【高危】Anki's local HTTP server does not sufficiently validate requests
Anki's local HTTP server does not sufficiently validate requests
【中危】SurrealDB: Denial of Service via deep operator chains
SurrealDB: Denial of Service via deep operator chains
【中危】SurrealDB: Field-level SELECT permissions bypassed via graph and reference traversals
SurrealDB: Field-level SELECT permissions bypassed via graph and reference traversals
【中危】SurrealDB: Indexed ORDER BY leaks the value ordering of a SELECT-restricted field
SurrealDB: Indexed ORDER BY leaks the value ordering of a SELECT-restricted field
【高危】SurrealDB: Arbitrary file read via DEFINE ANALYZER mapper() filter
SurrealDB: Arbitrary file read via DEFINE ANALYZER mapper() filter
【中危】SurrealDB: SSRF via JWKS URL — Redirect Following in JWT Key Fetch
SurrealDB: SSRF via JWKS URL — Redirect Following in JWT Key Fetch
【中危】pydantic-settings: NestedSecretsSettingsSource follows symlinks outside secrets_dir, enabling local file rea
pydantic-settings: NestedSecretsSettingsSource follows symlinks outside secrets_dir, enabling local file read and bypassing secrets_dir_max_size
【高危】Lokka: Azure Resource Manager URL path validation issue
Lokka: Azure Resource Manager URL path validation issue
【高危】@jhb.software/payload-cloudinary-plugin: Arbitrary Cloudinary API Parameter Signing
@jhb.software/payload-cloudinary-plugin: Arbitrary Cloudinary API Parameter Signing
【高危】LangSmith SDK TracingMiddleware: Arbitrary server-side file read
LangSmith SDK TracingMiddleware: Arbitrary server-side file read
【高危】githubtoplanguages: Command Injection via Issue Title in Discord Notification Workflow
githubtoplanguages: Command Injection via Issue Title in Discord Notification Workflow
【中危】Cloudflare Quiche: Use-after-free in connection ID iterator FFI functions
Cloudflare Quiche: Use-after-free in connection ID iterator FFI functions
【中危】Zeep: Server-Side Request Forgery (SSRF)
Zeep: Server-Side Request Forgery (SSRF)
【中危】Anki: User scripts in iframes have access to the internal Anki API
Anki: User scripts in iframes have access to the internal Anki API
【中危】ChatterBot: Symlink-Following Arbitrary Write via UbuntuCorpusTrainer
ChatterBot: Symlink-Following Arbitrary Write via UbuntuCorpusTrainer
【严重】OpenRemote Manager: removeAlarms cross-realm IDOR (bulk delete)
OpenRemote Manager: removeAlarms cross-realm IDOR (bulk delete)
【高危】appium-mcp: Unescaped Locator Data XSS in MCP-UI Resource (createLocatorGeneratorUI)
appium-mcp: Unescaped Locator Data XSS in MCP-UI Resource (createLocatorGeneratorUI)
【高危】EverOS: Path traversal in EverOS /api/v1/memory/add via unvalidated sender_id
EverOS: Path traversal in EverOS /api/v1/memory/add via unvalidated sender_id
【高危】Uni-CLI: Legacy HTTP MCP transport accepted browser-originated localhost requests
Uni-CLI: Legacy HTTP MCP transport accepted browser-originated localhost requests
【高危】stigmem-node: decay sweep expires and counts facts across all tenants (cross-tenant BOLA)
stigmem-node: decay sweep expires and counts facts across all tenants (cross-tenant BOLA)