Lucene search
+L
VeracodeRecent

38468 matches found

Veracode
Veracode
•added 2026/03/31 3:55 a.m.•29 views

Improper Authentication

github.com/1panel-dev/1panel is vulnerable to improper authentication.The vulnerability is due to improper server-side validation of a client-controlled parameter, which allows an unauthenticated attacker to bypass CAPTCHA protections and perform automated login attempts leading to potential...

7.5CVSS7.2AI score0.00405EPSS
Exploits0References4Affected Software2
Veracode
Veracode
•added 2026/03/30 8:46 a.m.•6 views

Server-Side Request Forgery (SSRF)

github.com/zitadel/zitadel is vulnerable to an unauthenticated full-read Server-Side Request Forgery SSRF. The vulnerability is due to improper trust of the x-zitadel-forward-host header in the Login UI V2, which allows an attacker to force the server to make arbitrary HTTP requests and read...

9.3CVSS7.2AI score0.0046EPSS
Exploits2References3Affected Software1
Veracode
Veracode
•added 2026/03/30 8:39 a.m.•5 views

DOM-Based Cross-Site Scripting (XSS)

github.com/zitadel/zitadel, is vulnerable to DOM-Based Cross-Site Scripting XSS. The vulnerability is due to improper validation of the postlogoutredirect parameter in the /logout endpoint, which allows an unauthenticated remote attacker to execute malicious JavaScript in users’ browsers...

8CVSS6AI score0.00265EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2026/03/30 6:49 a.m.•6 views

Race Condition

@auth0/nextjs-auth0 is vulnerable to a race condition. The vulnerability is due to improper lookup handling in the TokenRequestCache during simultaneous requests on the same client, which allows an attacker to exploit inconsistent token responses and potentially interfere with authentication flow...

5.4CVSS5.9AI score0.00178EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2026/03/30 4:38 a.m.•7 views

Denial Of Service (DoS)

github.com/quic-go/quic-go is vulnerable to a Denial Of Service DoS. The vulnerability is due to missing limits on the size of decoded HTTP/3 headers from QPACK-encoded HEADERS frames, which allows an attacker to send crafted requests with large header fields to trigger excessive memory allocatio...

5.3CVSS5.9AI score0.00338EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2026/03/28 5:32 a.m.•16 views

Rails Active Storage Has A Possible DoS Vulnerability In Proxy Mode Via Multi-range Requests

Impact Active Storage's proxy controller does not limit the number of byte ranges in an HTTP Range header. A request with thousands of small ranges causes disproportionate CPU usage compared to a normal request for the same file, possibly resulting in a DoS vulnerability. Releases The fixed...

6.5CVSS5.8AI score0.00434EPSS
Exploits0Affected Software1
Veracode
Veracode
•added 2026/03/28 5:32 a.m.•7 views

Path Traversal

Active Storage is vulnerable to Path Traversal. The vulnerability is due to Active Storage's DiskServicepathfor not validating that the resolved filesystem path remains within the storage root directory, where a blob key containing path traversal sequences e.g. ../ could allow reading, writing, o...

9.8CVSS6AI score0.00567EPSS
Exploits0References10Affected Software1
Veracode
Veracode
•added 2026/03/28 5:32 a.m.•22 views

Arbitrary Code Injection

Langflow is vulnerable to Arbitrary Code Injection. The vulnerability is due to the validation process dynamically executing LLM‑generated Python code via exec, where the validation routine runs the generated code and an attacker who can influence the model output can achieve arbitrary server‑sid...

9.9CVSS6.1AI score0.01426EPSS
Exploits1References17Affected Software1
Veracode
Veracode
•added 2026/03/28 5:31 a.m.•7 views

Remote Code Execution (RCE)

Indico is vulnerable to Remote Code Execution RCE. The vulnerability is due to improper sanitization of LaTeX input allowing bypass via crafted syntax, which allows an attacker to read local files or execute arbitrary code on the server when LaTeX rendering is enabled...

8.8CVSS6.3AI score0.00782EPSS
Exploits0References6Affected Software1
Veracode
Veracode
•added 2026/03/28 5:31 a.m.•10 views

Denial Of Service (DoS)

Active Support is vulnerable to Denial of Service. The vulnerability is due to the acceptance of strings containing scientific notation by Active Support number helpers, where the conversion of these strings to extremely large decimal representations can cause excessive memory allocation and CPU...

8.7CVSS5.9AI score0.0061EPSS
Exploits0References7Affected Software1
Veracode
Veracode
•added 2026/03/28 5:31 a.m.•7 views

Privilege Escalation

Signify is vulnerable to Privilege Escalation. The vulnerability is due to improper Authenticode signature validation in signeddata.py and context.py, where a remote attacker can escalate privileges via these components and exploit the vulnerability to gain elevated access...

8.8CVSS6AI score0.00343EPSS
Exploits0References6Affected Software1
Veracode
Veracode
•added 2026/03/28 5:31 a.m.•11 views

Cryptography Has Incomplete DNS Name Constraint Enforcement On Peer Names

Summary In versions of cryptography prior to 46.0.5, DNS name constraints were only validated against SANs within child certificates, and not the "peer name" presented during each validation. Consequently, cryptography would allow a peer named "bar.example.com" to validate against a wildcard leaf...

6.5CVSS6.7AI score0.00274EPSS
Exploits0Affected Software1
Veracode
Veracode
•added 2026/03/28 5:30 a.m.•4 views

Infinite Loop

pypdf is vulnerable to an Infinite Loop. The vulnerability is due to reading a file in non‑strict mode during dictionary recovery, where the DictionaryObject.readfromstream method can enter an infinite loop and an attacker can craft a PDF to trigger it...

8.2CVSS5.9AI score0.00455EPSS
Exploits0References4Affected Software1
Veracode
Veracode
•added 2026/03/28 5:29 a.m.•13 views

Deserialization Of Untrusted Data

Saloon is vulnerable to Deserialization Of Untrusted Data. The vulnerability is due to unsafe use of PHP’s unserialize with allowedclasses enabled when restoring OAuth token state, which allows an attacker to supply malicious serialized objects and trigger execution of arbitrary code via gadget...

9.8CVSS6.3AI score0.00622EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2026/03/28 5:29 a.m.•6 views

Server-side Template Injection

giskard-agents is vulnerable to server-side template injection. The vulnerability is due to the ChatWorkflow.chat method passing its string argument directly to a non‑sandboxed Jinja2 Environment, where the input string is treated as a template by inlineenv.fromstring and an attacker can supply...

8.8CVSS6.2AI score0.00611EPSS
Exploits1References2Affected Software1
Veracode
Veracode
•added 2026/03/28 5:29 a.m.•7 views

Improper Authorization

Langflow is vulnerable to an Improper Authorization. The vulnerability is due to improper access control in the readflow helper, which failed to enforce ownership validation when authentication was enabled, allowing an authenticated attacker to read, modify, or delete flows belonging to other...

8.8CVSS5.9AI score0.00468EPSS
Exploits0References5Affected Software2
Veracode
Veracode
•added 2026/03/28 5:29 a.m.•9 views

Session Hijacking

MCP Ruby SDK is vulnerable to Session Hijacking. The vulnerability is due to insufficient session binding, where an attacker who obtains a valid session ID can completely hijack the victim's Server-Sent Events SSE stream and intercept all real-time data...

8.2CVSS5.7AI score0.00465EPSS
Exploits1References8Affected Software1
Veracode
Veracode
•added 2026/03/28 5:29 a.m.•9 views

Cross Site Scripting

Active Support is vulnerable to Cross Site Scripting. The vulnerability is due to SafeBuffer% not propagating the @htmlunsafe flag to the newly created buffer, where a SafeBuffer is mutated in place and then formatted with % using untrusted arguments, and the result incorrectly reports htmlsafe? ...

6.1CVSS5.8AI score0.00327EPSS
Exploits0References7Affected Software1
Veracode
Veracode
•added 2026/03/28 5:29 a.m.•13 views

Improper Input Validation

activestorage is vulnerable to Improper Input Validation. The vulnerability is due to unescaped use of blob keys in Dir.glob within DiskServicedeleteprefixed, which allows an attacker to inject glob metacharacters and delete unintended files from the storage directory...

9.1CVSS5.9AI score0.00646EPSS
Exploits0References7Affected Software2
Veracode
Veracode
•added 2026/03/28 5:28 a.m.•7 views

Denial Of Service

Active Storage is vulnerable to Denial of Service. The vulnerability is due to the proxy controller loading the entire requested byte range into memory before sending it, where a request with a large or unbounded Range header could cause the server to allocate memory proportional to the file size...

8.7CVSS5.8AI score0.0061EPSS
Exploits0References7Affected Software1
Veracode
Veracode
•added 2026/03/28 5:28 a.m.•18 views

Remote Code Execution (RCE)

ruby-lsp is vulnerable to Remote Code Execution RCE. The vulnerability is due to unsanitized interpolation of the rubyLsp.branch setting into a generated Gemfile, which allows an attacker to inject malicious code that executes when a user opens a crafted project...

9.8CVSS6.1AI score0.00479EPSS
Exploits0References2Affected Software1
Veracode
Veracode
•added 2026/03/28 5:28 a.m.•8 views

Cross-Site Scripting

Home Assistant is vulnerable to Cross-Site Scripting. The vulnerability is due to an authenticated party adding a malicious name to their device entity, where the malicious name allows for Cross-Site Scripting attacks against anyone who can see a dashboard with a Map-card which includes that...

8.8CVSS5.2AI score0.00241EPSS
Exploits1References2Affected Software2
Veracode
Veracode
•added 2026/03/28 5:26 a.m.•8 views

Path Traversal

saloonphp/saloon is vulnerable to Path Traversal. The vulnerability is due to lack of validation of fixture names used in file path construction, which allows an attacker to manipulate paths and read or write arbitrary files outside the intended directory...

9.3CVSS6AI score0.00566EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2026/03/28 5:25 a.m.•10 views

Server-Side Request Forgery

pyLoad is vulnerable to Server-Side Request Forgery. The vulnerability is due to the download engine accepting arbitrary URLs without validation, where an authenticated attacker can exploit this to access internal network services and exfiltrate cloud provider metadata...

9.3CVSS5.8AI score0.00397EPSS
Exploits1References2Affected Software1
Veracode
Veracode
•added 2026/03/28 5:23 a.m.•8 views

Environment Variable Leak

changedetection.io is vulnerable to Environment Variable Leak. The vulnerability is due to the use of the jq env builtin in include filter expressions, where an authenticated user can leak sensitive environment variables including SALTEDPASS, PLAYWRIGHTDRIVERURL, HTTPPROXY, and any secrets passed...

8.3CVSS5.7AI score0.00475EPSS
Exploits1References3Affected Software1
Veracode
Veracode
•added 2026/03/28 5:23 a.m.•8 views

Cross-Site Scripting

Home Assistant is vulnerable to Cross Site Scripting. The vulnerability is due to the lack of output escaping or sanitization in the History-graph card, where an attacker can inject arbitrary tags that execute JavaScript by changing the name of a sensor to a malicious value...

8.8CVSS5.9AI score0.00202EPSS
Exploits1References3Affected Software2
Veracode
Veracode
•added 2026/03/28 5:22 a.m.•7 views

Arbitrary Code Injection

froxlor/froxlor is vulnerable to Arbitrary Code Injection. The vulnerability is due to improper validation of DNS record content in the DomainZones.add endpoint, which allows an attacker to inject malicious directives into zone files and manipulate DNS configuration...

8.8CVSS5.9AI score0.00544EPSS
Exploits1References3Affected Software1
Veracode
Veracode
•added 2026/03/28 5:21 a.m.•26 views

Server-Side Request Forgery (SSRF)

saloonphp/saloon is vulnerable to Server-Side Request Forgery SSRF. The vulnerability is due to improper validation of request endpoints allowing absolute URLs to override the base URL, which allows an attacker to redirect requests to malicious hosts and potentially exfiltrate sensitive data such...

8.7CVSS5.9AI score0.0042EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2026/03/28 5:20 a.m.•10 views

SQL Injection

wwbn/avideo is vulnerable to SQL Injection. The vulnerability is due to improper use of prepared statements where user-controlled input videosid is directly concatenated into the query, which allows an attacker to inject and execute arbitrary SQL commands...

8.8CVSS6.1AI score0.00509EPSS
Exploits1References2Affected Software1
Veracode
Veracode
•added 2026/03/28 5:17 a.m.•5 views

Cleartext Storage Of Sensitive Information

wwbn/avideo is vulnerable to Cleartext Storage of Sensitive Information. The vulnerability is due to storing video passwords in plaintext without encryption or hashing, which allows an attacker with database access to retrieve all passwords in cleartext...

9.1CVSS5.9AI score0.00152EPSS
Exploits1References3Affected Software1
Veracode
Veracode
•added 2026/03/28 5:15 a.m.•6 views

SQL Injection

wwbn/avideo is vulnerable to a SQL Injection. The vulnerability is due to direct interpolation of user-controlled input into SQL queries without parameterization in the fixCleanTitle method, which allows an attacker to inject and execute arbitrary SQL commands...

9.8CVSS6.1AI score0.00492EPSS
Exploits1References2Affected Software1
Veracode
Veracode
•added 2026/03/28 5:14 a.m.•6 views

Denial Of Service

Netty is vulnerable to Denial of Service. The vulnerability is due to the lack of a limit on the number of CONTINUATION frames in Netty's DefaultHttp2FrameReader, where an attacker can send a flood of CONTINUATION frames with zero-byte payloads, bypassing existing size-based mitigations and causi...

8.7CVSS5.9AI score0.01125EPSS
Exploits0References22Affected Software1
Veracode
Veracode
•added 2026/03/28 5:14 a.m.•5 views

OS Command Injection

sbt is vulnerable to OS Command Injection. The vulnerability is due to the lack of validation of the URI fragment, where a malicious fragment can execute arbitrary commands because cmd /c interprets &, |, and ; as command separators...

7.8CVSS6.1AI score0.00304EPSS
Exploits1References5Affected Software1
Veracode
Veracode
•added 2026/03/28 5:14 a.m.•9 views

Deserialization Of Untrusted Data

io.opentelemetry.javaagent:opentelemetry-javaagent is vulnerable to Deserialization Of Untrusted Data. The vulnerability is due to lack of serialization filtering in the RMI instrumentation endpoint, which allows an attacker with network access to send malicious serialized data and execute...

9.8CVSS6.3AI score0.00933EPSS
Exploits1References6Affected Software1
Veracode
Veracode
•added 2026/03/28 5:5 a.m.•9 views

Incorrect Authorization

Apache Artemis is vulnerable to Incorrect Authorization. The vulnerability is due to incorrect authorization, where an authenticated user with the 'createDurableQueue' permission but without the 'createAddress' permission can create a temporary address when attempting to create a non-durable JMS...

4.3CVSS5.2AI score0.0047EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2026/03/28 5:4 a.m.•7 views

Directory Traversal

Plexus-Utils is vulnerable to Directory Traversal. The vulnerability is due to a flaw in the extractFile method of org.codehaus.plexus.util.Expand, where an attacker can execute arbitrary code by exploiting the Directory Traversal vulnerability...

8.8CVSS6.2AI score0.00663EPSS
Exploits0References26Affected Software1
Veracode
Veracode
•added 2026/03/28 5:4 a.m.•6 views

Deserialization Of Untrusted Data

com.datadoghq:dd-java-agent is vulnerable to Deserialization of Untrusted Data. The vulnerability is due to unsafe deserialization of incoming data by a custom RMI endpoint without applying serialization filters, which allows a network-based attacker to exploit a gadget chain and potentially...

9.8CVSS6.4AI score0.00622EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2026/03/28 5:3 a.m.•8 views

Path Traversal

pf4j is vulnerable to Path Traversal. The vulnerability is due to improper handling of zip entry names, where a lack of proper path normalization and validation can allow directory traversal or Zip Slip attacks...

7.5CVSS5.9AI score0.00856EPSS
Exploits1References5Affected Software1
Veracode
Veracode
•added 2026/03/27 7:33 a.m.•8 views

Interpretation Conflict

github.com/traefik/traefik is vulnerable to Interpretation Conflict. The vulnerability is due to improper path normalization when handling Path, PathPrefix, or PathRegex matchers, which allows an attacker to use URL-encoded characters to bypass middleware and access unintended backend services...

6.9CVSS7.1AI score0.00344EPSS
Exploits1References6Affected Software1
Veracode
Veracode
•added 2026/03/27 5:49 a.m.•7 views

Cross-Site Request Forgery (CSRF)

github.com/1panel-dev/1panel is vulnerable to Cross-Site Request Forgery CSRF. The vulnerability is due to missing CSRF protections such as anti-CSRF tokens or Origin/Referer validation, which allows an attacker to craft a malicious webpage that triggers unauthorized panel name changes when a...

5.1CVSS5.9AI score0.00179EPSS
Exploits0References4Affected Software1
Veracode
Veracode
•added 2026/03/27 5:48 a.m.•7 views

Cross-Site Request Forgery (CSRF)

1Panel is vulnerable to Cross-Site Request Forgery CSRF. The vulnerability is due to missing CSRF protections such as anti-CSRF tokens or Origin/Referer validation in the port-change endpoint, which allows an attacker to trick an authenticated user into submitting a malicious request that changes...

7.1CVSS7.1AI score0.0015EPSS
Exploits0References4Affected Software1
Veracode
Veracode
•added 2026/03/27 5:48 a.m.•6 views

Cross-Site Request Forgery (CSRF)

github.com/1panel-dev/1panel is vulnerable to Cross-Site Request Forgery CSRF. The vulnerability is due to missing CSRF protections such as anti-CSRF tokens or Origin/Referer validation, which allows an attacker to trick an authenticated user into submitting a malicious request to change the...

7.1CVSS7.1AI score0.00133EPSS
Exploits0References4Affected Software1
Veracode
Veracode
•added 2026/03/27 5:30 a.m.•26 views

Denial Of Service (DoS)

github.com/envoyproxy/envoy is vulnerable to a Denial Of Service DoS. The vulnerability is due to a re-entry bug in the JwksFetcherImpl during failed remote JWKS fetching with multiple JWT tokens, which allows an attacker to trigger a crash by sending crafted requests that cause overlapping fetch...

6.5CVSS5.9AI score0.00497EPSS
Exploits1References2Affected Software1
Veracode
Veracode
•added 2026/03/27 5:16 a.m.•8 views

Cross Site Scripting(XSS)

github.com/xyproto/algernon is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to improper sanitization of filename inputs, which allows an attacker to inject a crafted payload and execute arbitrary code...

6.1CVSS6.1AI score0.00401EPSS
Exploits2References6Affected Software1
Veracode
Veracode
•added 2026/03/27 4:59 a.m.•8 views

Denial Of Service (DoS)

github.com/sigstore/timestamp-authority is vulnerable to Denial of Service DoS. The vulnerability is due to inefficient processing of untrusted input using string splitting in request parsing functions, which allows an attacker to send crafted inputs that trigger excessive memory allocations and...

7.5CVSS5.9AI score0.00411EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2026/03/26 12:26 p.m.•9 views

Protection Mechanism Failure

github.com/envoyproxy/envoy is vulnerable to Protection Mechanism Failure. The vulnerability is due to accepting and forwarding client data before a successful 2xx response in TCP proxy mode, which allows an attacker to cause desynchronization when upstream proxies reject the CONNECT request...

5.3CVSS5.9AI score0.00282EPSS
Exploits0References2Affected Software1
Veracode
Veracode
•added 2026/03/26 11:22 a.m.•7 views

Denial Of Service (DoS)

github.com/sigstore/fulcio is vulnerable to Denial of Service DoS. The vulnerability is due to inefficient handling of untrusted input in the extractIssuerURL function, which allows an attacker to supply a token with excessive period characters to trigger high memory allocations and degrade servi...

7.5CVSS6.8AI score0.00191EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2026/03/26 11:0 a.m.•7 views

Inadequate Encryption Strength

github.com/cloudflare/gokey is vulnerable to Inadequate Encryption Strength. The vulnerability is due to flawed seed decryption logic that uses only limited entropy from the initialization vector and authentication tag, which allows an attacker with access to the seed file to derive generated...

7.1CVSS5.9AI score0.00145EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2026/03/26 10:18 a.m.•6 views

Improper Access Control

mautic/core is vulnerable to Improper Access Control. The vulnerability is due to missing enforcement of update settings restrictions, which allows a low-privileged user to install or remove arbitrary packages and execute malicious code for privilege escalation...

9CVSS6.1AI score0.00215EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2026/03/26 8:45 a.m.•8 views

Cross-site Scripting (XSS)

Angular is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to internationalization of security-sensitive attributes bypassing Angular’s sanitization when combined with untrusted data binding, which allows an attacker to inject malicious scripts...

9CVSS6AI score0.00339EPSS
Exploits0References8Affected Software2
Total number of security vulnerabilities38468