Lucene search
+L
VeracodeRecent

38467 matches found

Veracode
Veracode
added 2026/05/16 5:22 a.m.11 views

Mass Assignment

Flowise is vulnerable to Mass Assignment. The vulnerability is due to missing server-side validation and authorization checks in the assistant update endpoint, which allows an authenticated attacker to manipulate server-controlled properties such as workspaceId and reassign assistants to arbitrar...

9.6CVSS5.9AI score0.00274EPSS
Exploits1References4Affected Software1
Veracode
Veracode
added 2026/05/16 5:22 a.m.12 views

OS Command Injection

github.com/kubeai-project/kubeai is vulnerable to OS Command Injection. The vulnerability is due to the ollamaStartupProbeScript function constructing a shell command with unsanitized model URL components ref and modelParam and executing it via bash -c, which allows an attacker with permission to...

8.8CVSS5.9AI score0.00448EPSS
Exploits3References2Affected Software1
Veracode
Veracode
added 2026/05/16 5:22 a.m.8 views

Improper Access Control

github.com/distribution/distribution is vulnerable to Improper Access Control. The vulnerability is due to stale repository-scoped blob membership data remaining after a blob deletion when Redis blob descriptor caching and delete functionality are enabled, which allows an attacker to regain...

7.5CVSS5.8AI score0.00455EPSS
Exploits1References12Affected Software1
Veracode
Veracode
added 2026/05/16 5:22 a.m.13 views

Server-Side Request Forgery (SSRF)

FrontMCP is vulnerable to Server-Side Request Forgery SSRF. The vulnerability is due to unsafe dereferencing of $ref pointers in OpenAPI specifications without URL restrictions, which allows an attacker to trigger requests to internal network resources or read local files through malicious OpenAP...

7.5CVSS5.8AI score0.00319EPSS
Exploits1References3Affected Software3
Veracode
Veracode
added 2026/05/16 5:21 a.m.7 views

Arbitrary File Read

github.com/hahwul/dalfox/v2 is vulnerable to Arbitrary File Read. The vulnerability is due to unsafe deserialization of the attacker-controlled custom-payload-file parameter in REST API server mode, which allows an unauthenticated attacker to read arbitrary files accessible to the dalfox process...

7.5CVSS6AI score0.00251EPSS
Exploits0References4Affected Software1
Veracode
Veracode
added 2026/05/16 5:21 a.m.6 views

Denial Of Service (DoS)

github.com/gofiber/fiber is vulnerable to Denial Of Service DoS. The vulnerability is due to unvalidated MsgPack deserialization of the fiberflash cookie, which allows an unauthenticated attacker to supply a crafted cookie value that triggers excessive memory allocation, resulting in a...

7.5CVSS5.8AI score0.00396EPSS
Exploits1References4Affected Software1
Veracode
Veracode
added 2026/05/16 5:21 a.m.13 views

Improper Input Validation

mppx is vulnerable to improper input validation. The vulnerability is due to improper validation in the cooperative close handler, where the close voucher amount was checked using “” instead of “=” against the on-chain settled amount, which allows an attacker to submit a close voucher equal to th...

7.5CVSS5.8AI score0.00359EPSS
Exploits0References3Affected Software1
Veracode
Veracode
added 2026/05/16 5:21 a.m.7 views

Path Traversal

zrok is vulnerable to Path Traversal. The vulnerability is due to failure to prevent symlink traversal in the WebDAV drive backend, which allows a remote attacker to access symbolic links pointing outside the shared root and read or, where permitted, modify arbitrary files on the host filesystem...

8.7CVSS6AI score0.0033EPSS
Exploits0References3Affected Software2
Veracode
Veracode
added 2026/05/16 5:21 a.m.17 views

Improper Restriction Of Outbound Network Requests (SSRF)

Flowise is vulnerable to improper restriction of outbound network requests SSRF. The vulnerability is due to multiple tool implementations directly importing and invoking raw HTTP clients instead of using the secured wrapper, which allows an attacker to perform unauthorized server-side requests...

9.8CVSS5.8AI score0.00396EPSS
Exploits1References4Affected Software2
Veracode
Veracode
added 2026/05/16 5:20 a.m.7 views

Denial Of Service (DoS)

github.com/go-jose/go-jose is vulnerable to Denial Of Service DoS. The vulnerability is due to improper validation of JWE objects during decryption when the alg field indicates a key wrapping algorithm and the encryptedkey field is empty, which allows an attacker to trigger a runtime panic via...

7.5CVSS7.3AI score0.00651EPSS
Exploits0References123Affected Software3
Veracode
Veracode
added 2026/05/16 5:20 a.m.7 views

Arbitrary File Write

github.com/hahwul/dalfox/v2 is vulnerable to Arbitrary File Write. The vulnerability is due to unsafe deserialization of attacker-controlled logging configuration fields in REST API server mode, which allows an unauthenticated attacker to supply arbitrary file paths that are then used by the...

8.2CVSS6.1AI score0.00243EPSS
Exploits0References4Affected Software1
Veracode
Veracode
added 2026/05/16 5:20 a.m.15 views

Information Disclosure

strapi/strapi is vulnerable to information disclosure. The vulnerability is due to insufficient sanitization of relational query parameters in the where filter, which allows an unauthenticated attacker to perform a boolean-oracle attack against restricted adminusers table fields and potentially...

9.2CVSS5.8AI score0.00612EPSS
Exploits5References2Affected Software1
Veracode
Veracode
added 2026/05/16 5:19 a.m.6 views

Missing Authorization

github.com/minio/minio is vulnerable to IMissing Authorization. The vulnerability is due to insufficient validation of user-supplied X-Minio-Replication- headers in the extractMetadataFromMime function, which allows an authenticated attacker with s3:PutObject permissions to inject internal...

7.1CVSS5.9AI score0.00124EPSS
Exploits0References2Affected Software1
Veracode
Veracode
added 2026/05/16 5:19 a.m.58 views

Server-Side Request Forgery (SSRF)

n8n-mcp is vulnerable to Server-Side Request Forgery SSRF. The vulnerability is due to improper validation of webhook trigger tools, the n8n API client N8NAPIURL, and per-request URLs supplied through the x-n8n-url header in multi-tenant HTTP mode, which allows an authenticated attacker to send...

9.1CVSS5.8AI score0.00235EPSS
Exploits0References3Affected Software1
Veracode
Veracode
added 2026/05/16 5:19 a.m.7 views

Improper Authorization

Flowise is vulnerable to Improper Authorization. The vulnerability is due to missing authentication and permission checks on the OpenAI Assistants Vector Store CRUD endpoints, which allows an attacker with API key access to perform unauthorized operations on vector store resources...

8.8CVSS6AI score0.00327EPSS
Exploits0References2Affected Software1
Veracode
Veracode
added 2026/05/16 5:19 a.m.17 views

Remote Code Execution (RCE)

@nocobase/plugin-workflow-javascript is vulnerable to Remote Code Execution. The vulnerability is due to improper sandbox isolation in the Workflow Script Node, where the exposed console object allows access to host-realm WritableWorkerStdio stream objects via console.stdout and console.stderr,...

9.9CVSS6.4AI score0.36503EPSS
Exploits7References4Affected Software1
Veracode
Veracode
added 2026/05/16 5:18 a.m.6 views

Server-Side Request Forgery (SSRF)

monetr is vulnerable to Server-Side Request Forgery SSRF. The vulnerability is due to insufficient validation of user-supplied URLs in the Lunch Flow integration, which allows an authenticated attacker to force the monetr server to send HTTP GET requests to arbitrary destinations and potentially...

8.3CVSS6AI score0.00331EPSS
Exploits0References4Affected Software1
Veracode
Veracode
added 2026/05/16 5:18 a.m.14 views

Server-Side Request Forgery

magicmirror is vulnerable to Server-Side Request Forgery SSRF. The vulnerability is due to insufficient validation in the /cors endpoint, allowing unauthenticated attackers to force the server to make arbitrary HTTP requests to internal or external services, while environment variable expansion...

9.2CVSS5.9AI score0.01623EPSS
Exploits1References3Affected Software1
Veracode
Veracode
added 2026/05/16 5:18 a.m.13 views

Integrity Check Bypass

Striae is vulnerable to Integrity Check Bypass. The vulnerability is due to reliance on hash-only validation in the digital confirmation workflow, where attackers could modify both package contents and corresponding manifest hash fields, allowing tampered confirmation packages to pass integrity...

8.2CVSS5.2AI score0.00118EPSS
Exploits0References2Affected Software1
Veracode
Veracode
added 2026/05/16 5:18 a.m.15 views

Sandbox Bypass

OpenClaude is vulnerable to Improper Access Control. The vulnerability is due to a logic flaw in bashToolHasPermission within src/tools/BashTool/bashPermissions.ts, where the sandbox auto-allow path returns success before checkPathConstraints is evaluated, allowing attackers to use path traversal...

8.4CVSS5.8AI score0.00232EPSS
Exploits2References2Affected Software1
Veracode
Veracode
added 2026/05/16 5:18 a.m.17 views

Path Traversal

OpenClaw is vulnerable to Path Traversal. The vulnerability is due to insufficient path validation in isLikelyLocalPath and isValidMedia, where attackers can exploit incomplete checks and the allowBareFilename bypass to access files outside the intended sandbox, leading to disclosure of sensitive...

8.7CVSS5.8AI score0.00688EPSS
Exploits1References4Affected Software1
Veracode
Veracode
added 2026/05/16 5:17 a.m.16 views

Authorization Bypass

StudioCMS is vulnerable to Improper Access Control. The vulnerability is due to missing await handling for the asynchronous isAuthorized function in the S3 storage manager, where authorization checks in the POST and PUT handlers always evaluate as successful because unresolved Promise objects are...

7.6CVSS5.8AI score0.00183EPSS
Exploits1References3Affected Software1
Veracode
Veracode
added 2026/05/16 5:16 a.m.12 views

Arbitrary Code Execution

GitHub Copilot CLI is vulnerable to Command Injection. The vulnerability is due to improper safety assessment of shell commands in the shell tool, where dangerous Bash parameter expansion patterns such as $var@P, $!var, $var:=value, and nested $cmd expressions are incorrectly classified as...

7.8CVSS6AI score0.00363EPSS
Exploits1References2Affected Software1
Veracode
Veracode
added 2026/05/16 5:16 a.m.6 views

Improper Handling Of The HTTP Connection Header

@fastify/reply-from and @fastify/http-proxy are vulnerable to Improper Handling of the HTTP Connection Header. The vulnerability is due to processing the client-supplied Connection header after proxy-added headers have been inserted, which allows an attacker to selectively remove security, routin...

9CVSS5.8AI score0.00441EPSS
Exploits1References9Affected Software2
Veracode
Veracode
added 2026/05/16 5:14 a.m.7 views

Cryptographic Failure

electerm is vulnerable to Cryptographic Failure. The vulnerability is due to the use of deterministic AES-192-CBC with a fixed zero IV, constant KDF salt, and no MAC for synced bookmark/profile data, which allows an attacker to crack common passwords across installations and perform undetected...

9.1CVSS5.9AI score0.00105EPSS
Exploits0References2Affected Software1
Veracode
Veracode
added 2026/05/16 5:14 a.m.7 views

Code Injection

claude-code-cache-fix is vulnerable to code injection. The vulnerability is due to tools/quota-statusline.sh directly interpolating Claude Code hook stdin payloads into a Python triple-quoted string literal without proper sanitization, which allows an attacker to inject a ''' sequence and execute...

8.6CVSS6.2AI score0.00188EPSS
Exploits1References2Affected Software1
Veracode
Veracode
added 2026/05/16 5:12 a.m.13 views

Command Injection

mcp-server-semgrep is vulnerable to Command Injection. The vulnerability is due to improper sanitization of the ID argument in multiple MCP interface functions, which allows an attacker to inject and execute arbitrary OS commands remotely...

7.5CVSS7.3AI score0.01394EPSS
Exploits0References8Affected Software1
Veracode
Veracode
added 2026/05/16 5:12 a.m.10 views

Arbitrary Code Execution

GitHub Copilot CLI is vulnerable to Arbitrary Code Execution. The vulnerability is due to unsafe handling of Git repository configuration during repository discovery, where a malicious nested bare Git repository can define executable configuration options that are automatically invoked during Git...

8.5CVSS7.3AI score0.0035EPSS
Exploits1References3Affected Software1
Veracode
Veracode
added 2026/05/16 5:10 a.m.14 views

OS Command Injection

@siteboon/claude-code-ui is vulnerable to OS Command Injection. The vulnerability is due to the use of execAsync with string interpolation of user-controlled Git parameters such as file, branch, message, and commit, which allows an authenticated attacker to execute arbitrary OS commands...

9.1CVSS6.1AI score0.00437EPSS
Exploits0References4Affected Software1
Veracode
Veracode
added 2026/05/16 5:10 a.m.8 views

Improper Authorization

@fastify/express is vulnerable to Improper Authorization. The vulnerability is due to inconsistent URL normalization between Fastify and Express middleware, which allows an unauthenticated attacker to manipulate URL paths using duplicate slashes or semicolon delimiters to bypass path-based...

9.1CVSS5.8AI score0.00483EPSS
Exploits1References3Affected Software1
Veracode
Veracode
added 2026/05/16 5:8 a.m.22 views

Command Injection

Godot MCP is vulnerable to Command Injection. The vulnerability is due to passing user-controlled input directly to exec without sanitization, which allows an attacker to inject shell commands and achieve remote code execution...

7.8CVSS6.1AI score0.00853EPSS
Exploits1References5Affected Software1
Veracode
Veracode
added 2026/05/16 5:8 a.m.6 views

Improperly Controlled Modification Of Dynamically-Determined Object Attributes

Flowise is vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes. The vulnerability is due to missing server-side validation and authorization checks in the variable update endpoint, which allows an authenticated attacker to modify server-controlled properti...

9.6CVSS5.9AI score0.00254EPSS
Exploits1References3Affected Software1
Veracode
Veracode
added 2026/05/16 5:8 a.m.6 views

Privilege Escalation

OpenClaw is vulnerable to privilege escalation. The vulnerability is due to improper authorization in the node reconnection process, which allows an attacker using a previously paired node to bypass re-pairing authentication and execute privileged commands on the local assistant system...

7.8CVSS6AI score0.00131EPSS
Exploits0References3Affected Software1
Veracode
Veracode
added 2026/05/16 5:7 a.m.6 views

Local Code Execution

electerm is vulnerable to Local Code Execution. The vulnerability is due to insufficient validation of messages received over the single-instance IPC socket/pipe, where any process running under the same user can send crafted JSON payloads to create tabs and spawn attacker-controlled local...

9.3CVSS5.8AI score0.00114EPSS
Exploits0References2Affected Software1
Veracode
Veracode
added 2026/05/16 5:5 a.m.22 views

Use After Free

Electron is vulnerable to Use After Free. The vulnerability is due to improper handling of child windows in offscreen rendering mode after the parent WebContents is destroyed, which allows an attacker to trigger memory corruption or application crashes through crafted child window interactions...

8.1CVSS5.8AI score0.00444EPSS
Exploits0References5Affected Software1
Veracode
Veracode
added 2026/05/16 5:4 a.m.7 views

Privilege Escalation

OpenClaw is vulnerable to Privilege Escalation. The vulnerability is due to improper permission enforcement in the gateway plugin HTTP authentication mechanism, where operator.read requests are incorrectly granted operator.write runtime permissions, allowing attackers to perform unauthorized writ...

7.1CVSS5.8AI score0.00239EPSS
Exploits0References2Affected Software1
Veracode
Veracode
added 2026/05/15 9:28 p.m.49 views

Information Disclosure

Zabbix is vulnerable to an information disclosure. The vulnerability is due to the reuse of JavaScript Duktape contexts in Zabbix Server/Proxy, which allows a regular non-super administrator to leak sensitive data from hosts they are not authorized to access through shared global JavaScript...

7.1CVSS5.8AI score0.00154EPSS
Exploits0References3Affected Software1
Veracode
Veracode
added 2026/05/15 9:12 p.m.10 views

Improper Input Validation

zabbix is vulnerable to Improper Input Validation. The vulnerability is due to improper regex validation running in multiline mode, which allows an authenticated attacker to bypass ^ and $ anchor checks using injected newline characters and execute shell command injection...

7.7CVSS5.9AI score0.00248EPSS
Exploits0References3Affected Software1
Veracode
Veracode
added 2026/05/15 9:9 p.m.14 views

Blind SQL Injection

Zabbix is vulnerable to blind SQL injection. The vulnerability is due to improper sanitization of the sortfield parameter in include/classes/api/CApiService.php, which allows a low-privileged user with API access to execute arbitrary SQL select queries and exfiltrate database data through...

8.7CVSS6.2AI score0.0024EPSS
Exploits0References3Affected Software1
Veracode
Veracode
added 2026/05/15 7:39 p.m.21 views

Incorrect Authorization

Clerk is vulnerable to Incorrect Authorization. The vulnerability is due to improper request matching in createRouteMatcher, which allows an attacker to craft requests that bypass middleware protection and access downstream handlers...

9.1CVSS5.8AI score0.00323EPSS
Exploits0References2Affected Software4
Veracode
Veracode
added 2026/05/15 7:24 p.m.15 views

Improper Neutralization Of Special Elements In Data Query Logic

Dgraph is vulnerable to Improper Neutralization of Special Elements in Data Query Logic. The vulnerability is due to improper sanitization of the user-controlled cond field in upsert mutations, which allows an attacker to inject arbitrary DQL query blocks and gain unauthorized read access to...

9.1CVSS5.9AI score0.00424EPSS
Exploits1References3Affected Software3
Veracode
Veracode
added 2026/05/15 6:49 p.m.15 views

Path Traversal

github.com/dgraph-io/dgraph is vulnerable to Path Traversal. The vulnerability is due to improper validation of the dagRunId request field passed into filepath.Join, which allows an attacker to exploit directory traversal using values such as .. and trigger unintended deletion of system temporary...

9.1CVSS5.8AI score0.00338EPSS
Exploits1References3Affected Software3
Veracode
Veracode
added 2026/05/15 6:2 p.m.13 views

Information Exposure

Dgraph is vulnerable to Information Exposure. The vulnerability is due to exposure of process command-line arguments through the unauthenticated /debug/vars endpoint, which allows an attacker to obtain sensitive admin tokens and gain unauthorized access to admin-only endpoints...

9.8CVSS5.8AI score0.02187EPSS
Exploits1References3Affected Software3
Veracode
Veracode
added 2026/05/15 5:47 p.m.18 views

Path Traversal

github.com/charmbracelet/wish is vulnerable to Path Traversal. The vulnerability is due to improper validation of SCP filenames containing traversal sequences, which allows an attacker to read, write, or create files and directories outside the configured root directory...

9.6CVSS5.8AI score0.00393EPSS
Exploits1References5Affected Software2
Veracode
Veracode
added 2026/05/15 11:37 a.m.15 views

Improper Network Access Control

github.com/ctfer-io/fullchain is vulnerable to improper network access control. The vulnerability is due to a misconfigured inter-namespace NetworkPolicy, which allows a malicious actor to pivot from a compromised application to Pods outside the original namespace...

9.8CVSS6.4AI score0.00501EPSS
Exploits1References4Affected Software1
Veracode
Veracode
added 2026/05/15 11:11 a.m.17 views

Cross-Site Scripting (XSS)

github.com/siyuan-note/siyuan is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to incomplete SVG sanitization and improper handling of user-controlled input in the /api/icon/getDynamicIcon endpoint, which allows an attacker to inject malicious SVG content and execute JavaScript...

9.3CVSS6.4AI score0.00302EPSS
Exploits1References5Affected Software1
Veracode
Veracode
added 2026/05/15 11:2 a.m.16 views

Authentication Bypass

Milvus is vulnerable to Authentication Bypass. The vulnerability is due to unauthenticated exposure of the management port 9091 and use of a weak predictable token for the /expr debug endpoint, allowing attackers to access REST API operations, execute arbitrary expressions, and perform unauthoriz...

9.8CVSS6.1AI score0.34346EPSS
Exploits1References4Affected Software1
Veracode
Veracode
added 2026/05/15 10:15 a.m.17 views

Authentication Bypass

Unity Catalog is vulnerable to Authentication Bypass. The vulnerability is due to improper validation of the iss claim in JWT tokens, where the token exchange endpoint dynamically fetches JWKS data based on attacker-controlled issuer values without verifying trusted identity providers, allowing...

9.1CVSS5.8AI score0.00183EPSS
Exploits0References2Affected Software1
Veracode
Veracode
added 2026/05/15 9:49 a.m.17 views

Improper Authentication

github.com/openbao/openbao is vulnerable to improper authentication. The vulnerability is due to missing user confirmation during JWT/OIDC authentication when using callbackmode=direct, which allows an attacker to initiate a malicious authentication request and trick a victim into automatically...

9.6CVSS6.4AI score0.00411EPSS
Exploits0References7Affected Software1
Veracode
Veracode
added 2026/05/15 9:28 a.m.7 views

Memory-Safety Vulnerability

GitHub repository github.com/jackc/pgx/v5 is vulnerable to a memory-safety vulnerability. The vulnerability is due to improper memory handling within the library, which allows an attacker to exploit memory corruption conditions and potentially cause application crashes, denial of service, or...

9.8CVSS5.8AI score0.00605EPSS
Exploits0References24Affected Software2
Total number of security vulnerabilities38467