<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="/static/style.xsl" type="text/xsl"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title>Most recent sightings.</title>
    <link>https://vulnerability.circl.lu</link>
    <description>Contains only the 10 most recent sightings.</description>
    <docs>http://www.rssboard.org/rss-specification</docs>
    <generator>python-feedgen</generator>
    <language>en</language>
    <lastBuildDate>Mon, 01 Jun 2026 10:08:45 +0000</lastBuildDate>
    <item>
      <title>ab5176e2-4a17-47af-89e8-c1f0ff866c99</title>
      <link>https://vulnerability.circl.lu/sighting/ab5176e2-4a17-47af-89e8-c1f0ff866c99/export</link>
      <description>{"uuid": "ab5176e2-4a17-47af-89e8-c1f0ff866c99", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-39261", "type": "seen", "source": "https://t.me/cibsecurity/50591", "content": "\u203c CVE-2022-39261 \u203c\n\nTwig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It is possible to use the `source` or `include` statement to read arbitrary files from outside the templates' directory when using a namespace like `@somewhere/../some.file`. In such a case, validation is bypassed. Versions 1.44.7, 2.15.3, and 3.4.3 contain a fix for validation of such template names. There are no known workarounds aside from upgrading.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-09-28T18:34:22.000000Z"}</description>
      <content:encoded>{"uuid": "ab5176e2-4a17-47af-89e8-c1f0ff866c99", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-39261", "type": "seen", "source": "https://t.me/cibsecurity/50591", "content": "\u203c CVE-2022-39261 \u203c\n\nTwig is a template language for PHP. Versions 1.x prior to 1.44.7, 2.x prior to 2.15.3, and 3.x prior to 3.4.3 encounter an issue when the filesystem loader loads templates for which the name is a user input. It is possible to use the `source` or `include` statement to read arbitrary files from outside the templates' directory when using a namespace like `@somewhere/../some.file`. In such a case, validation is bypassed. Versions 1.44.7, 2.15.3, and 3.4.3 contain a fix for validation of such template names. There are no known workarounds aside from upgrading.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-09-28T18:34:22.000000Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/ab5176e2-4a17-47af-89e8-c1f0ff866c99/export</guid>
      <pubDate>Wed, 28 Sep 2022 18:34:22 +0000</pubDate>
    </item>
    <item>
      <title>ee482c53-bb43-47cd-9495-c4247493f787</title>
      <link>https://vulnerability.circl.lu/sighting/ee482c53-bb43-47cd-9495-c4247493f787/export</link>
      <description>{"uuid": "ee482c53-bb43-47cd-9495-c4247493f787", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-39263", "type": "seen", "source": "https://t.me/cibsecurity/50636", "content": "\u203c CVE-2022-39263 \u203c\n\n`@next-auth/upstash-redis-adapter` is the Upstash Redis adapter for NextAuth.js, which provides authentication for Next.js. Applications that use `next-auth` Email Provider and `@next-auth/upstash-redis-adapter` before v3.0.2 are affected by this vulnerability. The Upstash Redis adapter implementation did not check for both the identifier (email) and the token, but only checked for the identifier when verifying the token in the email callback flow. An attacker who knows about the victim's email could easily sign in as the victim, given the attacker also knows about the verification token's expired duration. The vulnerability is patched in v3.0.2. A workaround is available. Using Advanced Initialization, developers can check the requests and compare the query's token and identifier before proceeding.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-09-29T00:34:44.000000Z"}</description>
      <content:encoded>{"uuid": "ee482c53-bb43-47cd-9495-c4247493f787", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-39263", "type": "seen", "source": "https://t.me/cibsecurity/50636", "content": "\u203c CVE-2022-39263 \u203c\n\n`@next-auth/upstash-redis-adapter` is the Upstash Redis adapter for NextAuth.js, which provides authentication for Next.js. Applications that use `next-auth` Email Provider and `@next-auth/upstash-redis-adapter` before v3.0.2 are affected by this vulnerability. The Upstash Redis adapter implementation did not check for both the identifier (email) and the token, but only checked for the identifier when verifying the token in the email callback flow. An attacker who knows about the victim's email could easily sign in as the victim, given the attacker also knows about the verification token's expired duration. The vulnerability is patched in v3.0.2. A workaround is available. Using Advanced Initialization, developers can check the requests and compare the query's token and identifier before proceeding.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-09-29T00:34:44.000000Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/ee482c53-bb43-47cd-9495-c4247493f787/export</guid>
      <pubDate>Thu, 29 Sep 2022 00:34:44 +0000</pubDate>
    </item>
    <item>
      <title>f3699d42-ce6c-4e21-bb95-9866013259c2</title>
      <link>https://vulnerability.circl.lu/sighting/f3699d42-ce6c-4e21-bb95-9866013259c2/export</link>
      <description>{"uuid": "f3699d42-ce6c-4e21-bb95-9866013259c2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-39264", "type": "seen", "source": "https://t.me/cibsecurity/50643", "content": "\u203c CVE-2022-39264 \u203c\n\nnheko is a desktop client for the Matrix communication application. All versions below 0.10.2 are vulnerable to homeservers inserting malicious secrets, which could lead to man-in-the-middle attacks. Users can upgrade to version 0.10.2 to protect against this issue. As a workaround, one may apply the patch manually, avoid doing verifications of one's own devices, and/or avoid pressing the request button in the settings menu.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-09-29T02:34:30.000000Z"}</description>
      <content:encoded>{"uuid": "f3699d42-ce6c-4e21-bb95-9866013259c2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-39264", "type": "seen", "source": "https://t.me/cibsecurity/50643", "content": "\u203c CVE-2022-39264 \u203c\n\nnheko is a desktop client for the Matrix communication application. All versions below 0.10.2 are vulnerable to homeservers inserting malicious secrets, which could lead to man-in-the-middle attacks. Users can upgrade to version 0.10.2 to protect against this issue. As a workaround, one may apply the patch manually, avoid doing verifications of one's own devices, and/or avoid pressing the request button in the settings menu.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-09-29T02:34:30.000000Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/f3699d42-ce6c-4e21-bb95-9866013259c2/export</guid>
      <pubDate>Thu, 29 Sep 2022 02:34:30 +0000</pubDate>
    </item>
    <item>
      <title>1ad2da66-cc8c-4d97-bff0-77dd54f25db8</title>
      <link>https://vulnerability.circl.lu/sighting/1ad2da66-cc8c-4d97-bff0-77dd54f25db8/export</link>
      <description>{"uuid": "1ad2da66-cc8c-4d97-bff0-77dd54f25db8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-39266", "type": "seen", "source": "https://t.me/cibsecurity/50740", "content": "\u203c CVE-2022-39266 \u203c\n\nisolated-vm is a library for nodejs which gives the user access to v8's Isolate interface. In versions 4.3.6 and prior, if the untrusted v8 cached data is passed to the API through CachedDataOptions, attackers can bypass the sandbox and run arbitrary code in the nodejs process. As of time of publication, there are no known fixed versions or workarounds.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-09-29T22:35:20.000000Z"}</description>
      <content:encoded>{"uuid": "1ad2da66-cc8c-4d97-bff0-77dd54f25db8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-39266", "type": "seen", "source": "https://t.me/cibsecurity/50740", "content": "\u203c CVE-2022-39266 \u203c\n\nisolated-vm is a library for nodejs which gives the user access to v8's Isolate interface. In versions 4.3.6 and prior, if the untrusted v8 cached data is passed to the API through CachedDataOptions, attackers can bypass the sandbox and run arbitrary code in the nodejs process. As of time of publication, there are no known fixed versions or workarounds.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-09-29T22:35:20.000000Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/1ad2da66-cc8c-4d97-bff0-77dd54f25db8/export</guid>
      <pubDate>Thu, 29 Sep 2022 22:35:20 +0000</pubDate>
    </item>
    <item>
      <title>35f3a756-5774-41fa-9929-629069e9a53e</title>
      <link>https://vulnerability.circl.lu/sighting/35f3a756-5774-41fa-9929-629069e9a53e/export</link>
      <description>{"uuid": "35f3a756-5774-41fa-9929-629069e9a53e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-39262", "type": "seen", "source": "https://t.me/cibsecurity/52513", "content": "\u203c CVE-2022-39262 \u203c\n\nGLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package. A GLPI administrator can define rich-text content to be displayed on the login page. The displayed content can contain malicious code that can be used to steal credentials. This issue has been patched, please upgrade to version 10.0.4.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-11-03T17:20:53.000000Z"}</description>
      <content:encoded>{"uuid": "35f3a756-5774-41fa-9929-629069e9a53e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-39262", "type": "seen", "source": "https://t.me/cibsecurity/52513", "content": "\u203c CVE-2022-39262 \u203c\n\nGLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Free Asset and IT Management Software package. A GLPI administrator can define rich-text content to be displayed on the login page. The displayed content can contain malicious code that can be used to steal credentials. This issue has been patched, please upgrade to version 10.0.4.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-11-03T17:20:53.000000Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/35f3a756-5774-41fa-9929-629069e9a53e/export</guid>
      <pubDate>Thu, 03 Nov 2022 17:20:53 +0000</pubDate>
    </item>
    <item>
      <title>00f2d703-5519-4199-a966-f406e4ca2046</title>
      <link>https://vulnerability.circl.lu/sighting/00f2d703-5519-4199-a966-f406e4ca2046/export</link>
      <description>{"uuid": "00f2d703-5519-4199-a966-f406e4ca2046", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-3926", "type": "seen", "source": "https://t.me/cibsecurity/54004", "content": "\u203c CVE-2022-3926 \u203c\n\nThe WP OAuth Server (OAuth Authentication) WordPress plugin before 3.4.2 does not have a CSRF check when regenerating secrets, which could allow attackers to make logged-in admins regenerate the secret of an arbitrary client given they know the client ID.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-12-05T20:40:08.000000Z"}</description>
      <content:encoded>{"uuid": "00f2d703-5519-4199-a966-f406e4ca2046", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-3926", "type": "seen", "source": "https://t.me/cibsecurity/54004", "content": "\u203c CVE-2022-3926 \u203c\n\nThe WP OAuth Server (OAuth Authentication) WordPress plugin before 3.4.2 does not have a CSRF check when regenerating secrets, which could allow attackers to make logged-in admins regenerate the secret of an arbitrary client given they know the client ID.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-12-05T20:40:08.000000Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/00f2d703-5519-4199-a966-f406e4ca2046/export</guid>
      <pubDate>Mon, 05 Dec 2022 20:40:08 +0000</pubDate>
    </item>
  </channel>
</rss>
