GHSA-2FP4-5V5C-4448 gonic: Path Traversal in playlist `id` bypasses ownership check, enabling any user to read/delete other users' playlists

Summary The maintainer's recent fix in 6dd71e6a3c966867ef8c900d359a7df75789f410 fixsubsonic: enforce playlist ownership on getPlaylist/deletePlaylist added an ownership check based on playlist.UserID. However, playlist.UserID is derived from the first path segment of the attacker-controlled...

gonic: Path Traversal in playlist `id` bypasses ownership check, enabling any user to read/delete other users' playlists

Summary The maintainer's recent fix in 6dd71e6a3c966867ef8c900d359a7df75789f410 fixsubsonic: enforce playlist ownership on getPlaylist/deletePlaylist added an ownership check based on playlist.UserID. However, playlist.UserID is derived from the first path segment of the attacker-controlled...

EUVD-2026-38068

gonic has arbitrary file write in createPlaylist: any authenticated user can write playlist M3U content to attacker-controlled path on the host...

GHSA-4GXV-P5G5-J7W7 gonic has arbitrary file write in createPlaylist: any authenticated user can write playlist M3U content to attacker-controlled path on the host

Summary A logic error in ServeCreateOrUpdatePlaylist allows any authenticated Subsonic user including non-admin to write playlist M3U content to an attacker-controlled absolute filesystem path on the gonic host, and to create intermediate directories with 0o777 permissions. The bug is independent...

gonic has arbitrary file write in createPlaylist: any authenticated user can write playlist M3U content to attacker-controlled path on the host

Summary A logic error in ServeCreateOrUpdatePlaylist allows any authenticated Subsonic user including non-admin to write playlist M3U content to an attacker-controlled absolute filesystem path on the gonic host, and to create intermediate directories with 0o777 permissions. The bug is independent...

GHSA-GJ8W-MVPF-X27X pnpm: Repository-controlled configDependencies can select a pacquet native install engine

Maintainer Action Plan This report is ready to review with the shared patch branch. Start with the PR and the expected fixed behavior, then use the detailed exploit narrative below only if you want to replay the original path. - Advisory: CAND-PNPM-097 / GHSA-gj8w-mvpf-x27x - Advisory URL:...

pnpm: Repository-controlled configDependencies can select a pacquet native install engine

Maintainer Action Plan This report is ready to review with the shared patch branch. Start with the PR and the expected fixed behavior, then use the detailed exploit narrative below only if you want to replay the original path. - Advisory: CAND-PNPM-097 / GHSA-gj8w-mvpf-x27x - Advisory URL:...

GHSA-5WX6-MG75-V57R pnpm: Manifest identity spoof satisfies allowBuilds and runs attacker lifecycle

Summary Keep build approval for opaque dependency sources byte-exact for GHSA-5wx6-mg75-v57r / CAND-PNPM-123. Merged upstream commit bf1b731ee6 fixed the original name-only approval bypass by making build policy consume the resolved dependency identity. One collision remained: the generic...

pnpm: Manifest identity spoof satisfies allowBuilds and runs attacker lifecycle

Summary Keep build approval for opaque dependency sources byte-exact for GHSA-5wx6-mg75-v57r / CAND-PNPM-123. Merged upstream commit bf1b731ee6 fixed the original name-only approval bypass by making build policy consume the resolved dependency identity. One collision remained: the generic...

CVE-2026-56414

A vulnerability exists in H.View IP cameras certificate-related upload interfaces allow authenticated users to store arbitrary file content to fixed, persistent filesystem locations without validating file type, structure, or size. This design omission enables the placement of unexpected or...

CVE-2026-28701

Various versions of Daktronics Controller Firmware could allow authenticated and unauthenticated remote users to escape the intended directory and enumerate arbitrary file system paths...

CVE-2026-33560

The DMP-5000 file service exposes authenticated arbitrary file upload functionality. There are exposed endpoints which allows authenticated users to upload files of any type without validation. No file extension filtering or content inspection is enforced which allows executable binaries and...

GHSA-3QHV-2RGH-X77R pnpm: Repository config can expand victim environment secrets into registry requests before scripts run

Maintainer Action Plan This report is ready to review with the shared patch branch. Start with the PR and the expected fixed behavior, then use the detailed exploit narrative below only if you want to replay the original path. - Advisory: CAND-PNPM-122 / GHSA-3qhv-2rgh-x77r - Advisory URL:...

pnpm: Repository config can expand victim environment secrets into registry requests before scripts run

Maintainer Action Plan This report is ready to review with the shared patch branch. Start with the PR and the expected fixed behavior, then use the detailed exploit narrative below only if you want to replay the original path. - Advisory: CAND-PNPM-122 / GHSA-3qhv-2rgh-x77r - Advisory URL:...

GHSA-9RC6-8CJV-RCVX Nezha Monitoring: OAuth2 Redirect URL — Host Header Injection

Description The getRedirectURL function in oauth2.go:22-29 constructs the OAuth2 callback URL by concatenating the request's Host header with a fixed path, with zero validation of the Host header: go func getRedirectURLc gin.Context string scheme := "http://" referer := c.Request.Referer if...

Nezha Monitoring: OAuth2 Redirect URL — Host Header Injection

Description The getRedirectURL function in oauth2.go:22-29 constructs the OAuth2 callback URL by concatenating the request's Host header with a fixed path, with zero validation of the Host header: go func getRedirectURLc gin.Context string scheme := "http://" referer := c.Request.Referer if...

GHSA-JG62-J5H6-8MPQ Nezha Monitoring: Unbounded WebSocket Streams — Resource Exhaustion DoS

Description The Nezha dashboard exposes two endpoints that create long-lived WebSocket streams to monitored agents: - POST /api/v1/terminal → createTerminal terminal.go:27-67 - POST /api/v1/file → createFM fm.go:28-67 Both call rpc.NezhaHandlerSingleton.CreateStreamstreamId, ... which inserts a...

Nezha Monitoring: Unbounded WebSocket Streams — Resource Exhaustion DoS

Description The Nezha dashboard exposes two endpoints that create long-lived WebSocket streams to monitored agents: - POST /api/v1/terminal → createTerminal terminal.go:27-67 - POST /api/v1/file → createFM fm.go:28-67 Both call rpc.NezhaHandlerSingleton.CreateStreamstreamId, ... which inserts a...

CSV Injection

Overview Affected versions of this package are vulnerable to CSV Injection in the export process. An attacker can execute arbitrary spreadsheet formulas by submitting specially crafted form values that begin with formula trigger characters, which are then interpreted as live formulas when the...

GHSA-5C25-7VPJ-9MQH Nezha Monitoring: Pre-auth path traversal via /dashboard.. prefix confusion leaks jwt_secret_key

Summary fallbackToFrontend in the dashboard's NoRoute handler treats any URL whose raw string starts with /dashboard as an admin-frontend asset request. The check uses strings.HasPrefix, not a path-segment match, so the input /dashboard../data/config.yaml is accepted; strings.TrimPrefix leaves...