A vulnerability in Sonarr software allows attackers to bypass authentication when local addresses are exempted from login requirements and no properly configured reverse proxy is used.
Self-hosted apps
A security vulnerability in Sonarr version 4 on Windows systems allows unauthenticated attackers to read arbitrary files, including configuration files containing API keys and system files.
An authentication logic flaw in Jellyseerr allows attackers to register unauthorized accounts by using their own Jellyfin server details, even when the application is configured for Plex instead.
A vulnerability in Jellyseerr allows any authenticated user to retrieve complete settings of other users, including private API keys for Pushover, Pushbullet and Telegram notifications.
An authorization flaw in Jellyseerr allows authenticated users to view or delete other users' push notification subscriptions and watch data by manipulating the user ID parameter in the URL.
A security vulnerability in changedetection.io allows unauthorized users to access watch history data without providing an API key, though the impact is limited since attackers need to know specific watch identifiers.
A critical vulnerability in the website monitoring software changedetection.io allows attackers to execute arbitrary commands on the server by injecting malicious code into notification templates.
A vulnerability in changedetection.io allows attackers to inject malicious JavaScript code through the notification URLs input field, which then executes in the user's browser.
A vulnerability in changedetection.io allows attackers to read local system files through a special URL syntax when WebDriver is used, as security filters can be bypassed.
A security vulnerability in changedetection.io allows attackers to read any file from the server when a WebDriver is enabled, even though access to local files is supposed to be prohibited.
A vulnerability in changedetection.io allows attackers to read local files on the server by exploiting insufficient input validation for file URLs.
A security vulnerability in changedetection.io allows cross-site scripting attacks because error messages from website monitoring filters are not properly sanitized.
A vulnerability in changedetection.io allows attackers to store malicious JavaScript URLs through the API, which then execute when users click on these links.
A vulnerability in changedetection.io allows any user without authentication to read application source code through manipulated URLs, exposing internal program logic.
Changedetection.io has a Server-Side Request Forgery vulnerability where users can monitor internal network URLs, causing the application to fetch sensitive data from internal services and make it accessible through the web interface.
A cross-site scripting vulnerability in changedetection.io allows attackers to inject malicious JavaScript code into error messages, which is then executed in users' browsers, potentially stealing session cookies.
A vulnerability in changedetection.io allows cross-site scripting attacks through the RSS tag endpoint, where user input is inserted into HTML responses without proper escaping. Attackers can execute malicious JavaScript code and potentially steal session cookies or take over user accounts.
A vulnerability in the changedetection.io web application allows attackers to read arbitrary files from the server by using malicious XPath expressions in filter fields.
A critical security vulnerability in changedetection.io allows attackers to overwrite arbitrary files on the server by uploading malicious ZIP archives through the backup restore functionality.
A vulnerability in changedetection.io allows users to read all server environment variables through jq filters, including password hashes and other secrets.
A web monitoring service has a critical authentication flaw where 13 routes are accidentally accessible without login, allowing attackers to download and delete backups containing sensitive data.
An XML processing vulnerability in changedetection.io allows attackers to read local files from the server when they control the content of a monitored XML/RSS URL and XPath filters are used.
A security vulnerability in changedetection.io allows attackers to read local files on the server by restoring malicious backup files that contain harmful paths in the history file.
A vulnerability in Tandoor Recipes software allows any user to execute arbitrary commands on the server by exploiting unsafe template processing in recipe instructions.
| Item | Vendor | Version | As of | |
|---|---|---|---|---|
| AdGuard Home | AdGuard | v0.107.77 | 02.06.2026 | |
| AdminLTE | ColorlibHQ | v4.0.0 | 19.05.2026 | |
| AFFiNE | toeverything | v2026.6.7-canary.1000 | 07.06.2026 | |
| agents | wshobson | — | — | |
| AndroidUtilCode | Blankj | 1.31.1 | 14.10.2022 | |
| ant-design-pro | ant-design | v6.0.2 | 28.05.2026 | |