Traefik is an HTTP reverse proxy and load balancer. Versions prior to 2.11.6, 3.0.4, and 3.1.0-rc3 have a vulnerability that allows bypassing IP allow-lists via HTTP/3 early data requests in QUIC 0-RTT handshakes sent with spoofed IP addresses. Versions 2.11.6, 3.0.4, and 3.1.0-rc3 contain a patch for this issue. No known workarounds are available.

A cross-site scripting (XSS) vulnerability in the Publish Article function of yzmcms v7.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into a published article.

Mastodon is a self-hosted, federated microblogging platform. Starting in version 2.6.0 and prior to versions 4.1.18 and 4.2.10, by crafting specific activities, an attacker can extend the audience of a post they do not own to other Mastodon users on a target server, thus gaining access to the contents of a post not intended for them. Versions 4.1.18 and 4.2.10 contain a patch for this issue.

MyPower vc8100 V100R001C00B030 was discovered to contain an arbitrary file read vulnerability via the component /tcpdump/tcpdump.php?menu_uuid.

vditor v.3.9.8 and before is vulnerable to Arbitrary file read via a crafted data packet.

Insecure permissions in the component /api/admin/user of 14Finger v1.1 allows attackers to access all user information via a crafted GET request.

Cross Site Request Forgery vulnerability in Eskooly Free Online School Management Software v.3.0 and before allows a remote attacker to escalate privileges via the Token Handling component.

Cross Site Scripting vulnerability in Eskooly Web Product v.3.0 and before allows a remote attacker to execute arbitrary code via the message sending and user input fields.

An issue in Eskooly Free Online School management Software v.3.0 and before allows a remote attacker to escalate privileges via a crafted request to the Password Change mechanism.

An issue in Eskooly Free Online School management Software v.3.0 and before allows a remote attacker to escalate privileges via the HTTP Response Header Settings component.

An issue in Eskooly Free Online School management Software v.3.0 and before allows a remote attacker to escalate privileges via the User Account Mangemnt component in the authentication mechanism.

An issue in Eskooly Free Online School management Software v.3.0 and before allows a remote attacker to escalate privileges via the Sin-up process function in the account settings.

An issue in Eskooly Free Online School management Software v.3.0 and before allows a remote attacker to escalate privileges via the authentication mechanism.

SQL Injection vulnerability in Eskooly Web Product v.3.0 allows a remote attacker to execute arbitrary code via the searchby parameter of the allstudents.php component and the id parameter of the requestmanager.php component.

Best House Rental Management System v1.0 was discovered to contain an arbitrary file read vulnerability via the Page parameter at index.php. This vulnerability allows attackers to read arbitrary PHP files and access other sensitive information within the application.

Insecure permissions in 14Finger v1.1 allow attackers to escalate privileges from normal user to Administrator via a crafted POST request.

14Finger v1.1 was discovered to contain an arbitrary user deletion vulnerability via the component /api/admin/user?id.

Volmarg Personal Management System 1.4.64 is vulnerable to SSRF (Server Side Request Forgery) via uploading a SVG file. The server can make unintended HTTP and DNS requests to a server that the attacker controls.

Volmarg Personal Management System 1.4.64 is vulnerable to stored cross site scripting (XSS) via upload of a SVG file with embedded javascript code.

goanother Another Redis Desktop Manager =<1.6.1 is vulnerable to Cross Site Scripting (XSS) via src/components/Setting.vue.