Worry Proof Backup <= 0.2.4 - Authenticated (Subscriber+) Path Traversal via Backup Upload

bearsthemes Worry Proof Backup

Fleet: Sensitive Google Calendar credentials disclosed to low-privileged users

fleetdm fleet fleetdm fleet

Fleet: Authorization Bypass in certificate template batch deletion for team administrators

fleetdm fleet fleetdm fleet

Fleet: Device lock PIN can be predicted if lock time is known

fleetdm fleet fleetdm fleet

Fleet: Unauthenticated Android device disenrollment vulnerability via Pub/Sub endpoint

fleetdm fleet fleetdm fleet

Ajenti has a potential Remote Code Execution

ajenti ajenti ajenti ajenti

User Registration & Membership <= 5.1.2 - Authentication Bypass

wpeverest User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder

User Registration & Membership <= 5.1.2 - Insecure Direct Object Reference to Unauthenticated Limited User Deletion

wpeverest User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder

Audiobooksheld VUlnerable to Stored XSS in WrappingMarquee.js via Audiobook Metadata (Mobile App Audio Player)

advplyr audiobookshelf-app

Audiobookshelf has Stored XSS in Tooltip.vue via Audiobook Metadata

advplyr audiobookshelf audiobookshelf audiobookshelf

Audiobookshelf has Stored XSS in ItemSearchCard.vue via Audiobook Metadata (Search Results on Mobile App)

advplyr audiobookshelf advplyr audiobookshelf-app

Angular i18n vulnerable to Cross-Site Scripting (XSS)

angular angular angular angular +5个

Packistry accepts expired access tokens

packistry packistry packistryphp packistry

Langflow has Remote Code Execution in CSV Agent

langflow-ai langflow langflow langflow

Vitess users with backup storage access can write to arbitrary file paths on restore

vitessio vitess vitessio vitess +1个

Vitess users with backup storage access can gain unauthorized access to production deployment environments

vitessio vitess vitessio vitess +1个

Koa has Host Header Injection via `ctx.hostname`

koajs koa koajs koa +1个

LiveHelperChat has department-level authorization bypass in holdaction, blockuser, and transferchat endpoints

LiveHelperChat livehelperchat livehelperchat live_helper_chat

Agenta's Server-Side Template Injection (SSTI) via custom evaluator Jinja2 templates allows RCE

Agenta-AI agenta agentatech agenta

Agenta has Python Sandbox Escape, Leading to Remote Code Execution (RCE)

Agenta-AI agenta-api agentatech agenta