CVE-2025-5819 Incorrect Permission Assignment for Critical Resource in GitLab

An issue has been discovered in GitLab CE/EE affecting all versions from 15.7 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that could have allowed authenticated users with developer access to obtain ID tokens for protected branches under certain circumstances...

CVE-2025-5819 Incorrect Permission Assignment for Critical Resource in GitLab

An issue has been discovered in GitLab CE/EE affecting all versions from 15.7 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that could have allowed authenticated users with developer access to obtain ID tokens for protected branches under certain circumstances...

CVE-2025-5819

CVE-2025-5819 affects GitLab CE/EE versions 15.7–before 18.0.6, 18.1–before 18.1.4, and 18.2–before 18.2.2. The issue allows authenticated users with developer access to obtain ID tokens for protected branches under certain circumstances. The provided documents confirm the affected versions and t...

What Security Should Look Like When Built for Developers

Security tools should support the way developers actually work. Here’s how we’re reimagining what that looks like...

cherry 代码注入漏洞

cherry is an HTTP server for Chee Personal Developers. A code injection vulnerability exists in cherry versions 1.4.8 through 1.5.0, which stems from improper handling of custom URLs and could lead to remote code execution...

pybbs 安全漏洞

pybbs is a community platform for Java development by iuiu individual developers. A security vulnerability exists in pybbs 6.0.0 and earlier versions, which stems from a guessable CAPTCHA issue in the function adminlogin/login in the CAPTCHA handling component...

ELADMIN 安全漏洞

ELADMIN is a backend management system for elunez individual developers. A security vulnerability exists in ELADMIN 2.7 and earlier versions, which stems from the use of default credentials that allow an attacker to remotely log in directly and disclose sensitive information...

MINI-8W3M-F3JR-MXXP

Bulletin has no description...

EncryptHub Targets Web3 Developers Using Fake AI Platforms to Deploy Fickle Stealer Malware

The financially motivated threat actor known as EncryptHubaka LARVA-208 and Water Gamayun has been attributed to a new campaign that's targeting Web3 developers to infect them with information stealer malware. "LARVA-208 has evolved its tactics, using fake AI platforms e.g., Norlax AI, mimicking...

OAuth Dynamic Client Registration Permissive Redirect URI

OAuth Dynamic Client Registration requires specifying redirect URIs during the registration process. When the OAuth server accepts permissive redirect URIs, such as those allowing arbitrary hosts or ones starting with javascript://, an attacker could exploit this to perform Open Redirect or...

OAuth Dynamic Client Registration Permissive Metadata Field

OAuth Dynamic Client Registration allows for various metadata fields such as 'clientname', 'websiteuri' during the registration process. When the OAuth server accepts permissive values for such fields, such as ones starting with javascript://, an attacker could exploit this to perform Cross-Site...

arxiv-daily 路径遍历漏洞

arxiv-daily is an automated paper updater for OMAR Individual Developers. A security vulnerability exists in arxiv-daily version 2025-05-06, which stems from a directory traversal vulnerability when parsing the topic.yml file...

CVE-2025-45582

GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file,...

gorobbs 路径遍历漏洞

gorobbs is a full-text search engine by letseeqiji's individual developers. A path traversal vulnerability exists in gorobbs 1.0.8 and earlier versions, which stems from a path traversal caused by the parameter filename operation...

Bridging the Security Knowledge Gap: Introducing AI ExplAIn for Imperva Cloud WAF

The challenge of maintaining robust web application security often comes down to communication. Security teams frequently spend countless hours explaining WAF blocking decisions to application developers who may lack security expertise. This communication gap not only creates friction between tea...

Remote Code Execution (RCE)

CrafterCMS is vulnerable to Remote Code Execution RCE. The vulnerability is due to improper control of dynamically-managed code resources due to a Groovy Sandbox bypass that allows authenticated developers to execute OS commands...

Characterising Bugs in Jupyter Platform

As a representative literate programming platform, Jupyter is widely adopted by developers, data analysts, and researchers for replication, data sharing, documentation, interactive data visualization, and more. Understanding the bugs in the Jupyter platform is essential for ensuring its...

GHSA-5644-3VGQ-2PH5 Crafter Studio Groovy Sandbox Bypass

Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of CrafterCMS allows authenticated developers to execute OS commands via Groovy Sandbox Bypass. By inserting malicious Groovy elements, an attacker may bypass Sandbox restrictions and obtain RCE Remote Code...

CrafterCMS 安全漏洞

CrafterCMS is a Java-based CMS from CrafterCMS, Inc. A security vulnerability exists in CrafterCMS versions 4.0.0 through 4.2.2 that stems from a Groovy sandbox bypass resulting in OS commands that can be executed by certified developers...

[SECURITY] Fedora 41 Update: python3.9-3.9.23-1.fc41

Python 3.9 package for developers. This package exists to allow developers to test their code against an older version of Python. This is not a full Python stack and if you wish to run your applications with Python 3.9, see other distributions that support it, such as CentOS or RHEL or older Fedo...