Fleet: Unauthenticated Android device disenrollment vulnerability via Pub/Sub endpoint

fleetdm fleet fleetdm fleet

Ajenti has a potential Remote Code Execution

ajenti ajenti ajenti ajenti

User Registration & Membership <= 5.1.2 - Authentication Bypass

wpeverest User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder

User Registration & Membership <= 5.1.2 - Insecure Direct Object Reference to Unauthenticated Limited User Deletion

wpeverest User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder

Audiobooksheld VUlnerable to Stored XSS in WrappingMarquee.js via Audiobook Metadata (Mobile App Audio Player)

advplyr audiobookshelf-app

Audiobookshelf has Stored XSS in Tooltip.vue via Audiobook Metadata

advplyr audiobookshelf audiobookshelf audiobookshelf

Audiobookshelf has Stored XSS in ItemSearchCard.vue via Audiobook Metadata (Search Results on Mobile App)

advplyr audiobookshelf advplyr audiobookshelf-app

Angular i18n vulnerable to Cross-Site Scripting (XSS)

angular angular angular angular +5个

Packistry accepts expired access tokens

packistry packistry packistryphp packistry

Langflow has Remote Code Execution in CSV Agent

langflow-ai langflow langflow langflow

Vitess users with backup storage access can write to arbitrary file paths on restore

vitessio vitess vitessio vitess +1个

Vitess users with backup storage access can gain unauthorized access to production deployment environments

vitessio vitess vitessio vitess +1个

Koa has Host Header Injection via `ctx.hostname`

koajs koa koajs koa +1个

LiveHelperChat has department-level authorization bypass in holdaction, blockuser, and transferchat endpoints

LiveHelperChat livehelperchat livehelperchat live_helper_chat

Agenta's Server-Side Template Injection (SSTI) via custom evaluator Jinja2 templates allows RCE

Agenta-AI agenta agentatech agenta

Agenta has Python Sandbox Escape, Leading to Remote Code Execution (RCE)

Agenta-AI agenta-api agentatech agenta

Copyparty vulnerable to eflected cross-site scripting via setck parameter

9001 copyparty 9001 copyparty

OpenEMR's Eye Exam View Trusts form_id Without Verifying Patient/Encounter Ownership

openemr openemr open-emr openemr

Custom Logo <= 2.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via Logo Path Setting

tgrk Custom Logo

Livemesh Addons for Beaver Builder <= 3.9.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title' and 'value' Shortcode Attributes

livemesh Livemesh Addons for Beaver Builder