1312214 matches found
HackerOne: Authenticated Elasticsearch Painless script execution via Query.search.sort_query on hackerone.com/graphql
The GraphQL query on hackerone.com/graphql allowed authenticated users to execute arbitrary Painless scripts through the sortquery argument, without server-side validation or allowlisting. This was confirmed by submitting requests with different Painless script payloads, and observing that the...
Brave Software: iOS Brave Playlist "Open in Private Tab" bypasses FaceID requirement for Private Tabs
A vulnerability was discovered in the Brave browser for iOS where adding or opening a song in the Brave playlist and holding for the "Open in new Private Tab" option bypassed the Face ID or passcode requirement for accessing Private Tabs. This affected Brave iOS version 1.88 and iOS version 26.4....
Node.js: Permission Model Bypass via `process.report.writeReport()` Path Misvalidation
A flaw was discovered in the Node.js permission model that allowed bypassing of security controls via the process.report.writeReport path misvalidation...
Node.js: Node.js unicode dot separator handling can lead to tls wildcard-depth authentication bypass due to resolver and verifier hostname normalization mismat
Vulnerability description not provided...
Rocket.Chat: Unauthenticated reading of every file via livechat auth and predicting MongoDB ObjectId()
Vulnerability description not provided...
curl: Heap-buffer-overflow in `Curl_ssl_push_certinfo_len()` — sole bounds check is `DEBUGASSERT`
Summary Curlsslpushcertinfolen in lib/vtls/vtls.c uses DEBUGASSERTcertnum numofcerts as its only bounds check before writing a heap pointer into ci-certinfocertnum. DEBUGASSERT is a no-op in every release/production build lib/curlsetup.h:1084. Any mismatch between the count passed to...
curl: Stack exhaustion in MIME multipart reading with deeply nested subparts
Summary: The MIME read path uses mutually recursive helpers for nested multipart structures without enforcing a recursion depth limit. A sufficiently deep tree of nested curlmimesubparts objects causes stack exhaustion when libcurl starts reading the MIME body. The attached PoC builds a deeply...
curl: Use-after-free in `curl_easy_ssls_export()` during callback re-entrancy
Summary: curleasysslsexport iterates the SSL session list and invokes a caller-provided callback for each entry. If that callback calls curleasysslsimport on the same easy handle, the import path can evict and free the current session node while the export loop still holds it. The subsequent...
curl: libcurl omits IPv6 zoneid from host identity and leaks credentials/cookies across scoped link-local realms
Summary: libcurl omits the IPv6 zoneid component from multiple security-sensitive host identity decisions even though the connection layer still routes by zoneid. As a result, two distinct scoped/link-local destinations such as fe80::X%zoneA and fe80::X%zoneB are treated as the same host by...
curl: libcurl reuses a learned RTSP Session header across different hosts on the same easy handle, enabling cross-host session leak and replay
Summary: libcurl automatically learns RTSP Session: headers from server responses and stores them in data-set.strSTRINGRTSPSESSIONID in lib/rtsp.c:1015-1033. On later RTSP requests using the same easy handle, rtspdo reads that easy-handle-scoped value at lib/rtsp.c:373 and unconditionally emits...
Revive Adserver: Stored XSS via malicious usernames in audit log details + Username validation bypass in XML‑RPC addUser
Vulnerability description not provided...
curl: Digest Auth State Leak on Cross-Origin Redirect via Netrc - Username and Password Hash Sent to Wrong Host
Summary When curl follows an HTTP redirect from hostA to hostB using --netrc --digest -L, Digest authentication state nonce, realm from hostA persists and is combined with hostB's netrc credentials to generate an unsolicited Digest Authorization header sent to hostB. This leaks hostB's username i...
Shopify: mruby-engine: UAF in MRubyEngine#initialize enables local RCE
Summary Double-init of MRubyEngine frees engine + unmaps mspace, but leaves Ruby DATAPTR dangling. Kernel reuses freed VA via mmapMAPFIXED. Attacker forges memrubyengine struct + mrbstate in reclaimed region, points mrbstate-allocf at libc.system, arranges bytes of mrbstate to also spell a shell...
Revive Adserver: Banner status override by advertiser‑level users
A vulnerability was reported in Revive Adserver 6.0.6 and earlier, which allowed an advertiser-level user to activate or deactivate a banner without proper permissions. The issue was caused by the banner-edit.php script, which allowed the banner status to be overwritten solely based on banner edi...
curl: CVE-2026-6429: netrc credential leak with reused proxy connection
Summary: libcurl can leak .netrc-derived host Authorization credentials across redirected hosts when an HTTP proxy connection is reused. In the PoC, .netrc contains credentials only for a.test, but after a.test redirects to b.test and then c.test over the same keep-alive proxy connection, libcurl...
Revive Adserver: Missing access control when modifying parent entities via XML‑RPC
Vulnerability description not provided...
Node.js: Unbounded memory growth in `node:http2` clients via attacker-controlled ORIGIN frames
Vulnerability description not provided...
CoinMate.io: POST /api/bitcoinWithdrawalFees returns financial data without authentication despite being documented as a USER OPERATION (private endpoint)
A vulnerability was discovered in the CoinMate API where the POST /api/bitcoinWithdrawalFees endpoint was accessible without authentication, despite being documented as a private endpoint. The endpoint returned real-time Bitcoin withdrawal fee data without requiring any authentication, unlike oth...
curl: lib/http2.c: SSL connections accept non-HTTP push schemes (incomplete fix for 2e8c922a)
Summary: settransferurl in lib/http2.c validates the :scheme pseudo-header of PUSHPROMISE frames only when !viasslconn — a guard added by commit 2e8c922a to block non-TLS connections from accepting TLS-scheme pushes. The symmetric case was not addressed: over TLS, viasslconn is TRUE, the guard at...
curl: libcurl stale CURLOPT_AUTOREFERER leaks a previous request URL to a different origin on a reused easy handle
Summary: libcurl keeps a stale data-state.referer after an HTTP redirect when CURLOPTAUTOREFERER is enabled. Curlhttpfollow stores the previous URL into data-state.referer at lib/http.c:1166-1189, and later requests reuse that value when building Referer: at lib/http.c:2954-2957. In my local...