Zae-Limiter versions up to 0.10.1 is affected by allocation of resources without limits or throttling (CVSS 4.3).
WP Recipe Maker (WordPress plugin) is affected by authorization bypass through user-controlled key (CVSS 4.3).
Protected post metadata injection in Post Duplicator plugin for WordPress allows authenticated contributors and higher-privileged users to arbitrarily set sensitive meta keys like _wp_page_template on duplicated posts by bypassing WordPress's standard metadata protection mechanisms. The vulnerability exists in versions up to 3.0.8 due to direct database insertion instead of using WordPress's protected metadata validation function. Attackers can exploit this through the customMetaData parameter in the REST API endpoint to manipulate post properties and potentially compromise site functionality.
The Disable Admin Notices - Hide Dashboard Notifications WordPress plugin up to version 1.4.2 lacks proper CSRF protection in its `showPageContent()` function, allowing unauthenticated attackers to inject arbitrary URLs into the blocked redirects list by tricking site administrators into clicking a malicious link. This could enable an attacker to redirect site traffic or manipulate administrator settings without explicit authorization. No patch is currently available for this medium-severity vulnerability.
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.7 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have allowed an unauthorized user with Developer-role permissions to set pipeline variables for manually triggered jobs under certain conditions. [CVSS 4.3 MEDIUM]
Unauthorized modification of protected Conan packages in GitLab EE allows Developer-role users to bypass package protection controls under specific conditions. Affected versions include 17.11 through 18.7.4, 18.8.0 through 18.8.4, and 18.9.0 before 18.9.1. An attacker with Developer privileges could alter protected package contents despite insufficient permissions to do so.
Teamcity versions up to 2025.11.3 is affected by url redirection to untrusted site (open redirect) (CVSS 4.3).
Insufficient authorization checks in JetBrains TeamCity before version 2025.11.3 permit project developers to modify build configuration parameters without proper access controls. An authenticated attacker with developer privileges could inject malicious parameters into build configurations, potentially altering build behavior or exposing sensitive information. No patch is currently available for this vulnerability.
LangChain's RecursiveUrlLoader in @langchain/community versions prior to 1.1.18 fails to validate redirect targets, allowing authenticated attackers to bypass SSRF protections by redirecting from whitelisted URLs to internal or metadata endpoints. An attacker with user credentials can exploit this to access sensitive internal resources or cloud metadata services through automatic redirect following. Affected applications should upgrade to version 1.1.18, which disables automatic redirects and re-validates each redirect destination.
Kruise provides automated management of large-scale applications on Kubernetes. Prior to versions 1.8.3 and 1.7.5, PodProbeMarker allows defining custom probes with TCPSocket or HTTPGet handlers.
A vulnerability has been identified in the NeuVector scanner where the scanner process accepts registry and controller credentials as command-line arguments, potentially exposing sensitive credentials to local users. [CVSS 3.8 LOW]
A weakness has been identified in feiyuchuixue sz-boot-parent up to 1.3.2-beta. This vulnerability affects unknown code of the file /api/admin/common/files/download. Executing a manipulation of the argument url can lead to server-side request forgery. The attack can be executed remotely. Attacks of this nature are highly complex. It is stated that the exploitability is difficult. Upgrading to v...
A time-of-create-to-time-of-use (TOCTOU) vulnerability lets recently deleted-then-recreated data sources be re-deleted without permission to do so. [CVSS 2.6 LOW]
In JetBrains TeamCity before 2025.11.3 disabling versioned settings left a credentials config on disk [CVSS 2.3 LOW]
Improper access control in the Role Handler component of fosrl Pangolin up to version 1.15.4-s.3 allows authenticated remote attackers to bypass role and API key verification checks. Public exploit code exists for this vulnerability, enabling attackers with valid credentials to gain unauthorized access to protected functionality. Users should upgrade to version 1.15.4-s.4 or later to remediate this issue.
Path traversal in feiyuchuixue sz-boot-parent versions up to 1.3.2-beta allows authenticated remote attackers to read arbitrary files by manipulating the templateName parameter in the /api/admin/common/download/templates endpoint. Public exploit code exists for this vulnerability. Users should upgrade to version 1.3.3-beta or later, which implements proper path validation checks.
ServiceNow has addressed a remote code execution vulnerability that was identified in the ServiceNow AI platform. This vulnerability could enable an unauthenticated user, in certain circumstances, to execute code within the ServiceNow Sandbox.
LiveCode is an open-source, client-side code playground. Prior to commit e151c64c2bd80d2d53ac1333f1df9429fe6a1a11, LiveCode's `i18n-update-pull` GitHub Actions workflow is vulnerable to JavaScript injection.
The Angular SSR is a server-rise rendering tool for Angular applications. Versions prior to 21.2.0-rc.1, 21.1.5, 20.3.17, and 19.2.21 have a Server-Side Request Forgery (SSRF) vulnerability in the Angular SSR request handling pipeline. The vulnerability exists because Angular’s internal URL reconstruction logic directly trusts and consumes user-controlled HTTP headers specifically the Host and `X-Forwarded-*` family to determine the application's base origin without any validation of the dest...
The Angular SSR is a server-rise rendering tool for Angular applications. An Open Redirect vulnerability exists in the internal URL processing logic in versions on the 19.x branch prior to 19.2.21, the 20.x branch prior to 20.3.17, and the 21.x branch prior to 21.1.5 and 21.2.0-rc.1. The logic normalizes URL segments by stripping leading slashes; however, it only removes a single leading slash. When an Angular SSR application is deployed behind a proxy that passes the `X-Forwarded-Prefix` hea...
Improper Resource Shutdown or Release vulnerability in KrakenD, SLU KrakenD-CE (CircuitBreaker modules), KrakenD, SLU KrakenD-EE (CircuitBreaker modules). This issue affects KrakenD-CE: before 2.13.1; KrakenD-EE: before 2.12.5.
An Insecure Temporary File vulnerability in openSUSE sdbootutil allows local users to pre-create a directory to achieve various effects like: * gain access to possible private information found in /var/lib/pcrlock.d * manipulate the data backed up in /tmp/pcrlock.d.bak, therefore violating the integrity of the data should it be restored.