zx is a tool for writing better scripts. An attacker with control over environment variable values can inject unintended environment variables into `process.env`. This can lead to arbitrary command ex
Description: VMware NSX contains a username enumeration vulnerability. An unauthenticated malicious actor may exploit this to enumerate valid usernames, potentially leading to unauthorized access atte
The Sprig Plugin for Craft CMS is a reactive Twig component framework for Craft CMS. Starting in version 2.0.0 and prior to versions 2.15.2 and 3.15.2, admin users, and users with explicit permission
An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed DOM-based cross-site scripting via task list content. The task list content extraction logic d
There is a defect in the CPython standard library module “mimetypes” where on Windows the default list of known file locations are writable meaning other users can create invalid files to cause Memory
Froxlor is open source server administration software. Version 2.3.6 lets administrators configure `system.available_shells` as the approved shell list that customers may assign to FTP users. However,
text-generation-webui is an open-source web interface for running Large Language Models. Prior to 4.3, an unauthenticated path traversal vulnerability in load_template() allows reading files with .jin
GNU Mailman 2.1.39, as bundled in cPanel (and WHM), allows unauthenticated attackers to create lists via the /mailman/create endpoint. NOTE: multiple third parties report that they are unable to repro
StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.4, the REST API `getUsers` endpoint in StudioCMS uses the attacker-controlled `rank` query parameter
In Splunk Enterprise versions below 9.3.1, 9.2.3, and 9.1.6 and Splunk Cloud Platform versions below 9.2.2403.107, 9.1.2312.204, and 9.1.2312.111, a low-privileged user that does not hold the "admin"
A vulnerability was found in LitmusChaos Litmus up to 3.19.0. It has been rated as critical. This issue affects some unknown processing of the file /auth/list_projects. The manipulation of the argumen
OpenClaw before 2026.4.22 allows workspace dotenv files to override connector endpoint hosts for Matrix, Mattermost, IRC, and Synology connectors. Attackers with workspace access can redirect runtime
In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.11, and 9.3.12, and Splunk Cloud Platform versions below 10.4.2603.1, 10.3.2512.9, 10.2.2510.11, 10.1.2507.21, 10.0.2503.13, and 9.3.2411.129, a
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.4.8 and 17.10.1, an improperly protected scripting API allows any user with script
telnet in GNU inetutils through 2.7 allows servers to read arbitrary environment variables from clients via NEW_ENVIRON SEND USERVAR.
OpenClaw before 2026.3.31 allows workspace .env files to override the OPENCLAW_BUNDLED_HOOKS_DIR environment variable, enabling loading of attacker-controlled hook code. Attackers can replace trusted
A vulnerability has been found in Gosuncn Technology Group Audio-Visual Integrated Management Platform 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the
An issue was discovered in Atos Eviden SMC xScale before 1.6.6. During initialization of nodes, some configuration parameters are retrieved from management nodes. These parameters embed credentials wh
In OpenStack Ironic before 35.0.2 (in a certain non-default configuration), instance_info['ks_template'] is rendered without sandboxing.
In WhiteBeam 0.2.0 through 0.2.1 before 0.2.2, a user with local access to a server can bypass the allow-list functionality because a file can be truncated in the OpenFileDescriptor action before the