Monthly
Tandoor Recipes versions prior to 2.6.0 fail to strip EXIF metadata from WebP and GIF image uploads, exposing sensitive information such as GPS coordinates, timestamps, and camera details to all users viewing shared recipes. This information disclosure vulnerability affects any user uploading recipe photos, particularly those using modern smartphones that default to WebP format. The vulnerability is fixed in version 2.6.0.
SINEC Security Monitor versions before 4.9.0 expose sensitive metadata including contributor information and email addresses on the SSM Server, allowing authenticated attackers to obtain confidential data. The vulnerability requires valid credentials to exploit and poses a low-severity information disclosure risk with no availability or integrity impact.
The users endpoint in the groov View API returns a list of all users and associated metadata including their API keys. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The vulnerability consists of a session ID leak when saving a file downloaded from CGM CLININET. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. No vendor patch available.
PostgreSQL optimizer statistics allow a user to read sampled data within a view that the user cannot access. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable. No vendor patch available.
Information disclosure while accessing and modifying the PIB file of a remote device via powerline. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A security vulnerability in Dradis (CVSS 3.5). Remediation should follow standard vulnerability management procedures.
A remote code execution vulnerability in MyBB (CVSS 5.3) that allows attackers. Remediation should follow standard vulnerability management procedures. Vendor patch is available.
In berriai/litellm version v1.52.1, an issue in proxy_server.py causes the leakage of Langfuse API keys when an error occurs while parsing team settings. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
An information disclosure vulnerability exists in the latest version of transformeroptimus/superagi. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Tandoor Recipes versions prior to 2.6.0 fail to strip EXIF metadata from WebP and GIF image uploads, exposing sensitive information such as GPS coordinates, timestamps, and camera details to all users viewing shared recipes. This information disclosure vulnerability affects any user uploading recipe photos, particularly those using modern smartphones that default to WebP format. The vulnerability is fixed in version 2.6.0.
SINEC Security Monitor versions before 4.9.0 expose sensitive metadata including contributor information and email addresses on the SSM Server, allowing authenticated attackers to obtain confidential data. The vulnerability requires valid credentials to exploit and poses a low-severity information disclosure risk with no availability or integrity impact.
The users endpoint in the groov View API returns a list of all users and associated metadata including their API keys. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The vulnerability consists of a session ID leak when saving a file downloaded from CGM CLININET. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. No vendor patch available.
PostgreSQL optimizer statistics allow a user to read sampled data within a view that the user cannot access. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable. No vendor patch available.
Information disclosure while accessing and modifying the PIB file of a remote device via powerline. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A security vulnerability in Dradis (CVSS 3.5). Remediation should follow standard vulnerability management procedures.
A remote code execution vulnerability in MyBB (CVSS 5.3) that allows attackers. Remediation should follow standard vulnerability management procedures. Vendor patch is available.
In berriai/litellm version v1.52.1, an issue in proxy_server.py causes the leakage of Langfuse API keys when an error occurs while parsing team settings. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
An information disclosure vulnerability exists in the latest version of transformeroptimus/superagi. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.