GHSA-4C4X-JM2X-PF9J Rekor affected by Server-Side Request Forgery (SSRF) via provided public key URL
Summary /api/v1/index/retrieve supports retrieving a public key via a user-provided URL, allowing attackers to trigger SSRF to arbitrary internal services. Since the SSRF only can trigger GET requests, the request cannot mutate state. The response from the GET request is not returned to the calle...
GHSA-F67F-6CW9-8MQ4 Hono JWT Middleware's JWT Algorithm Confusion via Unsafe Default (HS256) Allows Token Forgery and Auth Bypass
Summary A flaw in Hono’s JWK/JWKS JWT verification middleware allowed the JWT header’s alg value to influence signature verification when the selected JWK did not explicitly specify an algorithm. This could enable JWT algorithm confusion and, in certain configurations, allow forged tokens to be...
CVE-2022-31027
OAuthenticator is an OAuth token library for the JupyterHub login handler. CILogonOAuthenticator is provided by the OAuthenticator package, and lets users log in to a JupyterHub via CILogon. This is primarily used to restrict a JupyterHub only to users of a given institute. The allowedidps...
CVE-2025-13353
In gokey versions 0.2.0, a flaw in the seed decryption logic resulted in passwords incorrectly being derived solely from the initial vector and the AES-GCM authentication tag of the key seed. This issue has been fixed in gokey version 0.2.0. This is a breaking change. The fix has invalidated any...
EUVD-2023-2056
Malicious code in bioql PyPI...
EUVD-2022-0169
Malicious code in bioql PyPI...
OESA-2025-2232 python-eventlet security update
Eventlet is a concurrent networking library for Python that allows you to change how you run your code, not how you write it. Security Fixes: Eventlet is a concurrent networking library for Python. Prior to version 0.40.3, the Eventlet WSGI parser is vulnerable to HTTP Request Smuggling due to...
Cross-site Request Forgery (CSRF)
Overview github.com/justinas/nosurf is an HTTP package for Go that helps you prevent Cross-Site Request Forgery attacks. Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) due to the misuse of the net/http library. An attacker can bypass CSRF checks and issue...
Fedora 40 : rpki-client (2025-d5fdbedb7f)
The remote Fedora 40 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2025-d5fdbedb7f advisory. rpki-client 9.5 - rpki-client now includes arin.tal which is no longer legally encumbered. See https://www.arin.net/announcements/20250116-tal/ - rpki-client...
Fedora 41 : rpki-client (2025-17fed14cc3)
The remote Fedora 41 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2025-17fed14cc3 advisory. rpki-client 9.5 - rpki-client now includes arin.tal which is no longer legally encumbered. See https://www.arin.net/announcements/20250116-tal/ - rpki-client...
GHSA-6FGM-X6FF-W78F Potential Denial-of-Service condition leading to temporary disability in IBC transfers to the native chain
Impact Chains using affected versions of Packet Forward Middleware in their IBC Transfer stack are vulnerable to an attack in which there is a potential denial of service. This affects IBC transfers for any asset which is being transferred between another chain and its native chain. We recommend...
AZL-52266 CVE-2024-51744 affecting package prometheus for versions less than 2.37.9-4
golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in ParseWithClaims can lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by...
AZL-52201 CVE-2024-51744 affecting package keda for versions less than 2.14.1-7
golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in ParseWithClaims can lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by...
PT-2024-5315 · Ibm · Ibm I
Name of the Vulnerable Software and Affected Versions: IBM i versions 7.2 through 7.5 Description: The issue is related to insufficient authority requirements, allowing a local user without administrator privileges to configure a physical file trigger. This can lead to the execution of the trigge...
GHSA-2J6R-9VV4-6GF5 github.com/bincyber/go-sqlcrypter vulnerable to IV collision
There is a risk of an IV collision using the awskms or aesgcm provider. NIST SP 800-38D section 8.3 states that it is unsafe to encrypt more than 2^32 plaintexts under the same key when using a random IV. The limit could easily be reached given the use case of database column encryption...
Laravel Guard bypass in Eloquent models
In Laravel releases before 6.18.34 and 7.23.2, it was possible to mass assign Eloquent attributes that included the model's table name: $model->fill(['users.name' => 'Taylor']); When doing so, Eloquent would remove the table name from the attribute for you. This was a "convenience" feature of Eloquent...
Laravel Cookie serialization vulnerability
Laravel 5.6.30 is a security release of Laravel and is recommended as an immediate upgrade for all users. Laravel 5.6.30 also contains a breaking change to cookie encryption and serialization logic. Refer to laravel advisory for more details and read the notes carefully when upgrading your...
Design/Logic Flaw
mx-chain-go is the official implementation of the MultiversX blockchain protocol, written in golang. When executing a relayed transaction, if the inner transaction failed, it would have increased the inner transaction's sender account nonce. This could have contributed to a limited DoS attack on ...