Trebledj

**Name of the Vulnerable Software and Affected Versions** USCiLab Cereal versions prior to 1.3.3 **Description** A type confusion issue exists within the Shared Pointer Handler component. A remote attacker can execute a manipulation to trigger this condition, which occurs when a program accesses a resource using an incompatible type, potentially leading to unexpected behavior or crashes. **Recommendations** Update to a version later than 1.3.2. As a temporary mitigation, restrict the use of the Shared Pointer Handler component.

**Name of the Vulnerable Software and Affected Versions** Boost Serialization versions prior to 1.92 **Description** An issue exists in an unknown function that causes improper validation of the specified type of input. This flaw allows a remote attacker to achieve remote code execution, which is the ability to execute arbitrary commands on a target machine over a network. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Mage AI versions prior to 0.9.80 **Description** A cross-site scripting issue exists in the Sign-in Flow component within the `useMutation()` function of the file `mage ai/frontend/components/Sessions/SignForm/index.tsx`. Manipulation of the `query.redirect url` variable allows for remote exploitation. **Recommendations** Update to a version later than 0.9.79. As a temporary workaround, restrict or validate the input of the `query.redirect url` variable in the affected component.

**Name of the Vulnerable Software and Affected Versions** blitz-js blitz versions prior to 3.0.3 **Description** A cross-site scripting issue exists in the Sign-in component within the file `packages/generator/templates/app/src/app/auth/components/LoginForm.tsx`. A remote attacker can initiate an attack by manipulating the `Next` argument. Cross-site scripting is a technique where malicious scripts are injected into trusted websites. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** pingvin-share versions prior to 1.13.1 **Description** A flaw in the Sign-in Auto-Redirect component allows remote attackers to perform cross site scripting. This occurs through the manipulation of the `redirect` argument within the `getServerSideProps()` function located in the `frontend/src/pages/auth/signIn.tsx` file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** fraillt bitsery versions prior to 5.2.5 **Description** Improper validation of the specified type of input occurs within the `loadFromSharedState()` function located in the `include/bitsery/ext/std smart ptr.h` library. This issue allows for a remote attack. **Recommendations** Update to version 5.2.5. As a temporary workaround, restrict the use of the `loadFromSharedState()` function until the update is applied.

**Name of the Vulnerable Software and Affected Versions** teableio teable versions prior to release.2026-04-21T08-57-20Z.1513 **Description** Cross site scripting can be triggered remotely through the manipulation of the `redirect` argument within the Sign-up component of the file apps/nextjs-app/src/features/auth/pages/LoginPage.tsx. The issue occurs because the login redirect flow failed to properly validate the redirect path, allowing the execution of javascript:, data:, and cross-origin redirects. **Recommendations** Upgrade to version release.2026-04-21T08-57-20Z.1513. As a temporary workaround, restrict or validate the `redirect` parameter used during the login process to prevent the use of javascript:, data:, or cross-origin URIs.

**Name of the Vulnerable Software and Affected Versions** AV Stumpfl Pixera Two Media Server versions prior to 25.2 R3 **Description** An issue exists in an unknown function of the Service Port 1338 component. This flaw allows for path traversal, a technique used to access files and directories outside the intended folder. **Recommendations** Upgrade to version 25.2 R3.

**Name of the Vulnerable Software and Affected Versions** AV Stumpfl Pixera Two Media Server versions prior to 25.2 R3 **Description** A flaw in the Websocket API component allows for remote code injection. This occurs through the manipulation of an unknown function within the API. **Recommendations** Upgrade to version 25.2 R3.

**Name of the Vulnerable Software and Affected Versions** lukevella rallly versions prior to 4.8.0 **Description** A flaw in the Reset Password Handler component within the file 'apps/web/src/app/[locale]/(auth)/reset-password/components/reset-password-form.tsx' allows for remote cross site scripting. This occurs through the manipulation of the `redirectTo` argument. **Recommendations** Update to version 4.8.0.

A vulnerability was detected in openstatusHQ openstatus up to 1b678e71a85961ae319cbb214a8eae634059330c. This impacts an unknown function of the file apps/dashboard/src/app/(dashboard)/onboarding/client.tsx of the component Onboarding Endpoint. The manipulation of the argument callbackURL results in cross site scripting. The attack may be launched remotely. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The patch is identified as 43d9b2b9ef8ae1a98f9bdc8a9f86d6a3dfaa2dfb. It is advisable to implement a patch to correct this issue. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

Name of the Vulnerable Software and Affected Versions Homarr versions prior to 1.57.0 Description Homarr is an open-source dashboard. A DOM-based Cross-Site Scripting (XSS) issue exists in the `/auth/login` page. The application improperly trusts the `callbackUrl` URL parameter, which is used in redirect and router.push. An attacker can create a malicious link that, when opened by an authenticated user, redirects the user and executes arbitrary JavaScript code within their browser. This could lead to credential theft, internal network pivoting, and unauthorized actions performed on behalf of the victim. Recommendations Update to version 1.57.0 or later.