CVSS Score: 8.2 Published: 2025-12-30 Full Report: https://cvereports.com/reports/GHSA-6mp4-q625-mxjp

A deep dive into a Reflected Cross-Site Scripting (XSS) vulnerability in the popular YOURLS URL shortener. By exploiting legacy JSONP implementations in the API, attackers can execute arbitrary JavaScript in the context of the administrator's session.

CVSS Score: 8.1 Published: 2025-12-30 Full Report: https://cvereports.com/reports/GHSA-xphh-5v4r-r3rx

A critical Path Traversal vulnerability in PsiTransfer allows attackers to weaponize the 'Download Archive' feature. By uploading files with malicious filenames, attackers can generate archives that perform arbitrary file overwrites on the victim's machine upon extraction.

CVSS Score: 9.8 Published: 2025-12-30 Full Report: https://cvereports.com/reports/GHSA-46h3-79wf-xr6c

A critical bypass in the picklescan security scanner allowing remote code execution via the Python C-implementation module '_operator'.

CVSS Score: 6.6 Published: 2022-04-01 Full Report: https://cvereports.com/reports/GHSA-C3G4-W6CV-6V7H

A logic flaw in Buildah and Moby (Docker Engine) allowed containers to start with a non-empty Inheritable capability set. This subtle misconfiguration permits attackers to 'resurrect' privileges that were intended to be restricted, bypassing container hardening measures by leveraging file capabilities.

CVSS Score: 8.2 Published: 2025-12-30 Full Report: https://cvereports.com/reports/GHSA-6mp4-q625-mxjp

A deep dive into a Reflected Cross-Site Scripting (XSS) vulnerability in the popular YOURLS URL shortener. By exploiting legacy JSONP implementations in the API, attackers can execute arbitrary JavaScript in the context of the administrator's session.

CVSS Score: 8.1 Published: 2025-12-30 Full Report: https://cvereports.com/reports/GHSA-xphh-5v4r-r3rx

A critical Path Traversal vulnerability in PsiTransfer allows attackers to weaponize the 'Download Archive' feature. By uploading files with malicious filenames, attackers can generate archives that perform arbitrary file overwrites on the victim's machine upon extraction.

CVSS Score: 9.8 Published: 2025-12-30 Full Report: https://cvereports.com/reports/GHSA-46h3-79wf-xr6c

A critical bypass in the picklescan security scanner allowing remote code execution via the Python C-implementation module '_operator'.

CVSS Score: 7.2 Published: 2026-01-02 Full Report: https://cvereports.com/reports/GHSA-P4F6-H8JJ-VFVF

The mccutchen/go-httpbin framework, a popular tool for inspecting HTTP requests, contained a classic Reflected Cross-Site Scripting (XSS) vulnerability. By allowing attackers to control the Content-Type response header and reflect unescaped payloads in the response body, the /response-headers and /base64 endpoints could be turned against users. This flaw allowed for arbitrary JavaScript execution in the context of a victim's browser, leading to session hijacking, data theft, and other client-side attacks.

CVSS Score: 6.1 Published: 2026-01-02 Full Report: https://cvereports.com/reports/GHSA-528q-4pgm-wvg2

A classic tale of a feature becoming a bug. The popular debugging tool go-httpbin allowed users to control both the reflected content and the Content-Type header, creating a trivial path to Cross-Site Scripting (XSS).

CVSS Score: 5.4 Published: 2026-01-02 Full Report: https://cvereports.com/reports/GHSA-JMR4-P576-V565

listmonk, a self-hosted newsletter manager, contains a classic Stored Cross-Site Scripting (XSS) vulnerability that allows a low-privileged user to achieve full administrative control. By embedding malicious JavaScript into a campaign or template, an attacker can execute code in a Super Admin's browser context. The vulnerability is made more severe by a 'no-click' attack vector through the public archive feature, where an admin simply visiting a link can trigger a full account takeover. The provided patch only partially addresses the issue, leaving a potential attack vector wide open.