Lucene search
+L
VeracodeRecent

38468 matches found

Veracode
Veracode
•added 2026/05/09 5:37 a.m.•10 views

Improper Certificate Validation

CKAN is vulnerable to Improper Certificate Validation. The vulnerability is due to insufficient validation of SMTP server certificates, allowing attackers to spoof the configured mail server using invalid or self-signed certificates and enabling man-in-the-middle attacks against email traffic and...

8.7CVSS5.8AI score0.00194EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2026/05/09 5:37 a.m.•11 views

Server-Side Request Forgery

Weblate is vulnerable to Server-Side Request Forgery SSRF. The vulnerability is due to missing validation of repository URLs during project backup import, where Component.objects.bulkcreate bypasses Django fullclean validation and allows attacker-controlled repository URLs to be written into...

8.1CVSS5.8AI score0.00371EPSS
Exploits0References5Affected Software1
Veracode
Veracode
•added 2026/05/09 5:36 a.m.•13 views

SQL Injection

CKAN is vulnerable to SQL Injection. The vulnerability is due to improper sanitization of input in datastoresearchsql, which allows an attacker to inject arbitrary SQL queries and gain access to private resources and PostgreSQL system information...

9.8CVSS6AI score0.01815EPSS
Exploits0References6Affected Software1
Veracode
Veracode
•added 2026/05/09 5:31 a.m.•7 views

Server-Side Request Forgery (SSRF)

PlaywrightCapture is vulnerable to Server-Side Request Forgery SSRF. The vulnerability is due to insufficient restrictions on navigations and resource requests initiated by rendered pages, which allows an attacker to abuse browser-side redirection mechanisms to access local files file:// or reque...

8.7CVSS5.9AI score0.00319EPSS
Exploits0References2Affected Software1
Veracode
Veracode
•added 2026/05/09 5:29 a.m.•6 views

Improper Privilege Management

snipe/snipe-it is vulnerable to improper privilege management. The vulnerability is due to insufficient validation of permission fields in the user update API, which allows an authenticated attacker with users.edit permission to send a crafted PATCH request that sets permissionsadmin=1, thereby...

8.8CVSS5.8AI score0.00314EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2026/05/09 5:23 a.m.•18 views

Remote Code Execution (RCE)

dedoc/scramble is vulnerable to Remote Code Execution RCE. The vulnerability is due to unsafe evaluation of user-controlled input during documentation generation, which allows an attacker to execute arbitrary PHP code in the application context...

9.4CVSS6.2AI score0.0586EPSS
Exploits3References5Affected Software1
Veracode
Veracode
•added 2026/05/09 5:13 a.m.•5 views

Code Generation Literal Injection

Kiota is vulnerable to code generation literal injection. The vulnerability is due to insufficient context-aware escaping of malicious values from OpenAPI descriptions during source code generation, which allows an attacker to inject arbitrary code into generated client applications by supplying ...

7.8CVSS6.1AI score0.00421EPSS
Exploits1References2Affected Software3
Veracode
Veracode
•added 2026/05/09 5:9 a.m.•15 views

Authorization Bypass

com.arcadedb, arcadedb-server is vulnerable to Authorization Bypass. The vulnerability is due to improper initialization of access controls and missing security configuration during database creation, which allows an attacker to bypass database and record-level authorization restrictions...

9CVSS5.8AI score0.00344EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2026/05/09 5:6 a.m.•12 views

HTTP Header Injection

io.netty, netty-handler-proxy is vulnerable to HTTP Header Injection. The vulnerability is due to improper validation of user-supplied outbound headers in the HttpProxyHandler CONNECT request construction, which allows an attacker to inject arbitrary HTTP headers into requests sent to the proxy...

7.5CVSS7AI score0.00952EPSS
Exploits1References13Affected Software1
Veracode
Veracode
•added 2026/05/09 5:4 a.m.•59 views

Command Injection

github.com/gotenberg/gotenberg is vulnerable to Command Injection. The vulnerability is due to lack of validation of JSON metadata keys passed to ExifTool, which allows an attacker to inject arbitrary ExifTool arguments and execute operating system commands...

9.8CVSS6AI score0.0295EPSS
Exploits2References3Affected Software1
Veracode
Veracode
•added 2026/05/09 5:2 a.m.•7 views

Information Exposure

microsoft/kiota-java is vulnerable to Information Exposure. The vulnerability is due to the RedirectHandler middleware failing to remove sensitive HTTP headers such as Cookie, Proxy-Authorization, and custom headers when following redirects to a different host or scheme, which allows an attacker ...

7CVSS5.9AI score0.00505EPSS
Exploits0References6Affected Software9
Veracode
Veracode
•added 2026/05/08 9:32 a.m.•21 views

Man-in-the-middle

Apache Airflow is vulnerable to Man-in-the-middle. The vulnerability is due to the lack of certificate validation when using the SMTP provider SmtpHook, where a man-in-the-middle between the Airflow worker and the SMTP server could present a self-signed certificate and capture the SMTP credential...

5.9CVSS5.8AI score0.00268EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2026/05/08 8:10 a.m.•11 views

Command Injection

Click is vulnerable to Command Injection. The vulnerability is due to improper handling of user-controlled input in the click.edit function, allowing attackers to inject and execute arbitrary operating system commands from an unprivileged account...

7.2CVSS6AI score0.0081EPSS
Exploits1References8Affected Software1
Veracode
Veracode
•added 2026/05/08 8:6 a.m.•18 views

Improper Authorization

github.com/mattermost/mattermost-server is vulnerable to improper authorization. The vulnerability is due to insufficient validation of team membership permissions in the Add Channel Member API, which allows an attacker to exploit the API endpoint to access user metadata and channel membership...

4.3CVSS7.2AI score0.00177EPSS
Exploits0References5Affected Software2
Veracode
Veracode
•added 2026/05/08 7:45 a.m.•16 views

Improper Access Control

Apollo Federation is vulnerable to improper access control. The vulnerability is due to improper enforcement of user-defined access control directives on interface types and fields, which allows an attacker to bypass access restrictions by querying implementing object types and fields through...

7.5CVSS5.8AI score0.00386EPSS
Exploits0References6Affected Software1
Veracode
Veracode
•added 2026/05/08 7:17 a.m.•18 views

Insecure Direct Object Reference (IDOR)

File Browser is vulnerable to an Insecure Direct Object Reference IDOR. The vulnerability is due to insufficient authorization checks in the share deletion functionality, which allows an authenticated attacker with share permissions to delete other users’ shared links by exploiting improper acces...

8.8CVSS5.8AI score0.0042EPSS
Exploits1References4Affected Software2
Veracode
Veracode
•added 2026/05/08 6:43 a.m.•15 views

Improper Authentication

github.com/mattermost/mattermost-server is vulnerable to improper authentication. The vulnerability is due to the failure to enforce multi-factor authentication on WebSocket connections, which allows an unauthenticated attacker to access sensitive information through WebSocket events...

7.5CVSS5.8AI score0.00297EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2026/05/08 6:18 a.m.•15 views

Remote Code Execution

Sonatype Nexus Repository is vulnerable to Remote Code Execution. The vulnerability is due to a flaw in the task management component, where an authenticated attacker with task creation permissions can bypass the nexus.scripts.allowCreation security control and execute arbitrary code...

9.4CVSS6.1AI score0.00359EPSS
Exploits0References2Affected Software1
Veracode
Veracode
•added 2026/05/07 6:23 p.m.•18 views

Denial Of Service (DoS)

brace-expansion is vulnerable to Denial Of Service DoS. The vulnerability is due to improper handling of brace patterns with a zero step value, which allows an attacker to trigger infinite loops and excessive memory consumption...

7.5CVSS6.2AI score0.0043EPSS
Exploits0References11Affected Software1
Veracode
Veracode
•added 2026/05/07 5:27 p.m.•20 views

Uncontrolled Recursion

@nestjs/microservices is vulnerable to Uncontrolled Recursion. The vulnerability is due to recursive processing of multiple JSON messages in a single TCP frame without proper recursion limits, which allows an attacker to trigger a stack overflow and crash the application...

7.5CVSS5.9AI score0.00329EPSS
Exploits0References2Affected Software1
Veracode
Veracode
•added 2026/05/07 3:44 p.m.•13 views

Path Traversal

ServiceStack is vulnerable to Path Traversal. The vulnerability is due to improper validation of user-supplied paths in the FindType method, which allows an attacker to manipulate file operations and execute arbitrary code...

8.1CVSS7.5AI score0.01128EPSS
Exploits0References5Affected Software1
Veracode
Veracode
•added 2026/05/07 10:5 a.m.•19 views

Denial Of Service

Apache Neethi is vulnerable to Denial of Service DoS. The vulnerability is due to algorithmic complexity in the policy normalization process, where specially crafted WS-Policy documents trigger exponential Cartesian cross-product expansion, leading to excessive memory allocation and JVM heap...

7.5CVSS5.7AI score0.00711EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2026/05/07 9:32 a.m.•16 views

Insecure Deserialization

pdfminer.six vulnerable to insecure deserialization. The vulnerability is due to the unsafe use of Python pickle for deserializing CMap cache files without proper validation, which allows an attacker to place a malicious pickle file in an accessible location and execute arbitrary code or escalate...

6.5CVSS6.2AI score0.00223EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2026/05/07 8:45 a.m.•17 views

Server-Side Request Forgery (SSRF)

Apache Neethi is vulnerable to Server-Side Request Forgery SSRF. The vulnerability is due to lack of validation of URIs in the PolicyReference API, allowing applications to fetch policies from arbitrary protocols or internal addresses, enabling attackers to trigger outbound requests to internal o...

7.2CVSS5.9AI score0.00497EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2026/05/07 8:31 a.m.•19 views

Denial Of Service

Apache Neethi is vulnerable to Denial of Service.The vulnerability is due to improper handling of circular references during policy normalization, where recursive policy references are not detected, leading to infinite loops or excessive recursion that can cause stack overflow or application hang...

7.5CVSS5.9AI score0.00763EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2026/05/07 8:8 a.m.•22 views

Unsafe Deserialization

Apache MINA is vulnerable to Unsafe Deserialization. The vulnerability is due to delayed enforcement of the classname allowlist in AbstractIoBuffer.getObject, where deserialization via ObjectInputStream.readObject occurs before validation, allowing execution of static initializers in malicious...

9.8CVSS6.2AI score0.00657EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2026/05/07 7:50 a.m.•11 views

Host Header Injection

github.com/zitadel/zitadel is vulnerable to Host Header Injection. The vulnerability is due to improper validation of the Forwarded or X-Forwarded-Host header while constructing password reset confirmation links, which allows an attacker to manipulate the reset URL and potentially hijack password...

9.3CVSS5.9AI score0.00322EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2026/05/07 7:11 a.m.•16 views

Command Injection

willitmerge is vulnerable to Command Injection. The vulnerability is due to improper neutralization of user-controlled input in command execution, which allows an attacker to inject and execute arbitrary system commands through crafted input parameters...

9.8CVSS6AI score0.02466EPSS
Exploits1References4Affected Software1
Veracode
Veracode
•added 2026/05/07 7:6 a.m.•17 views

Unsafe Deserialization

Apache MINA is vulnerable to Unsafe Deserialization. The vulnerability is due to incomplete enforcement of a classname allowlist in AbstractIoBuffer.resolveClass, where certain branches e.g., for primitive or static classes bypass validation and call Class.forName without checks, allowing attacke...

9.8CVSS6AI score0.00902EPSS
Exploits1References3Affected Software1
Veracode
Veracode
•added 2026/05/06 5:22 p.m.•20 views

Privilege Escalation

@oneuptime/common is vulnerable to privilege escalation. The vulnerability is due to improper validation of the isMasterAdmin parameter in the login response, which allows an attacker to manipulate its value and gain unauthorized access to the admin dashboard...

8.2CVSS5.8AI score0.0027EPSS
Exploits1References3Affected Software1
Veracode
Veracode
•added 2026/05/06 5:0 p.m.•20 views

Denial Of Service(DoS)

github.com/free5gc/openapi is vulnerable to a denial of service. The vulnerability is due to improper handling in the NudmSubscriberDataManagement API, which allows an attacker to exploit it and cause a denial of service...

6.5CVSS7.2AI score0.00319EPSS
Exploits0References8Affected Software2
Veracode
Veracode
•added 2026/05/06 3:58 p.m.•16 views

Privilege Escalation

github.com/grafana/grafana is vulnerable to privilege escalation. The vulnerability is due to inadequate validation of the SCIM externalId field, which allows a malicious or compromised SCIM client to assign numeric values that override internal user IDs, enabling attackers to impersonate users o...

10CVSS6AI score0.17653EPSS
Exploits1References7Affected Software1
Veracode
Veracode
•added 2026/05/06 3:43 p.m.•6 views

Improper Access Control

@anthropic-ai/claude-code is vulnerable to improper access control. The vulnerability is due to an error in sed command parsing that bypasses read-only validation, which allows an attacker to write to arbitrary files on the host system...

9.8CVSS6AI score0.00403EPSS
Exploits0References2Affected Software1
Veracode
Veracode
•added 2026/05/06 8:44 a.m.•11 views

Path Traversal

OpenClaw is vulnerable to Path Traversal. The vulnerability is due to mis-scoped mirror mode paths, where attackers can manipulate OpenShell config paths to cause mirror sync operations to delete unintended remote directory contents and replace them with uploaded workspace data...

8.1CVSS5.8AI score0.00371EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2026/05/06 8:41 a.m.•17 views

Improperly Controlled Modification Of Dynamically-Determined Object Attributes

Apache Camel is vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes. The vulnerability is due to lack of header filtering when mapping CoAP query parameters to message headers, which allows an attacker to inject malicious headers and execute arbitrary...

10CVSS6AI score0.06157EPSS
Exploits2References15Affected Software3
Veracode
Veracode
•added 2026/05/06 8:26 a.m.•12 views

Insecure File Permissions

Claude SDK for TypeScript is vulnerable to insecure file permissions. The vulnerability is due to the BetaLocalFilesystemMemoryTool creating memory files and directories with world-readable and world-writable permissions, where a local attacker on a shared host could read persisted agent state, a...

4.8CVSS5.8AI score0.00119EPSS
Exploits0References1Affected Software1
Veracode
Veracode
•added 2026/05/06 7:50 a.m.•18 views

Denial Of Service

Marked is vulnerable to Denial of Service DoS. The vulnerability is due to improper handling of specific input sequences during parsing, where a crafted sequence \x09\x0b\n triggers infinite recursion, leading to unbounded memory allocation and application crash due to out-of-memory conditions...

8.7CVSS5.8AI score0.00342EPSS
Exploits1References2Affected Software1
Veracode
Veracode
•added 2026/05/06 7:27 a.m.•16 views

Conversation Isolation Bypass

Spring AI is vulnerable to conversation isolation bypass. The vulnerability is due to insufficient validation of user-supplied input as a conversationId, where an attacker can inject filter logic through conversationId and exfiltrate sensitive memory from other users’ chat histories, including...

5.9CVSS5.8AI score0.00233EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2026/05/05 1:24 p.m.•15 views

Prototype Pollution

Axios is vulnerable to Prototype Pollution. The vulnerability is due to direct property access of configuration fields in the HTTP adapter e.g., config.auth, config.baseURL, config.socketPath, config.beforeRedirect, config.insecureHTTPParser without hasOwnProperty checks, allowing polluted...

9.1CVSS5.8AI score0.00715EPSS
Exploits1References14Affected Software1
Veracode
Veracode
•added 2026/05/05 12:6 p.m.•17 views

Insecure Deserialization

org.apache.camel, camel-mina is vulnerable to insecure deserialization. The vulnerability is due to the MinaConverter.toObjectInputIoBuffer method wrapping untrusted data in a java.io.ObjectInputStream without applying filtering or class restrictions, which allows an attacker to send crafted...

8.8CVSS6.3AI score0.00926EPSS
Exploits2References8Affected Software1
Veracode
Veracode
•added 2026/05/05 11:48 a.m.•15 views

Deserialization Of Untrusted Data

Apache MINA is vulnerable to deserialization of untrusted data. The vulnerability is due to missing class validation in the AbstractIoBuffer.resolveClass method, which bypasses the classname allowlist and allows an attacker to execute arbitrary code via crafted serialized input...

9.8CVSS6.2AI score0.0064EPSS
Exploits0References4Affected Software1
Veracode
Veracode
•added 2026/05/05 11:24 a.m.•14 views

Header Injection

Apache Camel is vulnerable to Header Injection. The vulnerability is due to missing inbound header filtering in the MailHeaderFilterStrategy, which allows an attacker to inject malicious Camel-specific headers via email and manipulate downstream component behavior...

9.4CVSS5.8AI score0.00621EPSS
Exploits1References13Affected Software3
Veracode
Veracode
•added 2026/05/05 10:48 a.m.•9 views

Improper Validation Of Certificate

Apache Thrift is vulnerable to Improper Validation of Certificate. The vulnerability is due to improper validation of certificates against the host name, which allows an attacker to perform man-in-the-middle attacks by presenting a mismatched or malicious certificate...

8.2CVSS5.8AI score0.00571EPSS
Exploits0References13Affected Software2
Veracode
Veracode
•added 2026/05/05 9:51 a.m.•14 views

Remote Code Execution (RCE)

simple-git is vulnerable to Remote Code Execution RCE. The vulnerability is due to incomplete validation of command options allowing the --config form to bypass restrictions, which allows an attacker to inject malicious options and execute arbitrary code...

9.8CVSS6.1AI score0.00877EPSS
Exploits1References6Affected Software1
Veracode
Veracode
•added 2026/05/05 6:40 a.m.•16 views

Information Exposure

org.springframework.ai, spring-ai-autoconfigure-model-transformers is vulnerable to information exposure. The vulnerability is due to improper isolation in a shared environment, which allows an attacker to access and retrieve the ONNX model used by the application...

6.1CVSS5.8AI score0.00105EPSS
Exploits0References4Affected Software2
Veracode
Veracode
•added 2026/05/05 6:24 a.m.•16 views

Code Injection

Apache ActiveMQ is vulnerable to Code Injection. The vulnerability is due to improper input validation and improper control of generation of code, where an attacker can construct a malicious broker name that bypasses name validation to include an xbean binding, and then use the DestinationView...

8.8CVSS6.4AI score0.0098EPSS
Exploits0References6Affected Software3
Veracode
Veracode
•added 2026/05/05 5:43 a.m.•15 views

SQL Injection

org.springframework.ai, spring-ai-azure-cosmos-db-store is vulnerable to SQL Injection. The vulnerability is due to improper handling of crafted document IDs in the CosmosDBVectorStore, which allows an attacker to execute arbitrary SQL queries...

8.8CVSS6.1AI score0.00338EPSS
Exploits0References4Affected Software1
Veracode
Veracode
•added 2026/05/04 9:5 p.m.•15 views

Remote Code Execution (RCE)

Apache Camel is vulnerable to Remote Code Execution. The vulnerability is due to inconsistent case-sensitive header filtering in non-HTTP HeaderFilterStrategy implementations, which allows an attacker to inject malicious headers that are later interpreted by downstream components to execute...

9.9CVSS6.2AI score0.0086EPSS
Exploits1References9Affected Software4
Veracode
Veracode
•added 2026/05/04 8:47 p.m.•15 views

Deserialization Of Untrusted Data

Apache Camel is vulnerable to Deserialization Of Untrusted Data. The vulnerability is due to unsafe deserialization of data using ObjectInputStream without proper filtering, which allows an attacker to inject malicious serialized objects and execute arbitrary code...

8.8CVSS6AI score0.00711EPSS
Exploits2References10Affected Software1
Veracode
Veracode
•added 2026/05/04 8:19 p.m.•11 views

Arbitrary Command Injection

Claude Code is vulnerable to Arbitrary Command Injection. The vulnerability is due to lack of validation of the git worktree commondir file when determining folder trust, which allows an attacker to bypass trust checks and execute malicious hooks...

8.8CVSS5.9AI score0.00281EPSS
Exploits0References2Affected Software1
Total number of security vulnerabilities38468