Page 90 of 35344 results (0.171 seconds)

CVSS: 6.5EPSS: 0%CPEs: -EXPL: 0

Due to incomplete filtering in the sanitize_svg function, this can lead to cross-site scripting (XSS) vulnerabilities, which in turn pose a risk of remote code execution. • https://github.com/parisneo/lollms/commit/328b960a0de2097e13654ac752253e9541521ddd https://huntr.com/bounties/ad68ecd6-44e2-449b-8e7e-f2b71b1b43c7 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.1EPSS: 0%CPEs: -EXPL: 0

This vulnerability can lead to remote code execution (RCE) by overwriting backend assets used by the server. • https://github.com/mudler/localai/commit/a181dd0ebc5d3092fc50f61674d552604fe8ef9c https://huntr.com/bounties/752d2376-2d9a-4e17-b462-3c267f9dd229 • CWE-20: Improper Input Validation •

CVSS: 9.1EPSS: 0%CPEs: -EXPL: 0

Specifically, the load_chat_history function in modules/models/base_model.py allows arbitrary file uploads, potentially leading to remote code execution (RCE). The get_history_names function in utils.py permits arbitrary directory creation. • https://github.com/gaizhenbiao/chuanhuchatgpt/commit/952fc8c3cbacead858311747cddd4bedcb4721d7 https://huntr.com/bounties/5d5c5356-e893-44d1-b5ca-642aa05d96bb • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0

This makes it possible for authenticated attackers, with Subscriber-level access and above, and permissions granted by an administrator, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://plugins.trac.wordpress.org/browser/fileorganizer/trunk/main/ajax.php#L13 https://plugins.trac.wordpress.org/changeset/3149878 https://www.wordfence.com/threat-intel/vulnerabilities/id/f79164c2-be3b-496d-b747-3e4b60b7fc2b?source=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVSS: 6.1EPSS: 0%CPEs: -EXPL: 0

A Reflected Cross Site Scripting (XSS) vulnerability was found in /odms/admin/user-search.php in PHPGurukul Online DJ Booking Management System v1.0, which allows remote attackers to execute arbitrary code via the searchdata parameter. • https://github.com/Santoshcyber1/CVE-wirteup/blob/main/Phpgurukul/Online%20DJ%20Booking/DJ%20online%20Cross%20Site%20Scripting%20%20u.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •