- Rediscovering argument injection when using VCS tools - git and mercurial
- JavaScript type confusion: Bypassed input validation (and how to remediate)
- Damn Vulnerable Defi - solutions | write-ups
- EVM Puzzles - solutions | write-ups
- Offensive Vyper - solutions | write-ups
| # | Reference | Vulnerability | Project | Language |
|---|---|---|---|---|
| 72 | CVE-2024-3817 | Command Injection | hashicorp/go-getter | Go |
| 71 | CVE-2023-26148 | CRLF Injection | libhv | C/C++ |
| 70 | CVE-2023-26147 | HTTP Response Splitting | libhv | C/C++ |
| 69 | CVE-2023-26146 | Cross-Site Scripting (XSS) | libhv | C/C++ |
| 68 | CVE-2023-26142 | HTTP Response Splitting | Crow | C/C++ |
| 67 | CVE-2023-26138 | CRLF Injection | drogon | C/C++ |
| 66 | CVE-2023-26137 | HTTP Response Splitting | drogon | C/C++ |
| 65 | CVE-2022-25883 | Regular Expression Denial of Service (ReDoS) | semver | JavaScript |
| 64 | CVE-2023-26131 | Cross-Site Scripting (XSS) | xyproto/algernon | Go |
| 63 | CVE-2023-26130 | CRLF Injection | cpp-httplib | C/C++ |
| 62 | CVE-2023-26103 | Regular Expression Denial of Service (ReDoS) | deno | Rust |
| 61 | CVE-2023-0040 | CRLF Injection | async-http-client | Swift |
| 60 | CVE-2022-3918 | CRLF Injection | apple/swift-corelibs-foundation | Swift |
| 59 | CVE-2022-3215 | HTTP Response Splitting | apple/swift-nio | Swift |
| 58 | CVE-2022-24065 | Command Injection | cookiecutter | Python |
| 57 | CVE-2022-26945 | Command Injection | hashicorp/go-getter | Go |
| 56 | CVE-2022-25878 | Prototype Pollution | protobufjs | JavaScript |
| 55 | CVE-2022-25865 | Command Injection | workspace-tools | JavaScript |
| 54 | CVE-2022-21190 | Prototype Pollution | convict | JavaScript |
| 53 | CVE-2022-29184 | Remote Code Execution (RCE) | gocd | Java |
| 52 | CVE-2022-21189 | Prototype Pollution | dexie | JavaScript |
| 51 | CVE-2022-25303 | Cross-Site Scripting (XSS) | whoogle-search | Python |
| 50 | CVE-2022-25866 | Command Injection | czproject/git-php | PHP |
| 49 | CVE-2022-25648 | Command Injection | git | Ruby |
| 48 | CVE-2022-25766 | Remote Code Execution (RCE) | ungit | JavaScript |
| 47 | CVE-2022-24440 | Command Injection | cocoapods-downloader | Ruby |
| 46 | CVE-2022-24433 | Command Injection | simple-git | JavaScript |
| 45 | CVE-2022-23915 | Remote Code Execution (RCE) | Weblate | Python |
| 44 | CVE-2022-21803 | Prototype Pollution | nconf | JavaScript |
| 43 | CVE-2022-21235 | Command Injection | Masterminds/vcs | Go |
| 42 | CVE-2022-21223 | Command Injection | cocoapods-downloader | Ruby |
| 41 | CVE-2022-21187 | Command Injection | libvcs | Python |
| 40 | CVE-2021-23820 | Prototype Pollution | json-pointer | JavaScript |
| 39 | CVE-2021-23807 | Prototype Pollution | jsonpointer | JavaScript |
| 38 | CVE-2021-23784 | Cross-Site Scripting (XSS) | tempura | JavaScript |
| 37 | CVE-2021-23682 | Prototype Pollution | litespeed.js | JavaScript |
| 37 | CVE-2021-23682 | Prototype Pollution | appwrite/server-ce | JavaScript |
| 36 | CVE-2021-23624 | Prototype Pollution | dotty | JavaScript |
| 35 | CVE-2021-23597 | Denial of Service (DoS) | fastify-multipart | JavaScript |
| 34 | CVE-2021-23509 | Prototype Pollution | json-ptr | JavaScript |
| 33 | CVE-2021-23472 | Cross-Site Scripting (XSS) | bootstrap-table | JavaScript |
| 32 | CVE-2021-23447 | Cross-Site Scripting (XSS) | teddy | JavaScript |
| 31 | CVE-2021-23445 | Cross-Site Scripting (XSS) | datatables.net | JavaScript |
| 30 | CVE-2021-23444 | Prototype Pollution | jointjs | JavaScript |
| 29 | CVE-2021-23443 | Cross-Site Scripting (XSS) | edge.js | JavaScript |
| 28 | CVE-2021-23440 | Prototype Pollution | set-value | JavaScript |
| 27 | CVE-2021-23438 | Prototype Pollution | mpath | JavaScript |
| 26 | CVE-2021-23436 | Prototype Pollution | immer | JavaScript |
| 25 | CVE-2021-23434 | Prototype Pollution | object-path | JavaScript |
| 24 | CVE-2021-23390 | Arbitrary Code Execution | total4 | JavaScript |
| 23 | CVE-2021-23389 | Arbitrary Code Execution | total.js | JavaScript |
| 22 | CVE-2021-23358 | Arbitrary Code Execution | underscore | JavaScript |
| 21 | CVE-2021-23352 | Command Injection | madge | JavaScript |
| 20 | CVE-2021-23335 | LDAP Injection | is-user-valid | JavaScript |
| 19 | CVE-2020-8186 | Command Injection | devcert | JavaScript |
| 18 | CVE-2020-7792 | Prototype Pollution | mout | JavaScript |
| 17 | CVE-2020-7789 | Command Injection | node-notifier | JavaScript |
| 16 | CVE-2020-7777 | Arbitrary Code Execution | jsen | JavaScript |
| 15 | CVE-2020-7772 | Prototype Pollution | doc-path | JavaScript |
| 14 | CVE-2020-7770 | Prototype Pollution | json8 | JavaScript |
| 13 | CVE-2020-7766 | Prototype Pollution | json-ptr | JavaScript |
| 12 | CVE-2020-7746 | Prototype Pollution | chart.js | JavaScript |
| 11 | CVE-2020-7743 | Prototype Pollution | mathjs | JavaScript |
| 10 | CVE-2020-7742 | Prototype Pollution | simpl-schema | JavaScript |
| 9 | CVE-2020-28499 | Prototype Pollution | merge | JavaScript |
| 8 | CVE-2020-28495 | Prototype Pollution | total.js | JavaScript |
| 7 | CVE-2020-28494 | Command Injection | total.js | JavaScript |
| 6 | CVE-2020-28480 | Prototype Pollution | jointjs | JavaScript |
| 5 | CVE-2020-28478 | Prototype Pollution | gsap | JavaScript |
| 4 | CVE-2020-28477 | Prototype Pollution | immer | JavaScript |
| 3 | CVE-2020-28464 | Arbitrary Code Execution | djv | JavaScript |
| 2 | CVE-2020-28458 | Prototype Pollution | datatables.net | JavaScript |
| 1 | CVE-2020-28442 | Prototype Pollution | js-data | JavaScript |
| # | Reference | Vulnerability | Project | Language |
|---|---|---|---|---|
| 23 | Link | Cross-Site Scripting (XSS) | grafana/grafana-json-datasource | JavaScript |
| 22 | Link | Remote Code Execution (RCE) | mozilla/pontoon | Python |
| 21 | Snyk Advisory | Prototype Pollution | style-dictionary | JavaScript |
| 20 | Snyk Advisory | Prototype Pollution | highcharts | JavaScript |
| 19 | Snyk Advisory | Prototype Pollution | jiff | JavaScript |
| 18 | Snyk Advisory | Prototype Pollution | i18next | JavaScript |
| 17 | Snyk Advisory | Unsafe Deserialization | props | JavaScript |
| 16 | HackerOne Report | Prototype Pollution | @firebase/util | JavaScript |
| 15 | HackerOne Report | LDAP Injection | meemo-app | JavaScript |
| 14 | HackerOne Report | LDAP Injection | cloudron-surfer | JavaScript |
| 13 | HackerOne Report | Command Injection | wireguard-wrapper | JavaScript |
| 12 | HackerOne Report | Prototype Pollution | plain-object-merge | JavaScript |
| 11 | HackerOne Report | Prototype Pollution | extend-merge | JavaScript |
| 10 | HackerOne Report | Command Injection | gfc | JavaScript |
| 9 | HackerOne Report | Command Injection | diskstats | JavaScript |
| 8 | HackerOne Report | Prototype Pollution | objtools | JavaScript |
| 7 | HackerOne Report | Prototype Pollution | keyd | JavaScript |
| 6 | HackerOne Report | Cross-Site Scripting (XSS) | flsaba | JavaScript |
| 5 | HackerOne Report | Command Injection | extra-asciinema | JavaScript |
| 4 | HackerOne Report | Command Injection | vboxmanage.js | JavaScript |
| 3 | HackerOne Report | Command Injection | extra-ffmpeg | JavaScript |
| 2 | HackerOne Report | Prototype Pollution | object-path-set | JavaScript |
| 1 | HackerOne Report | Command Injection | xps | JavaScript |
- hashicorp: HCSEC-2024-09
- Swift forums:
- CVE-2023-0040: Swift Forum Announcement
- CVE-2022-3215: Swift Forum Announcement
- Mozilla Web Hall of Fame: 1st Quarter 2022
- gocd: releases 22.1.0
- hashicorp: HCSEC-2022-13
- Fastweb Hall of Fame: 2020
- TIM Hall of Fame: 2020
- Are mHealth Apps Secure? A Case Study. Chiara Braghin, Stelvio Cimato, and Alessio Della Libera. In: 2018 IEEE 42nd Annual Computer Software and Applications Conference, COMPSAC 2018, Tokyo, Japan, 23-27 July 2018, Volume 2. pp. 335-340. doi: 10.1109/COMPSAC.2018.10253