
4 matches found

OSV
added 2026/04/24 3:36 p.m. | 2 views

GHSA-M2M6-CFF5-3W7C RedwoodSDK has Same-site CSRF through lack of origin validation in its server actions

Summary: Server actions in rwsdk apply HTTP method enforcement but no origin validation. A request originating from a different origin that the browser treats as same-site can invoke a server action with the victim's session cookie attached. Impact: An attacker who controls any origin the browser...

5.3 CVSS | 5.4 AI score | 0.00018 EPSS
Exploits: 0 | References: 4
ATTACKERKB
added 2026/01/14 6:4 p.m. | 4 views

CVE-2026-22819

Outray is an open-source ngrok alternative. Prior to 0.1.5, this vulnerability allows a user, i.e. a free plan user, to get more than the desired subdomains due to lack of db transaction lock mechanisms in main/apps/web/src/routes/api/$orgSlug/subdomains/index.ts. This vulnerability is fixed in 0.1.5...

5.9 CVSS | 5.5 AI score | 0.00044 EPSS
Exploits: 1 | References: 3 | Affected Software: 1
CNNVD
added 2021/09/30 12:0 a.m. | 4 views

Wire cross-site scripting vulnerability

Wire is a chat software by an individual developer. The software supports Web, Windows, iOS, Android, and OS X platforms, has a group feature, allows voice calls, sends photos, and its original greeting method, PING. A cross-site scripting vulnerability exists in Wire Wire-server, which can be used...

5.7 CVSS | 5.6 AI score | 0.00306 EPSS
Exploits: 0 | References: 3
Hacker One
added 2018/07/05 3:26 p.m. | 6 views

Hiro: Can view all username leaked in https://core.blockstack.org

Hello team, This should be private hide all username who registered in blockstack.org the attacker can get the information of a user https://core.blockstack.org/v1/subdomains?page=10 I thought it is a demo users but I found my username in the list this should be private "demoaccount1.stealthy.id"...

6.6 AI score
Exploits: 0