PGHoard: Password written to debug log
Pipecat: Telephony WebSocket `/ws` Unauthenticated Call-Control Abuse via Attacker-Supplied Call SID
opentelemetry-collector-contrib: githubreceiver silently ignores configured required_headers authentication
Kirby: `pages.access` permission is not checked in the `site/find` REST API route
Kirby: Access to files of top-level drafts is not protected by permissions
Kirby: External Initialization of the Panel on reverse proxy setups with the `Forwarded` header
Kirby: Cross-site scripting (XSS) from incomplete HTML/XML sanitization in `Dom::sanitize()`
Kirby: Request header injection in `Http\Remote`
Kirby: Self cross-site scripting (self-XSS) in the writer field
Kirby: `pages.access` permission is not checked in the pages picker for parent pages
opentelemetry-collector-contrib sentryexporter: Path traversal in Sentry exporter via attacker-controlled service.name reaches privileged Sentry API endpoints with operator bearer token
Jupyter Server: Stored XSS in `NbconvertFileHandler` / `NbconvertPostHandler` via missing `sandbox` CSP
Grav: Stored CSS injection via Markdown image ?style=… reaches MediaObjectTrait::style() (incomplete patch of GHSA-r7fx-8g49-7hhr)
Grav: Admin Backup Zip File Exposes Account Credentials and Configuration Secrets
Podman: WORKDIR symlink traversal vulnerability
In Eclipse 4diac FORTE versions 3.0.0 to 3.1.0, a specially crafted DELETE connection command to the management interface can lead to a dangling pointer. This allows subsequent commands to access freed memory (use-after-free).
An out-of-bounds write vulnerability in FFmpeg's libavcodec library, specifically in the MagicYUV decoder, allows denial of service and, in some cases, can be exploited for remote code execution. This vulnerability is associated with the file libavcodec/magicyuv.c. This issue affects FFmpe...
A remote, unauthenticated attacker may exploit a deserialization of untrusted data vulnerability in ibaPDA or ibaDatCoordinator to gain full access to the affected systems.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in David Lingren Media Library Assistant allows Blind SQL Injection. This issue affects Media Library Assistant: from n/a through 3.35.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bricksable for Bricks Builder allows Stored XSS. This issue affects Bricksable for Bricks Builder: from n/a through 1.6.83.