3 matches found
CVE-2026-32255 Kan is Vulnerable to Unauthenticated SSRF via Attachment Download Endpoint
Kan is an open-source project management tool. In versions 0.5.4 and below, the /api/download/attatchment endpoint has no authentication and no URL validation. The Attachment Download endpoint accepts a user-supplied URL query parameter and passes it directly to fetch server-side, and returns the...
PT-2025-33308 · Youki · Youki
Name of the Vulnerable Software and Affected Versions: Youki versions prior to 0.5.5 Description: If /proc and /sys in the rootfs are symbolic links, they can potentially be exploited to gain access to the host root filesystem. Container creation should be prohibited if /proc or /sys in the rootf...
webmention.js Cross-Site Scripting Vulnerability
webmention.js is a client-side library from the PlaidWeb project for rendering webmentions from webmention.io. A cross-site scripting vulnerability exists in versions of PlaidWeb webmention.js prior to 0.5.5, which stems from susceptibility to DOM-based cross-site scripting (XSS) attacks...