GitHub

Dompdf prior to version 2.0.0 is vulnerable to a chroot check bypass, which could cause disclosure of png and jpeg files.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-2400
https://github.com/dompdf/dompdf/commit/99aeec1efec9213e87098d42eb09439…

Versions of thenify prior to 3.3.1 made use of unsafe calls to eval. Untrusted user input could thus lead to arbitrary code execution on the host. The patch in version 3.3.1 removes calls to eval.
References

https://github.com/thenables/thenify/issues…

Impact
Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( “refresh” ) on such a widget and the initial HTML contained encoded HTML entities…

glob-parent before 6.0.1 and 5.1.2 is vulnerable to Regular Expression Denial of Service (ReDoS). This issue is fixed in version 6.0.1 and 5.1.2.
References

https://nvd.nist.gov/vuln/detail/CVE-2021-35065
https://github.com/opensearch-project/OpenSear…

This affects all versions of package grunt-util-property. The function call could be tricked into adding or modifying properties of Object.prototype using a __proto__ payload.
References

https://nvd.nist.gov/vuln/detail/CVE-2020-7641
https://github.co…

The WooCommerce WordPress plugin before 6.6.0 is vulnerable to stored HTML injection due to lack of escaping and sanitizing in the payment gateway titles
References

https://nvd.nist.gov/vuln/detail/CVE-2022-2099
https://wpscan.com/vulnerability/0316e5…

Apache Hive before 3.1.3 CREATE and DROP function operations do not check for necessary authorization of involved entities in the query. It was found that an unauthorized user can manipulate an existing UDF without having the privileges to do so. This …

WebInterface in OctoBot before 0.4.4 allows remote code execution because Tentacles upload is mishandled.
References

https://nvd.nist.gov/vuln/detail/CVE-2021-36711
https://github.com/Drakkar-Software/OctoBot/issues/1966
https://github.com/Drakkar-Sof…