SandboxJS prior to 0.8.31 has yet another sandbox escape via prototype pollution, the sixth distinct escape technique discovered.
A device has a stack-based buffer overflow in HTTP SESSION cookie processing allowing unauthenticated remote code execution.
GitLab AI Gateway's Duo Workflow Service has a CVSS 9.9 server-side template injection enabling code execution through the AI workflow system.
A device has a stack-based buffer overflow in cookie parsing (including TRACKID) enabling unauthenticated remote code execution.
FUXA SCADA has yet another authorization bypass — now the seventh critical FUXA vulnerability discovered, enabling unauthenticated access to industrial controls.
FUXA SCADA has an authentication spoofing vulnerability from versions 1.2.8 through 1.2.10 — tenth critical vulnerability.
FUXA SCADA has insecure default configuration with a known JWT secret — eighth critical vulnerability.
PlaciPy placement system 1.0.0 has an improper authorization vulnerability enabling unauthenticated admin access — second of seven critical PlaciPy vulnerabilities.
PlaciPy has an injection vulnerability allowing user input to be processed as commands — sixth critical flaw.
Yokogawa FAST/TOOLS has a second web server vulnerability involving improper cryptographic handling that weakens the security of SCADA communications.
PlaciPy has an incorrect authorization allowing privilege escalation — seventh and final critical vulnerability.
A device stores user credentials using AES-ECB encryption with a hard-coded key, allowing any attacker to decrypt all stored passwords.
Yokogawa FAST/TOOLS SCADA has a vulnerability in its web server component enabling unauthorized access to the industrial control monitoring system.
FUXA SCADA has a path traversal vulnerability — ninth critical vulnerability enabling arbitrary file access on SCADA servers.
An SQL injection vulnerability in a product allows unauthenticated database compromise through unsanitized input.
Yokogawa FAST/TOOLS has a third vulnerability involving improper encoding of output that could enable injection attacks against the SCADA web interface.
Go Fiber web framework before 2.52.11 has a weak PRNG vulnerability (on Go < 1.24) that makes session tokens predictable, enabling session hijacking.
MarkUs grading platform prior to 2.9.1 has a path traversal enabling students to access other students' submissions or grading data.
HGiga C&Cm@il email system has a missing authentication vulnerability allowing unauthenticated remote access to email server functions.
PlaciPy has another missing authorization vulnerability — fourth of seven critical security flaws.
PlaciPy has a missing authorization vulnerability — third of seven critical security flaws.
PlaciPy has an incorrect authorization vulnerability — fifth of seven critical flaws.
my little forum PHP forum software has an unrestricted file upload allowing authenticated users to upload dangerous file types.
FreeRDP prior to 3.22.0 has a heap buffer overflow in the URBDRC USB redirection client enabling RCE through malicious RDP servers.
FreeRDP prior to 3.22.0 has a use-after-free in ecam_encoder_compress allowing malicious RDP servers to crash or execute code on clients.
FUXA SCADA has an eleventh critical vulnerability — missing authorization from versions 1.2.8 onward.
JetBrains Hub before 2025.3.119807 has an authentication bypass allowing administrative actions without proper credentials.