Search HackerFeeds

Poweradmin is a web-based DNS administration tool for PowerDNS server. Versions prior to 4.2.4 and 4.3.3 are vulnerable to CSV Injection (Formula Injection) in

matched in description · 2026-06-23

Open VSX Registry does not sanitize SVG files uploaded as extension icons prior to storage, and serves them with Content-Type: image/svg+xml without security he

matched in description · 2026-06-23

Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 accept protocol-relative paths such as //evil.com in the reloadNuxtApp function; these pass the script-pr

matched in description · 2026-06-22

Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 contain a server-side open redirect vulnerability in navigateTo that fails to properly validate path-norm

matched in description · 2026-06-22

An unvalidated redirect was contained in Venueless' social login functionality and could be exploited for phishing using trusted domains.

matched in description · 2026-06-22

Capgo before 12.128.2 contains an open redirect vulnerability in the confirm-signup endpoint that allows attackers to redirect users to arbitrary external websi

matched in description · 2026-06-20

Capgo before 12.128.2 contains an open redirect vulnerability in stripe_portal and stripe_checkout endpoints that accept unvalidated callbackUrl, successUrl, an

matched in description · 2026-06-20

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache APISIX. The default configuration of cas-auth in Apache APISIX is vulnerable to phi

matched in description · 2026-06-19

Open redirect in pgAdmin 4's multi-factor authentication flow. The MFA validate and register endpoints honoured the user-supplied 'next' query/form parameter wi

matched in description · 2026-06-19

Stored cross-site scripting in pgAdmin 4's error-rendering and plan-node-rendering paths. Text returned by a PostgreSQL server (ErrorResponse messages, includin

matched in description · 2026-06-19

Open redirection vulnerability due to insufficient validation of the X-Forwarded-Host HTTP header. An attacker could create manipulated links that, when opened

matched in description · 2026-06-17

Address bar spoofing in Arc Search for Android allows a remote attacker to display a trusted domain in the address bar while rendering attacker-controlled conte

matched in description · 2026-06-17

The Aqara IAM/SSO Gateway (gw-builder.aqara.com) provides an open redirect, which is an instance of "CWE-601: URL Redirection to Untrusted Site," with an estima

matched in description · 2026-06-12

Nuxt is an open-source web development framework for Vue.js. Prior to versions 3.21.7 and 4.4.7, <NuxtLink> did not validate the URL scheme of values bound to i

matched in description · 2026-06-12

Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not ensure that the "from" parameter in the "Delegate to servlet container" security realm is safe to re

matched in description · 2026-06-10

Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins when it contains ta

matched in description · 2026-06-10

Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins when it contains re

matched in description · 2026-06-10

Applications that use GeneralUtility::sanitizeLocalUrl to allow only local URLs are vulnerable to open redirect attacks if the URL is used after it has passed t

matched in description · 2026-06-09

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. The `POST /users/totp/disable` and `POST /users/to

matched in description · 2026-06-05

IRIS is a web collaborative platform that helps incident responders share technical details during investigations. Versions prior to 2.4.28 do not properly vali

matched in description · 2026-06-04

An open redirect vulnerability existed in MISP UsersController::routeafterlogin() because the value stored in the pre_login_requested_url session key was used a

matched in description · 2026-06-04

A URL validation flaw in the MISP dashboard button widget allowed a crafted relative-looking URL to be accepted as a local path while being interpreted by brows

matched in description · 2026-06-04

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the Redirect module does not validate the URL scheme of adminis

matched in description · 2026-06-03

A vulnerability in jupyter-server versions 1.12.0 through 2.17.0 allows an attacker to bypass CORS origin validation when the `allow_origin_pat` configuration i

matched in description · 2026-06-03

backpack/crud provides Create, Read, Update & Delete (CRUD) functions for Backpack, a collection of Laravel packages that help users build custom administration

matched in description · 2026-06-03

NamelessMC is website software for Minecraft servers. A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in version 2.2.4 in the id parameter o

matched in description · 2026-06-02

The Simple Custom Login Page plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the color settings fields (Page Background, Form Background,

matched in description · 2026-06-02

WeGIA is a web manager for charitable institutions. Prior to 3.7.3, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of

matched in description · 2026-05-27

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Facebook Facebook for WooCommerce allows Phishing. This issue affects Facebook for WooComm

matched in description · 2026-05-27

Jenkins Bitbucket OAuth Plugin 0.17 and earlier does not restrict the redirect URL after login, allowing attackers to perform phishing attacks.

matched in description · 2026-05-27

e107 is a content management system (CMS). Prior to 2.3.4, a Host Header Injection vulnerability in the password reset page allows attackers to manipulate the H

matched in description · 2026-05-26

NukeViet CMS is a multi Content Management System. Versions 4.5.07 and prior contain a Stored Cross-Site Scripting (XSS) vulnerability caused by insufficient se

matched in description · 2026-05-22

Devise is an authentication solution for Rails based on Warden. In versions 5.0.3 and below, when the Timeoutable module is enabled in Devise, the FailureApp#re

matched in description · 2026-05-22

Dell PowerFlex Manager, versions 4.6.2 and prior, contains an Open Redirect Vulnerability. An unauthenticated attacker could potentially exploit this vulnerabil

matched in description · 2026-05-22

Trilium Notes is a cross-platform, hierarchical note taking application focused on building large personal knowledge bases. In versions 0.102.1 and prior, the C

matched in description · 2026-05-20

A Stored HTML Injection vulnerability was discovered in the Smart Polling functionality due to improper validation of an input parameter. An authenticated user

matched in description · 2026-05-19

A Stored HTML Injection vulnerability was discovered in the Schedule Restore Archive functionality due to improper validation of an input parameter. An authenti

matched in description · 2026-05-19

A Stored HTML Injection vulnerability was discovered in the Users functionality due to improper validation of an input parameter. An authenticated user with adm

matched in description · 2026-05-19

A Stored HTML Injection vulnerability was discovered in the Credentials Manager functionality due to improper validation of an input parameter. An authenticated

matched in description · 2026-05-19

WordPress Plugin Buddypress 6.2.0 contains a persistent cross-site scripting vulnerability that allows authenticated attackers with moderator privileges to inje

matched in description · 2026-05-16

CubeCart is an ecommerce software solution. Prior to 6.7.0, an unauthenticated Reflected XSS vulnerability exists in the CubeCart v6.x search feature. Due to a

matched in description · 2026-05-13

Horilla is an HR and CRM software. In 1.5.0, the notification endpoints trust the unvalidated next parameter and redirect users to arbitrary external URLs. This

matched in description · 2026-05-12

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.76 and 9.9.0-alpha.2, a race condition in t

matched in description · 2026-05-12

WWBN AVideo is an open source video platform. In versions up to and including 29.0, the unauthenticated plugin/Scheduler/downloadICS.php endpoint passes attacke

matched in description · 2026-05-11

WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/sendEmail.json.php exposes two branches depending on whether contact

matched in description · 2026-05-11

WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/notifySubscribers.json.php takes the raw message POST parameter and

matched in description · 2026-05-11

Zen is a firefox-based browser. Prior to 1.19.12b, the ZEN Browser incorrectly truncates long hostnames in the address bar and shows only the attacker-controlle

matched in description · 2026-05-11

Open edX Platform enables the authoring and delivery of online learning at any scale. The HTML sanitizer clean_thread_html_body() used for discussion notificati

matched in description · 2026-05-11

The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered use

matched in description · 2026-05-11

Rocket LMS 1.1 contains a persistent cross-site scripting vulnerability in the support ticket module that allows authenticated users to inject malicious script

matched in description · 2026-05-10