Source: OSV, sorted by most viewed

905908 matches found

OSV | added 2023/10/25 6:18 a.m. | 262 views
BIT-2023-4399
Grafana is an open-source platform for monitoring and observability. In Grafana Enterprise, Request security is a deny list that allows admins to configure Grafana in a way so that the instance doesn't call specific hosts. However, the restriction can be bypassed using punycode encoding of the...
CVSS 7.2 | AI score 6.8 | EPSS 0.01082 | Exploits 0 | References 1 | Affected Software 1

OSV | added 2022/07/19 12:00 a.m. | 258 views
GHSA-5QJ8-6XXJ-HP9H Dompdf before v2.0.0 vulnerable to chroot check bypass
Dompdf prior to version 2.0.0 is vulnerable to a chroot check bypass, which could cause disclosure of png and jpeg files...
CVSS 5.3 | AI score 6.8 | EPSS 0.00913 | Exploits 1 | References 5

OSV | added 2023/06/03 12:00 a.m. | 255 views
DLA-3444-1 mariadb-10.3 - security update
Bulletin has no description...
CVSS 6.5 | AI score 6.8 | EPSS 0.01486 | Exploits 0

OSV | added 2024/06/28 3:28 p.m. | 254 views
GO-2024-2486 HashiCorp Vault Improper Privilege Management in github.com/hashicorp/vault
HashiCorp Vault Improper Privilege Management in github.com/hashicorp/vault...
CVSS 5.3 | AI score 5.2 | EPSS 0.00763 | Exploits 0 | References 6

OSV | added 2011/07/01 12:00 a.m. | 253 views
DSA-2268-1 iceweasel - several
Bulletin has no description...
CVSS 10 | AI score 9.6 | EPSS 0.75691 | Exploits 19

OSV | added 2024/06/28 3:28 p.m. | 252 views
GO-2024-2508 Enumeration of users in HashiCorp Vault in github.com/hashicorp/vault
Enumeration of users in HashiCorp Vault in github.com/hashicorp/vault...
CVSS 5.3 | AI score 5.1 | EPSS 0.01289 | Exploits 0 | References 5

OSV | added 2017/09/29 12:00 a.m. | 250 views
DSA-3987-1 firefox-esr - security update
Bulletin has no description...
CVSS 10 | AI score 7.7 | EPSS 0.03641 | Exploits 3

OSV | added 2023/04/11 6:30 a.m. | 249 views
GHSA-79XF-67R4-Q2JJ safe-eval vulnerable to Sandbox Bypass due to improper input sanitization
All versions of the package safe-eval are vulnerable to Sandbox Bypass due to improper input sanitization. The vulnerability is derived from prototype pollution exploitation. Exploiting this vulnerability might result in remote code execution (RCE). Vulnerable functions: defineGetter, stack,...
CVSS 10 | AI score 9.5 | EPSS 0.02101 | Exploits 1 | References 10

OSV | added 2017/04/23 12:00 a.m. | 249 views
DLA-910-1 libreoffice - security update
Bulletin has no description...
CVSS 9.8 | AI score 7.4 | EPSS 0.03864 | Exploits 0

OSV | added 2024/03/06 11:24 a.m. | 244 views
BIT-GITLAB-2020-10073
GitLab EE 12.4.2 through 12.8.1 allows Denial of Service. It was internally discovered that a potential denial of service involving permissions checks could impact a project home page...
CVSS 7.5 | AI score 7.3 | EPSS 0.01124 | Exploits 0 | References 3

OSV | added 2024/03/06 11:08 a.m. | 244 views
BIT-VAULT-2023-5954 Vault Requests Triggering Policy Checks May Lead To Unbounded Memory Consumption
HashiCorp Vault and Vault Enterprise inbound client requests triggering a policy check can lead to an unbounded consumption of memory. A large number of these requests may lead to denial-of-service. Fixed in Vault 1.15.2, 1.14.6, and 1.13.10...
CVSS 7.5 | AI score 6.3 | EPSS 0.00719 | Exploits 0 | References 3

OSV | added 2021/09/20 8:47 p.m. | 241 views
GHSA-RP65-9CF3-CJXR Inefficient Regular Expression Complexity in nth-check
There is a Regular Expression Denial of Service (ReDoS) vulnerability in nth-check that causes a denial of service when parsing crafted invalid CSS nth-checks. The ReDoS vulnerabilities of the regex are mainly due to the sub-pattern \s?:+-?\s\d+? with quantified overlapping adjacency and can be...
CVSS 7.5 | AI score 7.5 | EPSS 0.02014 | Exploits 1 | References 5

OSV | added 2022/11/07 7:00 p.m. | 240 views
GHSA-97XG-PHPR-RG8Q Apache Commons BCEL vulnerable to out-of-bounds write
Apache Commons BCEL has a number of APIs that would normally only allow changing specific class characteristics. However, due to an out-of-bounds writing issue, these APIs can be used to produce arbitrary bytecode. This could be abused in applications that pass attacker-controllable data to those...
CVSS 9.8 | AI score 9.6 | EPSS 0.02836 | Exploits 0 | References 13

OSV | added 2024/03/06 11:24 a.m. | 238 views
BIT-GITLAB-2020-10075
GitLab 12.5 through 12.8.1 allows HTML Injection. A particular error header was potentially susceptible to injection or potentially other vulnerabilities via unescaped input...
CVSS 6.1 | AI score 6.4 | EPSS 0.0073 | Exploits 0 | References 3

OSV | added 2022/02/08 5:23 p.m. | 238 views
GHSA-G6W6-R76C-28J7 Incorrect Authorization in NATS nats-server
This advisory is canonically... Problem Description: NATS nats-server through 2022-02-04 has Incorrect Access Control, with unchecked ability for clients to authorize into any account, because of a coding error in a long-extant experimental feature. A client crafting the initial protocol-level...
CVSS 8.8 | AI score 8.7 | EPSS 0.01305 | Exploits 0 | References 5

OSV | added 2021/07/17 12:15 a.m. | 237 views
CVE-2021-36769
A reordering issue exists in Telegram before 7.8.1 for Android, Telegram before 7.8.3 for iOS, and Telegram Desktop before 2.8.8. An attacker can cause the server to receive messages in a different order than they were sent by a client...
CVSS 5.3 | AI score 6.7 | Exploits 0 | References 1

OSV | added 2024/03/06 10:53 a.m. | 236 views
BIT-APACHE-2022-23943 mod_sed: Read/write beyond bounds
Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly attacker-provided data. This issue affects Apache HTTP Server 2.4 version 2.4.52 and prior versions...
CVSS 9.8 | AI score 9.1 | EPSS 0.50401 | Exploits 0 | References 12

OSV | added 2024/01/30 1:16 a.m. | 236 views
CVE-2024-22938
Insecure Permissions vulnerability in BossCMS v.1.3.0 allows a local attacker to execute arbitrary code and escalate privileges via the init function in admin.class.php component...
CVSS 7.8 | AI score 7.8 | EPSS 0.0031 | Exploits 1 | References 3

OSV | added 2014/06/19 12:00 a.m. | 234 views
DLA-0007-1 linux-2.6 - security update
Bulletin has no description...
CVSS 7.8 | AI score 7.3 | EPSS 0.37233 | Exploits 15

OSV | added 2024/03/06 10:58 a.m. | 233 views
BIT-GITLAB-2023-4700 Missing Authorization in GitLab
An authorization issue in GitLab EE affecting all versions from 14.7 prior to 16.3.6, 16.4 prior to 16.4.2, and 16.5 prior to 16.5.1 allowed a user to run jobs in protected environments, bypassing any required approvals...
CVSS 6.5 | AI score 4.8 | EPSS 0.00373 | Exploits 0 | References 3

OSV | added 2022/04/12 8:45 p.m. | 228 views
GHSA-CQCC-MM6X-VMVW Persistent Cross-site Scripting vulnerability in PrivateBin
In PrivateBin polygon id="triangle" points="0,0 0,50 50,0" fill="00990...
CVSS 8.2 | AI score 7.7 | EPSS 0.01271 | Exploits 1 | References 4

OSV | added 2024/02/21 6:04 p.m. | 227 views
GHSA-VGV8-5CPJ-QJ2F pymatgen vulnerable to arbitrary code execution when parsing a maliciously crafted JonesFaithfulTransformation transformation_string
Summary: A critical security vulnerability exists in the JonesFaithfulTransformation.from_transformation_str method within the pymatgen library. This method insecurely utilizes eval for processing input, enabling execution of arbitrary code when parsing untrusted input. This can be exploited when...
CVSS 9.3 | AI score 8.7 | EPSS 0.03816 | Exploits 8 | References 7

OSV | added 2025/08/14 6:52 p.m. | 226 views
MAL-2025-21003 Malicious code in fs (npm)
The package fs was found to contain malicious code...
AI score 7.2 | Exploits 0

OSV | added 2024/03/06 10:51 a.m. | 226 views
BIT-APACHE-2022-36760 Apache HTTP Server: mod_proxy_ajp Possible request smuggling
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server 2.4 version 2.4.54 and prior versions...
CVSS 9 | AI score 7.9 | EPSS 0.01879 | Exploits 0 | References 3

OSV | added 2023/05/17 5:24 p.m. | 226 views
CVE-2023-26044 ReactPHP's HTTP server continues parsing unused multipart parts after reaching limits
react/http is an event-driven, streaming HTTP client and server implementation for ReactPHP. Previous versions of ReactPHP's HTTP server component contain a potential DoS vulnerability that can cause high CPU load when processing large HTTP request bodies. This vulnerability has little to no impa...
CVSS 5.3 | AI score 5.2 | EPSS 0.0068 | Exploits 0 | References 4

OSV | added 2024/03/06 10:54 a.m. | 224 views
BIT-APACHE-2021-41773 Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49
A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default...
CVSS 9.8 | AI score 9.2 | EPSS 0.99992 | Exploits 148 | References 31

OSV | added 2024/01/11 5:39 p.m. | 224 views
CVE-2024-22199 Django Template Engine Vulnerable to XSS
This package provides universal methods to use multiple template engines with the Fiber web framework using the Views interface. This vulnerability specifically impacts web applications that render user-supplied data through this template engine, potentially leading to the execution of malicious...
CVSS 9.3 | AI score 6.7 | EPSS 0.00484 | Exploits 0 | References 4

OSV | added 2023/02/28 8:12 p.m. | 224 views
GHSA-PFVH-P8QP-9WW9 Gogs OS Command Injection vulnerability
Impact: The malicious user is able to update a crafted config file into the repository's .git directory in combination with crafted file deletion to gain SSH access to the server on case-insensitive file systems. All installations with repository upload enabled (default) on case-insensitive file systems...
CVSS 9.8 | AI score 9.4 | EPSS 0.97839 | Exploits 1 | References 7

OSV | added 2021/12/12 12:00 a.m. | 224 views
DLA-2842-1 apache-log4j2 - security update
Bulletin has no description...
CVSS 10 | AI score 10 | EPSS 0.99999 | Exploits 348

OSV | added 2021/06/29 6:32 p.m. | 223 views
GHSA-G6XV-8Q23-W2Q3 SQL Injection in Gogs
Multiple SQL injection vulnerabilities in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.x before 0.5.6.1105 Beta allow remote attackers to execute arbitrary SQL commands via the q parameter to (1) api/v1/repos/search, which is not properly handled in models/repo.go, or (2) api/v1/users/search, which is...
CVSS 7.3 | AI score 8.1 | EPSS 0.34274 | Exploits 5 | References 13

OSV | added 2022/06/17 8:56 p.m. | 216 views
GHSA-H4MX-XV96-2JGM Cross-Site Scripting in TYPO3's Frontend Login Mailer
Meta: CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C 4.9. Problem: User-submitted content was used without being properly encoded in HTML emails sent to users. The actually affected components were mail clients used to view those messages. Solution: Update to TYPO3 versions 9.5.35...
CVSS 5.4 | AI score 5.2 | EPSS 0.00717 | Exploits 0 | References 7

OSV | added 2025/03/07 3:13 p.m. | 215 views
CVE-2025-27152 Possible SSRF and Credential Leakage via Absolute URL in axios Requests
axios is a promise-based HTTP client for the browser and node.js. The issue occurs when passing absolute URLs rather than protocol-relative URLs to axios. Even if baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage. This issue...
CVSS 8.7 | AI score 6.1 | EPSS 0.00759 | Exploits 1 | References 4

OSV | added 2022/01/06 11:13 p.m. | 215 views
GHSA-W2PM-R78H-4M7V OS Command Injection in Laravel Framework
OS Command injection vulnerability in the link function in Filesystem.php in Laravel Framework before 5.8.17...
CVSS 8.8 | AI score 8.8 | EPSS 0.02523 | Exploits 1 | References 4

OSV | added 2022/02/17 5:19 p.m. | 214 views
GHSA-FMVM-X8MV-47MJ Improper CSP in Image Optimization API for Next.js versions between 10.0.0 and 12.1.0
Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface (UI) Misrepresentation of Critical Information. In order to be affected, the next.config.js file must have an images.domains array assigned and the image host assigned in...
CVSS 5.9 | AI score 6.5 | EPSS 0.01767 | Exploits 0 | References 5

OSV | added 2022/09/23 4:32 p.m. | 212 views
GHSA-W9MF-83W3-FV49 Keycloak vulnerable to Stored Cross site Scripting (XSS) when loading default roles
A Stored XSS vulnerability was reported in the Keycloak Security mailing list, affecting all the versions of Keycloak, including the latest release 18.0.1. The vulnerability allows a privileged attacker to execute malicious scripts in the admin console, abusing the default roles functionality...
CVSS 5.4 | AI score 5.1 | EPSS 0.00572 | Exploits 0 | References 5

OSV | added 2024/12/16 7:10 a.m. | 211 views
BIT-GITLAB-2024-9367 Allocation of Resources Without Limits or Throttling in GitLab
An issue was discovered in GitLab CE/EE affecting all versions starting from 13.9 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2, that allows an attacker to cause uncontrolled CPU consumption, potentially leading to a Denial of Service (DoS) condition while parsing templates to generate...
CVSS 4.3 | AI score 4.4 | EPSS 0.00465 | Exploits 1 | References 3

OSV | added 2021/05/18 1:27 a.m. | 211 views
GHSA-Q28M-8XJW-8VR5 Puma's Keepalive Connections Causing Denial Of Service
This vulnerability is related to CVE-2019-16770. Impact: The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent connections saturating all threads in the same process...
CVSS 7.5 | AI score 7.4 | EPSS 0.01599 | Exploits 0 | References 9

OSV | added 2024/10/29 6:30 p.m. | 210 views
GHSA-66C4-2G2V-54QW Grafana org admin can delete pending invites in different org
Organization admins can delete pending invites created in an organization they are not part of...
CVSS 2.2 | AI score 3.8 | EPSS 0.00496 | Exploits 0 | References 5

OSV | added 2024/12/09 5:03 a.m. | 209 views
MAL-2024-11458 Malicious code in solara.dll (npm)
--- -= Per source details. Do not edit below this line.=-...
AI score 7.1 | Exploits 0

OSV | added 2023/09/25 12:00 a.m. | 209 views
DLA-3582-1 ghostscript - security update
Bulletin has no description...
CVSS 7.8 | AI score 5.5 | EPSS 0.00707 | Exploits 2

OSV | added 2021/04/08 11:15 p.m. | 208 views
CVE-2021-3448
A flaw was found in dnsmasq in versions before 2.85. When configured to use a specific server for a given network interface, dnsmasq uses a fixed port while forwarding queries. An attacker on the network, able to find the outgoing port used by dnsmasq, only needs to guess the random transmission ...
CVSS 4 | AI score 1.6 | Exploits 0 | References 6

OSV | added 2025/04/14 11:12 a.m. | 206 views
BIT-GRAFANA-2024-8118 Grafana alerting wrong permission on datasource rule write endpoint
In Grafana, the wrong permission is applied to the alert rule write API endpoint, allowing users with permission to write external alert instances to also write alert rules...
CVSS 5.1 | AI score 6.6 | EPSS 0.00583 | Exploits 0 | References 2

OSV | added 2024/03/06 10:53 a.m. | 206 views
BIT-APACHE-2022-22720 HTTP request smuggling vulnerability in Apache HTTP Server 2.4.52 and earlier
Apache HTTP Server 2.4.52 and earlier fails to close the inbound connection when errors are encountered while discarding the request body, exposing the server to HTTP Request Smuggling...
CVSS 9.8 | AI score 9.2 | EPSS 0.28189 | Exploits 0 | References 17

OSV | added 2023/10/31 7:27 a.m. | 205 views
BIT-2023-45145
Redis is an in-memory database that persists on disk. On startup, Redis begins listening on a Unix socket before adjusting its permissions to the user-provided configuration. If a permissive umask(2) is used, this creates a race condition that enables, during a short period of time, another process...
CVSS 3.6 | AI score 7 | EPSS 0.00444 | Exploits 0 | References 5 | Affected Software 1

OSV | added 2024/01/24 7:41 p.m. | 204 views
CVE-2024-23646 Pimcore Admin Classic Bundle SQL Injection in Admin download files as zip
Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. The application allows users to create zip files from available files on the site. In the 1.x branch prior to version 1.3.2, parameter selectedIds is susceptible to SQL Injection. Any backend user with very basic...
CVSS 8.8 | AI score 9.1 | EPSS 0.00755 | Exploits 1 | References 7

OSV | added 2024/03/06 11:11 a.m. | 203 views
BIT-TOMCAT-2020-13935
The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 9.0.0 through 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service...
CVSS 7.5 | AI score 6.7 | EPSS 0.87553 | Exploits 1 | References 18

OSV | added 2006/05/18 12:00 a.m. | 201 views
DSA-1058-1 awstats - missing input sanitising
Bulletin has no description...
CVSS 5.1 | AI score 6 | EPSS 0.58356 | Exploits 10

OSV | added 2024/06/17 7:20 a.m. | 199 views
BIT-GITLAB-2024-4201 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
A cross-site scripting issue has been discovered in GitLab affecting all versions starting from 5.1 before 16.10.7, all versions starting from 16.11 before 16.111.4, all versions starting from 17.0 before 17.0.2. When viewing an XML file in a repository in raw mode, it can be made to render as HT...
CVSS 4.4 | AI score 4.3 | EPSS 0.00483 | Exploits 0 | References 4

OSV | added 2024/03/06 10:54 a.m. | 199 views
BIT-APACHE-2021-42013 Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)
It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default...
CVSS 9.8 | AI score 9.3 | EPSS 0.99964 | Exploits 62 | References 32

OSV | added 2023/07/05 5:15 p.m. | 199 views
PYSEC-2023-102
A refcounting issue that leads to a potential memory leak was discovered in scipy commit 8627df31ab in the Py_FindObjects function...
CVSS 5.5 | AI score 6.8 | EPSS 0.00385 | Exploits 1 | References 7

Total number of security vulnerabilities: 5000