2z Project
Products
- 5 CVEs
- 4 CVEs
Recent CVEs
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-48374 | | Med | 0.29 | — | 0.00 | | May 22, 2025 | zot is a container image/artifact registry based on the Open Container Initiative Distribution Specification. Prior to version 2.1.3 (corresponding to pseudoversion 1.4.4-0.20250522160828-8a99a3ed231f), when using Keycloak as an OIDC provider, the client secret gets printed into… |
| CVE-2026-31801 | | | 0.00 | — | 0.00 | | Mar 10, 2026 | zot is a container image/artifact registry based on the Open Container Initiative Distribution Specification. From 1.3.0 to 2.1.14, zot's dist-spec authorization middleware infers the required action for PUT /v2/{name}/manifests/{reference} as create by default, and only… |
| CVE-2025-23208 | | | 0.00 | — | 0.00 | | Jan 17, 2025 | zot is a production-ready vendor-neutral OCI image registry. The group data stored for users in the boltdb database (meta.db) is an append-list, so group revocations/removals are ignored in the API. SetUserGroups is called on login, but instead of replacing the group memberships,… |
| CVE-2024-39897 | | | 0.00 | — | 0.00 | | Jul 9, 2024 | zot is an OCI image registry. Prior to 2.1.0, the cache driver `GetBlob()` allows read access to any blob without an access control check. If a Zot `accessControl` policy allows users read access to some repositories but restricts read access to other repositories and `dedupe` is… |
| CVE-2007-6660 | | | 0.00 | — | 0.01 | | Jan 4, 2008 | 2z project 0.9.6.1 allows remote attackers to obtain sensitive information via (1) a request to index.php with an invalid template or (2) a request to the default URI with certain year and month parameters, which reveals the path in various error messages. |
| CVE-2007-6661 | | | 0.00 | — | 0.01 | | Jan 4, 2008 | 2z project 0.9.6.1 allows attackers to change the password without supplying the old password. |
| CVE-2007-6659 | | | 0.00 | — | 0.01 | | Jan 4, 2008 | Multiple cross-site scripting (XSS) vulnerabilities in 2z project 0.9.6.1 allow remote attackers to inject arbitrary web script or HTML via the (1) contentshort or (2) contentfull parameter in an addnews action to the default URI; (3) the content parameter in a pm write action… |
| CVE-2007-2898 | | | 0.00 | — | 0.01 | | May 30, 2007 | SQL injection vulnerability in includes/rating.php in 2z Project 0.9.5 allows remote attackers to execute arbitrary SQL commands via the rating parameter to index.php. |
| CVE-2007-2905 | | | 0.00 | — | 0.01 | | May 30, 2007 | SQL injection vulnerability in includes/rating.php in 2z Project 0.9.5 allows remote attackers to execute arbitrary SQL commands via the post_id parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |