Lucene search
+L
VeracodeRecent

38467 matches found

Veracode
Veracode
•added 2026/06/08 8:42 a.m.•4 views

Remote Code Execution (RCE)

Apache ActiveMQ is vulnerable to Remote Code Execution RCE. The vulnerability is due to improper input validation in the Jolokia JMX-HTTP bridge /api/jolokia/, where attacker-controlled input reaches BrokerService.addNetworkConnectorString and triggers the VM transport's brokerConfig parameter...

8.1CVSS6.6AI score0.00546EPSS
Exploits2References2Affected Software3
Veracode
Veracode
•added 2026/06/06 8:26 a.m.•13 views

Cross-Site Scripting (XSS)

Drupal Ignition Error Pages is vulnerable to Cross-Site Scripting XSS.The vulnerability is due to improper neutralization of user-controlled input during web page generation, which allows an attacker to inject and execute malicious scripts in a user's browser through crafted input...

6.1CVSS5.5AI score0.00242EPSS
Exploits0References2Affected Software1
Veracode
Veracode
•added 2026/06/06 8:21 a.m.•7 views

SQL Injection

BillaBear is vulnerable to SQL Injection. The vulnerability is due to improper sanitization of user-controlled metric filter names and aggregation properties that are directly interpolated into SQL queries, which allows an authenticated attacker with ROLEACCOUNTMANAGER permissions to execute...

8.8CVSS6.2AI score0.00365EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2026/06/06 8:3 a.m.•8 views

Improper Authorization

Shopper is vulnerable to Improper Authorization. The vulnerability is due to missing and improperly enforced authorization checks in the team settings, which allows an authenticated attacker to create roles, modify permissions, escalate privileges to administrator, and remove legitimate...

9.9CVSS5.9AI score0.00321EPSS
Exploits0References2Affected Software1
Veracode
Veracode
•added 2026/06/06 6:37 a.m.•6 views

SQL Injection

XWiki is vulnerable to SQL Injection. The vulnerability is due to an incomplete fix for the LiveTableResults endpoint that still permits parameter manipulation, which allows an attacker to extract user password salts and hashes one bit at a time through repeated requests...

6AI score0.0004EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2026/06/06 6:5 a.m.•4 views

Sensitive Information Disclosure

Mattermost is vulnerable to Sensitive Information Disclosure. The vulnerability is due to improper sanitization of sensitive configuration fields in the Mattermost Calls plugin, which allows an attacker with access to a support packet to obtain plaintext TURN server credentials...

7.6CVSS5.9AI score0.00256EPSS
Exploits0References2Affected Software2
Veracode
Veracode
•added 2026/06/05 12:41 p.m.•13 views

Denial Of Service (DoS)

Spring Cloud Function is vulnerable to Denial of Service DoS. The vulnerability is due to infinite recursion in the routing layer, where specially crafted routing configurations or requests can trigger unbounded recursive processing, leading to excessive memory consumption and potentially causing...

6.5CVSS5.4AI score0.00211EPSS
Exploits0References2Affected Software1
Veracode
Veracode
•added 2026/06/05 12:14 p.m.•11 views

Denial Of Service (DoS)

Spring Cloud Function is vulnerable to Denial of Service DoS. The vulnerability is due to insufficient restrictions on function registration within the Function Registry, allowing an attacker to register an unbounded number of functions and trigger excessive memory consumption, potentially...

6.5CVSS5.5AI score0.00211EPSS
Exploits0References2Affected Software1
Veracode
Veracode
•added 2026/06/04 9:20 a.m.•11 views

Stored Cross-Site Scripting (XSS)

TinyMCE is vulnerable to Stored Cross-Site Scripting XSS. The vulnerability is due to improper sanitization of crafted data-mce- attributes in the media plugin, which allows an attacker to inject malicious scripts into stored content that are executed when the content is rendered...

8.7CVSS5.8AI score0.00264EPSS
Exploits0References4Affected Software2
Veracode
Veracode
•added 2026/06/04 8:58 a.m.•13 views

Cross-site Scripting

TinyMCE is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to improper SVG namespace scope handling in the sanitizer, where crafted nested SVG elements can bypass attribute sanitization and execute arbitrary JavaScript, resulting in cross-site scripting attacks...

8.7CVSS5.9AI score0.00191EPSS
Exploits0References1Affected Software2
Veracode
Veracode
•added 2026/06/04 8:38 a.m.•11 views

Stored Cross-Site Scripting

TinyMCE is vulnerable to Stored Cross-Site Scripting XSS. The vulnerability is due to insufficient sanitization of data-mce- attributes such as data-mce-href, data-mce-src, and data-mce-style, allowing attackers to inject malicious values that override validated attributes during content...

8.7CVSS6AI score0.00281EPSS
Exploits0References4Affected Software2
Veracode
Veracode
•added 2026/06/03 9:56 a.m.•12 views

Cross-Site Scripting (XSS)

drupal/googletag is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to improper neutralization of user-supplied input during web page generation, which allows an attacker to inject and execute malicious scripts in a victim's browser through crafted input...

4.8CVSS5.5AI score0.00218EPSS
Exploits0References2Affected Software1
Veracode
Veracode
•added 2026/05/30 8:55 a.m.•12 views

Missing Authorization

Drupal Authenticator Login is vulnerable to Missing Authorization. The vulnerability is due to improper authorization checks in the Authenticator Login component, which allows an attacker to perform forceful browsing and access restricted functionality or resources without proper authorization...

9.8CVSS5.4AI score0.00401EPSS
Exploits0References2Affected Software1
Veracode
Veracode
•added 2026/05/30 8:52 a.m.•4 views

Missing Authorization

Pimcore is vulnerable to Missing Authorization. The vulnerability is due to missing authentication and permission checks in the WebDAV MOVE operation, which allows an unauthenticated attacker to delete assets or authenticated low-privileged users to perform unauthorized asset move and overwrite...

8.1CVSS5.3AI score0.00141EPSS
Exploits0References5Affected Software1
Veracode
Veracode
•added 2026/05/30 8:51 a.m.•6 views

Path Traversal

SimpleSAMLphp-casserver is vulnerable to Path Traversal. The vulnerability is due to improper validation of user-controlled ticket identifiers when constructing file paths, where path traversal sequences can access and deserialize arbitrary files outside the ticket directory, allowing attackers t...

8.6CVSS6.1AI score0.00422EPSS
Exploits0References3
Veracode
Veracode
•added 2026/05/30 8:49 a.m.•8 views

Insecure Direct Object Reference

phpMyFAQ is vulnerable to Insecure Direct Object Reference. The vulnerability is due to missing authorization checks in the admin API password update endpoint, where authenticated administrators can modify the userId parameter to change any user's password, allowing privilege escalation to...

8.8CVSS5.9AI score0.00303EPSS
Exploits0References2Affected Software2
Veracode
Veracode
•added 2026/05/30 8:47 a.m.•7 views

OS Command Injection

AVideo is vulnerable to OS command injection. The vulnerability is due to improper sanitization of user-controlled values when constructing shell commands, where shell metacharacters are concatenated into the command without proper escaping, allowing attackers to execute arbitrary operating syste...

8.8CVSS6.2AI score0.00318EPSS
Exploits0References1Affected Software1
Veracode
Veracode
•added 2026/05/30 8:47 a.m.•7 views

Authentication Bypass

phpMyFAQ is vulnerable to Authentication Bypass. The vulnerability is due to missing token verification and email confirmation in the password reset endpoint, where attackers can reset arbitrary user passwords without authentication, allowing complete account takeover, including administrative...

8.8CVSS6AI score0.00324EPSS
Exploits0References2Affected Software2
Veracode
Veracode
•added 2026/05/30 8:45 a.m.•7 views

Path Traversal

WWBN AVideo is vulnerable to Path Traversal. The vulnerability is due to improper validation of attacker-controlled URLs in aVideoEncoderReceiveImage.json.php, where crafted same-origin /videos/... requests bypass path restrictions and expose server-local files, allowing authenticated attackers t...

7.6CVSS5.8AI score0.00412EPSS
Exploits0References2Affected Software1
Veracode
Veracode
•added 2026/05/30 8:35 a.m.•6 views

Sensitive Information Disclosure

Grav is vulnerable to Sensitive Information Disclosure. The vulnerability is due to an overly permissive Twig sandbox allow-list, where users with the admin.pages role can invoke config.toArray to expose the site's merged configuration, allowing attackers to retrieve sensitive information such as...

7.7CVSS5.8AI score0.00276EPSS
Exploits1References3Affected Software1
Veracode
Veracode
•added 2026/05/30 8:32 a.m.•7 views

Deserialization Of Untrusted Data

Pimcore is vulnerable to Deserialization Of Untrusted Data. The vulnerability is due to the use of PHP's unserialize function on data from database columns and filesystem files without the allowedclasses restriction, which allows an attacker to inject malicious serialized objects if they can...

8CVSS6AI score0.00202EPSS
Exploits0References5Affected Software1
Veracode
Veracode
•added 2026/05/30 8:30 a.m.•8 views

Server-Side Request Forgery (SSRF)

WWBN AVideo is vulnerable to Server-Side Request Forgery SSRF. The vulnerability is due to an incomplete fix in objects/aVideoEncoder.json.php that allows attacker-controlled downloadURL values with common media and archive file extensions to bypass SSRF validation, which allows an authenticated...

7.1CVSS6AI score0.00206EPSS
Exploits0References1Affected Software1
Veracode
Veracode
•added 2026/05/30 8:20 a.m.•8 views

User Enumeration

phpMyFAQ is vulnerable to an User Enumeration. The vulnerability is due to missing token validation in the user password update API endpoint, which allows an attacker to enumerate valid username and email pairs and send crafted PUT requests to the /api/index.php/user/password/update endpoint to...

8.8CVSS5.9AI score0.00241EPSS
Exploits0References1Affected Software2
Veracode
Veracode
•added 2026/05/30 8:20 a.m.•8 views

Server-Side Request Forgery (SSRF)

Koel is vulnerable to Server-Side Request Forgery SSRF. The vulnerability is due to insufficient validation of podcast episode URLs before they are fetched by the server, which allows an attacker to supply a crafted RSS feed that causes the server to make arbitrary HTTP requests to internal...

7.7CVSS6.1AI score0.00263EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2026/05/30 8:7 a.m.•8 views

SQL Injection

pimcore/pimcore is vulnerable to SQL injection. The vulnerability is due to improper sanitization of user-supplied SQL configuration in the columnConfigAction endpoint, which is concatenated into database queries, allowing an attacker with the reportsconfig permission to execute arbitrary SELECT ...

8.7CVSS6.2AI score0.00027EPSS
Exploits0References6Affected Software1
Veracode
Veracode
•added 2026/05/30 7:26 a.m.•8 views

Path Traversal

compliance-trestle is vulnerable to Path Traversal. The vulnerability is due to improper validation of file paths, which allows an attacker to exploit path traversal and write arbitrary files to unintended locations on the filesystem...

5.9AI score0.0005EPSS
Exploits0References2Affected Software1
Veracode
Veracode
•added 2026/05/30 7:19 a.m.•4 views

Missing Authentication

org.xwiki.platform, xwiki-platform-rest-server is vulnerable to Missing Authentication. The vulnerability is due to the POST /wikis/wikiName API executing a XAR import without performing authentication or authorization checks, which allows an unauthenticated attacker to create or update documents...

9.3CVSS7.1AI score0.00594EPSS
Exploits1References2Affected Software1
Veracode
Veracode
•added 2026/05/30 7:9 a.m.•12 views

Path Traversal

lsfusion.platform, web-client is vulnerable to Path Traversal. The vulnerability is due to improper validation of the sid argument in the UploadFileRequestHandler component, which allows a remote attacker to perform path traversal by manipulating the parameter and accessing files outside the...

9.8CVSS7.2AI score0.00574EPSS
Exploits1References6Affected Software1
Veracode
Veracode
•added 2026/05/30 7:8 a.m.•7 views

Improper Privilege Management

Capsule is vulnerable to Improper Privilege Management. The vulnerability is due to improper handling of cluster-scoped resources in the TenantResource RawItems processing logic, which allows a tenant administrator to exploit the Capsule Controller's cluster-admin privileges to create unauthorize...

9.1CVSS5.8AI score0.0043EPSS
Exploits1References2Affected Software1
Veracode
Veracode
•added 2026/05/30 6:54 a.m.•7 views

Improper Authorization

github.com/fission/fission is vulnerable to improper authorization. The vulnerability is due to the storagesvc component exposing archive CRUD endpoints without performing authentication or authorization checks, which allows an attacker with access to the storagesvc service to enumerate archive...

8.8CVSS6AI score0.00344EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2026/05/30 6:48 a.m.•7 views

Path Traversal

github.com/xyproto/algernon is vulnerable to Path Traversal. The vulnerability is due to DirPage traversing parent directories beyond the configured server root while searching for a handler.lua file, which allows an attacker who can place a malicious handler.lua in an ancestor directory to achie...

9CVSS6.5AI score0.00437EPSS
Exploits0References2Affected Software1
Veracode
Veracode
•added 2026/05/30 6:45 a.m.•7 views

Uncontrolled Resource Consumption

go.opentelemetry.io/obi is vulnerable to Uncontrolled Resource Consumption. The vulnerability is due to inefficient processing of BPF probe run-count deltas during histogram observation replay, which allows an attacker to trigger excessive CPU consumption on busy systems, leading to a...

7.5CVSS5.8AI score0.00319EPSS
Exploits1References2Affected Software1
Veracode
Veracode
•added 2026/05/29 4:37 a.m.•16 views

Stored Cross-Site Scripting (XSS)

TinyMCE is vulnerable to Stored Cross-Site Scripting XSS. The vulnerability is due to improper sanitization of forged mce:protected comments, which allows an attacker to bypass content sanitization and inject malicious scripts that execute when the protected content is restored...

8.7CVSS5.9AI score0.00281EPSS
Exploits0References4Affected Software2
Veracode
Veracode
•added 2026/05/27 1:36 p.m.•13 views

Arbitrary Code Injection

Contour is vulnerable to Arbitrary Code Injection. The vulnerability is due to insufficient sanitization of user-controlled values in cookieRewritePolicies.pathRewrite.value, where values are interpolated into Envoy HTTP Lua filter code using Go text/template, allowing attackers with HTTPProxy...

8.1CVSS6.1AI score0.00481EPSS
Exploits0References8Affected Software1
Veracode
Veracode
•added 2026/05/27 9:11 a.m.•18 views

Improper Access Control

@delmaredigital/payload-puck is vulnerable to Improper Access Control. The vulnerability is due to the use of Payload's local API with overrideAccess: true in /api/puck/ CRUD endpoints, which allows an attacker to bypass collection-level access controls and perform unauthorized actions...

9.8CVSS5.8AI score0.00376EPSS
Exploits1References3Affected Software1
Veracode
Veracode
•added 2026/05/23 6:21 a.m.•5 views

Server-Side Template Injection (SSTI)

Formie is vulnerable to Server-Side Template Injection SSTI. The vulnerability is due to unsafe evaluation of user-supplied values in Hidden fields as Twig templates during submission handling, which allows an unauthenticated attacker to inject malicious template code and potentially compromise t...

9.8CVSS5.8AI score0.00475EPSS
Exploits0References4Affected Software1
Veracode
Veracode
•added 2026/05/23 6:21 a.m.•22 views

Cross-site Scripting (XSS)

phpMyFAQ is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to improper escaping of malformed URLs in Utils::parseUrl, which allows an attacker to inject malicious JavaScript through comments and steal admin session cookies when affected pages are viewed...

8.3CVSS5.8AI score0.00215EPSS
Exploits0References3Affected Software2
Veracode
Veracode
•added 2026/05/23 6:20 a.m.•6 views

Information Exposure

Composer is vulnerable to Information Exposure. The vulnerability is due to improper validation of GitHub OAuth token formats that causes invalid tokens to be written to standard error, which allows an attacker to obtain sensitive authentication tokens from logs when validation fails...

7.5CVSS6.1AI score0.00519EPSS
Exploits0References11Affected Software1
Veracode
Veracode
•added 2026/05/23 6:13 a.m.•15 views

Cross-site Scripting (XSS)

ci4-cms-erp/ci4ms is vulnerable to Cross-site Scripting XSS. The vulnerability is due to improper sanitization and escaping of user-supplied page content before rendering, which allows an attacker to inject malicious scripts that execute in the browsers of visitors and administrators viewing the...

5.9AI score0.00062EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2026/05/23 6:7 a.m.•20 views

Directory Traversal

Python Liquid is vulnerable to Directory Traversal. The vulnerability is due to insufficient validation of absolute file paths in the FileSystemLoader and CachingFileSystemLoader, which allows a malicious template author to load and render arbitrary files outside the configured search paths using...

8.2CVSS5.9AI score0.00335EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2026/05/23 6:1 a.m.•12 views

Path Traversal

.NET Core is vulnerable to Path Traversal. The vulnerability is due to improper handling of specially crafted files, which allows an attacker to write arbitrary files and directories to unintended locations on a vulnerable system...

4.3CVSS5.9AI score0.00711EPSS
Exploits0References3Affected Software4
Veracode
Veracode
•added 2026/05/23 5:59 a.m.•11 views

Path Traversal

Open WebUI is vulnerable to Path Traversal. The vulnerability is due to improper validation and sanitization of uploaded file names derived from HTTP upload requests, which allows an attacker to upload files with crafted dot-segments and traverse outside the intended uploads directory, potentiall...

9.8CVSS5.8AI score0.00336EPSS
Exploits1References1Affected Software1
Veracode
Veracode
•added 2026/05/23 5:57 a.m.•9 views

Improper Resource Shutdown Or Release

UltraJSON is vulnerable to Improper Resource Shutdown or Release. The vulnerability is due to failure to release the serialized JSON string object when a write operation raises an exception in ujson.dump, which allows an attacker to repeatedly trigger failed writes and cause memory exhaustion,...

8.7CVSS5.8AI score0.00421EPSS
Exploits1References3Affected Software1
Veracode
Veracode
•added 2026/05/23 5:55 a.m.•14 views

Denial Of Service (DoS)

Wire is vulnerable to Denial of Service DoS. The vulnerability is due to improper validation of negative lengths in protobuf group-skipping logic, which allows an attacker to trigger an unchecked runtime exception and crash applications processing crafted protobuf payloads...

7.5CVSS5.8AI score0.00055EPSS
Exploits0References10Affected Software2
Veracode
Veracode
•added 2026/05/23 5:55 a.m.•6 views

Improper Integrity Verification

Amazon SageMaker Python SDK is vulnerable to improper integrity verification. The vulnerability is due to missing integrity verification in the Triton inference handler, which allows an authenticated attacker with S3 write access to replace model artifacts with a specially crafted pickle payload...

7.2CVSS6.5AI score0.0039EPSS
Exploits0References5Affected Software1
Veracode
Veracode
•added 2026/05/23 5:51 a.m.•5 views

Cross-Site Scripting (XSS)

github.com/argoproj/argo-cd is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to improper URL validation in link.argocd.argoproj.io/ annotations, which allows an attacker with developer-level access to inject a javascript: URI using the pipe-separator trick and execute arbitrary...

7.3CVSS6.1AI score0.00312EPSS
Exploits0References8Affected Software3
Veracode
Veracode
•added 2026/05/23 5:51 a.m.•16 views

Improper Input Validation

com.ibeetl:beetl-spring-classic is vulnerable to Improper Input Validation. The vulnerability is due to improper neutralization of special elements in expression language statements within the SpELFunction component, which allows an attacker to inject and execute malicious expressions remotely...

7.5CVSS7.2AI score0.00406EPSS
Exploits0References5Affected Software1
Veracode
Veracode
•added 2026/05/23 5:47 a.m.•6 views

Improper Authorization

Open WebUI is vulnerable to improper authorization. The vulnerability is due to improper validation of authorized user roles in the API, which allows a pending user account to bypass intended access restrictions and gain unauthorized access to the web application...

7.3CVSS5.8AI score0.0023EPSS
Exploits1References2Affected Software1
Veracode
Veracode
•added 2026/05/23 5:41 a.m.•7 views

Command Injection

go-git is vulnerable to Command Injection. The vulnerability is due to improper escaping of single quotes in repository paths when constructing SSH remote execution commands, where specially crafted repository paths can break out of the quoted command, allowing attackers to inject and execute...

9.6CVSS6.2AI score0.00365EPSS
Exploits0References2Affected Software1
Veracode
Veracode
•added 2026/05/23 5:41 a.m.•5 views

Integer Overflow

github.com/iskorotkov/avro is vulnerable to integer overflow. The vulnerability is due to improper handling of attacker-controlled 64-bit values, integer truncation, and overflow-prone arithmetic in multiple decoder paths, which allows an attacker to exploit untrusted Avro streams to trigger...

8.7CVSS5.9AI score0.00426EPSS
Exploits0References8Affected Software1
Total number of security vulnerabilities38467