2461551 matches found
Hackney has CRLF / header injection in WebSocket upgrade request
Summary CRLF injection in hackney's WebSocket upgrade request builder, src/hackney_ws.erl. init/1 copies the host, path, headers, and protocols options from the caller-supplied opts map verbatim into ws_data, and do_handshake/1 splices them directly into the raw HTTP/1.1 upgrade request by binary...
GHSA-J9WQ-VXXC-94WF Hackney has CR/LF injection in query parameter
Summary hackney_url:make_url/3 passes the URL query component directly into the HTTP/1.1 request target without percent-encoding \r or \n. RFC 3986 §3.4 requires characters outside the query grammar to be percent-encoded, but no validation or escaping occurs. An attacker who controls any portion of...
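The two hackney entries above describe the same class of bug from two sides: a query string, or a Host/header/protocol value, copied verbatim into a hand-built HTTP/1.1 request. The following is an added example written for this page, not hackney's code: a minimal request builder in the vulnerable shape, the same builder with the query percent-encoded per the RFC 3986 query grammar and the Host value rejected if it carries CR/LF, and a toy server-side parser that shows what each version looks like on the wire. The host, path and payload are constructed for the demonstration.

```python
"""Constructed illustration of CR/LF injection through an HTTP/1.1 request target,
and of the two defences: percent-encoding for the query component and fail-closed
rejection for components that cannot be encoded. Example code for this page, not
hackney's implementation; host, path and payload are made up."""
import re
from urllib.parse import quote

# RFC 3986 §3.4: query = *( pchar / "/" / "?" ), pchar = unreserved / pct-encoded
# / sub-delims / ":" / "@". quote() already keeps unreserved characters; the
# remaining legal ones are listed here. '%' is kept only so existing pct-encoded
# triplets survive; a stray '%' is fixed up first in encode_query().
_QUERY_SAFE = "!$&'()*+,;=:@/?%"


def encode_query(query: str) -> str:
    """Percent-encode anything outside the RFC 3986 query grammar, CR and LF included."""
    query = re.sub(r"%(?![0-9A-Fa-f]{2})", "%25", query)
    return quote(query, safe=_QUERY_SAFE)


def reject_ctl(field: str, value: str) -> str:
    """For Host, header names/values and similar: there is no encoding, so refuse."""
    if re.search(r"[\r\n\0]", value):
        raise ValueError(f"{field} contains a control character")
    return value


def build_request_unsafe(host: str, path: str, query: str) -> bytes:
    """Splices the caller's strings into the request verbatim (the vulnerable pattern)."""
    target = f"{path}?{query}" if query else path
    return f"GET {target} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()


def build_request_safe(host: str, path: str, query: str) -> bytes:
    """Same request, with the query encoded and the Host value checked."""
    host = reject_ctl("Host", host)
    target = f"{path}?{encode_query(query)}" if query else path
    return f"GET {target} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()


def parse_request_head(raw: bytes) -> tuple:
    """Minimal server-side view: the request line plus a dict of header fields."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode()
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return lines[0], headers


# Constructed attacker-controlled query: terminates the request line early, adds a
# header of its own, and opens a dummy header to swallow the builder's " HTTP/1.1".
PAYLOAD = "id=1 HTTP/1.1\r\nX-Injected: yes\r\nX-Pad: "

if __name__ == "__main__":
    for builder in (build_request_unsafe, build_request_safe):
        line, headers = parse_request_head(builder("example.test", "/api", PAYLOAD))
        print(builder.__name__, "->", line, headers)
```

With the unsafe builder the parser sees a well-formed request line followed by an attacker-supplied `X-Injected` header; with the safe one the whole payload stays inside the request target as `%0D%0A` sequences and the only headers are the builder's own. The path component needs the same treatment under the RFC 3986 path grammar, and anything that has no percent-encoding form (Host, header names and values, Sec-WebSocket-Protocol entries) should fail closed the way `reject_ctl` does rather than be silently spliced in.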
GHSA-GP9C-PM5M-5CXR Hackney: `ssl:connect/2` post-handshake upgrade has no timeout
Summary The SOCKS5 transport in src/hackney_socks5.erl correctly applies the caller-supplied timeout to the SOCKS5 negotiation phase, but then upgrades the tunnel to TLS using ssl:connect/2 (the two-argument form), whose timeout defaults to infinity. The Timeout value is in scope at that call site but is...
GHSA-4HF8-5MJM-RFGQ Streamable HTTP mode exposes LINE Desktop read/send tools without MCP authentication
Summary line-desktop-mcp supports a --http-mode Streamable HTTP transport for use with clients such as n8n. In this mode the server binds to 0.0.0.0 and exposes the MCP /mcp endpoint without an MCP-layer...
GHSA-JQ42-7MFV-HM57 Cargo crates in third party registries can override the cached source of other crates
The Rust Security Response Team was notified that Cargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a malicious crate to override the source code of another crate from the same registry. This vulnerability is tracked as CVE-2026-5223. The...
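The mechanism named above (a symlink inside a package tarball that points at a sibling package's directory, followed by a file entry whose path runs through that link) is generic to any extractor that trusts archive contents. The following is an added example written for this page, not Cargo's code: an in-memory archive for a hypothetical crate `evil-0.1.0` carrying such a link, a naive extractor that follows it and overwrites `victim-1.0.0/src/lib.rs`, and a containment-checked extractor that refuses the link. All crate names, paths and file contents are constructed.

```python
"""Constructed illustration of a symlink-in-tarball overwrite between two sibling
package directories, and an extractor that refuses it. Example code for this page,
not Cargo's implementation; all paths and names are made up."""
import io
import os
import tarfile
import tempfile

ORIGINAL = b"pub fn hello() -> &'static str { \"victim\" }\n"
REPLACED = b"pub fn hello() -> &'static str { \"owned by evil\" }\n"


def build_malicious_tar() -> io.BytesIO:
    """In-memory archive for a hypothetical crate 'evil-0.1.0'. Besides a normal
    source file it carries a symlink that points at a sibling crate's src directory
    and a regular file whose path goes through that symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b"pub fn hello() {}\n"
        info = tarfile.TarInfo("evil-0.1.0/src/lib.rs")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))

        link = tarfile.TarInfo("evil-0.1.0/link")
        link.type = tarfile.SYMTYPE
        link.linkname = "../victim-1.0.0/src"  # escapes the crate's own directory
        tar.addfile(link)

        info = tarfile.TarInfo("evil-0.1.0/link/lib.rs")  # resolves into victim-1.0.0/src/
        info.size = len(REPLACED)
        tar.addfile(info, io.BytesIO(REPLACED))
    buf.seek(0)
    return buf


def naive_extract(tar_bytes: io.BytesIO, cache: str) -> list:
    """Extractor that trusts member names and symlink targets (the vulnerable pattern)."""
    with tarfile.open(fileobj=tar_bytes) as tar:
        for m in tar:
            dest = os.path.join(cache, m.name)
            if m.issym():
                os.symlink(m.linkname, dest)
            elif m.isdir():
                os.makedirs(dest, exist_ok=True)
            elif m.isfile():
                os.makedirs(os.path.dirname(dest), exist_ok=True)
                with open(dest, "wb") as f:
                    f.write(tar.extractfile(m).read())
    return []


def _inside(path: str, root: str) -> bool:
    real = os.path.realpath(path)
    return real == root or real.startswith(root + os.sep)


def safe_extract(tar_bytes: io.BytesIO, cache: str) -> list:
    """Same extractor with a containment check: every destination, and every
    symlink target, must resolve inside the archive's own top-level directory.
    Offending members are skipped and reported."""
    rejected = []
    with tarfile.open(fileobj=tar_bytes) as tar:
        for m in tar:
            top = m.name.split("/", 1)[0]
            crate_dir = os.path.realpath(os.path.join(cache, top))
            dest = os.path.join(cache, m.name)
            # realpath() follows any symlink created earlier in the archive, so a
            # file routed through an escaping link is caught here as well
            if not _inside(dest, crate_dir):
                rejected.append(m.name)
                continue
            if m.issym():
                target = os.path.join(os.path.dirname(dest), m.linkname)
                if not _inside(target, crate_dir):
                    rejected.append(m.name)
                    continue
                os.symlink(m.linkname, dest)
            elif m.isdir():
                os.makedirs(dest, exist_ok=True)
            elif m.isfile():
                os.makedirs(os.path.dirname(dest), exist_ok=True)
                with open(dest, "wb") as f:
                    f.write(tar.extractfile(m).read())
            else:
                rejected.append(m.name)  # hard links, devices, etc. have no place in a source crate
    return rejected


def run(extractor) -> tuple:
    """Populate a cache with victim-1.0.0, extract the hostile archive with the given
    extractor, and return (victim lib.rs contents afterwards, rejected member names)."""
    with tempfile.TemporaryDirectory() as cache:
        victim_src = os.path.join(cache, "victim-1.0.0", "src")
        os.makedirs(victim_src)
        with open(os.path.join(victim_src, "lib.rs"), "wb") as f:
            f.write(ORIGINAL)
        rejected = extractor(build_malicious_tar(), cache)
        with open(os.path.join(victim_src, "lib.rs"), "rb") as f:
            return f.read(), rejected


if __name__ == "__main__":
    print("naive:", run(naive_extract))
    print("safe: ", run(safe_extract))
```

The naive run leaves `victim-1.0.0/src/lib.rs` replaced with the attacker's bytes while every member of the archive looked like it belonged to `evil-0.1.0`; the checked run rejects only `evil-0.1.0/link`, and the file entry behind it then lands harmlessly inside the crate's own directory. Checking the symlink target before creating the link matters: a check on the file entry alone would pass, because its name contains no `..`.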
GHSA-P688-R7JV-FM6F Cargo can be coerced to share credentials between registries
The Rust Security Response Team was notified that Cargo incorrectly normalized the URLs of third-party registries using the sparse index protocol. If a hosting provider allowed multiple registries to be hosted with arbitrary names within the same domain, an attacker able to publish crates in a...
GHSA-F5GC-QXF8-MH9G php-weasyprint: shell command injection via configurable WeasyPrint binary path due to inverted is_executable() guard (mirror of KnpLabs/snappy GHSA-vpr4-p6fq-85jc)
Summary pontedilana/php-weasyprint builds the shell command for WeasyPrint by passing the binary path through escapeshellarg first and then checking the quoted result with is_executable. On POSIX, escapeshellarg('/usr/local/bin/weasyprint') returns '/usr/local/bin/weasyprint' with the single-quote...
MAL-2026-6542 Malicious code in @osmura/treeify (npm)
Source: amazon-inspector (4643c1f27e4916ea6090f1e6196c980fa1d65b96899a80b1f57633eaf16a61a9). The package republishes the upstream treeify library (Luke Plaster, repo notatestuser/treeify) verbatim under the unrelated @osmura scope, preserving t...
MAL-2026-6543 Malicious code in express-initial (npm)
Source: amazon-inspector (a8d292a4664135ed1869f907d62fb6472839ab54a59aedb2f3a88022a0c70095). package.json declares "postinstall": "node index.js", so npm install express-initial automatically runs the package's main script. index.js is heavil...
Security Bulletin: Multiple Vulnerabilities in IBM Operator for PostgreSQL
Summary Multiple vulnerabilities were addressed in IBM Operator for PostgreSQL version v28.3.3. Vulnerability Details CVEID: CVE-2026-45447 DESCRIPTION: Issue summary: A specially crafted PKCS7 or S/MIME signed message could trigger a use-after-free during PKCS7 signature verification. Impact...
Unlock of a Resource that is not Locked
Overview phpmyfaq/phpmyfaq is a FAQ system for PHP and MySQL, PostgreSQL and other databases Affected versions of this package are vulnerable to Unlock of a Resource that is not Locked in the editUser and updateUserRights processes. An attacker can gain unauthorized SuperAdmin privileges or grant...
GHSA-985R-Q3QP-299H phpMyFAQ has an incomplete fix for GHSA-xvp4-phqj-cjr3 — editUser() and updateUserRights() lack authorization guards
Advisory / Disclosure phpMyFAQ 4.1.3 — incomplete fix for the admin-API IDOR/privilege-escalation class. Target: thorsten/phpMyFAQ (composer: thorsten/phpmyfaq, phpmyfaq/phpmyfaq). Affected: "Only SuperAdmins may change other users' attributes. Self-service is always allowed." and "a non-SuperAdmin...