Browse and filter security vulnerabilities across ecosystems
CVE-2025-15107
SQLE's JWT Secret Handler can be manipulated to use hard-coded cryptographic key
CVE-2025-68943
Gitea inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order
CVE-2025-68946
Gitea vulnerable to Cross-site Scripting
CVE-2025-68944
Gitea sometimes mishandles propagation of token scope for access control within one of its own package registries
CVE-2025-68945
Gitea: anonymous user can visit private user's project
CVE-2025-68942
Gitea allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text
CVE-2025-68941
Gitea mishandles access to a private resource upon receiving an API token with scope limited to public resources
CVE-2025-68938
Gitea mishandles authorization for deletion of releases
CVE-2025-68940
Gitea doesn't adequately enforce branch deletion permissions after merging a pull request.
CVE-2025-68939
Gitea allows attackers to add attachments with forbidden file extensions
CVE-2025-64641
Mattermost doesn't verify that post actions invoking `/share-issue-publicly` were created by the Jira plugin
CVE-2025-13767
Mattermost doesn't validate user channel membership when attaching Mattermost posts as comments to Jira issues
CVE-2025-68476
KEDA has Arbitrary File Read via Insufficient Path Validation in HashiCorp Vault Service Account Credential
CVE-2025-68383
Filebeat Beats has Buffer Overflow via Malformed Syslog Message or Malicious Tokenizer Pattern in Dissect Configuration
CVE-2025-68388
Elasticsearch Packetbeat has Excessive Allocation of Memory and CPU via Malicious IPv4 Fragments
CVE-2025-14764
Amazon S3 Encryption Client has a Key Commitment Issue
CVE-2025-63389
Ollama Platform has missing authentication enabling attackers to perform model management operations
CVE-2025-13324
Mattermost has an Invite Token Replay Vulnerability via Channel Membership Manipulation
CVE-2025-12689
Mattermost fails to check Websocket request for proper UTF-8 format potentially crashing Calls plug-in
CVE-2025-62190
Mattermost has CSRF vulnerability via Calls Widget page