Security Report
Drupal Core SQL Injection Vulnerability
Langflow Origin Validation Error Vulnerability
Trend Micro Apex One (On-Premise) Directory Traversal Vulnerability
Microsoft Windows Buffer Overflow Vulnerability
Microsoft DirectX NULL Byte Overwrite Vulnerability
Adobe Acrobat and Reader Heap-Based Buffer Overflow Vulnerability
Microsoft Internet Explorer Use-After-Free Vulnerability
Microsoft Internet Explorer Use-After-Free Vulnerability
Microsoft Defender Link Following Vulnerability
Microsoft Defender Denial of Service Vulnerability
BoxLite: Permission Bypass Allows Modification of Read-Only Files
Boxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and launch OCI containers within them to run untrusted code.
One of the core security features claimed by Boxlite is the ability to mount host directories in read-only mode (read_only=True) i…
Malicious code in @beproduct/nestjs-auth (0.1.2 through 0.1.19) — Mini Shai-Hulud worm
Between 2026-05-11 20:19 UTC and 22:56 UTC, an attacker used a compromised npm publish token to publish 18 malicious versions of `@beproduct/nestjs-auth` (0.1.2 through 0.1.19). The packages contained payloads from the **Mini Shai-Hulud** npm supply-chain worm campaign described by [Aiki…
9router: Unauthenticated Remote Code Execution via unprotected MCP custom plugin routes
9router exposes two unauthenticated API endpoints that, when chained together, allow any network-adjacent attacker to execute arbitrary OS commands as the user running the 9router process — with **zero prerequisites** and **no credentials required**.
The vulnerability exists because t…
Nezha Monitoring: RoleMember can run shell on every server (cross-tenant RCE) via POST /api/v1/cron
`nezha`'s dashboard supports two user roles: `RoleAdmin` (Role==0) and `RoleMember` (Role==1). The cron routes `POST /api/v1/cron` and `PATCH /api/v1/cron/:id` are wired through `commonHandler` (any authenticated user) rather than `adminHandler`, and the per-server permission check on cr…
Arcane Backend: Missing admin authorization on git repository endpoints allows non-admin users to exfiltrate stored Git credentials and tamper with GitOps configs
Arcane's huma-based REST API exposes nine endpoints under `/api/customize/git-repositories` and `/api/git-repositories/sync` for managing GitOps source repositories and their stored credentials. Eight of those endpoints (`list`, `create`, `get`, `update`, `delete`, `test`, `listBranches`…
Fission router exposes /fission-function/<ns>/<name> on its public listener, allowing invocation of any function without an HTTPTrigger
The Fission router registers an internal-style route — `/fission-function/<name>` and `/fission-function/<ns>/<name>` — for every `Function` object, independent of whether any `HTTPTrigger` exists for that function. The route was mounted on the same listener as user-defined `HTTPTri…
Kopia: RCE via SSH ProxyCommand Injection
Kopia's HTTP server, when started with `--without-password`, accepts unauthenticated requests to `/api/v1/repo/exists`. The handler forwards an attacker-supplied storage configuration to `blob.NewStorage`. For SFTP backends with `externalSSH: true`, that path constructs a process comman…
Boxlite: Path Traversal Vulnerability Leads to Arbitrary File Write on the Host
Boxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and run OCI containers within them. Boxlite allows users to specify the OCI image used by containers in the sandbox. However, when processing tar entries in OCI images, Boxlite does not accoun…
Malicious code in guardrails-ai 0.10.1 (supply chain compromise)
On May 11, 2026 at approximately 6:00 PM Pacific, an attacker published a malicious version of `guardrails-ai` (0.10.1) to PyPI.
**Affected:** any user who installed `guardrails-ai==0.10.1` from PyPI on May 11, 2026.
Security researchers identified the malicious package within approxim…
Malware in @opensearch-project/opensearch
The OpenSearch Project has sustained a security incident involving an external actor gaining force-push permissions within the project's CI infrastructure to embed malicious packages into four release versions of `@opensearch-project/opensearch`. Users are instructed to immediately take…
Malicious dropper in mistralai 2.4.6 PyPI package
Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft
`azureidentity.Validate()` verifies that the PKCS#7 signer certificate chains to a trusted Azure CA but never verifies the PKCS#7 signature itself. An attacker can embed a legitimate Azure certificate alongside arbitrary content e.g. `{"vmId":"<target>"}` and the forged `vmId` will be ac…
Algernon: handler.lua discovery walks parent directories above the server root
When Algernon is asked for any URL path that resolves to a directory *without* an index file, `DirPage` walks **upward through parent directories — past the configured server root** — looking for a file named `handler.lua` to execute as the request handler. The loop terminates only …
FileBrowser Quantum: Path traversal in public share PATCH allows file ops outside shared directory
`publicPatchHandler` in `backend/http/public.go` joins user-controlled `fromPath` and `toPath` body fields with the trusted `d.share.Path` BEFORE the downstream sanitizer runs. Because `filepath.Join` collapses `..` segments during the join, the sanitizer in `resourcePatchHandler` never …
@hulumi/policies: GitHub OIDC trust policy bypass via AWS set-qualified condition operators
Patched in 1.3.2: the AW…
Supply chain compromise via malicious package versions (@cap-js/sqlite, @cap-js/postgres, @cap-js/db-service)
On April 29, 2026, compromised versions of `@cap-js/sqlite@2.2.2`, `@cap-js/postgres@2.2.2`, and `@cap-js/db-service@2.10.1` were published.
The malicious packages harvested credentials and attempted self-propagation.
If a compromised version was installed, all credentials accessible on t…
MCP Gateway: Authority-injection and JWT/session bypass via the unauthenticated router hair-pin "router-key" / "mcp-init-host" path
The MCP router (ext_proc) exposes an `initialize`-method code path that, when a
request carries an `mcp-init-host` header, bypasses the gateway JWT session
validator and rewrites the upstream `:authority` header to whatever the caller
chooses, gated only by a single shared header value …
rok Python ProxyShare can be used as an SSRF proxy through absolute URL paths
Alice exposes a Python SDK `ProxyShare` with a fixed target URL. Bob sends a request to the share with an absolute URL in the path. The Flask handler passes that path to `urllib.parse.urljoin`, which replaces Alice's configured target host with Bob's host and returns the server-side resp…
HAXcms: Private Key Disclosure via Broken HMAC Implementation
The `hmacBase64()` function in the HAXcms Node.js backend contains two critical cryptographic implementation errors that together allow any unauthenticated attacker to extract the system’s private signing key and forge arbitrary admin-level JSON Web Tokens (JWTs) allowing them to get f…
Arcane: Missing admin authorization on global variables endpoint
The `PUT /api/environments/{id}/templates/variables` endpoint, which writes the system-wide `.env.global` file used for variable substitution in every project's compose file, is missing an admin authorization check. Any authenticated non-admin user can call this endpoint with their beare…
MCP Server Kubernetes: Tool Access Control Bypass via Presentation-Layer Filtering Without Execution-Layer Enforcement
`mcp-server-kubernetes` exposes three environment variables (`ALLOW_ONLY_READONLY_TOOLS`, `ALLOW_ONLY_NON_DESTRUCTIVE_TOOLS`, `ALLOWED_TOOLS`) documented as access controls for restricting which Kubernetes operations are available. These controls are enforced at the tool discovery layer …
Fission StorageSvc /v1/archive endpoint exposes unauthenticated CRUD over all function archives
The Fission `storagesvc` component registers archive CRUD handlers (`/v1/archive` GET / POST / DELETE and `/v1/archives` list) directly on its HTTP router without performing any authentication or authorization. Any caller able to reach the `storagesvc` ClusterIP — including any other…
PenPot MCP REPL server binds to 0.0.0.0 with unauthenticated /execute endpoint — RCE
The MCP module's `ReplServer` binds to all interfaces (`0.0.0.0:4403`) and exposes a `/execute` endpoint that runs arbitrary code with zero authentication. Anyone on the network can POST JavaScript and it runs on the server. The main `PenpotMcpServer` was partially fixed for a similar b…
Budibase: Builder-to-Admin Privilege Escalation via onboardUsers Endpoint Without SMTP Configuration
The `POST /api/global/users/onboard` endpoint is protected by `workspaceBuilderOrAdmin` middleware, allowing any user with builder permissions to access it. When SMTP email is not configured (the default for self-hosted Budibase instances), this endpoint bypasses the admin-restricted inv…
Dozzle: Pre-auth SSRF with response-body reflection via POST /api/notifications/test-webhook (default no-auth deploy)
In a default dozzle deploy (the documented quickstart, no `DOZZLE_AUTH_PROVIDER` set), `POST /api/notifications/test-webhook` is reachable without authentication and forwards an attacker-controlled URL into a `WebhookDispatcher` that:
- Sends an HTTP POST to the supplied URL with attack…
Nezha Monitoring: RoleMember-reachable SSRF with full response-body reflection via POST /api/v1/notification
nezha's dashboard supports two user roles: `RoleAdmin` (Role==0) and `RoleMember` (Role==1). The notification routes `POST /api/v1/notification` and `PATCH /api/v1/notification/:id` are wired through `commonHandler` rather than `adminHandler` — so a `RoleMember` user can call them. The…
wger: cross-tenant account deletion / deactivation / activation by gym.manage_gym + gym=None
GHSA-mhc8-p3jx-84mm (CVE-2026-43948) reported that wger's `reset_user_password` and `gym_permissions_user_edit` views in `wger/gym/views/user.py` performed a gym-scope authorization check using Django ORM object comparison (`if request.user.userprofile.gym != user.userprofile.gym`) which…
SillyTavern: SSRF in SearXNG Search Proxy via Unvalidated baseUrl
SillyTavern 1.18.0 added a generic server-side request filter (Private Request Whitelisting). Since we expect users to use the application in a trusted environment, the filter is disabled by default; however, it is strongly advised to enable and properly configure it when an instance…
OpenMetadata: TEST_CONNECTION workflow leaks ingestion-bot JWT and database password to regular users
In OpenMetadata 1.12.1, a non-admin SSO user can trigger a `TEST_CONNECTION` workflow for a Database Service and receive, in …
Caddy Defender trusted proxy client IP bypass
Caddy Defender used `r.RemoteAddr` when evaluating whether a request should be blocked. `RemoteAddr` is the address of the immediate peer connected to Caddy.
In deployments where Caddy is behind a trusted proxy, CDN, or load balancer, the immediate peer is usually the proxy, not the ori…
auth-fetch-mcp: SSRF and disk exfiltration via unvalidated auth_fetch and download_media URLs
## Severity
The `download_media` and `auth_fetch` MCP tools accept arbitrary URLs and reach them as the MCP server process, with `download_media` additionally persisting the fetched response body to a user-con…
TinyIce: Missing authentication on WebRTC ingest endpoint allows unauthorized stream injection
Missing authentication on WebRTC ingest endpoint allows unauthenticated stream injection in TinyIce
## Ecosystem / Package
- **Ecosystem:** `Go` (or "Other" — TinyIce is shipped as a Go binary, not a Go module published to a registry)
- **Package name:** `github.com/DatanoiseTV/tinyice…
@tmlmobilidade/utils has prototype pollution in its setValueAtPath
Prototype pollution vulnerability in @tmlmobilidade/utils for setValueAtPath().
### Patches
A fix is available in versions 20260509.0340.15 and up.
parse-nested-form-data has Prototype Pollution via `__proto__` in FormData field names
`parseFormData()` walks bracket and dot-notation FormData field names into nested objects without filtering reserved property keys. A single FormData field whose name begins with `__proto__`, or contains `.__proto__.` mid-path, causes the parser to traverse onto `Object.prototype` and as…
Arcane Backend: Unauthenticated reflected XSS via SVG color parameter enables admin account takeover
The unauthenticated `GET /api/app-images/logo` endpoint reflects a user-supplied `color` query parameter into the body of an SVG document via `strings.ReplaceAll` with no escaping. The substitution lands inside a `<style>` element of the embedded `logo.svg`, allowing an attacker to close…
form-data-objectizer: Prototype pollution in form-data-objectizer via bracket-notation form keys
`form-data-objectizer` walks bracket-notation form keys (e.g. `name[sub]`) into nested objects without filtering `__proto__`, `constructor`, or `prototype`. A single HTTP form field whose name starts with `__proto__[…]` causes the library to mutate `Object.prototype`, which is a protot…
ORAS Java: Path traversal in pullArtifact via attacker-controlled org.opencontainers.image.title annotation
The `pullArtifact` methods in `Registry` and `OCILayout` use the `org.opencontainers.image.title` annotation from a pulled manifest as a filename, resolving it against the caller supplied output directory without normalization or a containment check. A manifest publisher can set this an…
n8n-MCP: Multi-tenant MCP requests fall back to process-level n8n credentials when tenant headers are absent or incomplete
When `ENABLE_MULTI_TENANT=true`, the HTTP transport documents that the target n8n instance is selected per-request from `x-n8n-url` / `x-n8n-key` headers. Requests that omitted those headers — or supplied only one of them — silently fell back to the process-level `N8N_API_URL` / `N8N…
Caddy: Unsafe Unicode Handling in FastCGI splitPos Allows Execution of Non-PHP Files
The FastCGI transport's `splitPos()` in [`modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go`](https://github.com/caddyserver/caddy/blob/master/modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go) misuses `golang.org/x/text/search` with `search.IgnoreCase` when the request path contains a …
lmdeploy: Hardcoded trust_remote_code=True is an implicit unsafe remote-code load path with no user opt-out
>
> The accurate description of this vulnerability is:
> **"`get_model_arch` and related helpers hardcode `trust_remote_code=True`
> with no opt-out, creating an implicit unsafe remote-code load path
> on every mo…
LMDeploy: Arbitrary code execution via hardcoded trust_remote_code=True in lmdeploy model initialization
lmdeploy hardcodes `trust_remote_code=True` in multiple HuggingFace model-loading call sites.
The affected code paths are in:
```text
lmdeploy/archs.py
lmdeploy/utils.py
```
The vulnerable call sites pass `trust_remote_code=True` into HuggingFace Transformers APIs such as `AutoConfig…
Graphite Has a Pickle Deserialization Vulnerability
**Type of vulnerability:** Insecure Deserialization via Python's `pickle` module.
**Who is impacted:**
Users of *Graphite graph database engine* versions **before 0.2** who load database files from untrusted or third-party sources.
An attacker could craft a malicious database file th…
Network-AI: Unauthenticated Cross-Origin MCP Tool Invocation via Empty Default Secret
| Field | Value |
| --- | --- |
| Repository | Jovancoding/Network-AI |
| Affected version | v5.4.4 (commit c12686e181f231cf8d7bcf836a96d78f0f0877ac) |
## Summary
The MCP SSE server default…
Budibase: Unrestricted Upload of File with Dangerous Type
The file upload endpoint `POST /api/attachments/process` does not enforce active-content restrictions for authenticated users. The checks for dangerous file extensions (`html`, `svg`, `js`, `php`, etc.) are conditionally wrapped inside `if (isPublicUser)` or `if (isPublicUser || !env.SEL…
aiosend: Deserialization of request body before signature verification (Pre-auth DoS) in webhook handler
In `aiosend/webhook/base.py`, the `WebhookHandler.feed_update()` method performs full deserialization of the incoming JSON via Pydantic **before** verifying the HMAC signature. Anyone can send a request with an arbitrary body — the server will parse it, spend CPU and m…
js-libp2p: Memory DoS via subscription flood of unique topics
Three cooperating omissions in `@libp2p/gossipsub` allow an unauthenticated single peer to exhaust the Node.js heap of any gossipsub node with default options.
1. **`defaultDecodeRpcLimits.maxSubscriptions = Infinity`** (`packages/gossipsub/src/message/decodeRpc.ts:11`): no decode-level…
JavaScript Cookie: Per-instance prototype hijack in assign() enables cookie-attribute injection
`js-cookie`'s internal `assign()` helper copies properties with `for...in` + plain assignment. When the source object is produced by `JSON.parse`, the JSON object's `"__proto__"` member is an *own enumerable* property, so the `for...in` enumerates it and the `target[key] = source[key]` w…
Russh: Unchecked CryptoVec allocation and growth handling is reachable
Unchecked `CryptoVec` allocation and growth handling was reachable from local agent inputs in current `russh` releases and from remote SSH traffic in historical pre-`0.58.0` releases
### Summary
`CryptoVec` used unchecked capacity growth, unchecked length arithmetic, and unsafe allocation…
nimiq-primitives: Panic DoS in trie chunk processing via ROOT-keyed item
A remote, unauthenticated denial-of-service vulnerability in `MerkleRadixTrie::put_chunk` allows any state-sync peer to crash any node performing state synchronization (freshly joining nodes and recovering nodes).
A malicious peer can respond to a `RequestChunk` with a `ResponseChunk::C…
Diffusers: TOCTOU Trust Remote Code Bypass
This vulnerability is found in the `diffusers` package – the `transformers`-equivalent library for diffusion models.
It is found in the `DiffusionPipeline.from_pretrained` flow, which is used to load a pipeline from the HuggingFace Hub.
This function has a `trust_remote_code` guard:…
SQLFluff: Uncontrolled Resource Consumption in SQLFluff Parser
In deployments where untrusted users can provide SQL queries to be linted, an untrusted user can submit a malicious long query to any application using the parser to trigger a Denial of Service through resource exhaustion.
### Patches
Versions 4.2.0 and up contain a configurable parse …
SQLFluff: Recursive Stack Overflow in Parser
In deployments where untrusted users can provide SQL queries to be linted, an untrusted user can submit a malicious query with deliberate excessive nesting to any application using the parser to trigger a Denial of Service through resource exhaustion.
### Patches
Versions 4.1.0 and up …
Dasel: Denial of service in dasel selector lexer due to infinite loop on unterminated regex literal
`dasel`'s selector lexer enters a non-terminating loop when tokenizing an unterminated regex pattern such as `r/abc`. A 2-byte input (`r/`) is sufficient to cause the tokenizer to consume 100% CPU on one core indefinitely.
I confirmed the issue on `v3.3.1` (`fba653c7f248aff10f2b89fca93…
Dasel: Index-out-of-range panic in dasel selector lexer on trailing backslash in quoted string
`dasel`'s selector lexer panics with an index-out-of-range error when tokenizing a quoted string that ends with a trailing backslash (e.g., `"\` or `'\`). A 2-byte input causes an immediate process crash via Go runtime panic.
I confirmed the issue on `v3.3.1` (`fba653c7f248aff10f2b89fc…
@libp2p/kad-dht: Unvalidated PUT_VALUE records allow unbounded disk exhaustion on DHT server nodes
An unauthenticated remote peer can exhaust the disk storage of any `@libp2p/kad-dht` node running in server mode by sending an unbounded stream of `PUT_VALUE` messages whose keys bypass all content validation. No credentials, no prior relationship, and no protocol deviation beyond a craf…
Wire: skipGroup() missing negative-length check allows 10-byte payload to crash any Wire-decoding service
## Maintainer summary
Wire's protobuf group-skipping logic did not reject negative lengths before skipping a
length-delimited field inside a group. A crafted protobuf payload could cause Wire to throw an
unchecked runtime exception during decoding instead of the documented `IOExce…
Mailpit: Unauthenticated remote memory-exhaustion DoS via unlimited SMTP DATA and /api/v1/send body sizes
The Mailpit SMTP server has a Server.MaxSize int field that controls the maximum allowed DATA payload size, but the field is never assigned anywhere outside test code, leaving it at Go's zero value (0 ⇒ "no limit"). The same applies to the HTTP /api/v1/send endpoint, whose request body…
Algernon: Single-file mode unconditionally enables debug mode
When Algernon is invoked with a single file path instead of a directory — the documented "quick demo" workflow (`algernon foo.lua`, `algernon page.po2`, `algernon index.html`, `algernon mywebsite.alg`) — `singleFileMode` is set to true and **`debugMode` is forcibly enabled** with no…
ImageMagick: Infinite Loop in the MIFF decoder can lead to CPU exhaustion
ImageMagick: Heap Buffer Over-Write in IPL decoder when reading multiple images of different dimensions
HAPI FHIR: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint
All implementations of FHIRPathEngine accept arbitrary FHIRPath expressions and evaluate them without input validation. The FHIRPath functions `matches()`, `matchesFull()`, and `replaceMatches()` pass user-controlled regular expressions directly to Java's `Pattern.compile()` and `String.…
NiceGUI: Local file disclosure via Docutils file insertion in ui.restructured_text()
`ui.restructured_text()` renders reStructuredText server-side with Docutils without disabling file insertion directives.
When a NiceGUI application passes attacker-controlled content to `ui.restructured_text()`, an attacker can use standard Docutils directives (`include`, `csv-table` w…
OpenTelemetry eBPF Instrumentation: Memcached payload length overflow can crash OBI
A remotely reachable integer overflow in OBI's memcached text protocol parser can crash the OBI process and cause denial of service. When parsing memcached storage commands such as `set`, `add`, `replace`, `append`, `prepend`, or `cas`, OBI accepts extremely large `<bytes>` values and a…
OpenTelemetry eBPF Instrumentation: MongoDB parser panics on malformed wire messages
Malformed MongoDB wire messages can trigger uncaught panics in the MongoDB TCP parser, allowing a remote unauthenticated attacker to crash the telemetry agent and cause a denial of service. The parser operates on raw attacker-controlled network payloads before the input is fully validat…
Microsoft Security Advisory CVE-2026-42899 – ASP.NET Core Denial of Service Vulnerability
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0, .NET 9.0, and .NET 10.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
Loop with unreachable ex…
Microsoft Security Advisory CVE-2026-32175 – .NET Core Tampering Vulnerability
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0, .NET 9.0, and .NET 10.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A tampering vulnerabil…
OpenTelemetry eBPF Instrumentation: Postgres BIND parsing can panic on malformed payloads
The Postgres protocol parser assumes `BIND` message payloads contain a valid NUL-terminated portal name. A crafted empty or unterminated payload can make OBI slice beyond the end of the captured buffer and panic.
### Details
The vulnerable logic is in [pkg/ebpf/common/sql_detect_postg…
multiparty vulnerable to ReDoS via filename parsing
multiparty@4.2.3 and lower versions are vulnerable to denial of service via regular expression backtracking in the `Content-Disposition` filename parameter parser. A multipart upload with a long header value containing `!filename="1` repeated can cause regex matching to take seconds, blo…
multiparty vulnerable to Denial of Service via Uncaught Exception in filename* parameter parsing
multiparty@4.2.3 and lower versions are vulnerable to denial of service via uncaught exception. By sending a `multipart/form-data` request with a `Content-Disposition: filename*=utf-8''` header containing a malformed percent-encoding (e.g., `%FF`, `%GG`), the parser invokes `decodeURI` o…
multiparty: Denial of Service via Prototype Pollution leads to Uncaught Exception
multiparty@4.2.3 and lower versions are vulnerable to denial of service via uncaught exception. By sending a `multipart/form-data` request with a field name that collides with an inherited `Object.prototype` property (e.g., `__proto__`, `constructor`, `toString`), the parser invokes `.pu…
dynoxide: DNS rebinding and cross-origin CSRF via MCP HTTP transport
dynoxide's MCP HTTP transport was vulnerable to DNS rebinding via its transitive `rmcp` dependency, plus a related cross-origin CSRF gap. A malicious web page could make the user's browser send requests to a local `dynoxide mcp --http` or `dynoxide serve --mcp` server with a non-loopback…
iskorotkov/avro: CPU Exhaustion in Decoder
## Summary
The Avro array and map decoders looped over an attacker-controlled block-count value without checking the underlying reader's error state inside the loop body. `Reader.ReadBlockHeader` returns the count as a Go `int`, …
iskorotkov/avro: Integer Overflow in Decoder
## Summary
Several Avro decoder paths read attacker-controlled 64-bit values from the wire format and either narrowed them to platform-sized `int` before bounds-checking, or summed them with overflow-prone signed-`int` arithmetic. On 32-bit targets (`GOARCH=386`,…
iskorotkov/avro: Denial-of-Service Vulnerability in Decoder
## Summary
The Avro map decoder accepted attacker-controlled block-element counts from the wire format and grew the destination map without enforcing an upper bound. The slice decoder already had `Config.MaxSliceAllocSize` for the e…
ruby-jwt: Empty-key HMAC bypass; cross-language sibling of CVE-2026-44351
`OpenSSL::HMAC.digest('SHA256', '', payload)` returns a valid digest under an empty key, and no `raise
InvalidKeyError if key.empty?` precondition exists in the HMAC algorithm.
```
JWT.decode(token, "", true, algo…
```
async-http-client: Cookie header not stripped on cross-origin redirect
async-http-client leaks `Cookie` headers to cross-origin redirect targets. When following a redirect across a security boundary (different origin, or HTTPS→HTTP downgrade), the `propagatedHeaders()` method in `Redirect30xInterceptor.java` strips `Authorization` and `Proxy-Authorization…
Microsoft APM: Symlinks under `.apm/prompts/` and `.apm/agents/` are dereferenced during `apm install`, copying host-local file contents into the project tree
Two primitive integrators in `apm-cli` enumerate package files with bare `Path.glob()` / `Path.rglob()` calls and read each match with `Path.read_text()`, transparently following symbolic links.
A symlink committed inside a remote APM dependency under `.apm/prompts/<x>.prompt.md` or `.a…
Argo CD: Stored XSS in application link annotations enables developer-to-admin privilege escalation
A user with **application write access (developer role)** can set `link.argocd.argoproj.io/*` annotations on any ArgoCD Application. These annotation values are rendered in the Summary tab's **URLs section** as `<a href>` elements without URL validation. Using the pipe-separator trick (…
Microsoft Security Advisory CVE-2026-35433 – .NET Elevation of Privilege Vulnerability
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0, .NET 9.0, and .NET 10.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
Improper input validatio…
md-fileserver: Stored/Reflected XSS when viewing Markdown (raw HTML allowed)
A cross-site scripting (XSS) vulnerability exists in the application’s Markdown rendering logic. When user-supplied Markdown content is rendered, embedded raw HTML—including <script> tags—is processed and injected into the resulting page without sanitization, allowing arbitrary Jav…
Cleartext storage of HMAC signing key in Amazon SageMaker Python SDK ModelBuilder/Serve path
Amazon SageMaker Python SDK is an open-source library for training and deploying machine learning models on Amazon SageMaker. An issue exists where, under certain circumstances, the ModelBuilder/Serve component stores an HMAC signing key in cleartext as a container environment variable, w…
Docker: Race condition in docker cp allows bind mount redirection to host path
A race condition during `docker cp` mount setup allows a malicious container to redirect a bind mount target to an arbitrary host path, potentially overwriting host files or causing denial of service.
## Details
When copying files into a container, the daemon sets up a temporary filesy…
Docker: `PUT /containers/{id}/archive` executes container binary on the host
When a user uploads a compressed archive into a container, a malicious image can execute arbitrary code with daemon (host root) privileges.
## Details
When handling `PUT /containers/{id}/archive` requests with compressed archives, the daemon decompresses them using external system bina…
Spring AI MCP Security: Unvalidated URL Fetching (SSRF)
The mcp-security framework fails to implement the mandatory SSRF mitigations outlined in the Model Context Protocol (MCP) [security specifications](https://modelcontextprotocol.io/docs/tutorials/security/security_best_practices#mitigation-3). Specifically, it processes untrusted URLs fo…
Parse Server: Pre-authentication denial of service via client version header regex backtracking
An unauthenticated attacker who knows a publicly-known Parse Application ID can submit a single HTTP request whose client SDK version field contains adversarial input that triggers polynomial backtracking in a request-header parser. The parsing runs before session authentication and befo…
@nevware21/ts-utils: Prototype Pollution in objDeepCopy/objCopyProps via for...in without hasOwnProperty
The _copyProps function in lib/src/object/copy.ts uses for...in to iterate over source object properties without an Object.hasOwnProperty check, and does not filter dangerous keys (__proto__, constructor, prototype). This allows an attacker to pollute the prototype chain of all objects i…
containerd user ID handling bypass allows runAsNonRoot evasion
A bug was found in containerd where containers launched with a numeric `User` directive that cannot be parsed as a 32-bit integer are incorrectly treated as a username. If a crafted image provides an `/etc/passwd` file mapping this large numeric string to root, the container ultimately ru…
@hulumi/policies: Stack-wide evidence bypassed Cloudflare and deployment-governance guardrails
Patched in 1.3.2: …
@hulumi/policies: CIS 1.16 admin policy bypass for inline and attached IAM policies
Patched in 1.3.2: the validator inspects the affected policy shapes and includes r…
@hulumi/policies: HULUMI-H1 SecureBucket parent spoof bypass
Patched in 1.3.2: the validator now correlates evidence to the expected component/resource relationship and includes regression …
@hulumi/drift: Orphan reconciler accepted externally supplied execute plans
Patched in 1.3.2: execute-plan handling now validates provenance and rejects untrusted plans, with regressi…
Plonky3 MultiField32Challenger: transcript malleability and challenge entropy loss
- **Key**: `challenger/src/multi_field_challenger.rs` | `MultiField32Challenger::duplexing` | `transcript_malleability`
- **Affected files**: `challenger/src/multi_field_challenger.rs`, `field/src/helpers.rs`
- **Violated invariant**: The Fiat-Shamir sponge must bind challenges to the ex…
Fission runtime pods automount the fission-fetcher service-account token into the user function container, granting function code namespace-wide secret / configmap read
Fission runtime pods were created with `ServiceAccountName: fission-fetcher`, and the `fission-fetcher` ServiceAccount was granted namespace-wide `get` on `secrets` and `configmaps` (it needs that to load function code, env vars, and config). The runtime pod's automounted token was reac…
samlify: XML Injection in AttributeValue Allows Privilege Escalation in Signed SAML Assertions
samlify’s template substitution only escapes attribute contexts. Values inserted into element text (e.g., `<saml:AttributeValue>`) are not escaped. A normal user can inject XML markup into an attribute value (e.g., email, name) and add new `<saml:Attribute>` elements inside the signed …
Windows-MCP: HTTP transports expose unauthenticated PowerShell control with wildcard CORS
There is an issue in the SSE and Streamable HTTP transport modes. The default stdio mode is not affected, but the documented HTTP modes expose the MCP control plane without authentication and add wildcard CORS handling aro…
@angular/platform-server: SSRF via Hostname Hijacking
A Server-Side Request Forgery (SSRF) vulnerability exists in `@angular/platform-server`. The issue stems from how the server-side rendering (SSR) engine processes the request URL provided to the rendering entry points.
When an absolute-form URL (e.g., `http://evil.com`) is passed to the…
FileBrowser Quantum: unauthenticated user share share info
Some sensitive info, such as source and path, can get exposed.
### Patches
Update to the latest version
### Workarounds
no
CamoFox MCP: Unauthenticated HTTP MCP browser-control surface
## Summary
`camofox-mcp` exposed a Streamable HTTP MCP endpoint at `/mcp` with rate limiting but no inbound MCP-layer authentication. When HTTP mode was enabled, any client that could reach `/mcp` could list and invoke browser-con…
libcrux-ml-dsa: Signature Verification on AVX2 Platforms Mishandles Edge Case
the `use_hint` function, mishandling an edge case that should lead to
signature rejection.
## Impact
An attacker could make the ML-DSA verifier accept a crafted invalid
signature under a maliciously generated verification key, i…
libcrux: Potential Panic on Overlong Ciphertext Buffer
than `ptxt.len() + TAG_LEN` to `libcrux_chacha20poly1305::encrypt` or
`libcrux_chacha20poly1305::xchacha20_poly1305::encrypt` would
experience a panic.
## Impact
An application where the length of the ciphertext buffer is under
att…
zrok copy writes attacker-controlled WebDAV paths outside the destination root
Alice runs `zrok2 copy` from a WebDAV or zrok drive controlled by Bob into a local filesystem target. Bob returns a DAV `href` such as `/../outside.txt`. The sync pipeline stores that path in the source inventory and passes it to `FilesystemTarget.WriteStream`, which joins it with the ta…
HAXcms: Mass Token Exfiltration and Cross-Tenant Hijack
An attack chain utilizing **Stored XSS** alongside dynamic token exposure in the `/system/api/connectionSettings` endpoint allows an authenticated attacker to perform a complete cross-tenant account takeover. The API dynamically leaks the active session's authentication tokens (including…
Stored XSS via <iframe> in HAX CMS allows access to sensitive client-side data and account takeover
A stored cross-site scripting (XSS) vulnerability exists in HAX CMS due to improper sanitization of `<iframe>` elements.
The application allows `javascript:` URIs in the `src` attribute, which are executed when a malicious page is viewed. This enables attackers to execute arbitrary Java…
HAX open-apis: Credential Theft via Server-Side Request Forgery (SSRF) in open-apis
Multiple functions conduct substring-only matching to validate hostnames to which basic authorization should be sent. An attacker can append the matched substrings to an attacker-controlled endpoint and capture authentication.
### Details
[api/services/website/cacheAddress.js](https://g…
HAXcms createSite SSRF Enables Arbitrary File Read
An authenticated Server-Side Request Forgery (SSRF) vulnerability in HAXcms allows users to fetch arbitrary internal or local resources and write the responses to a web-accessible directory, enabling arbitrary file read and internal network access.
### Details
The `createSite` endpo…
Scriban: array.insert_at index parameter DoS bypasses LoopLimit and LimitToString
`ArrayFunctions.InsertAt` in Scriban allocates `index - list.Count` null entries in a tight C# `for` loop with no bound on `index`. The function is exposed to template authors as `array.insert_at`, and the fill loop ignores every existing safety control: `LoopLimit`, `LimitToString`, `Ob…
CloakBrowser: Unauthenticated path traversal via fingerprint parameter in cloakserve leads to arbitrary directory deletion
eduMFA Passkeys: missing expiration flag may allow replay attacks and reuse of old challenges
In eduMFA < 2.9.1, userless Passkey/WebAuthn challenges might be replayed and do not expire.
### Patches
Fixed in eduMFA >= 2.9.1 by adding validity information to the userless challenges.
### Workarounds
No known workarounds besides disabling userless login altogether.
eduMFA: Incorrect InnoDB snapshot isolation possibly allows token reusage
For deployments using MySQL or MariaDB < 11.6.2 (or newer with innodb_snapshot_isolation=off) reusage of token values might be possible due to faulty transaction isolation inside the database. Exploiting this requires racing this transaction.
Affected are all tokentypes whose values are …
n8n: Credential exfiltration via Allowed HTTP Request Domains Bypass
The `POST /rest/dynamic-node-parameters/options` endpoint allowed any authenticated user to cause the n8n server to issue HTTP requests including credentials bypassing the intended restrictions on which hosts could be contacted for that credential (Allowed HTTP Request Domains). The user n…
Amazon SageMaker Python SDK is missing integrity verification in its Triton inference handler
Amazon SageMaker Python SDK is an open-source library for training and deploying machine learning models on Amazon SageMaker. An issue exists where, under certain circumstances, the Triton inference handler deserializes model artifacts without performing integrity verification, allowing s…
Pydantic AI: SSRF cloud-metadata blocklist bypass via IPv4-mapped IPv6 (Incomplete fix of CVE-2026-25580)
When an application using Pydantic AI opts a URL into `force_download='allow-local'` (which disables the default block on private/internal IPs), the cloud-metadata blocklist could be bypassed by encoding the metadata IP in an IPv6 transition form (IPv4-mapped IPv6, 6to4, or NAT64). Dual-…
Nezha Monitoring: Nezha WebSocket server stream discloses cross-tenant server telemetry to authenticated members
Any authenticated non-admin member can connect to the server-status WebSocket and receive telemetry for all servers, including servers owned by other users. The normal server list API filters objects by `HasPermission`, but the WebSocket stream treats the presence of any authenticated u…
instagrapi: Unsafe signup challenge path handling in instagrapi
aiograpi: Unsafe signup challenge path handling
FlaskBB: SSRF in get_image_info() via unrestricted avatar URL
A Server-Side Request Forgery (SSRF) vulnerability in get_image_info() allows any authenticated user to force the server to send HTTP requests to arbitrary internal endpoints, including cloud metadata services (e.g., AWS 169.254.169.254). This is a blind SSRF with confirmed internal port …
NocoDB: Missing File Size Enforcement in Upload-by-URL Allows Denial of Service via Disk Exhaustion
The `uploadViaURL` path in the v1/v2 attachment API did not enforce `NC_ATTACHMENT_FIELD_SIZE` against the remote `content-length` or against the response stream. An authenticated user (Editor+) could direct the server to download arbitrarily large files, exhausting disk space and causi…
Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint
Unauthenticated semi-blind Server-Side Request Forgery (SSRF) via the Azure instance identity endpoint (`POST /api/v2/workspaceagents/azure-instance-identity`). An external attacker can force the Coder server to issue HTTP GET requests to arbitrary internal or external hosts by submittin…
HAX CMS: Denial of Service using Malicious Import Request
The HAX CMS NodeJS application crashes when an authenticated attacker sends a specially crafted site creation request to the createSite endpoint. A single request is sufficient to take the entire application offline, requiring a manual server restart to restore service.
### Details
Th…
OpenTelemetry eBPF Instrumentation: Redis error text is exported in span status messages
OBI exports raw Redis error text as the span status message. Because Redis error replies can contain attacker-controlled or sensitive values, this behavior can exfiltrate tokens, PII, or other confidential input into telemetry backends and inject untrusted text into downstream analysis …
Budibase: CouchDB Reduce Injection via Unsanitized Calculation Parameter in V1 Views API
**Affected Software:** Budibase
**Affected Component:** `packages/server/src/api/controllers/view/viewBuilder.ts`, `packages/server/src/api/routes/view.ts`
**CWE:** CWE-94 (Improper Control of Genera…
brace-expansion: Large numeric range defeats documented `max` DoS protection
When expanding a single large numeric range like `{1..10000000}`, the sequence generation loop generates all 10 million intermediate elements before the `max` limit is applied. With `max=10`, the output is correctly limited to 10 items, but the process st…
eduMFA: Unauthenticated Failcounter Increment on Resolver Tokens via /validate/check
If the resolver parameter is passed, but the user does not exist, all failcounters of tokens in that resolver will be increased.
### Patches
This, along with other issues, was fixed in eduMFA v2.9.1.
### Workarounds
Limiting access to `/validate/check` to client applications (i.e. Shibb…
n8n-MCP: Workflow telemetry sanitizer could retain partial values from URL-shaped node parameters
In affected versions of n8n-mcp, the workflow telemetry sanitizer could retain partial fragments of URL-shaped node parameters before sending workflow data to the project's anonymous telemetry backend. Values placed in HTTP-Request-style node parameters — such as customer or tenant ide…
n8n: Legacy ExecuteWorkflow Node Bypassed File Path Restrictions
The `ExecuteWorkflow` node's `localFile` source option read workflow files from disk without applying checks enforced by other file-reading nodes. An authenticated user with permission to create or modify workflows could supply an arbitrary file path via the REST API, bypassing the `N8N_RE…
Klever-Go KVM read-only execution can commit contract delete and upgrade side effects
**Fixed in `v1.7.17`.** Operators running `< v1.7.17` should upgrade. Contract delete and upgrade host-core paths now reject execution when `runtime.ReadOnly()` is true. The invariant is regression-tested for delete, upgrade, storage writes, value transfers, and any VM output fiel…
Argo CD: Kubernetes Secret Extraction via ArgoCD ServerSideDiff via sensitive annotations
The original fix for [GHSA-3v3m-wc6v-x4x3](https://github.com/argoproj/argo-cd/security/advisories/GHSA-3v3m-wc6v-x4x3) is incomplete. `argocd app diff --server-side-diff` can still expose Kubernetes Secret values embedded in the `kubectl.kubernetes.io/last-applied-configuration` annotation.…
Arcane Backend: OS Command Injection in Volume Browser ListDirectory via path query parameter
`GET /environments/{id}/volumes/{volumeName}/browse` accepts a `path` query parameter that is passed to a shell command (`sh -c "find … | while …"`) inside an Arcane helper container. The path sanitiser blocks `../` traversal but does not strip Bourne-shell metacharacters such as `$(…
ImageMagick: Heap Buffer Over-Write in json and yaml encoder of a single byte due to incorrect fix
OpenMcdf: Uncatchable infinite loop in DirectoryTree.TryGetDirectoryEntry on crafted CFB directory cycle
The BST name-lookup loop in `DirectoryTree.TryGetDirectoryEntry` (`OpenMcdf/DirectoryTree.cs:35-46`) walks directory entries by repeatedly calling `directories.TryGetSibling(child, siblingType, validateColor)`. A crafted CFB file with cyclic Left/Right sibling links among directory entri…
ImageMagick: Stack overflow in fx operation
ImageMagick: Use-After-Free in MSL decoder.
NocoDB: Reflected Cross-Site Scripting via Page Leaving Redirect URL
A reflected XSS vulnerability exists in the Page Leaving Warning page. The `ncRedirectUrl` and `ncBackUrl` query parameters are used in `window.location.href` and `<a>` tag bindings without validation, allowing `javascript:` URI injection.
### Details
`PageLeavingWarning.vue` reads `ncR…
Apify Model Context Protocol (MCP) server: Domain Allowlist Bypass in fetch-apify-docs via String Prefix Matching
The `fetch-apify-docs` tool validates URLs against a domain allowlist using `String.startsWith()` instead of proper URL hostname comparison. This allows bypass via attacker-controlled subdomains (e.g., `https://docs.apify.com.evil.com/`), enabling the tool to fetch and return arbitrary w…
Docker: Race condition in docker cp allows creation of arbitrary empty files on the host via symlink swap
A race condition during `docker cp` mount setup allows a malicious container to create empty files or directories at arbitrary absolute paths on the host filesystem.
This advisory covers the race during mountpoint creation. The related race during the subsequent mount syscall is tracked…
nimiq-primitives: BlockInclusionProof interlink issue when hops are empty
A logic flaw in `BlockInclusionProof::is_block_proven` causes the function to return true without performing any cryptographic verification when `get_interlink_hops` yields an empty hop list. This occurs when the target block is at the election block position immediately preceding the ele…
Mailpit: Concurrent map read & write in proxy CSS rewriter – remote unauth crash (fatal error: concurrent map read and map write)
The screenshot/print proxy (/proxy?data=…) maintains a package-level assets map[string]MessageAssets cache, but reads the map without holding assetsMutex while a long-running cleanup goroutine and (re-entrant) CSS-rewriting code path concurrently write to it under the lock. When the un…
Mailpit: Path traversal & arbitrary file write in mailpit dump --http via attacker-controlled message IDs
The `mailpit dump --http <base-url> <out-dir>` sub-command downloads every message from a remote Mailpit instance and writes each one as `<id>.eml` inside the user-supplied output directory. The message ID field is taken verbatim from the JSON response of the remote server and concatenated i…
OpenTelemetry eBPF Instrumentation: CPU-mismatch fallback uses 256-byte buffer with 8KB size
The per-CPU message-buffer fallback path uses a 256-byte backup buffer but preserves the original payload size, which can be up to 8KB. If a CPU mismatch occurs, OBI can read beyond the fallback buffer and leak adjacent memory into telemetry.
### Details
https://github.com/open-teleme…
OpenTelemetry eBPF Instrumentation: Unbounded BPF internal metrics replay can exhaust CPU
OBI replays BPF probe hits into histogram observations by looping once per recorded run count. On busy systems, the run-count delta can become very large, causing the metrics exporter to spend excessive CPU time in a tight loop every collection interval.
### Details
The vulnerable loo…
NocoDB: Shared-base link access can invite arbitrary users as persistent base members
Shared-base sessions were granted the same base-member capabilities as authenticated viewers. Using only the shared-base UUID (`xc-shared-base-id`), an attacker could enumerate base members and invite an arbitrary email into the base as a real member. The invited user could then redeem …
Mailpit has an incomplete fix for GHSA-6jxm: HTML check still permits SSRF to private/loopback/IMDS via missing IP-filter dialer
The fix for GHSA-6jxm-fv7w-rw5j (CVE-2026-23845, "Server-Side Request Forgery (SSRF) via HTML Check API"), shipped in mailpit `v1.28.3`, hardened `internal/htmlcheck/css.go::downloadCSSToBytes` with a 5MB size cap, a `text/css` content-type check, login-info stripping in `isValidURL`, an…
ImageMagick: Heap Buffer Over-Read in distributed pixel cache server
ImageMagick: Out-of-Bounds Read in connected components when the user supplies an invalid keep-top define
fabric-chaincode-java: TLS Private Key Password Disclosed in INFO Startup Logs in Chaincode-as-a-Service Mode
ImageMagick: Heap Buffer Over-Write in MIFF encoder when using LZMA compression
OpenTelemetry eBPF Instrumentation: Unsafe fastelf parsing allows malformed ELF to crash agent
OBI's replacement ELF parser trusts section offsets, counts, and string offsets from the executable file. A crafted local ELF can make OBI dereference invalid section pointers or slice past string tables, causing the agent to panic while determining the process language.
### Details
`…
Nezha Monitoring: RoleMember can fire other users' cron tasks via AlertRule.FailTriggerTasks (no ownership check)
`createAlertRule` and `createService` (and their `update*` siblings) accept `FailTriggerTasks []uint64` and `RecoverTriggerTasks []uint64` — IDs of cron tasks to fire when the alert/service trips. The validation function only validates the alert's `Rules.Ignore` server map; it never ch…
NocoDB: Refresh Token Cookie Set Without `secure` and `sameSite` Flags
The refresh-token cookie was set with `httpOnly: true` but missing both the `secure` flag and the `sameSite` attribute. Over plain HTTP the cookie could be intercepted on the network; without `sameSite`, browsers attached it to cross-site POSTs, enabling CSRF against the token-refresh e…
Umbraco.Cms: Open Redirect Vulnerability in Surface Controllers
Some of the Surface Controllers that the CMS provides to support member-related operations fail to validate redirect URLs, making Razor templates that derive 'RedirectUrl' from user-controlled query parameters vulnerable to malicious redirect attacks.
### Patches
The issue is resolved in ve…
Caddy: Remote Admin Authorization Bypass in `/config` API via Array Index Normalization
The issue here is that the authorization layer and the `/config` traversal layer do **not agree on what object the path refers to**.
In this case, a path authorized for one config object is accepted, but then resolves to a **diffe…
go-git: Crafted repositories may modify main and submodule .git directories
A path validation issue in `go-git` could allow crafted repository data to affect files outside the intended checkout target, including the repository's `.git` directory.
These validations were introduced in upstream Git years ago, so the vulnerability arose from go-git drifting from tho…
Budibase: Row Action Trigger Bypasses View Row Filter Security Boundary Allowing Action on Out-of-Scope Rows
The row action trigger endpoint (`POST /api/tables/:sourceId/actions/:actionId/trigger`) fails to validate that the user-supplied `rowId` is within the scope of the view's row filters. A user with access to a filtered view can trigger row actions on any row in the underlying table, inclu…
qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set
`qs.stringify` throws `TypeError` when called with `arrayFormat: 'comma'` and `encodeValuesOnly: true` on an array containing `null` or `undefined`. The throw is synchronous and not handled by any of qs's null-related options (`skipNulls`, `strictNullHandling`).
### Details
In the com…
nimiq-blockchain: Genesis batch set request
A remote peer can crash any full node by sending a RequestBatchSet message containing the genesis block's hash. The handler calls `get_epoch_chunks` which iterates backwards through macro blocks using `Policy::macro_block_before`. When it reaches the genesis block number, `macro_block_bef…
protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion
protobufjs could recurse without a depth limit while expanding nested JSON descriptors through `Root.fromJSON()` and `Namespace.addJSON()`.
A crafted JSON descriptor with deeply nested namespace definitions could cause the JavaScript call stack to be exhausted during descriptor loading.…
Algernon: Auto-refresh SSE event server binds to all interfaces with Access-Control-Allow-Origin: * and no authentication
When auto-refresh is enabled, Algernon spins up an SSE handler that streams a `data:` line for every filesystem event under the watched directory. The handler performs **no authentication** of any kind — no shared token, no cookie check against the `permissions2` userstate, no IP allo…
ImageMagick: Policy Bypass in MNG coder could
NiceGUI: Unauthenticated log-volume denial of service in dynamic resource routes
Two FastAPI routes that serve per-component static assets in NiceGUI accept a sub-path parameter that may resolve to a directory rather than a file. Requests that resolve to a directory raise an unhandled `RuntimeError` inside Starlette's `FileResponse`, which Uvicorn writes to the serv…
ImageMagick: Policy Bypass in PSD decoder
ImageMagick: Out-of-Bounds Read of a single byte in meta encoder
webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins
When webpack-dev-server is running on a non-HTTPS origin (the default), cross-origin requests from malicious websites can load the dev server's JavaScript bundles via `<script>` tags. The fix introduced in v5.2.1 (CVE-2025-30359) relied on `Sec-Fetch-Mode` and `Sec-Fetch-Site` request he…
ImageMagick: Heap Buffer Over-Read of 4 bytes in distort operation.
OpenTelemetry eBPF Instrumentation: CappedConcurrentHashMap leaks keys after removals
The custom `CappedConcurrentHashMap` introduced for Java TLS state tracking never removes keys from its insertion-order queue when entries are deleted. In long-running instrumented JVMs, repeated connection churn can therefore grow the queue without bound and exhaust heap memory.
### D…
ImageMagick: Heap Buffer Over-Read in IPTC encoder
pyload-ng: SSRF via HTTP Redirect Bypass in parse_urls API
The SSRF mitigation added in commit `33c55da` for GHSA-7gvf-3w72-p2pg is incomplete. The `PREREQFUNCTION`-based private IP check was correctly applied to `HTTPChunk` (download path) but not to `HTTPRequest` (used by the `parse_urls` API). An authenticated attacker can supply a URL pointi…
OpenTelemetry eBPF Instrumentation: Log enricher writev path can overread and overwrite user buffers
OBI's log enricher mishandles `writev` buffers by reading only the first `iovec` entry but using the total `iov_iter.count` as the copy length. When log injection is enabled, a crafted multi-segment `writev` call can make OBI read and overwrite memory beyond the first segment.
### Deta…
Umbraco.Cms: XSS/HTML Injection in Umbraco Backoffice confirmation dialog
Authenticated users are able to inject HTML into an input field, which is rendered in the confirmation dialog without proper output encoding.
### Patches
This issue has been patched in 17.4.0.
Rust OneNote File Parser: Path traversal in `Parser::parse_notebook` allows reading files outside the notebook directory
A maliciously crafted `.onetoc2` table-of-contents file can cause `Parser::parse_notebook` to open arbitrary files on the host filesystem outside the notebook's directory. The parser reads entry names listed inside the `.onetoc2` and joins them against the notebook's base directory withou…
ws: Uninitialized memory disclosure
The `websocket.close()` implementation is vulnerable to uninitialized memory disclosure when a `TypedArray` is passed as the reason argument.
### Proof of concept
```js
import { deepStrictEqual } from 'node:assert';
import { WebSocket, WebSocketServer } from 'ws';
const wss = new WebS…
```
SQLAdmin: Authorization Bypass on `ajax_lookup`
The `ajax_lookup` endpoint in `application.py` bypasses the `is_accessible()` access control check that all other endpoints enforce.
If a developer restricts model access by overriding `is_accessible()`, an authenticated user can still query that model's data through the `ajax_lookup` e…
NocoDB: SSRF Protection Bypass in Notification Webhook Plugins (Slack, Discord, Mattermost, Teams)
The `request-filtering-agent` SSRF protection was non-functional in the four notification webhook plugins (Slack, Discord, Mattermost, Teams) because `httpAgent` / `httpsAgent` were passed as part of the request **body** rather than the axios **config**. An authenticated user with hook-…
nimiq-keys: Denial of service in Ed25519 multisig delinearization via invalid curve points
A denial-of-service vulnerability exists in the Ed25519 multisig delinearization code path. `Ed25519PublicKey::delinearize()` in `keys/src/multisig/mod.rs` called `.unwrap()` on curve point decompression, which panics when a public key is
constructed from 32 bytes that do not represent a…
Algernon: Auto-refresh SSE event server sets Access-Control-Allow-Origin: *
The SSE event server's `Access-Control-Allow-Origin` response header was hardcoded to the wildcard `*` regardless of the caller's `Origin`. Because `EventSource` does not preflight and does not send cookies, the wildcard is sufficient to let any third-party page the developer visits ope…
Algernon: Auto-refresh SSE event server binds to all interfaces by default on Linux/macOS
The SSE event server bound to `0.0.0.0:5553` on Linux/macOS by default because the platform-dependent host default in `engine/flags.go:39-46` set `host = ""` for non-Windows, and `utils.JoinHostPort("", ":5553")` resolves to `":5553"` — a Go `http.Server.Addr` of `":5553"` listens on …
Regression in pymdownx.snippets reintroduces sibling-prefix path traversal bypass despite restrict_base_path
`pymdownx.snippets` has a regression of the CVE-2023-32309 / GHSA-jh85-wwv9-24hv fix. With `restrict_base_path: True` (the default), the current `filename.startswith(base)` containment check does not enforce a directory boundary. As a result, a markdown snippet directive can read files fr…
Caddy: Remote Admin Authorization Bypass on PKI Endpoints via Prefix-Based Path Matching
I used an LLM to help review the source code, reason about attack surface, and help draft and refine this report.
I manually validated the finding by reproducing it locally, confirming the vulnerable code path, and verifying the HTTP behavior with `curl -v`.
## Summary
Ca…
Budibase: Missing Cache Invalidation on Public API Role Unassignment Allows Revoked Users to Retain Privileges for Up to 1 Hour
The public API role unassignment endpoint (`POST /api/public/v1/roles/unassign`) updates user documents in CouchDB but does not invalidate the corresponding Redis user cache entries. Because the authentication middleware resolves user identity and permissions from this cache (TTL: 3600 s…
ImageMagick: Information Disclosure in distributed pixel cache server because it is not using a challenge–response authentication model
ImageMagick: Race Condition in distributed pixel cache server can result in file descriptor hijacking
ImageMagick: Heap Buffer Over-Write in distributed pixel cache server
ImageMagick: Heap Buffer Over-Write of a single byte in the JP2 encoder.
Flask-Security-Too OAuth reauthentication freshness bypass via cross-user OAuth identity acceptance
Flask-Security-Too 5.8.0's OAuth reauthentication flow can mark a
session as fresh after verifying an OAuth account that belongs to a
different user.
If an attacker can operate an already-authenticated but stale victim
session, they can complete OAuth verification using their…
@hulumi/baseline: CloudTrail selector tampering events were not fully detected
Patched in 1.3.2: detection coverage and regression tests were expanded.
Remediation: upgrade @hulumi/baseline to 1.3.2 or late…
Fission builder accepts arbitrary buildcmd strings from Environment.spec.builder.command, allowing the builder pod to invoke arbitrary executables
Before the round-1 security sweep, `pkg/builder/builder.go` passed `Environment.spec.builder.command` directly into `exec.Command(…)` after a `strings.Fields` split, with no validation of the executable path or its arguments. A user who could create or update `Environment` CRDs in a n…
@sveltejs/kit: `query.batch` cross-talk
Mobile Verification Toolkit (MVT): Path Traversal via unsanitized File identifiers in iOS Backup processing
The `fileID` field from `Manifest.db` (a SQLite database inside iOS backups, generated by the device) is used directly in filesystem path construction without validation. This affects two commands through a shared code path:
- **`mvt-ios decrypt-backup`** (`decrypt.py`): `file_id` is u…
Flowise: Cross-Workspace Chatflow Disclosure via chatflows/apikey Endpoint Returns All Unprotected Chatflows
The `/api/v1/chatflows/apikey/:apikey` endpoint (whitelisted, accessible with API key auth only) returns all chatflows bound to the provided API key AND all chatflows across the entire system that have no API key assigned. This crosses workspace boundaries, allowing a user in Workspace A…
Flowise: Mass Assignment in PUT /api/v1/user Allows Authenticated Users to Override Password Hash and Bypass Password Change Verification
A Mass Assignment vulnerability in the PUT /api/v1/user endpoint allows authenticated users to directly modify restricted user fields, including the credential (password hash), bypassing the intended password change workflow.
Because the endpoint forwards the entire request body to the …
Flowise: Hardcoded CORS wildcard on TTS endpoint enables cross-origin credential abuse from any webpage
The TTS generation endpoint sets `Access-Control-Allow-Origin: *` as a hardcoded response header, independent of the server's CORS configuration. This enables any webpage to make cross-origin requests to generate speech using stored credentials.
### Root Cause
```typescript
// package…
```
RTK improperly trusts project-local filter configuration, allowing silent tampering of command output shown to LLM
rust-openssl: Potential out-of-bounds write in `CipherCtxRef::cipher_update_inplace` for AES-KW-PAD ciphers
Turbo: Login callback CSRF/session fixation
Turborepo's self-hosted login and SSO browser flows did not validate a CSRF state value on the localhost callback. While the CLI was waiting for authentication, a malicious web page could send a request to the local callback server with an attacker-controlled token. If accepted before th…
Diesel: Command injection in Diesel's implementation of `COPY FROM`/`COPY TO`
Diesel did not check if any of these user-provided options contain a quote character `'`, which can lead to the injection of ad…
Diesel: Possible unaligned data access for implementations of `SqliteAggregate`
To store an instance of the custom aggregate processor Diesel relied on the `sqlite3_aggregate_context` function provided by sqlite. This function doesn't provide any guarantees about alignment …
Caddy CVE-2026-30852 Fix Bypass
## TL;DR
CVE-2026-30852 fixed double expansion in `vars_regexp` when the variable key is a placeholder (e.g. `{http.vars.x}`). The fix does NOT protect literal key names (e.g. `tenant_id`). An attacker injects `{env.AWS_SECRET_ACCESS_KEY}` or `{file./etc/passwd}` via a request header → Caddy …
Kong Ingress Controller for Kubernetes (KIC): Cross-namespace TLS Secret Exfiltration in Gateways with GatewayClass missing `konghq.com/gatewayclass-unmanaged: 'true'` annotation
A vulnerability in the Kong Ingress Controller (KIC) allows for the unauthorized exfiltration of TLS certificates and private keys across Kubernetes namespace boundaries. In "managed" mode (where the `GatewayClass` lacks an unmanaged annotation), the Gateway TLS translator skips critical…
Kong Ingress Controller for Kubernetes (KIC): Secret-backed plugin configurations leak through non-sensitive diagnostics endpoint
A vulnerability in the Kong Ingress Controller (KIC) allows for the unauthorized exposure of sensitive plugin credentials through the diagnostics interface. Even when configured to redact sensitive information (using `--dump-sensitive-config=false`), KIC fails to sanitize the `Plugins` f…
Envoy AI Proxy – MCP Message Smuggling Vulnerability
According…
Nuxt: Dev server exposes built source over LAN to malicious sites (incomplete fix for GHSA-4gf7-ff8x-hq99)
This is an incomplete fix for [GHSA-4gf7-ff8x-hq99](https://github.com/nuxt/nuxt/security/advisories/GHSA-4gf7-ff8x-hq99). Source code may be stolen during dev when using the webpack / rspack builder if the dev server is bound to a non-loopback address (e.g. `nuxt dev --host`) and the de…
Nuxt: Reflected XSS in `navigateTo()` external redirect
`navigateTo()` with `external: true` generates a server-side HTML redirect body containing a `<meta http-equiv="refresh">` tag. The destination URL is only sanitized by replacing `"` with `%22`, leaving `<`, `>`, `&`, and `'` unencoded. An attacker who can influence the URL passed to `na…
HAX CMS: Stored XSS via '<video-player>' component allows arbitrary JavaScript execution and token theft
A stored cross-site scripting (XSS) vulnerability exists in HAX CMS due to improper sanitization of the `<video-player>` component.
The component allows `javascript:` URIs in the `source` attribute, which are executed when the page is viewed. This enables attackers to execute arbitrary …
Internationalized Domain Names in Applications (IDNA): Specially crafted inputs to idna.encode() can bypass CVE-2024-3651 fix
### Im…
Microsoft DirectX12: .spritefont multiply overflow only in 32-bit builds
The spritefont reader can be induced to perform a 32-bit overflow multiply that could in theory result in a RCE.
This impacts the use of the *DirectX Tool Kit* **SpriteFont** class file loading ctor if given untrusted data files.
> Note this only applies to x86/ARM builds of the library…
Microsoft DirectX: .spritefont multiply overflow only in 32-bit builds
The spritefont reader can be induced to perform a 32-bit overflow multiply that could in theory result in a RCE.
This impacts the use of the *DirectX Tool Kit* **SpriteFont** class file loading ctor if given untrusted data files.
> Note this only applies to x86/ARM builds of the library…
Neotoma: Unauthenticated Inspector/API access via reverse-proxy loopback auth bypass
In affected deployments, the REST auth middleware can resolve unauthenticated requests as the local development user, making the h…