Missing authorization in Microsoft Exchange Online allows an authorized attacker to elevate privileges over a network.
Kestra is an open-source, event-driven orchestration platform. Prior to versions 1.3.19, 1.2.19, 1.1.19, and 1.0.43, Kestra task `inputFiles` writes rendered file names directly under the task working directory. When a flow forwards untrusted execution or webhook data into an `inputFiles` file name,...
URL redirection to untrusted site ('open redirect') in Microsoft 365 Copilot's Business Chat allows an unauthorized attacker to elevate privileges over a network.
Improper authentication in Azure Active Directory allows an unauthorized attacker to elevate privileges over a network.
Langflow: IDOR Vulnerability in `/api/v1/responses` Endpoint Allows Authenticated Attackers to Access Another User's Flow
Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an unauthorized attacker to perform tampering over a network.
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Edge (Chromium-based) allows an authorized attacker to perform spoofing over a network.
py7zr: O(n^2) algorithmic complexity DoS in PackInfo._read()
py7zr: Decompression bomb (zip bomb) denial of service via unchecked extraction size
Mailpit: Incomplete SSRF protection in Link Check API via IPv6 transition mechanisms
Open Redirect Bypass in miniflux-v2
Traefik Kubernetes Ingress NGINX provider fails open when auth-secret resolution fails
Allure Report: Stored XSS via unescaped ANSI helper in status message/trace rendering
Allure Report: Path Traversal in HTTP Server Allows Arbitrary File Read
dbt MCP Server: Unauthenticated OAuth Context Endpoint Leaks dbt Platform Tokens
go.qbee.io/transport: Symlink-chain path traversal in tar extraction (one level outside destination)
TinaCMS: Cross-origin postMessage handlers and rich-text URL-sanitization bypass enable stored XSS and session takeover
Craft Commerce: Coupon Code Brute-Force via Rate Limit Bypass
Craft CMS: Blind SSRF and Arbitrary JavaScript Injection via Host Header Poisoning in actionResourceJs
@tinacms/cli: Remote Code Execution in @tinacms/cli via Forestry migration – unsanitised __TINA_INTERNAL__ marker in user-controlled YAML labels