Veracode (Recent)

38133 matches found

Veracode • added 2024/07/03 5:37 a.m.

Path Traversal

yt-dlp is vulnerable to Path Traversal. The vulnerability is due to unrestricted file extensions of downloaded files, resulting in arbitrary filenames and path traversal on Windows, which could allow an attacker to execute arbitrary code...

CVSS 7.8 • AI score 7.3 • EPSS 0.00045
Exploits 0 • References 10 • Affected Software 2

Veracode • added 2024/07/02 12:05 p.m.

Prototype Pollution

requirejs is vulnerable to Prototype Pollution. The vulnerability is due to the config function, which allows attackers to inject arbitrary prototype properties and potentially execute arbitrary code or cause a Denial of Service (DoS)...

AI score 7.6
Exploits 2 • References 1 • Affected Software 1

Veracode • added 2024/07/02 10:29 a.m.

SQL Injection

typo3/cms is vulnerable to SQL Injection. The vulnerability is due to improper neutralization of user input, allowing a user with a valid frontend account to potentially execute SQL queries...

AI score 7.8
Exploits 0

Veracode • added 2024/07/02 10:17 a.m.

Improper Privilege Management

typo3/cms is vulnerable to Improper Privilege Management. The vulnerability is due to a link potentially granting certain editing permissions if the admin panel is configured to be shown; a valid preview link is required to exploit it...

AI score 7
Exploits 0

Veracode • added 2024/07/02 9:15 a.m.

Insecure Deserialization

typo3/cms is vulnerable to Insecure Deserialization. The vulnerability is due to improper validation of incoming import data in the Import/Export component; a valid backend user account is required to exploit it...

AI score 6.9
Exploits 0

Veracode • added 2024/07/02 9:01 a.m.

Prototype Pollution

@agreejs/shared is vulnerable to Prototype Pollution. The vulnerability is due to missing checks in the mergeInternalComponents function, allowing attackers to execute arbitrary code or cause a Denial of Service (DoS) by injecting arbitrary properties...

CVSS 9.8 • AI score 7.7 • EPSS 0.00478
Exploits 0 • References 2 • Affected Software 1

Veracode • added 2024/07/02 8:34 a.m.

Prototype Pollution

che3vinci c3/utils-1 is vulnerable to Prototype Pollution. The vulnerability is due to missing checks in the assign function, allowing attackers to execute arbitrary code or cause a Denial of Service (DoS) by injecting arbitrary properties...

CVSS 8.1 • AI score 7.7 • EPSS 0.00442
Exploits 0 • References 2 • Affected Software 1

Veracode • added 2024/07/02 8:19 a.m.

Prototype Pollution

@cahil/utils is vulnerable to Prototype Pollution. The vulnerability is due to missing checks in the set function, allowing attackers to execute arbitrary code or cause a Denial of Service (DoS) by injecting arbitrary properties...

CVSS 9.8 • AI score 7.7 • EPSS 0.00464
Exploits 0 • References 2 • Affected Software 1

Veracode • added 2024/07/02 8:10 a.m.

Prototype Pollution

@cafebazaar/hod is vulnerable to Prototype Pollution. The vulnerability is due to missing checks in the request function, allowing attackers to execute arbitrary code or cause a Denial of Service (DoS) by injecting arbitrary properties...

CVSS 9.8 • AI score 7.7 • EPSS 0.00478
Exploits 0 • References 2 • Affected Software 1

Veracode • added 2024/07/02 8:00 a.m.

Prototype Pollution

fast-loops is vulnerable to Prototype Pollution. The vulnerability is due to missing checks in the objectMergeDeep function, allowing attackers to execute arbitrary code or cause a Denial of Service (DoS) by injecting arbitrary properties...

CVSS 10 • AI score 7.7 • EPSS 0.00164
Exploits 0 • References 2 • Affected Software 1

Veracode • added 2024/07/02 7:38 a.m.

Prototype Pollution

2o3t-utility is vulnerable to Prototype Pollution. The vulnerability is due to failing to properly handle inputs in the extend function, allowing attackers to execute arbitrary code or cause a Denial of Service (DoS) by injecting arbitrary properties...

CVSS 9.8 • AI score 7.7 • EPSS 0.00132
Exploits 0 • References 2 • Affected Software 1

Veracode • added 2024/07/02 7:13 a.m.

Prototype Pollution

@amoy/common is vulnerable to Prototype Pollution. The vulnerability is due to the setValue function, potentially allowing attackers to execute arbitrary code or cause a Denial of Service (DoS) by injecting arbitrary properties...

CVSS 7.3 • AI score 7.8 • EPSS 0.0008
Exploits 0 • References 1 • Affected Software 1

Veracode • added 2024/07/02 7:13 a.m.

Prototype Pollution

@jsonic/jsonic-next is vulnerable to Prototype Pollution. The vulnerability is due to the functions empty, util.clone, util.prop, util.deep, and make not properly handling inputs containing the special property __proto__. Attackers can exploit this to modify the built-in Object.prototype, potentially...

CVSS 6.3 • AI score 7.3 • EPSS 0.00117
Exploits 1 • References 1 • Affected Software 1

Veracode • added 2024/07/02 7:12 a.m.

Prototype Pollution

ag-grid-community and ag-grid-enterprise are vulnerable to Prototype Pollution. The vulnerability is due to the .mergeDeep function, allowing attackers to execute arbitrary code or cause a Denial of Service (DoS) by injecting arbitrary properties...

CVSS 9.8 • AI score 7.8 • EPSS 0.0026
Exploits 1 • References 5 • Affected Software 2

Veracode • added 2024/07/02 7:10 a.m.

Prototype Pollution

ag-grid-enterprise is vulnerable to Prototype Pollution. The vulnerability is due to the functions .mergeDeep, ModuleSupport.jsonApply, ModuleSupport.setPath, and Util.jsonApply accepting arguments that include the built-in property __proto__. Attackers can exploit this by passing specially crafted...

CVSS 6.3 • AI score 6.8 • EPSS 0.00264
Exploits 1 • References 5 • Affected Software 2

Veracode • added 2024/07/02 7:10 a.m.

Prototype Pollution

adolphdudu/ratio-swiper is vulnerable to Prototype Pollution. The vulnerability is due to functions such as extendDefaults and parse accepting crafted arguments with a __proto__ property. The vulnerability allows attackers to alter the behavior of all objects inheriting from the affected...

CVSS 6.5 • AI score 6.8 • EPSS 0.0015
Exploits 1 • References 2 • Affected Software 1

Veracode • added 2024/07/02 7:06 a.m.

Sensitive Information Disclosure

IBM MQ is vulnerable to Sensitive Information Disclosure. The vulnerability is due to a detailed technical error message being returned in the browser. An attacker can use this information in further attacks against the system...

CVSS 6.5 • AI score 6.1 • EPSS 0.00096
Exploits 0 • References 2 • Affected Software 3

Veracode • added 2024/07/02 6:55 a.m.

Prototype Pollution

@cat5th/key-serializer is vulnerable to Prototype Pollution. The vulnerability is due to functions such as query, set, default.query, and default.set accepting crafted arguments with a __proto__ property. The vulnerability allows attackers to alter the behavior of all objects inheriting from the...

CVSS 6.3 • AI score 6.8 • EPSS 0.00349
Exploits 0 • References 2 • Affected Software 1

Veracode • added 2024/07/02 6:53 a.m.

SQL Injection

parse-server is vulnerable to SQL Injection. The vulnerability is due to improper handling of user-supplied input when configured with a PostgreSQL database, allowing malicious SQL queries to be executed...

CVSS 9.8 • AI score 7.2 • EPSS 0.03791
Exploits 0 • References 5 • Affected Software 1

Veracode • added 2024/07/02 6:48 a.m.

Prototype Pollution

requirejs is vulnerable to Prototype Pollution. The vulnerability is due to missing prototype checks in the config, s.contexts._.configure, and parse functions, which allows an attacker to modify the built-in Object.prototype by passing arguments containing the special __proto__ key, which results in...

CVSS 10 • AI score 6.7 • EPSS 0.00283
Exploits 0 • References 2 • Affected Software 1

Veracode • added 2024/07/02 6:45 a.m.

Prototype Pollution

@abip/sp-common is vulnerable to Prototype Pollution. The vulnerability is due to the mergeDeep function, which allows attackers to inject arbitrary properties. As a result, an attacker can execute arbitrary code or cause a Denial of Service (DoS)...

CVSS 6.3 • AI score 7.6 • EPSS 0.00174
Exploits 0 • References 1 • Affected Software 1

Veracode • added 2024/07/02 6:36 a.m.

Prototype Pollution

@airvertco/frappejs is vulnerable to Prototype Pollution. The vulnerability is due to the registerView function accepting an argument containing the special property __proto__, which pollutes the object prototype and allows attackers to alter the behavior of all objects inheriting from the affected prototype...

CVSS 8.8 • AI score 6.7 • EPSS 0.00283
Exploits 0 • References 3 • Affected Software 1

Veracode • added 2024/07/02 6:17 a.m.

Prototype Pollution

@amoy/common is vulnerable to Prototype Pollution. The vulnerability is due to functions such as extend and setValue, which can be exploited by passing crafted arguments with a __proto__ property. This allows attackers to alter the behavior of all objects inheriting from the affected prototype...

CVSS 7.3 • AI score 6.7 • EPSS 0.00296
Exploits 1 • References 2 • Affected Software 1

Veracode • added 2024/07/02 6:16 a.m.

Denial Of Service (DoS)

github.com/gorilla/schema is vulnerable to Denial of Service (DoS). The vulnerability is due to unrestricted memory allocation triggered by manipulating the slice index idx beyond the configured maxSize. This allows an attacker to exhaust system resources and potentially crash the applicatio...

CVSS 7.5 • AI score 6.6 • EPSS 0.00267
Exploits 0 • References 4 • Affected Software 1

Veracode • added 2024/07/02 5:57 a.m.

Prototype Pollution

@jsonic/jsonic-next is vulnerable to Prototype Pollution. The vulnerability is due to several functions, including empty, util.clone, util.prop, util.deep, and make, which can be exploited by passing crafted arguments with a __proto__ property. This allows attackers to alter the behavior of all...

CVSS 9.8 • AI score 6.7 • EPSS 0.00478
Exploits 1 • References 3 • Affected Software 1

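The prototype pollution entries above (requirejs, @agreejs/shared, fast-loops, ag-grid, @jsonic/jsonic-next and the others) all describe the same defect: a recursive merge, extend or set helper that walks into a "__proto__" key from untrusted input and so writes into Object.prototype. The following is an added example, not code from any of those packages, showing a minimal helper with that defect beside a hardened version. The payload is constructed for the demo, and the function names are this example's own.

```javascript
// Added example, not code from any package listed above. It shows the pattern the
// prototype-pollution advisories describe: a recursive merge/extend helper that
// walks into "__proto__" and so writes to Object.prototype, next to a hardened
// version. The payload below is constructed for the demo.

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable: for-in over untrusted input with no key filtering. When key is
// "__proto__", target[key] resolves (through the inherited accessor) to
// Object.prototype, and the recursion writes straight into it.
function mergeDeepVulnerable(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      mergeDeepVulnerable(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: own keys only, dangerous keys skipped, and a nested target is only
// reused when it is the target's own property, never an inherited one.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function mergeDeepSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      mergeDeepSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker payload, as it would arrive from JSON.parse of a request
// body. JSON.parse creates "__proto__" as an ordinary own data property, which is
// exactly what lets the vulnerable merge reach it.
const PAYLOAD = JSON.parse('{"name":"demo","__proto__":{"isAdmin":true}}');

// Runs both merges against the payload and reports whether a fresh, unrelated
// object inherited the injected property. Cleans Object.prototype afterwards so
// the process is left as it was found.
function runDemo() {
  const result = {};
  try {
    mergeDeepVulnerable({}, PAYLOAD);
    result.vulnerablePolluted = ({}).isAdmin === true;
  } finally {
    delete Object.prototype.isAdmin;
  }
  try {
    const merged = mergeDeepSafe({}, PAYLOAD);
    result.safePolluted = ({}).isAdmin === true;
    result.safeKeptBenignKey = merged.name === 'demo';
    result.safeNoOwnProto = !Object.prototype.hasOwnProperty.call(merged, '__proto__');
  } finally {
    delete Object.prototype.isAdmin;
  }
  return result;
}

console.log(runDemo());
```

The "execute arbitrary code or cause a Denial of Service" wording in these advisories follows from what the vulnerable path does: once an attacker controls properties that every object inherits, any later code that reads an option it never set (a template engine's `escape` flag, a child-process `shell` option, a `toString` override) now sees the attacker's value. Blocking `__proto__`, `constructor` and `prototype` is the fix these packages needed; `Object.freeze(Object.prototype)` at startup is a useful additional safety net where the application can tolerate it.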
Veracode • added 2024/07/02 5:50 a.m.

Path Traversal

Weblate is vulnerable to Path Traversal. The vulnerability is due to a lack of proper normalization and validation of filenames when restoring project backups. This could allow an attacker to use a crafted ZIP file containing arbitrary paths to gain unauthorized access to files on the serv...

CVSS 5.4 • AI score 7 • EPSS 0.00436
Exploits 0 • References 3 • Affected Software 1

Veracode • added 2024/07/02 5:24 a.m.

Code Injection

Gradio is vulnerable to Code Injection. The vulnerability is due to improper input validation in gradio/component_meta.py. This flaw allows an attacker to execute arbitrary code via a crafted input...

CVSS 9.8 • AI score 7.5 • EPSS 0.01882
Exploits 1 • References 3 • Affected Software 1

Veracode • added 2024/07/01 12:06 p.m.

Improper Access Control

github.com/goauthentik/authentik is vulnerable to Improper Access Control. The vulnerability is due to access restrictions not being properly checked in the OAuth2 Device Code flow, allowing users without correct authorization to obtain OAuth tokens and potentially access applications...

CVSS 8.6 • AI score 6.8 • EPSS 0.00266
Exploits 0 • References 7 • Affected Software 1

Veracode • added 2024/07/01 11:46 a.m.

Denial Of Service (DoS)

MIT Kerberos 5 is vulnerable to Denial Of Service (DoS). The vulnerability is due to insufficient validation of length fields in message tokens, allowing an attacker to cause invalid memory reads by sending tokens with invalid length values...

CVSS 9.1 • AI score 6.6 • EPSS 0.02606
Exploits 0 • References 4 • Affected Software 2

Veracode • added 2024/07/01 11:00 a.m.

Plaintext Modification

libkrb5.so is vulnerable to a Plaintext Modification attack. The vulnerability is due to the plaintext Extra Count field of a confidential GSS krb5 wrap token being modifiable without detection, allowing an attacker to make the unwrapped token appear truncated to the application...

CVSS 7.5 • AI score 6.5 • EPSS 0.00545
Exploits 0 • References 4 • Affected Software 2

Veracode • added 2024/07/01 10:55 a.m.

Cross-site Scripting (XSS)

TYPO3 is vulnerable to Cross-site Scripting (XSS). The vulnerability is due to failing to properly encode user input in some backend components...

AI score 7
Exploits 0

Veracode • added 2024/07/01 10:13 a.m.

Cross-site Scripting (XSS)

zenml is vulnerable to Cross-site Scripting (XSS). The vulnerability is due to improper input neutralization during web page generation in the survey redirect parameter, which allows an attacker to execute arbitrary JavaScript code in the context of the user's browser session...

CVSS 6.1 • AI score 6 • EPSS 0.00168
Exploits 1 • References 3 • Affected Software 1

Veracode • added 2024/07/01 9:21 a.m.

Authentication Bypass

TYPO3 is vulnerable to Authentication Bypass. The vulnerability is due to the default authentication service failing to reject empty strings as passwords...

AI score 7.3
Exploits 0

Veracode • added 2024/07/01 8:42 a.m.

Improper Input Validation

github.com/gin-contrib/cors is vulnerable to Improper Input Validation. The vulnerability is due to improper handling of wildcards in origin strings in the parseWildcardRules function in cors.go. This allows an attacker to bypass origin restrictions by using similar but...

CVSS 9.1 • AI score 6.5 • EPSS 0.00388
Exploits 0 • References 5 • Affected Software 1

Veracode • added 2024/07/01 7:46 a.m.

Denial Of Service (DoS)

IBM MQ is vulnerable to Denial Of Service (DoS). The vulnerability is due to an error when applying configuration changes, which an attacker could exploit to cause a denial of service...

CVSS 7.5 • AI score 6.3 • EPSS 0.00261
Exploits 0 • References 3 • Affected Software 3

Veracode • added 2024/07/01 7:35 a.m.

Sensitive Information Disclosure

IBM MQ is vulnerable to Sensitive Information Disclosure. The vulnerability is due to a detailed technical error message being returned in the browser. An attacker can use this information in further attacks against the system...

CVSS 6.5 • AI score 6.1 • EPSS 0.00113
Exploits 0 • References 2 • Affected Software 1

Veracode • added 2024/07/01 7:20 a.m.

Denial Of Service (DoS)

IBM MQ is vulnerable to Denial Of Service (DoS). The vulnerability is due to an error processing messages when an API Exit that uses MQBUFMH is in place. An attacker can exploit this to cause a denial of service in certain configurations...

CVSS 7.5 • AI score 6.4 • EPSS 0.00281
Exploits 0 • References 2 • Affected Software 3

Veracode • added 2024/07/01 6:38 a.m.

Privilege Escalation

IBM MQ is vulnerable to Privilege Escalation. The vulnerability is due to incorrect privilege assignments, which allow an attacker to escalate their privileges under certain configurations...

CVSS 8.8 • AI score 7.2 • EPSS 0.00235
Exploits 0 • References 2 • Affected Software 3

Veracode • added 2024/06/28 12:31 p.m.

Remote Code Execution

nltk is vulnerable to Remote Code Execution. The vulnerability is due to models containing pickled Python code, which could allow an attacker to execute arbitrary code. An attacker would need to perform a man-in-the-middle attack to modify the packaged pickles such as the averaged_perceptron_tagger...

CVSS 9.8 • AI score 8 • EPSS 0.10792
Exploits 0 • References 3 • Affected Software 1

Veracode • added 2024/06/28 6:15 a.m.

Improper Certificate Validation

phpseclib/phpseclib is vulnerable to Improper Certificate Validation. The vulnerability is due to some characters in Subject Alternative Name fields of TLS certificates being allowed to keep their special meaning in regular expressions, leading to name confusion in X.509 certificate host...

CVSS 7.5 • AI score 6.5 • EPSS 0.00182
Exploits 1 • References 5 • Affected Software 2

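The phpseclib entry describes a bug class worth seeing concretely: a hostname check that builds a regular expression from the certificate's Subject Alternative Name without escaping it, so regex metacharacters in the name change which hostnames the certificate is accepted for. The following is an added example, not phpseclib's code, with a vulnerable matcher of that shape beside a label-by-label matcher that never treats the name as a pattern. The certificate names and hostnames are constructed; a certificate carrying a name like the last case would have to come from a misissuing or attacker-controlled CA, which is the assumption the demo makes.

```javascript
// Added example, not phpseclib's code. It shows the bug class the phpseclib
// advisory describes: building a regular expression from a certificate's Subject
// Alternative Name without escaping it, so regex metacharacters in the name change
// which hostnames it matches. Beside it is a label-by-label matcher that never
// uses the name as a pattern. The certificate names and hostnames are constructed.

// Vulnerable: only "*" is translated; ".", "|", "(", "?" and friends keep their
// regex meaning. An unparseable name is treated as a non-match here so the demo
// cannot throw.
function sanMatchesVulnerable(san, hostname) {
  try {
    const re = new RegExp('^' + san.replace(/\*/g, '[^.]*') + '$', 'i');
    return re.test(hostname);
  } catch (e) {
    return false;
  }
}

// Hardened: compare DNS labels directly. A wildcard is honoured only when it is
// the entire leftmost label and at least two labels follow it; every other label
// of both names must be a plain LDH (letters, digits, hyphen) label.
const LABEL = /^[a-z0-9-]+$/;

function sanMatchesSafe(san, hostname) {
  const sanLabels = String(san).toLowerCase().split('.');
  const hostLabels = String(hostname).toLowerCase().split('.');
  if (sanLabels.length !== hostLabels.length) return false;
  for (let i = 0; i < sanLabels.length; i++) {
    const s = sanLabels[i];
    const h = hostLabels[i];
    if (!LABEL.test(h)) return false;            // garbage in the requested host
    if (i === 0 && s === '*') {
      if (sanLabels.length < 3) return false;    // "*.com" is never acceptable
      continue;
    }
    if (!LABEL.test(s)) return false;            // metacharacters in the SAN
    if (s !== h) return false;
  }
  return true;
}

// Constructed cases: [name from the certificate, hostname the client asked for].
const CASES = [
  ['www.example.com', 'www.example.com'],               // exact: both accept
  ['*.example.com', 'api.example.com'],                 // leftmost wildcard: both accept
  ['*.example.com', 'a.b.example.com'],                 // wildcard must not span labels: both reject
  ['www.example.com', 'www-example-com'],               // unescaped "." matches any char: vulnerable accepts
  ['attacker.test|www.example.com', 'www.example.com'], // "|" splits the anchors: vulnerable accepts
];

function runDemo() {
  return CASES.map(([san, hostname]) => ({
    san,
    hostname,
    vulnerable: sanMatchesVulnerable(san, hostname),
    safe: sanMatchesSafe(san, hostname),
  }));
}

console.table(runDemo());
```

The fourth and fifth cases are the name confusion the advisory refers to: in the vulnerable matcher a literal dot accepts any character, and an alternation character makes the `^` and `$` anchors apply to different branches, so a name that is not "www.example.com" is accepted for it. The safe matcher never interprets the name; it rejects any label that is not a plain DNS label and only honours a wildcard as a whole leftmost label.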
Veracode • added 2024/06/28 5:52 a.m.

Remote Code Execution (RCE)

torch is vulnerable to Remote Code Execution (RCE). The vulnerability is due to a lack of restriction on function calls when a worker node sends a PythonUDF to the master node, which then executes the function without proper validation within the torch.distributed.rpc framework. This allows...

AI score 8.1
Exploits 0 • References 2 • Affected Software 1

Veracode • added 2024/06/28 5:40 a.m.

Cross-site Scripting (XSS)

org.opencms:opencms-core is vulnerable to Cross-site Scripting (XSS). The vulnerability is due to improper validation of .svg files, allowing users with the gallery editor or VFS resource manager role to upload images containing JavaScript code, which will be executed when another user accesse...

CVSS 6.4 • AI score 6.4 • EPSS 0.00155
Exploits 0 • References 1 • Affected Software 1

Veracode • added 2024/06/27 7:39 p.m.

Cross-site Scripting (XSS)

zendframework/zendframework is vulnerable to Cross-site Scripting (XSS). The vulnerability is due to view helpers using escapeHtml instead of escapeHtmlAttr to escape HTML attributes, which can lead to XSS attack vectors when user data or JavaScript is used...

AI score 5.6
Exploits 0

Veracode • added 2024/06/27 7:12 p.m.

Session Fixation

zendframework/zendframework is vulnerable to Session Fixation. The vulnerability is due to session validators not working as expected if they are set prior to the start of a session...

AI score 7
Exploits 0

Veracode • added 2024/06/27 12:17 p.m.

Heap Buffer Overflow

Libde265 is vulnerable to a Heap Buffer Overflow. The vulnerability is due to improper handling of a crafted payload, which can cause a crash via the __interceptor_memcpy function...

CVSS 6.5 • AI score 6.6 • EPSS 0.00179
Exploits 1 • References 3 • Affected Software 1

Veracode • added 2024/06/27 12:01 p.m.

Heap Buffer Overflow

Libde265 is vulnerable to a Heap Buffer Overflow. The vulnerability is due to a crafted payload reaching the display444as420 function in sdl.cc, which can allow attackers to crash the application...

CVSS 6.5 • AI score 6.7 • EPSS 0.00132
Exploits 0 • References 3 • Affected Software 1

Veracode • added 2024/06/27 11:40 a.m.

Cross-site Scripting (XSS)

@zenuml/core is vulnerable to Cross-site Scripting (XSS). The vulnerability is due to unsanitized Markdown comments in the file Comment.vue, allowing attackers to inject malicious JavaScript payloads...

CVSS 5.4 • AI score 6.2 • EPSS 0.00136
Exploits 0 • References 3 • Affected Software 1

Veracode • added 2024/06/27 9:08 a.m.

Cross-site Scripting (XSS)

zendframework/zendframework is vulnerable to Cross-site Scripting (XSS). The vulnerability is due to not using context-appropriate escaping mechanisms with Zend\Escaper when escaping HTML, HTML attributes, and/or URLs, which could be exploited to perform XSS attacks...

AI score 5.7
Exploits 0

Veracode • added 2024/06/27 8:15 a.m.

Use After Free

@fastly/js-compute is vulnerable to Use After Free. The vulnerability is due to re-use of previously freed memory in FetchEvent.client and certain CacheEntry.prototype and Device.lookup functions. This issue could allow an unintended data leak and often results in a Compute service crash...

CVSS 5.3 • AI score 6.7 • EPSS 0.0012
Exploits 0 • References 3 • Affected Software 1

Veracode • added 2024/06/27 7:54 a.m.

Denial Of Service (DoS)

github.com/golang/image is vulnerable to Denial of Service (DoS). The vulnerability is due to invalid color indices in a corrupt or crafted image. An attacker could exploit the lack of color index checks by providing an image with invalid color indices, which triggers a crash...

CVSS 7.5 • AI score 6.5 • EPSS 0.00128
Exploits 0 • References 5 • Affected Software 2

Total number of security vulnerabilities: 38133