Server-side Request Forgery (SSRF)

Overview @steipete/summarize is a Link → clean text → summary. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the hover summary process. An attacker can cause authenticated requests to be sent to internal or private-network endpoints by dispatching...

GHSA-5624-2PMV-JX46 Summarize contains a missing authorization vulnerability

Summarize prior to 0.15.0 contains a missing authorization vulnerability in the content script window.postMessage bridge that allows malicious pages to perform unauthorized operations on automation artifacts. Attackers can simulate runtime messages with spoofed sender identifiers to list, read,...

CLEANSTART-2026-HM31566 Security fixes for CVE-2025-61726, CVE-2025-61727, CVE-2025-61728, CVE-2025-61729, CVE-2025-61730, CVE-2025-68121, CVE-2026-25679, CVE-2026-27139, CVE-2026-27142, CVE-2026-32280, CVE-2026-32281, CVE-2026-32282, CVE-2026-32283, CVE-2026-32289, CVE-2026-33811, CVE-2026-33814, CVE-2026-39820, CVE-2026-39823, CVE-2026-39825, CVE-2026-39826, CVE-2026-39836, CVE-2026-42499 applied in versions: 0.15.0-r0

Multiple security vulnerabilities affect the configmap-reload package. These issues are resolved in later releases. See references for individual vulnerability details...

Linux Distros Unpatched Vulnerability : CVE-2026-44310

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Gitsign is a keyless Sigstore to signing tool for Git commits with your a GitHub / OIDC identity. From 0.4.0 to before 0.15.0, CertVerifier.Verify in...

Improper Validation of Array Index

Overview Affected versions of this package are vulnerable to Improper Validation of Array Index through the CertVerifier.Verify function. An attacker can cause the process to panic and exit with a success code by providing a CMS/PKCS7 signed message containing an empty certificate set, which lead...

CVE-2026-44310

Gitsign is a keyless Sigstore to signing tool for Git commits with your a GitHub / OIDC identity. From 0.4.0 to before 0.15.0, CertVerifier.Verify in pkg/git/verifier.go unconditionally dereferences certs0 after sd.GetCertificates without checking the slice length. A CMS/PKCS7 signed message with...

CVE-2026-44310 gitsign --verify panics on empty-certificate PKCS7 and exits 0, bypassing exit-code callers

Gitsign is a keyless Sigstore to signing tool for Git commits with your a GitHub / OIDC identity. From 0.4.0 to before 0.15.0, CertVerifier.Verify in pkg/git/verifier.go unconditionally dereferences certs0 after sd.GetCertificates without checking the slice length. A CMS/PKCS7 signed message with...

CVE-2026-41604 affecting package thrift for versions less than 0.15.0-6

CVE-2026-41604 affecting package thrift for versions less than 0.15.0-6. A patched version of the package is available...

Incorrect Permission Assignment for Critical Resource

Overview @steipete/summarize is a Link → clean text → summary. Affected versions of this package are vulnerable to Incorrect Permission Assignment for Critical Resource via the creation of the daemon.json configuration file with overly permissive filesystem permissions. An attacker can gain...

CVE-2026-26015

DocsGPT is a GPT-powered chat for documentation. From version 0.15.0 to before version 0.16.0, an attacker accessing both the official DocsGPT website or any local and public deployment, can craft a malicious payload bypassing the "MCP test" behavior to achieve arbitrary remote code execution RCE...

CVE-2026-26015 Unauthenticated RCE in DocsGPT MCP STDIO Configuration

DocsGPT is a GPT-powered chat for documentation. From version 0.15.0 to before version 0.16.0, an attacker accessing both the official DocsGPT website or any local and public deployment, can craft a malicious payload bypassing the "MCP test" behavior to achieve arbitrary remote code execution RCE...

DocsGPT 命令注入漏洞

DocsGPT is a cutting-edge open-source solution developed by Arc53. It simplifies the process of finding information in project documents. In versions 0.15.0 to 0.16.0 of DocsGPT, there was a command injection vulnerability. This vulnerability stemmed from bypassing MCP testing behaviors, which...

CVE-2026-33752

curlcffi is the a Python binding for curl. Prior to 0.15.0, curlcffi does not restrict requests to internal IP ranges, and follows redirects automatically via the underlying libcurl. Because of this, an attacker-controlled URL can redirect requests to internal services such as cloud metadata...

curl_cffi 代码问题漏洞

curlcffi is a Python HTTP client library developed by Lexiforest personal developers, which supports browser fingerprint simulation. Versions of curlcffi prior to 0.15.0 have code vulnerabilities. These vulnerabilities stem from the lack of restrictions on requests directed to internal IP ranges,...

CVE-2026-24048

CVE-2026-24048 affects Backstage FetchUrlReader in @backstage/backend-defaults prior to v0.12.2, v0.13.2, v0.14.1, and v0.15.0. The component would follow HTTP redirects, enabling an attacker who controls a host in backend.reading.allow to redirect requests to internal/sensitive URLs outside the ...

CVE-2022-23638

svg-sanitizer is a SVG/XML sanitizer written in PHP. A cross-site scripting vulnerability impacts all users of the svg-sanitizer library prior to version 0.15.0. This issue is fixed in version 0.15.0. There is currently no workaround available...

Linux Distros Unpatched Vulnerability : CVE-2025-61779

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Confidential Containers's Trustee project contains tools and components for attesting confidential guests and providing secrets to them. In versions prior to...

CVE-2025-61779

Confidential Containers's Trustee project contains tools and components for attesting confidential guests and providing secrets to them. In versions prior to 0.15.0, the attestation-policy endpoint didn't check if the kbs-client submitting the request was actually authenticated had the right key...

EUVD-2025-33556

Confidential Containers's Trustee project contains tools and components for attesting confidential guests and providing secrets to them. In versions prior to 0.15.0, the attestation-policy endpoint didn't check if the kbs-client submitting the request was actually authenticated had the right key...

CVE-2025-61779 Trustee's attestation-policy endpoint is not protected by admin autentication

Confidential Containers's Trustee project contains tools and components for attesting confidential guests and providing secrets to them. In versions prior to 0.15.0, the attestation-policy endpoint didn't check if the kbs-client submitting the request was actually authenticated had the right key...