<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="/static/style.xsl" type="text/xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
  <id>https://vulnerability.circl.lu/sightings/feed</id>
  <title>Most recent sightings.</title>
  <updated>2026-05-11T17:04:42.303264+00:00</updated>
  <author>
    <name>Vulnerability-Lookup</name>
    <email>info@circl.lu</email>
  </author>
  <link href="https://vulnerability.circl.lu" rel="alternate"/>
  <generator uri="https://lkiesow.github.io/python-feedgen" version="1.0.0">python-feedgen</generator>
  <subtitle>Contains only the 10 most recent sightings.</subtitle>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/ba5da11e-e122-4340-8b7f-94e87422af20/export</id>
    <title>ba5da11e-e122-4340-8b7f-94e87422af20</title>
    <updated>2026-05-11T17:04:42.707751+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>http://cve.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "ba5da11e-e122-4340-8b7f-94e87422af20", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-21715", "type": "seen", "source": "https://t.me/cibsecurity/36151", "content": "\u203c CVE-2022-21715 \u203c\n\nCodeIgniter4 is the 4.x branch of CodeIgniter, a PHP full-stack web framework. A cross-site scripting (XSS) vulnerability was found in `API\\ResponseTrait` in Codeigniter4 prior to version 4.1.8. Attackers can do XSS attacks if a potential victim is using `API\\ResponseTrait`. Version 4.1.8 contains a patch for this vulnerability. There are two potential workarounds available. Users may avoid using `API\\ResponseTrait` or `ResourceController` Users may also disable Auto Route and use defined routes only.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-01-24T22:17:40.000000Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/ba5da11e-e122-4340-8b7f-94e87422af20/export"/>
    <published>2022-01-24T22:17:40+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/93a0ec38-bafe-4411-8a43-b0b991f91f08/export</id>
    <title>93a0ec38-bafe-4411-8a43-b0b991f91f08</title>
    <updated>2026-05-11T17:04:42.707655+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>http://cve.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "93a0ec38-bafe-4411-8a43-b0b991f91f08", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-21711", "type": "seen", "source": "https://t.me/cibsecurity/36154", "content": "\u203c CVE-2022-21711 \u203c\n\nelfspirit is an ELF static analysis and injection framework that parses, manipulates, and camouflages ELF files. When analyzing the ELF file format in versions prior to 1.1, there is an out-of-bounds read bug, which can lead to application crashes or information leakage. By constructing a special format ELF file, the information of any address can be leaked. elfspirit version 1.1 contains a patch for this issue.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-01-24T22:17:46.000000Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/93a0ec38-bafe-4411-8a43-b0b991f91f08/export"/>
    <published>2022-01-24T22:17:46+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/85612f69-94fc-42b0-83e0-f00a9de704f6/export</id>
    <title>85612f69-94fc-42b0-83e0-f00a9de704f6</title>
    <updated>2026-05-11T17:04:42.707568+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>http://cve.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "85612f69-94fc-42b0-83e0-f00a9de704f6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-21710", "type": "seen", "source": "https://t.me/cibsecurity/36156", "content": "\u203c CVE-2022-21710 \u203c\n\nShortDescription is a MediaWiki extension that provides local short description support. A cross-site scripting (XSS) vulnerability exists in versions prior to 2.3.4. On a wiki that has the ShortDescription enabled, XSS can be triggered on any page or the page with the action=info parameter, which displays the shortdesc property. This is achieved using the wikitext `{{SHORTDESC:&amp;lt;img src=x onerror=alert()&amp;gt;}}`. This issue has a patch in version 2.3.4.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-01-24T22:17:48.000000Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/85612f69-94fc-42b0-83e0-f00a9de704f6/export"/>
    <published>2022-01-24T22:17:48+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/5513d44c-462d-4a62-8b14-67d8d4e0f981/export</id>
    <title>5513d44c-462d-4a62-8b14-67d8d4e0f981</title>
    <updated>2026-05-11T17:04:42.707458+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>http://cve.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "5513d44c-462d-4a62-8b14-67d8d4e0f981", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-21719", "type": "seen", "source": "https://t.me/cibsecurity/36442", "content": "\u203c CVE-2022-21719 \u203c\n\nGLPI is a free asset and IT management software package. All GLPI versions prior to 9.5.7 are vulnerable to reflected cross-site scripting. Version 9.5.7 contains a patch for this issue. There are no known workarounds.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-01-28T12:21:25.000000Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/5513d44c-462d-4a62-8b14-67d8d4e0f981/export"/>
    <published>2022-01-28T12:21:25+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/2ee51535-6f02-4cf8-9bcc-8fb16034a319/export</id>
    <title>2ee51535-6f02-4cf8-9bcc-8fb16034a319</title>
    <updated>2026-05-11T17:04:42.707355+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>http://cve.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "2ee51535-6f02-4cf8-9bcc-8fb16034a319", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-21712", "type": "seen", "source": "https://t.me/cibsecurity/36979", "content": "\u203c CVE-2022-21712 \u203c\n\ntwisted is an event-driven networking engine written in Python. In affected versions twisted exposes cookies and authorization headers when following cross-origin redirects. This issue is present in the `twited.web.RedirectAgent` and `twisted.web. BrowserLikeRedirectAgent` functions. Users are advised to upgrade. There are no known workarounds.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-02-08T00:35:43.000000Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/2ee51535-6f02-4cf8-9bcc-8fb16034a319/export"/>
    <published>2022-02-08T00:35:43+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/4172ab82-5536-4580-b9b3-b1c459bffd25/export</id>
    <title>4172ab82-5536-4580-b9b3-b1c459bffd25</title>
    <updated>2026-05-11T17:04:42.707219+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>http://cve.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "4172ab82-5536-4580-b9b3-b1c459bffd25", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-21713", "type": "seen", "source": "https://t.me/cibsecurity/37031", "content": "\u203c CVE-2022-21713 \u203c\n\nGrafana is an open-source platform for monitoring and observability. Affected versions of Grafana expose multiple API endpoints which do not properly handle user authorization. `/teams/:teamId` will allow an authenticated attacker to view unintended data by querying for the specific team ID, `/teams/:search` will allow an authenticated attacker to search for teams and see the total number of available teams, including for those teams that the user does not have access to, and `/teams/:teamId/members` when editors_can_admin flag is enabled, an authenticated attacker can see unintended data by querying for the specific team ID. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-02-09T00:15:33.000000Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/4172ab82-5536-4580-b9b3-b1c459bffd25/export"/>
    <published>2022-02-09T00:15:33+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/2eb4cb89-914e-4771-b223-12341ab8f027/export</id>
    <title>2eb4cb89-914e-4771-b223-12341ab8f027</title>
    <updated>2026-05-11T17:04:42.707114+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>http://cve.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "2eb4cb89-914e-4771-b223-12341ab8f027", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-21716", "type": "published-proof-of-concept", "source": "https://t.me/cibsecurity/38385", "content": "\u203c CVE-2022-21716 \u203c\n\nTwisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 22.2.0, Twisted SSH client and server implement is able to accept an infinite amount of data for the peer's SSH version identifier. This ends up with a buffer using all the available memory. The attach is a simple as `nc -rv localhost 22 &amp;lt; /dev/zero`. A patch is available in version 22.2.0. There are currently no known workarounds.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-03-04T00:26:21.000000Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/2eb4cb89-914e-4771-b223-12341ab8f027/export"/>
    <published>2022-03-04T00:26:21+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/40835686-6bbf-4ab8-ac8c-eaa6a25fc64c/export</id>
    <title>40835686-6bbf-4ab8-ac8c-eaa6a25fc64c</title>
    <updated>2026-05-11T17:04:42.706954+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>http://cve.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "40835686-6bbf-4ab8-ac8c-eaa6a25fc64c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-21718", "type": "seen", "source": "https://t.me/cibsecurity/39385", "content": "\u203c CVE-2022-21718 \u203c\n\nElectron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. A vulnerability in versions prior to `17.0.0-alpha.6`, `16.0.6`, `15.3.5`, `14.2.4`, and `13.6.6` allows renderers to obtain access to a bluetooth device via the web bluetooth API if the app has not configured a custom `select-bluetooth-device` event handler. This has been patched and Electron versions `17.0.0-alpha.6`, `16.0.6`, `15.3.5`, `14.2.4`, and `13.6.6` contain the fix. Code from the GitHub Security Advisory can be added to the app to work around the issue.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-03-22T19:28:04.000000Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/40835686-6bbf-4ab8-ac8c-eaa6a25fc64c/export"/>
    <published>2022-03-22T19:28:04+00:00</published>
  </entry>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/a5b4035c-56af-409e-8113-c58781bbeea8/export</id>
    <title>a5b4035c-56af-409e-8113-c58781bbeea8</title>
    <updated>2026-05-11T17:04:42.704601+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>http://cve.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "a5b4035c-56af-409e-8113-c58781bbeea8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-2171", "type": "seen", "source": "https://t.me/cibsecurity/47312", "content": "\u203c CVE-2022-2171 \u203c\n\nThe Progressive License WordPress plugin through 1.1.0 is lacking any CSRF check when saving its settings, which could allow attackers to make a logged in admin change them. Furthermore, as the plugin allows arbitrary HTML to be inserted in one of the settings, this could lead to Stored XSS issue which will be triggered in the frontend as well.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-08-01T16:16:49.000000Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/a5b4035c-56af-409e-8113-c58781bbeea8/export"/>
    <published>2022-08-01T16:16:49+00:00</published>
  </entry>
</feed>
