Security Report
BerriAI LiteLLM SQL Injection Vulnerability
Ivanti Endpoint Manager Mobile (EPMM) Improper Input Validation Vulnerability
Palo Alto Networks PAN-OS Out-of-bounds Write Vulnerability
CVE-2026-42298
free5GC's NEF nnef-pfdmanagement API is unauthenticated; forged bearer tokens can read PFD data and create/delete PFD subscriptions
free5GC's NEF mounts the `nnef-pfdmanagement` route group without inbound OAuth2/bearer-token authorization. A network attacker who can reach NEF on the SBI can use a forged or arbitrary bearer token (e.g. `Authorization: Bearer not-a-real-token`) to read PFD application data via `GET /a…
free5GC's SMF UPI management interface lacks auth middleware; unauthenticated topology read/write requests reach handlers
free5GC's SMF mounts the `UPI` management route group without OAuth2/bearer-token authorization middleware. A network attacker who can reach SMF on the SBI can hit `UPI` endpoints with no `Authorization` header at all, and the requests reach the SMF business handlers. In the running Dock…
free5GC's NEF nnef-oam route group is unauthenticated; no-token requests reach the OAM handler
free5GC's NEF mounts the `nnef-oam` route group without inbound OAuth2/bearer-token authorization. A network attacker who can reach NEF on the SBI can hit the OAM route with no `Authorization` header at all and the handler returns `200 OK`. The current OAM handler is a stub that returns …
Note Mark has a JWT Secret Weakness that allows Full Account Takeover via Token Forgery
No minimum length or entropy is enforced on the `JWT_SECRET` configuration value. The application accepts any base64-decodable secret regardless of size, including secrets as short as 1 byte.
HS256 secrets below 32 bytes are brute-forceable offline, allowing attackers to recover the s…
CVE-2026-33587
vm2: Mutable Proxies for Host Intrinsic Prototypes Allows Sandbox Escape
vm2's bridge exposes mutable proxies for real host-realm intrinsic prototypes and then forwards sandbox writes into the underlying host objects with otherReflectSet() and otherReflectDefineProperty(), which lets attacker-controlled JavaScript running in a default VM or inherited NodeVM m…
vm2 Access to Host Object Enables Sandbox Escape
It is possible to obtain the host `Object`, https://github.com/patriksimek/vm2/commit/ebcfe94ad2f864f0bc35e78cff1d921107cfd160 added some protections, but the implementation is incomplete.
### Details
There are various ways to use the host `Object`, to escape the sandbox, one example …
vm2 has a Sandbox Escape Vulnerability
It is possible to reach `BaseHandler.getPrototypeOf`, which can be used to get arbitrary prototypes
### Details
https://github.com/patriksimek/vm2/blob/408fc855f1cc1bbc2985b029465ee0e732ada433/lib/bridge.js#L655-L658
`BaseHandler` can be reached via `util.inspect` (same as https://gi…
CVE-2026-40281
CVE-2026-42454
vm2 has a NodeVM builtin allowlist bypass via `module` builtin's `Module._load` that allows sandbox escape
NodeVM's `builtin` allowlist can be bypassed when the `module` builtin is allowed (including via the `'*'` wildcard). The `module` builtin exposes Node's `Module._load()`, which loads any module by name directly in the host context, completely bypassing vm2's builtin restriction. This all…
Fleet: Helm impersonation bypass of `RESTClientGetter` retains `cluster-admin` during template rendering
Fleet's Helm deployer did not fully apply ServiceAccount impersonation in two code paths, allowing a tenant with git push access to a Fleet-monitored repository to read secrets from any namespace on every downstream cluster targeted by their `GitRepo`.
**Helm `lookup` bypass:** The Helm…
wger: cross-tenant password reset and plaintext disclosure via gym=None bypass
The `reset_user_password` and `gym_permissions_user_edit` views in wger perform a gym-scope authorization check using Python object comparison (`!=`) that evaluates `None != None` as `False`, silently bypassing the guard when both the attacker and victim have no gym assignment (`gym=Non…
Rucio has SQL Injection in FilterEngine PostgreSQL Query Builder via DID Search API
A SQL injection vulnerability in `FilterEngine.create_postgres_query` allows any authenticated Rucio user to execute arbitrary SQL against the configured PostgreSQL metadata database through the DID search endpoint (`GET /dids/<scope>/dids/search`). When the external metadata plugin `po…
Rucio has SQL Injection in FilterEngine Oracle JSON Path via DID Search API
A SQL injection vulnerability in the Oracle path of `FilterEngine.create_sqla_query` allows any authenticated Rucio user to execute arbitrary SQL against the backend database through the DID search endpoint (`GET /dids/<scope>/dids/search`). Attacker-controlled filter keys and values ar…
Apache Polaris has an Improper Input Validation Issue
In S3 IAM policy matching, `*` is tre…
Apache Polaris has an Improper Input Validation Issue
Apache Polaris has an Improper Input Validation issue
`write.metadata.path` is an optional table property that tells Polaris where to write those metadata files. For a table already registered in a Po…
Apache Polaris has an Improper Input Validation issue
Apache Polaris builds Google Cloud Storage downscoped credentials by …
CVE-2026-42811
that
only work for one table's files, but a crafted namespace or table name can
cause those credentials to work across the configured bucket instead.
Apache Polaris builds Google Cloud Storage downscoped credentials by…
@profullstack/mcp-server vulnerable to OS Command Injection in domain_lookup Module
<body>
<!–StartFragment–><html><head></head><body><h1>Security Advisory: OS Command Injection in <code>profullstack/mcp-server</code> <code>domain_lookup</code> Module</h1>
Field | Value
— | —
Project | profullstack/mcp-server
Repository | https://github.com/profullstack/mcp-server
Affec…
Electerm runWidget has a path traversal that leads to arbitrary code execution
The `runWidget` function in `src/app/widgets/load-widget.js` constructs a file path by directly concatenating user‑supplied widget identifiers without any sanitisation:
“`javascript
const file = `widget-${widgetId}.js`
const widget = require(path.join(__dirname, file))
“`
Because `r…
vm2 has Sandbox Breakout Through Null Proto Exception
VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system.
### Details
In `handleException` due to “// SECURITY (post-GHSA-mpf8 hardening): use `from` (not `ensureThis…
vm2 has sandbox breakout via `neutralizeArraySpeciesBatch`
VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system.
### Details
The new method `neutralizeArraySpeciesBatch` works with objects from the other side but can call …
CVE-2026-43402
kthread: consolidate kthread exit paths to prevent use-after-free
Guillaume reported crashes via corrupted RCU callback function pointers
during KUnit testing. The crash was traced back to the pidfs rhashtable
conversion which rep…
CVE-2026-41507
CVE-2026-41497
CVE-2023-46453
Gotenberg has Unauthenticated RCE via ExifTool Metadata Key Injection
## Summary
Gotenberg's `/forms/pdfengines/metadata/write` HTTP endpoint accepts a JSON metadata object and passes its keys directly to ExifTool via the go-exiftool library. No validation is performed on key characters. A `\n` em…
CVE-2026-41930
Nginx-UI is Vulnerable to Unauthenticated Remote Code Execution via Backup Restore
**Repository:** `0xJacky/nginx-ui` (branch: `dev`)
**Vulnerability Class:** Authentication Bypass → Arbitrary File Write → OS Command Injection
**Affected Component:** `POST /api/restore`
—
## 1. Vulnerability Summary
nginx-ui exposes a backup restore endpoint (`POST /…
CVE-2026-43186
ipv6: ioam: fix heap buffer overflow in __ioam6_fill_trace_data()
On the receive path, __ioam6_fill_trace_data() uses trace->nodelen
to decide how much data to write for each node. It trusts this field
as-is from the incoming pack…
CVE-2026-35579
CVE-2026-38428
CVE-2026-38431
VM2 Has a WASM Sandbox Escape (Node 25 only)
Full sandbox escape with arbitrary code execution. Attacker code inside `VM.run()` obtains host process object and runs host commands with zero host cooperation.
## Details
**Confirmed on:** vm2 3.10.4, Node.js v25.6.1 (x64 Linux)
**Trigger:** Attacker-controlled code passed to `VM.run…
VM2 Has a Sandbox Escape Issue via SuppressedError
### PoC
“`js
const { VM } = require("vm2");
const vm = new VM();
vm.run(`
const ds = new DisposableStack();
ds.defer(() => { throw null; });
ds.defer(() => {
const e = Error();
…
VM2 Has Sandbox Breakout Through Inspect Function
VM2 suffers from a sandbox breakout vulnerability through the `inspect` function. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system.
### Details
The node `inspect` method allows to log details of objects. To get…
VM2 Has Sandbox Breakout Through Promise Species
The fix for https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5 is insufficient and can be circumvented allowing attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system.
### Details
The fix for https://gith…
CVE-2026-43067
ext4: handle wraparound when searching for blocks for indirect mapped blocks
Commit 4865c768b563 ("ext4: always allocate blocks only from groups
inode can use") restricts what blocks will be allocated for indirect
block based file…
CVE-2026-42238
CVE-2026-42233
Apache OpenNLP ExtensionLoader Vulnerable to Arbitrary Class Instantiation via Model Manifest
Versions Affected: before 2.5.9, before 3.0.0-M3
Description:
The ExtensionLoader.instantiateExtension(Class, String) method loads a class by its fully-qualified name via Class.forName() and invokes its…
CVE-2026-42796
CVE-2026-42076
CVE-2026-26956
CVE-2026-26332
CVE-2026-24781
CVE-2026-24120
CVE-2026-24118
Cline Kanban Server has a Cross-Origin WebSocket Hijacking Vulnerability
The `kanban` npm package (used by the `cline` CLI) starts a WebSocket server on `127.0.0.1:3484` with no Origin header validation. Any website a developer visits can silently connect to the kanban server via WebSocket and:
1. Leak sensitive data in real-time: workspace filesystem paths,…
CVE-2026-44336
CVE-2026-42880
ArgoCD ServerSideDiff is vulnerable to Kubernetes Secret Extraction
There is a missing authorization and data-masking gap in Argo CD's ServerSideDiff endpoint that allows an attacker with read-only access to extract plaintext Kubernetes Secret data from etcd via the Kubernetes API server's Server-Side Apply dry-run mechanism.
### Details
Argo CD masks S…
CVE-2026-7910
CVE-2026-7908
CVE-2026-42235
CVE-2026-42088
CVE-2026-42090
free5GC's NEF 3gpp-traffic-influence API is unauthenticated; missing or forged bearer tokens can create, read, patch, and delete subscriptions
free5GC's NEF mounts the `3gpp-traffic-influence` API without inbound OAuth2/bearer-token authorization. A network attacker who can reach NEF on the SBI can create, read, patch, and delete traffic-influence subscriptions either with no `Authorization` header at all, or with a forged bear…
free5GC's NEF 3gpp-pfd-management API is unauthenticated; forged bearer tokens can create, read, and delete PFD transactions
free5GC's NEF mounts the `3gpp-pfd-management` API without inbound OAuth2/bearer-token authorization. A network attacker who can reach NEF on the SBI can create, read, and delete PFD-management transaction state with a forged or arbitrary bearer token (e.g. `Authorization: Bearer not-a-r…
Gotenberg vulnerable to unauthenticated SSRF via default deny-list bypass in downloadFrom and webhook
The default deny-lists used by Gotenberg's `downloadFrom` feature and `webhook` feature are bypassable. Because the filter is regex-based and case-sensitive, an unauthenticated attacker can supply URLs such as `http://[::ffff:127.0.0.1]:…` and reach loopback or private HTTP services th…
S3-Proxy has Security Issues in its Resource Path Matching Implementation
The original concern is functional: a resource pattern should treat a percent-encoded segment like some%2Fvalue as a single opaque token rather than splitting it into two path segments at the decoded /. Investigation into why %2F was being decoded and how routes matched against the re…
Compromised version of intercom-client published to npm
On April 30, 2026, version 7.0.4 of intercom-client was published to npm using credentials obtained from a compromised developer account. This version was not produced by Intercom's build pipeline.
The malicious version contained an obfuscated JavaScript payload that executed during pac…
CVE-2026-42560
Open WebUI has an LDAP Empty Password Authentication Bypass
## Affected Component
LDAP authentication endpoint:
– `backend/open_webui/routers/auths.py` (lines 468-477, user bind with empty password)
– `backend/open_webui/models/auths.py` (lines 58-60, `LdapForm` model)
## Affected Versions
Current main branch (…
CVE-2026-44497
CVE-2026-41583
vm2 NodeVM `nesting: true` bypasses `require: false` allowing sandbox escape and arbitrary OS command execution
When a `NodeVM` is created with `nesting: true`, sandbox code can unconditionally `require('vm2')` regardless of the outer VM's `require` configuration — including `require: false`. With access to `vm2`, the sandbox constructs a new inner `NodeVM` with its own unrestricted `require` s…
FileBrowser Public Share DELETE API Path Traversal Allows Unauthenticated Arbitrary File Deletion
Attacker-controlled path input is joined with a trusted base path prior to sanitization, allowing traversal sequences (e.g., ../) to escape the intended shared directory. As a result, an unauthenticated attacker possessing a valid public share hash with delete permissions enabled ca…
Axonflow fixed bugs by implementing multi-tenant isolation and access-control hardening
Eight independently-filed bug fixes in the v7.1.3 → v7.5.0 release window collectively close a set of multi-tenant isolation, access-control, and policy-enforcement defects in the AxonFlow platform. They are filed as a single consolidated advisory because the recommended remediation is…
fast-jwt: JWT auth bypass due to empty HMAC secret accepted by async key resolver
A critical authentication-bypass vulnerability in `fast-jwt`'s async key-resolver flow allows any unauthenticated attacker to forge arbitrary JWTs that are accepted as authentic. When the application's key resolver returns an empty string (`''`), for example via the common `keys[decoded…
Valtimo has SpEL injection via StandardEvaluationContext that allows Remote Code Execution by admin users
Multiple classes evaluate Spring Expression Language (SpEL) expressions from user-supplied input using `StandardEvaluationContext`, which provides unrestricted access to Java types and methods. An authenticated user with the ADMIN role can achieve Remote Code Execution and credential ex…
CVE-2026-43083
net: ioam6: fix OOB and missing lock
When trace->type.bit6 is set:
if (trace->type.bit6) {
…
queue = skb_get_tx_queue(dev, skb);
qdisc = rcu_dereference(queue->qdisc);
This code can lead to an out-o…
CVE-2026-43071
dcache: Limit the minimal number of bucket to two
There is an OOB read problem on dentry_hashtable when user sets
'dhash_entries=1':
BUG: unable to handle page fault for address: ffff888b30b774b0
#PF: supervisor read access in…
CVE-2026-36356
OpenMRS has Stored Velocity SSTI to RCE via ConceptReferenceRange
The `ConceptReferenceRangeUtility.evaluateCriteria()` method in OpenMRS Core
evaluates database-stored criteria strings as Apache Velocity templates without any sandbox configuration. The `VelocityEngine` is initialized with only logging properties and no`SecureUberspector`, leaving the …
Apache OpenNLP DictionaryEntryPersistor Vulnerable to XML External Entity (XXE) via Unsanitized Dictionary Parsing
Versions Affected: before 2.5.9, before 3.0.0-M3
Description: The DictionaryEntryPersistor class initializes a static SAXParserFactory at class-load time without enabling FEATURE_SECURE_PROCES…
ArcadeDB vulnerable to cross-database authorization bypass and unsecured newly-created databases
Authenticated users and API tokens scoped to a specific database could read, write, and mutate schema on any other database on the same server. Two distinct defects contributed: (1) ServerSecurityUser.getDatabaseUser() returned a DB user with an uninitialized fileAccessMap, which requestA…
Sandboxed Thymeleaf expressions vulnerable to improper recognition of unauthorized syntax patterns
A security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf up to and including 3.1.4.RELEASE. Although the library provides mechanisms to avoid the execution of potentially dangerous expressions in some specific sandboxed (restricted) contexts, it fails to…
OpenMRS Module Upload Vulnerable to Path Traversal (Zip Slip)
version ≤ 2.7.8 (latest version at time of disclosure)
https://github.com/openmrs/openmrs-core
## Impact
The endpoint `POST /openmrs/ws/rest/v1/module` is vulnerable to a path traversal (Zip Slip) attack. An authenticated attacker can upload a crafted `.omod` archive conta…
SiYuan: Electron Renderer RCE via decodeURIComponent-driven tooltip XSS in aria-label sink (incomplete fix for CVE-2026-34585)
The tooltip mouseover handler in `app/src/block/popover.ts` reads `aria-label` via `getAttribute` and passes it through `decodeURIComponent` before assigning to `messageElement.innerHTML` in `app/src/dialog/tooltip.ts:41`. The encoder used at the producer side, `escapeAriaLabel` in `app/…
Electerm users can run dangrous code through link or command line
_Arbitrary local code execution via deep links, CLI `–opts`, or crafted shortcuts. Affected users: electerm installs that accept protocol URLs or CLI options (affected versions listed in the original report). Exploit requires clicking a crafted `electerm://…` link or opening a crafted …
Zebra v4.4.0 still accepts V5 SIGHASH_SINGLE without a corresponding output
## Summary
Zebra failed to enforce a ZIP-244 consensus rule for V5 transparent transactions: when an input is signed with `SIGHASH_SINGLE` and there is no transparent output at the same index as that input, valida…
SiYuan Affected by Stored XSS via Attribute View Name to Electron Renderer RCE
The kernel stores Attribute View (AV / database) names without any HTML escape, then a render template uses raw `strings.ReplaceAll(tpl, "${avName}", nodeAvName)` to embed the name in HTML before pushing to all clients via WebSocket. Three independent client paths (`render.ts:120` → `o…
Zebra's Transparent SIGHASH_SINGLE Handling Diverges from zcashd for Corresponding Outputs
### Summary
For V5+ transparent spends, `Zebra` and `zcashd` disagree on the same consensus rule: `SIGHASH_SINGLE` must fail when the input index has no corresponding output. `zcashd` treats this as consensu…
Zebra has Consensus Divergence in Transparent Sighash Hash-Type Handling due to Stale Buffer
## Summary
The fix for https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-8m29-fpq5-89jj introduced a separate issue due to insuficient error handling of the case where the sighash t…
Zebra's Block Validator Undercounts Coinbase and P2SH Sigops
Compromise of PyTorch Lightning PyPi Package Versions
**Published:** 2026-04-30
**Last Updated:** 2026-04-30
Lightning AI has identified a security incident affecting certain versions of a PyPI package.
## What happened
Lightning AI has determined that one or more releas…
misp-modules website – Missing CSRF protection in the website home blueprint
DevGuard has an unauthenticated identity assertion via `X-Admin-Token` header
The `SessionMiddleware` accepts a client-supplied `X-Admin-Token` HTTP request header and uses its raw string value as the authenticated `userID` when no Kratos session cookie is present. An unauthenticated attacker who knows or can guess a target user's Kratos identity UUID can issue req…
MagicMirror vulnerable to unauthenticated SSRF via /cors endpoint
An unauthenticated Server-Side Request Forgery (SSRF) vulnerability in the `/cors` endpoint allows any remote attacker to force the MagicMirror² server to perform arbitrary HTTP requests to internal networks, cloud metadata services, and localhost services. The endpoint also expands en…
django-s3file is vulnerable to relative path traversal
`S3FileMiddleware` is vulnerable to relative path traversal attacks, where an attacker can use a modified request to escape pre-signed upload locations and have the Django application load files from random locations into `request.FILES`
Depending on how files are handled, this may lead …
`mysten-metrics` was removed from crates.io for malicious code
The malicious crate had 1 version published on 2026-04-20 and had no evidence of actual usage. This crate had no dependencies on crates.io.
`sui-execution-cut` was removed from crates.io for malicious code
The malicious crate had 1 version published on 2026-04-20 and had no evidence of actual usage. This crate had no dependencies on crates.io.
Electerm Security Vulnerability: RCE via malicious SSH server filename in openFileWithEditor
A code execution (RCE) vulnerability exists in electerm's SFTP open with system editor or "Edit with custom editor" feature. When a user opts to edit a file using open with system editor or open with a custom editor, the filename is passed directly into a command line without sanitizatio…
Electerm has an unvalidated shell.openExternal that allows arbitrary protocol execution via terminal link click
Electerm's terminal hyperlink handler passes any URL clicked in the terminal directly to `shell.openExternal` without any protocol validation.
When a user connects to a malicious SSH server, the attacker can print a crafted URI in the terminal output. If the victim clicks the link, `she…
CVE-2026-42215
CVE-2025-63705
CVE-2026-41139
Diffusers has a `trust_remote_code` bypass via `custom_pipeline` and local custom components
A `trust_remote_code` bypass in `DiffusionPipeline.from_pretrained` allows arbitrary remote code execution despite the user passing `trust_remote_code=False` (or omitting it, which is the default). The vulnerability has three variants, all sharing the same root cause — the `trust_remot…
Diffusers has a `trust_remote_code` bypass via `custom_pipeline` and local custom components
This vulnerability is found in the `DiffusionPipeline.from_pretrained` flow, which is used to load a pipeline from the HuggingFace Hub.
This function accepts an optional `custom_pipeline` keyword argument: the name of a Python file in the repo that contains a custom class inheriting …
rmcp Streamable HTTP server transport has a DNS rebinding vulnerability
Prior to version 1.4.0, the `rmcp` crate's Streamable HTTP server transport (`crates/rmcp/src/transport/streamable_http_server/`) did not validate the incoming `Host` header. This allowed a malicious public website, via a DNS rebinding attack, to send authenticated requests to an MCP ser…
CVE-2026-8000
CVE-2026-7973
CVE-2026-7928
CVE-2026-7907
CVE-2026-7906
CVE-2026-7903
CVE-2026-7902
CVE-2026-7901
CVE-2026-7899
CVE-2026-7898
CVE-2026-7896
CVE-2026-42503
If -listen is given a value without an explicit host (e.g. :8080), or -port is used, gopls will listen on 0.0.0.0.
As a result, users might inadvertently cause gopls to bind 0.0.0.0.
This…
CVE-2026-43158
xfs: fix freemap adjustments when adding xattrs to leaf blocks
xfs/592 and xfs/794 both trip this assertion in the leaf block freemap
adjustment code after ~20 minutes of running on my test VMs:
ASSERT(ichdr->firstused >= ichdr-…
@evomap/evolver: Path Traversal in `evolver fetch` default-branch `safeId` allows Hub-controlled overwrite of project files (RCE)
The `evolver fetch` subcommand in `index.js` writes Hub-supplied `bundled_files[]` into a directory derived from a Hub-supplied `skill_id`. When `–out` is not used, the path-sanitizing regex permits `.` characters, allowing a `skill_id` of `..` to escape the `skills/` subdirectory and r…
Hysteria: A specially constructed quic package can crash the server OOM when the sniff is enabled
A specially constructed quic package can crash the server OOM when the sniff is enabled.
### Details
When the server has sniff enabled, a valid connection can request the server to forward UDP traffic and construct a huge crypto length. The server will allocate memory according to thi…
JupyterHub has an Extension Manager API/GUI Policy Discrepancy, allowing 3rd party (malicious) extensions install via POST request
This has security implications for deployment…
YAFNET: Pre-Handler Authorization Bypass on Admin Pages Enables Blind SQL Execution via `/Admin/RunSql`
YAFNET's only admin authorization gate is `PageSecurityCheckAttribute`, implemented as a `ResultFilterAttribute` that runs *after* the page handler completes rather than before it. No other gate exists. Any admin `OnPost…` handler therefore executes its side effects before the f…
CVE-2026-34464
CVE-2026-34459
CVE-2026-34458
OpenClaw's gateway config mutation guard allowed unsafe model-driven config writes
The agent-facing `gateway` tool protects `config.apply` and `config.patch` with a model-to-operator trust boundary. That guard used a hand-maintained denylist of protected config paths. The config schema outgrew that denylist, leaving sensitive subtrees writable through model-driven gate…
CVE-2026-42434
CVE-2026-42237
CVE-2026-42234
CVE-2026-42232
CVE-2026-42231
CVE-2026-42229
CVE-2026-29514
Open WebUI: Redis Cache Keys tool_servers and terminal_servers Missing Instance Prefix Enable Cross-Instance Cache Poisoning
## Affected Component
Tool server and terminal server Redis cache:
– `backend/open_webui/utils/tools.py` (line 841, tool_servers SET)
– `backend/open_webui/utils/tools.py` (line 850, …
netbox-data-flows has stored XSS in ObjectAlias names rendered inside DataFlow tables
An authenticated user who can create or edit `ObjectAlias` objects can store arbitrary HTML/JavaScript in an alias name. That payload is later rendered unescaped in `DataFlow` table views, causing a stored XSS when another user views the affected page.
### Details
The issue is caused by…
CVE-2026-42352
CVE-2026-41690
CVE-2026-41683
CVE-2026-42047
vm2 has a Sandbox Escape via Promise Constructor Unhandled Rejection (Process Crash DoS)
A sandbox escape vulnerability in vm2 v3.10.5 allows any sandboxed code to crash the host Node.js process via a single Promise constructor that triggers an unhandled rejection propagating to the host. The fix for CVE-2026-22709 (v3.10.2) only sanitized the `onRejected` callback in `.then…
Harvester's SUSE Virtualization Registration Client Vulnerable to MITM and DOS
A vulnerability has been identified in the [SUSE Virtualization (Harvester) Rancher integration mechanism](https://docs.harvesterhci.io/v1.7/rancher/rancher-integration) where by default the registration client uses an insecure TLS option that fails to verify the remote server’s certi…
PPTAgent: Arbitrary Code Execution via Python eval() of LLM-Generated Code with Builtins in Scope
> This vulnerability has been fixed in https://github.com/icip-cas/PPTAgent/commit/418491a9a1c02d9d93194b5973bb58df35cf9d00.
`CodeExecutor.execute_actions` (pptagent/apis.py:126-205) processes LLM-generated slide editing actions using Python's `eval()`:
“`python
# pptagent/apis.py:18…
Inngest TypeScript SDK exposes environment variables via serve() handler on unhandled HTTP methods
A vulnerability in the Inngest TypeScript SDK versions `3.22.0` through `3.53.1` allows unauthenticated remote attackers to exfiltrate environment variables from the host process via the `serve()` HTTP handler.
The `serve()` handler implements `GET`, `POST`, and `PUT` methods. Requests u…
CVE-2026-42079
CVE-2026-42449
vm2 has a NodeVM require.root bypass via symlink traversal that allows sandbox escape
NodeVM's `require.root` path restriction can be bypassed using filesystem symlinks, allowing sandboxed code to load modules from outside the allowed root directory in host context. Because path validation uses `path.resolve()` (which does not dereference symlinks) but module loading uses …
Rancher Extensions have arbitrary file access via path traversal
A vulnerability has been identified in [Rancher's Extensions](https://ranchermanager.docs.rancher.com/integrations-in-rancher/rancher-extensions) where malicious code can be injected in Rancher through a path traversal in the `compressedEndpoint` field inside a `UIPlugin` deployment. A m…
PraisonAI has unauthenticated RCE via `tool_override.py` (CVE-2026-40287 patch bypass)
CVE-2026-40287's fix gated `tools.py` auto-import behind `PRAISONAI_ALLOW_LOCAL_TOOLS=true` in **two** files (`tool_resolver.py`, `api/call.py`). A **third** import sink in `praisonai/templates/tool_override.py` was missed and remains unguarded. It is reached by the recipe runner on every …
Velocity.js has a Prototype Pollution vulnerability through #set path assignment
A prototype pollution vulnerability was discovered in Velocity.js <= 2.1.5. This issue occurs during the processing of #set directives in Velocity templates. If an application renders a template controlled by an attacker, it is possible to modify Object.prototype, potentially leading to …
n8n-mcp affected by path traversal, redirect-following SSRF, and telemetry payload exposure
`n8n-mcp` versions before 2.50.1 contained three independently-reported issues affecting deployments that run the n8n API integration:
1. **Caller-supplied identifiers were not validated before being used as URL path segments** by the n8n API client. An authenticated MCP caller passing a…
CVE-2026-41422
CVE-2026-7917
CVE-2026-7914
CVE-2026-7911
CVE-2026-7905
CVE-2026-7900
LangChain vulnerable to unsafe deserialization of attacker-controlled objects through overly broad `load()` allowlists
free5GC's SMF UPI DELETE /upi/v1/upNodesLinks/{ref} panics on AN-node deletion via nil UPF dereference; unauthenticated, state-mutating
free5GC's SMF mounts the `UPI` management route group without inbound OAuth2 middleware (same root cause as the broader UPI auth gap reported in free5gc/free5gc#887). On top of that, the `DELETE /upi/v1/upNodesLinks/{upNodeRef}` handler unconditionally dereferences `upNode.UPF` after the…
@babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input
Using Babel to compile code that was specifically crafted by an attacker can cause Babel to generate output code that executes arbitrary code.
Known affected plugins are:
– `@babel/plugin-transform-modules-systemjs`
– `@babel/preset-env` when using the [`modules: "systemjs"` option](htt…
CVE-2026-42353
Free5GC PCF: Missing authentication middleware in Npcf_SMPolicyControl allows access to SM policy handlers and disclosure of subscriber SUPI
PCF Npcf_SMPolicyControl missing authentication middleware allows unauthenticated access to SM policy handlers and disclosure of subscriber SUPI
### Details
In `NewServer()`, the `smPolicyGroup` route group is created and routes are applied without attaching the router authorization midd…
Gotenberg has a Server-Side Request Forgery (SSRF) Issue
The SSRF hardening shipped in v8.31.0 only covers outbound URLs that Gotenberg's Go code handles — Chromium asset fetches, webhook delivery, and download-from. The LibreOffice conversion endpoint (`/forms/libreoffice/convert`) passes uploaded documents directly to LibreOffice without …
Gotenberg's ExifTool group-prefix syntax bypasses dangerous-tag blocklist
The ExifTool metadata write blocklist in Gotenberg v8 can be bypassed using ExifTool's group-prefix syntax, enabling arbitrary file rename, move, hardlink, and symlink creation on the server. This is a bypass of the fix for GHSA-qmwh-9m9c-h36m.
**Details**
The blocklist in `pkg/module…
CVE-2026-39852
open-websearch has SSRF in `fetchWebContent` MCP tool: bracketed IPv6 literals and non-resolving hostname check bypass `isPrivateOrLocalHostname`
`src/utils/urlSafety.ts` exposes `isPublicHttpUrl` / `assertPublicHttpUrl`, used to gate the MCP `fetchWebContent` tool against private-network targets. The check has two defects that together allow **non-blind SSRF with the response body returned to the caller**:
1. **Bracketed IPv6 li…
ssrfcheck Vulnerable to Server-Side Request Forgery (SSRF) and Incomplete List of Disallowed Inputs
`ssrfcheck` v1.3.0 (latest) fails to block Server-Side Request Forgery attacks when the target private IP address is encoded as an IPv4-mapped IPv6 address (e.g. `http://[::ffff:127.0.0.1]/`). The WHATWG URL parser built into Node.js silently normalizes the IPv4 notation inside the brac…
exiftool-vendored vulnerable to argument injection via newline characters in tag names
`exiftool-vendored` starts ExifTool in `-stay_open True -@ -` mode, where arguments are read from stdin one per line. In affected versions, several caller-supplied strings were interpolated into ExifTool arguments without rejecting line delimiters. A newline or carriage return inside one…
Quarkus has Authentication/Authorization bypasses
Unauthenticated or lower-privileged users can …
CVE-2026-42296
epa4all-client has a VAU Signature bypass
In SignedPublicKeysTrustValidatorImpl.isTrusted(), the ECDSA signature verification at line 45 discards the boolean return value of Signature.verify(). The method performs certificate chain validation, OCSP check, and signature algorithm setup, but never checks whether the signature actua…
CVE-2026-42452
Open WebUI has Knowledge Base Destruction and RAG Poisoning via Unauthorized Collection Overwrite
## Affected Component
Retrieval web/YouTube processing endpoints:
– `backend/open_webui/routers/retrieval.py` (lines 1810-1837, `process_web`)
– `backend/open_webui/routers/retrieval.py` (the parallel `process_you…
Open WebUI: Stale Admin Role in Socket.IO Session Pool Enables Post-Demotion Cross-User Note Access
## Affected Component
Socket.IO session state and role-check callsites:
– `backend/open_webui/socket/main.py` (lines 330-351, `connect` handler — role snapshotted into SESSION_POOL)
– `backend/open_webui/so…
CVE-2026-41883
CVE-2026-42239
CVE-2026-42284
CVE-2026-33588
opentelemetry-collector-contrib's azureauthextension Authenticate method does not validate bearer tokens, allowing auth bypass via replay
A server-side authentication bypass in `azureauthextension` allows any party who holds a single valid Azure access token for *any scope the collector's configured identity can mint for* to authenticate to any OpenTelemetry receiver that uses `auth: azure_auth`. The extension's `Authenti…
Lemur: LDAP Filter Injection enables post-authentication privilege escalation
### Overview
Lemur's LDAP authentication module (`lemur/auth/ldap.py`) constructs LDAP search filters using unsanitized user input via Python string interpolation. An authenticated LDAP user can inject LDAP filter metacharacters through the username field to manipulate group members…
Nginx-UI: Unauthenticated first-boot instance claim via POST /api/install allows remote bootstrap takeover
An unauthenticated bootstrap takeover exists in `nginx-ui` during the initial installation window exposed by `POST /api/install`.
When the instance is still uninitialized, `POST /api/install` is reachable without authentication and accepts attacker-controlled bootstrap data. The handler…
Nginx-UI: Unauthenticated First-Run Installer Allows Remote Initial Admin Claim
An unauthenticated network attacker can claim the initial administrator account on a fresh `nginx-ui` instance during the first-run setup window. The public `/api/install` endpoint is reachable without authentication, and the request-encryption flow only protects payload confidentiality …
PyLoad vulnerable to Path Traversal via Package Folder Name in set_package_data
No sanitization of package folder name allows writing files anywhere outside the intended download directory.
#### Affected Component
– `src/pyload/core/api/__init__.py`
– Function: `set_package_data()`
### Details
When passing a folder name in the `set_package_data()` API function cal…
@evomap/evolver's validator sandbox allowlist permits `npm`/`npx`, yielding RCE from Hub-delivered validation tasks via lifecycle scripts
The validator-mode sandbox executor (`src/gep/validator/sandboxExecutor.js`) places `npm` and `npx` in its hard executable allowlist. Because `npm install <pkg>` and `npx -y -p <pkg> <bin>` execute arbitrary code by design (preinstall/install/postinstall lifecycle scripts and remote-pack…
YAFNET has Unauthenticated Stored Second-Order XSS in Admin Event Log via Reflected `User-Agent` Header
Stored (second-order) Cross-Site Scripting (XSS) occurs when attacker-controlled input is persisted through one component of an application and later rendered, without proper sanitization or contextual output encoding, by a completely different component — often one that implicitl…
@tdurieux/anonymous_github Vulnerable to XSS via Unsanitized GitHub Repository Content Rendering in Anonymous GitHub Origin
Anonymous GitHub fetches repository content (e.g., markdown files) from GitHub's API and renders it without sanitization. On the client side, markdown is parsed with `marked` (with `sanitize: false`) and injected into the DOM via `$sce.trustAsHtml()` + `ng-bind-html`, bypassing AngularJ…
CVE-2026-42222
CVE-2026-42221
Ech0's OAuth redirect URI validation ignores path component, enables exchange-code theft
`parseAndValidateClientRedirect` at `internal/service/auth/auth.go:448` validates OAuth client-redirect URIs by comparing only scheme and host against the admin-configured allowlist. Path, query, and fragment are ignored. The initiator at `/oauth/:provider/login` embeds the caller-suppli…
CVE-2026-42301
CVE-2026-8148
CVE-2022-26522
CVE-2026-44244
gix-fs: Symlink prefix-reuse allows worktree escape during checkout
A malicious tree can be constructed that will, when checked out with gitoxide, permit writing an attacker-controlled symlink into any existing directory the user has write access to.
### Details
During checkout, all symlink index entries are deferred and created after regular files us…
GitPython: Newline injection in config_writer().set_value() enables RCE via core.hooksPath
CVE-2026-7994
CVE-2026-7990
CVE-2026-7925
CVE-2026-7913
CVE-2026-43236
drm/atmel-hlcdc: fix use-after-free of drm_crtc_commit after release
The atmel_hlcdc_plane_atomic_duplicate_state() callback was copying
the atmel_hlcdc_plane state structure without properly duplicating the
drm_plane_state. In pa…
CVE-2026-43211
PCI: Fix pci_slot_trylock() error handling
Commit a4e772898f8b ("PCI: Add missing bridge lock to pci_bus_lock()")
delegates the bridge device's pci_dev_trylock() to pci_bus_trylock() in
pci_slot_trylock(), but it forgets to remove…
CVE-2026-43178
procfs: fix possible double mmput() in do_procmap_query()
When user provides incorrectly sized buffer for build ID for PROCMAP_QUERY
we return with -ENAMETOOLONG error. After recent changes this condition
happens later, after we …
CVE-2026-43150
perf/arm-cmn: Reject unsupported hardware configurations
So far we've been fairly lax about accepting both unknown CMN models
(at least with a warning), and unknown revisions of those which we
do know, as although things do freque…
CVE-2026-43116
netfilter: ctnetlink: ensure safe access to master conntrack
Holding reference on the expectation is not sufficient, the master
conntrack object can just go away, making exp->master invalid.
To access exp->master safely:
– Grab …
CVE-2026-43106
cachefiles: fix incorrect dentry refcount in cachefiles_cull()
The patch mentioned below changed cachefiles_bury_object() to expect 2
references to the 'rep' dentry. Three of the callers were changed to
use start_removing_dentry(…
CVE-2026-43093
xsk: tighten UMEM headroom validation to account for tailroom and min frame
The current headroom validation in xdp_umem_reg() could leave us with
insufficient space dedicated to even receive minimum-sized ethernet
frame. Furthermo…
CVE-2026-43091
xfrm: Wait for RCU readers during policy netns exit
xfrm_policy_fini() frees the policy_bydst hash tables after flushing the
policy work items and deleting all policies, but it does not wait for
concurrent RCU readers to leave the…
CVE-2026-43084
netfilter: nfnetlink_queue: make hash table per queue
Sharing a global hash table among all queues is tempting, but
it can cause crash:
BUG: KASAN: slab-use-after-free in nfqnl_recv_verdict+0x11ac/0x15e0 [nfnetlink_queue]
[..]
n…
CVE-2026-43078
crypto: af_alg – Fix page reassignment overflow in af_alg_pull_tsgl
When page reassignment was added to af_alg_pull_tsgl the original
loop wasn't updated so it may try to reassign one more page than
necessary.
Add the check to th…
CVE-2026-43076
ocfs2: validate inline data i_size during inode read
When reading an inode from disk, ocfs2_validate_inode_block() performs
various sanity checks but does not validate the size of inline data. If
the filesystem is corrupted, an i…
CVE-2026-43075
ocfs2: fix out-of-bounds write in ocfs2_write_end_inline
KASAN reports a use-after-free write of 4086 bytes in
ocfs2_write_end_inline, called from ocfs2_write_end_nolock during a
copy_file_range splice fallback on a corrupted ocfs…
CVE-2026-43074
eventpoll: defer struct eventpoll free to RCU grace period
In certain situations, ep_free() in eventpoll.c will kfree the epi->ep
eventpoll struct while it still being used by another concurrent thread.
Defer the kfree() to an RCU…
CVE-2026-34462
CVE-2026-34461
gitoxide: CommandForbiddenInModulesConfiguration Bypass in gix_submodule::File::update() Enables Arbitrary Command Execution via .gitmodules
[`gix_submodule::File::update()`](https://github.com/GitoxideLabs/gitoxide/blob/main/gix-submodule/src/access.rs#L168) is the API that gates whether an attacker-supplied `.gitmodules` file may set `update = !<shell command>`. The function is designed to return `Err(CommandForbiddenInMod…
OpenClaw vulnerable to arbitrary code execution via attacker-controlled setup-api.js loaded from cwd during env-key resolution
OpenClaw's bundled plugin setup resolver could fall back to `process.cwd()` while resolving provider setup metadata. If a user ran an OpenClaw command from an attacker-controlled repository containing `extensions/<plugin>/setup-api.js`, OpenClaw could load and execute that JavaScript dur…
CVE-2026-43070
bpf: Reset register ID for BPF_END value tracking
When a register undergoes a BPF_END (byte swap) operation, its scalar
value is mutated in-place. If this register previously shared a scalar ID
with another register (e.g., after a…
CVE-2026-43063
xfs: don't irele after failing to iget in xfs_attri_recover_work
xlog_recovery_iget* never set @ip to a valid pointer if they return
an error, so this irele will walk off a dangling pointer. Fix that.
CVE-2026-43060
netfilter: nft_ct: drop pending enqueued packets on removal
Packets sitting in nfqueue might hold a reference to:
– templates that specify the conntrack zone, because a percpu area is
used and module removal is possible.
– conn…
CVE-2026-7791
Ech0 has Server-Side Request Forgery (SSRF) via Connect Handler fetchPeerConnectInfo
The `fetchPeerConnectInfo` function in `internal/service/connect/connect.go:214-239` uses `httpUtil.SendRequest` (no SSRF protection) instead of `SendSafeRequest` (which has `ValidatePublicHTTPURL` with private IP blocking). This allows authenticated users to make the server request arbit…
CVE-2026-41905
CVE-2026-41688
DevSpace UI Server WebSocket CheckOrigin does not validate source
DevSpace's UI server WebSocket accepts connections from all origins by default, and therefore several endpoints are exposed via this WebSocket. When a developer runs the DevSpace UI and at the same time uses a browser to access the internet, a malicious website they visit can use th…
OpenStack Ironic has an Incorrect Resource Transfer Between Spheres
Open WebUI's Base Model Routing Bypasses Access Control via Model Chaining
## Affected Component
Model chaining via `base_model_id`:
– `backend/open_webui/routers/models.py` (lines 170-214, `create_new_model`)
– `backend/open_webui/routers/models.py` (lines 254-308, `import_models`)
– `backend/open_webui/mai…
MikroORM has SQL injection via runtime-controlled identifiers and JSON-path keys
MikroORM's identifier-quoting helper (`Platform.quoteIdentifier` and the postgres/mssql overrides) and its JSON-path emitters (`Platform.getSearchJsonPropertyKey`, `quoteJsonKey`) did not properly escape characters that delimit the SQL identifier or string-literal context they emit into.…
CVE-2026-42351
free5GC NRF: type-confusion panic in POST /oauth2/token structured-form parser via Reflect.Set on incompatible types
free5GC's NRF root SBI endpoint `POST /oauth2/token` contains a parser-level type-confusion bug family. The handler in `NFs/nrf/internal/sbi/api_accesstoken.go` reflects over `models.NrfAccessTokenAccessTokenReq`, special-cases only plain `string` and `NrfNfManagementNfType` fields, and …
free5GC's NEF 3gpp-pfd-management PATCH applications/{appId} panics on UDR access failure due to nil ProblemDetails dereference
free5GC's NEF `PATCH /3gpp-pfd-management/v1/{afId}/transactions/{transId}/applications/{appId}` handler panics with a nil-pointer dereference when the upstream UDR call fails AND the consumer wrapper returns `err != nil` together with a nil `*ProblemDetails`. The handler's `errPfdData !…
free5GC's SMF UPI POST /upi/v1/upNodesLinks exits the SMF process on overlapping UE pools (unauthenticated, reachable Fatalf)
free5GC's SMF mounts the `UPI` management route group without inbound OAuth2 middleware (same root cause as free5gc/free5gc#887). The `POST /upi/v1/upNodesLinks` create-or-update handler accepts attacker-controlled JSON and passes it directly into `UpNodesFromConfiguration()`, which call…
free5GC's NEF crashes via logger.Fatal on PFD notification delivery failure (attacker-controlled notifyUri)
free5GC's NEF terminates the entire process when a stored PFD-subscription `notifyUri` cannot be reached. In `PfdChangeNotifier.FlushNotifications()`, the notifier calls `NnefPFDmanagementNotify(…)` and on any delivery error invokes `logger.PFDManageLog.Fatal(err)`, which is `os.Exit(1…
free5GC's PCF npcf-smpolicycontrol POST /sm-policies panics on downstream UDR/OpenAPI 404 via nil pointer dereference
free5GC's PCF `POST /npcf-smpolicycontrol/v1/sm-policies` handler (`HandleCreateSmPolicyRequest`) panics with a nil-pointer dereference when a downstream OpenAPI consumer call (UDR lookup) returns `404 Not Found` and the consumer wrapper returns `err != nil` together with a nil response …
banks has Critical Remote Code Execution (RCE) via Jinja2 SSTI
`banks <= 2.4.1` uses `jinja2.Environment()` (unsandboxed) to render prompt templates. Applications that pass user-supplied strings as the template argument to `Prompt()` are vulnerable to Server-Side Template Injection (SSTI), which can lead to Remote Code Execution (RCE) on the host sy…
fast-uri vulnerable to host confusion via percent-encoded authority delimiters
`fast-uri` v3.1.1 and earlier decodes percent-encoded authority delimiters (`%40` as `@`, `%3A` as `:`) inside the host component and serializes them back as raw characters. This changes the URI structure, turning a hostname into userinfo plus a different host.
For example, `http://trus…
bitcoinj has a ScriptExecution P2PKH/P2WPKH Verification Bypass
`ScriptExecution.correctlySpends()` contains two fast-path verification bugs for standard `P2PKH` and native `P2WPKH` spends in `core/src/main/java/org/bitcoinj/script/ScriptExecution.java`.
In both branches, bitcoinj verifies an attacker-controlled signature/public-key pair but fails t…
fast-uri vulnerable to path traversal via percent-encoded dot segments
`fast-uri` v3.1.0 and earlier decodes percent-encoded path separators (`%2F`) and dot segments (`%2E`) before applying dot-segment removal in `normalize()` and `equal()`. This makes encoded path data behave like real `/` and `..`, so distinct URIs collapse onto the same normalized path.
…
@fastify/accepts-serializer Vulnerable to Denial of Service via Unbounded Accept Header Cache Growth
`@fastify/accepts-serializer` cached serializer-selection results keyed by the request `Accept` header without a size limit or eviction policy. A remote unauthenticated client could send many distinct but matching `Accept` header variants to make the cache grow unbounded. Under sustained…
ZITADEL has LDAP Filter Injection in Login Flow
A vulnerability was discovered in Zitadel's LDAP identity provider implementation, which fails to properly escape user-provided usernames before incorporating them into LDAP search filters. This allows unauthenticated attackers to perform LDAP Filter Injection during the login process.
…
CVE-2026-44498
CVE-2026-41584
CVE-2024-46508
CVE-2026-39836
vm2 Sandbox Access to Host Buffer.alloc Allows timeout Bypass Resulting in Memory Exhaustion
Sandboxed code can call `Buffer.alloc()` with an arbitrary size to allocate memory directly on the host heap. Because `Buffer.alloc` is a synchronous C++ native call, vm2's `timeout` option cannot interrupt it. A single request can exhaust host memory and crash the process with a `FATAL …
CVE-2026-41640
Talos Linux has a local privilege escalation from untrusted workloads
A vulnerability in the Linux kernel's algif_aead subsystem (CVE-2026-31431, "copy.fail") allows an unprivileged container workload to corrupt arbitrary file page-cache pages via the AF_ALG crypto interface and splice(). On Talos Linux, this vulnerability can be chained into a complete n…
rust-zserio has Unbounded Memory Allocation
When deserializing arrays, strings or bytes (blob) types zserio first reads the size of the variable, and then allocates sufficient memory to load data. Since the size is always trusted this can be abused by creating a data file with a large size value, causing the zserio runtime to allo…
Gotenberg has an unauthenticated denial of service via echo.Context pool reuse in webhook async goroutine
The webhook middleware spawns a goroutine that holds a reference to the request's `echo.Context` after the synchronous handler returns `ErrAsyncProcess` and Echo recycles the context back to its `sync.Pool`. When a concurrent request claims the recycled context, `c.Reset()` clears the st…
Netty: HttpContentDecompressor maxAllocation bypass when Content-Encoding set to br/zstd/snappy leads to decompression bomb DoS
`HttpContentDecompressor` accepts a `maxAllocation` parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via `ZlibDecoder`, but is silently ignored when the content encoding is `br` (Brotli), …
Netty Lz4FrameDecoder is vulnerable to resource exhaustion
Lz4FrameDecoder allocates a ByteBuf of size `decompressedLength` (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus `compressedLength` payload bytes – 22 bytes if `compressedLength == 1` – to force that allocation.
### Details
io.netty.handler.codec.compres…
Netty HTTP/3 QPACK literal unbounded allocation
When Netty decodes HTTP/3 headers, it sometimes runs `new byte[length]` using a length from the wire before checking that many bytes are really there. A small malicious header can claim a huge length (on the order of a gigabyte).
### Details
When decoding header blocks, the non-Huffman …
Netty has a DNS Codec Input Validation Bypass (Encoder + Decoder)
## 1. Vulnerability Summary
| Field | Value |
|——-|——-|
| **Product** | Netty |
| **Version** | 4.2.12.Final (and all prior versions with codec-dns) |
| **Component** | `io.netty.handler.codec.d…
Netty epoll transport denial of service via RST on half-closed TCP connection
Netty's epoll transport fails to detect and close TCP connections that receive a RST after being half-closed, leading to stale channels that are never cleaned up and, in some code paths, a 100% CPU busy-loop in the event loop thread.
## Affected versions
All versions of 4.2.x `netty-tr…
Nerdbank.MessagePack: Attacker-controlled stackalloc in DateTime decoding causes process-terminating StackOverflowException
Nerdbank.MessagePack contains an uncontrolled stack allocation vulnerability in DateTime decoding. A malicious MessagePack payload can declare an oversized timestamp extension length, causing the reader to allocate an attacker-controlled number of bytes on the stack. This can trigger a …
python-multipart has Denial of Service via unbounded multipart part headers
`python-multipart` has a denial of service vulnerability in multipart part header parsing. When parsing `multipart/form-data`, `MultipartParser` previously had no limit on the number of part headers or the size of an individual part header. An attacker could send a request with either m…
Granian vulnerable to unauthenticated DoS via WebSocket subprotocol header panic
Granian aborts a worker process when an unauthenticated client sends a WebSocket upgrade request whose `Sec-WebSocket-Protocol` header contains non-ASCII bytes.
The crash happens in Granian's WebSocket scope construction path, before the ASGI application is invoked.
This is a single-r…
Snappier has an infinite loop during SnappyStream decompression with malformed framed input
`Snappier.SnappyStream` enters an uncatchable infinite loop when decompressing a malformed framed-format Snappy stream as small as 15 bytes.
### Details
The hang manifests as a userspace busy loop with SnappyStreamDecompressor.Decompress repeatedly calling Crc32CAlgorithm.Append. The ex…
Micronaut has unbounded `formattersCache` in `TimeConverterRegistrar` that Allows Memory Exhaustion via `Accept-Language` Header
`TimeConverterRegistrar` caches `DateTimeFormatter` instances in an unbounded `ConcurrentHashMap<String, DateTimeFormatter>` whose key is derived from the `@Format` annotation pattern concatenated with the locale from the HTTP `Accept-Language` header. Because `Locale.forLanguageTag()` a…
basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering
`basic-ftp` is vulnerable to client-side denial of service when parsing FTP control-channel multiline responses.
A malicious or compromised FTP server can send an unterminated multiline response during the initial FTP banner phase, before authentication. The client keeps appending attac…
CVE-2026-7948
CVE-2026-7897
Nokogiri CSS selector tokenizer has regular expression backtracking
Nokogiri's CSS selector tokenizer contains regular expressions whose construction may result in exponential regex backtracking on adversarial selectors. Three ReDoS vectors are addressed in this release:
1. String-literal tokenization on certain unterminated quoted-string input.
2. Stri…
CVE-2026-23870
CVE-2026-43226
net/rds: No shortcut out of RDS_CONN_ERROR
RDS connections carry a state "rds_conn_path::cp_state"
and transitions from one state to another and are conditional
upon an expected state: "rds_conn_path_transition."
There is one exc…
CVE-2026-43164
udplite: Fix null-ptr-deref in __udp_enqueue_schedule_skb().
syzbot reported null-ptr-deref of udp_sk(sk)->udp_prod_queue. [0]
Since the cited commit, udp_lib_init_sock() can fail, as can
udp_init_sock() and udpv6_init_sock().
L…
CVE-2026-43101
ipv6: ioam: fix potential NULL dereferences in __ioam6_fill_trace_data()
We need to check __in6_dev_get() for possible NULL value, as
suggested by Yiming Qian.
Also add skb_dst_dev_rcu() instead of skb_dst_dev(),
and two missing …
CVE-2026-43099
ipv4: icmp: fix null-ptr-deref in icmp_build_probe()
ipv6_stub->ipv6_dev_find() may return ERR_PTR(-EAFNOSUPPORT) when the
IPv6 stack is not active (CONFIG_IPV6=m and not loaded), and passing
this error pointer to dev_hold() will …
Mongoose's Improper Sanitization of $nor in sanitizeFilter May Allow NoSQL Injection
This vulnerability allows bypassing Mongoose’s sanitizeFilter query sanitization mechanism via the `$nor` operator.
When sanitizeFilter is enabled, Mongoose wraps query operators in `$eq` to neutralize them. However, prior to the fix, `$nor` was not included in the set of logical oper…
changedetection.io has an Arbitrary Local File Read via a crafted backup restore
The vulnerability is caused by trusting attacker-controlled snapshot paths restored from backup files.
The vulnerable flow starts in the backup restore logic. When a backup ZIP is restored, the application extracts the archive and copies each restored watch UUID directory directly into …
Twisted has a Denial of Service (DoS) in twisted.names via Crafted DNS Compression Pointer Chains
The twisted.names module is vulnerable to a Denial of Service (DoS) attack via resource exhaustion during DNS name decompression. A remote, unauthenticated attacker can exploit this by sending a crafted TCP DNS packet containing deeply chained compression pointers. This flaw bypasses pr…
GoBGP has a panic in AdjRib.Update via malformed BGP Update message (Nil Pointer Dereference)
Remote Denial of Service (DoS) via Nil Pointer Dereference in BGP Update Processing
An unauthenticated remote BGP peer can trigger a fatal panic in GoBGP by sending a specially crafted BGP UPDATE message. When the server receives a message with inconsistent attribute lengths, it improper…
ssrfcheck: SSRF Bypass Caused by Failure to Classify Reserved IP Address Space as Invalid
`ssrfcheck` is an npm package that serves to provide protection from SSRF by validating URLs or hostname inputs.
Resources:
* Project's GitHub code repository: https://github.com/felippe-regazio/ssrfcheck
* Pr…
CVE-2026-40280
CVE-2026-32934
pgjdbc: Unbounded PBKDF2 iterations in SCRAM authentication allows CPU exhaustion DoS
pgjdbc is vulnerable to a client-side denial of service during SCRAM-SHA-256 authentication.
### Impact
A malicious server can instruct the driver to perform SCRAM authentication with a very large iteration count.
With a large enough value, the client spends an unbounded amount of CPU ti…
Prometheus: Remote read endpoint allows denial of service via crafted snappy payload
The remote read endpoint (`/api/v1/read`) does not validate the declared decoded length in a snappy-compressed request body before allocating memory.
An unauthenticated attacker can send a small payload that causes a huge heap allocation per request. Under concurrent load this can exhaus…
Prometheus Azure AD remote write OAuth client secret exposed via config API
Users who use Azure AD remote write with OAuth authentication are impacted.
The `client_secret` field in the Azure AD remote write OAuth configuration (`storage/remote/azuread`) was typed as `string` instead of `Secret`. Prometheus redacts fields of type `Secret` when serving the config…
CVE-2026-30923
CVE-2026-7776
CVE-2026-7768
CVE-2026-42236
CVE-2026-42226
CVE-2026-42151
Apache OpenNLP AbstractModelReader has an OOM Denial of Service via Unbounded Array Allocation
Versions Affected:
Before 2.5.9
Before 3.0.0-M3
Description:
The AbstractModelReader methods getOutcomes(), getOutcomePatterns(), and getPredicates() each read a 32-bit signed integer count field f…
OpenMRS ModuleResourcesServlet has Path Traversal that Leads to Arbitrary File Read
version ≤ 2.7.8 (latest version at time of disclosure)
https://github.com/openmrs/openmrs-core
## Impact
The `/openmrs/moduleResources/{moduleid}` endpoint in OpenMRS Core is vulnerable to a path traversal attack. The `ModuleResourcesServlet` does not properly validate use…
CVE-2026-37461
CVE-2026-34354
CVE-2026-42264
CVE-2026-40213
ech0's acess tokens with expiry=never cannot be revoked: logout panics, delete does not blacklist JTI
Access tokens created with the "never expire" option have no `exp` JWT claim. Three independent revocation mechanisms fail for this token type. Logout at `internal/handler/auth/auth.go:154` and `:163` dereferences `claims.ExpiresAt.Time`, panicking on the nil field so the token never hit…
katalyst-koi: Session cookies can be replayed after user logout
Admin session cookies were not invalidated when an admin user logged out. An attacker with access to a valid admin session cookie could continue to access admin functionality after logout, until the cookie expired or session secrets were rotated.
This affects applications using Koi admi…
wger: CSV/TSV formula injection in gym member export (first_name/last_name)
The gym member TSV export endpoint in wger writes `first_name` and `last_name` profile fields verbatim to TSV cells with no formula-prefix sanitization. Any gym member (including newly self-registered users) can pre-load a spreadsheet formula into their own profile. When a gym admin lat…
Axios: Prototype Pollution Gadgets – Response Tampering, Data Exfiltration, and Request Hijacking
When `Object.prototype` has been polluted by any co-dependency with keys that axios reads without a `hasOwnProperty` guard, an attacker can (a) silently intercept and modify every JSON response before the application sees it, or (b) fully hijack the underlying HTTP transport, gaining acc…
Axios: Header Injection via Prototype Pollution
A prototype pollution gadget exists in the Axios HTTP adapter (lib/adapters/http.js) that allows an attacker to inject arbitrary HTTP headers into outgoing requests. The vulnerability exploits duck-type checking of the data payload, where if Object.prototype is polluted with getHeaders,…
Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking
Five config properties in the HTTP adapter are read via direct property access without `hasOwnProperty` guards, making them exploitable as prototype pollution gadgets. When `Object.prototype` is polluted by another dependency in the same process, axios silently picks up these polluted va…
smallbitvec: Integer overflow in safe API leads to heap buffer overflow
An integer overflow in the internal capacity calculation of `smallbitvec` can lead to an undersized heap allocation, resulting in a heap buffer overflow through safe APIs only. This allows memory corruption without requiring `unsafe` code from the caller.
### Details
The issue originate…
free5GC's NEF nnef-callback route group is unauthenticated; forged callback requests are accepted into the processing path
free5GC's NEF mounts the `nnef-callback` route group without inbound OAuth2/bearer-token authorization. A forged or arbitrary bearer token (e.g. `Authorization: Bearer not-a-real-token`) is enough to reach the SMF-callback handler — the callback body is parsed and dispatched into NEF bu…
Open WebUI Vulnerable to Arbitrary File Upload and Path Traversal
# KL-CAN-2024-002
## Vulnerability Details
| # | Field | Value |
|—|——-|——-|
| 1 | **Discoverer** | Jaggar Henry & Sean Segreti of KoreLogic, Inc. |
| 2 | **Date Submitted** | 2024.03.12 |
| 3 | **Title** | Open WebUI Arbitrary File Upload + Path Traversal |
| 5 | **A…
Open WebUI has Improper Authorization Control
# Vulnerability Disclosure Analysis Documentation
—
## Vulnerability Details
| # | Field | Value |
|—|——-|——-|
| 1 | **Discoverer** | Taylor Pennington of KoreLogic, Inc. |
| 2 | **Date Submitted** | June 11, 2024 |
| 3 | **Title** | Open WebUI Improper Authorizati…
Open WebUI has stored XSS in Excel file preview
Excel file attachments are previewed in an unsafe way. A crafted XLSX file payload can be used to cause the [sheetjs](https://git.sheetjs.com/sheetjs/sheetjs) function [sheet_to_html](https://git.sheetjs.com/sheetjs/sheetjs/src/commit/66cf8d2117d271f89e4f47b5fed35a3e1ea93f67/bits/79_html…
open-webui Vulnerable to Stored XSS via Model Description
> Relationship to CVE-2024-7990
> CVE-2024-7990 (issued by huntr.dev, March 2025) describes a stored XSS in the same field — the model description — but exploits a different bypass mechanism: a second-order injection through the sanitizeResponseContent function's video-tag place…
CVE-2025-55449
Netty has HttpClientCodec response desynchronization
If HttpClientCodec is configured, there are use cases when a response body from one request, can be parsed as another's.
### Details
HttpClientCodec pairs each inbound response with an outbound request by `queue.poll()` once per response, including for `1xx`. If the client pipelines GE…
YAFNET has Stored XSS in Forum Thread Posts/Replies that Allows Arbitrary JavaScript Execution for All Thread Viewers
Stored Cross-Site Scripting (XSS) occurs when user-supplied input is persisted by the application and later rendered in another user's browser without proper sanitization or contextual output encoding. When the vulnerable sink is a high-traffic surface such as a public forum thread,…
Apache Thrift vulnerable to Path Traversal, HTTP Request/Response Splitting, Uncontrolled Resource Consumption
This issue affects Apache Thrift:…
Apache Thrift has an Improper Validation of Certificate with Host Mismatch Vulnerability
This issue affects Apache Thrift: before 0.23.0.
Users are recommended to upgrade to version [0.23.0](https://github.com/apache/thrift/releases/tag/v0.23.0), which fixes the issue.
CVE-2026-7810
Amazon ECS Container Agent (Windows) is vulnerable to Information Disclosure
[Amazon Elastic Container Service (Amazon ECS)](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/Welcome.html) is a fully managed container orchestration service that enables customers to deploy, manage, and scale containerized applications. An issue exists where, under certai…
CVE-2026-39383
Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0
This report documents an **incomplete security patch** for the previously disclosed vulnerability **GHSA-3p68-rc4w-qgx5 (CVE-2025-62718)**, which affects the `NO_PROXY` hostname resolution logic in the Axios HTTP library.
**Background — The Original Vulnerability**
The or…
Open WebUI's responses passthrough endpoint lacks access control authorization
The /responses endpoint in the OpenAI router accepts any authenticated user and forwards requests directly to upstream LLM providers without enforcing per-model access control. While the primary chat completion endpoint (generate_chat_completion) checks model ownership, group membership,…
Microsoft APM CLI's plugin.json component paths escape plugin root and copy arbitrary host files during install
Microsoft APM normalizes marketplace plugins by copying plugin components referenced in `plugin.json` into `.apm/`. The manifest fields `agents`, `skills`, `commands`, and `hooks` are attacker-controlled, but the implementation does not enforce that those paths remain inside the plugin d…
CVE-2026-44243
GitPython reference APIs has a path traversal vulnerability that allows arbitrary file write and delete outside the repository
A vulnerability in **GitPython** allows **attackers who can supply a crafted reference path to an application using GitPython** to **write, overwrite, move, or delete files outside the repository’s `.git` directory** via **insufficient validation of reference paths in reference cr…
Auth.js SDK has Improper Permission Checking
Under specific preconditions, the Auth0.js SDK may improperly return user profile information using a valid access token when a specifically crafted invalid ID token is provided.
### Am I Affected?
Users are affected if they meet each of the following preconditions:
– Applications b…
CVE-2026-43062
Bluetooth: L2CAP: Fix type confusion in l2cap_ecred_reconf_rsp()
l2cap_ecred_reconf_rsp() casts the incoming data to struct
l2cap_ecred_conn_rsp (the ECRED *connection* response, 8 bytes with
result at offset 6) instead of struct …
Apache Atlas has a Code Injection Vulnerability
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Atlas.
Apache Atlas exposes a DSL search endpoint that accepts user-supplied query strings. Attacker can alter Gremlin traversal logic within grammar-allowed characters to access unintended data.
##…
GitPython: Newline injection in config_writer() section parameter bypasses CVE-2026-42215 patch, enabling RCE via core.hooksPath
The patch for CVE-2026-42215 (GitPython 3.1.49) validates newlines only in the value parameter of set_value(). The section and option parameters are passed to configparser without any newline validation. An attacker who controls the section argument can inject \n to write arbitrary section …
CVE-2026-34596
awslabs/tough is Missing Delegated Metadata Validation
Missing expiration, hash, and length enforcement in delegated metadata validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users with delegated signing authority to bypass TUF specification integrity checks for delegated targets metadata and poison the local meta…
awslabs/tough Delegated Roles have a Signature Threshold Bypass
Improper verification of cryptographic signature uniqueness in delegated role validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users to bypass the TUF signature threshold requirement by duplicating a valid signature, causing the client to accept forged delegat…
@yoda.digital/gitlab-mcp-server's SSE transport has no authentication and wildcard CORS, exposing all 86 GitLab tools
A review of `mcp-gitlab-server` at commit `80a7b4cf3fba6b55389c0ef491a48190f7c8996a` uncovered that the SSE HTTP transport — advertised in the README and comparison table as a d…
Zebra has Permanent Block Discovery Halt via Gossip Queue Saturation and Syncer Poisoning
A composite denial-of-service vulnerability in Zebra's block discovery pipeline allows an unauthenticated remote attacker to permanently halt all new block discovery on a targeted node. The attack exploits three independent weaknesses in the gossip, syncer, and download subsystems — al…
n8n-mcp webhook and API client paths has an authenticated SSRF
Authenticated Server-Side Request Forgery affecting the webhook trigger tools, the n8n API client (`N8N_API_URL`), and per-request URLs supplied via the `x-n8n-url` header in multi-tenant HTTP mode.
### Impact
A caller with access to the MCP session can drive HTTP requests from the n8…
gmaps-mcp's unauthenticated HTTP transport allows unlimited Google Maps API calls at operator expense
The `gmaps-mcp` codebase was reviewed at commit `e671db68c804c9e67d51582d3280839ffa65f127` and three issues worth flagging were discovered — one high-severity, one medium, one structural. There were no pr…
fast-xml-builder allows attribute values with unwanted quotes to bypass malicious or unwanted attributes
When an input data has quotes in attribute values but process entities is not enabled, it breaks the attribute value into multiple attributes. This gives the room for an attacker to insert unwanted attributes to the XML/HTML.
## Detail
Malicious Input
“`
{
a: {
"@_attr": '…
mcp-ssh-tool has file transfer path policy bypass and bearer token comparison hardening
`mcp-ssh-tool` has released version `2.1.1` with security hardening for transfer path authorization and HTTP bearer authentication.
The release addresses:
– insufficient local path policy enforcement in transfer-related filesystem handling
– incomplete canonicalization and segment-boun…
Note Mark: Arbitrary File Write via Path Traversal in Asset Names Leads to Remote Code Execution
The Note Mark application allows authenticated users to upload assets to notes via `POST /api/notes/{noteID}/assets`, where the asset filename is provided through the `X-Name` HTTP request header. This value is stored directly in the database without any sanitization or validation -…
Cinny vulnerable to access token disclosure via invalidated emoji pack avatar URL in service worker
A remote authenticated attacker who shares a room with a victim and has permissions to create room emotes (for example in a DM) can cause the victim's client to send their Matrix access token to an attacker-controlled server. This occurs when the victim opens the emoji or sticker picker f…
hickory-proto: NSEC3 closest-encloser proof validation enters unbounded loop on cross-zone responses
Free5GC UDM has Improper Input Validation and Generation of Error Messages Containing Sensitive Information
The free5GC UDM component fails to validate the `supi` path parameter in six GET handlers of the `nudm-sdm` (Subscriber Data Management) service. An unauthenticated attacker can inject control characters into the SUPI parameter, causing UDM to forward a malformed request to UDR and retur…
Aegra has cross-user run injection in /threads/{thread_id}/runs (IDOR)
Aegra deployments running 0.9.0 through 0.9.6 with multiple authenticated users on a shared instance are vulnerable to a cross-tenant IDOR. Any authenticated user (User A), given another user's `thread_id` (User B), can:
– Execute graph runs against User B's thread via `POST /threads/{th…
Kiota abstractions RedirectHandler leaks Cookie/Proxy-Authorization headers on cross-host redirect
The RedirectHandler middleware in microsoft/kiota-java (com.microsoft.kiota:microsoft-kiota-http-okHttp v1.9.0) and other Kiota libraries fails to strip sensitive HTTP headers when following 3xx redirects to a different host or scheme.
This vulnerability is present in the RedirectHandl…
ldap3_proto has LDAP Filter stack exhaustion
LDAP queries are not validated for depth, which can cause the parser (both PEG and ASN) to exhaust the stack. This *may* cause a denial of service in applications that process queries.
### Workarounds
N/A
### Resources
Related to GHSA-r5fr-9gmv-jggh
scim_proton and kanidm_proto have an authenticated process abort via SCIM filter stack exhaustion
A single unauthenticated `GET` to any `/scim/v1/…` endpoint with a `?filter=` query string of a few thousand nested parentheses (≈ 4–12 KB) drives the recursive-descent PEG parser past the worker thread's stack guard page. Rust responds to stack overflow with `std::process::abort(…
Keras vulnerable to DoS via Malicious .keras Model (HDF5 Shape Bomb Causes Petabyte Allocation in KerasFileEditor)
Keras’s model loader (KerasFileEditor) unsafely loads user-supplied .keras model files containing HDF5-based weight files without performing any validation on HDF5 dataset metadata. An attacker can craft a .keras archive containing a valid model.weights.h5 file whose dataset declares a…
Daptin fuzzy search injects unvalidated column name into raw SQL
`processFuzzySearch` in `server/resource/resource_findallpaginated.go:1484` splits the user-supplied `column` parameter by comma and interpolates each segment directly into `goqu.L(fmt.Sprintf("LOWER(%s) LIKE ?", prefix+col))` raw SQL with no column whitelist check. The entry point is `G…
PraisonAI has an SSRF bypass
The URL checking logic in PraisonAI has a logical flaw that could be bypassed by attackers, leading to SSRF attacks.
### Details
The current PraisonAI project uses _validate_url to validate the input URL. The main logic is to perform security checks on the host portion of the URL extrac…
Mako vulnerable to path traversal via backslash URI on Windows in TemplateLookup
On Windows, a URI using backslash traversal (e.g. `\..\..\ secret.txt`) bypasses the directory traversal check in `Template.__init__` and the `posixpath`-based normalization in `TemplateLookup.get_template()`, allowing reads of files outside the configured template directory.
## Detail…
JupyterLab's command linker attributes in HTML enable one-click command execution from untrusted content
Mezo: ERC-20 bridgeOut burn can be erased by a stale StateDB overwrite leading to full L1 bridge drain
### Impact
Potential full drain of L1 bridge without changing bridged balance on Mezo.
## Brief/Intro
A malicious user can steal all ERC-20 tokens locked in the L1 bridge by repeatedly calling the `bridgeOut` pr…
dssrf: every IPv6 category bypasses is_url_safe
“`rust
Input Category
http://[::1]/…
QuantumNous/new-api has an SSRF Filter Bypass via 0.0.0.0
### Summary
The SSRF protection introduced in v0.9.0.5 (CVE-2025-59146) and hardened in v0.9.6 (CVE-2025-62155) does not block the unspecified address `0.0.0.0`. A regular (non-admin) user holding any valid API token can send a multimodal request to `/v1/chat/co…
Duplicate Advisory: Mistune has a ReDoS in LINK_TITLE_RE that allows denial of service via crafted Markdown input
This advisory has been withdrawn because it is a duplicate of GHSA-8mp2-v27r-99xp. This link is maintained to preserve external references.
### Original Description
### Summary
**Denial-of-Service (DoS)** vulnerability in the Mistune Markdown parser. The issue occurs when pr…
Mistune has a ReDoS in LINK_TITLE_RE that allows denial of service via crafted Markdown input
A ReDoS (Regular Expression Denial of Service) vulnerability in `LINK_TITLE_RE` allows an attacker who can supply Markdown for parsing to cause denial of service. A crafted 58-byte Markdown document blocks the parser for approximately 6 seconds (measured on Apple M2, Python 3.14.3), wit…
jdbi3-freemarker Vulnerable to Improper Neutralization of Special Elements Used in FreeMarker Template Engine
**Description**
An Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) vulnerability in Jdbi allows arbitrary command execution when an application using `jdbi3-freemarker` permits attacker-influenced text to reach `FreemarkerEngine.parse()` as template sourc…
authd: Primary group ID is incorrectly set to value of UID
It affects users whose primary group ID (i.e. the GID in the user record) differs from their UID. There are two ways which can lead to this:
1. The user was created with au…
rust-openssl has undefined behavior in X509Ref::ocsp_responders for certificates with non-UTF-8 OCSP URLs
RustFS: ListServiceAccount authorizes against wrong admin action, enabling cross-user enumeration and root service account takeover
`ListServiceAccount` (`GET /rustfs/admin/v3/list-service-accounts?user=<other>`) authorizes cross-user requests against `UpdateServiceAccountAdminAction` instead of `ListServiceAccountsAdminAction` at `rustfs/src/admin/handlers/service_account.rs:936`. The handler accepts the **wrong** a…
link-preview-js vulnerable to IPv6 and internal loopback attacks
The library did not check for IPv6 loopback attacks. There was also a DNS attack, where an address could be resolved into an internal IP. This could cause internal data leaks.
### Patches
Problem has been patched in version 4.0.1. However, it cannot be completely solved by the package al…
gix and gitoxide: unvalidated submodule name traverses out of .git/modules and redirects state() / open() to another repository
attachments:
[pocs.zip](https://github.com/user-attachments/files/26431422/pocs.zip)
Submodule names coming from `.gitmodules` are exposed as unvalidated names and are later reused to derive the submodule git directory as:
“`
<superproject common_dir>/modules/<submodule name>
“`
…
gix and gitoxide's symlinked .gitmodules are followed and parsed from outside of the repository
attachments:
[pocs.zip](https://github.com/user-attachments/files/26431422/pocs.zip)
When `Repository::submodules()` loads submodule metadata, it prefers the worktree `.gitmodules` file if that path exists. In the current implementation, the path is read with `std::fs::read()`, which fo…
gix-pack has multiple DoS vectors: unchecked indexing panics and uncapped OOM allocations from crafted pack data
Multiple denial-of-service vectors in `gix-pack`: unchecked array indexing causes panics on crafted delta data, and uncapped attacker-controlled size headers enable OOM process kills. Both are triggered by malicious pack data received during clone/fetch.
### Details
**Bug 1: Unchecked…
gix's submodule name validation bypass + trust inheritance flaw enables path traversal and credential disclosure
Submodule name validation bypass plus missing validation in production code paths allows path traversal via crafted `.gitmodules`. Combined with a trust inheritance flaw in `Submodule::open()`, this enables reading arbitrary git repository configs (including credentials) from traversed …
Diesel's SQLite backend has possible UTF-8 corruption
Network-AI missing authentication on MCP HTTP endpoint, which allows unauthenticated privileged tool calls
| Field | Value |
|—|—|
| Project | `Jovancoding/Network-AI` |
| Repository | https://github.com/Jovancoding/Network-AI |
| Affected commit | `c344f2053eb0d49395988f803bf92f2a86b2a0d0` |
| Affected tes…
net-imap vulnerable to STARTTLS stripping via invalid response timing
A man-in-the-middle attacker can cause `Net::IMAP#starttls` to return "successfully", without starting TLS.
### Details
When using `Net::IMAP#starttls` to upgrade a plaintext connection to use TLS, a man-in-the-middle attacker can inject a tagged `OK` response with an easily predictab…
Axios: unbounded recursion in toFormData causes DoS via deeply nested request data
toFormData recursively walks nested objects with no depth limit, so a deeply nested value passed as request data crashes the Node.js process with a RangeError.
### Details
lib/helpers/toFormData.js:210 defines an inner `build(value, path)` that recurses into every object/array child (li…
Volcano's webhook server vulnerable to OOM due to unbounded HTTP request body size
The Volcano webhook server does not enforce a size limit on incoming HTTP request bodies. Any in-cluster pod that can reach the webhook endpoint may send an arbitrarily large request body, potentially causing the webhook server to be killed by OOM. All Volcano deployments with the webhook…
CVE-2026-42194
Netty Redis Codec Encoder has a CRLF Injection Issue
## 1. Vulnerability Summary
| Field | Value |
|——-|——-|
| **Product** | Netty |
| **Version** | 4.2.12.Final (and all prior versions with codec-redis) |
| **Component** | `io.netty.handler.codec.redis.RedisEncoder…
Lemur: LDAP Authentication Globally Disables TLS Certificate Verification When LDAP_USE_TLS Is Enabled
### Overview
When LDAP TLS is enabled (`LDAP_USE_TLS = True`), Lemur's LDAP authentication module unconditionally disables TLS certificate verification at the **global** `ldap` module level. This allows a man-in-the-middle attacker positioned between Lemur and the LDAP server to int…
wireshark-mcp vulnerable to arbitrary file write via export_objects when WIRESHARK_MCP_ALLOWED_DIRS is not configured
### Impact
`wireshark-mcp` exposes a `wireshark_export_objects` MCP tool that accepts an attacker-controlled `dest_dir` parameter and passes it to tshark's `–export-objects` flag with **no mandatory path restriction**.
The path sandbox (`_allowed_dirs`) is `None` by default and on…
gix-transport: HTTP credentials leaked to redirected host in curl backend
The curl-based HTTP transport in `gix-transport` sends user credentials (passwords, tokens) to an attacker-controlled server after an HTTP redirect. When a server responds with a 302 redirect during the initial `GET /info/refs`, gitoxide records the redirected base URL and rewrites all s…
Axios: no_proxy bypass via IP alias allows SSRF
The shouldBypassProxy() function does pure string matching — it does not
resolve IP aliases or loopback…
view_component: Preview Route Can Dispatch Inherited Helper Methods
The preview route derives an example name from the URL and calls it with `public_send`. The code does not verify that the requested method is one of the preview examples explicitly defined by the preview class.
As a result, inherited public methods on `ViewComponent::Preview` are route…
free5GC's UDR nudr-dr DELETE amf-subscriptions panics on missing UE state via nil interface type assertion (single authenticated request)
free5GC's UDR `nudr-dr` `DELETE /subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions` handler panics on a single authenticated request against a fresh UDR instance when the supplied `ueId` does not exist in `UESubsCollection`. The processor checks `value,…
free5GC's BSF concurrent PUT /nbsf-management/v1/subscriptions/{subId} crashes the BSF process via concurrent map read/write on Subscriptions
free5GC's BSF `PUT /nbsf-management/v1/subscriptions/{subId}` handler has an unsynchronized write on the global `Subscriptions` map. The handler first reads the map under `RLock()` via `BSFContext.GetSubscription(subId)`, but if the subscription does not exist, `ReplaceIndividualSubcript…
free5GC's PCF npcf-policyauthorization POST /app-sessions panics on suppFeat=1 with missing AfRoutReq via nil pointer dereference
free5GC's PCF `POST /npcf-policyauthorization/v1/app-sessions` handler panics on a single authenticated request whose `ascReqData.suppFeat == "1"` (enabling traffic-routing feature negotiation) and whose `medComponents` entries supply an `afAppId` but NO `AfRoutReq`. The create path then…
OpenTelemetry.Exporter.Instana bypasses TLS certificate validation when a proxy is configured
The `OpenTelemetry.Exporter.Instana` NuGet package does not validate HTTPS/TLS certificates are valid when sending telemetry to a configured Instana back-end when a proxy is configured using the `INSTANA_ENDPOINT_PROXY` environment variable.
If a network attacker can Man-in-the-Middle …
Wagtail has improper permission handling when copying pages
A CMS user with limited access to pages could copy a page they don't have access to to an area of the site they do. Once copied, they'd be able to view its contents, and potentially publish it. Permissions were correctly checked for the copy destination, but not for the source page.
###…
Wagtail has improper permission handling when deleting form submissions
A CMS user with limited access to form pages could delete submissions to form pages they don't have access to by crafting a form submission to delete submissions on a page they do have access to for submissions they don't.
The vulnerability is not exploitable by an ordinary site visito…
Wagtail has improper permission handling when comparing revisions
A CMS user without the ability to edit a page could access revisions of the page through the revision compare view if they knew the primary key of two revisions. This could potentially result in disclosure of sensitive information.
### Patches
Patched versions have been released as Wag…
Open WebUI has Unauthorized File and Knowledge Base Content Access via RAG Vector Search
## Affected Component
RAG source resolution in chat completion pipeline:
– `backend/open_webui/retrieval/utils.py` (lines 963-965, 1063-1068, 1126-1131 in `get_sources_from_items`)
## Affected Versions
Current main branc…
Open WebUI's Model Import Overwrites Any Model Without Ownership Check
## Affected Component
Model import endpoint:
– `backend/open_webui/routers/models.py` (lines 254-308, `import_models`)
## Affected Versions
Current main branch (commit `6fdd19bf1`) and likely all versions with model import functionality…
Electerm's full process.env exposed to renderer via window.pre.env
The `getConstants()` IPC handler in `src/app/lib/ipc-sync.js` serialises the entire `process.env` object and sends it to the renderer. The data is stored as `window.pre.env` and is accessible from any JavaScript running in the renderer (e.g., via the DevTools console or a compromised web…
CVE-2026-41585
Ech0 allows PUT /api/echo/like/:id unauthenticated: anonymous callers to modify any echo's fav_count
`PUT /api/echo/like/:id` at `internal/router/echo.go:12` is registered on `PublicRouterGroup` with no authentication and no rate limit. Anonymous callers increment the `fav_count` counter on any echo (including private echoes) by UUID, repeat the request without deduplication, and trigge…
CVE-2026-33589
vm2 Host Promise Resolution Preserves Object Identity Across Sandbox Boundary
A sandbox boundary violation in **vm2** allows host object identity to cross into the sandbox through host Promise resolution.
When a host-side Promise that resolves to a host object is exposed to the sandbox, the value delivered to the sandbox `.then()` callback preserves host identit…
ShellHub has cross-tenant IDOR in `GET /api/namespaces/:tenant` via API Key bypasses membership check
`GET /api/namespaces/:tenant` returns the full namespace object — including the members list (user IDs, e-mails, roles), settings, and device counts — to any caller authenticated by an **API Key**, for any tenant, regardless of the API Key's own tenant scope.
The handler conditionall…
Daptin's Session Management Vulnerability Leads to Insufficient Session Expiration After Password Change
A session invalidation vulnerability exists in daptin's authentication system where JSON Web Tokens (JWTs) remain fully valid after a user changes their password. The JWT validation middleware (`CheckJWT`) only verifies token signature, expiry, issuer, and signing algorithm — it does …
Kubetail has a Cross-Site WebSocket Hijacking issue that allows attacker to read Kubernetes logs from authenticated users
Kubetail's dashboard exposes WebSocket endpoints that did not adequately validate the Origin header on connection upgrade. A malicious web page visited by a user with an active Kubetail session could open a WebSocket to the user's dashboard and read their Kubernetes logs in real time. T…
Netty vulnerable to HTTP Request Smuggling due to malformed Transfer-Encoding
Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks.
### Details
Netty incorrectly marks a request as chunked when malformed "Transfer-Encoding: chunked, identity" is present.
According to RFC https://datatracker.ietf.org/doc/html/rfc9112#name-messag…
Netty vulnerable to HTTP Request Smuggling due to incorrect chunk size parsing
Netty's chunk size parser silently overflows int, enabling request smuggling attacks.
### Details
io.netty.handler.codec.http.HttpObjectDecoder#getChunkSize silently overflows int.
The size is accumulated as follows:
result *= 16;
result += digit;
The result is checked only for negat…
Hono: bodyLimit() can be bypassed for chunked / unknown-length requests
`bodyLimit()` does not reliably enforce `maxSize` for requests without a usable `Content-Length` (e.g. `Transfer-Encoding: chunked`). Oversized requests can reach handlers and return `200` instead of `413`.
## Details
For chunked / unknown-length requests, `bodyLimit()` wraps the body …
ShellHub has cross-tenant IDOR in `GET /api/sessions/:uid` that discloses SSH session data
`GET /api/sessions/:uid` returns the full session object for any authenticated caller, without scoping by the caller's tenant. An authenticated user can read session records (SSH username, device UID, remote IP, terminal type, authenticated flag, timestamps) belonging to any other namespa…
ShellHub has cross-tenant IDOR in `GET /api/devices/:uid` that discloses device data of any namespace
`GET /api/devices/:uid` returns the full device object whenever the caller is authenticated, without verifying that the device belongs to the caller's namespace (tenant). Any authenticated user (JWT or API Key) who knows or can guess a device UID can read device metadata from any other na…
vLLM: extract_hidden_states speculative decoding crashes server on any request with penalty parameters
The `extract_hidden_states` speculative decoding proposer in vLLM returns a tensor with an incorrect shape after the first decode step, causing a `RuntimeError` that crashes the EngineCore process. The crash is triggered when any request in the batch uses sampling penalty parameters (`r…
CVE-2026-40197
Nginx-UI Settings API Exposes Protected Secrets
The `GetSettings` API handler (`api/settings/settings.go:24-65`) serializes all settings structs to JSON and returns them to authenticated users. Many sensitive fields are tagged with `protected:"true"` – however, this tag is only enforced during writes (via `ProtectedFill` in `SaveSetti…
vLLM Vulnerable to Remote DoS via Special-Token Placeholders
This report explains a Token Injection vulnerability in vLLM’s multimodal processing. Unauthenticated, text-only prompts that spell special tokens are interpreted as control. Image and video placeholder sequences supplied without matching data cause vLLM to index into empty grids during…
PyLoad Vulnerable to Path Traversal via Package Folder Name
## Affected Component
– `src/pyload/core/api/__init__.py`
– Function: `add_package()`
## Description
Package folder names are sanitized using insufficient string replacement:
“`python
…
Nginx-UI: Authenticated settings disclosure exposes node.secret and enables trusted-node authentication abuse, backup exfiltration, and restore-based nginx-ui state rollback
An authenticated user can call `GET /api/settings` and retrieve sensitive configuration values, including `node.secret`. The same `node.secret` is accepted by `AuthRequired()` through the `X-Node-Secret` header (or `node_secret` query parameter), causing the request to be treated as authe…
CVE-2026-32603
requests-hardened is Vulnerable to Server-Side Request Forgery
CVE-2026-30246
OpenClaw contains a symlink traversal vulnerability
Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver`
## Summary
The Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any `Object.prototype` pollution in the application's dependency tree to be escalated into …
CVE-2026-42223
CVE-2026-42220
CVE-2026-42228
CVE-2026-42092
CVE-2026-42091
kube-router: GoBGP gRPC Admin Port Exposed on Node Primary IP Without Authentication, Allowing Cluster-Wide BGP Route Injection
When the kube-router routing controller starts (`–run-router`), it binds the GoBGP gRPC management server to the node's primary IP (e.g., `192.168.1.10:50051`) in addition to `127.0.0.1:50051`. The default admin port is `50051` and the server is enabled by default with no TLS and no aut…
go-ipld-prime's DAG-CBOR and DAG-JSON decoders have unbounded recursion depth
@evomap/evolver has an unbounded request body in proxy /asset/submit that causes persistent disk-exhaustion DoS
The EvoMap proxy daemon's HTTP body parser accepts requests of any size, and the `POST /asset/submit` route persists the full request body — verbatim and uncapped — as a JSONL line in `<dataDir>/messages.jsonl`. An unauthenticated local attacker (other local user, container neighbor,…
LobeHub has a Cross-Site Scripting issue that escalates to Remote Code Execution
The vulnerability was automatically discovered by an ai agent and then manually verified.
LobeChat's message rendering mechanism has a stored cross-site scripting (XSS) vulnerability. Combined with the Electron main process's exposed insecure IPC interface, attackers can construct malic…
Mistune Heading ID Attribute has Injection XSS
`HTMLRenderer.heading()` builds the opening `<hN>` tag by string-concatenating the `id` attribute value directly into the HTML — with no call to `escape()`, `safe_entity()`, or any other sanitisation function. A double-quote character `"` in the `id` value terminates the attribute, allo…
Mistune Math Plugin has an XSS Escape Bypass
The mistune math plugin renders inline math (`$…$`) and block math (`$$…$$`) by concatenating the raw user-supplied content directly into the HTML output **without any HTML escaping**. This occurs even when the parser is explicitly created with `escape=True`, which is supposed to guar…
fast-xml-builder Comment Value regex can be bypassed
The fix for https://github.com/advisories/GHSA-gh4j-gqv2-49f6 in fast-xml-parser sanitizes `–` sequences in XML comment content using .replace(/–/g, '- -'). This skip the values containing three consecutive dashes (e.g., —>…), allowing an attacker to break out of an XML comment and i…
Devise has an Open Redirect via Unvalidated `request.referrer` in Timeoutable Session Timeout Handler
When the `Timeoutable` module is enabled in Devise, the `FailureApp#redirect_url` method returns `request.referrer` — the HTTP `Referer` header, which is attacker-controllable — without validation for any non-GET request that results in a session timeout. An attacker who hosts a page…
Free5GC AMF Bypasses UE Security Capabilities on NGAP PathSwitchRequest
The AMF in Free5GC v4.2.1 does not verify the UE Security Capabilities received in NGAP PathSwitchRequest messages against its locally stored values, as mandated by 3GPP TS 33.501 §6.7.3.1. A malicious gNB can overwrite the AMF's stored UE security capabilities with arbitrary values, wh…
Kanidm: Stored HTML injection in "passkey-enrolment" partial via displayname → htmx-driven authenticated request forgery
The kanidmd web UI renders the WebAuthn passkey-registration challenge as raw JSON inside an inline `<script id="data">` element using the Askama `|safe` filter. The challenge embeds the account's `displayname`, which `serde_json` serialises without escaping `<`/`>`. A `displayname` con…
Kyverno policy-reporter-ui has XSS via Stored Property Values in PropertyCard Component
Vue 3's v-html directive is the framework-documented mechanism for injecting raw HTML, and it intentionally disables the auto-escaping that {{ }} interpolation provides. The PropertyCard.vue component uses v-html for the else branch of the URL check, meaning any non-URL string value flow…
CVE-2026-42230
OpenClaw's Webhooks SecretRef route secret remains valid after rotation/reload
OpenClaw webhooks allowed route secrets to be backed by `SecretRef` values, but cached the resolved secret for a route. After an operator rotated the underlying secret and ran `openclaw secrets reload`, the previous resolved webhook secret could remain valid until the plugin or gateway r…
SharpCompress has directory traversal via directory entries in WriteToDirectory (zip slip variant)
A path traversal vulnerability in `IArchive.WriteToDirectory()` allows a malicious archive to create directories outside the intended extraction root. For TAR archives, this can be escalated to arbitrary file writes by chaining with a symlink entry, giving a full write primitive on the …
view_component: System Test Entry Point Path Check Allows Sibling Directory Escape
The system test entrypoint canonicalizes a user-controlled file path with `File.realpath`, then checks whether the resolved path starts with the temp directory path. This is not a safe containment check because sibling directories can share the same string prefix.
Severity: Medium; tes…
Gotenberg allows Chromium URL conversion routes to read arbitrary files under /tmp via file:// scheme
The `/forms/chromium/convert/url` and `/forms/chromium/screenshot/url` routes accept `url=file:///tmp/…` from anonymous callers. The default Chromium deny-list intentionally exempts `file:///tmp/` so HTML/Markdown routes can load their own request-local assets, and those routes apply a…
axonflow-sdk-java: Webhook signing-key (HMAC-SHA256) not exposed by SDK type, preventing signature verification
The AxonFlow SDK's `WebhookSubscription` (or equivalent) type did not expose the HMAC-SHA256 signing key returned by the platform's `CreateWebhook` endpoint. Without access to the secret through the typed SDK API, callers had no path to verify the `X-AxonFlow-Signature` header on incomin…
axonflow-sdk-typescript: Webhook signing-key (HMAC-SHA256) not exposed by SDK type, preventing signature verification
The AxonFlow SDK's `WebhookSubscription` (or equivalent) type did not expose the HMAC-SHA256 signing key returned by the platform's `CreateWebhook` endpoint. Without access to the secret through the typed SDK API, callers had no path to verify the `X-AxonFlow-Signature` header on incomin…
axonflow-sdk-go: Webhook signing-key (HMAC-SHA256) not exposed by SDK type, preventing signature verification
The AxonFlow SDK's `WebhookSubscription` (or equivalent) type did not expose the HMAC-SHA256 signing key returned by the platform's `CreateWebhook` endpoint. Without access to the secret through the typed SDK API, callers had no path to verify the `X-AxonFlow-Signature` header on incomin…
axonflow-sdk-python: Webhook signing-key (HMAC-SHA256) not exposed by SDK type, preventing signature verification
The AxonFlow SDK's `WebhookSubscription` (or equivalent) type did not expose the HMAC-SHA256 signing key returned by the platform's `CreateWebhook` endpoint. Without access to the secret through the typed SDK API, callers had no path to verify the `X-AxonFlow-Signature` header on incomin…
Granian vulnerable to DoS via WSGI response header panic
Granian aborts a worker process if a WSGI application returns an invalid HTTP response header name or value. The WSGI response conversion path uses `.unwrap()` on both the header name and header value constructors, so malformed output from the application becomes a process abort instead…
OpAMP client reads unbounded HTTP response bodies
When receiving responses from the OpAMP server over HTTP, the OpAMP client allocates an unbounded buffer to read all bytes from the server, with no upper-bound on the number of bytes consumed.
This could cause memory exhaustion in the consuming application if the configured OpAMP serve…
eventsource-encoder vulnerable to SSE event injection via unsanitized `event` and `id` fields
`eventsource-encoder` does not sanitize the `event` or `id` fields of an `EventSourceMessage` before serializing them. An attacker who controls either field can inject arbitrary Server-Sent Events line terminators (`\n`, `\r`, or `\r\n`) and thereby forge additional SSE fields or entire…
vm2 is Vulnerable to Host File Path Disclosure via Stack Trace Information Leak
vm2's `CallSite` wrapper class (intended as a safe wrapper for V8's native CallSite) blocks `getThis()` and `getFunction()` to prevent host object leakage, but allows `getFileName()` to return unsanitized host absolute paths. Any sandboxed code can extract the full directory structure, l…
CSS Parser: Improper Certificate Validation allows MITM injection of remote CSS content
The CSS Parser gem does not validate HTTPS connections, allowing a Man-in-the-Middle (MITM) attacker to inject or modify CSS content when stylesheets are loaded via HTTPS. The connection is established with `OpenSSL::SSL::VERIFY_NONE`, meaning any HTTPS certificate—even entirely untru…
Netty HTTP/1.0 TE+CL Coexistence Bypasses Smuggling Sanitization
| Field | Value |
|———–|——-|
| Library | `io.netty:netty-codec-http` |
| Component | `codec-http` — `HttpObjectDecoder` |
| Severity | **HIGH** |
| Affects | HEAD, commit `4f3533ae` confirmed |
—
## Summary…
docling-graph has SSRF via Missing Internal IP Validation in URLInputHandler
The `URLInputHandler` class in `docling_graph/core/input/handlers.py` makes HTTP requests to user-supplied URLs without validating whether the target resolves to a private, loopback, or link-local IP address. The `URLValidator` only checks for a valid scheme and non-empty `netloc`, perfo…
BentoML has Information Disclosure in `bentoml build` via symlink traversal in the build context
BentoML's `bentoml build` packaging workflow follows attacker-controlled symlinks inside the build context and copies the referenced file contents into the generated Bento artifact.
If a victim builds an untrusted repository or other attacker-supplied build context, the attacker can pla…
CVE-2026-40004
Vercel: Non-interactive mode includes CLI arguments in suggested command output
When the Vercel CLI runs in non-interactive mode (`–non-interactive` or auto-detected AI agent), commands that cannot complete autonomously emit JSON payloads with suggested follow-up commands. If the user authenticated via `–token` or `-t` on the command line, the token value is includ…
@axonflow/openclaw fix introduces plugin cache and credential-file permission hardening
Two related permission defects in this AxonFlow plugin allowed registration credentials and cache state to be readable by other local users on hosts where the calling user's home directory was at the conventional `0755` mode.
## Affected versions
Versions 1.3.2 and below.
## Impact
1…
CVE-2026-43277
APEI/GHES: ensure that won't go past CPER allocated record
The logic at ghes_new() prevents allocating too large records, by
checking if they're bigger than GHES_ESTATUS_MAX_SIZE (currently, 64KB).
Yet, the allocation is done with…
CVE-2026-43271
md-cluster: fix NULL pointer dereference in process_metadata_update
The function process_metadata_update() blindly dereferences the 'thread'
pointer (acquired via rcu_dereference_protected) within the wait_event()
macro.
While th…
CVE-2026-43266
EFI/CPER: don't go past the ARM processor CPER record buffer
There's a logic inside GHES/CPER to detect if the section_length
is too small, but it doesn't detect if it is too big.
Currently, if the firmware receives an ARM proces…
CVE-2026-43265
KVM: x86: Ignore -EBUSY when checking nested events from vcpu_block()
Ignore -EBUSY when checking nested events after exiting a blocking state
while L2 is active, as exiting to userspace will generate a spurious
userspace exit, us…
CVE-2026-43264
fbdev: of: display_timing: fix refcount leak in of_get_display_timings()
of_parse_phandle() returns a device_node with refcount incremented,
which is stored in 'entry' and then copied to 'native_mode'. When the
error paths at line…
CVE-2026-42192
Open WebUI: Deactivated Channel Members Retain Full Access to Group/DM Channels
## Affected Component
Channel membership authorization check:
– `backend/open_webui/models/channels.py` (lines 663-673, `is_user_channel_member`)
– Used at 15 locations in `backend/open_webui/routers/channels.py`
## Affected Ve…
Read-Only Open WebUI Users Can Modify Collaborative Documents via Socket.IO
## Affected Component
Socket.IO collaborative document editing handler:
– `backend/open_webui/socket/main.py` (lines 667-721, `ydoc:document:update` handler)
## Affected Versions
Current main branch and likely all versions with c…
Open WebUI's Ollama Model Access Control Bypass via /api/generate, /api/embed, /api/embeddings, and /api/show
## Affected Component
Ollama proxy endpoints missing model access control:
– `backend/open_webui/routers/ollama.py` (lines 955-995, `generate_completion`)
– `backend/open_webui/routers/ollama.py` (li…
Open WebUI's Channel Access Grants Bypass filter_allowed_access_grants
## Affected Component
Channel creation and update endpoints:
– `backend/open_webui/routers/channels.py` (lines 291-340, `create_new_channel`)
– `backend/open_webui/routers/channels.py` (lines 617-638, `update_channel_by_id`)
– `backend/op…
gitsign –verify panics on empty-certificate PKCS7 and exits 0, bypassing exit-code callers
`CertVerifier.Verify()` in `pkg/git/verifier.go` unconditionally dereferences `certs[0]` after `sd.GetCertificates()` without checking the slice length. A CMS/PKCS7 signed message with an empty certificate set is a structurally valid DER payload; `GetCertificates()` returns an empty slic…
FileBrowser Vulnerable to Stored XSS via SVG File in Public Share (Missing CSP Header)
FileBrowser Quantum serves inline SVG files without a `Content-Security-Policy` header, allowing embedded JavaScript in SVG files to execute when accessed via public share links.
Verified on v1.3.0-stable.
## Affected product
– **Product:** FileBrowser Quantum (`gtsteffaniak/filebrows…
ShellHub has crash-DoS via field injection in filter and sort-by parameters
The device list endpoint accepts user-controlled identifiers in two places that are passed directly as BSON/SQL keys in the database layer without validation:
1. The `name` field of each filter property in the base64-encoded `filter`
query parameter.
2. The `sort_by` query param…
wger: trainer_login open redirect – ?next= parameter not validated against host
The `trainer_login` view in wger redirects to `request.GET['next']` directly via `HttpResponseRedirect()` without calling `url_has_allowed_host_and_scheme()`. After the trainer successfully enters impersonation mode, their browser is redirected to any attacker-controlled URL supplied in…
Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion
## Summary
The Axios library's XSRF token protection logic uses JavaScript truthy/falsy semantics instead of strict boolean comparison for the `withXSRFToken` config prope…
CVE-2026-1677
Vert.x has a DoS via unbounded server-side SNI SslContext cache growth
On affected versions, matching server-side SNI names are cached via `computeIfAbsent(serverName, …)` in a serverName-keyed `SslContext` cache, and I could not find…
Hono's Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage
Cache Middleware does not skip caching for responses that declare per-user variance via `Vary: Authorization` or `Vary: Cookie`. As a result, a response cached for one authenticated user may be served to subsequent requests from different users.
### Details
The Cache Middleware skips …
gitsign verify accepts signatures over go-git-normalized bytes, enabling trust confusion on malformed commits
`gitsign verify` and `gitsign verify-tag` re-encode commit/tag objects through go-git's `EncodeWithoutSignature` before checking the signature, instead of verifying against the raw git object bytes. For malformed objects with duplicate `tree` headers, git-core and go-git parse different …
Wagtail has improper restriction handling on Documents and Images API
The Documents and Images [API](https://docs.wagtail.org/en/stable/advanced_topics/api/index.html) incorrectly listed items in private collections. A user with access to the API could see the filename and name of documents and images in private collections.
### Patches
Patched versions …
CVE-2026-42190
vm2 has access to `VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL`
https://github.com/patriksimek/vm2/security/advisories/GHSA-wp5r-2gw5-m7q7 is not fully patched.
### Details
It is still possible to get access to `VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL`.
### PoC
“`js
const {VM} = require("vm2");
const vm = new VM();
console.log(vm.run…
CVE-2026-44500
CVE-2022-26523
CVE-2026-41645
Ech0's Unauthenticated Like Endpoint Enables Arbitrary Engagement Metric Inflation
**No authentication** is required to invoke **`PUT /api/echo/like/:id`**. The handler is registered on the **public** router group. The service increments **`fav_count`** for the given echo **without** checking identity, **without** a per-user limit, and **without** CSRF tokens. A remot…
Ech0 comment model's Email field returned on public /api/comments endpoints
The `Comment` model serializes its `Email` field through the public comment-listing API. `internal/model/comment/comment.go:33` uses `json:"email"`, while adjacent PII fields (`IPHash`, `UserAgent`) correctly use `json:"-"`. The public endpoints `GET /api/comments?echo_id=X` and `GET /ap…
Zebra Vulnerable to Allocation Amplification in Inbound Network Deserializers
## Summary
Several inbound deserialization paths in Zebra allocated buffers sized against generic transport or block-size ceilings before the tighter protocol or consensus limits were enforced. An unauthenticated or post-h…
Netty MQTT: Resource exhaustion in MqttDecoder
The MQTT 5 header Properties section is parsed and buffered _before_ any message size limit is applied.
Specifically, in `MqttDecoder`, the `decodeVariableHeader()` method is called before the `bytesRemainingBeforeVariableHeader > maxBytesInMessage` check. The `decodeVariableHeader()` ca…
vm2's Transformer Fast-Path Bypass Exposes Internal State Variable
vm2's code transformer has a performance optimization that skips AST analysis when the code does not contain `catch`, `import`, or `async` keywords. This fast-path bypass allows sandboxed code to directly access the internal `VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL` variable, …
Goteberg has arbitrary PDF read via stampExpression and watermarkExpression in merge, split, and convert routes
Six conversion routes (`pdfengines/merge`, `pdfengines/split`, `libreoffice/convert`, `chromium/convert/url`, `chromium/convert/html`, `chromium/convert/markdown`) accept `stampSource=pdf` + `stampExpression=/path` and `watermarkSource=pdf` + `watermarkExpression=/path` from anonymous ca…
Gotenberg's DNS rebinding bypasses SSRF validation on Chromium URL conversion routes
`FilterOutboundURL` resolves the hostname, checks the resolved IPs against the private-address deny-list, and returns only the error. It discards the resolved addresses. Chromium later performs its own DNS resolution when it navigates to the URL. An attacker who controls DNS for a hostna…
OpenSearch Security plugin: DLS not applied on documents linked by has_child or has_parent relation
A flaw was identified in the OpenSearch Security plugin's document-level security (DLS) implementation. DLS restrictions were not correctly applied to search queries that use has_parent or has_child join relations. This could allow an authenticated user to access document contents t…
Nitro has a proxy scope bypass via percent-encoded path traversal in `routeRules`
“`ts
routeRules: {
"/api/orders/**": { proxy: { to: "http://upstream/orders/**" } }
}
“`
is intended to limit the proxy to URLs under `/api/orders/`. Before the patch, an attacker could bypass that scope by sending percent-encoded path traversal (`..%2f`) in the URL, c…
Lemmy may expose private community data through community, saved, liked, and modlog API views
Lemmy applies private-community checks in `PostView` and `CommentView`, but several adjacent API views skip the accepted-follower filter. Bob, a registered user who is not an accepted follower, can read private community `sidebar` and `summary` fields. Alice, a former accepted follower, …
Private Lemmy instances expose multi-community metadata without authentication
`read_multi_community()` does not enforce the private-instance setting. On a private instance, an unauthenticated visitor can read multi-community names, titles, summaries, sidebars, owner identities, and member community lists.
## Details
Other read handlers load `local_site` and call…
Hatchet affected by cross-tenant information disclosure in `listTasksByDAGIds`
A missing authorization directive on the `GET /api/v1/stable/dags/tasks` endpoint caused Hatchet's tenant-membership check to be skipped for this route. A user authenticated to any tenant on the same Hatchet instance could query the endpoint with another tenant's UUID and a DAG UUID belo…
Nokogiri XSLT transform has a memory leak
Nokogiri's `Nokogiri::XSLT::Stylesheet#transform` leaks a small heap allocation when passed a Ruby string parameter containing a null byte.
For applications that pass attacker-controlled input through `XSLT.transform` parameters, this may be a vector for a denial of service attack again…
PyLoad vulnerable to unauthenticated traceback disclosure via global exception handler in WebUI
`pyload-ng` WebUI returns full Python traceback details to clients on unhandled exceptions.
Because `/web/<path:filename>` is reachable without authentication and renders attacker-controlled template names, an unauthenticated user can reliably trigger a server exception (for example by …
GraphQL-Ruby's Ruby lexer does not count comment tokens for the purposes of max_query_string_tokens
In patched versions, the Ruby lexer does count these tokens.
GraphQL-CParser is not affected by this…
CVE-2026-34527
OpenStack Horizon has Incorrect Behavior Order
Django has an Improper Handling of Length Parameter Inconsistency
As a reminder, Django expects a li…
Netty: Start-Line Injection in DefaultHttpRequest.setUri() Allows HTTP Request Smuggling and RTSP Request Injection
Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`.
The constructors reject CRLF and whitespace characters that would break the start-line, but `setUri()` does not apply…
ots has a negative expire override that can bypass its secret retention policy
The `/api/create` endpoint accepted negative `expire` query values. For the memory storage backend, negative values were passed to secret creation as a negative duration and treated as no expiry, allowing callers to create secrets that persisted longer than intended.
## Impact
Unauthen…
Apache Thrift has a Memory Allocation with Excessive Size Value Vulnerability
This issue affects Apache Thrift: before 0.23.0.
Users are recommended to upgrade to version [0.23.0](https://github.com/apache/thrift/releases/tag/v0.23.0), which fixes the issue.
Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream
The `FormDataPart` constructor in `lib/helpers/formDataToStream.js` interpolates `value.type` directly into the `Content-Type` header of each multipart part without sanitizing CRLF (`\r\n`) sequences. An attacker who controls the `.type` property of a Blob/File-like object (e.g., via a u…
Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0
For stream request bodies, maxBodyLength is bypassed when maxRedirects is set to 0 (native http/https transport path). Oversized streamed uploads are sent fully even when the caller sets strict body limits.
### Details
Relevant flow in lib/adapters/http.js:
– 556-564: maxBodyLength …
Axios: HTTP adapter streamed responses bypass maxContentLength
When responseType: 'stream' is used, Axios returns the response stream without enforcing maxContentLength. This bypasses configured response-size limits and allows unbounded downstream consumption.
### Details
In lib/adapters/http.js:
– 786-789: for responseType === 'stream', Axios i…
CVE-2026-41572
`potato-annotation` has a Project-Boundary Bypass
`validate_path_security` uses string-prefix containment (`startswith`) for boundary checks. This allows paths that are **outside** the intended project directory but share its prefix string (e.g., `/tmp/potato_proj_demo_evil/…` vs `/tmp/potato_proj_demo`) to be accepted.
## Details
###…
Open WebUI's Mass Assignment via Pydantic extra='allow' Allows Creating Folders in Other Users' Accounts
## Affected Component
Folder creation endpoint and form model:
– `backend/open_webui/models/folders.py` (lines 72-77, `FolderForm` with `extra='allow'`)
– `backend/open_webui/models/folders.py` (lines 95-…
ExternalSecrets vulnerable to privilege escalation with secret overwriting
### Impact
A user who only has permission to create ExternalSecret resources can cause the operator to create a Secret that Kubernetes will automatically populate…
Open WebUI has Stored XSS in Pending User Overlay via Incorrect DOMPurify Application Order
**CWE-79**: Cross-site Scripting (XSS)
The `AccountPending.svelte` component renders the admin-configured "Pending User Overlay Content" using `marked.parse()` inside `{@html}` with an incorrect DOMPurify application order:
### Vulnerable Code
**`src/lib/components/layou…
Ech0's RSS feed renders unescaped tag names and raw-HTML markdown, stored XSS against subscribers
The public RSS/Atom feed at `/rss` renders two attacker-controlled surfaces without HTML escaping. Tag names flow through `fmt.Appendf(renderedContent, "<br /><span class=\"tag\">#%s</span>", tag.Name)` at `internal/service/common/common.go:120`, and the Markdown renderer at `internal/ut…
CVE-2026-40243
Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy
## Summary
The Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any `Object.prototype` pollution to **silently suppress all HTTP error responses** (40…
utcp-http vulnerable to SSRF via attacker-controlled OpenAPI servers[0].url in HTTP communication protocol
The `utcp-http` plugin is vulnerable to a blind Server-Side Request Forgery (SSRF) caused by a trust-boundary inconsistency between manual discovery and tool invocation. `register_manual()` validates the discovery URL against an HTTPS / loopback allowlist, but `call_tool()` and `call_too…
hono/jsx has Unvalidated JSX Tag Names that May Allow HTML Injection
Improper handling of JSX element tag names in hono/jsx allowed unvalidated tag names to be directly inserted into the generated HTML output.
When untrusted input is used as a tag name via the programmatic `jsx()` or `createElement()` APIs during server-side rendering, specially crafted …
PPTAgent: Arbitrary File Write via `save_generated_slides`
> This vulnerability has been fixed in https://github.com/icip-cas/PPTAgent/commit/418491a9a1c02d9d93194b5973bb58df35cf9d00.
The `save_generated_slides` MCP tool accepts a pptx_path argument and writes the generated PPTX file to that path without any workspace restriction or path valida…
PPTAgent: Arbitrary File Write + Directory Creation via markdown_table_to_image
The `markdown_table_to_image` tool accepts a caller-controlled path parameter and passes it directly to `get_html_table_image`:
“`python
# pptagent/mcp_server.py:127-143
def markdown_table_to_image(markdown_table: str, path: str, css: str) -> str:
"""
Args:
path (str):…
CVE-2026-7572
XWiki PlantUML Macro Vulnerable to Server-Side Request Forgery (SSRF) via 'server' parameter
The [PlantUML Macro](https://extensions.xwiki.org/xwiki/bin/view/Extension/PlantUML+Macro) is vulnerable to Server-Side Request Forgery (SSRF). The macro allows users to specify an alternative PlantUML server via the `server` parameter. However, the application does not validate the supp…
CVE-2026-8194
Hono has CSS Declaration Injection via Style Object Values in JSX SSR
The JSX renderer escapes `style` attribute object values for HTML but not for CSS. Untrusted input in a `style` object value or property name can therefore inject additional CSS declarations into the rendered `style` attribute. The impact is limited to CSS and does not allow JavaScript …
free5GC's UDR nudr-dr DELETE amf-subscriptions panics on missing subsId when UE state exists (nil pointer dereference)
free5GC's UDR `nudr-dr` `DELETE /subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions` handler contains a nil-pointer dereference reachable from a single authenticated request, after one preparatory authenticated EE-subscription create. The handler checks …
Wagtail has improper permission handling when viewing page history
A CMS user without the ability to edit a page could still access the history report for the page, potentially resulting in disclosure of sensitive information.
### Patches
Patched versions have been released as Wagtail 7.0.7 and 7.3.2. The new 7.4 LTS feature release also incorporates t…
CVE-2026-42282
Open WebUI Missing Access Check on Channel Members Endpoint for Standard Channels
## Affected Component
Channel members listing endpoint:
– `backend/open_webui/routers/channels.py` (lines 445-507, `get_channel_members_by_id`)
## Affected Versions
Current main branch and likely all versions with the chann…
Open WebUI vulnerable to Global Knowledge Base Enumeration via knowledge-bases Meta-Collection
## Affected Component
Retrieval collection access validation:
– `backend/open_webui/routers/retrieval.py` (lines 2330-2355, `_validate_collection_access`)
– `backend/open_webui/routers/retrieval.py` (query endpoints, e.g. `POS…
Bunsink has an SSRF bypass in `validate_webhook_url`
Bugsink’s webhook URL validation in versions 2.1.2 and earlier could be (partially) bypassed because of a mismatch in URL parsing.
In some malformed URLs, Python’s standard URL parser (urllib) and the HTTP client stack (requests / urllib3) do not agree on which host is actually bei…
Weblate vulnerable to XSS via crafted Markdown
The Markdown renderer used in user comments and other user-provided content didn't properly sanitize some attributes.
### Patches
* https://github.com/WeblateOrg/weblate/pull/19259
### Workarounds
Even though the attacker might be able to inject code into the HTML, the Weblate's strict …
Weblate Vulnerable to Private Translation Enumeration via Screenshot API
The screenshots, tasks, and component link API allowed for the enumeration of translations in a project inaccessible to the user.
### Patches
* https://github.com/WeblateOrg/weblate/pull/19258
### Acknowledgement
Weblate thanks Luay for reporting this vulnerability according to the org…
Backstage: Catalog unprocessed read endpoints allow authenticated cross-owner data access without permission checks
The unprocessed entities read endpoints in `@backstage/plugin-catalog-backend-module-unprocessed` do not enforce permission authorization checks. Any authenticated user can access unprocessed entity records regardless of ownership. This is
an information disclosure vulnerability …
CVE-2026-7946
CVE-2026-7904
Kubewarden vulnerable to RBAC Reconnaissance via unchecked can_i host capability call
Kubewarden is a policy engine for Kubernetes. Kubewarden cluster operators can grant permissions to users to deploy namespaced AdmissionPolicies and AdmissionPolicyGroups in their Namespaces. One of Kubewarden promises is that configured users can deploy namespaced policies in a safe mann…
@workos/authkit-session has an Open Redirect via state-derived redirect target
The `state` parameter is round-tripped through the identity provider (IdP) and can be influenced by an attacker. The handleCal…
CVE-2026-7996
CVE-2026-7912
next-intl has prototype pollution with `experimental.messages.precompile` via attacker-controlled translation catalog keys
`setNestedProperty` in `packages/next-intl/src/extractor/utils.tsx` walks a dotted key path and assigns the final value without blocking the reserved keys `__proto__`, `constructor`, or `prototype`. When the next-intl Next.js plugin is configured with `experimental.messages` and `message…
in-toto-golang and in-toto-python have inconsistent negation behavior
_What kind of vulnerability is it? Who is impacted?_
in-toto-golang and in-toto-python both support glob patterns in artifact rules to indicate the artifacts that a rule applies to. Both support negations in character classes to indicate what should *not* be matched, but they used differ…
ciguard: SCA HTTP client reads response body without size cap
Both SCA HTTP clients (`src/ciguard/analyzer/sca/osv.py` and `src/ciguard/analyzer/sca/endoflife.py`) call `payload = json.loads(resp.read().decode('utf-8'))` without a maximum-bytes cap. A hostile or compromised endoflife.date / OSV.dev (or a successful TLS MITM) could return a multi-GB…
Mistune has XSS via unescaped figclass/figwidth in Figure directive
This allows attribute injection and XSS even when `HTMLRenderer(escape=True)` is used, because these values bypass the …
eml_parser has recursion DoS via nested message/rfc822 attachments
`EmlParser.get_raw_body_text()` recurses unconditionally for every nested `message/rfc822` attachment without any depth limit. An attacker who can supply a badly crafted EML file with approximately 120 nested `message/rfc822` parts triggers an unhandled `RecursionError` and aborts parsi…
@cyclonedx/cdxgen: Docker registry auth substring match forwards credentials to a different registry
## Repository
`cdxgen/cdxgen`
## Affected product/package
– Ecosystem: npm
– Package: `@cyclonedx/cdxgen`
– Reviewed tree version: `12.3.3`
– Reviewed commit: `b1e179869fd7c6032c3d483c3f7bd4d7154ec22b`
– Affected…
MCP Registry has an unauthenticated SSRF: HTTP namespace verification dials 6to4 / NAT64 / site-local IPv6 addresses, bypassing private-address allowlist
The Registry's HTTP-based namespace verification (`POST /v0/auth/http`, `POST /v0.1/auth/http`) uses `safeDialContext` (`internal/api/handlers/v0/auth/http.go:67-110`) to refuse dialling private/internal addresses when fetching the well-known public-key file from a publisher-supplied do…
MCP Registry vulnerable to stored XSS in catalogue UI via attribute-quote breakout in publisher-controlled `websiteUrl`
The public catalogue UI served at `GET /` (file `internal/api/handlers/v0/ui_index.html`) is vulnerable to stored cross-site scripting via the `server.websiteUrl` field of any published `server.json`. Server-side validation in `internal/validators/validators.go` (`validateWebsiteURL`) on…
MCP Registry has open redirect via protocol-relative path in trailing-slash middleware
The TrailingSlashMiddleware in internal/api/server.go is vulnerable to an open redirect attack. An attacker can craft a URL with a protocol-relative path (e.g., //evil.com/) that, after trailing slash removal, results in a Location header of //evil.com — which browsers interpret as an …
rust-openssl vulnerable to heap buffer overflow when encrypting with AES key-wrap-with-padding
gittuf's policy can be rolled back to prior valid versions
An attacker with push access to gittuf's Reference State Log (RSL) can roll back the current policy to any previous policy trusted by the current set of root keys.
## Impact
gittuf determines the policy to load by inspecting the RSL. Except for the very first policy (which is automatic…
imageproc: integer overflow in kernel size check leads to out-of-bounds read
Af…
imageproc: Out-of-bounds read via NaN coordinates in bilinear/bicubic sampling
imageproc has fragile bounds check when sampling from image
hickory-proto vulnerable to CPU exhaustion during message encoding due to O(n²) name compression
A malicious message with many records can both introduce many candidate l…
wasmtime has a panic when allocating a table exceeding the size of the host's address space
Wasmtime's allocation logic for a WebAssembly table contained checked arithmetic which panicked on overflow. This overflow is possible to trigger, and thus panic, when a table with an extremely large size is allocated. This is possible with the WebAssembly memory64 proposal where tables …
Spring Cloud AWS missing SNS message signature verification allows spoofing of HTTP/HTTPS endpoint notifications
Applications using Spring Cloud AWS SNS HTTP/HTTPS endpoint support (@NotificationMessageMapping, @NotificationSubscriptionMapping, @NotificationUnsubscribeConfirmationMapping) did not verify the signature of incoming SNS messages.
An unauthenticated attacker who knows the endpoint …
Lemmy resend-verification endpoint exposes registered email addresses to unauthenticated users
The unauthenticated resend-verification endpoint returns different responses for registered and unregistered email addresses. A malicious third party can submit candidate addresses to `/api/v4/account/auth/resend_verification_email` and distinguish accounts from misses.
## Details
`res…
Playwright Capture permits access to local files and internal network resources during page capture
Angular SSR has Open Redirect and Request Steering via Encoded X-Forwarded-Prefix
A vulnerability exists in the `X-Forwarded-Prefix` header processing logic within Angular SSR. The internal validation mechanism fails to properly account for URL-encoded characters, specifically dots (`%2e%2e`). This allows an attacker to bypass security filters by injecting encoded…
kanidmd_lib: Image upload validators run before authorization; PNG validator panics on malformed input
The `POST /v1/domain/_image` and `POST /v1/oauth2/{rs_name}/_image` handlers call `validate_image()` on the uploaded body **before** the ACL check that restricts image upload to admins. Any bug in an image validator is therefore reachable by an unauthenticated remote client rather than b…
Nitro has an Open Redirect via Protocol-Relative URL Bypass in Wildcard Route Rules
“`ts
routeRules: {
"/legacy/**": { redirect: "/**" }
}
“`
is intended to rewrite paths within the same host. Before the patch, an attacker could turn the rewrite into a cross-host redirect by sliding an extra slash in after the rule prefix. Example exploit:
“`
GET…
pyquorum: Timing side‑channel in mul_mod
The `mul_mod` function implements multiplication via a binary expansion loop whose execution time depends on the Hamming weight of the second operand (the exponent). An attacker who can measure the time of secret‑sharing operations (e.g., via a remote service) could progressively recove…
misp-modules has nsafe remote resource fetching in expansion
Hugo's Node tool execution allows file system access outside the project directory
When building a Hugo site that uses Node-based asset pipelines (PostCSS, Babel, TailwindCSS), Hugo invoked the configured Node tools without restrictions on file system access. As a result, executing hugo against an untrusted site could allow code running through these tools to read or wr…
astral-tokio-tar is Vulnerable to PAX Header Desynchronization
Versions of astral-tokio-tar prior to 0.6.1 contain a PAX header interpretation bug that allows manipulated entries to be made selectively visible or invisible during extraction with astral-tokio-tar versus other tar implementations. An attacker could use this differential to smuggle une…
Tauri has an Origin Confusion Issue that Allows Remote Pages to Invoke Local-Only IPC Commands
A flaw in Tauri's `is_local_url()` function causes it to incorrectly classify remote URLs as trusted local origins on Windows and Android. On these systems, Tauri maps custom URI scheme protocols to `http://<scheme>.localhost/` because those platforms' WebView implementations cannot serv…
sse-channel: SSE Injection via unsanitized event fields
Implementations that allows user-provided values to be passed to `event`, `retry` or `id` fields would be susceptible to event spoofing, where an attacker could inject arbitrary messages into the stream.
– **Event Spoofing:** Attacker can inject arbitrary SSE events into the stream
– **…
Prometheus vulnerable to stored XSS via crafted histogram bucket label values in the old web UI heatmap display
In the Prometheus server's legacy web UI (enabled via the command-line flag `–enable-feature=old-ui`), the histogram heatmap chart view does not escape `le` label values when inserting them into the HTML for use as axis tick mark labels.
An attacker who can inject crafted metrics (e.g.…
ip-address has XSS in Address6 HTML-emitting methods
`Address6.group()` and `Address6.link()` do not HTML-escape attacker-controlled content before embedding it in the HTML strings they return, and `AddressError.parseMessage` (emitted by the `Address6` constructor for invalid input) can contain unescaped attacker-controlled content in one…
PocketBase vulnerable to account pre-hijacking via OAuth2 unverfied->verified autolinking upgrade
In some situations, if an attacker knows the email address of the victim they can create and link an **unverified** PocketBase user in advance by authenticating with one of the OAuth2 ap…
Ethyca Fides has a Privacy Request Identity Verification Bypass Vulnerability via Duplicate Detection
Fides deployments that enable both subject identity verification and duplicate privacy request detection are affected by a vulnerability in which an administrator can approve a privacy request whose identity was never verified. For erasure policies, this can result in unauthorized delet…
Fiber vulnerable to XSS in AutoFormat Content Negotiation
**Description**
A Cross-Site Scripting (CWE-79) vulnerability in Go Fiber allows a remote attacker to inject arbitrary HTML/JavaScript by supplying `Accept: text/html` on any request whose handler passes attacker-influenced data to the AutoFormat() feature. This affects `github.com/gofi…
MinIO vulnerable to Path Traversal via msgpack Body in `ReadMultiple` Storage-REST Endpoint
_What kind of vulnerability is it? Who is impacted?_
A path traversal vulnerability in MinIO's `ReadMultiple` internode storage-REST
endpoint allows a caller holding the cluster root JWT to read files from
outside the configured drive roots, bounded only by the MinIO process UID.
Distr…
net-imap vulnerable to command Injection via "raw" arguments to multiple commands
Several `Net::IMAP` commands accept a raw string argument that is sent to the server without validation or escaping. If this string is derived from user-controlled input, it may contain contain `CRLF` sequences, which an attacker can use to inject arbitrary IMAP commands.
### Details
…
net-imap vulnerable to command Injection via unvalidated Symbol inputs
Symbol arguments to commands are vulnerable to a CRLF Injection / IMAP Command injection via Symbol arguments passed to IMAP commands.
### Details
Symbol arguments represent IMAP "system flags", which are formatted as "atoms" (with no quoting) with a `"\"` prefix. Vulnerable versions…
net-imap vulnerable to denial of service via high iteration count for `SCRAM-*` authentication
When authenticating a connection with `SCRAM-SHA1` or `SCRAM-SHA256`, a hostile server can perform a computational denial-of-service attack on the client process by sending a big iteration count value.
### Details
A hostile IMAP server can send an arbitrarily large PBKDF2 iteration co…
quarkus-openapi-generator has overly broad path-parameter matching that sends authentication headers to unintended operations
The generated authentication filter matches OpenAPI path templates too broadly when deciding whether to attach credentials. A security scheme configured for one operation can therefore be applied to a different same-method operation whose path only partially resembles the protected temp…
OpenClaw's Gateway Control UI bootstrap config required Gateway auth
Gateway Control UI bootstrap config required Gateway auth.
## Affected Packages / Versions
– Package: openclaw (npm)
– Affected versions: <= 2026.4.21
– Fixed version: 2026.4.22
## Impact
When Gateway authentication was enabled, the Control UI bootstrap config endpoint could still be re…
OpenClaw: OpenShell FS bridge reads pin and verify the opened file before returning bytes
OpenShell FS bridge reads pin and verify the opened file before returning bytes
## Affected Packages / Versions
– Package: openclaw (npm)
– Affected versions: <= 2026.4.21
– Fixed version: 2026.4.22
## Impact
A time-of-check/time-of-use race around OpenShell sandbox filesystem reads cou…
jOpenDocument has an improper restriction of XML external entity reference vulnerability
This issue affects jOpenDocument: 1.5.