Path Traversal
Werkzeug is vulnerable to Path Traversal. The vulnerability is due to the safe_join function allowing Windows special device names as filenames if preceded by other path segments, where the function send_from_directory uses safe_join to safely serve files at user-specified paths under a directory and...
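The device-name failure mode above (and the path-concatenation traversals listed further down for the Home Assistant Downloader integration and Umbraco Forms) is easiest to see in a small join function. The following is an added illustration, not Werkzeug's own safe_join: a deliberately weak variant that validates the device-name rule only on the first segment, next to a hardened variant that checks every segment and also refuses the characters that only carry meaning on Windows. It uses posixpath so it behaves identically on every platform; the "static" directory and file names are constructed for the example.

```python
import posixpath
import re

# Names that Windows treats as devices wherever they appear in a path,
# with or without an extension (CON, nul.txt, COM1.log, ...).
_WINDOWS_DEVICE = re.compile(r"^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])(\..*)?$", re.IGNORECASE)


def _segments(filename):
    """Normalise a user-supplied relative path and split it into components."""
    return [s for s in posixpath.normpath(filename).split("/") if s not in ("", ".")]


def safe_join_naive(directory, filename):
    """Deliberately weak join (illustration): absolute paths and '..' are blocked,
    but the device-name rule is applied to the first segment only, so a name
    such as 'sub/CON' is accepted and later opened as the console device."""
    segs = _segments(filename)
    if filename.startswith("/") or ".." in segs:
        return None
    if segs and _WINDOWS_DEVICE.match(segs[0]):
        return None
    return posixpath.join(directory, *segs)


def safe_join_hardened(directory, filename):
    """Every segment is checked against the device list, and characters that
    only mean something to Windows (backslash separators, drive or alternate
    data stream colons) are rejected outright, on every platform."""
    segs = _segments(filename)
    if filename.startswith("/") or "\\" in filename or ":" in filename or ".." in segs:
        return None
    if any(_WINDOWS_DEVICE.match(s) for s in segs):
        return None
    return posixpath.join(directory, *segs)
```

Rejecting device names on non-Windows hosts as well costs nothing and keeps behaviour identical across deployments; the check belongs in the join helper, not in each caller.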
Deserialization Of Untrusted Data
Apache Camel is vulnerable to Deserialization of Untrusted Data. The vulnerability is due to the DefaultLevelDBSerializer class deserializing data using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions, which allows an attacker to inject a crafted...
SQL Injection
LibreNMS is vulnerable to SQL Injection. The vulnerability is due to improper input sanitization and lack of parameterization in the IPv6 address search logic, where the prefix value is directly concatenated into the SQL query string without validation, and attackers can inject arbitrary SQL...
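The concatenation pattern described above, shown in a self-contained form. This is an added example and not LibreNMS code: an in-memory SQLite inventory (constructed) with a prefix search built by string concatenation next to the same search using a bound parameter. The UNION payload is the classic way an attacker turns a LIKE prefix search into a read of another table.

```python
import sqlite3

# Constructed sample data standing in for a network inventory and its users table.
def build_inventory():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE ipv6_networks (id INTEGER PRIMARY KEY, ipv6_network TEXT)")
    con.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    con.executemany("INSERT INTO ipv6_networks (ipv6_network) VALUES (?)",
                    [("2001:db8::/32",), ("2001:db8:1::/48",), ("fd00::/8",)])
    con.execute("INSERT INTO users VALUES ('admin', '$2y$10$constructed-hash')")
    return con


# Attacker-controlled prefix: closes the string literal, appends a UNION that
# reads the users table, and comments out the trailing %' of the original query.
PAYLOAD = "' UNION SELECT username || ':' || password_hash FROM users -- "


def search_vulnerable(con, prefix):
    """Prefix is spliced into the SQL text, so its quote and keywords become SQL."""
    sql = "SELECT ipv6_network FROM ipv6_networks WHERE ipv6_network LIKE '" + prefix + "%'"
    return [row[0] for row in con.execute(sql)]


def search_parameterized(con, prefix):
    """The value travels as a bound parameter; the driver never parses it as SQL.
    LIKE metacharacters are escaped too, so '%' or '_' in the input cannot widen the match."""
    escaped = prefix.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = "SELECT ipv6_network FROM ipv6_networks WHERE ipv6_network LIKE ? ESCAPE '\\'"
    return [row[0] for row in con.execute(sql, (escaped + "%",))]
```

Parameterisation fixes the injection; the LIKE escaping is the separate, smaller issue of a user-supplied `%` matching everything, which a parameter alone does not prevent.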
Authentication Bypass
Apache Tomcat is vulnerable to Authentication Bypass. The vulnerability is due to improper validation between the TLS SNI hostname and the HTTP Host header, allowing a client to send mismatched hostnames and bypass client certificate authentication in configurations with multiple virtual hosts...
Remote Code Execution (RCE)
mchange-commons-java is vulnerable to Remote Code Execution RCE. The vulnerability is due to its independent JNDI dereferencing implementation allowing remote factoryClassLocation values, which can cause the application to download and execute attacker-controlled code when processing a malicious...
Missing Cryptographic Key Commitment
Amazon.Extensions.S3.Encryption is vulnerable to Missing Cryptographic Key Commitment. The vulnerability is due to lack of cryptographic key commitment when storing encrypted data keys in instruction files instead of S3 metadata, which allows an attacker with write access to the bucket to introdu...
Denial Of Service (DoS)
org.bitbucket.bc:jose4j is vulnerable to a Denial-of-Service DoS. The vulnerability is due to improper handling of highly compressed JSON Web Encryption JWE tokens, which allows an attacker to supply a malicious token with an excessive compression ratio that triggers significant memory allocation...
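The memory-allocation problem in the entry above is generic to any JWE implementation that inflates the "zip":"DEF" member before checking how large the plaintext will be. The following added example (not jose4j, which is Java; this is the same check written in Python against the standard zlib module) builds a constructed raw-DEFLATE bomb and contrasts an unbounded inflate with one that caps the plaintext size before allocating it. The 256 KiB limit is an assumed policy value.

```python
import zlib

MAX_PLAINTEXT = 256 * 1024   # assumed policy: reject any JWE plaintext larger than this


def deflate(plaintext):
    """Raw DEFLATE (negative wbits), the encoding a JWE with "zip":"DEF" carries."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(plaintext) + c.flush()


def make_bomb(size=32 * 1024 * 1024):
    """Constructed payload: tens of megabytes of zeros shrink to a few kilobytes."""
    return deflate(b"\0" * size)


def inflate_naive(data):
    """What a parser does when it trusts the compression ratio: it materialises everything."""
    return zlib.decompress(data, -15)


def inflate_bounded(data, limit=MAX_PLAINTEXT):
    """Inflate at most limit+1 bytes. A bomb is rejected after limit+1 bytes have
    been produced, so memory use is bounded by the policy rather than by the attacker."""
    d = zlib.decompressobj(-15)
    out = d.decompress(data, limit + 1)
    if len(out) > limit or d.unconsumed_tail or not d.eof:
        raise ValueError("compressed payload exceeds the plaintext limit or is truncated")
    return out
```

The `unconsumed_tail` and `eof` checks matter: without them a stream that stops exactly at the limit, or one that is truncated, would be accepted as complete.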
Improper Configuration Control
weblate is vulnerable to improper configuration control. The vulnerability is due to the ability to remotely overwrite Git configuration, which allows an attacker to modify repository behavior and potentially manipulate project operations...
XML External Entity (XXE)
biopython is vulnerable to XML External Entity XXE. The vulnerability is due to improper handling of XML doctype declarations, which allows an attacker to inject malicious external entities and potentially read local files or access internal resources...
Arbitrary File Read
Weblate is vulnerable to arbitrary file read. The vulnerability is due to improper handling of crafted symbolic links in repositories, which allows an attacker to read arbitrary files from the server file system...
Denial Of Service (DoS)
Nodemailer is vulnerable to a denial of service DoS. The vulnerability is due to improper handling of a crafted email address header that triggers infinite recursion in the address parser, which allows an attacker to exhaust resources and disrupt service availability...
Unauthorized Code Execution
nbconvert is vulnerable to unauthorized code execution. The vulnerability is due to improper handling of SVG-to-PDF conversion on Windows where a malicious inkscape.bat file in the working directory can be executed, which allows an attacker to run arbitrary code when a user performs the conversio...
Time-of-Check-Time-of-Use (TOCTOU) Race Condition
filelock is vulnerable to a Time-of-Check-Time-of-Use TOCTOU race condition. The vulnerability is due to improper file existence checking before opening lock files with truncation, which allows an attacker to exploit a symlink race and corrupt or truncate arbitrary files...
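The check-then-open race above, reproduced deterministically. This is an added example, not filelock's code: the weak acquire performs an existence check and then opens with truncation, with a hook that stands in for the attacker winning the window between the two; the hardened acquire does a single atomic open with O_NOFOLLOW and no O_TRUNC, then confirms that the descriptor it holds is the same regular file that the directory entry names. The victim file and lock path are constructed in a temporary directory.

```python
import os
import stat
import tempfile


def acquire_naive(lock_path, race=None):
    """Check, then open with truncation. The gap is the race window; open(..., 'w')
    follows whatever symlink was planted there and truncates its target."""
    if os.path.exists(lock_path):
        raise RuntimeError("lock held")
    if race is not None:
        race()                      # simulates the attacker winning the window
    with open(lock_path, "w"):      # O_CREAT | O_TRUNC, follows symlinks
        pass


def acquire_hardened(lock_path):
    """One atomic open: never follow a symlink, never truncate. On platforms
    without O_NOFOLLOW the fstat/lstat comparison still catches a symlink."""
    flags = os.O_CREAT | os.O_RDWR | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(lock_path, flags, 0o644)
    try:
        st_fd, st_path = os.fstat(fd), os.lstat(lock_path)
        if (stat.S_ISLNK(st_path.st_mode) or not stat.S_ISREG(st_fd.st_mode)
                or (st_fd.st_ino, st_fd.st_dev) != (st_path.st_ino, st_path.st_dev)):
            raise RuntimeError("refusing lock file: not the regular file we opened")
    except BaseException:
        os.close(fd)
        raise
    return fd


def demo():
    """Runs both variants against a planted symlink and reports what happened."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.txt")
        lock = os.path.join(d, "app.lock")
        with open(victim, "w") as f:
            f.write("important data\n")

        acquire_naive(lock, race=lambda: os.symlink(victim, lock))
        naive_truncated = os.path.getsize(victim) == 0

        with open(victim, "w") as f:   # restore the victim; the symlink stays planted
            f.write("important data\n")
        try:
            os.close(acquire_hardened(lock))
            hardened_refused = False
        except (OSError, RuntimeError):
            hardened_refused = True
        return {"naive_truncated": naive_truncated,
                "hardened_refused": hardened_refused,
                "victim_intact": os.path.getsize(victim) > 0}
```

The general rule: never let the existence of a path decide how you open it; let the open flags (O_CREAT without O_TRUNC, O_NOFOLLOW, O_EXCL where a fresh file is required) enforce the invariant atomically.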
Cross-site Scripting (XSS)
Orejime is vulnerable to cross-site scripting XSS. The vulnerability is due to Orejime converting data- attributes into active attributes e.g., data-href → href without sanitization, which allows an attacker to execute malicious javascript: URLs if they can inject HTML into the page...
Regular Expression Denial Of Service (ReDoS)
@fedify/fedify is vulnerable to Regular Expression Denial of Service ReDoS. The vulnerability is due to nested quantifiers in the HTML parsing regex within the document loader, which allows an attacker to trigger catastrophic backtracking by sending specially crafted HTML responses...
Regular Expression Denial Of Service (ReDoS)
PyMdown Extensions is vulnerable to Regular Expression Denial of Service ReDoS. The vulnerability is due to inefficient regular expression processing in the pymdownx.blocks.caption extension, which allows an attacker to supply crafted input that triggers excessive processing time and causes the...
OS Command Injection
systeminformation is vulnerable to OS Command Injection. The vulnerability is due to direct concatenation of the user-supplied drive parameter into a PowerShell command in the fsSize function without proper sanitization, which allows an attacker to execute arbitrary commands on Windows systems wh...
Server-Side Request Forgery (SSRF)
Parse Server is vulnerable to Server-Side Request Forgery SSRF. The vulnerability is due to allowing clients to supply a custom apiURL parameter in the Instagram authentication adapter, which allows an attacker to redirect authentication requests to malicious endpoints and potentially bypass...
Prototype Pollution
@trpc/server is vulnerable to Prototype Pollution. The vulnerability is due to improper handling of FormData field names in the formDataToObject function, which allows an attacker to submit specially crafted fields that pollute Object.prototype and potentially cause authorization bypass or denial...
Server-Side Request Forgery (SSRF)
local-deep-research is vulnerable to Server-Side Request Forgery SSRF. The vulnerability is due to the download service using raw requests.get without applying SSRF protections, which allows an attacker to submit malicious URLs to access internal services, cloud metadata endpoints, or perform...
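The "SSRF protections" that the entry above says are missing amount to a destination check performed before any request is made. The following added example (not local-deep-research's code, and the same check applies to the Parse Server apiURL entry above and the Indico entry below) validates a URL's scheme, rejects embedded credentials, resolves the host and refuses any address that is not globally routable, which covers loopback, RFC 1918, link-local including 169.254.169.254, and IPv4-mapped IPv6 forms. Only standard-library modules are used; the sample URLs are constructed, and 8.8.8.8 serves merely as a known public address.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def resolve_targets(host):
    """All addresses the host name maps to. IP literals need no DNS, so the
    demo runs offline; names go through getaddrinfo and every answer is checked."""
    try:
        return [ipaddress.ip_address(host.strip("[]"))]
    except ValueError:
        pass
    return list({ipaddress.ip_address(info[4][0]) for info in socket.getaddrinfo(host, None)})


def is_public_address(ip):
    """Globally routable unicast only. Unwrap ::ffff:a.b.c.d so a mapped
    loopback or metadata address is judged by its IPv4 meaning."""
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    return ip.is_global and not ip.is_multicast


def check_url(url):
    """Return the URL unchanged if it may be fetched, else raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("missing host")
    if parts.username or parts.password:
        raise ValueError("credentials embedded in URL are not allowed")
    for ip in resolve_targets(parts.hostname):
        if not is_public_address(ip):
            raise ValueError(f"{parts.hostname} resolves to non-public address {ip}")
    return url


def is_safe_url(url):
    try:
        check_url(url)
        return True
    except ValueError:
        return False
```

Two caveats a reviewer would raise: the HTTP client must not follow redirects to a destination that was never checked (re-run check_url on each hop, or disable redirects), and because the client re-resolves the name at connect time, a rebinding DNS server can defeat a check-then-fetch sequence; the robust form connects to the validated IP and sets the Host header and SNI explicitly.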
Arbitrary File Upload
Cadmium CMS is vulnerable to an Arbitrary File Upload. The vulnerability is due to insufficient validation and restriction in the /admin/content/filemanager/uploads functionality, which allows an attacker to upload malicious files and potentially execute arbitrary code on the server...
Remote Code Execution (RCE)
Apache Airflow is vulnerable to Remote Code Execution RCE. The vulnerability is due to improper validation in the /api/v2/dagReports endpoint, which allows an attacker to execute DAG code in the context of the API server when DAG files are accessible in the deployment environment...
Directory Traversal
homeassistant is vulnerable to Directory Traversal. The vulnerability is due to insufficient validation of file paths during concatenation in the Downloader integration, which allows an attacker to manipulate paths and access unintended files...
Server-Side Request Forgery (SSRF)
httparty is vulnerable to Server-Side Request Forgery SSRF. The vulnerability is due to improper request validation which allows an attacker to manipulate requests and access internal services or expose sensitive data such as API keys...
Insecure Direct Object Reference (IDOR)
pretix is vulnerable to Insecure Direct Object Reference IDOR. The vulnerability is due to improper authorization checks on file access endpoints, which allows an attacker to retrieve sensitive files of other users by supplying a known UUID...
Server-Side Request Forgery (SSRF)
Cowrie is vulnerable to Server-Side Request Forgery SSRF. The vulnerability is due to the wget and curl emulation making real outbound HTTP requests without rate limiting, which allows an attacker to repeatedly trigger requests and abuse the honeypot to generate denial-of-service traffic toward...
XML External Entity (XXE)
fast-xml-parser is vulnerable to XML External Entity XXE. The vulnerability is due to improper restriction of entity expansion in the XML parser, which allows an attacker to supply a crafted XML with excessive entity definitions causing resource exhaustion and denial of service by forcing the...
Insecure Direct Object Reference (IDOR)
spree_api is vulnerable to Insecure Direct Object Reference IDOR. The vulnerability is due to improper ownership validation in the guest checkout flow, which allows an attacker to manipulate address ID parameters and bind arbitrary guest addresses to their order...
Pretix Unsafely Evaluates Variables In Emails
Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when "name" is used in an email template, it will be replaced with the buyer's name for the final email. This mechanism contained two security-relevant bugs: - It was possible to exfiltrate...
Authorization Bypass
askbot is vulnerable to Authorization Bypass. The vulnerability is due to an incomplete permissions check, where an attacker authenticated with normal user permissions can modify the profile picture of other application users...
Subgroup Attack
cryptography is vulnerable to a Subgroup Attack. The vulnerability is due to missing validation of the point belonging to the expected prime-order subgroup of the curve, where an attacker can provide a public key point P from a small-order subgroup and this can lead to security issues in various...
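The missing check in the entry above is subgroup membership: a public value must be verified to lie in the prime-order subgroup before it is used in a key agreement. The elliptic-curve form of the check is "P is on the curve and [n]P is the point at infinity" for the curve order n; the following added example (not the cryptography library's code) shows the same check in its finite-field Diffie-Hellman form, where it is short enough to read in full: p = 2q + 1 with q prime, honest values have order q, and y passes only if 1 < y < p-1 and y^q = 1 (mod p). The parameters p = 23, q = 11 are toy values chosen so the arithmetic can be followed by hand; shared_secret_space enumerates what an attacker who submits a small-order value can learn.

```python
def is_valid_public_value(y, p, q):
    """Accept y only if it lies in the order-q subgroup of Z_p^*.
    Rejects 0, 1 and p-1 (orders 1 and 2) and any element of the full group
    whose order is not q."""
    if not 1 < y < p - 1:
        return False
    return pow(y, q, p) == 1


def shared_secret_space(y, p):
    """Every value y^x mod p can take as the private exponent x ranges over the
    group. For a small-order y this set is tiny, so the victim's shared secret
    (and hence anything keyed from it) leaks x modulo the small order."""
    return {pow(y, x, p) for x in range(1, p)}


# Toy safe-prime parameters: p = 2q + 1, generator g of order q.
P, Q, G = 23, 11, 2


def demo():
    honest = G                      # order 11
    small_order = P - 1             # -1 mod p, order 2
    wrong_subgroup = 5              # order 22: in the group, not in the q-subgroup
    return {
        "honest_accepted": is_valid_public_value(honest, P, Q),
        "small_order_rejected": not is_valid_public_value(small_order, P, Q),
        "wrong_subgroup_rejected": not is_valid_public_value(wrong_subgroup, P, Q),
        "secrets_from_small_order": shared_secret_space(small_order, P),
        "secrets_from_honest": len(shared_secret_space(honest, P)),
    }
```

The exponentiation costs one modular power per received key, which is negligible next to the key agreement itself; the libraries that skip it usually do so because the check was assumed to happen at a different layer.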
Out-of-bounds Write
Pillow is vulnerable to Out-of-Bounds Write. The vulnerability is due to improper handling of specially crafted PSD image files, which allows an attacker to trigger memory corruption during image processing...
Server-Side Request Forgery
Indico is vulnerable to Server-Side Request Forgery. The vulnerability is due to Indico making outgoing requests to user-provided URLs in various places, where users can access special targets such as localhost or cloud metadata endpoints, and attackers can exploit this to access sensitive data...
Keras Has A Local File Disclosure Via HDF5 External Storage During Keras Weight Loading
Summary TensorFlow / Keras continues to honor HDF5 "external storage" and "ExternalLink" features when loading weights. A malicious ".weights.h5" or a ".keras" archive embedding such weights can direct "load_weights" to read from an arbitrary readable filesystem path. The bytes pulled from that pa...
Cross Site Scripting
distributed is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to improper handling of user-controlled input in the Dask dashboard when accessed via Jupyter Lab and jupyter-server-proxy, allowing attackers to craft a malicious URL that triggers script execution and results in...
Remote Code Execution (RCE)
agpt Platform is vulnerable to Remote Code Execution RCE. The vulnerability is due to improper validation in block execution endpoints that allow execution of disabled blocks by UUID without checking the disabled flag, which allows an authenticated attacker to execute the BlockInstallationBlock,...
Infinite Loop
pypdf is vulnerable to Infinite Loop. The vulnerability is present in versions prior to 6.6.2, where an attacker can craft a PDF which leads to an infinite loop by accessing the outlines/bookmarks...
Remote Code Execution (RCE)
craftcms/cms is vulnerable to Remote Code Execution RCE. The vulnerability is due to improper sanitization of user-supplied configuration data in the assembleLayoutFromPost function before passing it to Craft::createObject, which allows an authenticated administrator to inject malicious Yii2...
Cross-site Request Forgery (CSRF)
alextselegidis/easyappointments is vulnerable to Cross-Site Request Forgery CSRF. The vulnerability is due to CSRF protection being enforced only for POST requests while state-changing actions accept GET parameters, which allows an attacker to perform unauthorized administrative actions through...
LDAP Injection
Moonraker is vulnerable to LDAP search filter injection. The vulnerability is due to the lack of proper input validation in the login endpoint, where an attacker can inject malicious LDAP search filters, allowing for brute force methods to discover LDAP entries on the server such as user IDs and...
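A login endpoint that builds the LDAP search filter from the submitted username must escape the filter metacharacters of RFC 4515 in the assertion value; otherwise a username such as a* becomes a wildcard and the server enumerates entries for the attacker. The following added example (not Moonraker's code) shows a filter built by plain interpolation next to one that escapes the value first. The objectClass and uid attribute names are assumptions chosen for the illustration.

```python
# Characters with special meaning inside an LDAP search filter (RFC 4515 section 3).
_FILTER_SPECIALS = "\\*()\x00"


def escape_ldap_filter_value(value):
    """Escape an assertion value for use inside a search filter.
    Each special character becomes a backslash followed by its two-hex-digit code."""
    return "".join("\\%02x" % ord(ch) if ch in _FILTER_SPECIALS else ch for ch in value)


def build_filter_vulnerable(username):
    """Interpolates the raw username: '*' and ')(' are interpreted as filter syntax."""
    return "(&(objectClass=person)(uid=%s))" % username


def build_filter_safe(username):
    """The username is data: a literal '*' in it matches only a literal '*' in the entry."""
    return "(&(objectClass=person)(uid=%s))" % escape_ldap_filter_value(username)


def demo():
    """Two constructed attacker inputs: a wildcard probe and an operator injection."""
    return {
        "wildcard_vulnerable": build_filter_vulnerable("a*"),
        "wildcard_safe": build_filter_safe("a*"),
        "inject_vulnerable": build_filter_vulnerable("*)(|(uid=*"),
        "inject_safe": build_filter_safe("*)(|(uid=*"),
    }
```

Filter escaping is distinct from distinguished-name escaping (RFC 4514, different character set); a value that ends up in a DN for a bind must be escaped by the DN rules instead. Rate limiting and a fixed response time for unknown users close the remaining enumeration channel.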
Path Traversal
Umbraco Forms is vulnerable to Path Traversal. The vulnerability is due to insufficient validation of file paths, where an authenticated backoffice-user can enumerate and traverse paths/files on the system's filesystem and read their contents, particularly on Mac/Linux Umbraco installations using...
Arbitrary Code Execution
logback-core is vulnerable to Arbitrary Code Execution ACE. The vulnerability is due to unsafe configuration file processing that allows instantiation of arbitrary classes present on the application classpath, where an attacker with write access to the logback configuration file can cause malicio...
XML External Entity (XXE)
org.assertj, assertj-core is vulnerable to XML External Entity XXE. The vulnerability is due to the DocumentBuilderFactory in org.assertj.core.util.xml.XmlStringPrettyFormatter.toXmlDocumentString being initialized with default settings without disabling DTDs or external entities, which allows an...
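The three XML entries on this page (biopython's doctype handling, fast-xml-parser's unbounded entity expansion, and the assertj DocumentBuilderFactory left at its defaults) are all the same policy gap: untrusted XML was parsed with DOCTYPE processing enabled. The fix in any parser is to refuse DOCTYPEs from untrusted sources, which removes both external entities and internal entity bombs at once. The following added example (not the code of any of those projects; it uses Python's standard expat binding) installs handlers that abort parsing on a DOCTYPE, an entity declaration or an external entity reference. The three sample documents are constructed.

```python
import xml.parsers.expat


class UntrustedXMLError(ValueError):
    """Raised when untrusted XML uses a feature the policy forbids."""


def parse_untrusted_xml(document):
    """Parse XML from an untrusted source with DOCTYPEs (and therefore all entity
    declarations) and external entity references refused. Returns (root_tag, n_elements)."""
    parser = xml.parsers.expat.ParserCreate()
    seen = {"root": None, "elements": 0}

    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        raise UntrustedXMLError("DOCTYPE declarations are not accepted")

    def forbid_entity(*_):
        raise UntrustedXMLError("entity declarations are not accepted")

    def forbid_external(context, base, system_id, public_id):
        raise UntrustedXMLError("external entity references are not accepted")

    def on_start(name, attrs):
        seen["elements"] += 1
        if seen["root"] is None:
            seen["root"] = name

    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.EntityDeclHandler = forbid_entity          # defence in depth behind the DOCTYPE rule
    parser.ExternalEntityRefHandler = forbid_external
    parser.StartElementHandler = on_start
    parser.Parse(document, True)
    return seen["root"], seen["elements"]


def accepts(document):
    try:
        parse_untrusted_xml(document)
        return True
    except UntrustedXMLError:
        return False


# Constructed samples: a benign record, a file-read XXE probe, and an entity-expansion bomb.
BENIGN = "<record><id>1</id><seq>ACGT</seq></record>"
XXE = ('<?xml version="1.0"?><!DOCTYPE r [<!ENTITY x SYSTEM "file:///etc/passwd">]>'
       "<r>&x;</r>")
BOMB = ('<?xml version="1.0"?><!DOCTYPE r [<!ENTITY a "aaaaaaaaaa">'
        '<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">'
        '<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">]><r>&c;</r>')
```

Raising from inside the handler stops expat before any entity text is expanded, so the bomb is rejected at the declaration rather than after the allocation. For the Java case in the entry above, the equivalent is setting the `http://apache.org/xml/features/disallow-doctype-decl` feature to true on the DocumentBuilderFactory before parsing.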
Unsafe Deserialization
Scapy is vulnerable to unsafe deserialization. The vulnerability is due to insecure handling of serialized session files, which allows an attacker to execute arbitrary code by tricking a user into loading a malicious session file via the -s option...
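A session file restored with an unrestricted deserializer reconstructs whatever callables the file names, which is how the Scapy entry above (and, in the Java world, the Apache Camel ObjectInputStream entry near the top of this list) turns a file into code execution. The following added example (not Scapy's session code) shows the standard-library mitigation for pickle: an Unpickler whose find_class admits only an allow-list of globals, so a stream that references os.system is rejected before anything is called. The malicious object and the benign session dictionary are constructed for the example; the malicious stream is never fed to plain pickle.loads here.

```python
import importlib
import io
import os
import pickle

# Only these globals may be reconstructed from an untrusted stream. Anything
# else (os.system, subprocess.Popen, builtins.eval, ...) is refused.
ALLOWED_GLOBALS = {
    ("builtins", "set"), ("builtins", "frozenset"), ("builtins", "range"),
    ("builtins", "slice"), ("builtins", "complex"), ("builtins", "bytearray"),
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return getattr(importlib.import_module(module), name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


class MaliciousSession:
    """Constructed attacker object: its pickle records a call to os.system, which
    the default pickle.loads would execute on the victim's machine when loaded."""
    def __reduce__(self):
        return (os.system, ("id",))


def load_session(data, trusted=False):
    """Use plain pickle only for files this process wrote itself; everything
    received from elsewhere goes through the allow-list."""
    if trusted:
        return pickle.loads(data)
    return restricted_loads(data)


def is_rejected(data):
    try:
        restricted_loads(data)
        return False
    except pickle.UnpicklingError:
        return True
```

The allow-list removes code execution but not resource exhaustion: a stream can still build deeply nested or very large objects, so a size cap on the file is the companion control. Where the format is under your control, a non-executable serialisation (JSON, a length-prefixed binary schema) avoids the problem entirely.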
Cross Site Scripting (XSS)
Agora is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to improper input handling of the topicName parameter in client/agora/public/js/editorManager.js, which allows an attacker to inject malicious scripts that execute in a user’s browser...
Cross Site Scripting (XSS)
Agora is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to insufficient file type validation in profile picture uploads, which allows an attacker to upload malicious content that executes scripts when rendered...
Cross Site Scripting (XSS)
Agora is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to improper input sanitization in the tag handling within client/agora/public/js/editorManager.js, which allows an attacker to inject malicious scripts that execute in a user’s browser...
CRLF Injection
Litestar is vulnerable to CRLF Injection. The vulnerability is due to unescaped URL paths during exception logging, which allows an attacker to inject newline characters and forge or manipulate log entries...
Command Injection
Apache Airflow is vulnerable to Command Injection. The vulnerability is due to a non-validated parameter in the example_dag_decorator example DAG, which allows an attacker to redirect execution to a malicious server and execute arbitrary code on a worker when example DAGs are enabled...
Cross-site Request Forgery (CSRF)
fastapi-sso is vulnerable to Cross-Site Request Forgery CSRF. The vulnerability is due to missing persistence and verification of the OAuth state parameter, which allows an attacker to supply a malicious callback URL and link their account to a victim’s session...
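The state parameter is the OAuth client's CSRF token: it has to be generated per login attempt, bound to the browser session before the redirect, and compared on the callback before the authorization code is exchanged. The following added example (not fastapi-sso's code) shows that lifecycle with a plain dict standing in for a server-side session; the identity-provider URLs, client id and redirect URI are constructed values. The state is consumed on first use, so a replayed callback fails as well.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

STATE_KEY = "oauth_state"


def begin_login(session, authorize_url, client_id, redirect_uri):
    """Mint an unguessable state, persist it in the caller's session, and build
    the authorization URL that carries it to the identity provider."""
    state = secrets.token_urlsafe(32)
    session[STATE_KEY] = state
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "state": state})
    return f"{authorize_url}?{query}"


def finish_login(session, callback_url):
    """Verify the state on the callback before trusting the code. The stored
    value is removed whether or not it matches, so each state is single use."""
    params = parse_qs(urlsplit(callback_url).query)
    presented = params.get("state", [""])[0]
    expected = session.pop(STATE_KEY, None)
    if not expected or not hmac.compare_digest(presented, expected):
        raise PermissionError("OAuth state missing or mismatched (login CSRF)")
    code = params.get("code", [""])[0]
    if not code:
        raise PermissionError("callback carries no authorization code")
    return code


def demo():
    """Honest flow, a forged callback delivered to a victim's session, and a replay."""
    idp, app = "https://idp.example/authorize", "https://app.example/callback"
    victim = {}
    begin_login(victim, idp, "client-123", app)
    honest = f"{app}?code=good-code&state={victim[STATE_KEY]}"
    forged = f"{app}?code=attacker-code&state=attacker-guess"

    results = {"honest": finish_login(victim, honest)}
    try:
        finish_login(victim, honest)          # state already consumed
        results["replay_rejected"] = False
    except PermissionError:
        results["replay_rejected"] = True

    victim2 = {}
    begin_login(victim2, idp, "client-123", app)
    try:
        finish_login(victim2, forged)         # attacker's code, wrong state
        results["forged_rejected"] = False
    except PermissionError:
        results["forged_rejected"] = True
    return results
```

Checking that the redirect_uri used at the callback equals the one registered with the provider closes the companion "malicious callback URL" path named in the entry; state protects the browser session, the registered redirect URI protects where the code is delivered.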