Shin

3 exploits Active since Apr 2025
CVE-2025-46653 WRITEUP LOW WRITEUP
Formidable 2.1.0-3.5.2 - Info Disclosure
Formidable (aka node-formidable) 2.1.0 through 3.x before 3.5.3 relies on hexoid to prevent guessing of filenames for untrusted executable content; however, hexoid is documented as not "cryptographically secure." (Also, there is a scenario in which only the last two characters of a hexoid string need to be guessed, but this is not often relevant.) NOTE: this does not imply that, in a typical use case, attackers will be able to exploit any hexoid behavior to upload and execute their own content.
CVSS 3.1
CVE-2025-46654 WRITEUP MEDIUM WRITEUP
CodiMD <2.2.0 - XSS
CodiMD through 2.2.0 has a CSP-based protection mechanism against XSS through uploaded JavaScript content, but it can be bypassed by uploading a .html file that references an uploaded .js file.
CVSS 4.9
CVE-2025-46655 WRITEUP MEDIUM WRITEUP
CodiMD <2.5.4 - XSS
CodiMD through 2.5.4 has a CSP-based protection mechanism against XSS through uploaded SVG documents containing JavaScript, but it can be bypassed in certain cases of different-origin file storage, such as AWS S3. NOTE: it can be considered a user error if AWS is employed for hosting untrusted JavaScript content, but the selected architecture within AWS does not have components that are able to insert Content-Security-Policy headers.
CVSS 4.9