Remote Code Execution

An attacker can exploit a flaw in the Cursor code editor to gain control of the system by manipulating Git settings, allowing them to run harmful commands without any user interaction. This vulnerability affects versions prior to 2.5 and can lead to remote code execution when certain Git hooks are triggered.

An attacker can exploit a critical vulnerability in Hyland OnBase to send malicious requests that allow them to read or write files on the server, potentially leading to remote code execution. This requires the attacker to have network access to the OnBase Workflow Timer Service, which listens on a specific port.

This vulnerability allows attackers to run malicious scripts on the OpenSourcePOS platform, potentially stealing sensitive information from users or manipulating transactions. It occurs when an attacker can inject harmful code into the item management or sales invoice sections, which requires them to have access to those functions in the application.

This vulnerability allows attackers to run malicious scripts on a user's browser by injecting harmful code into the Item Category field when generating barcodes. It requires the attacker to have access to the web interface of OpenSourcePOS, making it important for users to be cautious about input validation and access controls.

This vulnerability allows attackers to run any code they want on the OpenSourcePOS system by sending a specially crafted response through AJAX. It requires the attacker to have access to the system's web interface, making it a serious risk if proper security measures are not in place.

This vulnerability allows attackers to run malicious scripts in a user's browser by injecting harmful code into the Phone Number field in the Customers function of OpenSourcePOS v3.4.1. It requires the attacker to trick a user into visiting a page where this code is executed, potentially leading to data theft or session hijacking.

An attacker can execute malicious code on the Yoke system, potentially gaining control over Kubernetes resources or escalating their privileges to the highest level. This vulnerability requires the attacker to have permissions to create or update resources in the system.

This vulnerability allows an authenticated user to run malicious code on the backend server of the AutoGPT platform, potentially taking full control of the system. It occurs because the platform fails to properly enforce restrictions on a development tool, enabling users to bypass security measures by embedding it in their workflows.

This vulnerability allows an attacker to send requests to internal servers on a network by tricking the system into thinking they are accessing a video from an external URL. Even regular users can exploit this flaw without needing special permissions, making it possible for them to scan and potentially discover sensitive information about the internal network.

An attacker with physical access to a modified Arduino board can exploit a flaw in the Arduino App Lab to inject malicious commands that run on the user's computer, potentially allowing them to take control of the system. This requires the attacker to tamper with the board beforehand and connect it to the app.

An attacker can inject a harmful authentication message into the authentik identity provider, potentially allowing them to impersonate a legitimate user. This can happen if the system is configured to verify the signature of the assertion but not the response, or if it lacks proper encryption settings.

This vulnerability allows an attacker to bypass authentication and gain unauthorized access to systems using the authentik identity provider when it is set up with certain reverse proxies like Traefik or Caddy. This can happen if the attacker sends a specially crafted cookie, allowing them to access resources without proper credentials, but it only affects versions prior to the specified updates.

This vulnerability allows an attacker with specific permissions to run arbitrary code on the authentik server, potentially taking control of the system. It affects versions from 2021.3.1 up to just before 2025.8.6, 2025.10.4, and 2025.12.4, and requires the attacker to have permission to view certain property mappings or policies.

An attacker can exploit this vulnerability to overwhelm a system by repeatedly opening and closing WebTransport streams, which leads to excessive memory use because the system fails to properly clean up closed streams. This issue occurs in versions prior to 0.10.0, so updating to the latest version is essential to prevent this problem.

An attacker can exploit a flaw in the webtransport-go software to send an excessively large message, causing the system to use up all available memory and potentially crash or slow down. This requires the attacker to send a large payload, but since there’s no limit on the size, they can easily overwhelm the system if they have enough bandwidth.

This vulnerability allows an attacker to inject malicious JavaScript into the OpenProject application, potentially compromising other users' accounts. To exploit this, the attacker needs permissions to edit work packages and add attachments, and they could use this to target a System Admin for privilege escalation.

This vulnerability allows an attacker to inject malicious scripts into the website, which could lead to unauthorized actions or data theft from users who visit the affected page. It can be exploited remotely by manipulating a specific input field without needing any special access or credentials.