7 matches found
NPM: Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy
NPM: Axios: Authentication Bypass via Prototype Pollution Gadget in validateStatus Merge Strategy vulnerability discovered by ? in WordPress Npm axios versions = 0.31.0...
CVE-2026-26189 Trivy Action has a script injection via sourced env file in composite action
Trivy Action runs Trivy as GitHub action to scan a Docker container image for vulnerabilities. A command injection vulnerability exists in aquasecurity/trivy-action versions 0.31.0 through 0.33.1 due to improper handling of action inputs when exporting environment variables. The action writes...
CVE-2025-65017 Decidim's private data exports can lead to data leaks
Decidim is a participatory democracy framework. In versions from 0.30.0 to before 0.30.4 and from 0.31.0.rc1 to before 0.31.0, the private data exports can lead to data leaks when the UUID generation causes collisions among the generated UUIDs. This issue has been patched in versions 0.30.4 an...
CVE-2025-66020 Valibot has a ReDoS vulnerability in `EMOJI_REGEX`
Valibot helps validate data using a schema. In versions from 0.31.0 to 1.1.0, the `EMOJI_REGEX` used in the emoji action is vulnerable to a Regular Expression Denial of Service (ReDoS) attack. A short, maliciously crafted string (e.g., 100 characters) can cause the regex engine to consume excessive CPU...
Flux2 Path Traversal Vulnerability
Flux2 is a tool from the Cloud Native Computing Foundation that keeps Kubernetes clusters synchronized with their configuration sources. A path traversal vulnerability exists in Flux2 versions v0.21.0 through v0.31.0, which stems from mishandling of user-supplied input and can be exploited by an...
Cross-Site Request Forgery (CSRF)
It was found that the AMQ Online console is vulnerable to a Cross-Site Request Forgery (CSRF) which is exploitable in cases where preflight checks are not instigated or bypassed. For example, authorised users using an older browser with Adobe Flash are vulnerable when targeted by an attacker. This...