8.3
CVE-2024-56366 - PhpSpreadsheet vulnerable to unauthorized reflected XSS in the Accounting.php file
PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to unauthorized reflected cross-site scripting in the `Accounting.php` file. Using the `/vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Accountinβ¦
8.3
CVE-2024-56365 - PhpSpreadsheet vulnerable to unauthorized reflected XSS in the constructor of the Downloader class
PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to unauthorized reflected cross-site scripting in the constructor of the `Downloader` class. Using the `/vendor/phpoffice/phpspreadsheet/samples/download.php` β¦
5.3
CVE-2025-21610 - Trix allows Cross-site Scripting via `javascript:` url in a link
Trix is a what-you-see-is-what-you-get rich text editor for everyday writing. Versions prior to 2.1.12 are vulnerable to cross-site scripting when pasting malicious code in the link field. An attacker could trick the user to copy&paste a malicious `javascript:` URL as a link that would execute arbiβ¦
8.7
CVE-2025-21609 - SiYuan has an arbitrary file deletion vulnerability
SiYuan is self-hosted, open source personal knowledge management software. SiYuan Note version 3.1.18 has an arbitrary file deletion vulnerability. The vulnerability exists in the `POST /api/history/getDocHistoryContent` endpoint. An attacker can craft a payload to exploit this vulnerability, resulβ¦
5.3
CVE-2024-56514 - Karmada Tar Slips in CRDs archive extraction
Karmada is a Kubernetes management system that allows users to run cloud-native applications across multiple Kubernetes clusters and clouds. Prior to version 1.12.0, both in karmadactl and karmada-operator, it is possible to supply a filesystem path, or an HTTP(s) URL to retrieve the custom resourcβ¦
8.7
CVE-2024-56513 - Karmada PULL Mode Cluster Privilege Escalation
Karmada is a Kubernetes management system that allows users to run cloud-native applications across multiple Kubernetes clusters and clouds. Prior to version 1.12.0, the PULL mode clusters registered with the `karmadactl register` command have excessive privileges to access control plane resources.β¦
8.3
CVE-2024-56408 - PhpSpreadsheet allows unauthorized reflected XSS in `Convert-Online.php` file
PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 have no sanitization in the `/vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php` file, which leads to the possibility of a cross-site scripting attack. Vβ¦
2.1
CVE-2024-56324 - GoCD vulnerable to XXE injection via abuse of pipeline XML "snippet" editing by group admins
GoCD is a continuous deliver server. GoCD versions prior to 24.4.0 can allow GoCD "group admins" to abuse ability to edit the raw XML configuration for groups they administer to trigger XML External Entity (XXE) injection on the GoCD server. Theoretically, the XXE vulnerability can result in additiβ¦
2.1
CVE-2024-56322 - GoCD vulnerable to XXE injection via abuse of unused XML configuration repository functionality
GoCD is a continuous deliver server. GoCD versions 16.7.0 through 24.4.0 (inclusive) can allow GoCD admins to abuse a hidden/unused configuration repository (pipelines as code) feature to allow XML External Entity (XXE) injection on the GoCD Server which will be executed when GoCD periodically scanβ¦
3.8
CVE-2024-56321 - GoCD can allow malicious GoCD admins to abuse backup configuration to gain additional host access
GoCD is a continuous deliver server. GoCD versions 18.9.0 through 24.4.0 (inclusive) can allow GoCD admins to abuse the backup configuration "post-backup script" feature to potentially execute arbitrary scripts on the hosting server or container as GoCD's user, rather than pre-configured scripts. Iβ¦