🚨 CVE-2022-46161
pdfmake is an open source client/server side PDF printing in pure JavaScript. In versions up to and including 0.2.5 pdfmake contains an unsafe evaluation of user controlled input. Users of pdfmake are thus subject to arbitrary code execution in the context of the process running the pdfmake code. There are no known fixes for this issue. Users are advised to restrict access to trusted user input.
🎖@cveNotify
pdfmake is an open source client/server side PDF printing in pure JavaScript. In versions up to and including 0.2.5 pdfmake contains an unsafe evaluation of user controlled input. Users of pdfmake are thus subject to arbitrary code execution in the context of the process running the pdfmake code. There are no known fixes for this issue. Users are advised to restrict access to trusted user input.
🎖@cveNotify
GitHub
pdfmake/dev-playground/server.js at 802813970ac6de68a0bd0931b74150b33da0dd18 · bpampuch/pdfmake
Client/server side PDF printing in pure JavaScript - bpampuch/pdfmake
🚨 CVE-2025-11362
Versions of the package pdfmake before 0.3.0-beta.17 are vulnerable to Allocation of Resources Without Limits or Throttling via repeatedly redirect URL in file embedding. An attacker can cause the application to crash or become unresponsive by providing crafted input that triggers this condition.
🎖@cveNotify
Versions of the package pdfmake before 0.3.0-beta.17 are vulnerable to Allocation of Resources Without Limits or Throttling via repeatedly redirect URL in file embedding. An attacker can cause the application to crash or become unresponsive by providing crafted input that triggers this condition.
🎖@cveNotify
GitHub
fixed `DoS via repeatedly redirect URL in file embedding` · bpampuch/pdfmake@7411696
Client/server side PDF printing in pure JavaScript - fixed `DoS via repeatedly redirect URL in file embedding` · bpampuch/pdfmake@7411696
🚨 CVE-2025-55200
BigBlueButton is an open-source virtual classroom. In versions prior to 3.0.13, the "Shared Notes" feature contains a Stored Cross-Site Scripting (XSS) vulnerability with the input location being the "Username" field and the output location on the "Shared Notes" page, when a user with a malicious username is editing content. This vulnerability allows a low-privileged user to execute arbitrary JavaScript in the context of higher-privileged users (e.g., Admins) who open the Shared Notes page. Version 3.0.13 fixes the issue.
🎖@cveNotify
BigBlueButton is an open-source virtual classroom. In versions prior to 3.0.13, the "Shared Notes" feature contains a Stored Cross-Site Scripting (XSS) vulnerability with the input location being the "Username" field and the output location on the "Shared Notes" page, when a user with a malicious username is editing content. This vulnerability allows a low-privileged user to execute arbitrary JavaScript in the context of higher-privileged users (e.g., Admins) who open the Shared Notes page. Version 3.0.13 fixes the issue.
🎖@cveNotify
🚨 CVE-2025-61601
BigBlueButton is an open-source virtual classroom. A Denial of Service (DoS) vulnerability in versions prior to 3.0.13 allows any authenticated user to freeze or crash the entire server by abusing the polling feature's `Choices` response type. By submitting a malicious payload with a massive array in the `answerIds` field, the attacker can cause the current meeting — and potentially all meetings on the server — to become unresponsive. Version 3.0.13 contains a patch. No known workarounds are available.
🎖@cveNotify
BigBlueButton is an open-source virtual classroom. A Denial of Service (DoS) vulnerability in versions prior to 3.0.13 allows any authenticated user to freeze or crash the entire server by abusing the polling feature's `Choices` response type. By submitting a malicious payload with a massive array in the `answerIds` field, the attacker can cause the current meeting — and potentially all meetings on the server — to become unresponsive. Version 3.0.13 contains a patch. No known workarounds are available.
🎖@cveNotify
GitHub
fix (gql-actions): Add validation for mutation `pollSubmitUserVote` by gustavotrott · Pull Request #23662 · bigbluebutton/bigbluebutton
Prevent users from voting multiple times for the same option in the pollSubmitUserVote mutation.
🚨 CVE-2025-61602
BigBlueButton is an open-source virtual classroom. A denial-of-service (DoS) vulnerability in versions prior to 3.0.13 allows any authenticated user to crash the chat functionality for all participants in a meeting by sending a malformed `reactionEmojiId` in the GraphQL mutation `chatSendMessageReaction`. Version 3.0.13 contains a patch. No known workarounds are available.
🎖@cveNotify
BigBlueButton is an open-source virtual classroom. A denial-of-service (DoS) vulnerability in versions prior to 3.0.13 allows any authenticated user to crash the chat functionality for all participants in a meeting by sending a malformed `reactionEmojiId` in the GraphQL mutation `chatSendMessageReaction`. Version 3.0.13 contains a patch. No known workarounds are available.
🎖@cveNotify
GitHub
refactor: remove emoji id from chat reactions by ramonlsouza · Pull Request #23651 · bigbluebutton/bigbluebutton
What does this PR do?
removes reactionEmojiId from all chat reaction-related mutations and components, reducing code complexity
How to test
join a meeting with chat reactions enabled
send a messag...
removes reactionEmojiId from all chat reaction-related mutations and components, reducing code complexity
How to test
join a meeting with chat reactions enabled
send a messag...
🚨 CVE-2025-11586
A vulnerability was determined in Tenda AC7 15.03.06.44. This affects an unknown function of the file /goform/setNotUpgrade. This manipulation of the argument newVersion causes stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized.
🎖@cveNotify
A vulnerability was determined in Tenda AC7 15.03.06.44. This affects an unknown function of the file /goform/setNotUpgrade. This manipulation of the argument newVersion causes stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized.
🎖@cveNotify
GitHub
IoT-vulnerable/Tenda/AC7/setNotUpgrade.md at main · noahze01/IoT-vulnerable
Contribute to noahze01/IoT-vulnerable development by creating an account on GitHub.
🚨 CVE-2025-11588
A vulnerability was identified in CodeAstro Gym Management System 1.0. This impacts an unknown function of the file /customer/index.php. Such manipulation of the argument fullname leads to sql injection. The attack may be performed from remote. The exploit is publicly available and might be used.
🎖@cveNotify
A vulnerability was identified in CodeAstro Gym Management System 1.0. This impacts an unknown function of the file /customer/index.php. Such manipulation of the argument fullname leads to sql injection. The attack may be performed from remote. The exploit is publicly available and might be used.
🎖@cveNotify
🚨 CVE-2025-62361
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Prior to 3.5.0, an Open Redirect vulnerability was identified in the control.php endpoint of the WeGIA application, specifically in the nextPage parameter (metodo=listarTodos nomeClasse=AlmoxarifeControle). This vulnerability allows attackers to redirect users to arbitrary external domains, enabling phishing campaigns, malicious payload distribution, or user credential theft. This vulnerability is fixed in 3.5.0.
🎖@cveNotify
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Prior to 3.5.0, an Open Redirect vulnerability was identified in the control.php endpoint of the WeGIA application, specifically in the nextPage parameter (metodo=listarTodos nomeClasse=AlmoxarifeControle). This vulnerability allows attackers to redirect users to arbitrary external domains, enabling phishing campaigns, malicious payload distribution, or user credential theft. This vulnerability is fixed in 3.5.0.
🎖@cveNotify
GitHub
Resolução de Open Redirect no método excluir de AlmoxarifeControle.ph… · LabRedesCefetRJ/WeGIA@2b53003
…p [Security https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-m99c-77f2-gpjx]
🚨 CVE-2024-36829
Incorrect access control in Teldat M1 v11.00.05.50.01 allows attackers to obtain sensitive information via a crafted query string.
🎖@cveNotify
Incorrect access control in Teldat M1 v11.00.05.50.01 allows attackers to obtain sensitive information via a crafted query string.
🎖@cveNotify
Gist
CVE-2024-36829
CVE-2024-36829. GitHub Gist: instantly share code, notes, and snippets.
🚨 CVE-2024-50848
An XML External Entity (XXE) vulnerability in the Import object and Translation Memory import functionalities of WorldServer v11.8.2 to access sensitive information and execute arbitrary commands via supplying a crafted .tmx file.
🎖@cveNotify
An XML External Entity (XXE) vulnerability in the Import object and Translation Memory import functionalities of WorldServer v11.8.2 to access sensitive information and execute arbitrary commands via supplying a crafted .tmx file.
🎖@cveNotify
GitHub
GitHub - 1mhr4b/CVE-2024-50848
Contribute to 1mhr4b/CVE-2024-50848 development by creating an account on GitHub.
🚨 CVE-2024-50849
A Stored Cross-Site Scripting (XSS) vulnerability in the "Rules" functionality of WorldServer v11.8.2 allows a remote authenticated attacker to execute arbitrary JavaScript code.
🎖@cveNotify
A Stored Cross-Site Scripting (XSS) vulnerability in the "Rules" functionality of WorldServer v11.8.2 allows a remote authenticated attacker to execute arbitrary JavaScript code.
🎖@cveNotify
GitHub
GitHub - 1mhr4b/CVE-2024-50849
Contribute to 1mhr4b/CVE-2024-50849 development by creating an account on GitHub.
🚨 CVE-2024-56734
Better Auth is an authentication library for TypeScript. An open redirect vulnerability has been identified in the verify email endpoint of all versions of Better Auth prior to v1.1.6, potentially allowing attackers to redirect users to malicious websites. This issue affects users relying on email verification links generated by the library. The verify email callback endpoint accepts a `callbackURL` parameter. Unlike other verification methods, email verification only uses JWT to verify and redirect without proper validation of the target domain. The origin checker is bypassed in this scenario because it only checks for `POST` requests. An attacker can manipulate this parameter to redirect users to arbitrary URLs controlled by the attacker. Version 1.1.6 contains a patch for the issue.
🎖@cveNotify
Better Auth is an authentication library for TypeScript. An open redirect vulnerability has been identified in the verify email endpoint of all versions of Better Auth prior to v1.1.6, potentially allowing attackers to redirect users to malicious websites. This issue affects users relying on email verification links generated by the library. The verify email callback endpoint accepts a `callbackURL` parameter. Unlike other verification methods, email verification only uses JWT to verify and redirect without proper validation of the target domain. The origin checker is bypassed in this scenario because it only checks for `POST` requests. An attacker can manipulate this parameter to redirect users to arbitrary URLs controlled by the attacker. Version 1.1.6 contains a patch for the issue.
🎖@cveNotify
GitHub
fix: enforce origin checker for GET methods · better-auth/better-auth@deb3d73
The most comprehensive authentication framework for TypeScript - fix: enforce origin checker for GET methods · better-auth/better-auth@deb3d73
🚨 CVE-2025-62177
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Prior to 3.5.1, a SQL Injection vulnerability was identified in the /html/funcionario/dependente_listar.php endpoint, specifically in the id_funcionario parameter. This vulnerability allows attackers to execute arbitrary SQL commands, compromising the confidentiality, integrity, and availability of the database. This vulnerability is fixed in 3.5.1.
🎖@cveNotify
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Prior to 3.5.1, a SQL Injection vulnerability was identified in the /html/funcionario/dependente_listar.php endpoint, specifically in the id_funcionario parameter. This vulnerability allows attackers to execute arbitrary SQL commands, compromising the confidentiality, integrity, and availability of the database. This vulnerability is fixed in 3.5.1.
🎖@cveNotify
GitHub
Resolução de SQL Injection [Security https://github.com/LabRedesCefet… · LabRedesCefetRJ/WeGIA@017fdd7
…RJ/WeGIA/security/advisories/GHSA-4wrg-g9cj-hjcx]
🚨 CVE-2025-62178
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Prior to 3.5.1, a Reflected Cross-Site Scripting (XSS) vulnerability was identified in the /html/atendido/cadastro_atendido_parentesco_pessoa_nova.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the idatendido parameter. This vulnerability is fixed in 3.5.1.
🎖@cveNotify
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Prior to 3.5.1, a Reflected Cross-Site Scripting (XSS) vulnerability was identified in the /html/atendido/cadastro_atendido_parentesco_pessoa_nova.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the idatendido parameter. This vulnerability is fixed in 3.5.1.
🎖@cveNotify
GitHub
Resolução XSS em cadastro_atendido_parentesco_pessoa_nova.php [Securi… · LabRedesCefetRJ/WeGIA@e39390f
…ty https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-fj32-779r-28qv]
🚨 CVE-2025-62179
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Prior to 3.5.1, a SQL Injection vulnerability was identified in the /html/funcionario/cadastro_funcionario_pessoa_existente.php endpoint, specifically in the cpf parameter. This vulnerability allows attackers to execute arbitrary SQL commands, compromising the confidentiality, integrity, and availability of the database. This vulnerability is fixed in 3.5.1.
🎖@cveNotify
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Prior to 3.5.1, a SQL Injection vulnerability was identified in the /html/funcionario/cadastro_funcionario_pessoa_existente.php endpoint, specifically in the cpf parameter. This vulnerability allows attackers to execute arbitrary SQL commands, compromising the confidentiality, integrity, and availability of the database. This vulnerability is fixed in 3.5.1.
🎖@cveNotify
GitHub
Resolução SQL Injection no parâmetro CPF em cadastro_funcionario_pess… · LabRedesCefetRJ/WeGIA@885972c
…oa_existente [Security https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-x36x-x5j4-wfjf]
🚨 CVE-2025-62358
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Prior to 3.5.1, the log parameter in configuracao_geral.php is vulnerable to Reflected Cross-Site Scripting (XSS). An attacker can inject arbitrary JavaScript, which executes in the victim’s browser. This vulnerability is fixed in 3.5.1.
🎖@cveNotify
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Prior to 3.5.1, the log parameter in configuracao_geral.php is vulnerable to Reflected Cross-Site Scripting (XSS). An attacker can inject arbitrary JavaScript, which executes in the victim’s browser. This vulnerability is fixed in 3.5.1.
🎖@cveNotify
GitHub
Resolução XSS em configuracao_geral.php [Security https://github.com/… · LabRedesCefetRJ/WeGIA@eddb9b1
…LabRedesCefetRJ/WeGIA/security/advisories/GHSA-g6hr-2rhx-f8q4]
🚨 CVE-2025-62359
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Prior to 3.5.0, a Reflected Cross-Site Scripting (XSS) vulnerability was identified in the /pet/profile_pet.php?id_pet= endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the id_pet parameter. This vulnerability is fixed in 3.5.0.
🎖@cveNotify
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Prior to 3.5.0, a Reflected Cross-Site Scripting (XSS) vulnerability was identified in the /pet/profile_pet.php?id_pet= endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the id_pet parameter. This vulnerability is fixed in 3.5.0.
🎖@cveNotify
GitHub
Resolução SQL Injection [Security https://github.com/LabRedesCefetRJ/… · LabRedesCefetRJ/WeGIA@1767335
…WeGIA/security/advisories/GHSA-8963-9833-gpx7]
🚨 CVE-2025-62360
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users.Prior to 3.5.1, a SQL Injection vulnerability was identified in the /html/funcionario/dependente_documento.php endpoint, specifically in the id_dependente parameter. This vulnerability allows attackers to execute arbitrary SQL commands, compromising the confidentiality, integrity, and availability of the database. This vulnerability is fixed in 3.5.1.
🎖@cveNotify
WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users.Prior to 3.5.1, a SQL Injection vulnerability was identified in the /html/funcionario/dependente_documento.php endpoint, specifically in the id_dependente parameter. This vulnerability allows attackers to execute arbitrary SQL commands, compromising the confidentiality, integrity, and availability of the database. This vulnerability is fixed in 3.5.1.
🎖@cveNotify
GitHub
Resolução de SQL Injection em dependente_documento.php [Security http… · LabRedesCefetRJ/WeGIA@7abbffd
…s://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-m4j6-q5m4-x24g]
🚨 CVE-2025-56219
Incorrect access control in SigningHub v8.6.8 allows attackers to arbitrarily add user accounts without any rate limiting. This can lead to a resource exhaustion and a Denial of Service (DoS) when an excessively large number of user accounts are created.
🎖@cveNotify
Incorrect access control in SigningHub v8.6.8 allows attackers to arbitrarily add user accounts without any rate limiting. This can lead to a resource exhaustion and a Denial of Service (DoS) when an excessively large number of user accounts are created.
🎖@cveNotify
Ascertia
High-trust PKI & Digital Signature Solutions | Ascertia
High-trust PKI and digital signature software solutions powered by Ascertia. Learn more about our full product range for enterprise, government and TSPs:
🚨 CVE-2025-56223
A lack of rate limiting in the component /Home/UploadStreamDocument of SigningHub v8.6.8 allows attackers to cause a Denial of Service (DoS) via uploading an excessive number of files.
🎖@cveNotify
A lack of rate limiting in the component /Home/UploadStreamDocument of SigningHub v8.6.8 allows attackers to cause a Denial of Service (DoS) via uploading an excessive number of files.
🎖@cveNotify
Ascertia
High-trust PKI & Digital Signature Solutions | Ascertia
High-trust PKI and digital signature software solutions powered by Ascertia. Learn more about our full product range for enterprise, government and TSPs:
🚨 CVE-2025-56224
A lack of rate limiting in the One-Time Password (OTP) verification endpoint of SigningHub v8.6.8 allows attackers to bypass verification via a bruteforce attack.
🎖@cveNotify
A lack of rate limiting in the One-Time Password (OTP) verification endpoint of SigningHub v8.6.8 allows attackers to bypass verification via a bruteforce attack.
🎖@cveNotify
Ascertia
High-trust PKI & Digital Signature Solutions | Ascertia
High-trust PKI and digital signature software solutions powered by Ascertia. Learn more about our full product range for enterprise, government and TSPs: