Lucene search
K

610 matches found

OSV
OSV
added 2026/03/07 3:57 p.m.5 views

CVE-2026-30832 Soft Serve: SSRF via unvalidated LFS endpoint in repo import

Soft Serve is a self-hostable Git server for the command line. From version 0.6.0 to before version 0.11.4, an authenticated SSH user can force the server to make HTTP requests to internal/private IP addresses by running repo import with a crafted --lfs-endpoint URL. The initial batch request is...

9.1CVSS5.8AI score0.00328EPSS
Exploits1References5
Snyk
Snyk
added 2026/03/06 10:16 p.m.5 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the --lfs-endpoint parameter during repository import. An attacker can cause the server to send HTTP requests to internal or private IP addresses, potentially accessing sensitive internal services or...

9.1CVSS5.8AI score0.00328EPSS
Exploits1References2
OSV
OSV
added 2026/03/06 10:16 p.m.5 views

GHSA-3FVX-XRXQ-8JVV soft-serve vulnerable to SSRF via unvalidated LFS endpoint in repo import

While auditing the codebase in the wake of the webhook SSRF fix shipped in v0.11.1 GHSA-vwq2-jx9q-9h9f, it was identified that the LFS import path was never given the same treatment. The webhook fix introduced dual-layer SSRF protection — ValidateWebhookURL at creation time and secureHTTPClient...

9.1CVSS6AI score0.00328EPSS
Exploits1References5
RedhatCVE
RedhatCVE
added 2026/03/06 7:45 p.m.5 views

CVE-2026-25921

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, overwritable LFS object across different repos leads to supply-chain attack, all LFS objects are vulnerable to be maliciously overwritten by malicious attackers. This issue has been patched in version 0.14.2...

9.3CVSS5.7AI score0.00327EPSS
Exploits1References1
OSV
OSV
added 2026/03/06 12:41 p.m.4 views

OESA-2026-1511 python-django security update

A high-level Python Web framework that encourages rapid development and clean, pragmatic design. Security Fixes: An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Race condition in file-system storage and file-based cache backends in Django allows an attacker ...

3.7CVSS5.8AI score0.00341EPSS
Exploits0References2
OSV
OSV
added 2026/03/06 12:41 p.m.3 views

OESA-2026-1510 python-django security update

A high-level Python Web framework that encourages rapid development and clean, pragmatic design. Security Fixes: An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Race condition in file-system storage and file-based cache backends in Django allows an attacker ...

3.7CVSS5.8AI score0.00341EPSS
Exploits0References2
OSV
OSV
added 2026/03/06 12:41 p.m.5 views

OESA-2026-1509 python-django security update

A high-level Python Web framework that encourages rapid development and clean, pragmatic design. Security Fixes: An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Race condition in file-system storage and file-based cache backends in Django allows an attacker ...

3.7CVSS5.8AI score0.00341EPSS
Exploits0References2
OSV
OSV
added 2026/03/06 12:41 p.m.5 views

OESA-2026-1508 python-django security update

A high-level Python Web framework that encourages rapid development and clean, pragmatic design. Security Fixes: An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Race condition in file-system storage and file-based cache backends in Django allows an attacker ...

3.7CVSS5.8AI score0.00341EPSS
Exploits0References2
OSV
OSV
added 2026/03/06 12:41 p.m.5 views

OESA-2026-1506 python-django security update

A high-level Python Web framework that encourages rapid development and clean, pragmatic design. Security Fixes: An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Race condition in file-system storage and file-based cache backends in Django allows an attacker ...

3.7CVSS5.8AI score0.00341EPSS
Exploits0References2
OSV
OSV
added 2026/03/06 12:3 p.m.6 views

RLSA-2026:3928 Important: git-lfs security update

Git Large File Storage LFS replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while storing the file contents on a remote server. Security Fixes: crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted...

7.5CVSS6.8AI score0.01945EPSS
Exploits3References4
Tenable Nessus
Tenable Nessus
added 2026/03/06 12:0 a.m.1 views

RHEL 9 : git-lfs (RHSA-2026:3931)

The remote Redhat Enterprise Linux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2026:3931 advisory. Git Large File Storage LFS replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while...

7.5CVSS7.3AI score0.01945EPSS
Exploits2References6
Tenable Nessus
Tenable Nessus
added 2026/03/06 12:0 a.m.5 views

Oracle Linux 9 : git-lfs (ELSA-2026-3928)

The remote Oracle Linux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the ELSA-2026-3928 advisory. 3.6.1-7 - Rebuild with new Golang - Resolves: RHEL-146860, RHEL-149620 3.6.1-6 - Rebuild with new Golang - Resolves: RHEL-147080 3.6.1-5 - Rebuild with...

10CVSS5.9AI score0.01945EPSS
Exploits3References4
Tenable Nessus
Tenable Nessus
added 2026/03/06 12:0 a.m.5 views

RHEL 9 : git-lfs (RHSA-2026:3929)

The remote Redhat Enterprise Linux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2026:3929 advisory. Git Large File Storage LFS replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while...

10CVSS6.7AI score0.01945EPSS
Exploits3References8
Tenable Nessus
Tenable Nessus
added 2026/03/06 12:0 a.m.3 views

RHEL 9 : git-lfs (RHSA-2026:3932)

The remote Redhat Enterprise Linux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2026:3932 advisory. Git Large File Storage LFS replaces large files such as audio samples, videos, datasets, and graphics with text pointers inside Git, while...

7.5CVSS5.9AI score0.01945EPSS
Exploits2References6
Snyk
Snyk
added 2026/03/05 9:13 p.m.5 views

Insufficient Verification of Data Authenticity

Overview Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity in the handling of LFS object uploads. An attacker can overwrite existing LFS objects across different repositories by uploading objects with the same identifier, potentially leading to...

9.3CVSS5.8AI score0.00327EPSS
Exploits1References2
Snyk
Snyk
added 2026/03/05 9:13 p.m.5 views

Insufficient Verification of Data Authenticity

Overview Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity in the handling of LFS object uploads. An attacker can overwrite existing LFS objects across different repositories by uploading objects with the same identifier, potentially leading to...

9.3CVSS5.8AI score0.00327EPSS
Exploits1References2
Snyk
Snyk
added 2026/03/05 9:13 p.m.7 views

Insufficient Verification of Data Authenticity

Overview Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity in the handling of LFS object uploads. An attacker can overwrite existing LFS objects across different repositories by uploading objects with the same identifier, potentially leading to...

9.3CVSS5.8AI score0.00327EPSS
Exploits1References2
Snyk
Snyk
added 2026/03/05 9:13 p.m.6 views

Insufficient Verification of Data Authenticity

Overview Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity in the handling of LFS object uploads. An attacker can overwrite existing LFS objects across different repositories by uploading objects with the same identifier, potentially leading to...

9.3CVSS5.8AI score0.00327EPSS
Exploits1References2
NVD
NVD
added 2026/03/05 7:16 p.m.12 views

CVE-2026-25921

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, overwritable LFS object across different repos leads to supply-chain attack, all LFS objects are vulnerable to be maliciously overwritten by malicious attackers. This issue has been patched in version 0.14.2...

9.3CVSS0.00327EPSS
Exploits1References4
Github Security Blog
Github Security Blog
added 2026/03/05 7:14 p.m.7 views

Gogs: Cross-repository LFS object overwrite via missing content hash verification

Summary Overwritable LFS object across different repos leads to supply-chain attack, all LFS objects are vulnerable to be maliciously overwritten by malicious attackers. Details Gogs store all LFS objects in the same place, no isolation between different repositories. repo id not concatenated to...

9.3CVSS5.8AI score0.00327EPSS
Exploits1References6Affected Software1
Rows per page
Query Builder