Gogs has the ability to import local repositories via Mirror Settings
Gogs Vulnerable to CSRF Leading to Organization Owner Takeover
Gogs Missing Authorization in Attachment Download
Gogs has Stored XSS in `.ipynb` Preview
Gogs has DoS in rendering issue index pattern
@actual-app/web has CSV Formula Injection in Transaction Export via Imported Payee/Notes Fields
@budibase/backend-core has potential SSRF DNS rebinding bypass in outbound fetch validation
Budibase has arbitrary file read by workspace-builder via PWA-zip symlink upload
Budibase: Mass Assignment in Webhook Trigger Allows Cross-Workspace Automation Execution via appId Override
@actual-app/sync-server: Disabled OpenID users keep access through existing session tokens
Budibase: POST /api/attachments/:datasourceId/url is unauthenticated and lets anonymous callers mint S3 PUT pre-signed URLs using stored datasource IAM credentials
Budibase: Unauthenticated S3 signed upload URL generation allows arbitrary writes with stored datasource credentials
Budibase has an Account Impersonation Issue: Chat Identity Link Hijacking via Missing Consent & CSRF
zeroconf: Unvalidated rdlength in record payload readers allows LAN-local cache corruption via crafted mDNS packet
scimPatch vulnerable to prototype pollution via unfiltered keys in patch
Gogs has SSRF in webhook deliveries
Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, the ImageColumn and ImageEntry components render raw database values without escaping HTML. Where the data passed to these components isn't validated, an attacker could plan...
Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, the login page has an observable timing discrepancy that allows unauthenticated attackers to enumerate registered email addresses. The impact is limited to disclosing whether an ...
picklescan before 0.0.29 fails to detect malicious pickle files that exploit the idlelib.autocomplete.AutoComplete.get_entity function in __reduce__ methods. Attackers can embed undetected code in pickle files that executes arbitrary commands when loaded by victims using pickle.load().
picklescan before 0.0.30 (affected versions 0.0.26 and earlier) fails to detect the ensurepip._run_pip built-in function when scanning pickle files, allowing attackers to execute arbitrary code. Malicious pickle files embedding ensurepip._run_pip calls in __reduce__ methods bypass picklescan detecti...
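The two picklescan entries above describe the same failure mode: a signature-based scanner only knows the dangerous callables it has been told about, so a `__reduce__` payload naming a callable missing from its list is reported as clean. The following Python is an added example, not picklescan's code and not taken from either advisory. It walks a pickle's opcodes with `pickletools.genops` and lists the `module.name` globals the pickle would resolve, without ever calling `pickle.load()`; it then contrasts a denylist that (deliberately) lacks `ensurepip._run_pip` and `idlelib.autocomplete.AutoComplete.get_entity` with an allowlist that flags any global it does not recognise. The sample pickles are hand-assembled so that none of the named modules is imported, the allowlist contents are an assumption chosen for this example, and the STACK_GLOBAL handling assumes the module and name are the two most recent string constants (true of pickles CPython writes, not guaranteed for hand-crafted ones that use memo lookups).

```python
"""Opcode-level pickle scanner: denylist versus allowlist.

Added example (not picklescan's code, not from any advisory above).
Sample pickles are constructed by hand; nothing here calls pickle.load().
"""
import pickle
import pickletools
from collections import OrderedDict


def build_reduce_pickle(module, name, *args, proto=2):
    """Hand-assemble the bytes an object would pickle to if its __reduce__
    returned (module.name, args). Only the name is recorded; the call
    happens when an unpickler executes the REDUCE opcode."""
    out = bytearray(b"\x80" + bytes([proto]))                       # PROTO
    if proto >= 4:
        for s in (module, name):                                     # two SHORT_BINUNICODE
            enc = s.encode()
            out += b"\x8c" + bytes([len(enc)]) + enc
        out += b"\x93"                                               # STACK_GLOBAL
    else:
        out += b"c" + module.encode() + b"\n" + name.encode() + b"\n"  # GLOBAL
    out += b"("                                                      # MARK
    for a in args:
        enc = a.encode()
        out += b"X" + len(enc).to_bytes(4, "little") + enc           # BINUNICODE
    out += b"t"                                                      # TUPLE (from MARK)
    out += b"R."                                                     # REDUCE, STOP
    return bytes(out)


_STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
               "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def referenced_globals(data):
    """Return every (module, name) the pickle would resolve, without loading it.

    GLOBAL and INST carry "module name" inline; STACK_GLOBAL takes them from
    the two most recently pushed string constants (a simplification that
    ignores memo-based lookups)."""
    refs, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):
            module, name = arg.split(" ", 1)
            refs.append((module, name))
        elif op.name == "STACK_GLOBAL":
            if len(strings) < 2:
                raise ValueError("STACK_GLOBAL without two preceding strings")
            refs.append((strings[-2], strings[-1]))
        elif op.name in _STRING_OPS:
            strings.append(arg)
    return refs


# Signature-style denylist. It intentionally omits the two callables named
# in the advisories above, which is exactly the gap they describe.
DENYLIST = {("os", "system"), ("subprocess", "Popen"),
            ("builtins", "eval"), ("builtins", "exec")}

# Allowlist assumed for this example: what a model loader actually needs.
ALLOWLIST = {("collections", "OrderedDict"), ("builtins", "set"),
             ("numpy", "ndarray"), ("numpy", "dtype"),
             ("numpy.core.multiarray", "_reconstruct")}


def denylist_findings(data):
    """Globals the denylist recognises as dangerous (fails open on unknowns)."""
    return [f"{m}.{n}" for m, n in referenced_globals(data) if (m, n) in DENYLIST]


def allowlist_findings(data):
    """Globals not on the allowlist (fails closed on unknowns)."""
    return [f"{m}.{n}" for m, n in referenced_globals(data) if (m, n) not in ALLOWLIST]


# Constructed samples; the argument strings are placeholders.
SAMPLES = {
    "ensurepip (proto 2)": build_reduce_pickle("ensurepip", "_run_pip", "--help"),
    "idlelib (proto 4)": build_reduce_pickle("idlelib.autocomplete",
                                             "AutoComplete.get_entity", "x", proto=4),
    "os.system (proto 2)": build_reduce_pickle("os", "system", "id"),
    "benign OrderedDict": pickle.dumps(OrderedDict(a=1), protocol=4),
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        print(f"{label:22} denylist={denylist_findings(blob)} "
              f"allowlist={allowlist_findings(blob)}")
```

Run as a script, the ensurepip and idlelib samples come back empty from the denylist and flagged by the allowlist, while the benign OrderedDict pickle passes both; this is why scanners of this kind should be treated as a last line of defence behind a restricted `Unpickler.find_class` or a format that carries no code at all.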