Lucene search
+L
VeracodeRecent

38467 matches found

Veracode
Veracode
•added 5 days ago•5 views

Denial Of Service

HashiCorp memberlist is vulnerable to Denial Of Service. The vulnerability is due to improper handling of push/pull state messages, where specially crafted gossip traffic can exhaust memory on a receiving node, allowing attackers with network access to terminate the process...

4.9CVSS6.1AI score0.00251EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2026/07/11 10:51 a.m.•5 views

Uncontrolled Resource Consumption (Infinite Loop)

pypdf is vulnerable to Uncontrolled Resource Consumption Infinite Loop. The vulnerability is due to improper handling of crafted PDF files containing threads/articles during the merge operation, which allows an attacker to trigger an infinite loop by supplying a malicious PDF, resulting in a...

6.9CVSS6.1AI score0.00111EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2026/07/11 10:51 a.m.•5 views

Out-of-Bounds Write

pymonocypher is vulnerable to Out-of-Bounds Write. The vulnerability is due to the argon2i32 implementation failing to validate the nbblocks buffer size before writing, which allows an attacker to trigger a write past the end of the provided buffer, potentially causing heap corruption and resulti...

6.5AI score
Exploits0References2Affected Software1
Veracode
Veracode
•added 2026/07/11 10:36 a.m.•5 views

Path Traversal

psd-tools is vulnerable to Path Traversal. The vulnerability is due to improper validation and sanitization of attacker-controlled file paths in the SmartObject.save and SmartObject.open APIs, which allows an attacker to write arbitrary files to attacker-chosen locations outside the intended...

6.2AI score
Exploits0References3Affected Software1
Veracode
Veracode
•added 2026/07/11 9:38 a.m.•5 views

Remote Code Execution (RCE)

Joro is vulnerable to Remote Code Execution RCE. The vulnerability is due to the default proxy mode exposing an unauthenticated local API with a wildcard CORS policy, which allows an attacker to use cross-origin JavaScript to upload a malicious native plugin and trigger a restart...

6.2AI score
Exploits0References2Affected Software1
Veracode
Veracode
•added 2026/07/11 8:59 a.m.•5 views

OS Command Injection

Nuclio is vulnerable to OS Command Injection. The vulnerability is due to improper sanitization of event.headers keys and event.body values when constructing curl commands for Kubernetes CronJob containers, which allows an attacker to inject and execute arbitrary shell commands by manipulating...

6.3AI score
Exploits0References2Affected Software1
Veracode
Veracode
•added 2026/07/11 8:54 a.m.•6 views

OS Command Injection

File Browser is vulnerable to OS Command Injection. The vulnerability is due to the Hook Authentication feature interpolating user-supplied username and password into an external shell command without proper sanitization, which allows an unauthenticated remote attacker to inject shell...

9.3CVSS6.3AI score0.00533EPSS
Exploits0References2Affected Software1
Veracode
Veracode
•added 2026/07/11 8:24 a.m.•5 views

Missing Authentication

SiYuan is vulnerable to Missing Authentication. The vulnerability is due to the kernel HTTP server unconditionally trusting all chrome-extension:// origins without authentication and the default empty AccessAuthCode on desktop installations, which allows an attacker controlling a malicious or...

9.2CVSS6.1AI score0.00607EPSS
Exploits0References2Affected Software2
Veracode
Veracode
•added 2026/07/10 10:25 a.m.•5 views

Cross-site Scripting (XSS)

Craft CMS is vulnerable to Stored cross-site scripting XSS. The vulnerability is due to improper escaping of entry titles during drag-and-drop operations, where user-controlled titles are decoded and inserted into HTML without proper sanitization, allowing attackers to execute arbitrary JavaScrip...

5.9CVSS6.3AI score0.00412EPSS
Exploits0References2Affected Software1
Veracode
Veracode
•added 2026/07/10 10:16 a.m.•5 views

Remote Code Execution

Craft CMS is vulnerable to remote code execution RCE. The vulnerability is due to unsafe rendering of user-controlled data as an unsandboxed Twig template, where the Referer HTTP header is compiled without sandboxing during entry saves, allowing authenticated attackers to execute arbitrary code o...

8.7CVSS6.7AI score0.00293EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2026/07/10 9:14 a.m.•7 views

Cross-Site Request Forgery (CSRF)

Leantime is vulnerable to Cross-Site Request Forgery CSRF. The vulnerability is due to missing validation of the OIDC state parameter in the verifyState method, where attacker-controlled authorization callbacks are accepted without verification, allowing attackers to perform session fixation and...

8.6CVSS6.1AI score0.00153EPSS
Exploits0References4Affected Software1
Veracode
Veracode
•added 2026/07/10 8:21 a.m.•7 views

Improper Authorization

Leantime is vulnerable to Improper Authorization. The vulnerability is due to missing authorization checks in the Users::getUser JSON-RPC API, where authenticated users can retrieve sensitive credential data for arbitrary user accounts, allowing attackers to obtain password hashes, TOTP secrets,...

8.6CVSS6.2AI score0.0025EPSS
Exploits0References4Affected Software1
Veracode
Veracode
•added 2026/07/10 8:15 a.m.•7 views

Improper Certificate Validation

Coder is vulnerable to Improper Certificate Validation. The vulnerability is due to the AI Bridge Proxy aibridgeproxyd creating a default HTTPS transport with InsecureSkipVerify enabled when no upstream proxy is configured, which allows an on-path man-in-the-middle attacker to present a forged TL...

7.4CVSS6.1AI score0.00258EPSS
Exploits0References8Affected Software2
Veracode
Veracode
•added 2026/07/10 8:14 a.m.•7 views

Improper Input Validation

github.com/coder/coder is vulnerable to Improper Input Validation. The vulnerability is due to insufficient validation of the scheme and host in external workspace application URLs before substituting the $SESSIONTOKEN placeholder, which allows an attacker controlling a malicious workspace templa...

7.7CVSS6.1AI score0.00336EPSS
Exploits0References9Affected Software2
Veracode
Veracode
•added 2026/07/10 8:13 a.m.•8 views

Improper Access Control

Coder is vulnerable to Improper Access Control. The vulnerability is due to the tailnet coordinator validating an agent's Addresses but not its AllowedIPs, which allows an authenticated attacker to advertise unauthorized IP prefixes that are propagated to WireGuard peers, potentially enabling...

8.2CVSS6.1AI score0.00405EPSS
Exploits0References9Affected Software2
Veracode
Veracode
•added 2026/07/10 7:34 a.m.•5 views

Stored Cross Site Scripting

showdown is vulnerable to stored cross-site scripting. The vulnerability is due to a failure to properly escape table header ID attributes in the parseHeaders function, where attackers can inject arbitrary HTML and script-executing SVG elements through double-quote characters in markdown table...

6.1CVSS5.8AI score0.00198EPSS
Exploits0References4Affected Software1
Veracode
Veracode
•added 2026/07/09 11:19 a.m.•8 views

Sensitive Information Exposure

Apache Camel Undertow Component is vulnerable to Sensitive Information Exposure. The vulnerability is due to improper handling of exception responses, where processing errors return full Java stack traces instead of suppressing them, allowing attackers to obtain sensitive information such as...

5.3CVSS5.9AI score0.00363EPSS
Exploits0References4Affected Software2
Veracode
Veracode
•added 2026/07/09 10:25 a.m.•8 views

Improper Authorization

github.com/coder/coder is vulnerable to Improper Authorization. The vulnerability is due to insufficient validation in the UpsertWorkspaceApp and insertAgentApp functions, which fail to verify that a supplied application ID belongs to the workspace being built before performing a cross-workspace...

8.7CVSS6AI score0.00508EPSS
Exploits0References9Affected Software2
Veracode
Veracode
•added 2026/07/09 10:22 a.m.•7 views

Improper Authentication

Apache Camel is vulnerable to Improper Authentication. The vulnerability is due to missing authentication for critical functions, where the KeycloakSecurityPolicy defaults to not verifying the access token, and an invalid token is accepted, allowing unauthenticated access to protected routes...

9.8CVSS6AI score0.00619EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2026/07/09 9:55 a.m.•11 views

SSH Configuration Injection

Coder is vulnerable to SSH Configuration Injection. The vulnerability is due to coder config-ssh writing server-supplied HostnameSuffix and SSHConfigOptions into the user's /.ssh/config without properly sanitizing embedded newlines or restricting SSH directives, which allows an attacker controlli...

8.3CVSS6AI score0.00466EPSS
Exploits0References9Affected Software2
Veracode
Veracode
•added 2026/07/09 9:36 a.m.•5 views

Improper Authorization

Craft CMS is vulnerable to Improper Authorization. The vulnerability is due to insufficient authorization checks after author reassignment in EntriesController::actionSaveEntry, where attacker-controlled author parameters are applied without revalidating permissions, allowing low-privileged users...

7.6CVSS5.9AI score0.00245EPSS
Exploits0References2Affected Software1
Veracode
Veracode
•added 2026/07/09 9:4 a.m.•5 views

Improper Privilege Management

github.com/coder/coder is vulnerable to Improper Privilege Management. The vulnerability is due to insufficient authorization checks in the PUT /api/v2/users/user/password endpoint, which allows a privileged user-admin attacker to reset the password of an owner account without requiring the curre...

7.2CVSS5.9AI score0.00615EPSS
Exploits0References9Affected Software2
Veracode
Veracode
•added 2026/07/09 8:18 a.m.•10 views

Improper Authentication

github.com/coder/coder is vulnerable to Improper Authentication. The vulnerability is due to improper OIDC email-based account linking and incorrect handling of the emailverified claim, which allows an attacker to authenticate with a malicious or unverified OIDC identity and take over another...

7.4CVSS6AI score0.00479EPSS
Exploits0References10Affected Software2
Veracode
Veracode
•added 2026/07/08 9:42 a.m.•9 views

Arbitrary Code Injection

Langroid is vulnerable to Arbitrary Code Injection. The vulnerability is due to improper sandboxing of Python eval that fails to remove builtins, which allows an attacker to execute arbitrary operating system commands through crafted LLM-generated tool messages...

10CVSS6.3AI score0.00912EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2026/07/07 11:58 a.m.•5 views

Improper Authorization

The CreateSubAgent RPC is vulnerable to improper authorization. The vulnerability is due to the failure to validate the requested app sharing level against the template's maximum allowed sharing level before persisting workspace apps, which allows a workspace owner to exceed the...

5.4CVSS5.9AI score0.00315EPSS
Exploits0References8Affected Software2
Veracode
Veracode
•added 2026/07/07 10:5 a.m.•8 views

Authentication Bypass

Coder is vulnerable to an authentication bypass. The vulnerability is due to improper validation of the emailverified claim in the OIDC callback and an unconditional email-based account fallback, which allows an attacker to take over accounts by supplying a non-boolean or missing emailverified...

7.4CVSS6AI score0.00479EPSS
Exploits0References12Affected Software2
Veracode
Veracode
•added 2026/07/07 9:30 a.m.•10 views

Improper Access Control

Cilium is vulnerable to improper access control. The vulnerability is due to the creation of a world-accessible Envoy admin socket when L7 functionality is enabled, which allows a local attacker to access Envoy administrative endpoints, potentially exposing sensitive information such as TLS...

9.2CVSS5.9AI score0.0017EPSS
Exploits0References8Affected Software1
Veracode
Veracode
•added 2026/07/07 8:44 a.m.•6 views

Improper Authorization

Keycloak is vulnerable to improper authorization. The vulnerability is due to missing validation that the target user belongs to the caller's realm in certain user read endpoints, which allows a tenant realm administrator to access profile information, client roles, and realm roles of users acros...

6AI score
Exploits0References2Affected Software1
Veracode
Veracode
•added 2026/07/06 6:31 a.m.•7 views

Path Traversal

Horde IMP is vulnerable to path traversal. The vulnerability is due to insufficient validation of img src URLs, where attackers can bypass the stripos prefix validation by appending traversal sequences after the matching prefix, and read sensitive files whose contents are then exfiltrated as MIME...

7.1CVSS5.9AI score0.00379EPSS
Exploits0References7Affected Software1
Veracode
Veracode
•added 2026/07/06 5:43 a.m.•10 views

Cross Site Scripting

MediaWiki Cargo Extension is vulnerable to Cross Site Scripting. The vulnerability is due to improper neutralization of user-supplied input during web page generation, where malicious scripts are stored and later rendered without proper sanitization, allowing attackers to execute arbitrary...

6.9CVSS6.2AI score0.00134EPSS
Exploits0References4Affected Software1
Veracode
Veracode
•added 2026/07/04 2:58 p.m.•7 views

Improper Authorization

Craft CMS is vulnerable to Improper Authorization. The vulnerability is due to missing authorization checks when deleting asset folders, where the folder deletion operation does not enforce peer asset delete permissions, allowing low-privilege users to delete assets uploaded by other users in...

7.1CVSS6AI score0.00249EPSS
Exploits0References2Affected Software1
Veracode
Veracode
•added 2026/07/04 2:54 p.m.•7 views

Mass Assignment

Craft CMS is vulnerable to Mass Assignment. The vulnerability is due to insufficient validation of the newAttributes parameter during bulk duplication, where attackers can override the target element ID and update an existing entry instead of creating a new one, allowing unauthorized modification...

7.1CVSS6AI score0.00253EPSS
Exploits0References2Affected Software1
Veracode
Veracode
•added 2026/07/04 2:43 p.m.•8 views

Improper Authorization

Craft CMS is vulnerable to Improper Authorization. The vulnerability is due to missing authorization checks for the source asset during file replacement, where providing both assetId and sourceAssetId bypasses source delete permission validation, allowing authenticated users to delete assets from...

5.3CVSS6AI score0.00265EPSS
Exploits0References2Affected Software1
Veracode
Veracode
•added 2026/07/04 12:31 p.m.•6 views

Improper Authorization

Craft CMS is vulnerable to Improper Authorization. The vulnerability is due to insufficient permission checks when moving entries between sections, where only view permission is validated for the destination section instead of save permission, allowing low-privileged users to move entries into...

6CVSS6AI score0.00273EPSS
Exploits0References2Affected Software1
Veracode
Veracode
•added 2026/07/04 8:29 a.m.•5 views

Path Traversal

LaunchServer is vulnerable to path traversal. The vulnerability is due to insufficient validation of file path traversal sequences in the HTTP file server FileServerHandler, which allows an unauthenticated remote attacker to read arbitrary files, obtain sensitive server secrets including signing...

6.2AI score
Exploits0References1Affected Software1
Veracode
Veracode
•added 2026/07/04 8:27 a.m.•6 views

Use Of A Broken Or Risky Cryptographic Algorithm

BC-JAVA bcprov is vulnerable to the Use of a Broken or Risky Cryptographic Algorithm. The vulnerability is due to flaws in the G3413CTRBlockCipher implementation, where the affected cryptographic algorithm can provide weakened cryptographic protection, allowing attackers to compromise the...

9.3CVSS7AI score0.00313EPSS
Exploits0References18Affected Software12
Veracode
Veracode
•added 2026/07/04 7:59 a.m.•10 views

Improper Privilege Management

github.com/rancher/rancher is vulnerable to Improper Privilege Management. The vulnerability is due to improper privilege handling for users with the Project Owner role, which allows an attacker with Project Owner privileges to escalate their privileges by exploiting insufficient privilege...

9.4CVSS6.1AI score0.00319EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2026/07/04 7:56 a.m.•5 views

OS Command Injection

github.com/rancher/rancher is vulnerable to OS Command Injection. The vulnerability is due to unsanitized YAML parameters in the /v3/import/tokenclusterId.yaml import endpoint, which allows a remote attacker to inject commands, break out of a container image, and execute malicious containers...

9.4CVSS6.2AI score0.01277EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2026/06/27 8:33 a.m.•8 views

Deserialization Of Untrusted Data

org.openidentityplatform.openam, openam-auth-webauthn is vulnerable to Deserialization of Untrusted Data. The vulnerability is due to the WebAuthn authentication module deserializing attacker-controlled data from a storage attribute under certain conditions, which allows an attacker to achieve...

6.6AI score
Exploits0References2Affected Software1
Veracode
Veracode
•added 2026/06/27 7:56 a.m.•6 views

Deserialization Of Untrusted Data

OpenDJ Community Edition is vulnerable to Deserialization of Untrusted Data. The vulnerability is due to the JMX RMI connector reading and processing attacker-controlled serialized data before authentication, which allows an unauthenticated remote attacker to deserialize arbitrary Java objects on...

6.2AI score
Exploits0References2Affected Software1
Veracode
Veracode
•added 2026/06/27 5:58 a.m.•7 views

Information Disclosure

angular/common is vulnerable to information disclosure. The vulnerability is due to the HttpTransferCache utility failing to consider the withCredentials flag and Cookie header when caching HTTP responses during Server-Side Rendering SSR with hydration enabled, which allows an attacker to obtain...

8.2CVSS5.8AI score0.00267EPSS
Exploits0References8Affected Software1
Veracode
Veracode
•added 2026/06/27 5:53 a.m.•7 views

Cross-Site Scripting (XSS)

DOMPurify is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to DOMPurify skipping the contents of shadow DOM elements inside HTML elements during sanitization, which allows an attacker to embed malicious payloads that execute when the template is cloned and inserted into the pag...

6.3CVSS6.1AI score0.00388EPSS
Exploits0References4Affected Software1
Veracode
Veracode
•added 2026/06/26 11:50 a.m.•7 views

Session Hijacking

Chainlit is vulnerable to Session Hijacking. The vulnerability is due to missing ownership verification during WebSocket session restoration, where a valid sessionId can be used to restore another user's authenticated session, allowing attackers to gain unauthorized access with the victim's...

8.8CVSS5.8AI score0.00256EPSS
Exploits0References4Affected Software1
Veracode
Veracode
•added 2026/06/26 9:30 a.m.•8 views

Server-Side Request Forgery

jackson-databind is vulnerable to server-side request forgery SSRF. The vulnerability is due to eager DNS resolution during InetSocketAddress deserialization, where untrusted hostnames are resolved before application-level validation, allowing attackers to trigger arbitrary DNS requests by...

5.3CVSS5.9AI score0.00219EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2026/06/26 7:8 a.m.•7 views

Open Redirect

Nuxt is vulnerable to Open Redirect. The vulnerability is due to improper validation of protocol-relative URLs in the reloadNuxtApp function, where paths such as //evil.com bypass URL validation and resolve to attacker-controlled domains, allowing attackers to redirect users to malicious websites...

6.1CVSS5.8AI score0.00191EPSS
Exploits0References4Affected Software1
Veracode
Veracode
•added 2026/06/26 6:50 a.m.•8 views

Cross Site Scripting

Nuxt is vulnerable to cross-site scripting XSS. The vulnerability is due to improper validation of script-capable URLs in the navigateTo open option, where javascript: URLs supplied through user-controlled input are not blocked, allowing attackers to execute arbitrary scripts in the application's...

6.1CVSS5.8AI score0.00234EPSS
Exploits0References4Affected Software1
Veracode
Veracode
•added 2026/06/25 10:43 a.m.•10 views

Cache Bypass

Undici is vulnerable to Cache Bypass. The vulnerability is due to Undici's cache interceptor incorrectly classifying some responses as cacheable, where the upstream Cache-Control header uses whitespace-padded qualified private or no-cache field names, and attackers can exploit this by serving a...

5.9CVSS7.1AI score0.00374EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2026/06/25 7:15 a.m.•10 views

Improper Authorization

Apache DolphinScheduler is vulnerable to Improper Authorization. The vulnerability is due to incorrect authorization checks when accessing workflow instance information, where users can retrieve workflow details from projects they are not authorized to access...

6.5CVSS5.8AI score0.00312EPSS
Exploits0References2Affected Software1
Veracode
Veracode
•added 2026/06/25 5:21 a.m.•10 views

Improper Authorization

Apache DolphinScheduler is vulnerable to Improper Authorization. The vulnerability is due to a missing authorization check in the DataSource API, where requests are not properly validated before returning data source metadata, allowing unauthorized users to disclose sensitive data source...

9.8CVSS5.7AI score0.0039EPSS
Exploits0References2Affected Software1
Veracode
Veracode
•added 2026/06/25 5:20 a.m.•8 views

Improper Authorization

Apache DolphinScheduler is vulnerable to Improper Authorization. The vulnerability is due to incorrect authorization checks when deleting task definitions, where users with valid system login privileges can delete task definitions in projects they are not authorized to manage...

4.9CVSS5.8AI score0.00437EPSS
Exploits0References2Affected Software1
Total number of security vulnerabilities38467