| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-28506 | Cri | 0.59 | 9.1 | 0.01 | Jan 14, 2022 | An issue has recently been discovered in Arista EOS where certain gNOI APIs incorrectly skip authorization and authentication which could potentially allow a factory reset of the device. | ||
| CVE-2021-28501 | Cri | 0.59 | 9.1 | 0.01 | Jan 14, 2022 | An issue has recently been discovered in Arista EOS where the incorrect use of EOS's AAA API’s by the OpenConfig and TerminAttr agents could result in unrestricted access to the device for local users with nopassword configuration. | ||
| CVE-2021-28500 | Cri | 0.59 | 9.1 | 0.01 | Jan 14, 2022 | An issue has recently been discovered in Arista EOS where the incorrect use of EOS's AAA API’s by the OpenConfig and TerminAttr agents could result in unrestricted access to the device for local users with nopassword configuration. | ||
| CVE-2021-1049 | Cri | 0.64 | 9.8 | 0.01 | Jan 14, 2022 | Hacker one bug ID: 1343975Product: AndroidVersions: Android SoCAndroid ID: A-204256722 | ||
| CVE-2022-23227 | Cri | 0.16 | 9.8 | 0.49 | KEV | Jan 14, 2022 | NUUO NVRmini2 through 3.11 allows an unauthenticated attacker to upload an encrypted TAR archive, which can be abused to add arbitrary users because of the lack of handle_import_user.php authentication. When combined with another flaw (CVE-2011-5325), it is possible to overwrite… | |
| CVE-2022-0224 | Cri | 0.57 | 9.8 | 0.02 | Jan 14, 2022 | dolibarr is vulnerable to Improper Neutralization of Special Elements used in an SQL Command | ||
| CVE-2021-45468 | Cri | 0.64 | 9.8 | 0.04 | Jan 14, 2022 | Imperva Web Application Firewall (WAF) before 2021-12-23 allows remote unauthenticated attackers to use "Content-Encoding: gzip" to evade WAF security controls and send malicious HTTP POST requests to web servers behind the WAF. | ||
| CVE-2021-33962 | Cri | 0.64 | 9.8 | 0.04 | Jan 14, 2022 | China Mobile An Lianbao WF-1 router v1.0.1 is affected by an OS command injection vulnerability in the web interface /api/ZRUsb/pop_usb_device component. | ||
| CVE-2022-23219 | Cri | 0.64 | 9.8 | 0.04 | Jan 14, 2022 | The deprecated compatibility function clnt_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its hostname argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or… | ||
| CVE-2022-23218 | Cri | 0.64 | 9.8 | 0.05 | Jan 14, 2022 | The deprecated compatibility function svcunix_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its path argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if… | ||
| CVE-2022-22056 | Cri | 0.64 | 9.8 | 0.02 | Jan 14, 2022 | The Le-yan dental management system contains a hard-coded credentials vulnerability in the web page source code, which allows an unauthenticated remote attacker to acquire administrator’s privilege and control the system or disrupt service. | ||
| CVE-2022-22055 | Cri | 0.64 | 9.8 | 0.02 | Jan 14, 2022 | The Le-yan dental management system contains an SQL-injection vulnerability. An unauthenticated remote attacker can inject SQL commands into the input field of the login page to acquire administrator’s privilege and perform arbitrary operations on the system or disrupt service. | ||
| CVE-2022-20658 | Cri | 0.63 | 9.6 | 0.01 | Jan 14, 2022 | A vulnerability in the web-based management interface of Cisco Unified Contact Center Management Portal (Unified CCMP) and Cisco Unified Contact Center Domain Manager (Unified CCDM) could allow an authenticated, remote attacker to elevate their privileges to Administrator. This… | ||
| CVE-2021-34993 | Cri | 0.64 | 9.8 | 0.05 | Jan 13, 2022 | This vulnerability allows remote attackers to bypass authentication on affected installations of Commvault CommCell 11.22.22. Authentication is not required to exploit this vulnerability. The specific flaw exists within the CVSearchService service. The issue results from the… | ||
| CVE-2022-22989 | Cri | 0.64 | 9.8 | 0.01 | Jan 13, 2022 | My Cloud OS 5 was vulnerable to a pre-authenticated stack overflow vulnerability on the FTP service that could be exploited by unauthenticated attackers on the network. Addressed the vulnerability by adding defenses against stack overflow issues. | ||
| CVE-2021-40722 | Cri | 0.64 | 9.8 | 0.03 | Jan 13, 2022 | AEM Forms Cloud Service offering, as well as version 6.5.10.0 (and below) are affected by an XML External Entity (XXE) injection vulnerability that could be abused by an attacker to achieve RCE. | ||
| CVE-2021-33046 | Cri | 0.64 | 9.8 | 0.01 | Jan 13, 2022 | Some Dahua products have access control vulnerability in the password reset process. Attackers can exploit this vulnerability through specific deployments to reset device passwords. | ||
| CVE-2021-45807 | Cri | 0.64 | 9.8 | 0.02 | Jan 13, 2022 | jpress v4.2.0 is vulnerable to command execution via io.jpress.web.admin._AddonController::doUploadAndInstall. | ||
| CVE-2022-23131 | Cri | 0.79 | 9.1 | 0.96 | KEV | Jan 13, 2022 | In the case of instances where the SAML SSO authentication is enabled (non-default), session data can be modified by a malicious actor, because a user login stored in the session was not verified. Malicious unauthenticated actor may exploit this issue to escalate privileges and… | |
| CVE-2021-30285 | Cri | 0.60 | 9.3 | 0.00 | Jan 13, 2022 | Improper validation of memory region in Hypervisor can lead to incorrect region mapping in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking | ||
| CVE-2022-21675 | Cri | 0.00 | 9.9 | 0.03 | Jan 12, 2022 | Bytecode Viewer (BCV) is a Java/Android reverse engineering suite. Versions of the package prior to 2.11.0 are vulnerable to Arbitrary File Write via Archive Extraction (AKA "Zip Slip"). The vulnerability is exploited using a specially crafted archive that holds directory… | ||
| CVE-2021-45411 | Cri | 0.64 | 9.8 | 0.04 | Jan 12, 2022 | In Sourcecodetester Printable Staff ID Card Creator System 1.0 after compromising the database via SQLi, an attacker can log in and leverage an arbitrary file upload vulnerability to obtain remote code execution. | ||
| CVE-2022-21969 | Cri | 0.59 | 9.0 | 0.01 | Jan 11, 2022 | Microsoft Exchange Server Remote Code Execution Vulnerability | ||
| CVE-2022-21907 | Cri | 0.74 | 9.8 | 0.93 | Jan 11, 2022 | HTTP Protocol Stack Remote Code Execution Vulnerability | ||
| CVE-2022-21901 | Cri | 0.59 | 9.0 | 0.01 | Jan 11, 2022 | Windows Hyper-V Elevation of Privilege Vulnerability | ||
| CVE-2022-21855 | Cri | 0.59 | 9.0 | 0.01 | Jan 11, 2022 | Microsoft Exchange Server Remote Code Execution Vulnerability | ||
| CVE-2022-21849 | Cri | 0.64 | 9.8 | 0.06 | Jan 11, 2022 | Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability | ||
| CVE-2022-21846 | Cri | 0.59 | 9.0 | 0.01 | Jan 11, 2022 | Microsoft Exchange Server Remote Code Execution Vulnerability | ||
| CVE-2021-43052 | Cri | 0.61 | 9.3 | 0.01 | Jan 11, 2022 | The Realm Server component of TIBCO Software Inc.'s TIBCO FTL - Community Edition, TIBCO FTL - Developer Edition, and TIBCO FTL - Enterprise Edition contains an easily exploitable vulnerability that allows authentication bypass due to a hard coded secret used in the default… | ||
| CVE-2020-28103 | Cri | 0.64 | 9.8 | 0.01 | Jan 11, 2022 | cscms v4.1 allows for SQL injection via the "page_del" function. | ||
| CVE-2020-28102 | Cri | 0.64 | 9.8 | 0.01 | Jan 11, 2022 | cscms v4.1 allows for SQL injection via the "js_del" function. | ||
| CVE-2022-21669 | Cri | 0.00 | 9.1 | 0.01 | Jan 11, 2022 | PuddingBot is a group management bot. In version 0.0.6-b933652 and prior, the bot token is publicly exposed in main.py, making it accessible to malicious actors. The bot token has been revoked and new version is already running on the server. As of time of publication, the… | ||
| CVE-2022-22115 | Cri | 0.00 | 9.0 | 0.01 | Jan 10, 2022 | In Teedy, versions v1.5 through v1.9 are vulnerable to Stored Cross-Site Scripting (XSS) in the name of a created Tag. Since the Tag name is not being sanitized properly in the edit tag page, a low privileged attacker can store malicious scripts in the name of the Tag. In the… | ||
| CVE-2022-22114 | Cri | 0.00 | 9.6 | 0.01 | Jan 10, 2022 | In Teedy, versions v1.5 through v1.9 are vulnerable to Reflected Cross-Site Scripting (XSS). The “search term" search functionality is not sufficiently sanitized while displaying the results of the search, which can be leveraged to inject arbitrary scripts. These scripts are… | ||
| CVE-2021-43297 | — | Cri | 0.65 | 9.8 | 0.15 | Jan 10, 2022 | A deserialization vulnerability existed in dubbo hessian-lite 3.2.11 and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protocol, during Hessian catch unexpected exceptions, Hessian… | |
| CVE-2021-25032 | Cri | 0.64 | 9.8 | 0.07 | Jan 10, 2022 | The PublishPress Capabilities WordPress plugin before 2.3.1, PublishPress Capabilities Pro WordPress plugin before 2.3.1 does not have authorisation and CSRF checks when updating the plugin's settings via the init hook, and does not ensure that the options to be updated belong… | ||
| CVE-2021-24949 | Cri | 0.64 | 9.8 | 0.02 | Jan 10, 2022 | The "WP Search Filters" widget of The Plus Addons for Elementor - Pro WordPress plugin before 5.0.7 does not sanitise and escape the option parameter before using it in a SQL statement, which could lead to SQL injection | ||
| CVE-2022-22847 | Cri | 0.64 | 9.8 | 0.01 | Jan 10, 2022 | Formpipe Lasernet before 9.13.3 allows file inclusion in Client Web Services (either by an authenticated attacker, or in a configuration that does not require authentication). | ||
| CVE-2022-22845 | Cri | 0.00 | 9.8 | 0.04 | Jan 10, 2022 | QXIP SIPCAPTURE homer-app before 1.4.28 for HOMER 7.x has the same 167f0db2-f83e-4baa-9736-d56064a5b415 JWT secret key across different customers' installations. | ||
| CVE-2022-22824 | Cri | 0.00 | 9.8 | 0.03 | Jan 10, 2022 | defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. | ||
| CVE-2022-22823 | Cri | 0.00 | 9.8 | 0.03 | Jan 10, 2022 | build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. | ||
| CVE-2022-22822 | Cri | 0.00 | 9.8 | 0.05 | Jan 10, 2022 | addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. | ||
| CVE-2022-22817 | — | Cri | 0.57 | 9.8 | 0.03 | Jan 10, 2022 | PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A lambda expression could also be used. | |
| CVE-2021-45334 | Cri | 0.64 | 9.8 | 0.03 | Jan 10, 2022 | Sourcecodester Online Thesis Archiving System 1.0 is vulnerable to SQL Injection. An attacker can bypass admin authentication and gain access to admin panel using SQL Injection | ||
| CVE-2021-45003 | Cri | 0.64 | 9.8 | 0.03 | Jan 10, 2022 | Laundry Booking Management System 1.0 (Latest) and previous versions are affected by a remote code execution (RCE) vulnerability in profile.php through the "image" parameter that can execute a webshell payload. | ||
| CVE-2021-42392 | Cri | 0.69 | 9.8 | 0.63 | Jan 10, 2022 | The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. An attacker may pass a JNDI driver name and a URL leading to a LDAP or RMI servers, causing remote code execution. This can be exploited… | ||
| CVE-2021-40010 | Cri | 0.64 | 9.8 | 0.01 | Jan 10, 2022 | The bone voice ID TA has a heap overflow vulnerability.Successful exploitation of this vulnerability may result in malicious code execution. | ||
| CVE-2021-39996 | Cri | 0.64 | 9.8 | 0.01 | Jan 10, 2022 | There is a Heap-based buffer overflow vulnerability with the NFC module in smartphones. Successful exploitation of this vulnerability may cause memory overflow. | ||
| CVE-2021-39993 | Cri | 0.64 | 9.8 | 0.01 | Jan 10, 2022 | There is an Integer overflow vulnerability with ACPU in smartphones. Successful exploitation of this vulnerability may cause out-of-bounds access. | ||
| CVE-2021-23594 | — | Cri | 0.64 | 9.8 | 0.02 | Jan 10, 2022 | All versions of package realms-shim are vulnerable to Sandbox Bypass via a Prototype Pollution attack vector. |
- risk 0.59cvss 9.1epss 0.01
An issue has recently been discovered in Arista EOS where certain gNOI APIs incorrectly skip authorization and authentication which could potentially allow a factory reset of the device.
- risk 0.59cvss 9.1epss 0.01
An issue has recently been discovered in Arista EOS where the incorrect use of EOS's AAA API’s by the OpenConfig and TerminAttr agents could result in unrestricted access to the device for local users with nopassword configuration.
- risk 0.59cvss 9.1epss 0.01
An issue has recently been discovered in Arista EOS where the incorrect use of EOS's AAA API’s by the OpenConfig and TerminAttr agents could result in unrestricted access to the device for local users with nopassword configuration.
- risk 0.64cvss 9.8epss 0.01
Hacker one bug ID: 1343975Product: AndroidVersions: Android SoCAndroid ID: A-204256722
- risk 0.16cvss 9.8epss 0.49
NUUO NVRmini2 through 3.11 allows an unauthenticated attacker to upload an encrypted TAR archive, which can be abused to add arbitrary users because of the lack of handle_import_user.php authentication. When combined with another flaw (CVE-2011-5325), it is possible to overwrite…
- risk 0.57cvss 9.8epss 0.02
dolibarr is vulnerable to Improper Neutralization of Special Elements used in an SQL Command
- risk 0.64cvss 9.8epss 0.04
Imperva Web Application Firewall (WAF) before 2021-12-23 allows remote unauthenticated attackers to use "Content-Encoding: gzip" to evade WAF security controls and send malicious HTTP POST requests to web servers behind the WAF.
- risk 0.64cvss 9.8epss 0.04
China Mobile An Lianbao WF-1 router v1.0.1 is affected by an OS command injection vulnerability in the web interface /api/ZRUsb/pop_usb_device component.
- risk 0.64cvss 9.8epss 0.04
The deprecated compatibility function clnt_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its hostname argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or…
- risk 0.64cvss 9.8epss 0.05
The deprecated compatibility function svcunix_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its path argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if…
- risk 0.64cvss 9.8epss 0.02
The Le-yan dental management system contains a hard-coded credentials vulnerability in the web page source code, which allows an unauthenticated remote attacker to acquire administrator’s privilege and control the system or disrupt service.
- risk 0.64cvss 9.8epss 0.02
The Le-yan dental management system contains an SQL-injection vulnerability. An unauthenticated remote attacker can inject SQL commands into the input field of the login page to acquire administrator’s privilege and perform arbitrary operations on the system or disrupt service.
- risk 0.63cvss 9.6epss 0.01
A vulnerability in the web-based management interface of Cisco Unified Contact Center Management Portal (Unified CCMP) and Cisco Unified Contact Center Domain Manager (Unified CCDM) could allow an authenticated, remote attacker to elevate their privileges to Administrator. This…
- risk 0.64cvss 9.8epss 0.05
This vulnerability allows remote attackers to bypass authentication on affected installations of Commvault CommCell 11.22.22. Authentication is not required to exploit this vulnerability. The specific flaw exists within the CVSearchService service. The issue results from the…
- risk 0.64cvss 9.8epss 0.01
My Cloud OS 5 was vulnerable to a pre-authenticated stack overflow vulnerability on the FTP service that could be exploited by unauthenticated attackers on the network. Addressed the vulnerability by adding defenses against stack overflow issues.
- risk 0.64cvss 9.8epss 0.03
AEM Forms Cloud Service offering, as well as version 6.5.10.0 (and below) are affected by an XML External Entity (XXE) injection vulnerability that could be abused by an attacker to achieve RCE.
- risk 0.64cvss 9.8epss 0.01
Some Dahua products have access control vulnerability in the password reset process. Attackers can exploit this vulnerability through specific deployments to reset device passwords.
- risk 0.64cvss 9.8epss 0.02
jpress v4.2.0 is vulnerable to command execution via io.jpress.web.admin._AddonController::doUploadAndInstall.
- risk 0.79cvss 9.1epss 0.96
In the case of instances where the SAML SSO authentication is enabled (non-default), session data can be modified by a malicious actor, because a user login stored in the session was not verified. Malicious unauthenticated actor may exploit this issue to escalate privileges and…
- risk 0.60cvss 9.3epss 0.00
Improper validation of memory region in Hypervisor can lead to incorrect region mapping in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking
- risk 0.00cvss 9.9epss 0.03
Bytecode Viewer (BCV) is a Java/Android reverse engineering suite. Versions of the package prior to 2.11.0 are vulnerable to Arbitrary File Write via Archive Extraction (AKA "Zip Slip"). The vulnerability is exploited using a specially crafted archive that holds directory…
- risk 0.64cvss 9.8epss 0.04
In Sourcecodetester Printable Staff ID Card Creator System 1.0 after compromising the database via SQLi, an attacker can log in and leverage an arbitrary file upload vulnerability to obtain remote code execution.
- risk 0.59cvss 9.0epss 0.01
Microsoft Exchange Server Remote Code Execution Vulnerability
- risk 0.74cvss 9.8epss 0.93
HTTP Protocol Stack Remote Code Execution Vulnerability
- risk 0.59cvss 9.0epss 0.01
Windows Hyper-V Elevation of Privilege Vulnerability
- risk 0.59cvss 9.0epss 0.01
Microsoft Exchange Server Remote Code Execution Vulnerability
- risk 0.64cvss 9.8epss 0.06
Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability
- risk 0.59cvss 9.0epss 0.01
Microsoft Exchange Server Remote Code Execution Vulnerability
- risk 0.61cvss 9.3epss 0.01
The Realm Server component of TIBCO Software Inc.'s TIBCO FTL - Community Edition, TIBCO FTL - Developer Edition, and TIBCO FTL - Enterprise Edition contains an easily exploitable vulnerability that allows authentication bypass due to a hard coded secret used in the default…
- risk 0.64cvss 9.8epss 0.01
cscms v4.1 allows for SQL injection via the "page_del" function.
- risk 0.64cvss 9.8epss 0.01
cscms v4.1 allows for SQL injection via the "js_del" function.
- risk 0.00cvss 9.1epss 0.01
PuddingBot is a group management bot. In version 0.0.6-b933652 and prior, the bot token is publicly exposed in main.py, making it accessible to malicious actors. The bot token has been revoked and new version is already running on the server. As of time of publication, the…
- risk 0.00cvss 9.0epss 0.01
In Teedy, versions v1.5 through v1.9 are vulnerable to Stored Cross-Site Scripting (XSS) in the name of a created Tag. Since the Tag name is not being sanitized properly in the edit tag page, a low privileged attacker can store malicious scripts in the name of the Tag. In the…
- risk 0.00cvss 9.6epss 0.01
In Teedy, versions v1.5 through v1.9 are vulnerable to Reflected Cross-Site Scripting (XSS). The “search term" search functionality is not sufficiently sanitized while displaying the results of the search, which can be leveraged to inject arbitrary scripts. These scripts are…
- risk 0.65cvss 9.8epss 0.15
A deserialization vulnerability existed in dubbo hessian-lite 3.2.11 and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protocol, during Hessian catch unexpected exceptions, Hessian…
- risk 0.64cvss 9.8epss 0.07
The PublishPress Capabilities WordPress plugin before 2.3.1, PublishPress Capabilities Pro WordPress plugin before 2.3.1 does not have authorisation and CSRF checks when updating the plugin's settings via the init hook, and does not ensure that the options to be updated belong…
- risk 0.64cvss 9.8epss 0.02
The "WP Search Filters" widget of The Plus Addons for Elementor - Pro WordPress plugin before 5.0.7 does not sanitise and escape the option parameter before using it in a SQL statement, which could lead to SQL injection
- risk 0.64cvss 9.8epss 0.01
Formpipe Lasernet before 9.13.3 allows file inclusion in Client Web Services (either by an authenticated attacker, or in a configuration that does not require authentication).
- risk 0.00cvss 9.8epss 0.04
QXIP SIPCAPTURE homer-app before 1.4.28 for HOMER 7.x has the same 167f0db2-f83e-4baa-9736-d56064a5b415 JWT secret key across different customers' installations.
- risk 0.00cvss 9.8epss 0.03
defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
- risk 0.00cvss 9.8epss 0.03
build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
- risk 0.00cvss 9.8epss 0.05
addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
- risk 0.57cvss 9.8epss 0.03
PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitrary expressions, such as ones that use the Python exec method. A lambda expression could also be used.
- risk 0.64cvss 9.8epss 0.03
Sourcecodester Online Thesis Archiving System 1.0 is vulnerable to SQL Injection. An attacker can bypass admin authentication and gain access to admin panel using SQL Injection
- risk 0.64cvss 9.8epss 0.03
Laundry Booking Management System 1.0 (Latest) and previous versions are affected by a remote code execution (RCE) vulnerability in profile.php through the "image" parameter that can execute a webshell payload.
- risk 0.69cvss 9.8epss 0.63
The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. An attacker may pass a JNDI driver name and a URL leading to a LDAP or RMI servers, causing remote code execution. This can be exploited…
- risk 0.64cvss 9.8epss 0.01
The bone voice ID TA has a heap overflow vulnerability.Successful exploitation of this vulnerability may result in malicious code execution.
- risk 0.64cvss 9.8epss 0.01
There is a Heap-based buffer overflow vulnerability with the NFC module in smartphones. Successful exploitation of this vulnerability may cause memory overflow.
- risk 0.64cvss 9.8epss 0.01
There is an Integer overflow vulnerability with ACPU in smartphones. Successful exploitation of this vulnerability may cause out-of-bounds access.
- risk 0.64cvss 9.8epss 0.02
All versions of package realms-shim are vulnerable to Sandbox Bypass via a Prototype Pollution attack vector.