RustFS has a gRPC Hardcoded Token Authentication Bypass
Vulnerability Overview Description RustFS implements gRPC authentication using a hardcoded static token "rustfs rpc" that is: 1. Publicly exposed in the source code repository 2. Hardcoded on both client and server sides 3. Non-configurable with no mechanism for token rotation 4. Universally vali...
SUSE CVE-2025-68937
Forgejo before 13.0.2 allows attackers to write to unintended files, and possibly obtain server shell access, because of mishandling of out-of-repository symlink destinations for template repositories. This is also fixed for 11 LTS in 11.0.7 and later...
FreeBSD : Forgejo -- Symbolic Link (Symlink) Following (963f4e9d-e4d5-11f0-984f-b42e991fc52e)
The version of FreeBSD installed on the remote host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the 963f4e9d-e4d5-11f0-984f-b42e991fc52e advisory. https://codeberg.org/forgejo/forgejo/src/branch/forgejo/release-notes-published/13.0.2.md reports:...
CLSA-2025-1767003835 git-lfs: Fix of CVE-2025-26625
CVE-2025-26625: prevent git lfs checkout and git lfs pull write outside repo...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code associated with the Shai-hulud supply chain attacks. The malware functions as a self-replicating worm that spreads via npm dependencies to compromise developer environments;...
Arbitrary File Write
github.com/git-lfs/git-lfs is vulnerable to arbitrary file write. The vulnerability is due to Git LFS not validating symbolic or hard links before writing files during git lfs checkout or git lfs pull, which allows an attacker to craft a malicious repository that causes Git LFS to write to...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization via inadequate enforcement of branch delete permissions after merging a pull request. An attacker can delete arbitrary branches. Remediation Upgrade code.gitea.io/gitea/services/repository to version 1.22.5 or...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization via inadequate enforcement of branch delete permissions after merging a pull request. An attacker can delete arbitrary branches. Remediation Upgrade github.com/go-gitea/gitea/services/repository to version 1.22.5...
CVE-2025-68937
A flaw was found in Forgejo. This vulnerability allows a remote attacker to write to unintended files and potentially gain server shell access. The flaw occurs due to mishandling of symlink destinations that point outside of the repository when processing template repositories. This could lead to...
UNIX Symbolic Link (Symlink) Following
Overview Affected versions of this package are vulnerable to UNIX Symbolic Link (Symlink) Following via the mishandling of symlink destinations while evaluating template repos. An attacker can write to unintended files and potentially gain shell access on the server by creating out-of-repository...
CVE-2025-68937
Forgejo before 13.0.2 allows attackers to write to unintended files, and possibly obtain server shell access, because of mishandling of out-of-repository symlink destinations for template repositories. This is also fixed for 11 LTS in 11.0.7 and later...
RAW-CVE
This repository contai...
Forgejo Security Vulnerability
Forgejo is a lightweight git service. A security vulnerability exists in Forgejo versions prior to 13.0.2 that stems from mishandling of the template repository symbolic link target, which could result in writing unexpected files and gaining server shell access...
Malicious Package
Overview streamixer is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
GO-2025-4243 Libredesk has Improper Neutralization of HTML Tags in a Web Page in github.com/abhinavxd/libredesk
Libredesk has Improper Neutralization of HTML Tags in a Web Page in github.com/abhinavxd/libredesk...
GO-2025-4250 Amazon S3 Encryption Client has a Key Commitment Issue in github.com/aws/amazon-s3-encryption-client-go
Amazon S3 Encryption Client has a Key Commitment Issue in github.com/aws/amazon-s3-encryption-client-go...
git-lfs: Git LFS may write to arbitrary files via crafted symlinks
A flaw was found in Git LFS. Running git lfs checkout and git lfs pull in a specially crafted repository, specifically with symbolic or hard links tracked by Git LFS and pointing to files outside the working tree or in a bare repository, can cause Git LFS to write to arbitrary file system locatio...
cve
My C...