute arbitrary code via the RunAsNode and enableNodeClilnspectArguments settings...

9.8CVSS8AI score0.01456EPSS
Exploits0References2
OSV
OSV
added 2023/03/20 12:0 a.m.69 views

DSA-5376-1 apache2 - security update

Bulletin has no description...

9.8CVSS7.8AI score0.8377EPSS
Exploits5
OSV
OSV
added 2023/03/18 9:30 p.m.69 views

GHSA-PMHG-CMJC-3875 Ansible Semaphore mishandles authentication

api/auth.go in Ansible Semaphore before 2.8.89 mishandles authentication...

9.8CVSS9.4AI score0.00873EPSS
Exploits0References4
OSV
OSV
added 2022/12/12 6:15 p.m.69 views

PYSEC-2022-43002

Improper Privilege Management in GitHub repository ikus060/rdiffweb prior to 2.5.2...

9.8CVSS6.9AI score0.00789EPSS
Exploits1References5
OSV
OSV
added 2022/12/06 6:15 p.m.69 views

PYSEC-2022-42997

Passeo is an open source python password generator. Versions prior to 1.0.5 rely on the python random library for random value selection. The python random library warns that it should not be used for security purposes due to its reliance on a non-cryptographically secure random number generator...

7.5CVSS6.9AI score0.00791EPSS
Exploits0References3
OSV
OSV
added 2022/10/31 6:15 a.m.69 views

CVE-2022-40617

strongSwan before 5.9.8 allows remote attackers to cause a denial of service in the revocation plugin by sending a crafted end-entity and intermediate CA certificate that contains a CRL/OCSP URL that points to a server under the attacker's control that doesn't properly respond but for example jus...

7.5CVSS5.3AI score
Exploits0References2
OSV
OSV
added 2022/10/01 12:0 a.m.69 views

ASB-A-195410559

In btadmremovedevice of btadmact.cc, there is a possible way for a BT device to receive a long term trackable identifier due to a permissions bypass. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation...

6.3AI score
Exploits0References3
OSV
OSV
added 2022/08/30 8:54 p.m.69 views

GHSA-C8FJ-4PM8-MP2C Broken Authorization in ZITADEL Actions

Impact Actions, introduced in ZITADEL 1.42.0 on the API and 1.56.0 for Console, is a feature, where users with role ORGOWNER are able to create Javascript Code, which is invoked by the system at certain points during the login. Actions, for example, allow creating authorizations user grants on...

8.7CVSS8.7AI score0.00788EPSS
Exploits0References7
OSV
OSV
added 2022/05/03 12:0 a.m.69 views

GHSA-QP49-3PVW-X4M5 sinatra does not validate expanded path matches

Sinatra before 2.2.0 does not validate that the expanded path matches publicdir when serving static files...

7.5CVSS7.5AI score0.02059EPSS
Exploits0References8
OSV
OSV
added 2022/01/13 3:5 p.m.69 views

GHSA-7P8F-8HJM-WM92 Lookup operations do not take into account wildcards in SpiceDB

Impact Any user making use of a wildcard relationship under the right hand branch of an exclusion or within an intersection operation will see Lookup/LookupResources return a resource as "accessible" if it is not accessible by virtue of the inclusion of the wildcard in the intersection or the rig...

8.1CVSS7.9AI score0.01472EPSS
Exploits0References6
OSV
OSV
added 2018/08/21 7:3 p.m.69 views

GHSA-FR52-4HQW-P27F Nokogiri does not forbid namespace nodes in XPointer ranges

xpointer.c in libxml2 before 2.9.5 as used in nokogiri before 1.7.1 amongst other products does not forbid namespace nodes in XPointer ranges, which allows remote attackers to execute arbitrary code or cause a denial of service use-after-free and memory corruption via a crafted XML document...

9.8CVSS8AI score0.08628EPSS
Exploits0References11
OSV
OSV
added 2017/11/07 12:0 a.m.69 views

DLA-1166-1 tomcat7 - security update

Bulletin has no description...

8.1CVSS6.9AI score0.99988EPSS
Exploits23
OSV
OSV
added 2006/03/21 12:0 a.m.69 views

DSA-1010-1 ilohamail - missing input sanitising

Bulletin has no description...

4.3CVSS6.8AI score0.01404EPSS
Exploits0
OSV
OSV
added 2026/06/17 8:17 p.m.68 views

UBUNTU-CVE-2026-55200

libssh2 through 1.11.1, fixed in commit 7acf3df contains an out-of-bounds write vulnerability in ssh2transportread that fails to enforce upper bounds on packetlength field. Remote attackers can send crafted SSH packets with excessively large packetlength values to corrupt heap memory and achieve...

9.2CVSS7.5AI score0.00732EPSS
Exploits10References4
OSV
OSV
added 2026/04/14 11:18 p.m.68 views

GHSA-FF5Q-CC22-FGP4 WWBN AVideo has a CORS Origin Reflection Bypass via plugin/API/router.php and allowOrigin(true) Exposes Authenticated API Responses

Summary The CORS origin validation fix in commit 986e64aad is incomplete. Two separate code paths still reflect arbitrary Origin headers with credentials allowed for all /api/ endpoints: 1 plugin/API/router.php lines 4-8 unconditionally reflect any origin before application code runs, and 2...

7.1CVSS6.1AI score0.00132EPSS
Exploits1References4
OSV
OSV
added 2025/01/07 4:3 p.m.68 views

GO-2025-3361 GoPhish sends cleartext passwords in github.com/gophish/gophish

GoPhish sends cleartext passwords in github.com/gophish/gophish...

7.5CVSS7.5AI score0.00358EPSS
Exploits0References3
OSV
OSV
added 2024/07/16 7:32 p.m.68 views

GHSA-Q5FM-55C2-V6J9 Fiona affected by CVE-2023-45853 related to MiniZip madler-zlib

Summary Vulnerability scan of fiona shows CVE-2023-45853. The vulnerability is in GDAL, a dependency of fiona. Details Fiona depends on GDAL and GDAL has a port of minizip. MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip464 via a...

9.8CVSS7.7AI score0.02918EPSS
Exploits0References5
OSV
OSV
added 2024/03/06 10:59 a.m.68 views

BIT-NGINX-2021-23017

A security issue in nginx resolver was identified, which might allow an attacker who is able to forge UDP packets from the DNS server to cause 1-byte memory overwrite, resulting in worker process crash or potential other impact...

7.7CVSS6.4AI score0.52838EPSS
Exploits10References15
OSV
OSV
added 2024/03/06 10:51 a.m.68 views

BIT-ELASTICSEARCH-2023-31419 Elasticsearch StackOverflow vulnerability

A flaw was discovered in Elasticsearch, affecting the search API that allowed a specially crafted query string to cause a Stack Overflow and ultimately a Denial of Service...

7.5CVSS6.5AI score0.60679EPSS
Exploits4References4
OSV
OSV
added 2024/02/09 9:15 a.m.68 views

CVE-2024-25674

An issue was discovered in MISP before 2.4.184. Organisation logo upload is insecure because of a lack of checks for the file extension and MIME type...

9.8CVSS7.2AI score
Exploits0References2
OSV
OSV
added 2023/11/02 9:44 p.m.68 views

GO-2023-2160 Panic during QUIC handshake in github.com/quic-go/quic-go

The QUIC handshake can cause a panic when processing a certain sequence of frames. A malicious peer can deliberately trigger this panic...

7.5CVSS7.4AI score0.00765EPSS
Exploits0References2
OSV
OSV
added 2023/10/24 8:27 p.m.68 views

GO-2023-2137 Credentials leak in github.com/ydb-platform/ydb-go-sdk/v3

A custom credentials object that does not implement the fmt.Stringer interface may leak sensitive information e.g., credentials via logs...

5.5CVSS5.2AI score0.00219EPSS
Exploits0References3
OSV
OSV
added 2023/10/11 4:49 p.m.68 views

GO-2023-2102 HTTP/2 rapid reset can cause excessive work in net/http

A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a ne...

7.5CVSS7.7AI score0.99999EPSS
Exploits19References4
OSV
OSV
added 2023/09/13 3:44 p.m.68 views

GHSA-4W8R-3XRW-V25G Craft CMS Remote Code Execution vulnerability

Impact This is a high-impact, low-complexity attack vector. Users running Craft installations before 4.4.15 are encouraged to update to at least that version to mitigate the issue. Mitigations This has been fixed in Craft 4.4.15. You should ensure you’re running at least that version. Refresh you...

10CVSS9.4AI score0.92918EPSS
Exploits10References9
OSV
OSV
added 2023/08/22 7:16 p.m.68 views

CVE-2022-48174

There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution...

9.8CVSS8.2AI score
Exploits0References3
OSV
OSV
added 2023/02/08 12:35 a.m.68 views

GHSA-74FP-R6JW-H4MP Kubernetes apimachinery packages vulnerable to unbounded recursion in JSON or YAML parsing

CVE-2019-11253 is a denial of service vulnerability in the kube-apiserver, allowing authorized users sending malicious YAML or JSON payloads to cause kube-apiserver to consume excessive CPU or memory, potentially crashing and becoming unavailable. When creating a ConfigMap object which has...

7.5CVSS7.4AI score0.25939EPSS
Exploits2References8
OSV
OSV
added 2022/11/22 7:15 p.m.68 views

PYSEC-2022-42995

A vulnerability was found in keylime. This security issue happens in some circumstances, due to some improperly handled exceptions, there exists the possibility that a rogue agent could create errors on the verifier that stopped attestation attempts for that host leaving it in an attested state b...

5.1CVSS6.6AI score0.00247EPSS
Exploits0References5
OSV
OSV
added 2022/05/14 1:28 a.m.68 views

GHSA-X5QJ-9VMX-7G6G Improper Input Validation in .Net Framework API's

A vulnerability exists in certain .Net Framework API's and Visual Studio in the way they parse URL's, aka '.NET Framework and Visual Studio Spoofing Vulnerability'...

5.9CVSS6.8AI score0.04518EPSS
Exploits0References6
OSV
OSV
added 2022/01/26 10:13 p.m.68 views

GHSA-V82V-RQ72-PHQ9 Server side request forgery in @isomorphic-git/cors-proxy

The package @isomorphic-git/cors-proxy before 2.7.1 is vulnerable to Server-side Request Forgery SSRF due to missing sanitization and validation of the redirection action in middleware.js...

8.6CVSS8AI score0.01389EPSS
Exploits1References4
OSV
OSV
added 2021/11/23 6:18 p.m.68 views

GHSA-RHF5-F553-XG82 Password exposure in concrete5/core

Unauthorized individuals could view password protected files using viewinline in Concrete CMS previously concrete 5 prior to version 8.5.7. Concrete CMS now checks to see if a file has a password in viewinline and, if it does, the file is not rendered.For version 8.5.6, the following mitigations...

7.5CVSS7.6AI score0.01075EPSS
Exploits0References3
Total number of security vulnerabilities5000