Security Vulnerabilities
Mealie 3.0.1 and earlier is vulnerable to Stored Cross-Site Scripting (XSS) in the recipe creation functionality. Unsanitized user input in the "note" and "text" fields of the "/api/recipes/{recipe_name}" endpoint is rendered in the frontend without proper escaping leading to persistent XSS.
CVSS Score
9.0
EPSS Score
0.0
Published
2025-09-29
IBM License Metric Tool 9.2.0 through 9.2.40
could allow an authenticated user to bypass access controls in the REST API interface and perform unauthorized actions.
CVSS Score
4.3
EPSS Score
0.0
Published
2025-09-29
IBM License Metric Tool 9.2.0 through 9.2.40 is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Score
6.4
EPSS Score
0.0
Published
2025-09-29
The openml/openml.org web application version v2.0.20241110 uses incremental user IDs and insufficient email ownership verification during email update workflows. An authenticated attacker controlling a user account with a lower user ID can update their email address to that of another user with a higher user ID without proper verification. This results in the victim's email being reassigned to the attacker's account, causing the victim to be locked out immediately and unable to log in. The vulnerability leads to denial of service via account lockout but does not grant the attacker direct access to the victim's private data.
CVSS Score
3.5
EPSS Score
0.0
Published
2025-09-29
In Progress Chef Automate, versions earlier than 4.13.295, on Linux x86 platform, an authenticated attacker can gain access to Chef Automate restricted functionality in the compliance service via
improperly neutralized inputs used in an SQL command using a well-known token.
CVSS Score
9.8
EPSS Score
0.106
Published
2025-09-29
In Progress Chef Automate, versions earlier than 4.13.295, on Linux x86 platform, an authenticated attacker can gain access to Chef Automate restricted functionality in multiple services via improperly neutralized inputs used in an SQL command.
CVSS Score
8.8
EPSS Score
0.001
Published
2025-09-29
Reflected cross-site scripting (XSS) in Apt-Cacher-NG v3.2.1. The vulnerability allows malicious scripts (XSS) to be executed in “/html/<filename>.html”.
CVSS Score
5.4
EPSS Score
0.0
Published
2025-09-29
Reflected Cross-site scripting (XSS) in Apt-Cacher-NG v3.2.1. The vulnerability allows an attacker to execute malicious scripts (XSS) in the web management application. The vulnerability is caused by improper handling of GET inputs included in the URL in “/acng-report.html”.
CVSS Score
5.4
EPSS Score
0.0
Published
2025-09-29
HTML injection vulnerability in Perfex CRM v3.2.1 consisting of a
stored HTML injection due to lack of proper validation of user input by
sending a POST request in the parameters 'name' and 'address' at the endpoint 'admin/leads/lead'.
CVSS Score
6.1
EPSS Score
0.0
Published
2025-09-29
HTML injection vulnerability in Perfex CRM v3.2.1 consisting of a
stored HTML injection due to lack of proper validation of user input by
sending a POST request in the parameters 'subject' at the endpoint 'knoewledge_base/article'.
CVSS Score
6.1
EPSS Score
0.0
Published
2025-09-29