38287 matches found
Server-Side Request Forgery (SSRF)
@portkey-ai/gateway is vulnerable to Server-Side Request Forgery (SSRF). The vulnerability is due to improper trust of the x-portkey-custom-host request header when determining the destination baseURL, which allows an attacker to manipulate requests and perform unauthorized external fetches...
Cross-Site Scripting (XSS)
mayanedms is vulnerable to cross-site scripting (XSS). The vulnerability is due to improper handling of input in an unknown function within the /authentication/ endpoint, which allows a remote attacker to inject and execute malicious scripts...
Server-Side Request Forgery (SSRF)
kube-controller-manager is vulnerable to Server-Side Request Forgery (SSRF). The vulnerability is due to improper validation of requests in the in-tree Portworx StorageClass, which allows an attacker to leak sensitive information from internal or unprotected endpoints within the control plane’s hos...
Path Traversal
croogo/croogo is vulnerable to path traversal. The vulnerability is due to improper validation of the edit-file parameter, which allows an attacker to craft malicious file paths and read arbitrary files on the server...
Improper Authentication
github.com/smallstep/certificates is vulnerable to improper authentication. The vulnerability is due to missing safeguards against unauthenticated certificate issuance through the SCEP UpdateReq, which allows an attacker to obtain certificates without authentication...
Integer Overflow
bcrypt-ruby is vulnerable to Integer Overflow. The vulnerability is due to an integer overflow in the Java BCrypt implementation for JRuby, where the key-strengthening round count is computed as a signed 32-bit integer, and when cost=31, signed integer overflow causes the round count to become...
Devise Has A Confirmable "change Email" Race Condition Permits User To Confirm Email They Have No Access To
Impact: A race condition in Devise's Confirmable module allows an attacker to confirm an email address they do not own. This affects any Devise application using the "reconfirmable" option (the default when using Confirmable with email changes). By sending two concurrent email change requests, an...
TLS Connection Bypass
pyOpenSSL is vulnerable to TLS connection bypass. The vulnerability is due to an unhandled exception in a user-provided set_tlsext_servername_callback, where the exception is not caught and results in the connection being accepted, allowing attackers to bypass security-sensitive checks...
Denial Of Service
pypdf is vulnerable to Denial of Service. The vulnerability is due to inefficient decoding of array-based streams, where accessing an array-based stream with many entries leads to long runtimes and large memory usage, and attackers can exploit it by crafting a malicious PDF with a large array-bas...
Path Traversal
PyMuPDF is vulnerable to Path Traversal. The vulnerability is due to improper validation of file paths in the embedded get function in main.py, allowing attackers to manipulate paths and write files outside the intended directory, leading to arbitrary file write...
Format String Injection
Ruby JSON is vulnerable to Format String Injection. The vulnerability is due to a format string injection vulnerability, where the allow_duplicate_key: false parsing option is used to parse user supplied documents and can lead to denial of service attacks or information disclosure...
Privilege Escalation
Craft CMS is vulnerable to Privilege Escalation. The vulnerability is due to improper authorization checks in the UsersController-actionImpersonateWithToken functionality, which allows an attacker to abuse shared or low-privileged access to gain administrative privileges...
Arbitrary Code Execution
PySpector is vulnerable to Arbitrary Code Execution. The vulnerability is due to incomplete AST validation in the plugin system where indirect calls via getattr are not properly resolved, which allows an attacker to bypass security checks and execute arbitrary system commands through malicious...
Unauthenticated Remote Code Execution In Langflow Via Public Flow Build Endpoint
Summary: The "POST /api/v1/build_public_tmp/{flow_id}/flow" endpoint allows building public flows without requiring authentication. When the optional "data" parameter is supplied, the endpoint uses attacker-controlled flow data containing arbitrary Python code in node definitions instead of the stored...
Authentication Bypass
Authlib is vulnerable to Authentication Bypass. The vulnerability is due to fail-open behavior in the verifyhash function when processing unsupported or unknown algorithms, where hash validation incorrectly returns success, allowing attackers to forge ID Tokens and bypass integrity checks...
Directory Traversal
Langflow is vulnerable to Directory Traversal. The vulnerability is due to improper validation of foldername and filename parameters in the download endpoint, which allows an attacker to access sensitive files such as the secretkey across directories...
Code Injection
SimpleEval is vulnerable to code injection. The vulnerability is due to objects leaking dangerous modules through to direct access inside the sandbox, where dangerous functions or modules could be accessed by passing them as callbacks to other safe functions to call...
Missing Authentication
Glances is vulnerable to Missing Authentication. The vulnerability is due to the web server running without authentication by default (glances -w), exposing REST API endpoints that return sensitive system information, including process command-lines containing credentials, to any network client...
Cross-Site Scripting (XSS)
PySpector is vulnerable to stored Cross-Site Scripting (XSS). The vulnerability is due to the HTML report generator inserting code snippets without sanitization, where the scanned Python file's JavaScript payload is interpolated into the report and an attacker can trigger execution by opening the...
Incorrect Authorization
Craft CMS is vulnerable to Incorrect Authorization. The vulnerability is due to improper authorization checks in the UsersController-actionImpersonateWithToken functionality, which allows an attacker to abuse shared or low-privileged access to gain administrative privileges...
Code Injection
craftcms/cms is vulnerable to Code Injection. The vulnerability is due to passing unvalidated configuration data to Craft::configure without proper sanitization, which allows an attacker to inject malicious behavior or event handlers and execute arbitrary code...
Denial Of Service (DoS)
DeepDiff is vulnerable to Denial Of Service (DoS). The vulnerability is due to insufficient restriction on constructor arguments during pickle deserialization, which allows an attacker to supply crafted payloads that trigger excessive memory allocation and crash the application...
Buffer Overflow
pyOpenSSL is vulnerable to Buffer Overflow. The vulnerability is due to improper bounds checking in set_cookie_generate_callback, where cookie values exceeding 256 bytes can overflow an OpenSSL buffer, potentially leading to memory corruption...
Broken Access Control In Extension "Redirect Tab" (redirect_tab)
The extension fails to verify whether an authenticated user has permission to access redirects, resulting in exposure of redirect records when editing a page...
AVideo: IDOR - Any Admin Can Set Another User's Channel Password Via SetPassword.json.php
Summary: The "setPassword.json.php" endpoint in the CustomizeUser plugin allows administrators to set a channel password for any user. Due to a logic error in how the submitted password value is processed, any password containing non-numeric characters is silently coerced to the integer zero befor...
Remote Code Execution (RCE)
cpsit/typo3-mailqueue is vulnerable to Remote Code Execution (RCE). The vulnerability is due to improper restriction of allowed classes during deserialization of transport failure metadata, which allows an attacker to execute arbitrary code if they can write to the configured spool directory...
Behavior Injection Remote Code Execution (RCE)
Craft CMS is vulnerable to Behavior Injection Remote Code Execution (RCE). The vulnerability is due to improper handling of behavior injection in ElementIndexesController and FieldsController, which allows an attacker with admin privileges and enabled admin changes to execute arbitrary code...
Authentication Bypass
ralffreit/mfa-email is vulnerable to Authentication Bypass. The vulnerability is due to failure to properly reset the MFA code after successful authentication, which allows an attacker to bypass MFA by providing an empty code in subsequent login attempts...
Denial Of Service (DoS)
Micronaut Framework is vulnerable to Denial of Service (DoS). The vulnerability is due to improper handling of descending array index order in JsonBeanPropertyBinder::expandArrayToThreshold, where crafted form-urlencoded parameters can trigger a non-terminating loop, leading to CPU exhaustion and...
Improper Access Control
OneUptime is vulnerable to Improper Access Control. The vulnerability is due to missing authorization checks on account creation APIs, which allows a low-privileged user to create new accounts via direct API requests...
Regular Expression Denial Of Service (ReDoS)
Valibot is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability is due to inefficient processing in the EMOJI_REGEX used by the emoji action, which allows an attacker to supply a crafted input that triggers excessive CPU consumption and causes a denial of service...
Denial Of Service (DoS)
github.com/VictoriaMetrics/VictoriaMetrics is vulnerable to Denial of Service (DoS). The vulnerability is due to the snappy decoder ignoring request size limits, which allows an attacker to send malformed compressed blocks that trigger excessive memory usage and cause service disruption...
Denial Of Service (DoS)
github.com/free5gc/nssf is vulnerable to Denial of Service (DoS). The vulnerability is due to improper handling of crafted POST requests to the Nnssf_NSSAIAvailability API, which allows an attacker to disrupt service availability...
Denial Of Service (DoS)
github.com/free5gc/pcf is vulnerable to Denial of Service (DoS). The vulnerability is due to improper handling of crafted POST requests to the Npcf_BDTPolicyControl API, which allows an attacker to trigger service disruption...
Improper Authorization
code.gitea.io/gitea is vulnerable to improper authorization. The vulnerability is due to insufficient authorization checks when deleting releases, which allows an attacker to delete releases without proper permissions...
Improper Access Control
code.gitea.io/gitea is vulnerable to improper access control. The vulnerability is due to insufficient authorization checks, which allows an anonymous attacker to access private user projects...
Improper Access Control
code.gitea.io/gitea is vulnerable to improper access control. The vulnerability is due to inadequate enforcement of branch deletion permissions after merging a pull request, which allows an attacker to delete branches without proper authorization...
Cross Site Scripting (XSS)
code.gitea.io/gitea is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to improper validation of URL schemes in links, which allows an attacker to inject malicious javascript: URLs and execute arbitrary scripts in a user's browser...
Denial Of Service (DoS)
Node.js is vulnerable to Denial of Service (DoS). The vulnerability is due to improper error handling when async_hooks.createHook is enabled, where "Maximum call stack size exceeded" errors become uncatchable and terminate the process instead of reaching uncaughtException, allowing attackers to...
Improper Input Validation
code.gitea.io/gitea is vulnerable to improper input validation. The vulnerability is due to insufficient validation of attachment file names in the attachment API, which allows an attacker to bypass file extension restrictions by modifying the attachment name...
Information Disclosure
code.gitea.io/gitea is vulnerable to information disclosure. The vulnerability is due to improper exposure of user metadata through sortable fields such as last login time, which allows an attacker to infer users' login activity by manipulating the explore/users sort order...
Server-Side Request Forgery (SSRF)
github.com/QuantumNous/new-api is vulnerable to Server-Side Request Forgery (SSRF). The vulnerability is due to incomplete SSRF protection that only validates the initial request, which allows an attacker to use a 302 redirect to bypass restrictions and access internal network resources...
Privilege Escalation
OpenBao is vulnerable to Privilege Escalation. The vulnerability is due to improper access control in the identity group subsystem, which allows a privileged operator to assign root policies to group identities and escalate permissions...
Authentication Bypass
github.com/hashicorp/terraform-provider-vault is vulnerable to Authentication Bypass. The vulnerability is due to the default deny_null_bind parameter being set to false in the LDAP auth method, which allows an attacker to authenticate using anonymous or unauthenticated binds when the LDAP server...
Improper Authorization
github.com/authzed/spicedb is vulnerable to Improper Authorization. The vulnerability is due to incorrect handling of permission unions referencing the same relation in the LookupResources API, which allows an attacker to bypass expected permission checks by causing incomplete or missing...
Cross-site Scripting (XSS)
phpPgAdmin is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to improper sanitization and encoding of user-supplied input from $_REQUEST parameters across multiple components, which allows an attacker to inject and execute arbitrary JavaScript in users’ browsers...
SQL Injection
phpPgAdmin is vulnerable to SQL Injection. The vulnerability is due to improper sanitization of user-controlled input from the $_REQUEST['query'] parameter passed to the browseQuery function, which allows an attacker to execute arbitrary SQL commands and compromise the database...
SQL Injection
phpPgAdmin is vulnerable to SQL Injection. The vulnerability is due to direct execution of user-supplied input from the $_REQUEST['query'] parameter without sanitization or parameterization, which allows an attacker to execute arbitrary SQL commands and compromise the database...
Access Control Bypass
phpPgAdmin is vulnerable to Improper Access Control. The vulnerability is due to lack of validation and access control on user-controlled parameters (subject, server, database, queryid) in sql.php, which allows an attacker to manipulate session variables and inject arbitrary SQL queries, potentiall...
Denial Of Service (DoS)
github.com/elastic/beats is vulnerable to Denial of Service (DoS). The vulnerability is due to improper resource management when processing integrated IPv4 fragments, which allows an unauthenticated remote attacker to send malicious fragments that trigger excessive memory and CPU allocation...