Security Report
Splunk Enterprise Missing Authentication for Critical Function Vulnerability
Widget Factory Joomla Content Editor Improper Access Control Vulnerability
CoreWCF: Authentication bypass in CoreWCF SAML 1.1 / 2.0 token signature validation
Full impersonation of any principal the trusted STS could have issued an assertion for — including administrative principals when the relying party grants them via SAML claims. Affects both SAML 1.1 and SAML 2.0.
#### Preconditions
Relying-party service is hosted with WSFederationHttpB…
Crawl4AI: Unauthenticated RCE via Chromium launch-argument injection in browser_config.extra_args
The Docker API server accepted a request-supplied `browser_config.extra_args`, which flowed into Chromium's launch arguments. An attacker could inject Chromium switches that replace a child-process launch command (`--utility-cmd-prefix`, `--renderer-cmd-prefix`, `--gpu-launcher`, `--bro…
Duplicate Advisory: PickleScan's pkgutil.resolve_name has a universal blocklist bypass
This advisory has been withdrawn because it is a duplicate of GHSA-vvpj-8cmc-gx39. This link is maintained to preserve external references.
### Original Description
picklescan before 1.0.4 fails to block pkgutil.resolve_name, allowing attackers to bypass the entire blocklist …
Langflow: IDOR Vulnerability in `/api/v1/responses` Endpoint Allows Authenticated Attackers to Access Another User's Flow
Insecure Direct Object Reference (IDOR) vulnerability in `/api/v1/responses` endpoint allows an authenticated attacker to execute any flow belonging to another user by specifying the victim's flow ID in the request.
## Details
The vulnerability exists in the `get_flow_by_id_or_endpoint…
Network-AI: Improper Neutralization of Special Elements used in an OS Command
The agent sandbox gates shell commands behind an allowlist (`SandboxPolicy.isCommandAllowed`), which THREAT_MODEL.md calls the main control against a compromised agent (Adversary 3.2). The allowlist glob-matches the whole command string, but `ShellExecutor` runs that string through `/bin…
npm PraisonAI codeMode sandbox escape via Function constructor
The published npm package `praisonai` exports a TypeScript built-in tool named `codeMode`. The package describes this tool as executing code in a sandboxed environment, marks its capability as `sandbox: true`, and registers it through the public tools facade.
The implementation does not…
gemini-mcp-tool vulnerable to OS command injection and @file exfiltration via prompt quoting (CVE-2026-0755)
Fix (1.1.6): removed the broken shell:false doubl…
python-statemachine SCXML <data expr> Eval Injection
python-statemachine 3.1.2 evaluates `<data expr="…">` attributes in SCXML documents using Python's `eval()`. Any application that passes attacker-controlled SCXML content to `SCXMLProcessor` is vulnerable to arbitrary code execution in the context of the hosting process.
### Details
…
praisonai-platform: default JWT signing secret 'dev-secret-change-me' enables token forgery
**Researcher:** Kai Aizen — SnailSploit (@SnailSploit), Adversarial & Offensive Security Research
**Target:** https://github.com/MervinPraison/PraisonAI
---
**Package:** `praisonai-platform` on PyPI
**Latest version (and ve…
praisonai-platform 0.1.4 still boots on the hardcoded JWT secret dev-secret-change-me (default-open production guard)
- CWE: CWE-1188 (Insecure Default I…
npm PraisonAI MCPServer exposes unauthenticated HTTP tools/call
The published npm package `praisonai` exports a TypeScript `MCPServer` that can expose tools, resources, and prompts over an HTTP JSON-RPC transport with:
```ts
await server.start({ port: 3000 });
```
The HTTP transport has no authentication or authorization path. `MCPServerConfig` doe…
PraisonAI: Remote Code Execution via Sandbox Escape in `codeMode` Tool
The `codeMode` tool in `src/praisonai-ts/src/tools/builtins/code-mode.ts` uses `new Function()` with a `with(sandbox)` pattern to execute LLM-generated code. The blocklist-based "sandbox" can be trivially bypassed via `Function('return this')()` to recover the global object, followed by …
PraisonAI: Missing Authentication for Critical Function and Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in praisonai
## Summary
PraisonAI v4.6.48 exposes the PraisonAIUI MCP client management API through the default UI host apps without authentication. A remote unauthenticated client can send `POST /api/mcp/connect` with …
PraisonAI: AgentOS remains unauthenticated after incomplete fix version and allows remote agent invocation
## Summary
PraisonAI's `AgentOS` FastAPI deployment surface remains unauthenticated in
current main and in releases after the published patched version for
`GHSA-pm96-6xpr-978x` / `CVE-2026-40151`.…
PraisonAI AgentTeam.launch exposes unauthenticated remote agent listing and invocation endpoints
## Summary
PraisonAI's documented Python `AgentTeam.launch()` / `Agents.launch()` HTTP server starts externally reachable agent invocation endpoints without any authentication enforcement.
The current imple…
PraisonAI: Jobs API exposes agent-execution endpoints with no authentication
**Researcher:** Kai Aizen — SnailSploit (@SnailSploit), Adversarial & Offensive Security Research
**Target:** https://github.com/MervinPraison/PraisonAI
---
**Package:** `praisonai` on PyPI
**Affected version (empir…
praisonai: recipe serve auth middleware silently disables itself when no secret is set
**Researcher:** Kai Aizen — SnailSploit (@SnailSploit), Adversarial & Offensive Security Research
**Target:** https://github.com/MervinPraison/PraisonAI
---
**Package:** `praisonai` on PyPI
**Ve…
PraisonAI: Unauthenticated RCE via Jobs API + Approval Bypass
## Summary
An unauthenticated attacker can execute arbitrary OS commands on any server running
the PraisonAI Jobs API by submitting a crafted workflow YAML. The attack chains two
weaknesses: the `/api/v1/runs` …
PraisonAI: MCP SSE transport binds 0.0.0.0 with no authentication and no Origin validation; bundled SecurityConfig is never wired in
binds to 0.0.0.0 by default and builds its Starlette application with no authentication middleware
and no Origin-header validation. The module mcp/mcp_security.py provides exactly the needed controls
(…
Duplicate Advisory: picklescan missing detection by simple obfuscation of a `builtins.eval` call
This advisory has been withdrawn because it is a duplicate of GHSA-9m3x-qqw2-h32h. This link is maintained to preserve external references.
## Original Description
picklescan before 1.0.1 contains an unsafe deserialization vulnerability allowing unauthenticated users to exec…
Duplicate Advisory: PickleScan's profile.run blocklist mismatch allows exec() bypass
This advisory has been withdrawn because it is a duplicate of GHSA-7wx9-6375-f5wh. This link is maintained to preserve external references.
## Original Description
picklescan before 1.0.4 contains an incomplete blocklist for the profile module that fails to block the module-l…
Duplicate Advisory: Picklescan vulnerable to Arbitrary File Writing
This advisory has been withdrawn because it is a duplicate of GHSA-m273-6v24-x4m4. This link is maintained to preserve external references.
### Original Description
picklescan before 0.0.33 contains an arbitrary file writing vulnerability that allows attackers to bypass the d…
Duplicate Advisory: Picklescan has pickle parsing logic flaw that leads to malicious pickle file bypass
This advisory has been withdrawn because it is a duplicate of GHSA-9gvj-pp9x-gcfr. This link is maintained to preserve external references.
## Original Description
picklescan before 0.0.27 contains a parsing logic error in the _list_globals function when handling STACK_GLOB…
Duplicate Advisory: Picklescan does not block ctypes
This advisory has been withdrawn because it is a duplicate of GHSA-4675-36f9-wf6r. This link is maintained to preserve external references.
### Original Description
picklescan before 0.0.33 fails to block the ctypes module, allowing attackers to achieve remote code execution …
Apache DolphinScheduler: DataSource API Missing Authorization Check Leads to Arbitrary Data Source Metadata Disclosure
This issue affects Apache DolphinScheduler: before 3.4.2.
Users are recommended to upgrade to version 3.4.2, which fixes the issue.
Rclone: Unauthenticated command execution in `rclone rcd --rc-serve` via inline remote instantiation, bypassing CVE-2026-41179 fix
`rclone rcd --rc-serve` accepts unauthenticated `GET` and `HEAD` requests to paths of the form:
```text
/[remote:path]/object
```
The `remote` value is parsed from the URL and passed to normal backend initialization. Inline remote configuration can set backend options that execute loca…
OpenRemote Manager: removeAlarms cross-realm IDOR (bulk delete)
OpenRemote Manager is vulnerable to a cross-tenant Insecure Direct
Object Reference (IDOR) in the bulk alarm deletion endpoint. An
authenticated user in any realm can delete alarms belonging to other
realms (tenants) by supplying arbitrary alarm IDs. The vulnerability
exists because the …
Langflow: BaseFileComponent-based nodes arbitrary file read with RCE exploit
All components based on `BaseFileComponent` are affected by this vulnerability:
1. Docling (`DoclingInlineComponent`)
2. Docling Serve (`DoclingRemoteComponent`)
3. Read File (`FileComponent`)
4. NVIDIA Retriever Extraction (`NvidiaIngestComponent`)
5. Video File (`VideoFileCo…
Crawl4AI: Arbitrary file write (path traversal) in crawler downloads can lead to RCE
When the crawler saves a downloaded file, the destination filename was taken from attacker-influenced input and joined to the downloads directory with no confinement. A filename containing an absolute path (e.g. `/etc/cron.d/evil`) or `../` traversal escaped the downloads directory, giv…
netlicensing-mcp: REST Path Traversal Bypasses Token Redaction
### Summary
The `netlicensing_get_product` MCP tool in `netlicensing-mcp` interpolates a caller-controlled `product_number` argument directly into a REST URL path without any validation. Passing `../token` as the product number ca…
Avo: Missing Authorization in Avo Association Attach Endpoint Allows Unauthorized Relationship Manipulation and Privilege Escalation
A critical missing authorization flaw exists in Avo's association attach workflow. The UI and `GET /resources/:resource/:id/:related/new` path can check `attach_<association>?`, but the actual write endpoint, `POST /resources/:resource/:id/:related`, does not run the same authorization c…
npm PraisonAI AgentOS exposes unauthenticated agent listing and invocation
The published npm package `praisonai` ships a TypeScript `AgentOS` HTTP server that defaults to `host: "0.0.0.0"` and registers sensitive agent routes without any authentication or authorization middleware.
When a developer starts `AgentOS`, a network attacker who can reach the service …
Langflow: Unauthenticated file upload leads to DoS (space exhaustion) and information leak
Unauthenticated users can upload any amount of data to the server without any limitations. No need for any prior knowledge, only network access to Langflow.
This can lead to space exhaustion on the server.
In addition, in the response, the absolute path of the uploaded file is reported …
Network-AI: CVE-2026-46701 fix incomplete — empty default secret still authorizes all requests
# Network-AI — CVE-2026-46701 fix is incomplete: the "Empty Default Secret" unauth path survives
**Target:** Jovancoding/Network-AI (npm `network-ai`), **latest v5.7.1**
**Status:** the advisory ("Unauthenticated Cross-Origin MCP Tool Invocation via Empty
Default Secret"…
PraisonAI: Arbitrary File Read/Write via `multiedit` Tool Without Path Validation
The `multiedit` tool in `src/praisonai/praisonai/tools/multiedit.py` allows LLM-controlled arbitrary file read and write without any path validation, workspace boundary check, or protected path guard. This enables an attacker who can influence agent tool arguments (via crafted prompts, u…
Apache DolphinScheduler: The `/v2` experimental interface lacks permission checks
This issue affects Apache DolphinScheduler: before 3.4.2.
Users are recommended to upgrade to version 3.4.2, which fixes the issue.
Crossplane: Signature verification TOCTOU allows installing unverified package content via mutable tag
Crossplane allows package signature verification to be configured via the `ImageConfig` mechanism. When enabled, the package manager uses cosign to verify that packages are correctly signed before pulling and installing them.
When a package is installed using a tag reference (e.g., a se…
DotVVM: Missing authorization in AuthorizeActionFilter
All users of the `AuthorizeActionFilter` class are affected. The `AuthorizeActionFilter` simply does nothing, no “hacking” is needed to bypass the filter.
### Patches
DotVVM 4.3.15, 4.2.11 and 5.0.0-preview09 fix this.
### Workarounds
As a workaround, you can use the `AuthorizeAt…
Tilt: Missing authentication on the network-exposed Tilt HUD server
The Tilt HUD HTTP server exposes state-changing and sensitive-read endpoints with no authentication. When the HUD is bound to a non-loopback address, a network attacker can trigger the developer's pre-defined Tiltfile resources, tamper with Tiltfile arguments, read full engine state inclu…
@acastellon/auth: Authentication bypass via spoofable headers in validateToken()
The validateToken middleware contains a service-to-service bypass for auth-user: service-brother when req.get('host').startsWith(getHostName()).…
googleapis/mcp-toolbox: authentication bypass vulnerability in the generic opaque token validation path (validateOpaqueToken)
When verifying an unparsed opaque token via an OAuth 2.0 introspection endpoint (RFC 7662), the toolbox decodes the response into an introspectResp struct where…
googleapis/mcp-toolbox: authentication bypass vulnerability in the generic opaque token validation path (validateOpaqueToken)
When the toolbox validates an opaque token via an OAuth 2.0 introspection endpoint (RFC 7662), it decodes the response into an introspectResp struct. However, t…
Jupyter Server: Stored XSS in `NbconvertFileHandler` / `NbconvertPostHandler` via missing `sandbox` CSP
Combined with `nbconvert.HTMLExporter`'s default non-sanitizing behavior, a notebook carrying an HTML payload in a display_data …
HAPI FHIR: XXE in XsltUtilities.saxonTransform via unhardened Saxon TransformerFactory
`org.hl7.fhir.utilities.XsltUtilities` exposes two parallel families of XSLT
transform helpers. The `transform(…)` overloads obtain their
`TransformerFactory` from the project's hardened helper
`XMLUtil.newXXEProtectedTransformerFactory()` (which sets
`ACCESS_EXTERNAL_DTD=""` and `ACC…
Agentic-Flow: OS Command Injection in agentic-flow MCP server tools via unsanitized tool-parameter interpolation into execSync
`agentic-flow` versions `<= 2.0.13` MCP server tools interpolated attacker-influenceable tool parameters (e.g. `agent`, `task`, `name`, `language`, `agentdb` arguments) directly into shell command strings passed to `execSync()`. A malicious value reaching any of the affected MCP tools co…
CedarJava has policy injection vulnerability
CedarJava is an open source Java implementation of the Cedar policy language, used for fine-grained authorization decisions. Under certain circumstances, improper input handling could allow policy injection.
### Impact
**Cedar-expression injection via unescaped `toCedarExpr()`**
The …
CedarJava has type confusion vulnerability
CedarJava is an open source Java implementation of the Cedar policy language, used for fine-grained authorization decisions. Under certain circumstances, improper input handling could allow type confusion across the Java-Rust FFI boundary.
### Impact
**Record-to-Entity type confusion …
Duplicate Advisory: PraisonAI has Memory State Leakage and Path Traversal in MultiAgent Context Handling
This advisory has been withdrawn because it is a duplicate of GHSA-766v-q9x3-g744. This link is maintained to preserve external references.
## Original Description
PraisonAI before 1.5.115 contains a path traversal vulnerability in MultiAgentMonitor that fails to sanitize ag…
PraisonAI SandlockSandbox falls back to unrestricted subprocess execution when Landlock is unavailable
`praisonai.sandbox.SandlockSandbox` is documented and implemented as the kernel-enforced sandbox backend for untrusted code. Its `SandboxConfig.native()` path lets callers configure allowed filesystem paths and `network=False`.
On systems where the optional `sandlock` module imports but…
PraisonAI: Server-Side Request Forgery (SSRF) in SearxNG / search_web tools via attacker-controlled searxng_url parameter
A Server-Side Request Forgery (SSRF) vulnerability in the SearxNG / `search_web` search tools allows an attacker to make the server perform requests to arbitrary internal endpoints and read the responses back. The `searxng_url` argument is passed directly to `requests.get()` with no vali…
npm PraisonAI utility shell safe-command wrapper allowlist bypass via shell chaining
The published npm package `praisonai` ships `dist/tools/utility-tools.js`, which exports a `shell(command)` helper described in source as:
```text
Execute shell command (safe version – read-only commands)
```
The helper attempts to enforce a safe read-only command allowlist by checking…
npm PraisonAI AgentLoop onToolCall approval runs after tool execution
The published npm package `praisonai` exports `createAgentLoop()`, whose `onToolCall` callback is documented and exampled as an approval hook. The implementation calls PraisonAI's `generateText()` wrapper with the caller's executable tools first, receives `toolResults`, and only then cal…
npm PraisonAI SandboxExecutor allowedCommands bypass via shell chaining
The published npm package `praisonai` exports `SandboxExecutor`, `CommandValidator`, and `sandboxExec` as "safe command execution with restrictions." When `allowedCommands` is configured, `CommandValidator` checks only the first whitespace-delimited token of the command string. `SandboxE…
PraisonAI: Compute-bridged file tools allow shell command injection
## Summary
`LocalManagedAgent` / `SandboxedAgent` compute bridging wraps
`read_file`, `list_files`, and `write_file` when a compute provider is
attached. The bridge converts those file operations into shell command strings
using raw path a…
PraisonAI: HTTPApproval dashboard renders tool arguments as raw HTML, allowing approval-page XSS to approve dangerous tools
## Summary
`praisonai.bots.HTTPApproval` renders pending tool approval arguments directly
into the approval dashboard HTML. An attacker-controlled tool argument can
inject JavaScript …
PraisonAI DiscordApproval accepts unrelated channel messages as dangerous-tool approvals
## Summary
`praisonai.bots.DiscordApproval` approves a pending dangerous tool call when it
sees any later non-bot message in the configured Discord channel whose text is
classified as approval, such as `yes`.
The dec…
OpenClaw: Pairing-scoped device session could restore revoked node token authority
In affected releases, a surviving pairing-scoped session for a device could re-establish node token authority after that node token had been revoked. Revocation should require the device to lose that authority unless it is approved again through the normal pairing flow.
This issue affe…
Duplicate Advisory: Picklescan Bypasses Unsafe Globals Check using pty.spawn
This advisory has been withdrawn because it is a duplicate of GHSA-hgrh-qx5j-jfwx. This link is maintained to preserve external references.
## Original Description
PickleScan before 0.0.33 fails to include the pty.spawn function in its unsafe globals list, allowing attacker…
Gitea: Stored XSS via glTF `extensionsRequired` in Gitea 3D File Viewer
Me again.
Gitea's built-in 3D file viewer (powered by Online3DViewer) is vulnerable to stored cross-site scripting (XSS) through crafted `.gltf` files. When a glTF file declares an unsupported required extension, Online3DViewer generates an error message containing the extension name an…
Blocky DNSSEC validation bypass and validation-cache scope pollution
Blocky accepts and caches forged DNS answers while `dnssec.validate: true` is enabled. The issue has two related exploit paths:
1. **Basic DNSSEC validation bypass.** If an untrusted upstream returns an unsigned positive answer for a DNSSEC-signed public domain, Blocky classifies the re…
agent-coderag: Gradle Wrapper Execution During Dependency Discovery Enables Arbitrary Code Execution
### Summary
`agent-coderag` unconditionally executes a repository-controlled `gradlew` script during its default `sync` dependency-discovery flow. An attacker who can induce a victim to index a malicious Gradl…
Crawl4AI: Unauthenticated SSRF on the Docker server streaming crawl path (/crawl/stream)
The Docker API server applied its SSRF destination check (`validate_url_destination`) on the non-streaming `/crawl` path but not on the streaming path. `handle_stream_crawl_request` passed seed URLs straight to the crawler with no destination validation. A remote, unauthenticated client…
PraisonAI: Webhook signature verification skipped (fail-open) when secret unset, allowing forged inbound webhooks (WhatsApp & Linear bots)
when a secret is configured. When the secret environment variable is unset — the
default on a fresh install and common in development — verification is skipped entirely
and the webhook body is parsed and dispatch…
PraisonAI LinearBot processes unsigned webhooks when LINEAR_WEBHOOK_SECRET is missing
## Summary
PraisonAI's LinearBot starts a public webhook listener on `0.0.0.0` and treats
`LINEAR_WEBHOOK_SECRET` as optional. When the secret is absent, startup only logs
a warning and `_handle_webhook()` sk…
praisonaiagents: SSRF guard validates literal IPs only and never resolves DNS
**Researcher:** Kai Aizen — SnailSploit (@SnailSploit), Adversarial & Offensive Security Research
**Target:** https://github.com/MervinPraison/PraisonAI
**Weakness:** CWE-918 Server-Side Request Forgery (SSRF).
---
…
Gitea: Authorization Bypass via "Allow edits from maintainers" allows unauthorized commits to any readable repo
Any authenticated low-privilege user with read access to a repository can push arbitrary commits directly to that repository, bypassing all write-access checks.
## Vulnerability
Gitea's "Allow edits from maintainers" PR option can be abused via reverse-fork PRs:
1. The web UI PR-creat…
Gogs: Overwriting critical files results in a denial of service
**Impact:** DoS
**Exploitation prerequisite:** authorized user
**Description:** As an authorized user, an intruder can dictate the value which is passed to the `git diff` command which, together with bypassing the filtering of the passed value, allows the user …
budibase: Database Connector SQL Injections in PostgreSQL, MS SQL, and MySQL
This advisory covers three distinct SQL Injection vulnerabilities within Budibase's database connectors (PostgreSQL, Microsoft SQL Server, and MySQL). Because user-controlled schema and table configurations are interpolated directly into raw SQL queries without proper escaping or paramet…
pdfkit: Path traversal in from_string
PraisonAI Slack app_mention bypasses configured user/channel authorization
## Summary
PraisonAI's Slack bot applies its configured `allowed_users`,
`allowed_channels`, and unknown-user pairing policy in the normal Slack
`message` event handler, but not in the adjacent Slack `app_mention` event…
PraisonAI ToolsMCPServer legacy SSE transport accepts attacker Host/Origin and exposes registered tools
## Summary
`praisonaiagents.mcp.ToolsMCPServer.run_sse()` builds a Starlette MCP
HTTP+SSE server around `mcp.server.sse.SseServerTransport`. The server exposes
`/sse` and `/messages/`, but it …
appium-mcp: Unescaped Locator Data XSS in MCP-UI Resource (createLocatorGeneratorUI)
### Summary
`appium-mcp`'s `createLocatorGeneratorUI` function interpolates attacker-controlled element attributes — `text`, `content-desc`, `resource-id`, and locator selector values — directly into an HTML template l…
EverOS: Path traversal in EverOS /api/v1/memory/add via unvalidated sender_id
PraisonAI: PRAISONAI_CALL_AUTH=disabled environment variable unconditionally disables authentication
Setting `PRAISONAI_CALL_AUTH=disabled` completely disables all authentication on the `/api/v1/agents/{id}/invoke` endpoint. This bypass is advertised in the application's own error messages, making it likely to appear in production Docker and Compose configurations.
### Details
“`pyth…
npm PraisonAI MCPSecurity Basic/OAuth authentication policies accept invalid credentials without validation
The published npm package `praisonai` exports an `MCPSecurity` helper described in source as:
```text
MCP Security – Authentication, authorization, and rate limiting
Provides security policies for MCP servers.
```
Its `AuthMethod` type advertises five authentication methods:
“`ts
exp…
PraisonAI recipe serve Typer command bypasses the non-localhost authentication guard
## Summary
PraisonAI's installed console entrypoint is Typer-first. In current releases,
the `recipe` command is registered in the Typer app and
`praisonai recipe serve` dispatches to the deprecated Typer comm…
OpenClaw: Discord allowFrom could bind to mutable display names
Discord allowFrom could bind to mutable display names. In affected versions, a Discord account able to change display or global name metadata could match a policy entry through mutable display metadata.
This advisory is scoped to the named feature and configuration. It does not change …
OpenClaw: Zalo allowFrom could bind to mutable display names
Zalo allowFrom could bind to mutable display names. In affected versions, a Zalo friend or contact with mutable display metadata could match a policy entry through mutable display metadata.
This advisory is scoped to the named feature and configuration. It does not change OpenClaw's tr…
OpenClaw: Shell positional parameters could weaken strict inline-eval checks
Shell positional parameters could weaken strict inline-eval checks. In affected versions, a command request that combines allowlisted tools with shell positional arguments could place inline-eval content in a shell carrier not covered by the strict check.
This advisory is scoped to the…
PraisonAI: IMAP Command Injection via Unsanitized Email Search Parameters
The email search tool in `src/praisonai-agents/praisonaiagents/tools/email_tools.py` constructs IMAP SEARCH commands by interpolating LLM-controlled parameters (from_addr, subject, query) directly into IMAP protocol strings using f-string formatting with double-quote delimiters. An attac…
PraisonAI GitHub template cache path traversal allows outside-cache file write and directory deletion
PraisonAI's template loader accepts GitHub template URIs with refs, for example
`github:owner/repo/template@v1.0.0`. The resolver stores the user-controlled
template path and ref verbatim, and the cache layer later joins those values into
`~/.praison/cache/templates/github/<owner>/<repo>…
PraisonAI: Missing ownership check on DELETE endpoints allows members to delete others' content in Platform API
A workspace member can permanently delete any resource — projects, agents, issues, labels, issue dependencies, and issue-label attachments — created by the workspace owner or other members. All six content DELETE endpoints enforce workspace membership but perform no ownership or role…
piscina: Prototype Pollution Gadget → RCE via inherited options.filename
`piscina`'s constructor and `run()` paths read the `filename` option via plain member access:
“`js
// dist/index.js line 92 (constructor)
const filename = options.filename
? (0, common_1.maybeFileURLToPath)(options.filename)
: null;
this.options = { ...kDefaultOptions, ...options, …
OpenClaw: Shell inline-command parsing could miss an allowlist check
Shell inline-command parsing could miss an allowlist check. In affected versions, a command request using shell inline-command forms could route an inline command through a parser case that did not receive the expected allowlist decision.
This advisory is scoped to the named feature an…
OpenClaw: Host environment sanitizer missed two Node.js control variables
Host environment sanitizer missed two Node.js control variables. In affected versions, a lower-trust env source such as a workspace `.env`, tool env override, or skill env block could pass Node.js control variables through the shared sanitizer.
This advisory is scoped to the named feat…
Gitea: Public-only tokens bypass private-resource restrictions on `/api/v1/user` self routes
Many authenticated self routes under `/api/v1/user/…` do not enforce the `public-only` token restriction. As a result, a token or OAuth grant marked `public-only`, but otherwise carrying the route-required read/write scope category, can access or modify private account resources throug…
Gitea: API Fork Missing CanCreateOrgRepo Check Allows Org Secret Exfiltration
The API endpoint `POST /api/v1/repos/{owner}/{repo}/forks` only checks `IsOrgMember()` when a user forks a repository into an organization, but does not check `CanCreateOrgRepo()`. The web UI fork handler correctly checks both. This allows a read-only organization member — in a team wi…
Gitea: OAuth2 access token scope enforcement bypass via HTTP Basic authentication
Gitea fails to enforce OAuth2 access token scopes when the token is submitted via HTTP Basic authentication instead of a Bearer token. An OAuth2 application granted only `read:user` can use the same token as `Authorization: Basic base64(<token>:x-oauth-basic)` and perform write actions,…
Gitea: Git Smart HTTP Skips Repository Token Scopes for Bearer Tokens
Gitea v1.26.1 enforces repository-scoped access-token permissions on repository operations. In the Git Smart HTTP path, however, this check runs only when the token is presented via HTTP Basic authentication — `CheckRepoScopedToken()` returns early unless `ctx.IsBasicAuth` is true — …
Caddy: FastCGI header normalization bypass in `forward_auth copy_headers`
`forward_auth copy_headers` deletes the exact client-supplied identity header before copying the trusted value from the auth gateway. But when the request later goes through `php_fastcgi`, Caddy normalizes HTTP headers into CGI variables by replacing `-` with `_`.
This lets a client se…
Deno: Command Injection via spawnSync & spawn on Windows
Deno's `node:child_process` implementation provided an `escapeShellArg()` helper used when callers passed `shell: true` to `spawn` / `spawnSync` / `exec` and friends. On Windows, the helper failed to quote arguments that contained `cmd.exe` metacharacters such as `&`, `|`, `<`, `>`, `^`,…
py7zr: Arbitrary File Write Vulnerability
There exists an **arbitrary file write vulnerability** in `py7zr` (1.1.0, latest), which allows symbolic links to be recreated outside the destination directory via crafted malicious symbolic link chains. When using `extractall` to extract an archive, the library restores these symbolic …
Strimzi: Cross-namespace privilege escalation via `Kafka.spec.entityOperator`
Having the Topic and User operators watch namespaces other than the one where the Kafka cluster is deployed is a fully documented feature.
When the `watchedNamespace` field is used within the Topic or User operator (as part of the `Kafka.spec.entityOperator` field), the Cluster …
VCR.py: Arbitrary code execution via unsafe YAML deserialization of cassette files
vcrpy deserializes YAML cassette files with PyYAML's object-constructing loader (`yaml.CLoader` / `yaml.Loader`) instead of the safe loader (`yaml.CSafeLoader` / `yaml.SafeLoader`). A cassette containing a `!!python/object/apply:` (or similar) tag therefore executes arbitrary Python cod…
@tinacms/cli: Remote Code Execution in @tinacms/cli via Forestry migration — unsanitised __TINA_INTERNAL__ marker in user-controlled YAML labels
### Summary
`@tinacms/cli` contains a Remote Code Execution vulnerability in its
Forestry-to-Tina migration command. The internal helper `addVariablesToCode`
unquotes any value matching the marker `"__TINA_INTERNAL__:::(.*?):::"`
inside the stringified collection JSON. User-supplied…
PraisonAI recipe workflow policy can be bypassed by declaring and YAML-approving dangerous tools outside TEMPLATE.yaml
PraisonAI recipe execution has a dangerous-tool policy that is supposed to block default-denied tools unless the caller explicitly passes `allow_dangerous_tools=True`. That policy only checks tools declared in `TEMPLATE.yaml` `requires.tools`.
For steps-based recipes, the actual executi…
PraisonAI recipe.run_stream skips dangerous-tool policy enforcement
## Summary
PraisonAI recipe execution blocks default-denied dangerous tools unless the
caller explicitly passes `allow_dangerous_tools=True`. The normal `recipe.run()`
path enforces this with `_check_tool_policy()`. The stre…
SurrealDB: Arbitrary file read via DEFINE ANALYZER mapper() filter
LangSmith SDK TracingMiddleware: Arbitrary server-side file read
An attacker who can send an HTTP request to a server running the LangSmith SDK's `TracingMiddleware` can cause that server to read an arbitrary file from its local filesystem and upload the contents to LangSmith as a trace attachment. Depending on how the distributed trace system is deplo…
Daytona: Cross-org IDOR in organization role update/delete — any org owner can rewrite or destroy another org's roles
Daytona's organization role update and delete endpoints authorized the caller as an owner of the organization named in the request path, but resolved and mutated the target role by its identifier alone, without verifying the role belonged to that organization. An authenticated user who o…
Home Assistant: Konnected alarm-panel switch state and zone topology disclosed to unauthenticated actors on the LAN
The Konnected integration registers an HTTP endpoint, `KonnectedView` (`homeassistant/components/konnected/__init__.py`), that is marked as **not requiring authentication** (`requires_auth = False`). A comment next to that line says auth is instead handled "via the access token from con…
npm PraisonAI SandboxExecutor network-isolated mode does not block non-proxy-aware network clients
The published npm package `praisonai` exports a TypeScript `SandboxExecutor` with a `network-isolated` mode. The CLI lists that mode as:
```text
network-isolated No network access (proxy blocked)
```
The implementation does not create a network namespace, firewall rule, socket filter,…
LangChain4j: SQL injection via metadata filters in langchain4j-mariadb and langchain4j-pgvector
The MariaDB and pgvector embedding stores build metadata-filter SQL by string-concatenating
filter **keys** (and, in MariaDB, string **values**) directly into the query without adequate
escaping. A crafted metadata key in `EmbeddingSearchRequest.filter()` can break out of its SQL
context…
MessagePack for Python: Out-of-bounds read / crash on Unpacker reuse after a caught error
If the Unpacker is used repeatedly after an error occurs, the process may crash with a SEGV.
If the Unpacker is used repeatedly to unpack untrusted input from external sources, it may be vulnerable to a DoS attack.
### Patches
v1.2.1
### Workarounds
Users should create a new Unpacke…
SearXNG MCP Server: Unbounded Response Body Read Bypasses URL Size Limit in `web_url_read`
### Summary
The `web_url_read` MCP tool in mcp-searxng enforces its 5 MiB response-size limit exclusively by inspecting the `Content-Length` header of a preliminary HEAD request. When a server omits `Content-Length` — a st…
Langflow: Unauthenticated DoS through multipart form boundary file upload
An attacker can send a `/api/v1/files/upload/` request without any authentication token/cookies and abuse a very long multipart form boundary to make the langflow app unusable for all users for an indefinite amount of time.
### Details
https://github.com/langflow-ai/langflow/blob/v1.0.…
Ultimate Sitemap Parser (USP): XML Entity Expansion (Billion Laughs) DoS in XMLSitemapParser
### Summary
`ultimate-sitemap-parser` version 1.8.0 and earlier parse attacker-controlled XML content using Python's `xml.parsers.expat` without any restriction on DTD declarations or recursive entity references. An attacker who can …
Ultimate Sitemap Parser (USP): Gzip Decompression Bomb Bypasses Sitemap Size Limit
### Summary
`ultimate-sitemap-parser` enforces a 100 MiB size limit on sitemap responses, but applies it only to the **compressed** bytes received over the network. When a `.gz` sitemap is fetched, `usp/helpers.py:239` calls `gzip_lib.decompre…
flat-to-nested: Prototype pollution in flat-to-nested convert() via __proto__ parent/id key
`convert()` builds the nested tree by using each flat record's `id` and `parent` field values directly as object keys, with no guard against `__proto__` / `constructor` / `prototype`. A record whose `parent` is the string `"__proto__"` makes `temp[parent]` resolve to `Object.prototype`…
CoreWCF: Pre-authentication infinite-loop CPU exhaustion in CoreWCF net.tcp / net.pipe / net.uds framing handshake
An unauthenticated remote attacker can pin one server thread-pool worker at 100 % CPU per connection. With a few connections, the CPU usage can be exhausted.
#### Preconditions
An attacker being able to reach a service which is exposing an endpoint using one of NetTcpBinding, NetNamedP…
Oj: Stack Buffer Overflow in Oj::Doc#each_child via Deeply Nested Input
`Oj::Doc#each_child`, when invoked recursively over a deeply nested JSON
document, overflows a fixed-size stack buffer and aborts the process. This is a
denial of service reachable from untrusted JSON.
### Details
Two-step chain in `ext/oj/fast.c`:
1. **`doc_each_child` (~line 1501)*…
Stanza: Remote Code Execution via Unsafe Pickle Deserialization in Model Loaders
Stanza 1.12.0 attempts to safely load PyTorch checkpoint files using `torch.load(…, weights_only=True)`, but automatically falls back to the fully unsafe `torch.load(…, weights_only=False)` when the safe load raises `pickle.UnpicklingError`. Because the `UnpicklingError` condition i…
Faraday: Uncontrolled recursion in NestedParamsEncoder allows stack exhaustion DoS via deeply nested query parameters
## Summary
`Faraday::NestedParamsEncoder`, the default nested query parameter encoder/decoder in Faraday, decodes nested query strings without enforcing a maximum nesting depth.
A crafte…
AlchemyCMS: Unauthenticated nested page API leaks restricted & unpublished content
- **Location:** `app/controllers/alchemy/api/pages_controller.rb:28` (`Api::PagesController#nested`)
- **Affected version:** Alchemy CMS 8.3.0.dev (Rails 8.1.3)
## Description
The unauthenticated `GET /api/pages/nested` endp…
OpenTofu: Possible arbitrary file read during certain git operations via a maliciously crafted URL
Possible data exposure.
#### Summary
While downloading packages from a maliciously crafted URL, some git operations against that URL could allow arbitrary file read.
This might allow disclosure of confidential information.
#### Details
OpenTofu relies on [go-getter](https://github.com/ha…
undici WebSocket client vulnerable to denial of service via fragment count bypass
The undici WebSocket client enforces `maxPayloadSize` on the cumulative byte count of fragments in a message but does not enforce a limit on the number of fragments. A malicious WebSocket server can stream many small or empty continuation frames that each pass per-frame and cumulative-siz…
undici vulnerable to cross-origin request routing via SOCKS5 proxy pool reuse
When using `Socks5ProxyAgent`, undici reuses a single connection pool across different origins without verifying that the pool's origin matches the requested origin. All requests are dispatched through the pool connected to the first origin, regardless of the intended destination.
This c…
Pipecat: Telephony WebSocket `/ws` Unauthenticated Call-Control Abuse via Attacker-Supplied Call SID
### Summary
The pipecat development runner registers a `/ws` WebSocket endpoint for telephony testing that accepts connections without any authentication. An unauthenticated remote att…
undici WebSocket client vulnerable to denial of service via cumulative fragment bypass
The undici WebSocket client enforces `maxPayloadSize` per-frame but does not enforce the cumulative size of fragmented uncompressed messages. A malicious WebSocket server can stream many small fragments that each pass per-frame validation but collectively exceed the configured limit, caus…
PraisonAI A2U incomplete authentication fix leaves current serve command unauthenticated by default
The published A2U advisory `GHSA-f292-66h9-fpmf` says unauthenticated A2U event streaming was fixed in `praisonai` `4.5.115`. Current head still exposes the same A2U subscription and event routes without authentication when the operator starts the documented CLI entrypoint:
```text
prai…
```
PraisonAI: Arbitrary File Read via `@file:` Mention Path Traversal
The MentionsParser in `src/praisonai-agents/praisonaiagents/tools/mentions.py` processes `@file:` mentions in agent prompts by reading arbitrary files from the filesystem. When a file path is not found relative to the workspace, the parser falls back to using the path as an absolute path…
PraisonAI: Unauthenticated Local File Inclusion via agent_file path in PraisonAI Jobs API
An unauthenticated attacker can read arbitrary files on the server by supplying an absolute filesystem path in the `agent_file` field of the Jobs API. The field has no path validation, no allowlist, and no authentication is required to submit jobs.
### Details
The `agent_file` field in …
PraisonAI dynamic-context artifact tools read arbitrary host files outside artifact storage
## Summary
PraisonAI's Dynamic Context Discovery feature exposes artifact helper tools
through `ctx.get_tools()`:
```python
ctx = setup_dynamic_context()
agent = Agent(
    instructions="You are a data …
```
PraisonAI Dynamic Context history and terminal tools read files outside configured storage via path traversal
## Summary
PraisonAI's Dynamic Context module provides filesystem-backed history and
terminal-log storage. The SDK reference describes the module as providing:
- artifact storage for to…
JLine3 Telnet server: Unauthenticated Remote Memory Exhaustion via Unbounded Telnet NEW-ENVIRON Variables
The JLine3 Telnet server (`remote-telnet` module) does not limit the number of
environment variables a client may inject via the Telnet NEW-ENVIRON option. An
unauthenticated attacker can flood the server with a large number of unique
variable pairs before sending the terminating IAC SE…
JLine3 Telnet server: Unauthenticated Remote DoS via Unbounded Telnet NAWS Terminal Geometry
The JLine3 Telnet server (`remote-telnet` module) does not apply an upper bound to
terminal dimensions received via the Telnet NAWS (Negotiate About Window Size) option.
An unauthenticated remote attacker can send a NAWS subnegotiation advertising a
65535×65535 terminal and repeatedly …
http-proxy-middleware: multipart/form-data field injection via unescaped CRLF in `fixRequestBody`
`fixRequestBody()` is the library's documented helper for re-emitting a request body that was already consumed by a body parser. When the **outgoing** `Content-Type` is `multipart/form-data`, it rebuilds the body with `handlerFormDataBodyData()`, which interpolates each `req.body` key and…
Gotenberg: SSRF via LibreOffice document processing
Server-Side Request Forgery (SSRF) vulnerability affecting the `/forms/libreoffice/convert` endpoint in Gotenberg v8.33.0 running with the default configuration.
By uploading a specially crafted DOCX document, an attacker can cause LibreOffice to automatically retrieve external resour…
Hermes Agent contains a DNS rebinding vulnerability in WebSocket endpoints that allows remote attackers to bypass Host and Origin validation
HAPI FHIR: Incomplete fix for CVE-2026-45367: DSTU2 FHIRPathEngine.matches() missing RegexTimeout protection allows ReDoS
The fix for CVE-2026-45367 added `RegexTimeout` protection to the `matches()` function in DSTU2016MAY, DSTU3, R4, R4B, and R5, but the DSTU2 module was incompletely patched. In `org.hl7.fhir.dstu2`, `replaceMatches()` was updated while `matches()` at line 2462 still calls the raw `String.…
handlebars.java FileTemplateLoader Path Traversal
Any application that passes user-controlled input to Handlebars.compile() using a FileTemplateLoader (or ClassPathTemplateLoader) is vulnerable to arbitrary file read. This is a realistic attack surface for web applications that use template names from URL path parameters, request paramet…
Duplicate Advisory: picklescan has Arbitrary file read using `io.FileIO`
This advisory has been withdrawn because it is a duplicate of GHSA-9726-w42j-3qjr. This link is maintained to preserve external references.
### Original Description
picklescan before 0.0.35 contains an unsafe pickle deserialization vulnerability allowing unauthenticated attac…
Multer vulnerable to Denial of Service via deeply nested field names
Multer is vulnerable to a Denial of Service (DoS) via deeply nested field names in multipart form data. The `append-field` dependency parses bracket notation in field names (e.g., `a[b][c]`) with no limit on nesting depth, allowing an attacker to force allocation of deeply nested object …
Caddy: Windows `file_server` path authorization bypass via encoded backslash
On Windows, Caddy `path` matchers treat `/private\secret.txt` as outside `/private/*`, but `file_server` later resolves the same request path as `private\secret.txt` on disk.
An unauthenticated remote client can request `/private%5csecret.txt` and bypass Caddy path-scoped auth/deny rou…
Netty: Unbounded pre-allocation in RedisArrayAggregator from RESP array length
RedisArrayAggregator pre-allocates ArrayList with initial capacity equal to the RESP array element count declared in an array header. That count is taken from the wire before the corresponding child messages exist. A small malicious header can claim a huge initial capacity.
### Details
…
Netty: Wrapping plain trust manager silently disables hostname verification
Netty HTTP/3 QPACK Blocked Streams Memory Exhaustion
A memory exhaustion vulnerability in the Netty HTTP/3 codec allows the creation of an unbounded number of blocked streams, which can cause an OOM error.
### Details
The vulnerability exists in `io.netty.handler.codec.http3.QpackDecoder#shouldWaitForDynamicTableUpdates`:
If a client sends a…
Microsoft Security Advisory CVE-2026-45591 – ASP.NET Core Denial of Service Vulnerability
Microsoft is releasing this security advisory to provide information about a vulnerability in ASP.NET Core SignalR and Blazor Server. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A denial of service v…
CoreWCF: SPNEGO SecurityContextToken proof key wrapped without confidentiality
When the proof key recovered from the RSTR can be observed by a party that is not the legitimate client, that party can impersonate the authenticated Windows principal for the lifetime of the SCT (default ~10 hours) and decrypt or forge any subsequent WS-SecureConversation traffic that …
CoreWCF: XML Signature Wrapping in WS-Security endorsing/supporting signature verification allows replay of captured signed messages
The attacker, with one captured signed SOAP envelope from a victim and no other privileges, can invoke arbitrary operations on the service as the victim principal for the lifetime of the captured signing key. There is no rate limit on replays. The DetectReplays setting on transport-securi…
CoreWCF: SAML SubjectConfirmation methods and holder-of-key proof keys are not enforced
The relying application is given a ClaimsPrincipal for a subject whose authority over the assertion the sender never proved. There are two distinct exploit shapes:
- Holder-of-key downgrade. An attacker who obtains a holder-of-key SAML assertion that was issued without KeyInfo (issuer bug…
CoreWCF: SamlSerializer skips SignatureValue verification when SAML signing token is not an X.509 certificate
When a service is configured to validate SAML tokens using a method other than X.509 certificate signing, the final signature verification is skipped.
#### Preconditions
The service is configured to authenticate using SAML tokens and an out of band token resolver (commonly the IssuerToke…
undici vulnerable to TLS certificate validation bypass via dropped requestTls in SOCKS5 ProxyAgent
undici's `ProxyAgent` silently drops the `requestTls` option when configured with a SOCKS5 proxy URI (`socks5://` or `socks://`). The target HTTPS connection through the SOCKS5 tunnel falls back to Node's default trust store, ignoring user-configured `ca`, `cert`, `key`, `rejectUnauthoriz…
ZITADEL: Missing client_id binding in OIDC authorization code exchange and refresh token flows (RFC 6749 Section 4.1.3 violation)
Zitadel's OAuth2 / OIDC `CodeExchange` and `RefreshToken` implementations omit a critical validation step to ensure that the requesting client matches the client that originally initiated the authorization flow. This violates RFC 6749 Section 4.1.3, which mandates that the authorization…
Deno: Miller-Rabin Primality Test Allows Zero Rounds
`node:crypto.checkPrime(candidate[, options][, callback])` and `crypto.checkPrimeSync(candidate[, options])` ran no Miller-Rabin rounds at all when the caller left `options.checks` at its default of `0`. In that mode, the only test applied to the candidate was trial division by the prime…
Improper neutralization of argument delimiters in AWS Bedrock AgentCore Python SDK install_packages()
The AWS Bedrock AgentCore Python SDK (bedrock-agentcore) is an open-source SDK that enables developers to build, deploy, and manage agents on AWS Bedrock AgentCore. An issue exists in the install_packages() method of the Code Interpreter client where crafted package name arguments can by…
PraisonAI Code agent tools fail open without a workspace boundary
## Summary
PraisonAI Code's agent-compatible `CODE_TOOLS` wrappers keep a global workspace root initialized to `None`. If an application uses `CODE_TOOLS`, `code_read_file`, `code_search_replace`, or `code_apply_diff` before calli…
PraisonAI: Jobs webhook SSRF protection bypass via DNS rebinding
## Summary
PraisonAI's Async Jobs API validates `webhook_url` when a job request is parsed
and again when the internal `Job` object is constructed. That validation blocks
direct loopback/private targets, but it is not bound to the later netwo…
@jhb.software/payload-cloudinary-plugin: Arbitrary Cloudinary API Parameter Signing
### Summary
`@jhb.software/payload-cloudinary-plugin` v0.3.4 exposes a server-side signing endpoint (`POST /api/cloudinary-generate-signature`) that passes attacker-supplied `paramsToSign` directly to `cloudin…
SearXNG MCP Server: DNS-resolved Private Hostname SSRF in `web_url_read`
### Summary
The `web_url_read` MCP tool in `mcp-searxng` is vulnerable to Server-Side Request Forgery (SSRF) via DNS rebinding bypass. The `assertUrlAllowed()` function at `src/url-reader.ts:85-93` validates only the syntactic hostname string…
Network-AI: Poisoned environment backup manifest allows arbitrary recursive deletion during backup pruning
`EnvironmentManager.listBackups()` reads each backup's `_manifest.json` and trusts the manifest's `path` field. `EnvironmentManager.pruneBackups()` later passes that trusted `entry.path` directly to `rmSync(entry.path, { recursive: true, force: true })`.
An attacker who can place or mod…
jupyterlab-git excluded_paths Case-Sensitivity Bypass Allows Reading Excluded Directories
`jupyterlab-git` 0.53.0 (latest, 2026-04-30) uses `fnmatch.fnmatchcase()` in `GitHandler.prepare()` (`jupyterlab_git/handlers.py:91`) to enforce the admin-configured `excluded_paths` security control. Because `fnmatchcase` is unconditionally case-sensitive, an authenticated user on a cas…
OpenClaw: Workspace-derived service PATH could influence trash command selection
Workspace-derived service PATH could influence trash command selection. In affected versions, a workspace-derived environment path could select an unintended `trash` executable during maintenance.
This advisory is scoped to the named feature and configuration. It does not change OpenCl…
OpenClaw: Workspace .env STATE_DIRECTORY could influence bundled runtime dependency roots
Workspace .env STATE_DIRECTORY could influence bundled runtime dependency roots. In affected versions, a workspace `.env` in a repository opened by a trusted operator could set `STATE_DIRECTORY` before runtime dependency root resolution.
This advisory is scoped to the named feature and…
OpenClaw: Workspace .env npm_execpath could influence bundled runtime dependency install
Workspace .env npm_execpath could influence bundled runtime dependency install. In affected versions, a workspace `.env` in a repository opened by a trusted operator could override the package-manager executable path used by the install helper.
This advisory is scoped to the named feat…
OpenClaw: Linux and macOS exec allowlists skipped configured argument patterns
OpenClaw's exec allowlist supported optional `argPattern` entries to restrict the arguments accepted for an allowlisted executable. In affected releases, Linux and macOS gateways skipped `argPattern` checks and treated a matching executable path as sufficient to satisfy the allowlist.
…
Nodemailer: Message-level raw option bypasses disableFileAccess/disableUrlAccess, enabling arbitrary file read and full-response SSRF in the delivered message
- **Target:** nodemailer/nodemailer, npm `nodemailer` **v9.0.0** (HEAD `4e58450eb490e5097a74b2b2cce35a8d9e21856e`)
- **Verdict:** CONFIRMED (local …
OpenClaw: Workspace .env CLOUDSDK_PYTHON could influence Gmail setup gcloud execution
Workspace .env CLOUDSDK_PYTHON could influence Gmail setup gcloud execution. In affected versions, a workspace `.env` in a repository opened by a trusted operator could influence which Python runtime `gcloud` used through `CLOUDSDK_PYTHON`.
This advisory is scoped to the named feature …
OpenClaw: MCP Streamable HTTP redirects could forward configured custom headers to another origin
OpenClaw supports remote MCP Streamable HTTP servers with operator-configured custom headers. In affected releases, those headers could be forwarded when the MCP endpoint responded with a cross-origin redirect.
This issue is limited to configured MCP Streamable HTTP servers that use cu…
Daytona: Public sandbox previews remain accessible for up to one hour after being made private
Sandbox previews that were switched from public to private could remain reachable without authentication for a short period after the change, due to a cached visibility state that was not invalidated when the sandbox's visibility changed.
### Impact
When a sandbox owner changed a previe…
Anki's local HTTP server does not sufficiently validate requests
Anki launches a local HTTP server to serve media files and web pages for parts of its interface. The server fails to validate requests in the following ways:
1. No sufficient validation of the Origin header.
2. Some endpoints are vulnerable to path traversal attacks.
This allows malicio…
Lokka: Azure Resource Manager URL path validation issue
Uni-CLI: Legacy HTTP MCP transport accepted browser-originated localhost requests
Uni-CLI versions before 0.225.2 exposed the legacy JSON-RPC-over-HTTP MCP transport on loopback without validating browser Origin headers before routing requests. A malicious web page could send a CORS simple POST request, such as text/plain, to the local /mcp endpoint and deliver a JSON-…
stigmem-node: decay sweep expires and counts facts across all tenants (cross-tenant BOLA)
On a multi-tenant stigmem node, a caller holding a `write` credential for **one** tenant can run a decay sweep that acts on **every** tenant's facts. The candidate-selection queries in `lifecycle/decay.py` (`_select_ttl_candidates`, `_select_confidence_candidates`) carried no `tenant_id`…
stigmem-node: quarantine review surface exposes and mutates other tenants' quarantined facts (cross-tenant BOLA)
On a multi-tenant stigmem node, a tenant administrator could list, read, and **admit or reject** quarantined facts belonging to **other** tenants. The list/count queries and `_get_quarantined_fact` in `routes/quarantine.py` lacked an `f.tenant_id = identity.tenant_id` predicate, and the …
stigmem-node: RTBF tombstones are mis-attributed and suppress reads tenant-blind (cross-tenant BOLA)
On a multi-tenant stigmem node, RTBF (right-to-be-forgotten) tombstones were mis-scoped two ways. (1) `issue_tombstone` defaulted the tenant to `"default"` instead of the caller's tenant, so tombstones could be written to the wrong tenant. (2) The read-suppression path — `_get_tombston…
Gogs: XSS in .ipynb files renderer due to outdated notebookjs
Gogs renders Jupyter notebook files (`.ipynb`) using [jsvine/notebookjs](https://github.com/jsvine/notebookjs), but the version is outdated, missing patches for known XSS vulnerabilities.
### Details
Gogs uses version 0.4.2 of notebookjs to render Jupyter notebook files:
https://gith…
http4k: `HmacSha256.hash` (despite the `Hmac` naming) computed a plain unkeyed digest; clarified by deprecation in favour of `Sha256.hash` / `Sha256.hmac`
The `HmacSha256` class contained two functions:
- `hash(payload)`: a plain unkeyed SHA-256 digest. The `Hmac` prefix in the class name was misleading; this function has no key parameter, so it could never have been an HMAC.
- `hmacSHA256(key, data)`: a properly keyed HMAC-SHA256.
…
TinaCMS: Cross-origin postMessage handlers and rich-text URL-sanitization bypass enable stored XSS and session takeover
@cyclonedx/cyclonedx-npm: Shell Injection via Unsanitized --workspace Argument
A command injection vulnerability exists in `@cyclonedx/cyclonedx-npm` when the CLI is invoked with the `--workspace <value>` option while the environment variable `npm_execpath` is unset or empty.
User-supplied `--workspace` values are passed to a subshell without proper sanitization…
Concurrent Ruby: `AtomicReference#update` livelocks when the stored value is `Float::NAN`
`Concurrent::AtomicReference#update` can enter a permanent busy retry loop when the current value is `Float::NAN`.
The issue is caused by the interaction between:
- `AtomicReference#update`, which retries until `compare_and_set(old_value, new_value)` succeeds.
- Numeric `compare_and_set…
Oj: Integer Overflow in Oj.load 2GB String Handling
`Oj.load` is vulnerable to heap corruption when parsing a JSON string longer than 2 GB. An integer overflow in `buf_append_string` (`buf.h:61`) converts the string length to a large negative `size_t`, causing `memcpy` to copy an astronomically large amount of data out of bounds. This cr…
Oj: Use-After-Free in Oj::Parser SAJ Long Key Callback
`Oj::Parser` in SAJ mode does not protect cached object keys (≥ 35 bytes) from garbage collection. A Ruby callback that triggers GC inside `hash_end` can cause the key string to be reclaimed while the C parser still holds a pointer to it. The subsequent access to the freed string VALU…
Oj: Use-After-Free in Oj::Parser array_class/hash_class GC Marking
`Oj::Parser` in usual mode does not mark `array_class` and `hash_class` references during garbage collection. If GC runs after the class is assigned but before a parse, the class object is reclaimed, leaving the parser holding a dangling VALUE. The subsequent `parse` call dereferences t…
Oj: Negative-Size memcpy in Oj::Parser create_id Attribute Handling
`Oj::Parser#parse` in usual mode with `create_id` enabled is vulnerable to heap corruption via a negative-size `memcpy`. When a JSON object key is exactly 65,535 bytes long, an integer truncation in `form_attr` (`usual.c:63`) converts the length to `-1` before passing it to `memcpy`. Th…
Kozou: Unauthenticated MCP HTTP server and bundled dev-stack hardening (DNS-rebinding, request-body limits, read-only reads, default network exposure)
## Issues
1. **MCP HTTP server lacked DNS-rebinding protection.** The Streamable HTTP transport is unauthenti…
Oj: Use-After-Free in Oj::Parser SAJ Callback via Input Mutation
`Oj::Parser#parse` is vulnerable to a heap use-after-free when a SAJ/SAJ2 callback mutates the input JSON string during parsing. The C engine holds a raw `const byte *` pointer into the Ruby string's internal buffer. If a callback (e.g. `hash_start`) resizes the string — for example b…
Oj: Use-After-Free in Oj::Doc Iterators via Reentrant Close
`Oj::Doc` iterators (`each_value`, `each_child`, `each_leaf`) are vulnerable to a heap use-after-free. When a Ruby block yielded during iteration calls `doc.close` or `d.close`, the document's heap memory is freed while the C iterator is still running. When control returns from the bloc…
Oj: Heap Buffer Overflow in Oj.dump Exception Serialization via Large Indent
`Oj.dump` in object mode is vulnerable to a heap buffer overflow when serializing Exception objects with a large `:indent` value. The serializer allocates a buffer sized for the object's attributes but does not account for the indent bytes added on each write. With `indent: 5000`, the a…
jupyterlab-git extension: Stored XSS leading to RCE
Amazon Web Services (AWS) Security has identified a stored cross-site scripting (XSS) issue in the jupyterlab-git JupyterLab extension that can lead to remote code execution (RCE). The issue exists in the PlainTextDiff.ts component, where the createHeader() method passes Git filenames dir…
containerd CRI checkpoint restore CDI annotation smuggling
containerd's CRI implementation improperly trusts Container Device Interface (CDI) annotations found within untrusted checkpoint image metadata during container restoration. When restoring a container from a checkpoint, containerd preserves CDI-related annotations from the checkpoint arc…
Arbitrary host CRI log file read via symlink following in CRI checkpoint restore
A bug was found in containerd where the CRI plugin restores `container.log` from a checkpoint image without validating a symlinked path. This could result in reading an arbitrary file on the host via `kubectl logs`.
### Patches
This bug has been fixed in the following containerd versions…
containerd CRI — image-config `LABEL` flows to restart-monitor `binary://` logger: host-root command execution from an image pull
A bug was found in containerd where the CRI plugin propagates labels from an image config (`LABEL` instruction in Dockerfile) to a container without validation. This may result in executing an arbitrary command on the host, via a plugin that consumes container labels for some operations.
…
Oj: Stack Buffer Overflow in Oj.dump via Large Indent
`Oj.dump` is vulnerable to a stack-based buffer overflow when a large `:indent` value is provided by the developer. `fill_indent` in `dump.h` calls `memset(indent_str, ' ', (size_t)opts->indent)` without validating the size. When `opts->indent` is set to `INT_MAX` (2,147,483,647), the `…
Oj: Use-After-Free in Oj::Parser Symbol Key Cache Toggle
Disabling `symbol_keys` on a reused `Oj::Parser` instance triggers a heap use-after-free. When `symbol_keys` is toggled from `true` to `false`, `opt_symbol_keys_set` frees the internal key cache (`cache_free`) but does not clear the pointer. The next `parse` call reads from the freed ca…
Hugo: security.http.urls deny rules bypassed by alternate IPv4 encodings (SSRF)
The default `security.http.urls` policy denies requests to loopback, internal,
and cloud-metadata IPv4 literals (e.g. `http://127.0.0.1/`,
`http://169.254.169.254/`). The deny rule only matched dotted-decimal notation,
so alternate IPv4 encodings of the same addresses — integer…
ouroboros-ai: Incomplete fix of CVE-2026-47211: untrusted project .env can still reach RCE via omitted execution-routing keys
The CVE-2026-47211 fix (0.39.0) added `_UNTRUSTED_ENV_DENYLIST` to stop an untrusted project-directory `.env` from redirecting execution. The denylist was incomplete — several execution-routing keys of the same RCE class were omitted, so a malicious cloned repo can still reach arbitrary…
ReDoS in DotVVM routing
This impacts users who use multiple unconstrained route parameters not separated by a `/`. For instance, the following code is vulnerable:
```csharp
var route = new DotvvmRoute("edit/{a}-{b}-{c}/done", null, "testpage", null, null, configuration);
var adversarialInput = "edit/" + new string…
```
parse-server: Denial of service via exponential-time processing of deeply nested query operators
Parse Server is vulnerable to denial of service. A remote attacker can send a single, small query (~1 KB) containing deeply nested query condition operators. Parse Server processes the nested structure with exponential time complexity, which blocks the Node.js event loop and makes the se…
Tilt: Cross-site WebSocket hijacking of the Tilt HUD stream
The Tilt HUD WebSocket (`/ws/view`) is gated by a CSRF token, but the token is served by an unauthenticated endpoint and the upgrader accepts any client that omits an `Origin` header. When the HUD is network-exposed, an attacker can open the HUD stream and read the developer's session sta…
Tilt: Unauthenticated pprof debug endpoints on the Tilt HUD server
The Tilt HUD server mounts Go's `net/http/pprof` handlers under `/debug` with no access control. When the HUD is network-exposed, an attacker can read process memory — including session and apiserver tokens — and hold the process under profiling.
## Details
A blank import of `net/htt…
[Eclipse Theia] Indirect Prompt Injection via Auto-Loaded Workspace Prompt Template Files in AI Chat
[Eclipse Theia] Arbitrary Command Execution via Untrusted Workspace Task Definitions
[Eclipse Theia] Indirect Prompt Injection via Adversarial Workspace File and Directory Names in AI Chat
AgenticMail: Unauthenticated inbound mail triggers bypassPermissions resume of the operator's Claude Code session (bridge-wake)
Two inbound-mail handlers act on a privileged effect without verifying that the sender is the operator, while a sibling handler in the same repo does. The higher-impact one: any external email routed to the bridge inbox causes the dispatcher to resume the operator's Claude Code session wi…
AgenticMail: Cross-agent task authorization bypass in AgenticMail API
A low-privileged authenticated AgenticMail agent can enumerate another agent's pending/claimed tasks by supplying the target agent name to `GET /api/agenticmail/tasks/pending?assignee=<name>`. The returned task objects include the task IDs and payloads. The same task IDs can then be used…
MCP Toolbox for Databases: authenticated authorization bypass
While the 2025-11-25 protocol version handler correctly enforces per-tool restrictions defined by scopesRequired, older supported protocol version…
Heimdall: Forwarded Header Injection via Unsanitized Host Header in Proxy Mode
When Heimdall operates in proxy mode, it constructs the `Forwarded` HTTP header after executing the matched rule pipeline by inserting the incoming request's `Host` header value directly into the header string without sanitizing commas or semicolons. This allows an attacker to inject ad…
Heimdall: IP Spoofing via Unvalidated Forwarding Headers
When the `trusted_proxies` option is configured, heimdall extracts client IP addresses from the `Forwarded` (`for=` parameter) and `X-Forwarded-For` headers and exposes them as `Request.ClientIPAddresses` to the rule pipeline. However, extracted values are not validated to be syntactica…
Karate Mock Server RCE via embedded expression evaluation of request-derived data
Karate Mock Server can execute embedded expressions found in attacker-controlled HTTP request data when a Mock Server feature assigns request-derived values such as `request`, `requestHeaders`, or `requestParams` to variables.
In affected scenarios, an unauthenticated remote attacker c…
Docker MCP Gateway: Argument injection via OCI image label YAML
A maliciously crafted OCI image label can inject arbitrary arguments into the `docker run` command line constructed by the MCP Gateway. An attacker who controls an image that the victim references via `docker://`, or that the victim's catalog pulls a snapshot from, can mount the host fil…
Duplicate Advisory: Picklescan (scan_pytorch) Bypass via dynamic eval MAGIC_NUMBER
This advisory has been withdrawn because it is a duplicate of GHSA-97f8-7cmv-76j2. This link is maintained to preserve external references.
## Original Description
picklescan before 1.0.3 contains a scanning bypass vulnerability in the scan_pytorch function that allows attac…
Apache Shiro: LDAP DN Injection in DefaultLdapRealm
Traefik: HTTP/3 mTLS bypass via exact SNI TLSOptions lookup for wildcard and mixed-case hosts
There is a critical vulnerability in Traefik's HTTP/3 (QUIC) TLS configuration selection that allows unauthenticated clients to bypass router-specific mTLS enforcement. When HTTP/3 is enabled on an entrypoint, the TLS handshake selects the applicable TLS configuration through an exact, c…
Traefik: SNICheck ignores wildcard TLSOptions mappings, allowing domain-fronted mTLS bypass
There is a high severity vulnerability in Traefik's domain-fronting protection (`SNICheck`) that allows an unauthenticated client to bypass mutual TLS enforced through wildcard router `TLSOptions`. When a router uses a wildcard host rule such as `Host(`*.example.com`)` with stricter TLS …
OpenBao: LDAPi ldaputil (wrong escape func)
### Component
`sdk/helper/ldaputil/client.go` — the shared LDAP utility library used by both the LDAP authentication backend and OpenLDAP secrets engine to construct LDAP search filters and bind DNs.
### Root Cause
The LDAP utility contains a **function selection error** that…
dbt MCP Server: Unauthenticated OAuth Context Endpoint Leaks dbt Platform Tokens
### Summary
The local OAuth helper FastAPI server bundled with `dbt-mcp` exposes the `GET /dbt_platform_context` endpoint without any form of authentication or host-origin validation. After a user completes the OAuth login flow ag…
OpenFGA: OIDC audience validation skipped when --authn-oidc-audience is unset
OpenFGA's OIDC authenticator skipped JWT audience (`aud`) validation when no audience was configured.
In deployments where one identity provider issues tokens for multiple services,
a token minted for an unrelated service could authenticate to OpenFGA.
## Preconditions
This applies…
Microsoft Security Advisory CVE-2026-45491 – .NET Tampering Vulnerability
Microsoft is releasing this security advisory to provide information about a vulnerability in System.Formats.Tar. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A tampering vulnerability exists in the `…
OpenClaw: macOS Swift exec allowlist missed combined POSIX inline flags
macOS Swift exec allowlist missed combined POSIX inline flags. In affected versions, a command request using combined POSIX inline-command flags could miss inline-command content expressed through combined flags.
This advisory is scoped to the named feature and configuration. It does n…
SurrealDB: Denial of Service via deep operator chains
Such a query — for example `RETURN 1 + 1 + 1 + …` with tens of thousands of terms — is parsed into an expression tree one level deep per operator. Because the chain is flat and the p…
Anki: User scripts in iframes have access to the internal Anki API
Anki's webview-based pages communicate with the Rust backend using an internal localhost API. Anki implements measures to prevent user scripts run in the reviewer/editor from accessing this API (https://github.com/ankitects/anki/pull/3925) but it inadvertently allows access to scripts in…
Network-AI: AgentRuntime sandbox path-prefix checks allow file access outside the configured base directory
`AgentRuntime` promises scoped file access under a configured sandbox `basePath`, but its path containment checks use raw string prefix tests. A sandbox base such as `/tmp/network-ai-sandbox` also matches a sibling path such as `/tmp/network-ai-sandbox_evil/secret.txt`.
An agent/user th…
OpenBao: Transit secrets engine crashes on key creation with `derived: true` for asymmetric key types
with `derived: true`. The server return…
UltraJSON: Malformed/Truncated UTF-8 Accepted and Silently Rewritten in ujson.dumps()
`ujson.dumps()` (or `ujson.dump()` or `ujson.encode()`) have a `reject_bytes=False` option. When set, they may accept malformed or truncated UTF-8 byte sequences, silently rewriting them into different Unicode characters instead of rejecting them. This leads to input validation bypass an…
CoreWCF NetNamedPipe transport accepts attach to a pre-existing named pipe instance
CoreWCF NetNamedPipe transport accepts attach to a pre-existing named pipe instance, allowing local interception of NetNamedPipe traffic. NetNamedPipe creates a shared memory object based on the listening URL, then generates a unique GUID for the named pipe it will be using and saves this…
CoreWCF: Kafka consume pump halts permanently on a Kafka tombstone (null-value record), causing persistent endpoint denial of service.
A CoreWCF service that is running and listening on a Kafka topic will stop processing new records from that topic after it receives a null-value record.
#### Preconditions
The attacker has produce/write permission on a topic that CoreWCF is consuming from. If the broker permits anonymous publishes, n…
OpenClaw: memory-wiki shared search could miss session visibility checks
memory-wiki shared search could miss session visibility checks. In affected versions, a caller able to search shared memory could skip the session visibility guard on the affected search path.
This advisory is scoped to the named feature and configuration. It does not change OpenClaw's…
OpenClaw: Hostname checks could treat trailing-dot hosts inconsistently
Hostname checks could treat trailing-dot hosts inconsistently. In affected versions, a request path that accepts model- or workspace-derived URLs could present the same hostname with a trailing dot and avoid a blocklist comparison.
This advisory is scoped to the named feature and confi…
NL Portal Backend Libraries: Document contents remained downloadable by any logged-in user (incomplete fix of CVE-2026-49463)
A previous advisory (CVE-2026-49463 / GHSA-qpm9-h556-mwxm) reported that any logged-in user could download any document by its identifier, and stated this was fixed in 3.0.1. For the document-content part that fix was **incomplete**: documents remained downloadable by any authenticated u…
BBOT: Arbitrary File Write in postman_download Module
PraisonAI: execute_code sandbox bypass: str.format C-level attribute access reads every blocklisted dunder
The `execute_code` tool's subprocess sandbox advertises a three-layer defense (AST validation, text-pattern blocklist, restricted `__builtins__`). In **sandbox mode** (the default) only two layers are active — the text-pattern blocklist is skipped — and both remaining layers are bypa…
PraisonAI: SpiderTools redirect-target SSRF protection bypass
## Summary
`SpiderTools.scrape_page()` validates the initial URL and rejects direct
loopback, private, link-local, metadata, and internal hostnames. It then calls
`requests.Session.get()` without disabling automatic redirects or validating
redir…
Apache DolphinScheduler: An incorrect authorization vulnerability allows authenticated users to access alert instances associated with alert groups they do not have permission to access.
This issue affects Apache DolphinScheduler: before 3.4.2.
Users are recommended to upgrade to version 3.4.2, which fixes the issue.
Apache DolphinScheduler: Incorrect Authorization vulnerability allows users to access workflow instance information belonging to projects they do not have permission to access.
This issue affects Apache DolphinScheduler versions prior to 3.4.2.
Users are recommended to upgrade to version 3.4.2, which fixes this issue.
Daytona: Cross-tenant data leak in notification WebSocket gateway via unverified organizationId join
A cross-tenant authorization flaw in Daytona's notification WebSocket gateway allowed any authenticated user to subscribe to another organization's realtime notification channel and passively receive that organization's events.
### Impact
The notification gateway's JWT handshake joined …
Deno: Node TCPWrap numeric hostname aliases bypass --deny-net resolved-IP deny checks
Deno's network permission model is designed so that `--deny-net` rules apply to the **resolved IP address** of a destination, not just the literal string supplied by the caller. That means `--deny-net=127.0.0.1` (or `--deny-net=127.0.0.0/8`) is expected to block any attempt to reach loop…
Allure Report: Path Traversal in HTTP Server Allows Arbitrary File Read
The built-in HTTP server started by `allure serve` and `allure open` is vulnerable to path traversal. The server resolves request URI paths directly against the report directory without normalizing or validating that the resolved path stays within the report directory. An attacker who ca…
CoreWCF: UnixDomainSocket Non-Reentrant POSIX Identity Resolution
Race condition in POSIX peer identity resolution may attribute one connection’s identity to another (getpwuid/getgrgid non-reentrant) and may crash the host process under contention.
### Patches
Fixed in CoreWCF v1.8.1 and v1.9.1
### Workarounds
Restrict UDS filesystem permissions so …
Network-AI: EnvironmentManager.restore() backup ID path traversal copies arbitrary directories into environment data
`EnvironmentManager.restore(env, backupId)` computes the backup path with `join(envDir, '.backups', backupId)` and only checks that this path exists. It does not resolve the result or verify that it remains under `data/<env>/.backups`.
A caller can pass a traversal backup ID such as `..…
Langflow: Logout button does not clear session
The logout button does not clear the session. The previous user stays logged in unless another user explicitly logs in.
### Details
Not in auto login mode. Hosted on localhost. `access_token_lf` remains present in both Local Storage and Cookies. `refresh_token_lf` remains present in Coo…
Allure Report: Stored XSS via unescaped ANSI helper in status message/trace rendering
The `ansi.js` Handlebars helper in allure-generator passes user-controlled `statusMessage` and `statusTrace` values from test result files through the `ansi-to-html` library and wraps the output in Handlebars `SafeString` without HTML escaping. Since `ansi-to-html` does not escape HTML e…
tract: Arbitrary file read via unsanitized ONNX external_data `location` (path traversal) on model load in tract-onnx
`tract` (the `tract-onnx` crate) resolves an ONNX tensor's external-data `location` by joining it onto the model directory **without any sanitization**. Because `location` comes from the (untrusted) `.onnx` file, a malicious model can make `tract` open and read an **arbitrary local file…
OpenClaw: Exported session HTML could keep unsafe markdown links
Exported session HTML could keep unsafe markdown links. In affected versions, content rendered into an exported session could preserve unsafe `javascript:` or `data:` links in generated HTML.
This advisory is scoped to the named feature and configuration. It does not change OpenClaw's …
tract-nnef: integer overflow in NNEF `.dat` tensor parser yields an out-of-bounds read on model load
- **Affected versions:** `< 0.21.16`, `0.22.0`–`0.22.2`, `0.23.0`–`0.23.1` — the dense `DatLoader` path was unguarded across all three release lines; patched in 0.21.16 / 0.22.2 / 0.23.1
- …
marimo contains a reflected cross-site scripting vulnerability in the notebook page
OpenStack Horizon RC file generation does not escape special characters in project names
Zeep: Server-Side Request Forgery (SSRF)
When parsing a WSDL or XSD document, python-zeep follows transitive references — xsd:import, xsd:include, wsdl:import, and lxml entity/DTD resolution — and will fetch http/https URLs found in those references. The Settings.forbid_external option, intended to disable this transitive r…
Network-AI: ApprovalInbox HTTP server has no authentication — anyone can approve pending agent actions
`network-ai`'s `ApprovalInbox` (`lib/approval-inbox.ts`) is a shipped, exported, documented feature — *"a web-accessible approval queue with REST API … and SSE streaming"* (SECURITY.md). It is the network surface of the **human-in-the-loop Approval Gate**, which `ApprovalGate` uses t…
CoreWCF: SAML token replay protection is inoperative
When `DetectReplayedTokens` is enabled, a replayed token is not detected even though it is being reused.
### Patches
Fixed in CoreWCF v1.8.1 and v1.9.1
### Workarounds
Provide your own implementation of `ITokenReplayCache` with the correct behavior.
CoreWCF: WS-Security signature substitution via document-wide Signature lookup
An unauthenticated remote attacker who can place a SOAP header lexically before `wsse:Security` can embed a `ds:Signature` of their choosing inside that header and cause the server to verify the attacker-supplied signature instead of the one carried in the security header.
#### Precondit…
TypeORM: SQL Injection in UpdateQueryBuilder/SoftDeleteQueryBuilder orderBy (MySQL/MariaDB)
Blind SQL injection vulnerability in `UpdateQueryBuilder` and `SoftDeleteQueryBuilder` affecting MySQL and MariaDB users.
`UpdateQueryBuilder` and `SoftDeleteQueryBuilder` (including their `addOrderBy` variants) do not validate the `order` parameter against an allowlist of permitted val…
undici vulnerable to HTTP header injection via Set-Cookie percent-decoding
undici's cookie parser in `parseSetCookie` percent-decodes cookie values via `qsUnescape`, turning encoded sequences like `%0D%0A`, `%00`, `%3B`, and `%3D` into their literal byte equivalents. RFC 6265 §5.4 does not specify any decoding and browsers do not decode either.
Applications th…
undici vulnerable to cross-user information disclosure via shared cache whitespace bypass
Undici's cache interceptor incorrectly classifies some responses as cacheable when the upstream `Cache-Control` header uses whitespace-padded qualified `private` or `no-cache` field names such as `private=" authorization"` or `no-cache="\tauthorization"`. The parser preserves the surround…
Mailpit: Incomplete SSRF protection in Link Check API via IPv6 transition mechanisms
The remediation shipped in mailpit v1.29.2 for [GHSA-mpf7-p9x7-96r3](https://github.com/axllent/mailpit/security/advisories/GHSA-mpf7-p9x7-96r3) (CVE-2026-27808) is incomplete. The `tools.IsInternalIP` deny-list relies on Go's stdlib classification helpers (`IsLoopback`, `IsPrivate`, `Is…
Signal K Server: Server-Side Request Forgery via Remote Connection Endpoints
signalk-server versions up to and including 2.27.0 contain a Server-Side Request Forgery (SSRF) vulnerability in three administrative endpoints used for remote Signal K server connection management. The `makeRemoteRequest()` function accepts attacker-controlled `host`, `port`, `useTLS`, …
Capsule: Incomplete fix of CVE-2026-30963: singular/plural typo leaves namespaces/finalize unprotected
Capsule v0.13.2 webhook rules contain `namespace/finalize` (singular) instead of `namespaces/finalize` (plural). K8s requires the plural form. The finalize defense from the CVE-2026-30963 fix is therefore absent.
### Details
PUT to `/api/v1/namespaces/<ns>/finalize` has resource=namespaces (plural). The singu…
Cloudflare Quiche: Use-after-free in connection ID iterator FFI functions
Cloudflare Quiche was affected by 2 use-after-free vulnerabilities in the connection ID iterator FFI functions.
The `quiche_connection_id_iter_next` and `quiche_conn_retired_scid_next` functions would return a pointer to a `ConnectionId` to the applications via function arguments, but t…
ChatterBot: Symlink-Following Arbitrary Write via UbuntuCorpusTrainer
ChatterBot's `UbuntuCorpusTrainer.extract()` uses a predictable, home-rooted output directory (`~/ubuntu_data/ubuntu_dialogs`) with a check-then-create pattern (`if not os.path.exists: os.makedirs`) followed by `tar.extractall(path=self.data_path)`. A local attacker who pre-plants a syml…
Network-AI: EnvironmentManager.backup() follows symlinked directories and copies files outside the environment root into backups
`EnvironmentManager.backup()` recursively collects files using `_collectBackupFiles()`. `_collectBackupFiles()` uses `statSync(full)`, which follows symlinks. If `data/<env>` contains a symlink to a directory outside the environment root, backup recursion follows the symlink and copies e…
Duplicate Advisory: PraisonAI: Coarse-Grained Tool Approval Cache Bypasses Per-Invocation Consent for Shell Commands
This advisory has been withdrawn because it is a duplicate of GHSA-ffp3-3562-8cv3. This link is maintained to preserve external references.
## Original Description
PraisonAI before 1.5.128 caches tool approval decisions by tool name only, not by invocation arguments, allowin…
OpenClaw: Config recovery could restore openclaw.json with broad file permissions
Config recovery could restore openclaw.json with broad file permissions. In affected versions, a local recovery path after configuration repair could leave the restored config file more readable than intended.
This advisory is scoped to the named feature and configuration. It does not …
Hermes Agent creates response_store.db and webhook_subscriptions.json with world-readable permissions (mode 0o644)
Deno: BYONM module resolution allows `package.json` main path traversal to bypass `--allow-read` restrictions
When Deno was run in BYONM mode (`nodeModulesDir: "manual"`), the module resolver did not validate that a package's resolved entrypoint stayed within its `node_modules/<pkg>/` directory. A malicious `package.json` whose `main` field contained `..` segments was able to resolve to an arbit…
Strimzi: Unrestricted access to all Secrets within namespace watched by the Topic operator
When only the Topic or only the User operators are deployed as part of the Entity Operator in the `Kafka` custom resource, the RBAC rights are not following the principle of least-privilege and the Entity Operator ServiceAccount still has access rights corresponding to both operators. Th…
pydantic-settings: NestedSecretsSettingsSource follows symlinks outside secrets_dir, enabling local file read and bypassing secrets_dir_max_size
`NestedSecretsSettingsSource` reads secret values from files in a configured `secrets_dir`. When `secrets_nested_subdir=True`, a directory entry inside `secrets_dir` that is a symbolic link pointing **outside** `secrets_dir` is followed, so files outside the configured directory are rea…
Oj: intern.c form_attr (uninitialized stack read)
`Oj.load` in `:object` mode reads uninitialized stack memory (and, for long
keys, reads out of bounds) when parsing a JSON object whose key is 254 bytes
or longer. The interned bytes can surface to the caller, disclosing process
stack memory.
### Details
In `ext/oj/intern.c`, `form_at…
DotVVM: Unrestricted file upload
All users of DotVVM with configured file upload storage are affected.
DotVVM allows anyone to upload files to the application, potentially causing denial of service by filling the disk.
### Patches
Since version 4.3.15, 4.2.11 and 5.0.0-preview09, DotVVM requires all file upload requ…
NL Portal Backend Libraries: Unauthenticated form resolver forwards the privileged Objecten-API token to a caller-supplied URL (SSRF)
The public GraphQL resolvers `getFormDefinitionByObjectenApiUrl(url)` and the deprecated `getFormDefinitionById(id)` fetch a caller-supplied URL using the **privileged Objecten-API token**. Because the `/graphql` endpoint is `permitAll()` and these resolvers do not declare a `CommonGroun…
ts-deepmerge: Prototype Method Override leads to DoS
OpenClaw: Slack reaction events could ignore reaction notification settings
Slack reaction events could ignore reaction notification settings. In affected versions, a Slack reaction event delivered to the configured app could enter the agent pipeline even when reaction notifications were disabled.
This advisory is scoped to the named feature and configuration.…
opentelemetry-collector-contrib sentryexporter: Path traversal in Sentry exporter via attacker-controlled service.name reaches privileged Sentry API endpoints with operator bearer token
The Sentry exporter constructs Sentry API URLs by interpolating the span's service.name resource attribute into the URL path without validation. Because
service.name is controlled by remote OTLP senders and the operator-configured bearer token is attached to ever…
BBOT: Path traversal (Zip-Slip) in unarchive module – incomplete fix for CVE-2025-10284
Podman: WORKDIR symlink traversal vulnerability
Running a malicious container image where the WORKDIR path contains a symlink can create a directory or modify ownership on the host filesystem. Modified ownership is less likely to happen, as that requires help from an untrusted/malicious process that mutates the host filesystem tree dur…
webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies
When a user-configured proxy on `webpack-dev-server` has a broad context (e.g. `/`) and `ws: true`, it also intercepts the dev server's own HMR WebSocket and forwards it to the proxy target. This leaks the browser's cookies and `Origin` header to the backend, bypasses the dev server's Ho…
Multer vulnerable to Denial of Service via incomplete cleanup of aborted uploads
A vulnerability in Multer allows an attacker to trigger a Denial of Service (DoS) by aborting or sending malformed multipart uploads, causing orphaned partial files to accumulate on disk when using diskStorage.
### Patches
Users should upgrade to `2.2.0`, `3.0.0-alpha.2` or higher
###…
Netty susceptible to HTTP/2 Reset Attack with different on-the-wire signature
Netty's HTTP/2 max header size handling produces an attack similar to HTTP/2 Rapid Reset.
### Details
There is a setting in the HTTP/2 specification called `SETTINGS_MAX_HEADER_LIST_SIZE`. According to [the RFC](https://www.rfc-editor.org/rfc/rfc9113.html#name-defined-settings): “This adv…
Netty: HttpObjectDecoder skips arbitrary initial control characters when only initial CRLF characters are permitted
Before reading the first request-line, `HttpObjectDecoder` skips every byte for which
`Character.isISOControl(b)` is `true` (0x00–0x1F and 0x7F) as well as all whitespace.
RFC 9112 §2.2 only asks servers to ignore **empty CRLF lines** preceding the request-line —
a carefully scoped …
Deno: Permission Bypass via Unicode Normalization Mismatch on macOS (APFS)
Deno's permission system enforces filesystem and execution restrictions by
comparing the requested path against the path supplied to `--deny-read`,
`--deny-write`, `--deny-run`, or `--deny-ffi`. On macOS, that comparison was
done at the raw-byte level while the APFS filesystem treats dif…
Deno: process.loadEnvFile() bypasses env permission checks and mutates process.env with only read access
In Deno, environment access is gated by the `env` permission. You can deny it
with `--deny-env`, or restrict it to a specific allowlist with
`--allow-env=FOO,BAR`. The expectation is that a program running without `env`
permission cannot change `process.env`.
`process.loadEnvFile()` (th…
Deno: WebSocket API sandbox bypass via missing post-DNS check
When a WebSocket connection was opened, Deno checked the destination hostname
against `--deny-net` rules but did not re-check the IP addresses that hostname
resolved to. An attacker-controlled script could use a specially crafted domain
name that passes the hostname check yet resolves to…
Deno: `fetch()` API sandbox bypass via missing DNS resolution check
When `fetch()` was called, Deno checked the destination hostname against
`--deny-net` rules but did not re-check the IP addresses that hostname
resolved to. An attacker-controlled script could use a specially crafted domain
name that passes the hostname check yet resolves to a denied IP,…
Apache DolphinScheduler: Incorrect Authorization vulnerability allows users with system login privileges to delete task definitions in unauthorized projects
This issue affects Apache DolphinScheduler versions prior to 3.4.2.
Users are recommended to upgrade to version 3.4.2, which fixes this issue.
NCalc: Denial of Service via Unbounded and Non-Terminating Factorial Evaluation
A denial-of-service (DoS) vulnerability exists in the factorial operator implementation of NCalc. Specially crafted expressions containing extremely large factorial operands can trigger excessive CPU consumption or cause evaluation to enter a non-terminating loop due to integer overflow …
Netty: QUIC stateless reset token material exposed through header-visible connection IDs
Netty QUIC exposes the stateless reset token on the network path when using the default HMAC-based connection-ID and stateless-reset-token generators. The reset token for the server's current source connection ID can be derived from bytes that appear as the connection ID in QUIC headers …
Outerbase Studio: Stored XSS in Text Widget Leads to Authentication Token Exposure
A Stored Cross-Site Scripting (XSS) issue previously existed in the Text Widget in Board of Outerbase Studio, where unsanitized HTML could be rendered using `dangerouslySetInnerHTML`.
### Steps to Reproduce
1. Create a new dashboard.
2. Add a **Text widget**.
3. Insert the following payl…
CoreWCF: Unix Domain Socket PosixIdentity transport accepts connections that skip the security upgrade
A CoreWCF service hosted on Unix Domain Sockets with the PosixIdentity client credential type (UnixDomainSocketBinding with Security.Mode = TransportCredentialOnly and Security.Transport.ClientCredentialType = PosixIdentity) does not require the client to perform the application/unixposix…
SurrealDB: Field-level SELECT permissions bypassed via graph and reference traversals
When a table was readable at the table level but carried a field hidden by a field-level perm…
SurrealDB: Indexed ORDER BY leaks the value ordering of a SELECT-restricted field
praisonai-platform: Authorization Bypass Through User-Controlled Key
The issue create and update endpoints in `praisonai-platform` accept a `project_id` in the request body and persist it without validating that the project belongs to the URL workspace. A user who is a member of workspace `W_B` (and has no access to workspace `W_A`) can create issues that…
PraisonAI: Unauthenticated Event Injection via SSE `/publish` Endpoint
The SSE (Server-Sent Events) server in `src/praisonai-agents/praisonaiagents/server/server.py` exposes a `/publish` endpoint that broadcasts arbitrary messages to all connected clients without any authentication. The `ServerConfig` dataclass (line 24) defines an `auth_token` field, but t…
Deno: Denial of service via non-ASCII bytes in WebSocket response headers
A Deno program that opens a client `WebSocket` connection could be crashed by
the remote server. While handling the WebSocket handshake response, Deno parsed
the `Sec-WebSocket-Protocol` and `Sec-WebSocket-Extensions` response headers in
a way that assumed their bytes were always printab…
katello: missing repository authorization in content_uploads exposes cross-product content existence
Gitea: Missing repository-unit authorization on issue-template API endpoints
Three Gitea API endpoints — `GET /repos/{owner}/{repo}/issue_templates`,
`GET /repos/{owner}/{repo}/issue_config` and `GET /repos/{owner}/{repo}/issue_config/validate`
— read files from the repository's **Code** default branch (`.gitea/ISSUE_TEMPLATE/*`
and `issue_config.yaml`) and r…
Gitea: Incomplete CVE-2025-68941 fix: /user/orgs missing checkTokenPublicOnly + switch-case logic flaw
Two related issues in the token public-only scope enforcement introduced by PR #32204 (CVE-2025-68941 fix). A public-only scoped API token can access private organization data.
## Issue 1: /user/orgs missing checkTokenPublicOnly()
`routers/api/v1/api.go` line 1599:
```go
m.Get("/user/o…
```
Daytona: Path traversal in sandbox volume id mounts arbitrary host paths into the sandbox — cross-tenant data access and host escape
A sandbox volume reference (`volumeId`, which may also be a volume name) was forwarded to the
runner and used to build the host bind-mount source path without confinement. A reference
containing path-traversal sequences could in principle resolve the mount source outside the
intended per-…
ZITADEL: Missing Token Audience Validation (`aud`) in JWT IdP Provider
An authentication bypass vulnerability was discovered in ZITADEL's external JWT Identity Provider (IdP) implementation.
When validating JSON Web Tokens (JWTs) from an external provider, ZITADEL properly checks the token's cryptographic signature and issuer (`iss`), but it fails to vali…
ZITADEL: Missing Token Lifecycle Validation (`exp` and `iat`) in JWT IdP Provider
Two closely related token lifecycle validation vulnerabilities were discovered in ZITADEL's external JWT Identity Provider (IdP) implementation.
Specifically, within the validation pipeline:
* **Missing Expiration (`exp`) Enforcement:** If an incoming JWT omits the `exp` claim entirel…
Caddy: stripHTML template function bypass
Caddy’s `stripHTML` template function cannot reliably remove all HTML tags from input strings. Certain malformed HTML, such as `<<>img src=x onerror=alert()>`, can bypass the tag-stripping logic, potentially leaving dangerous content in the output if it is later rendered as HTML. This …
SurrealDB: SSRF via JWKS URL — Redirect Following in JWT Key Fetch
MCPVault: PathFilter restricted directories (.git/.obsidian/node_modules) only denied at vault root, not nested
py7zr: O(n^2) algorithmic complexity DoS in PackInfo._read()
PackInfo._read() uses an O(n^2) cumulative sum pattern where
numstreams is read directly from the archive header. A crafted .7z
archive with a large numstreams value causes excessive CPU consumption
during SevenZipFile.__init__() — no extraction is needed. A 50 KB
archive tak…
py7zr: Decompression bomb (zip bomb) denial of service via unchecked extraction size
Measured: 15.6 KB archive → 100 MB output (6,556:1 ratio).
**Proof of concept:**
```python
import py7zr, tempfile, os…
```
Open Redirect Bypass in miniflux-v2
The URL restrictions in `miniflux-v2` can be bypassed by attackers, leading to an open redirect vulnerability.
### Details
Normally, the redirect URL needs to be validated using `IsRelativePath`.
http4k: `ServerFilters.DigestAuth` / `DigestAuthProvider` defaulted to an always-true nonce verifier, disabling replay protection in default deployments
`ServerFilters.DigestAuth` and the underlying `DigestAuthProvider` both defaulted their `nonceVerifier` parameter to `{ true }` — i.e. every nonce was accepted regardless of value, age, or prior use. Any deployment using the default configuration had **no replay protection** on Digest …
http4k: `BasicCookieStorage` (renamed `InsecureCookieStorage`) did not enforce RFC 6265 cookie scoping; new `DefaultCookieStorage` is now the default
The previous `BasicCookieStorage` did not enforce RFC 6265 scoping rules around cookie domain, path, and `Secure` attribute. A client using a single storage instance to talk to multiple origins could have cookies leak across domains, or have `Secure` cookies sent over plain HTTP — the …
http4k: `reverseProxy()` defaulted to substring (`Contains`) matching on `Host`; tightened to `Exact`
`reverseProxy()` and `reverseProxyRouting()` matched configured vhosts by substring on the `Host` header (`Contains` matcher) by default. The intended use of these functions in http4k is **outbound dispatch** (e.g. matching AWS service subdomains, per the `Contains` docstring) and **test…
Traefik Kubernetes Ingress NGINX provider fails open when auth-secret resolution fails
There is a medium severity vulnerability in Traefik's Kubernetes Ingress NGINX provider that causes affected routes to fail open. When an Ingress explicitly enables BasicAuth or DigestAuth through the supported `nginx.ingress.kubernetes.io/auth-type` and `auth-secret` annotations, but th…
go.qbee.io/transport: Symlink-chain path traversal in tar extraction (one level outside destination)
The go.qbee.io/transport library is affected by a symlink-chain path traversal vulnerability in its extractTar routine. The library's path validation is strictly lexical and fails to account for on-disk symlinks created earlier in the extraction process. Consequently, a crafted tar archi…
Grafana Operator: Privilege escalation from namespace admin to cluster admin via GrafanaDashboard jsonnetLib fileName
### Summary
The Grafana Operator supports loading dashboards & library panels using the jsonnet data templ…
Python Liquid: Infinite loop when parsing malformed `{% case %}` tags
Given a malformed `{% case %}` tag without associated `{% when %}` or `{% else %}` block, and no terminating `{% endcase %}` tag, Python Liquid hangs in an infinite loop at parse time. This allows malicious template authors to craft templates for a denial of service attack.
### Patches
T…
containerd: CRI checkpoint import allows local image tag poisoning
containerd's CRI checkpoint import process contains a vulnerability where it fails to validate the image references specified within a checkpoint image's configuration. An attacker with permissions to create pods can use a crafted checkpoint image to force containerd to pull a malicious im…
parse-server: Relation `$relatedTo` query bypasses `protectedFields` and owning-object ACL
A relation query using the `$relatedTo` operator could read the membership of a `Relation` field even when that field was hidden from the requesting client by `protectedFields`, and even when the object owning the relation was not readable by the client under its ACL or class-level permi…
parse-server: Endpoints `/login` and `/verifyPassword` disclose MFA secrets and protected fields when `_User` get is denied
Apps that enable MFA and deny `get` on the `_User` class via Class-Level Permissions could expose sensitive user data through the `/login` and `/verifyPassword` endpoints.
These endpoints re-fetch the user through the access-controlled query pipeline (CLP, `protectedFields`, auth-adapte…
parse-server: Server option routeAllowList is bypassable through batch sub-requests
The `routeAllowList` server option restricts external client access to a configured list of REST API routes. The check is only enforced as Express middleware against the outer HTTP request URL, so the `/batch` handler dispatches each sub-request to the internal router without re-running …
containerd image-triggered runtime DoS via unbounded group parsing
A vulnerability in containerd allows a maliciously crafted image to cause a Denial of Service (DoS) condition. When creating a container from this image, memory exhaustion occurs, leading to an Out Of Memory (OOM) kill of the containerd process. This renders the container runtime API unav…
Hugo: Symlink confinement bypass in os.ReadFile
**Fixed in:** v0.163.1.
**Severity:** Medium. Requires the attacker to be able to place (or convince a site author to place) a symlink inside a mounted directory — for example, inside a locally-vendored theme unde…
Hugo: XSS via unescaped code-fence language in default code block renderer
Nokogiri: Possible Out-of-Bounds Read in `Nokogiri::XML::NodeSet#[]`
`Nokogiri::XML::NodeSet#[]` (and its alias `#slice`) checked the requested index against the node set's bounds using a 32-bit-truncated copy of the index. A large negative index could pass the check and then be used at full width, reading outside the node set's storage. On CRuby this is…
JupyterLab: Stored XSS in extension manager through package metadata unsanitized URI protocol
Entire CLI: Path traversal in checkpoint session metadata allows arbitrary file write during resume/rewind
A path traversal vulnerability in Entire CLI allows an attacker with push access to the checkpoints repository to craft malicious checkpoint metadata that causes `entire session resume` or `entire checkpoint rewind` to write attacker-controlled transcript data outside of the expected ses…
Canonical MicroCeph: path traversal issue in the remote-import AP
OpenClaw: Internal/webchat command auth could inherit ownerAllowFrom wildcard state
Internal/webchat command auth could inherit ownerAllowFrom wildcard state. In affected versions, a sender on an affected internal or webchat path could inherit wildcard ownerAllowFrom state across channel boundaries.
This advisory is scoped to the named feature and configuration. It do…
OpenClaw: Focus command could miss controlScope enforcement
Focus command could miss controlScope enforcement. In affected versions, a caller able to trigger the focus command could run the command without enforcing the expected control scope.
This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-…
OpenClaw: Active Memory write scope could mutate global config
Active Memory write scope could mutate global config. In affected versions, a Gateway caller with `operator.write` access to the affected command could change global configuration without requiring `operator.admin`.
This advisory is scoped to the named feature and configuration. It doe…
[Eclipse Theia] Data Exfiltration via Markdown Image Rendering in AI Chat
Armeria: External Control of File Name or Path in xDS SDS DataSource
### Summary
`DataSourceStream` in the `:xds` module resolves control-plane-supplied `filename` and `environment_variable` fields from SDS Secret resources without any allow-list or base-directory confinement. A semi-trusted or compromi…
opentelemetry-collector-contrib: githubreceiver silently ignores configured required_headers authentication
### Summary
The githubreceiver webhook handler does not enforce the `required_headers` configuration. Headers are validated at startup (config rejects empty keys/values) but never checked on incoming requests. This follo…
MCPVault: PathFilter restricted-directory deny-list bypass via case and trailing dot/space equivalence
pypdf: Missing stream length values ignore defined limits
An attacker who uses this vulnerability can craft a PDF which leads to large memory usage, as `MAX_DECLARED_STREAM_LENGTH` is sometimes ignored. This requires parsing a content stream without a `/Length` value.
### Patches
This has been fixed in [pypdf==6.13.3](https://github.com/py-pdf…
DOMPurify: Permanent `ALLOWED_ATTR` pollution via `setConfig()` bypassing the hook clone-guard (incomplete fix of the 3.4.7 hook-pollution patch)
DOMPurify 3.4.7 shipped a security fix ("permanent hook pollution") that makes a registered `uponSanitizeAttribute` hook's mutation of `data.allowedAttributes` **non-persistent** — so allowing an attribute for one element does not leak into later `sanitize()` calls. The fix clones `ALL…
TinaCMS rich-text (slatejson) rendering does not sanitize link/image URLs, allowing stored XSS via dangerous URL schemes
Hydro: Insufficient session expiration when recreating sessions
Hydro contains an insufficient session expiration vulnerability in its session recreation logic. When a session is recreated, including during logout or other session renewal flows, Hydro creates a new session token but does not delete the previous server-side session token.
As a result…
http-proxy-middleware `router` host+path substring matching allows Host-header-driven backend routing bypass
`http-proxy-middleware` documents `router` proxy-table entries as host, path, or host+path selectors, but the host+path implementation uses unanchored substring matching on attacker-controlled request metadata. As a result, a crafted `Host` header that is only a superstring match for a co…
jodit: Prototype pollution in Jodit via Jodit.modules.Helpers.set()
`Jodit.modules.Helpers.set(chain, value, obj)` walks the dot-separated `chain`, creating and following each path segment, without filtering prototype-mutating keys. A chain that begins with (or contains) `__proto__`, `constructor`, or `prototype` lets the final assignment reach and mutat…
OpenClaw: Tool group policy callers could accept unvalidated group IDs
Tool group policy callers could accept unvalidated group IDs. In affected versions, a caller that can supply a group id to the affected policy resolver could resolve policy for an unvalidated group id.
This advisory is scoped to the named feature and configuration. It does not change O…
Gitea: Open Redirect via redirect_to
Despite the validation within `urlIsRelative` in `modules/httplib/url.go`, an open redirect is still possible due to usage of directory traversal sequences plus a back-slash in the "redirect_to" parameter.
### PoC
When a user uses this URL to login:
`https://gitea.com/user/login?redi…
Claude Code: Out-of-Band Data Exfiltration via Pre-Approved HuggingFace Domain in WebFetch
Traefik: Kubernetes Gateway crossProviderNamespaces bypass allows HTTPRoute outside the allowlist to expose internal Traefik services
There is a high severity vulnerability in Traefik's Kubernetes Gateway provider affecting the `crossProviderNamespaces` allowlist. For `HTTPRoute` rules that declare multiple (WRR) backendRefs, Traefik evaluates the allowlist against the target `backendRef.namespace` instead of the route…
Gitea: Token scope bypass on web archive download endpoint
PR #37698 added checkDownloadTokenScope to /raw/*, /media/*, and attachment download web endpoints. The /archive/* endpoint (repo.Download in routers/web/repo/repo.go:372) was not included in the fix. This endpoint accepts OAuth2 tokens via webAuth.AllowOAuth2 (registered at routers/web/…
Hugo: Symlink confinement bypass in resources.Get
**Affected versions:** v0.123.0 through v0.161.1. Earlier versions are not affected.
**Fixed in:** v0.162.0.
**Severity:** Medium. Requires the attacker to be ab…
Hugo: security.http.urls allow-list bypass via HTTP redirects
**Affected versions:** v0.91.0 (when `security.http.urls` was introduced) through v0.161.1.
**Fixed in:** v0.162.0.
**Severity:** Only relevant for sites that re…
Hugo: XSS via text/html content files
**Affected versions:** all Hugo versions prior to v0.162.0.
**Fixed in:** v0.162.0.
**Severity:** Low to Medium, depending on threat model. Not an issue if you fully trust every file u…