Lucene search
+L
VeracodeRecent

38468 matches found

Veracode
Veracode
•added 2026/04/16 11:15 a.m.•8 views

Improper Access Control.

Vite is vulnerable to improper access control. The vulnerability is due to missing Origin header validation in the WebSocket connection path, which allows an attacker to invoke internal functions and retrieve arbitrary server files via crafted WebSocket requests...

8.2CVSS5.9AI score0.02907EPSS
Exploits3References11Affected Software1
Veracode
Veracode
•added 2026/04/16 11:12 a.m.•12 views

Code Injection

Handlebars is vulnerable to code injection. The vulnerability is due to improper sanitization of user-controlled inputs in the CLI precompiler, which allows an attacker to inject arbitrary JavaScript via crafted template filenames or CLI arguments and execute it when the generated code is run...

8.2CVSS6AI score0.00291EPSS
Exploits1References9Affected Software1
Veracode
Veracode
•added 2026/04/16 9:21 a.m.•13 views

Cross-site Request Forgery

RedwoodSDK is vulnerable to Cross-site Request Forgery. The vulnerability is due to server functions exported from 'use server' files being invoked via GET requests, bypassing their intended HTTP method, where browsers send SameSite=Lax cookies on top-level GET requests and an attacker could...

8.1CVSS5.8AI score0.0021EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2026/04/16 8:59 a.m.•14 views

Path Traversal

LiquidJS is vulnerable to Path Traversal. The vulnerability is due to the top-level file loads not enforcing the boundary set by the configured root, where a Liquid instance configured with an empty temporary directory as root can return the contents of arbitrary files and attackers can exploit...

7.5CVSS5.8AI score0.00447EPSS
Exploits0References4Affected Software1
Veracode
Veracode
•added 2026/04/16 8:45 a.m.•8 views

Memory Limit Bypass

LiquidJS is vulnerable to Memory Limit Bypass. The vulnerability is due to the replace filter incorrectly accounting for memory usage when the memoryLimit option is enabled, where an attacker who controls template content can bypass the memoryLimit DoS protection with approximately 2,500x...

5.3CVSS5.8AI score0.00495EPSS
Exploits1References4Affected Software1
Veracode
Veracode
•added 2026/04/16 7:54 a.m.•8 views

Improper Access Control

github.com/1panel-dev/1panel is vulnerable to improper access control. The vulnerability is due to trusting all proxy IPs in Gin’s default configuration, which allows an attacker to spoof the X-Forwarded-For header and bypass IP-based security controls...

6.5CVSS7.2AI score0.00204EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2026/04/16 7:36 a.m.•9 views

Path Traversal

LiquidJS is vulnerable to Path Traversal. The vulnerability is due to the path-based check for partial and layout roots, where a symlink to a file outside the allowed root can be loaded if it is placed inside an allowed partials or layouts directory, and attackers can exploit this by placing...

8.2CVSS5.8AI score0.00396EPSS
Exploits1References4Affected Software1
Veracode
Veracode
•added 2026/04/16 7:35 a.m.•9 views

Arbitrary File Deletion

Gin-vue-admin is vulnerable to arbitrary file deletion. The vulnerability is due to improper validation of the FileMd5 parameter, which allows an attacker to manipulate file paths and delete arbitrary files or folders on the server...

9.1CVSS5.9AI score0.00506EPSS
Exploits1References3Affected Software1
Veracode
Veracode
•added 2026/04/16 7:14 a.m.•8 views

Improper Access Control

@fastify/express is vulnerable to Improper Access Control. The vulnerability is due to incorrect path handling in the onRegister function, where middleware paths are duplicated when inherited by child plugins, causing them to not match incoming requests and resulting in bypass of security control...

9.1CVSS5.8AI score0.0043EPSS
Exploits1References4Affected Software1
Veracode
Veracode
•added 2026/04/16 6:2 a.m.•14 views

Prototype Pollution

Lodash is vulnerable to Prototype Pollution. The vulnerability is due to incomplete validation of path segments in .unset and .omit functions, which allows an attacker to bypass checks using array-wrapped inputs and delete properties from built-in prototypes...

6.5CVSS5.7AI score0.00317EPSS
Exploits0References1Affected Software4
Veracode
Veracode
•added 2026/04/16 5:10 a.m.•16 views

Improper Verification Of Cryptographic Signature

node-forge is vulnerable to Improper Verification of Cryptographic Signature. The vulnerability is due to insufficient validation of RSASSA PKCS1 v1.5 signatures allowing malformed ASN structures and inadequate padding checks, which allows an attacker to forge valid signatures and bypass signatur...

7.5CVSS5.7AI score0.00339EPSS
Exploits0References21Affected Software1
Veracode
Veracode
•added 2026/04/15 3:32 p.m.•11 views

Cross-site Scripting (XSS)

Unhead is vulnerable to Cross-site Scripting XSS. The vulnerability is due to improper decoding and validation of HTML entities in URI schemes, which allows an attacker to bypass protocol checks using padded entities and inject malicious scripts into the rendered HTML...

6.1CVSS5.7AI score0.00285EPSS
Exploits1References3Affected Software1
Veracode
Veracode
•added 2026/04/15 2:33 p.m.•10 views

Injection

@nestjs/core is vulnerable to Injection. The vulnerability is due to unsanitized interpolation of user-controlled fields into Server-Sent Events output, which allows an attacker to inject arbitrary events, spoof event types, and manipulate the event stream...

6.3CVSS5.9AI score0.00234EPSS
Exploits0References5Affected Software1
Veracode
Veracode
•added 2026/04/15 11:29 a.m.•14 views

Missing Cryptographic Step

jsrsasign is vulnerable to Missing Cryptographic Step. The vulnerability is due to improper handling of invalid DSA signature values without retry logic, which allows an attacker to recover the private key by forcing signature parameters to predictable values...

9.4CVSS5.7AI score0.003EPSS
Exploits1References14Affected Software1
Veracode
Veracode
•added 2026/04/15 11:18 a.m.•10 views

Denial Of Service (DoS)

Axios is vulnerable to Denial Of Service DoS. The vulnerability is due to a state corruption bug in HTTP/2 session cleanup logic, which allows a malicious server to trigger concurrent session closures and crash the client process...

5.9CVSS5.8AI score0.00731EPSS
Exploits1References5Affected Software1
Veracode
Veracode
•added 2026/04/15 11:5 a.m.•8 views

Sensitive Information Disclosure

Vite is vulnerable to Sensitive Information Disclosure. The vulnerability is due to improper enforcement of file access restrictions in the dev server, which allows an attacker to bypass deny rules using crafted query parameters and access sensitive files...

8.2CVSS5.7AI score0.02095EPSS
Exploits1References10Affected Software1
Veracode
Veracode
•added 2026/04/15 10:38 a.m.•12 views

Improper Verification Of Cryptographic Signature

jsrsasign is vulnerable to Improper Verification of Cryptographic Signature. The vulnerability is due to insufficient validation of DSA domain parameters during signature verification, which allows an attacker to craft malicious parameters and forge valid signatures or certificates...

9.1CVSS5.7AI score0.00225EPSS
Exploits1References14Affected Software1
Veracode
Veracode
•added 2026/04/15 7:17 a.m.•7 views

Improper Access Control

github.com/mattermost/mattermost is vulnerable to improper access control. The vulnerability is due to insufficient restriction on the archived channel search API, which allows a guest user to discover archived public channels via the /api/v4/teams/teamid/channels/searcharchived endpoint...

4.3CVSS5.9AI score0.00188EPSS
Exploits0References3Affected Software2
Veracode
Veracode
•added 2026/04/15 6:46 a.m.•7 views

Improper Session Invalidation

github.com/usememos/memos is vulnerable to improper session invalidation. The vulnerability is due to access tokens not being revoked after a password change, which allows an attacker to retain unauthorized access using previously issued valid tokens...

7.5CVSS5.8AI score0.00278EPSS
Exploits1References5Affected Software1
Veracode
Veracode
•added 2026/04/15 6:38 a.m.•7 views

Improper Attestation Verification

github.com/evervault/evervault-go is vulnerable to improper attestation verification. The vulnerability is due to incomplete validation of attestation documents, which allows an attacker to bypass integrity checks and potentially make a client trust a compromised or unverified enclave operator...

8.7CVSS5.9AI score0.00134EPSS
Exploits1References5Affected Software1
Veracode
Veracode
•added 2026/04/15 6:19 a.m.•11 views

Improper Authentication And Authorization

kubevirt.io/kubevirt is vulnerable to improper authentication and authorization. The vulnerability is due to improper validation of the Common Name CN field in client TLS certificates during mTLS authentication, which allows an attacker to bypass RBAC controls by impersonating the Kubernetes API...

4.7CVSS6.8AI score0.00139EPSS
Exploits1References5Affected Software1
Veracode
Veracode
•added 2026/04/14 11:14 a.m.•8 views

Improper Neutralization

Soft Serve is vulnerable to improper neutralization. The vulnerability is due to insufficient sanitization of user-supplied inputs and git messages, which allows an attacker to inject malicious ANSI escape sequences and display misleading or fake terminal outputs such as alerts...

4.6CVSS5.8AI score0.00174EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2026/04/14 11:1 a.m.•10 views

Improper Certificate Validation

Apache Log4j Core is vulnerable to Improper Certificate Validation. The vulnerability is due to ignored hostname verification settings in TLS configuration, which allows an attacker to perform a man-in-the-middle attack by presenting a trusted certificate and intercepting secure communications...

6.3CVSS5.8AI score0.00395EPSS
Exploits0References7Affected Software1
Veracode
Veracode
•added 2026/04/14 10:41 a.m.•8 views

Log Injection

Apache Log4j Core is vulnerable to Log Injection. The vulnerability is due to improper handling of newline escaping caused by renamed configuration attributes in Rfc5424Layout, which allows an attacker to inject CRLF sequences into logs and manipulate log entries...

7.5CVSS5.7AI score0.00831EPSS
Exploits0References8Affected Software1
Veracode
Veracode
•added 2026/04/14 10:39 a.m.•10 views

Arbitrary File Read And Write

kubevirt.io/kubevirt is vulnerable to an Arbitrary file read and write. The vulnerability is due to a logic flaw in the hostDisk feature’s DiskOrCreate option, which allows an attacker to read and write arbitrary files owned by more privileged users on the host system...

8.5CVSS6AI score0.00227EPSS
Exploits1References5Affected Software1
Veracode
Veracode
•added 2026/04/14 8:20 a.m.•7 views

XML Injection

xmldom is vulnerable to an XML Injection. The vulnerability is due to improper handling of CDATA termination during serialization, which allows an attacker to inject malicious XML markup and manipulate the structure of the output...

7.5CVSS5.8AI score0.00472EPSS
Exploits0References9Affected Software2
Veracode
Veracode
•added 2026/04/14 7:58 a.m.•28 views

Denial Of Service (DoS)

Electron is vulnerable to Denial Of Service DoS. The vulnerability is due to improper handling of invalid clipboard image data leading to unchecked null bitmap usage, which allows an attacker to cause application crashes when malformed image data is processed...

3.3CVSS5.2AI score0.00144EPSS
Exploits0References8Affected Software1
Veracode
Veracode
•added 2026/04/14 7:49 a.m.•9 views

Authentication Bypass

github.com/kgateway-dev/kgateway is vulnerable to Authentication Bypass. The vulnerability is due to lack of authentication on the xDS port, which allows an attacker with network access to retrieve sensitive configuration data such as certificates, backend services, routing rules, and cluster...

5.3CVSS5.8AI score0.00154EPSS
Exploits0References7Affected Software1
Veracode
Veracode
•added 2026/04/14 7:35 a.m.•7 views

Server-Side Request Forgery (SSRF)

github.com/jon4hz/jellysweep is vulnerable to Server-Side Request Forgery SSRF. The vulnerability is due to improper validation of the URL parameter in the /api/images/cache endpoint, which allows an authenticated attacker to make the server download arbitrary content from attacker-controlled URL...

8.9CVSS5.9AI score0.00289EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2026/04/13 12:44 p.m.•7 views

Server-Side Request Forgery (SSRF)

Axios is vulnerable to Server-Side Request Forgery SSRF. The vulnerability is due to improper hostname normalization when evaluating NOPROXY rules, where crafted loopback addresses e.g., localhost. or ::1 bypass proxy exclusions and are routed through the proxy, allowing attackers to access...

9.9CVSS5.8AI score0.01161EPSS
Exploits1References44Affected Software1
Veracode
Veracode
•added 2026/04/13 12:10 p.m.•7 views

Denial Of Service

React Server Components is vulnerable to Denial of Service. The vulnerability is due to specially crafted HTTP requests to Server Function endpoints, where the payload of the HTTP request causes excessive CPU usage for up to a minute ending in a thrown error that is catchable...

7.5CVSS7.2AI score0.01551EPSS
Exploits4References8Affected Software4
Veracode
Veracode
•added 2026/04/13 11:14 a.m.•10 views

Header Injection

Axios is vulnerable to Header Injection. The vulnerability is due to the presence of a gadget chain that allows existing Prototype Pollution in dependent code to be escalated, enabling attackers to achieve remote code execution or access sensitive resources such as AWS IMDSv2 metadata...

9CVSS6.4AI score0.01815EPSS
Exploits5References44Affected Software1
Veracode
Veracode
•added 2026/04/13 10:8 a.m.•7 views

Cross-Namespace Secret Access

github.com/3scale-sre/marin3r is vulnerable to cross-namespace secret access. The vulnerability is due to insufficient RBAC enforcement in the DiscoveryServiceCertificate, which allows an attacker to bypass access controls and retrieve secrets from unauthorized namespaces...

8.7CVSS5.9AI score0.00197EPSS
Exploits0References4Affected Software1
Veracode
Veracode
•added 2026/04/13 6:51 a.m.•8 views

Prototype Pollution

LangSmith is vulnerable to Prototype Pollution. The vulnerability is due to an incomplete prototype pollution fix in its internally vendored lodash set utility, where the baseAssignValue function only guards against the proto key, but fails to prevent traversal via constructor.prototype, and...

9.8CVSS5.8AI score0.00313EPSS
Exploits1References3Affected Software1
Veracode
Veracode
•added 2026/04/11 5:36 a.m.•9 views

Command Injection

PraisonAIAgents is vulnerable to Command Injection. The vulnerability is due to passing user-controlled command strings directly to subprocess.run with shell=True without sanitization, which allows an attacker to execute arbitrary system commands through crafted inputs or malicious hook...

9.3CVSS5.8AI score0.00229EPSS
Exploits1References2Affected Software1
Veracode
Veracode
•added 2026/04/11 5:36 a.m.•11 views

Directory Traversal

PraisonAI is vulnerable to Directory Traversal. The vulnerability is due to unsafe extraction of archive files without validating member paths, which allows an attacker to overwrite arbitrary files outside the intended directory...

9.4CVSS5.5AI score0.00379EPSS
Exploits1References2Affected Software1
Veracode
Veracode
•added 2026/04/11 5:36 a.m.•7 views

Remote Code Execution (RCE)

stata-mcp is vulnerable to Remote Code Execution RCE. The vulnerability is due to insufficient validation of user-supplied Stata do-file content, which allows an attacker to inject and execute arbitrary commands...

9.8CVSS6.1AI score0.00557EPSS
Exploits0References5Affected Software1
Veracode
Veracode
•added 2026/04/11 5:36 a.m.•14 views

MLflow Is Vulnerable To Stored Cross-Site Scripting (XSS) Caused By Unsafe Parsing Of YAML-based MLmodel Artifacts In It

MLflow is vulnerable to Stored Cross-Site Scripting XSS caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface. An authenticated attacker can upload a malicious MLmodel file containing a payload that executes when another user views the artifact in the UI. This allows actio...

5.4CVSS5.8AI score0.00218EPSS
Exploits1Affected Software1
Veracode
Veracode
•added 2026/04/11 5:35 a.m.•11 views

Eval Injection

Agno is vulnerable to Eval Injection. The vulnerability is due to unsafe use of eval on the fieldtype parameter without proper validation, which allows an attacker to execute arbitrary Python code by manipulating input...

9.8CVSS5.8AI score0.00852EPSS
Exploits0References4Affected Software1
Veracode
Veracode
•added 2026/04/11 5:35 a.m.•13 views

Missing Authentication For Critical Function

marimo is vulnerable to Missing Authentication For Critical Function. The vulnerability is due to missing authentication validation in the /terminal/ws WebSocket endpoint, which allows an attacker to establish a shell and execute arbitrary system commands without authentication...

9.8CVSS8.1AI score0.95645EPSS
Exploits11References6Affected Software1
Veracode
Veracode
•added 2026/04/11 5:35 a.m.•13 views

MLflow Is Vulnerable To An Authorization Bypass Affecting The AJAX Endpoint

MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint used to download saved model artifacts. Due to missing access‑control validation, a user without permissions to a given experiment can directly query this endpoint and retrieve model artifacts they are not authorized to...

5.3CVSS5.8AI score0.00362EPSS
Exploits2Affected Software1
Veracode
Veracode
•added 2026/04/11 5:34 a.m.•14 views

Authentication Bypass

GenieACS is vulnerable to Authentication Bypass. The vulnerability is due to missing authentication checks in the NBI API endpoint, which allows an attacker to access the API without proper authorization...

7.5CVSS5.8AI score0.00438EPSS
Exploits2References3Affected Software1
Veracode
Veracode
•added 2026/04/11 5:33 a.m.•7 views

Authentication Bypass

ajenti.plugin.core is vulnerable to Authentication Bypass. The vulnerability is due to improper enforcement of password authentication when 2FA is enabled, which allows an attacker to bypass login controls and gain unauthorized access...

9.3CVSS5.8AI score0.00329EPSS
Exploits0References1Affected Software1
Veracode
Veracode
•added 2026/04/11 5:30 a.m.•13 views

Ajenti.plugin.core Has Race Conditions In 2FA

Impact If the 2FA was activated, it was possible during a short moment after the authentication of an user to bypass its authentication. Patches This is fixed in the version 0.112. Users should upgrade to this version as soon as possible...

9.1CVSS5.8AI score0.00232EPSS
Exploits0Affected Software1
Veracode
Veracode
•added 2026/04/11 5:30 a.m.•6 views

Server-Side Request Forgery (SSRF)

pyLoad is vulnerable to Server-Side Request Forgery SSRF. The vulnerability is due to missing validation of redirect targets during URL fetching, which allows an attacker to supply a crafted URL that redirects to internal resources and bypass SSRF protections...

9.3CVSS5.8AI score0.00279EPSS
Exploits1References2Affected Software1
Veracode
Veracode
•added 2026/04/11 5:30 a.m.•12 views

Arbitrary Code Execution

Lupa is vulnerable to Arbitrary Code Execution. The vulnerability is due to inconsistent enforcement of attributefilter when attributes are accessed via built-in functions like getattr and setattr, allowing attackers to bypass restrictions and potentially achieve arbitrary code execution...

10CVSS6.1AI score0.00613EPSS
Exploits1References6Affected Software1
Veracode
Veracode
•added 2026/04/11 5:26 a.m.•14 views

Pypdf: Manipulated XMP Metadata Entity Declarations Can Exhaust RAM

Impact An attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the XMP metadata. Patches This has been fixed in "pypdf==6.10.0" https://github.com/py-pdf/pypdf/releases/tag/6.10.0. Workarounds If you cannot upgrade yet, consider applying th...

6.9CVSS5.7AI score0.00423EPSS
Exploits0Affected Software1
Veracode
Veracode
•added 2026/04/11 5:22 a.m.•6 views

Improper Output Handling

Apache Log4j is vulnerable to Improper Output Handling. The vulnerability is due to JsonTemplateLayout generating invalid JSON when processing non-finite floating-point values e.g., NaN, Infinity, which are not compliant with RFC 8259, allowing attacker-controlled data in log events to produce...

7.5CVSS5.8AI score0.00555EPSS
Exploits0References8Affected Software1
Veracode
Veracode
•added 2026/04/11 5:13 a.m.•7 views

Denial Of Service (DoS)

Apache Cassandra is vulnerable to Denial Of Service DoS. The vulnerability is due to inefficient handling of repeated password change operations, which allows an attacker to trigger increased query latency and degrade system performance...

6.5CVSS5.8AI score0.00533EPSS
Exploits0References2Affected Software1
Veracode
Veracode
•added 2026/04/11 5:12 a.m.•6 views

Sensitive Information Disclosure

Apache Cassandra is vulnerable to Sensitive Information Disclosure. The vulnerability is due to storing sensitive data such as passwords in plaintext within the cqlsh history file, which allows an attacker with local access to read and retrieve sensitive information...

5.5CVSS5.8AI score0.00162EPSS
Exploits0References3Affected Software1
Total number of security vulnerabilities38468