LobeChat before version 2.2.10-canary.15 contains a regular expression denial of service (ReDoS) vulnerability that allows authenticated attackers to block the Node.js event loop by supplying a catastrophic-backtracking pattern in a GitHub repository URL path during skill import. Attackers can craft...
Cockpit CMS before release 364 contains a path traversal and local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files or execute PHP files by including unvalidated PATH_INFO derived from REQUEST_URI in filesystem path construction without containment checks. A...
AutoBangumi before 3.2.8 contains a hard-coded default credentials vulnerability that allows unauthenticated attackers to authenticate as the administrator by using the publicly known default credentials seeded at startup via add_default_user() in the database user module when the users table is emp...
A flaw was found in GIMP's PSP file format parser. A double-free condition occurs in the read_layer_block() function when processing a specially crafted PSP file. This could allow an attacker to cause memory corruption, potentially leading to denial of service or arbitrary code execution.
Buffer Overflow vulnerability in UTT nv518G nv518GV3v3.2.7-210919-161313 allows a remote attacker to cause a denial of service via the gohead/sub_483ba0 component
Netdata before 2.3.1 reflects the user-supplied love query parameter of the api/v2/ilove.svg and api/v3/ilove.svg endpoints verbatim into the generated SVG document (into a text element) without HTML or XML escaping, and serves the response with Content-Type image/svg+xml. An attacker can craft a UR...
jsonata: Malicious inputs to "$toMillis" function can cause resource exhaustion
zebrad has unbounded memory leak in mempool download pipeline via timeout path cancel_handles retention
zebrad has persistent on-disk corruption of Sapling/Orchard subtree roots after chain fork via pop_tip
Craft CMS is a content management system (CMS). Versions 5.0.0-RC1 and above, prior to 5.9.21 and versions 4.0.0-RC1 and above prior to 4.17.14 contain an authorization issue where a forced folder move can delete a conflicting destination folder without destination delete permission. Function craft\...
Craft CMS is a content management system (CMS). Versions 5.7.0 and above, prior to 5.9.21 contain a mass-assignment flaw in the bulk-duplicate element action. An attacker who is only able to duplicate their own entires can submit an arbitrary id through the newAttributes request parameter. The dupli...
Zebra: Repeated Non-Finalized Shielded Transaction Aborts Zebra Before Duplicate-Nullifier Rejection
Zebra: Finalized address balance credit-first overflow on consensus-valid blocks
Zebra has sync restart poisoning from single unauthenticated peer via above-lookahead block
zebrad has consensus divergence via P2SH sigop undercount in pure-Rust disabled-opcode parser
Zebra has block suppression via NU5 same-header body poisoning of sent-hash cache
zebrad has mempool transaction admission denial via single-peer inbound queue saturation
zebrad has full node denial of service via non-ASCII LongPollId in getblocktemplate
electerm has Command Injection in File System Operations (rmrf, mv, cp)
Dragonfly Manager OAuth provider client_secret disclosure via unauthenticated GET /api/v1/oauth