Lucene search
K
OsvMost viewed

909146 matches found

OSV
OSV
added 2022/05/21 12:0 p.m.63 views

RUSTSEC-2022-0030 Stack overflow during recursive expression parsing

When parsing untrusted rulex expressions, the stack may overflow, possibly enabling a Denial of Service attack. This happens when parsing an expression with several hundred levels of nesting, causing the process to abort immediately. The flaw was corrected in commits 60aa2dc03a by adding a check ...

6.5CVSS6.2AI score0.00879EPSS
Exploits0References3
OSV
OSV
added 2022/05/16 12:0 a.m.63 views

DLA-3011-1 vim - security update

Bulletin has no description...

8.4CVSS8.1AI score0.26583EPSS
Exploits9
OSV
OSV
added 2022/04/28 5:13 p.m.63 views

GHSA-RVJG-GXWX-J5GF OIDC Logout redirect in keycloak

A flaw was found in keycloak. The OIDC logout endpoint does not have CSRF protection. The highest threat from this vulnerability is to system availability...

3.3CVSS3.5AI score0.00211EPSS
Exploits0References5
OSV
OSV
added 2022/04/20 12:0 a.m.63 views

GHSA-Q6H7-4QGW-2J9P Hashicorp Consul HTTP health check endpoints returning an HTTP redirect may be abused as SSRF vector

A vulnerability was identified in Consul and Consul Enterprise “Consul” such that HTTP health check endpoints returning an HTTP redirect may be abused as a vector for server-side request forgery SSRF. This vulnerability, CVE-2022-29153, was fixed in Consul 1.9.17, 1.10.10, and 1.11.5...

7.5CVSS7.5AI score0.08912EPSS
Exploits0References9
OSV
OSV
added 2022/04/07 12:0 a.m.63 views

OSV-2022-312 Heap-buffer-overflow in dhcp_reply

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46416 Crash type: Heap-buffer-overflow READ 1 Crash state: dhcpreply dhcppacket FuzzDhcp...

7.2AI score
Exploits0References1
OSV
OSV
added 2022/03/14 10:43 p.m.63 views

GHSA-4VVG-X86P-MVQC Leaking of user information on Cross-Domain communication in sysend

Impact Users that use Cross-Origin communication and send sensitive information make it possible for this data to be intercepted. This is not a big impact because it happens only on the same browser. Patches It has been patched in version 1.10.0 Workarounds The only workaround is to not send...

6.5CVSS6.2AI score0.00673EPSS
Exploits1References6
OSV
OSV
added 2022/03/14 11:15 a.m.63 views

CVE-2022-23943

Out-of-bounds Write vulnerability in modsed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly attacker provided data. This issue affects Apache HTTP Server 2.4 version 2.4.52 and prior versions...

9.8CVSS4.3AI score
Exploits0References11
OSV
OSV
added 2022/01/27 3:9 p.m.63 views

GHSA-7528-7JG5-6G62 Cross-site Scripting Vulnerability in CodeIgniter4

Impact Cross-Site Scripting XSS vulnerability was found in API\ResponseTrait in Codeigniter4. Attackers can do XSS attacks if you are using API\ResponseTrait. Patches Upgrade to v4.1.8 or later. Workarounds Do one of the following: 1. Do not use API\ResponseTrait nor ResourceController 2. Disable...

5.4CVSS5.5AI score0.01002EPSS
Exploits0References6
OSV
OSV
added 2022/01/06 9:12 p.m.63 views

GHSA-3CF2-X423-X582 Exposure of Sensitive Information to an Unauthorized Actor and Origin Validation Error in podman

A flaw was found in podman. The podman machine function used to create and manage Podman virtual machine containing a Podman process spawns a gvproxy process on the host system. The gvproxy API is accessible on port 7777 on all IP addresses on the host. If that port is open on the host's firewall...

6.5CVSS6.6AI score0.01057EPSS
Exploits1References5
OSV
OSV
added 2022/01/04 12:0 a.m.63 views

DSA-5035-1 apache2 - security update

Bulletin has no description...

9.8CVSS8.9AI score0.97108EPSS
Exploits4
OSV
OSV
added 2021/10/18 7:44 p.m.63 views

GHSA-WV83-JRFH-RP33 Cross site scripting in kindeditor

Cross SIte Scripting XSS vulnerability exists in KindEditor 4.1.x via a Google search inurl:/examples/uploadbutton.html and then the .html file on the website that uses this editor the file suffix is allowed...

6.1CVSS5.9AI score0.00907EPSS
Exploits1References3
OSV
OSV
added 2021/07/15 12:0 a.m.63 views

DLA-2708-1 php7.0 - security update

Bulletin has no description...

7.8CVSS6.9AI score0.03179EPSS
Exploits4
OSV
OSV
added 2021/06/16 5:39 p.m.63 views

GHSA-9MGM-GCQ8-86WQ Improper Authentication in Apache ActiveMQ and Apache Artemis

The optional ActiveMQ LDAP login module can be configured to use anonymous access to the LDAP server. In this case, for Apache ActiveMQ Artemis prior to version 2.16.0 and Apache ActiveMQ prior to versions 5.16.1 and 5.15.14, the anonymous context is used to verify a valid users password in error...

7.5CVSS7.5AI score0.11239EPSS
Exploits0References41
OSV
OSV
added 2021/06/02 4:15 p.m.63 views

PYSEC-2021-137

An issue was discovered in Pillow before 8.2.0. There is an out-of-bounds read in J2kDecode, in j2kugrayala...

9.1CVSS2.3AI score0.02876EPSS
Exploits0References4
OSV
OSV
added 2021/04/10 12:0 a.m.63 views

DLA-2623-1 qemu - security update

Bulletin has no description...

6.5CVSS6.5AI score0.00587EPSS
Exploits2
OSV
OSV
added 2021/02/26 4:31 p.m.63 views

GHSA-M33V-338H-4V9F Path traversal in Node-Red

Impact This vulnerability allows arbitrary path traversal via the Projects API. If the Projects feature is enabled, a user with projects.read permission is able to access any file via the Projects API. Patches The issue has been patched in Node-RED 1.2.8 Workarounds The vulnerability applies only...

6.5CVSS6.2AI score0.01177EPSS
Exploits0References5
OSV
OSV
added 2020/12/18 12:0 a.m.63 views

DLA-2500-1 curl - security update

Bulletin has no description...

7.5CVSS6.4AI score0.09917EPSS
Exploits2
OSV
OSV
added 2020/11/22 12:0 a.m.63 views

DLA-2463-1 samba - security update

Bulletin has no description...

10CVSS7.1AI score0.99512EPSS
Exploits75
OSV
OSV
added 2020/06/15 7:36 p.m.63 views

GHSA-MM9X-G8PC-W292 Denial of Service in Netty

The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder...

7.5CVSS7.5AI score0.09438EPSS
Exploits0References46
OSV
OSV
added 2020/01/31 12:0 a.m.63 views

DLA-2091-1 libjackson-json-java - security update

Bulletin has no description...

9.8CVSS9AI score0.37925EPSS
Exploits7
OSV
OSV
added 2019/10/11 6:40 p.m.63 views

GHSA-X4W5-R546-X9QH Arbitrary File Read in html-pdf

All versions of html-pdf are vulnerable to Arbitrary File Read. The package fails to sanitize the HTML input, allowing attackers to exfiltrate server files by supplying malicious HTML code. XHR requests in the HTML code are executed by the server. Input with an XHR request such as...

7.5CVSS7.5AI score0.01867EPSS
Exploits1References8
OSV
OSV
added 2019/09/02 12:0 p.m.63 views

RUSTSEC-2019-0018 Internally mutating methods take immutable ref self

Affected versions of this crate exposed several methods which took self by immutable reference, despite the requesting the RenderDoc API to set a mutable value internally. This is technically unsound and calling these methods from multiple threads without synchronization could lead to unexpected...

9.8CVSS9.3AI score0.01796EPSS
Exploits0References3
OSV
OSV
added 2019/08/26 12:0 a.m.63 views

DSA-4509-1 apache2 - security update

Bulletin has no description...

9.1CVSS6.9AI score0.81466EPSS
Exploits6
OSV
OSV
added 2019/07/17 2:15 p.m.63 views

PYSEC-2019-179

The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1. NOTE: this may overlap CVE-2018-1000656...

7.5CVSS5.9AI score0.01884EPSS
Exploits1References2
OSV
OSV
added 2019/06/20 3:35 p.m.63 views

GHSA-28XH-WPGR-7FM8 Command Injection in open

Versions of open before 6.0.0 are vulnerable to command injection when unsanitized user input is passed in. The package does come with the following warning in the readme: The same care should be taken when calling open as if you were calling childprocess.exec directly. If it is an executable it...

7.5AI score
Exploits0References4
OSV
OSV
added 2018/07/27 5:4 p.m.63 views

GHSA-8G7P-74H8-HG48 Denial of Service in https-proxy-agent

Versions of https-proxy-agent before 2.2.0 are vulnerable to denial of service. This is due to unsanitized options proxy.auth being passed to Buffer. Recommendation Update to version 2.2.0 or later...

9.1CVSS8.2AI score0.02012EPSS
Exploits1References6
OSV
OSV
added 2018/04/03 12:0 a.m.63 views

DSA-4164-1 apache2 - security update

Bulletin has no description...

9.8CVSS6.9AI score0.86006EPSS
Exploits0
OSV
OSV
added 2016/09/18 12:0 a.m.63 views

DLA-628-1 php5 - security update

Bulletin has no description...

9.8CVSS8.2AI score0.15484EPSS
Exploits25
OSV
OSV
added 2014/09/24 12:0 a.m.63 views

DSA-3032-1 bash - security update

Bulletin has no description...

10CVSS10AI score0.99999EPSS
Exploits131
OSV
OSV
added 2009/11/05 12:0 a.m.63 views

DSA-1927-1 linux-2.6 - several vulnerabilities

Bulletin has no description...

7.8CVSS7AI score0.0493EPSS
Exploits12
OSV
OSV
added 2026/06/03 6:56 p.m.62 views

ROOT-APP-PYPI-CVE-2026-28684 CVE-2026-28684 in rootio-python-dotenv - Patched by Root

Root has patched CVE-2026-28684 in the rootio-python-dotenv package for Root:PyPI. Multiple fixed versions available...

6.6CVSS5.2AI score0.00236EPSS
Exploits1
OSV
OSV
added 2025/01/08 7:20 a.m.62 views

BIT-REDIS-2024-51741 Redis allows denial-of-service due to malformed ACL selectors

Redis is an open source, in-memory database that persists on disk. An authenticated with sufficient privileges may create a malformed ACL selector which, when accessed, triggers a server panic and subsequent denial of service. The problem is fixed in Redis 7.2.7 and 7.4.2...

4.4CVSS5.4AI score0.00299EPSS
Exploits0References5
OSV
OSV
added 2024/11/14 1:15 p.m.62 views

CVE-2024-10978

Incorrect privilege assignment in PostgreSQL allows a less-privileged application user to view or change different rows from those intended. An attack requires the application to use SET ROLE, SET SESSION AUTHORIZATION, or an equivalent feature. The problem arises when an application query uses...

4.2CVSS6.6AI score0.00705EPSS
Exploits0References4
OSV
OSV
added 2024/10/02 11:22 a.m.62 views

RHSA-2023:5931 Red Hat Security Advisory: Satellite 6.13.5 Async Security Update

Bulletin has no description...

9.8CVSS8.3AI score0.99999EPSS
Exploits26References84
OSV
OSV
added 2024/09/23 8:29 a.m.62 views

SUSE-SU-2024:3383-1 Security update for the Linux Kernel

The SUSE Linux Enterprise 15 SP6 kernel was updated to receive various security bugfixes. The following security bugs were fixed: - CVE-2024-43911: wifi: mac80211: fix NULL dereference at band check in starting tx ba session bsc1229827. - CVE-2024-43899: drm/amd/display: Fix null pointer deref in...

9.1CVSS8.4AI score0.01219EPSS
Exploits11References874
OSV
OSV
added 2024/08/21 4:4 p.m.62 views

GO-2022-1236 usememos/memos makes Incorrect Use of Privileged APIs in github.com/usememos/memos

usememos/memos makes Incorrect Use of Privileged APIs in github.com/usememos/memos...

8.1CVSS8.1AI score0.00761EPSS
Exploits1References4
OSV
OSV
added 2024/07/12 9:0 p.m.62 views

GHSA-9794-PC4R-438W Local File Inclusion in Solara

A Local File Inclusion LFI vulnerability was identified in widgetti/solara, in version 1.35.1, which was fixed in version 1.35.1. This vulnerability arises from the application's failure to properly validate URI fragments for directory traversal sequences such as '../' when serving static files. ...

8.6CVSS8.3AI score0.02884EPSS
Exploits0References4
OSV
OSV
added 2024/05/22 12:0 a.m.62 views

ALSA-2024:3271 Important: bind and dhcp security update

The Berkeley Internet Name Domain BIND is an implementation of the Domain Name System DNS protocols. BIND includes a DNS server named; a resolver library routines for applications to use when interfacing with DNS; and tools for verifying that the DNS server is operating correctly. The Dynamic Hos...

7.5CVSS8.3AI score0.99995EPSS
Exploits1References8
OSV
OSV
added 2024/05/10 3:33 p.m.62 views

GHSA-JCQQ-G64V-GCM7 Previous ATX is not checked to be the newest valid ATX by Smesher when validating incoming ATX

Impact Nodes can publish ATXs which reference the incorrect previous ATX of the Smesher that created the ATX. ATXs are expected to form a single chain from the newest to the first ATX ever published by an identity. Allowing Smeshers to reference an earlier but not the latest ATX as previous break...

8.2CVSS8AI score0.00734EPSS
Exploits0References7
OSV
OSV
added 2024/04/01 12:0 a.m.62 views

ASB-A-311374917

In assertPackageWithSharedUserIdIsPrivileged of InstallPackageHelper.java, there is a possible execution of arbitrary app code as a privileged app due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is...

7.8CVSS7.8AI score0.0009EPSS
Exploits0References2
OSV
OSV
added 2024/03/06 11:23 a.m.62 views

BIT-GITLAB-2020-10091

GitLab 9.3 through 12.8.1 allows XSS. A cross-site scripting vulnerability was found when viewing particular file types...

6.1CVSS5.8AI score0.00691EPSS
Exploits0References3
OSV
OSV
added 2024/03/06 11:11 a.m.62 views

BIT-GITLAB-2023-1401 Insertion of Sensitive Information Into Sent Data in GitLab

An issue has been discovered in GitLab DAST scanner affecting all versions starting from 3.0.29 before 4.0.5, in which the DAST scanner leak cross site cookies on redirect during authorization...

5CVSS4.4AI score0.00432EPSS
Exploits1References3
OSV
OSV
added 2024/02/19 9:15 a.m.62 views

CVE-2024-26308

Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.21 before 1.26. Users are recommended to upgrade to version 1.26, which fixes the issue...

5.5CVSS6.8AI score
Exploits0References3
OSV
OSV
added 2024/01/25 9:15 p.m.62 views

CVE-2023-52251

An issue discovered in provectus kafka-ui 0.4.0 through 0.7.1 allows remote attackers to execute arbitrary code via the q parameter of /api/clusters/local/topics/topic/messages...

8.8CVSS8AI score0.85025EPSS
Exploits5References2
OSV
OSV
added 2024/01/02 12:0 a.m.62 views

ALSA-2024:0003 Important: thunderbird security update

Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 115.6.0. Security Fixes: Mozilla: Heap-buffer-overflow affecting WebGL DrawElementsInstanced method with Mesa VM driver CVE-2023-6856 Mozilla: Memory safety bugs fixed in Firefox 121, Firefo...

8.8CVSS8.8AI score0.20472EPSS
Exploits0References24
OSV
OSV
added 2023/11/14 8:36 p.m.62 views

GHSA-XX9P-XXVH-7G8J Aiohttp has inconsistent interpretation of `Content-Length` vs. `Transfer-Encoding` differing in C and Python fallbacks

Impact Aiohttp has a security vulnerability regarding the inconsistent interpretation of the http protocol. As we know that HTTP/1.1 is persistent, if we have both Content-LengthCL and Transfer-EncodingTE it can lead to incorrect interpretation of two entities that parse the HTTP and we can poiso...

3.4CVSS6AI score0.00827EPSS
Exploits1References7
OSV
OSV
added 2023/10/27 9:55 p.m.62 views

GHSA-7C2Q-5QMR-V76Q DoS vulnerabilities persist in ESAPI file uploads despite remediation of CVE-2023-24998

Impact ESAPI 2.5.2.0 and later addressed the DoS vulnerability described in CVE-2023-24998, which Apache Commons FileUpload 1.5 attempted to remediate. But while writing up a new security bulletin regarding the impact on the affected ESAPI HTTPUtilities.getFileUploads methods or more specifically...

7.5CVSS7.2AI score
Exploits0References2
OSV
OSV
added 2023/10/26 8:53 p.m.62 views

GHSA-X9W5-V3Q2-3RHW browserify-sign upper bound check issue in `dsaVerify` leads to a signature forgery attack

Summary An upper bound check issue in dsaVerify function allows an attacker to construct signatures that can be successfully verified by any public key, thus leading to a signature forgery attack. Details In dsaVerify function, it checks whether the value of the signature is legal by calling...

7.5CVSS6.7AI score0.00508EPSS
Exploits0References8
OSV
OSV
added 2023/06/22 9:30 p.m.62 views

GHSA-MPV3-G8M3-3FJC Grafana vulnerable to Authentication Bypass by Spoofing

Grafana is validating Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique and can be easily modified. This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app...

9.4CVSS9.6AI score0.04094EPSS
Exploits0References6
OSV
OSV
added 2023/05/17 9:30 p.m.62 views

GHSA-WJQ3-7JXX-WHJ9 mlflow Path Traversal vulnerability

mlflow prior to 2.3.0 is vulnerable to path traversal due to a bypass of the fix for CVE-2023-1177...

9.8CVSS9.3AI score0.06311EPSS
Exploits1References5
Total number of security vulnerabilities5000