A vulnerability has been found in libvips up to 8.18.0. The impacted element is the function vips_foreign_load_matrix_header of the file libvips/foreign/matrixload.c. [CVSS 3.3 LOW]
Improper authentication in Chia Blockchain 2.1.0's RPC Credential Handler (_authenticate function) allows remote attackers to bypass credential validation with high complexity exploitation. Public exploit code exists for this vulnerability, and the vendor dismissed the report as a design choice placing responsibility on users for host security. Affected systems may experience confidentiality, integrity, and availability impacts through unauthorized RPC access.
Talishar is a fan-made Flesh and Blood project. Prior to commit 6be3871a14c192d1fb8146cdbc76f29f27c1cf48, the Talishar application lacks Cross-Site Request Forgery (CSRF) protections on critical state-changing endpoints, specifically within `SubmitChat.php` and other game interaction handlers. [CVSS 2.6 LOW]
Unrestricted file uploads in Sz Boot Parent versions up to 1.3.2-beta allow authenticated remote attackers to upload malicious files via the /api/admin/sys-file/upload API endpoint. Public exploit code exists for this vulnerability, which has been patched in version 1.3.3-beta through the addition of file extension and MIME type whitelisting controls. Immediate upgrade to the patched version is strongly recommended.
Website Link Extractor versions up to 1.0 is affected by server-side request forgery (ssrf) (CVSS 6.3).
SQL injection in itsourcecode College Management System 1.0's teacher management interface allows authenticated attackers to manipulate the teacher_id parameter in /admin/display-teacher.php and execute arbitrary database queries. Public exploit code exists for this vulnerability, enabling remote exploitation by users with administrative access. The vulnerability remains unpatched and carries medium severity with potential for data confidentiality, integrity, and availability compromise.
College Management System versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 6.3).
Improper authorization in Sz Boot Parent up to version 1.3.2-beta allows authenticated attackers to reset arbitrary user passwords by manipulating the userId parameter in the password reset API endpoint. Public exploit code exists for this vulnerability, enabling remote password reset attacks against any user account. Upgrade to version 1.3.3-beta or later to remediate.
Patients Waiting Area Queue Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 3.5).
Patients Waiting Area Queue Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 2.4).
Libvips up to version 8.18.0 contains a heap buffer overflow in the CSV parsing function that allows local attackers with user-level privileges to corrupt memory and potentially execute arbitrary code. Public exploit code is available for this vulnerability, and a patch has been released to address the issue.
Stack-based buffer overflow in CodeAstro Food Ordering System 1.0 allows local attackers with user privileges to corrupt memory and potentially execute arbitrary code, with public exploit code currently available. The vulnerability affects food_ordering.exe through an undocumented function and requires local access to exploit. No patch is currently available for affected systems.
A vulnerability was detected in Chia Blockchain 2.1.0. Impacted is an unknown function of the file /send_transaction. [CVSS 3.1 LOW]
Chia Blockchain 2.1.0's RPC Server Master Passphrase Handler lacks proper authentication in the send_transaction and get_private_key functions, allowing authenticated local attackers to bypass security controls with public exploit code available. An attacker with local access and existing privileges could manipulate these functions to gain unauthorized access to sensitive blockchain operations, though exploitation requires high complexity and the vendor considers this a user responsibility issue. A patch is not currently available.
A vulnerability has been identified in the NeuVector scanner where the scanner process accepts registry and controller credentials as command-line arguments, potentially exposing sensitive credentials to local users. [CVSS 3.8 LOW]
A weakness has been identified in feiyuchuixue sz-boot-parent up to 1.3.2-beta. This vulnerability affects unknown code of the file /api/admin/common/files/download. Executing a manipulation of the argument url can lead to server-side request forgery. The attack can be executed remotely. Attacks of this nature are highly complex. It is stated that the exploitability is difficult. Upgrading to v...
A time-of-create-to-time-of-use (TOCTOU) vulnerability lets recently deleted-then-recreated data sources be re-deleted without permission to do so. [CVSS 2.6 LOW]
In JetBrains TeamCity before 2025.11.3 disabling versioned settings left a credentials config on disk [CVSS 2.3 LOW]
Improper access control in the Role Handler component of fosrl Pangolin up to version 1.15.4-s.3 allows authenticated remote attackers to bypass role and API key verification checks. Public exploit code exists for this vulnerability, enabling attackers with valid credentials to gain unauthorized access to protected functionality. Users should upgrade to version 1.15.4-s.4 or later to remediate this issue.
Path traversal in feiyuchuixue sz-boot-parent versions up to 1.3.2-beta allows authenticated remote attackers to read arbitrary files by manipulating the templateName parameter in the /api/admin/common/download/templates endpoint. Public exploit code exists for this vulnerability. Users should upgrade to version 1.3.3-beta or later, which implements proper path validation checks.