38326 matches found

Veracode • added 2025/04/16 6:17 a.m.

Prototype Pollution

tarteaucitron.js is vulnerable to prototype pollution. The vulnerability is due to improper input validation in the addOrUpdate function within the file tarteaucitron.js, which allowed manipulation of JavaScript object prototypes...

CVSS 6.6 • AI score 6.6 • EPSS 0.003
Exploits 0 • References 3 • Affected Software 1
Veracode • added 2025/04/16 6:16 a.m.

Clickjacking

tarteaucitronjs is vulnerable to clickjacking. The vulnerability is due to improper validation of user-controlled CSS inputs for element dimensions, allowing attackers to overlay the viewport with malicious elements...

CVSS 6.6 • AI score 6.7 • EPSS 0.00233
Exploits 0 • References 3 • Affected Software 1
Veracode • added 2025/04/16 6:15 a.m.

Arbitrary Code Execution (ACE)

Tarteaucitron.js is vulnerable to Arbitrary Code Execution (ACE). The vulnerability is due to insufficient URL validation, allowing a user with high privileges to input a URL with an insecure scheme, such as javascript:alert, which could lead to arbitrary JavaScript execution when clicked...

CVSS 4.8 • AI score 7.1 • EPSS 0.00307
Exploits 0 • References 4 • Affected Software 1
Veracode • added 2025/04/16 6:14 a.m.

Authentication Bypass

org.graylog2, graylog2-server is vulnerable to Authentication Bypass. The vulnerability is due to HTTP Inputs not correctly rejecting messages when a specified header is missing or has an incorrect value, allowing the message to be ingested despite returning a 401 HTTP response...

CVSS 6.5 • AI score 6.7 • EPSS 0.00289
Exploits 0 • References 4 • Affected Software 1
Veracode • added 2025/04/16 3:12 a.m.

Unsafe Deserialization

picklescan is vulnerable to Unsafe Deserialization. The vulnerability is due to the ability to exploit built-in functions in the NumPy library that indirectly invoke dangerous functions like exec, allowing execution of arbitrary Python or OS commands...

AI score 7.3
Exploits 0
Veracode • added 2025/04/16 3:12 a.m.

Deserialization Attack

Picklescan is vulnerable to Deserialization Attack. The vulnerability is due to insecure deserialization: Picklescan fails to detect malicious pickles, which allows an attacker to exfiltrate sensitive information via DNS...

AI score 6.7
Exploits 0
Veracode • added 2025/04/16 3:05 a.m.

Server Side Request Forgery (SSRF)

LNbits is vulnerable to Server-Side Request Forgery (SSRF). The vulnerability is due to improper validation of callback URLs in the LNURL authentication handling functionality, allowing attackers to access internal resources by specifying internal network addresses...

CVSS 9.3 • AI score 6.9 • EPSS 0.00604
Exploits 2 • References 4 • Affected Software 1
Veracode • added 2025/04/15 10:22 a.m.

Remote Code Execution (RCE)

Picklescan is vulnerable to Remote Code Execution (RCE). The vulnerability is due to insufficient detection of dangerous deserialization behavior: security checks can be bypassed by invoking benign built-in functions like timeit.timeit in the __reduce__ method, which are not blacklisted and allow...

AI score 8.4
Exploits 0
Veracode • added 2025/04/15 7:19 a.m.

SQL Injection

apache-airflow-providers-common-sql is vulnerable to SQL Injection. The vulnerability is due to improper input sanitization: unescaped input in the partition_clause parameter of SQLTableCheckOperator allows authenticated users to inject arbitrary SQL when triggering DAGs...

CVSS 8.8 • AI score 7 • EPSS 0.00776
Exploits 0 • References 8 • Affected Software 1
Veracode • added 2025/04/15 7:10 a.m.

Missing Authentication For Critical Function

Langflow is vulnerable to Missing Authentication for Critical Function. The vulnerability is due to improper input validation: unsanitized user input is passed to the /api/v1/validate/code endpoint, allowing arbitrary code execution...

CVSS 9.8 • AI score 7.2 • EPSS 0.99968
Exploits 33 • References 9 • Affected Software 2
Veracode • added 2025/04/15 6:26 a.m.

Denial Of Service (DoS)

@apeleghq/asn1-der is vulnerable to Denial of Service (DoS). The vulnerability is due to incorrect arithmetic in the numBitLen function due to the use of the operator causing negative results for values between 2³¹ and 2³²-1, and attackers can exploit this to trigger an infinite loop and cause a...

CVSS 6.9 • AI score 6.6 • EPSS 0.00209
Exploits 0 • References 2 • Affected Software 1
Veracode • added 2025/04/15 3:58 a.m.

Incorrect Authorization

api-platform/core is vulnerable to Incorrect Authorization. The vulnerability is due to improper access control caused by the use of the Relay special node type, which allows bypassing the configured security on an operation...

CVSS 7.5 • AI score 6.8 • EPSS 0.00409
Exploits 0 • References 9 • Affected Software 2
Veracode • added 2025/04/15 3:56 a.m.

Command Injection

jupyterlab-git is vulnerable to Command Injection. The vulnerability is due to improper handling of shell command substitution in directory names when using cd through the shell, which allows an attacker to execute arbitrary commands without user consent...

CVSS 7.4 • AI score 7.7 • EPSS 0.00543
Exploits 0 • References 6 • Affected Software 1
Veracode • added 2025/04/15 3:55 a.m.

Cross-Site Request Forgery (CSRF)

concrete5/concrete5 is vulnerable to Cross-Site Request Forgery (CSRF). The vulnerability is due to insufficient sanitization: addresses are not properly sanitized in the output when a country is not specified. It allows an attacker with limited permissions to glean restricted information,...

CVSS 6.5 • AI score 6.6 • EPSS 0.00155
Exploits 0 • References 6 • Affected Software 1
Veracode • added 2025/04/15 3:41 a.m.

Insecure Deserialization

lmdeploy is vulnerable to Insecure Deserialization. The vulnerability is due to unsafe handling in the load_weight_ckpt function of the file lmdeploy/lmdeploy/vl/model/utils.py of the component PT File Handler, allowing local attackers to exploit it...

CVSS 7.8 • AI score 6.5 • EPSS 0.00279
Exploits 1 • References 7 • Affected Software 1
Veracode • added 2025/04/15 3:40 a.m.

Remote Code Execution (RCE)

generator-jhipster-entity-audit is vulnerable to Remote Code Execution (RCE). The vulnerability is due to unsafe reflection caused by using Javers as the Entity Audit Framework, which allows malicious classes on the classpath to be exploited through exposed REST endpoints...

CVSS 7.6 • AI score 7.3 • EPSS 0.00457
Exploits 0 • References 4 • Affected Software 1
Veracode • added 2025/04/15 3:40 a.m.

Improper Cache Key Handling

api-platform/core is vulnerable to Improper Cache Key Handling. The vulnerability is due to the isCacheKeySafe method not effectively preventing caching when followed by the parent::normalize call, which may allow an attacker to access unauthorized data...

CVSS 7.5 • AI score 6.6 • EPSS 0.00411
Exploits 0 • References 8 • Affected Software 2
Veracode • added 2025/04/15 3:40 a.m.

Cross-Site Scripting (XSS)

pgadmin4 is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to lack of input/output encoding when rendering query results, which allows an attacker to execute arbitrary HTML or JavaScript in the victim's browser...

CVSS 9.1 • AI score 6.4 • EPSS 0.00302
Exploits 0 • References 4 • Affected Software 1
Veracode • added 2025/04/14 10:58 a.m.

Remote Code Execution (RCE)

pgAdmin4 is vulnerable to Remote Code Execution (RCE). The vulnerability is due to unsafe use of Python's eval function on unsanitized input in the querycommitted and highavailability parameters on two POST endpoints...

CVSS 9.9 • AI score 7.4 • EPSS 0.39067
Exploits 7 • References 4 • Affected Software 1
Veracode • added 2025/04/14 10:49 a.m.

Improper Verification Of Cryptographic Signature

github.com/minio/minio is vulnerable to authorization bypass. The vulnerability is due to improper signature verification: arbitrary secrets can be used to upload objects if the attacker has prior WRITE permissions and access to the access key and bucket name...

CVSS 8.7 • AI score 6.5 • EPSS 0.02327
Exploits 0 • References 4 • Affected Software 1
Veracode • added 2025/04/14 10:28 a.m.

Remote Code Execution (RCE)

BentoML is vulnerable to Remote Code Execution (RCE). The vulnerability is due to insecure deserialization in an unsafe code segment in serde.py that allows arbitrary code execution by unauthenticated users...

CVSS 9.8 • AI score 8.2 • EPSS 0.44358
Exploits 5 • References 4 • Affected Software 1
Veracode • added 2025/04/14 8:00 a.m.

Cross-Site Scripting (XSS)

react-draft-wysiwyg is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to improper input sanitization or escaping of user-provided data in the Embedded button functionality, allowing malicious payloads to be executed when the data is saved in the tag...

CVSS 6.1 • AI score 6.3 • EPSS 0.00214
Exploits 0 • References 2 • Affected Software 1
Veracode • added 2025/04/14 7:48 a.m.

Prototype Pollution

expand-object is vulnerable to Prototype Pollution. The vulnerability is due to improper input validation in the expand function in index.js, which expands strings into objects without filtering out sensitive properties like __proto__, and allows attackers to manipulate object prototypes, potentially...

CVSS 7.3 • AI score 6.7 • EPSS 0.00364
Exploits 0 • References 3 • Affected Software 1
Veracode • added 2025/04/14 7:35 a.m.

Buffer Overflow

bigint-buffer is vulnerable to Buffer Overflow. The vulnerability is due to improper bounds checking in the toBigIntLE function, which allows attackers to cause a buffer overflow and potentially crash the application...

CVSS 8.7 • AI score 7.1 • EPSS 0.00526
Exploits 0 • References 4 • Affected Software 1
Veracode • added 2025/04/14 7:09 a.m.

Server Side Request Forgery (SSRF)

spatie/browsershot is vulnerable to Server-Side Request Forgery (SSRF). The vulnerability is due to a missing restriction on user input in the setUrl function, allowing attackers to access localhost and list its directories...

CVSS 8.8 • AI score 6.7 • EPSS 0.00302
Exploits 0 • References 4 • Affected Software 1
Veracode • added 2025/04/14 5:35 a.m.

Missing Authorization

goalgorilla/opensocial is vulnerable to Missing Authorization. The vulnerability is due to insufficient access control checks that allow unauthorized users to access restricted resources...

CVSS 8.1 • AI score 6.6 • EPSS 0.00355
Exploits 0 • References 5 • Affected Software 1
Veracode • added 2025/04/14 4:10 a.m.

Information Disclosure

api-platform/core is vulnerable to Information Disclosure. The vulnerability is due to improper handling of exception messages: non-HTTP exceptions are not sanitized and are directly included in the JSON error response, which allows potentially sensitive internal information to be exposed to...

CVSS 5.3 • AI score 6.2 • EPSS 0.00332
Exploits 0 • References 5 • Affected Software 1
Veracode • added 2025/04/14 4:09 a.m.

Cross-Site Scripting (XSS)

drupal/core is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to improper neutralization of input during web page generation, allowing malicious scripts to be executed in the context of a user's browser...

CVSS 6.1 • AI score 6.1 • EPSS 0.00267
Exploits 0 • References 3 • Affected Software 1
Veracode • added 2025/04/14 4:08 a.m.

Missing Authorization

goalgorilla/opensocial is vulnerable to Missing Authorization. The vulnerability is due to insufficient access control mechanisms in Open Social, which fail to properly enforce user authorization, allowing unauthorized users to bypass restrictions and access sensitive resources through forceful...

CVSS 9.1 • AI score 6.5 • EPSS 0.00338
Exploits 0 • References 5 • Affected Software 1
Veracode • added 2025/04/14 4:06 a.m.

Denial Of Service (DoS)

image-size is vulnerable to Denial of Service (DoS). The vulnerability is due to an infinite loop when processing image boxes with size 0, which allows an attacker to cause the application to hang...

AI score 6.9
Exploits 0
Veracode • added 2025/04/11 11:32 a.m.

Improper Authorization

Jenkins is vulnerable to Improper Authorization. The vulnerability is due to missing permission checks in an HTTP endpoint, allowing attackers with only Computer/Create permission to copy an agent and gain unauthorized access to its configuration...

CVSS 4.3 • AI score 6.6 • EPSS 0.00375
Exploits 0 • References 3 • Affected Software 1
Veracode • added 2025/04/11 9:10 a.m.

Denial Of Service (DoS)

Django is vulnerable to Denial of Service (DoS). The vulnerability is due to inefficient Unicode normalization (slow NFKC normalization on Windows), which allows attackers to send specially crafted inputs with a large number of Unicode characters to exhaust server resources...

CVSS 7.5 • AI score 7 • EPSS 0.00928
Exploits 1 • References 11 • Affected Software 1
Veracode • added 2025/04/11 6:26 a.m.

Deserialization Of Untrusted Data

io.jooby, jooby-pac4j is vulnerable to Deserialization Of Untrusted Data. The vulnerability is due to insecure deserialization logic in the SessionStoreImpl.get method, which allows processing of untrusted input...

CVSS 8.8 • AI score 6.6 • EPSS 0.0057
Exploits 0 • References 6 • Affected Software 1
Veracode • added 2025/04/11 6:12 a.m.

Server Side Request Forgery (SSRF)

shopxo/shopxo is vulnerable to Server Side Request Forgery (SSRF). The vulnerability is due to insufficient input validation and sanitization in multiple places, allowing unauthorized requests and script injection...

CVSS 6.5 • AI score 6.7 • EPSS 0.00212
Exploits 1 • References 3 • Affected Software 1
Veracode • added 2025/04/11 5:19 a.m.

Remote Code Execution

@tauri-apps/plugin-shell is vulnerable to Remote Code Execution. The vulnerability is due to insufficient input validation in the /console/dashboard/executorCount?zkClusterKey component, allowing a remote attacker to execute arbitrary code...

CVSS 9.8 • AI score 7.7 • EPSS 0.00885
Exploits 1 • References 4 • Affected Software 1
Veracode • added 2025/04/11 5:09 a.m.

SQL Injection

com.vip.saturn, saturn-console is vulnerable to SQL Injection. The vulnerability is due to insufficient input validation in the /console/dashboard/executorCount?zkClusterKey component, allowing remote attackers to execute arbitrary code...

CVSS 9.8 • AI score 8.5 • EPSS 0.29125
Exploits 0 • References 3 • Affected Software 1
Veracode • added 2025/04/11 3:29 a.m.

Privilege Escalation

github.com/rancher/rancher is vulnerable to Privilege Escalation. The vulnerability is due to improper access control that allows Restricted Administrators to change the passwords of higher-privileged users without having the Manage Users permission...

CVSS 9.1 • AI score 6.6 • EPSS 0.00408
Exploits 0
Veracode • added 2025/04/11 3:25 a.m.

Server Side Request Forgery (SSRF)

shopxo/shopxo is vulnerable to Server-Side Request Forgery (SSRF). The vulnerability is due to insufficient validation of user-supplied URLs in the Email Settings feature, allowing attackers to manipulate the server into making arbitrary requests to internal or external resources...

CVSS 6.3 • AI score 7.1 • EPSS 0.00265
Exploits 1 • References 3 • Affected Software 1
Veracode • added 2025/04/11 3:24 a.m.

Server Side Request Forgery (SSRF)

shopxo/shopxo is vulnerable to Server-Side Request Forgery (SSRF). The vulnerability is due to insufficient validation of user-supplied URLs in the image upload function, allowing attackers to craft requests that the server executes on their behalf...

CVSS 6.3 • AI score 6.7 • EPSS 0.00265
Exploits 1 • References 3 • Affected Software 1
Veracode • added 2025/04/11 3:22 a.m.

Arbitrary Code Execution (ACE)

org.apache.parquet, parquet-avro is vulnerable to Arbitrary Code Execution (ACE). The vulnerability is due to unsafe deserialization during schema parsing in the parquet-avro module, which allows bad actors to execute arbitrary code...

CVSS 10 • AI score 7.5 • EPSS 0.3884
Exploits 9 • References 12 • Affected Software 1
Veracode • added 2025/04/10 5:55 p.m.

Authorization Bypass

org.apache.activemq:artemis-server is vulnerable to Authorization Bypass. The vulnerability is due to improper permission enforcement: users are able to augment the routing-type of an address without having the necessary createAddress permission, potentially allowing unauthorized message...

CVSS 4.3 • AI score 6.5 • EPSS 0.0054
Exploits 0 • References 7 • Affected Software 1
Veracode • added 2025/04/10 7:59 a.m.

Host Header Injection

@react-router/express, @remix-run/express is vulnerable to Host Header Injection. The vulnerability exists due to improper validation of the Host and X-Forwarded-Host headers, allowing attackers to spoof the request URL by injecting a pathname into the port section of the header...

CVSS 7.5 • AI score 7.4 • EPSS 0.01128
Exploits 0 • References 3 • Affected Software 2
Veracode • added 2025/04/10 7:26 a.m.

Object Injection

drupal/core is vulnerable to Object Injection. The vulnerability is due to improperly controlled modification of dynamically-determined object attributes, which allows attackers to inject and manipulate objects within the application...

CVSS 7.5 • AI score 7.1 • EPSS 0.005
Exploits 0 • References 3 • Affected Software 1
Veracode • added 2025/04/10 7:21 a.m.

Authentication Bypass

Apache Pinot is vulnerable to Authentication Bypass. The vulnerability is due to improper request path validation: the application fails to enforce authentication when the request path contains a semicolon (;) and lacks a forward slash (/), allowing unauthorized user creation...

CVSS 9.8 • AI score 7 • EPSS 0.7819
Exploits 0 • References 7 • Affected Software 4
Veracode • added 2025/04/10 6:55 a.m.

Cross-Site Scripting (XSS)

drupal/core is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to improper neutralization of user-supplied input during web page generation, which allows malicious scripts to be executed in the context of a user's browser...

CVSS 5.4 • AI score 6 • EPSS 0.00425
Exploits 0 • References 5 • Affected Software 1
Veracode • added 2025/04/10 6:36 a.m.

Private Data Structure Returned From A Public Method

github.com/apache/answer is vulnerable to Private Data Structure Returned From A Public Method. The vulnerability is due to the application allowing external content to be loaded without restriction, allowing an attacker to track or identify users by collecting their IP addresses through...

CVSS 6.5 • AI score 6.6 • EPSS 0.00811
Exploits 0 • References 9 • Affected Software 1
Veracode • added 2025/04/10 5:47 a.m.

Path Traversal

YesWiki is vulnerable to Path Traversal. The vulnerability is due to insufficient input validation: the squelette parameter is not properly sanitized, allowing unauthorized file read access on the server...

CVSS 8.6 • AI score 6.4 • EPSS 0.05401
Exploits 6 • References 4 • Affected Software 1
Veracode • added 2025/04/10 5:24 a.m.

Incorrect Authorization

drupal/core package is vulnerable to Incorrect Authorization. The vulnerability is due to insufficient access controls. This allows forceful browsing in certain core versions, enabling attackers to access restricted resources...

CVSS 4.6 • AI score 6.5 • EPSS 0.00272
Exploits 0 • References 3 • Affected Software 1
Veracode • added 2025/04/10 4:39 a.m.

IP Address Spoofing

github.com/phires/go-guerrilla is vulnerable to IP Address Spoofing. The vulnerability is due to improper enforcement of the PROXY protocol: the server accepts multiple PROXY commands, allowing clients to override the original IP address...

CVSS 5.3 • AI score 6.6 • EPSS 0.00332
Exploits 0 • References 4 • Affected Software 1
Veracode • added 2025/04/10 4:38 a.m.

Remote Code Execution (RCE)

github.com/jaredallard/archives is vulnerable to Remote Code Execution (RCE). The vulnerability is due to improper archive parsing: insufficient validation of specially crafted archive files allows an attacker to execute arbitrary code or modify files in the context of the user running...

AI score 8.5
Exploits 0

Total number of security vulnerabilities: 38326