Gogs's write-level collaborators can mutate admin-only repository settings via API
Gogs has DOM-based XSS via Milestone Name on New Issue Page
Gogs vulnerable to RCE via git rebase --exec argument injection in pull request merge
Gogs has a Migration Redirect Bypass that Leads to Internal Repository Theft
Gogs Vulnerable to Privilege Escalation via Collaboration Access Mode Validation
Gogs has an Open Redirect via redirect_to
Gogs has the ability to import local repositories via Mirror Settings
Gogs Vulnerable to CSRF Leading to Organization Owner Takeover
Gogs Missing Authorization in Attachment Download
Gogs has Stored XSS in `.ipynb` Preview
Gogs has DoS in rendering issue index pattern
@actual-app/web has CSV Formula Injection in Transaction Export via Imported Payee/Notes Fields
@budibase/backend-core has potential SSRF DNS rebinding bypass in outbound fetch validation
Budibase has arbitrary file read by workspace-builder via PWA-zip symlink upload
Budibase: Mass Assignment in Webhook Trigger Allows Cross-Workspace Automation Execution via appId Override
@actual-app/sync-server: Disabled OpenID users keep access through existing session tokens
Budibase: POST /api/attachments/:datasourceId/url is unauthenticated and lets anonymous callers mint S3 PUT pre-signed URLs using stored datasource IAM credentials
Budibase: Unauthenticated S3 signed upload URL generation allows arbitrary writes with stored datasource credentials
Budibase has an Account Impersonation Issue - Chat Identity Link Hijacking via Missing Consent & CSRF
zeroconf: Unvalidated rdlength in record payload readers allows LAN-local cache corruption via crafted mDNS packet