Lucene search
K
VeracodeRecent

38326 matches found

Veracode
Veracode
•added 2025/03/20 4:36 a.m.•16 views

Timing Side-channel Attacks

postquantumfeldmanvss is vulnerable to Timing side-channel attacks. The vulnerability is due to Python's non-constant-time execution model, which causes execution time variations in the findsecurepivot and securematrixsolve functions, allowing attackers to infer secret information through precise...

5.8CVSS6.5AI score0.00218EPSS
Exploits0References5Affected Software1
Veracode
Veracode
•added 2025/03/19 6:44 p.m.•5 views

Deserialization Of Untrusted Data

github.com/cosmos/ibc-go is vulnerable to Deserialization Of Untrusted Data. The vulnerability is due to improper deserialization due to non-deterministic behavior when processing acknowledgments, which can halt the chain if exploited by a user opening an IBC channel...

7AI score
Exploits0
Veracode
Veracode
•added 2025/03/19 6:8 p.m.•21 views

Remote Code Execution (RCE)

graphql-ruby is vulnerable to Remote Code Execution RCE. The vulnerability is due to unsafe schema loading due to the ability to execute arbitrary code when processing a malicious schema definition using GraphQL::Schema.fromintrospection or GraphQL::Schema::Loader.load from an untrusted source...

9CVSS8.6AI score0.02865EPSS
Exploits2References15Affected Software1
Veracode
Veracode
•added 2025/03/19 9:13 a.m.•11 views

Out-of-bounds Read

JSON is vulnerable to an out-of-bounds read. The vulnerability is due to improper handling of specially crafted JSON documents, allowing an attacker to cause a crash or leak sensitive memory contents...

7.5CVSS6.4AI score0.00665EPSS
Exploits0References6Affected Software1
Veracode
Veracode
•added 2025/03/19 8:51 a.m.•10 views

Information Disclosure

net.snowflake, snowflake-jdbc is vulnerable to Information Disclosure. The vulnerability is due to improper logging practices due to the Driver logging the client-side encryption master key locally when the logging level is set to DEBUG during GET/PUT commands, allowing an attacker to retrieve th...

3.3CVSS6.4AI score0.00111EPSS
Exploits0References4Affected Software1
Veracode
Veracode
•added 2025/03/19 8:27 a.m.•19 views

Improper Verification Of Cryptographic Signature

net.i2p.crypto, eddsa, net.i2p, i2p is vulnerable to Improper Verification of Cryptographic Signature. The vulnerability is due to the implementation not satisfying the SUF-CMA property, allowing an attacker to forge alternative valid signatures for a known message...

4.3CVSS6.5AI score0.00133EPSS
Exploits0References5Affected Software2
Veracode
Veracode
•added 2025/03/19 7:55 a.m.•8 views

Denial Of Service

IBC-Go is vulnerable to Denial Of Service. The vulnerability is due to improper handling of JSON unmarshalling for IBC Acknowledgements, allows an attacker to trigger a denial-of-service DoS condition and leads to non-deterministic behavior that can halt the chain...

7AI score
Exploits0
Veracode
Veracode
•added 2025/03/19 4:54 a.m.•16 views

Authentication Bypass

ruby-saml is vulnerable to Authentication Bypass. The vulnerability is due to inconsistent XML parsing due to differences between ReXML and Nokogiri, allowing attackers to execute a Signature Wrapping attack that can bypass authentication...

9.8CVSS7.1AI score0.19506EPSS
Exploits1References16Affected Software1
Veracode
Veracode
•added 2025/03/19 4:15 a.m.•9 views

Use Of A Cryptographic Primitive With A Risky Implementation

postquantumfeldmanvss is vulnerable to Use of a Cryptographic Primitive with a Risky Implementation. The vulnerability is due to ineffective redundancy checks and timing leaks, allowing an attacker to bypass security mechanisms, extract secret polynomial coefficients, and manipulate commitment...

5.4CVSS6.8AI score0.00178EPSS
Exploits0References5Affected Software1
Veracode
Veracode
•added 2025/03/19 4:14 a.m.•11 views

Cross-Site Scripting (XSS)

@jitbit/htmlsanitizer is vulnerable to cross-site scripting. The vulnerability is due to improper sanitization caused by the code beautifier running after sanitation when used with a contentEditable element, allows an attacker to inject and execute malicious scripts in a victim’s browser...

5.3CVSS6.5AI score0.00373EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2025/03/19 4:13 a.m.•11 views

Information Disclosure

parse-git-config is vulnerable to information disclosure. The vulnerability is due to improper handling of key expansion in the expandKeys function, allows an attacker to obtain sensitive information...

7.5CVSS6AI score0.00437EPSS
Exploits1References2Affected Software1
Veracode
Veracode
•added 2025/03/19 4:12 a.m.•7 views

Local Code Execution (LCE)

XPixelGroup BasicSR is vulnerable to local code execution. The vulnerability is due to improper handling of a crafted SLURMNODELIST environment variable when executing "scontrol show hostname", allowing crafted input to influence command execution...

5.3CVSS7.4AI score0.00191EPSS
Exploits0References4Affected Software1
Veracode
Veracode
•added 2025/03/18 10:53 a.m.•13 views

Remote Code Execution (RCE)

github.com/plentico/plenti is vulnerable to Remote Code Execution RCE. The vulnerability is due to improper handling of user-supplied file names in the /postLocal endpoint, allowing arbitrary JavaScript execution...

8.8CVSS7.3AI score0.00696EPSS
Exploits1References8Affected Software1
Veracode
Veracode
•added 2025/03/18 8:53 a.m.•11 views

Authentication Bypass

ruby-saml is vulnerable to Authentication Bypass. The vulnerability is due to a parser differential between ReXML and Nokogiri, allowing an attacker to execute a Signature Wrapping attack and potentially gain unauthorized access...

9.8CVSS7.5AI score0.63792EPSS
Exploits1References16Affected Software1
Veracode
Veracode
•added 2025/03/18 7:50 a.m.•14 views

Out-of-Memory (OOM)

io.smallrye, smallrye-fault-tolerance-core is vulnerable to an out-of-memory OOM. The vulnerability is due to uncontrolled object creation in meterMap when calling the metrics URI, allowing an attacker to trigger excessive memory consumption and cause a denial of service DoS condition...

7.5CVSS6.5AI score0.00908EPSS
Exploits0References11Affected Software1
Veracode
Veracode
•added 2025/03/18 2:47 a.m.•7 views

Cross-Site Scripting (XSS)

org.apache.felix, org.apache.felix.http.webconsoleplugin is vulnerable to cross-site scripting XSS. The vulnerability is due to improper neutralization of user input during web page generation, allowing an attacker to inject and execute malicious scripts in a victim’s browser through improperly...

5.6CVSS6.2AI score0.00512EPSS
Exploits0References4Affected Software1
Veracode
Veracode
•added 2025/03/18 2:46 a.m.•20 views

Information Disclosure

org.apache.nifi, nifi-mongodb-services is vulnerable to information disclosure. The vulnerability is due to the inclusion of MongoDB authentication credentials in NiFi provenance event records, allowing authorized users to access sensitive information...

6.9CVSS6.5AI score0.01135EPSS
Exploits0References6Affected Software1
Veracode
Veracode
•added 2025/03/18 2:45 a.m.•8 views

Session Hijacking

flarum/core is vulnerable to Session Hijacking. The vulnerability is due to improper scoping of cookies, allowing an attacker-controlled subdomain to set cookies for the parent domain...

6.8CVSS6.7AI score0.00463EPSS
Exploits0References5Affected Software2
Veracode
Veracode
•added 2025/03/18 2:44 a.m.•12 views

Improper Hostname Validation

golang.org/x/net is vulnerable to improper hostname validation. The vulnerability is due to improper handling of IPv6 zone IDs in host matching against proxy patterns, allowing an attacker to bypass proxy restrictions and potentially send traffic through unintended network paths...

4.4CVSS6.6AI score0.00384EPSS
Exploits2References9Affected Software3
Veracode
Veracode
•added 2025/03/17 5:53 p.m.•12 views

Improper Authentication

Ratify is vulnerable to Improper Authentication. The vulnerability is due to insufficient registry validation due to the Azure authentication providers failing to verify that the target registry is an Azure Container Registry ACR before exchanging an Entra ID EID token, potentially exposing token...

7.2CVSS6.8AI score0.00445EPSS
Exploits0References4Affected Software2
Veracode
Veracode
•added 2025/03/17 5:44 p.m.•13 views

Improper Authorization

Umbraco.Cms.Api.Management is vulnerable to improper access control. The vulnerability is due to insufficient API access restrictions due to low-privilege authenticated users being able to create and update data type information meant for higher-privilege users...

4.3CVSS6.3AI score0.00298EPSS
Exploits0References5Affected Software1
Veracode
Veracode
•added 2025/03/17 5:1 p.m.•13 views

Incorrect Authorization

Umbraco.Cms.Web.Backoffice is vulnerable to Incorrect Authorization. The vulnerability is due to improper access control due to manipulation of backoffice API URLs, allowing authenticated users to retrieve or delete restricted content...

6.4CVSS6.6AI score0.0028EPSS
Exploits0References5Affected Software1
Veracode
Veracode
•added 2025/03/17 9:32 a.m.•14 views

Privilege Escalation

ASP.NET is vulnerable to Privilege Escalation. The vulnerability is due to improper authentication mechanisms due to insufficient validation, allowing an unauthorized attacker to elevate privileges over a network...

7CVSS6.8AI score0.00911EPSS
Exploits1References5Affected Software15
Veracode
Veracode
•added 2025/03/17 4:59 a.m.•6 views

Signature Confusion Attack

simplesamlphp/saml2 is vulnerable to a Signature Confusion Attack. The vulnerability is due to improper validation in the HTTP-Redirect binding, which allows an attacker with any signed SAMLResponse to trick the application into accepting an unsigned message...

8.6CVSS6.5AI score0.00296EPSS
Exploits0References7Affected Software2
Veracode
Veracode
•added 2025/03/17 4:54 a.m.•7 views

Path Traversal

Mock API configuration is vulnerable to Path Traversal. The vulnerability is due to improper handling of user input in templating features, which allows attackers to manipulate file paths and access arbitrary files on the mock server filesystem...

7.1AI score
Exploits0
Veracode
Veracode
•added 2025/03/17 4:52 a.m.•28 views

Remote Code Execution (RCE)

promptflowcore is vulnerable to Remote Code Execution RCE. The vulnerability is due to improper isolation caused by a lack of compartmentalization, allowing an unauthorized attacker to execute code over a network...

6.5CVSS8.1AI score0.00492EPSS
Exploits0References5Affected Software2
Veracode
Veracode
•added 2025/03/17 4:51 a.m.•7 views

Arbitrary Code Execution (ACE)

Keras is vulnerable to Arbitrary Code Execution ACE. The vulnerability is due to insecure deserialization, where the Model.loadmodel function processes a malicious .keras archive, allowing arbitrary Python modules and functions to be executed by modifying the config.json file...

9.8CVSS7.1AI score0.02803EPSS
Exploits3References6Affected Software1
Veracode
Veracode
•added 2025/03/17 3:59 a.m.•11 views

Remote Denial Of Service (DoS)

ruby-saml is vulnerable to remote Denial of Service DoS. The vulnerability is due to the message size check being performed before decompression, allowing attackers to bypass it using compressed SAML responses...

8.7CVSS6.8AI score0.01359EPSS
Exploits1References14Affected Software1
Veracode
Veracode
•added 2025/03/17 3:58 a.m.•9 views

Account Duplication Via Email Reuse

froxlor/froxlor is vulnerable to Account duplication via email reuse. The vulnerability is due to improper validation of email uniqueness, allowing authenticated users to create multiple accounts with the same email address as existing accounts, potentially leading to security issues...

7.8CVSS7AI score0.00272EPSS
Exploits1References5Affected Software1
Veracode
Veracode
•added 2025/03/17 3:55 a.m.•3 views

HTML Injection

froxlor/froxlor is vulnerable to HTML Injection. The vulnerability is due to lack of proper input sanitization and output encoding, allowing malicious HTML payloads to be injected and executed in the customer account portal...

6.8AI score
Exploits0
Veracode
Veracode
•added 2025/03/17 3:52 a.m.•7 views

Regular Expression Denial Of Service (ReDoS)

Babel is vulnerable to Regular Expression Denial of Service ReDoS. The vulnerability is due to quadratic complexity in the .replace method polyfill when compiling regular expression named capturing groups, allowing an attacker to cause excessive processing time with crafted input...

6.2CVSS6.5AI score0.00478EPSS
Exploits0References3Affected Software6
Veracode
Veracode
•added 2025/03/13 7:32 p.m.•7 views

XML External Entity (XXE) Injection

io.github.robothy:local-s3-rest is vulnerable to XML External Entity XXE Injection. The vulnerability is due to improper XML parsing due to the service resolving external entities in the CreateBucketConfiguration XML document, allowing attackers to perform server-side request forgery SSRF and lea...

6.9CVSS6.7AI score0.00497EPSS
Exploits1References4Affected Software1
Veracode
Veracode
•added 2025/03/13 1:24 p.m.•26 views

Path Equivalence

Apache Tomcat is vulnerable to Path Equivalence. The vulnerability is due to improper handling of internal dot notation in file names due to inadequate validation in the Default Servlet, allowing remote code execution, information disclosure, or unauthorized file modifications when specific...

10CVSS9.2AI score0.99945EPSS
Exploits46References15Affected Software2
Veracode
Veracode
•added 2025/03/13 10:4 a.m.•10 views

Arbitrary Code Execution (ACE)

PickleScan is vulnerable to Arbitrary Code Execution ACE. The vulnerability is due to PickleScan failing to detect malicious pickle files when specific ZIP file flag bits are modified, allowing attackers to embed harmful pickle files that remain unnoticed while still being loaded by PyTorch’s...

9.8CVSS7AI score0.00512EPSS
Exploits1References7Affected Software1
Veracode
Veracode
•added 2025/03/13 9:33 a.m.•11 views

SQL Injection

pimcore/pimcore is vulnerable to SQL injection. The vulnerability is due to improper input sanitization and lack of parameterized queries, allowing an attacker to manipulate database queries, extract sensitive data, modify records, or escalate privileges...

8.8CVSS7.7AI score0.00449EPSS
Exploits0References5
Veracode
Veracode
•added 2025/03/13 8:19 a.m.•12 views

Origin Validation Error

Rembg is vulnerable to Origin Validation Error. The vulnerability is due to improper CORS middleware configuration, which reflects all origins and sets allowcredentials to True, allowing any website to send authenticated cross-site requests to the Rembg server...

8.7CVSS6.8AI score0.00179EPSS
Exploits1References4Affected Software1
Veracode
Veracode
•added 2025/03/13 8:7 a.m.•13 views

Server Side Request Forgery (SSRF)

Rembg is vulnerable to Server Side Request Forgery SSRF. The vulnerability is due to insufficient validation of user-supplied URLs, allowing an attacker to request internal network resources via the /api/remove endpoint...

7.5CVSS7AI score0.00485EPSS
Exploits1References3Affected Software1
Veracode
Veracode
•added 2025/03/13 6:5 a.m.•11 views

Insertion Of Sensitive Information Into Log File

github.com/hashicorp/nomad is vulnerable to Insertion of Sensitive Information into Log File. The vulnerability is due to improper logging practices due to workload identity and client secret tokens being recorded in audit logs...

6.5CVSS6.6AI score0.00449EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2025/03/13 5:11 a.m.•8 views

Cross-site Scripting (XSS)

Concrete CMS is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to improper input sanitization due to the "Add Folder" functionality allowing a rogue admin to inject XSS payloads as folder names...

4.8CVSS5.5AI score0.003EPSS
Exploits0References5Affected Software1
Veracode
Veracode
•added 2025/03/13 3:28 a.m.•9 views

Insufficient Verification Of Data Authenticity

PickleScan is vulnerable to Insufficient Verification of Data Authenticity. The vulnerability is due to a discrepancy in filename handling due to differences between ZIP header filenames and directory listing filenames, which allows an attacker to bypass detection by causing PickleScan to crash...

6.5CVSS6.6AI score0.00307EPSS
Exploits1References7Affected Software1
Veracode
Veracode
•added 2025/03/13 3:24 a.m.•8 views

Stored Cross-site Scripting (XSS)

github.com/lf-edge/ekuiper is vulnerable to Stored Cross-site Scripting XSS. The vulnerability is due to improper input validation in the rule id parameter, allowing an attacker with modification rights to inject a malicious payload that executes in the victim's browser when the rule is modified...

5.4CVSS6AI score0.00313EPSS
Exploits0References10Affected Software1
Veracode
Veracode
•added 2025/03/13 3:23 a.m.•7 views

Repository Takeover

github.com/go-vela/server is vulnerable to Repository Takeover. The vulnerability is due to improper validation of webhook headers and body data, allowing an attacker to forge requests and transfer repository ownership along with its secrets...

8.5CVSS6.7AI score0.00246EPSS
Exploits0References6Affected Software1
Veracode
Veracode
•added 2025/03/13 3:22 a.m.•5 views

Remote Code Execution (RCE)

plotai is vulnerable to Remote Code Execution RCE. The vulnerability is due to a lack of validation of LLM-generated output, which allows an attacker to execute arbitrary Python code...

9.8CVSS7.9AI score0.00952EPSS
Exploits0References6Affected Software1
Veracode
Veracode
•added 2025/03/12 10:46 a.m.•11 views

Authentication Bypass

github.com/fleetdm/fleet is vulnerable to Authentication Bypass. The vulnerability is due to insufficient validation of SAML authentication assertions, allowing an attacker to forge responses and create unauthorized accounts if Just-In-Time JIT provisioning or MDM enrollment is enabled...

9.3CVSS6.9AI score0.00623EPSS
Exploits0References4Affected Software1
Veracode
Veracode
•added 2025/03/12 10:37 a.m.•11 views

Path Traversal

Rack is vulnerable to Path Traversal. The vulnerability is due to improper input validation due to Rack::Static not correctly sanitizing user-supplied paths, allowing encoded path traversal sequences to access files outside the intended static file directory...

7.5CVSS6.6AI score0.01068EPSS
Exploits0References6Affected Software1
Veracode
Veracode
•added 2025/03/12 10:34 a.m.•16 views

Cross-Site Request Forgery (CSRF)

org.jenkins-ci.main, jenkins-core is vulnerable to Cross-site request forgery CSRF. The vulnerability is due to improper request validation, which allows unauthorized state changes in Jenkins' UI when a user unknowingly triggers a malicious request...

5.4CVSS6.6AI score0.0041EPSS
Exploits0References4Affected Software1
Veracode
Veracode
•added 2025/03/12 10:23 a.m.•4 views

Server-Side Request Forgery (SSRF)

Axios is vulnerable to Server-Side Request Forgery SSRF. The vulnerability is due to improper handling of absolute URLs, which causes axios to send requests directly to the specified absolute URL instead of respecting the baseURL, potentially leading to SSRF and exposing sensitive credentials...

8.7CVSS6.2AI score0.00759EPSS
Exploits1References5Affected Software1
Veracode
Veracode
•added 2025/03/12 10:20 a.m.•8 views

Open Redirect

org.jenkins-ci.main, jenkins-core is vulnerable to Open redirect. The vulnerability is due to improper URL validation, allowing redirects starting with backslash characters, which browsers interpret as scheme-relative redirects, enabling phishing attacks...

4.3CVSS6.6AI score0.00581EPSS
Exploits0References4Affected Software1
Veracode
Veracode
•added 2025/03/12 9:9 a.m.•11 views

Prototype Pollution

Vue I18n is vulnerable to Prototype Pollution. The vulnerability is due to improper input handling in the handleFlatJson function, allowing an attacker to modify the global prototype chain, potentially leading to denial of service DoS or more severe injection-based attacks...

9.3CVSS6.5AI score0.00557EPSS
Exploits0References10Affected Software6
Veracode
Veracode
•added 2025/03/12 8:52 a.m.•11 views

Improper Verification Of Cryptographic Signature

dotnet-debugger-extensions, dotnet-dump and dotnet-sos are vulnerable to Improper Verification of Cryptographic Signature. The vulnerability is due to insufficient validation mechanisms, allowing an authorized attacker to execute code over a network...

7.5CVSS7.1AI score0.00851EPSS
Exploits0References5Affected Software3
Total number of security vulnerabilities38326