
38290 matches found

Veracode, added 2025/07/23 5:25 a.m., 3 views

Stored Cross-site Scripting (XSS)

org.glassfish.main.admingui, console-common is vulnerable to Stored Cross-site Scripting XSS. The vulnerability is due to improper handling of user input in the configuration file, which allows an attacker to inject and store malicious scripts in the application through modifications in the...

CVSS 5.8 | AI score 5.6 | EPSS 0.00161
Exploits 0 | References 4 | Affected Software 1

Veracode, added 2025/07/22 8:54 a.m., 7 views

Open Redirect

github.com/grafana/grafana is vulnerable to open redirect. The vulnerability is due to improper validation of redirect URLs, which allows an attacker to chain it with path traversal issues to perform cross-site scripting XSS attacks...

CVSS 7.6 | AI score 6 | EPSS 0.37565
Exploits 0 | References 8 | Affected Software 1

Veracode, added 2025/07/22 7:33 a.m., 4 views

Cross-site Scripting (XSS)

org.glassfish.main.admingui:console-cluster-plugin is vulnerable to Cross-site Scripting XSS. The vulnerability is due to improper input sanitization caused by the Administration Console accepting and storing malicious user input, which is later rendered without adequate escaping...

CVSS 6.1 | AI score 6.7 | EPSS 0.00205
Exploits 0 | References 4 | Affected Software 1

Veracode, added 2025/07/22 7:17 a.m., 4 views

Improper Access Control

github.com/grafana/grafana is vulnerable to Improper Access Control. The vulnerability is due to insufficient permission checks in the Grafana Alerting DingDing integration, which allows an attacker with Viewer permissions to access or interact with alerting configurations...

CVSS 4.3 | AI score 6.9 | EPSS 0.0089
Exploits 0 | References 10 | Affected Software 1

Veracode, added 2025/07/22 6:47 a.m., 3 views

Cross-site Scripting (XSS)

org.glassfish.main.admingui:console-cluster-plugin and org.glassfish.main.admingui:console-common are vulnerable to Cross-site Scripting XSS. The vulnerability is due to improper input sanitization caused by the Administration Console failing to adequately validate user-supplied input, enabling t...

CVSS 6.1 | AI score 7 | EPSS 0.00198
Exploits 0 | References 4 | Affected Software 2

Veracode, added 2025/07/22 5:51 a.m., 4 views

Cross-site Scripting (XSS)

@nuxtjs/mdc is vulnerable to Cross-site Scripting XSS. The vulnerability is due to improper sanitization of Markdown content caused by allowing injection of a tag, which can alter relative URL resolution and enable loading of external attacker-controlled resources, leading to arbitrary JavaScript...

CVSS 8.3 | AI score 7 | EPSS 0.00302
Exploits 0 | References 3 | Affected Software 1

Veracode, added 2025/07/22 5:36 a.m., 3 views

Brute Force Attack

org.glassfish.main.admingui, console-common is vulnerable to Login Brute Force attack. The vulnerability is due to the lack of limitation on the number of failed login attempts, which allows an attacker to repeatedly try different credentials to gain unauthorized access...

CVSS 9.8 | AI score 7.3 | EPSS 0.00403
Exploits 0 | References 4 | Affected Software 1

Veracode, added 2025/07/22 5:36 a.m., 3 views

Server Side Request Forgery (SSRF)

org.glassfish.main.admingui, console-common is vulnerable to Server-Side Request Forgery. The vulnerability is due to insufficient validation of user-supplied URLs in specific endpoints, which allows an attacker to make arbitrary requests to internal or external systems on behalf of the server...

CVSS 9.8 | AI score 7.1 | EPSS 0.0029
Exploits 0 | References 4 | Affected Software 1

Veracode, added 2025/07/22 5:35 a.m., 3 views

Stored Cross-site Scripting (XSS)

org.glassfish.main.admingui, console-common is vulnerable to Stored Cross-site Scripting XSS. The vulnerability is due to improper input sanitization in the Administration Console, which allows an attacker to inject and store malicious scripts that execute in the context of users accessing the...

CVSS 6.1 | AI score 6.5 | EPSS 0.00219
Exploits 0 | References 4 | Affected Software 1

Veracode, added 2025/07/22 5:33 a.m., 2 views

Regular Expression Denial Of Service (ReDoS)

@eslint/plugin-kit is vulnerable to Regular Expression Denial of Service ReDoS. The vulnerability is due to inefficient regular expression handling in the parseJSONLikeConfig API's input parsing, which allows an attacker to trigger excessive backtracking...

AI score 6.9
Exploits 0

Veracode, added 2025/07/22 5:33 a.m., 4 views

Directory Traversal

simogeo/filemanager is vulnerable to Directory Traversal. The vulnerability is due to improper input validation caused by the filemanager.php endpoint failing to sanitize user input in crafted HTTP requests, allowing attackers to traverse directories...

CVSS 6.5 | AI score 7 | EPSS 0.016
Exploits 1 | References 10 | Affected Software 1

Veracode, added 2025/07/22 5:30 a.m., 7 views

Improper File Permissions

chainguard.dev/melange is vulnerable to improper file permissions. The vulnerability is due to SBOM files in APKs being generated with file system permissions mode 666, which allows an attacker to tamper with the SBOMs...

CVSS 4.4 | AI score 7 | EPSS 0.00125
Exploits 0 | References 8 | Affected Software 1

Veracode, added 2025/07/22 5:11 a.m., 3 views

Improper File Permissions

apko is vulnerable to Improper File Permissions. The vulnerability is due to critical files being inadvertently set with world-writable permissions 0666, which allows an attacker to likely escalate privileges to root...

CVSS 7 | AI score 7.3 | EPSS 0.00118
Exploits 0 | References 6 | Affected Software 1

Veracode, added 2025/07/21 7:44 a.m., 5 views

Directory Traversal

github.com/juju/juju is vulnerable to Directory Traversal. The vulnerability is due to insufficient authorization checks caused by the /charms endpoint allowing any authenticated user to upload charms without proper validation, enabling attackers to exploit a Zip Slip vulnerability and gain acces...

CVSS 8.8 | AI score 6.1 | EPSS 0.00647
Exploits 1 | References 8 | Affected Software 1

Veracode, added 2025/07/21 7:2 a.m., 3 views

Open Redirect

@dirac-grid/diracx-web-components is vulnerable to Open Redirect. The vulnerability is due to insufficient validation of redirect URIs caused by the login page accepting arbitrary unverified URLs in the redirect field, which can be abused with parameter pollution to conceal malicious destinations...

CVSS 4.7 | AI score 6.2 | EPSS 0.00332
Exploits 0 | References 4 | Affected Software 1

Veracode, added 2025/07/21 6:55 a.m., 7 views

Remote Code Execution (RCE)

livewire/livewire is vulnerable to Remote Code Execution RCE. The vulnerability is due to improper handling of component property hydration caused by insecure logic in how certain component properties are updated, allowing unauthenticated attackers to execute commands in specific configurations...

CVSS 9.8 | AI score 7.3 | EPSS 0.95376
Exploits 5 | References 7 | Affected Software 1

Veracode, added 2025/07/21 6:46 a.m., 4 views

Improper Handling Of HTTP Headers

on-headers is vulnerable to Improper Handling of HTTP Headers. The vulnerability is due to unexpected header modification caused by incorrect processing when an array is passed to response.writeHead, potentially altering response headers unintentionally...

CVSS 3.4 | AI score 6 | EPSS 0.00174
Exploits 0 | References 6 | Affected Software 1

Veracode, added 2025/07/21 6:18 a.m., 6 views

Out-of-bounds Read

@openzeppelin/contracts and @openzeppelin/contracts-upgradeable are vulnerable to Out-of-bounds Read. The vulnerability is due to improper bounds checking caused by the lastIndexOf function in Bytes.sol accessing uninitialized memory when given an empty buffer and a non-maximum position,...

CVSS 6.9 | AI score 6.3 | EPSS 0.00334
Exploits 0 | References 5 | Affected Software 2

Veracode, added 2025/07/21 5:42 a.m., 6 views

Denial Of Service (DoS)

Multer is vulnerable to Denial of Service DoS. The vulnerability is due to improper handling of malformed multipart/form-data upload requests, which allows an attacker to trigger an unhandled exception and crash the process...

CVSS 7.5 | AI score 6.1 | EPSS 0.00644
Exploits 0 | References 4 | Affected Software 1

Veracode, added 2025/07/21 5:41 a.m., 5 views

Denial Of Service (DoS)

org.apache.cxf, cxf-core is vulnerable to Denial Of Service DoS. The vulnerability is due to a bug where large stream-based messages stored as temporary files are fully read into memory and logged, which allows an attacker to exploit this behavior to cause a denial-of-service DoS via an...

CVSS 5.6 | AI score 5.6 | EPSS 0.00624
Exploits 0 | References 6 | Affected Software 1

Veracode, added 2025/07/21 5:40 a.m., 4 views

Denial Of Service (DoS)

github.com/filebrowser/filebrowser is vulnerable to Denial of Service DoS. The vulnerability is due to the server loading entire file content into memory without size checks during read operations on the /files/file-name endpoint, which allows an attacker to upload a large file and trigger...

CVSS 8.7 | AI score 6.1 | EPSS 0.00348
Exploits 1 | References 4 | Affected Software 2

Veracode, added 2025/07/21 5:39 a.m., 6 views

Improper Session Expiration

github.com/filebrowser/filebrowser is vulnerable to Improper Session Expiration. The vulnerability is due to the authentication system issuing long-lived JWT tokens that remain valid even after user logout, which allows an attacker to reuse tokens and gain unauthorized access to user sessions...

CVSS 9.8 | AI score 6.5 | EPSS 0.00498
Exploits 1 | References 4 | Affected Software 1

Veracode, added 2025/07/20 3:38 a.m., 3 views

Malicious Code

This package contains malicious code and should be removed immediately!...

AI score 5.8
Exploits 0

Veracode, added 2025/07/18 12:10 p.m., 5 views

Remote Code Execution (RCE)

github.com/juju/juju is vulnerable to Remote Code Execution RCE. The vulnerability is due to insufficient authorization checks caused by allowing any authenticated controller user to upload arbitrary agent binaries to any model or the controller without verifying model membership or permissions...

CVSS 8.8 | AI score 6.8 | EPSS 0.00569
Exploits 1 | References 6 | Affected Software 1

Veracode, added 2025/07/18 11:4 a.m., 5 views

Cross-site Scripting (XSS)

Vue I18n is vulnerable to Cross-site Scripting XSS. The vulnerability is due to incomplete escaping of interpolated parameters caused by the failure of the escapeParameterHtml: true option to prevent tag-based payload execution when rendered using v-html, even with minor HTML in translation strin...

CVSS 5.3 | AI score 5.9 | EPSS 0.0067
Exploits 0 | References 9 | Affected Software 5

Veracode, added 2025/07/18 10:48 a.m., 4 views

Sensitive Information Disclosure

io.projectreactor.netty:reactor-netty-http is vulnerable to Sensitive Information Disclosure. The vulnerability is due to credential leakage caused by the HTTP client leaking credentials during chained redirects when explicitly configured to follow redirects...

CVSS 6.1 | AI score 5.9 | EPSS 0.0034
Exploits 0 | References 4 | Affected Software 1

Veracode, added 2025/07/18 10:23 a.m., 7 views

Incorrect Permission Assignment For Critical Resource

org.apache.apisix:apisix-plugin-runner is vulnerable to Incorrect Permission Assignment for Critical Resource. The vulnerability is due to improper file permission settings caused by insecure local listening file permissions, allowing a local attacker to elevate privileges...

CVSS 7.8 | AI score 5.9 | EPSS 0.00172
Exploits 0 | References 4 | Affected Software 1

Veracode, added 2025/07/18 7:17 a.m., 3 views

Path Traversal

Measured is vulnerable to Path Traversal. The vulnerability is due to insufficient input validation when initializing the class, which allows an attacker to manipulate inputs and instruct the library to read arbitrary files...

AI score 7
Exploits 0

Veracode, added 2025/07/18 6:57 a.m., 4 views

Information Disclosure

Directus is vulnerable to information disclosure. The vulnerability is due to improper handling of user data in the "Log to Console" operation within Directus Flows, which allows an attacker with admin privileges to log and access sensitive data of other users during create or update events...

CVSS 4.2 | AI score 5.7 | EPSS 0.0017
Exploits 0 | References 5 | Affected Software 1

Veracode, added 2025/07/18 5:55 a.m., 7 views

Improper Access Control

Directus is vulnerable to Improper Access Control. The vulnerability is due to manual trigger Flows not validating user permissions for the payload items, which allows an attacker to execute unauthorized tasks or access restricted collections/items without proper authentication or access rights...

CVSS 6.5 | AI score 6.6 | EPSS 0.00395
Exploits 0 | References 4 | Affected Software 1

Veracode, added 2025/07/18 5:54 a.m., 7 views

Command Injection

@sunwood-ai-labs/github-kanban-mcp-server is vulnerable to command injection. The vulnerability is due to the use of the unsafe exec API with untrusted user input in the addcomment tool, which allows an attacker to execute arbitrary system commands through crafted input...

CVSS 9.3 | AI score 7.5 | EPSS 0.01287
Exploits 0 | References 6 | Affected Software 1

Veracode, added 2025/07/18 5:53 a.m., 3 views

XML External Entity (XXE) Injection

org.dspace, dspace-api is vulnerable to XML External Entity XXE injection. The vulnerability is due to improper handling of XML input during archive import and interaction with external services, which allows an attacker to craft malicious XML payloads that may lead to sensitive file disclosure o...

CVSS 6.9 | AI score 6.4 | EPSS 0.00368
Exploits 0 | References 9 | Affected Software 1

Veracode, added 2025/07/18 5:52 a.m., 5 views

Denial Of Service (DoS)

resolv library is vulnerable to Denial Of Service DoS. The vulnerability is due to insufficient validation of the length of a decompressed domain name in a DNS packet, which allows an attacker to craft a maliciously compressed DNS packet that consumes excessive CPU during name decompression...

CVSS 7.5 | AI score 5.8 | EPSS 0.00539
Exploits 0 | References 7 | Affected Software 1

Veracode, added 2025/07/18 5:47 a.m., 5 views

Information Disclosure

Directus is vulnerable to information disclosure. The vulnerability is due to the exact Directus version number being exposed as the OpenAPI Spec version at the /server/specs/oas endpoint without authentication, which allows an attacker to identify the running version and target known...

CVSS 5.3 | AI score 5.9 | EPSS 0.00452
Exploits 0 | References 5 | Affected Software 1

Veracode, added 2025/07/18 5:46 a.m., 4 views

Arbitrary Code Injection

pyLoad-ng is vulnerable to Arbitrary Code Injection. The vulnerability is due to unsafe JavaScript evaluation caused by insecure CAPTCHA processing logic that allows unauthenticated remote attackers to execute arbitrary code in the client browser and potentially on the backend server...

CVSS 9.8 | AI score 7.3 | EPSS 0.01144
Exploits 0 | References 5 | Affected Software 1

Veracode, added 2025/07/18 5:2 a.m., 6 views

Information Disclosure

Directus is vulnerable to information exposure. The vulnerability is due to logging all incoming request details, including sensitive data like access and refresh tokens when using WebHook triggers in Flows, which allows an attacker with log access to hijack user sessions within the token...

CVSS 4.5 | AI score 5.7 | EPSS 0.00387
Exploits 0 | References 6 | Affected Software 1

Veracode, added 2025/07/17 10:52 a.m., 8 views

Cross-site Scripting (XSS)

org.opennms:opennms is vulnerable to Cross-site Scripting XSS. The vulnerability is due to stored XSS caused by unsanitized parameters on multiple nodes, allowing attackers to inject malicious HTML or JavaScript into database entries that are rendered on user-facing pages...

CVSS 6.9 | AI score 5 | EPSS 0.00208
Exploits 0 | References 3 | Affected Software 1

Veracode, added 2025/07/17 10:20 a.m., 4 views

Path Traversal

github.com/google/osv-scalibr is vulnerable to path traversal. The vulnerability is due to path traversal caused by improper validation of file paths when using the unpack function with the --remote-image flag on untrusted container images, allowing arbitrary file writes on the host system as the...

CVSS 6.5 | AI score 6.4 | EPSS 0.00208
Exploits 0 | References 3 | Affected Software 1

Veracode, added 2025/07/17 8:2 a.m., 6 views

SQL Injection

pg-promise is vulnerable to SQL Injection. The vulnerability is due to improper handling of negative numbers, which allows an attacker to manipulate SQL queries by injecting malicious input...

CVSS 5.4 | AI score 6.6 | EPSS 0.00193
Exploits 1 | References 5 | Affected Software 1

Veracode, added 2025/07/17 7:58 a.m., 8 views

Improper Input Validation

github.com/grafana/grafana is vulnerable to Improper Input Validation. The vulnerability is due to improper input validation caused by the failure to handle excessively long dashboard titles or panel names, which can cause Chromium browsers to become unresponsive...

CVSS 2.7 | AI score 6 | EPSS 0.00394
Exploits 0 | References 2 | Affected Software 1

Veracode, added 2025/07/17 7:52 a.m., 7 views

Open Redirect

urllib3 is vulnerable to Open Redirect. The vulnerability is due to the ability to disable redirects globally via PoolManager configuration, which allows an attacker to bypass intended redirect restrictions...

CVSS 6.1 | AI score 5 | EPSS 0.004
Exploits 1 | References 5 | Affected Software 1

Veracode, added 2025/07/17 7:42 a.m., 7 views

SQL Injection

OpenNMS is vulnerable to SQL Injection. The vulnerability is due to improper neutralization of special elements in SQL commands caused by insufficient sanitization of user-supplied input in Horizon and Meridian applications...

CVSS 6.9 | AI score 5.9 | EPSS 0.00208
Exploits 0 | References 3 | Affected Software 2

Veracode, added 2025/07/17 7:31 a.m., 4 views

Open Redirect

urllib3 is vulnerable to Open Redirect. The vulnerability is due to urllib3 not properly controlling redirect behavior when used in Pyodide environments, which allows an attacker to exploit browser or Node.js runtime redirect handling, potentially bypassing expected security mechanisms...

CVSS 6.1 | AI score 5 | EPSS 0.00313
Exploits 0 | References 5 | Affected Software 1

Veracode, added 2025/07/17 6:29 a.m., 4 views

Improper Certificate Validation

couchbasenetclient is vulnerable to improper certificate validation. The vulnerability is due to improper configuration defaults and lack of hostname verification in TLS connections, defaulting to IP addresses instead of hostnames, which allows an attacker to perform man-in-the-middle MitM attack...

CVSS 4.9 | AI score 6.1 | EPSS 0.00192
Exploits 0 | References 7 | Affected Software 1

Veracode, added 2025/07/17 5:13 a.m., 4 views

Information Disclosure

github.com/openbao/openbao is vulnerable to information disclosure. The vulnerability is due to improper handling of malformed data, which allows an attacker to potentially access sensitive information through exposed logs...

CVSS 4.5 | AI score 6.5 | EPSS 0.00275
Exploits 0 | References 6 | Affected Software 1

Veracode, added 2025/07/17 5:12 a.m., 7 views

Information Disclosure

org.elasticsearch.client, elasticsearch-rest-client is vulnerable to memory disclosure. The vulnerability is due to error messages leaking uninitialized buffer data when handling malformed queries, which allows an attacker to access sensitive information such as documents or authentication detail...

CVSS 6.5 | AI score 6.5 | EPSS 0.76249
Exploits 6 | References 9 | Affected Software 1

Veracode, added 2025/07/17 5:10 a.m., 4 views

Cross-Site Scripting (XSS)

ag-grid is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to improper sanitization of grid contents, which allows an attacker to execute arbitrary JavaScript when user input is rendered in the grid...

AI score 6.8
Exploits 0

Veracode, added 2025/07/17 5:6 a.m., 7 views

Improper Authorization

authentik is vulnerable to Improper Authorization. The vulnerability is due to missing session validation for single-use tokens in RAC endpoints, which allows an attacker to reuse a valid token from a shared URL to access another user’s session...

CVSS 9.6 | AI score 6.1 | EPSS 0.00405
Exploits 0 | References 4 | Affected Software 1

Veracode, added 2025/07/16 9:21 p.m., 6 views

Access Control Bypass

Apache HTTP Server mod_ssl is vulnerable to Access control bypass. The vulnerability is due to improper handling of TLS 1.3 session resumption across multiple virtual hosts with different trusted client certificate configurations, which allows an attacker with a trusted certificate for one virtual...

CVSS 9.1 | AI score 7.4 | EPSS 0.0097
Exploits 1 | References 9 | Affected Software 1

Veracode, added 2025/07/16 6:15 p.m., 5 views

Improper Input Validation

git is vulnerable to improper input validation. The vulnerability is due to improper handling of carriage return CR characters in configuration and submodule paths, which allows an attacker to exploit the altered path and potentially trigger unintended execution of a submodule’s post-checkout hoo...

CVSS 8 | AI score 7.2 | EPSS 0.02775
Exploits 9 | References 10 | Affected Software 1

Total number of security vulnerabilities: 38290