CVE-2026-33693 Lemmy's Activitypub-Federation has SSRF via 0.0.0.0 bypass in activitypub-federation-rust v4_is_invalid()

Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.7.0-beta.9, the v4isinvalid function in activitypub-federation-rust src/utils.rs does not check for Ipv4Addr::UNSPECIFIED 0.0.0.0. An unauthenticated attacker controlling a remote domain can point it to 0.0.0.0, bypass the...

CVE-2026-33693

Lemmy’s Activitypub-Federation vulnerable component: Rust-based v4_is_invalid() in activitypub_federation-rust fails to check IPv4Addr::UNSPECIFIED (0.0.0.0). An unauthenticated attacker controlling a remote domain could direct 0.0.0.0 and bypass SSRF protections, reaching localhost services on t...

CVE-2026-32621

Apollo Federation is an architecture for declaratively composing APIs into a unified graph. Prior to 2.9.6, 2.10.5, 2.11.6, 2.12.3, and 2.13.2, a vulnerability exists in query plan execution within the gateway that may allow pollution of Object.prototype in certain scenarios. A malicious client m...

Activitypub-Federation has SSRF via 0.0.0.0 bypass in activitypub-federation-rust v4_is_invalid()

Summary The v4isinvalid function in activitypub-federation-rust src/utils.rs does not check for Ipv4Addr::UNSPECIFIED 0.0.0.0. An unauthenticated attacker controlling a remote domain can point it to 0.0.0.0, bypass the SSRF protection introduced by the fix for CVE-2025-25194 GHSA-7723-35v7-qcxw,...

GHSA-Q537-8FR5-CW35 Activitypub-Federation has SSRF via 0.0.0.0 bypass in activitypub-federation-rust v4_is_invalid()

Summary The v4isinvalid function in activitypub-federation-rust src/utils.rs does not check for Ipv4Addr::UNSPECIFIED 0.0.0.0. An unauthenticated attacker controlling a remote domain can point it to 0.0.0.0, bypass the SSRF protection introduced by the fix for CVE-2025-25194 GHSA-7723-35v7-qcxw,...

Activitypub-Federation has SSRF via 0.0.0.0 bypass in activitypub-federation-rust v4_is_invalid()

The v4isinvalid function in activitypub-federation-rust src/utils.rs does not check for Ipv4Addr::UNSPECIFIED 0.0.0.0. An unauthenticated attacker controlling a remote domain can point it to 0.0.0.0, bypass the SSRF protection introduced by the fix for CVE-2025-25194 GHSA-7723-35v7-qcxw, and reac...

📄 activitypub-federation-rust 0.7.1 Server-Side Request Forgery

activitypub-federation-rust versions 0.7.1 and below suffer from a server-side request forgery vulnerability. CVE-2026-33693: SSRF via 0.0.0.0 Bypass in activitypub-federation-rust v4isinvalid CVSS 6.5 Moderate Keywords: SSRF, 0.0.0.0, IP validation bypass, activitypub-federation, Lemmy, Rust,...

MAL-2026-1482 Malicious code in chacha-lite-encrypt (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 705b86da323a21b157504bf4833b60c8aa90a57d6db5111716afe31c114b6c1d During import, package decrypts and runs a malicious executable. The executable is hidden in an encoded and xored form in the JSON resource file. This is a...

CVE-2026-32621

Apollo Federation is an architecture for declaratively composing APIs into a unified graph. Prior to 2.9.6, 2.10.5, 2.11.6, 2.12.3, and 2.13.2, a vulnerability exists in query plan execution within the gateway that may allow pollution of Object.prototype in certain scenarios. A malicious client m...

Improper Authentication

ZITADEL is vulnerable to Improper Authentication. The vulnerability is due to improper enforcement of organization login policies during the federation auto-linking process, which allows an attacker to authenticate through a disabled identity provider and link their external identity to an existi...

Apollo Federation 安全漏洞

Apollo Federation is an architecture in the Apollo community that combines APIs into a unified graph through declarative methods. Vulnerabilities exist in versions of Apollo Federation before 2.9.6, 2.10.5, 2.11.6, 2.12.3, and 2.13.2. These vulnerabilities stem from vulnerabilities in the query...

Malicious code in kvstore-pb2-grpc (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 7208dedf651be9d1e330692ef042b89e5bcae7e8aeee7f2ab400d49e7a574de8 During import, package decrypts and runs a malicious executable. The executable is hidden in an encoded and xored form in the JSON resource file. This is a...

Malicious code in dgl-cu117 (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 4f9fcfe9f469df3c132eca5b08bac4a30c146c7b1305f506fd900b1e78581b0d During import, package decrypts and runs a malicious executable. The executable is hidden in an encoded and xored form in the JSON resource file. This is a...

MAL-2026-1432 Malicious code in dgl-cu117 (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 4f9fcfe9f469df3c132eca5b08bac4a30c146c7b1305f506fd900b1e78581b0d During import, package decrypts and runs a malicious executable. The executable is hidden in an encoded and xored form in the JSON resource file. This is a...

Malicious code in python-anchor (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 914b16cbc506c57a77eeed5ae14955bcf3b58fa49da92c2686b56a1d531c5268 During import, package decrypts and runs a malicious executable. The executable is hidden in an encoded and xored form in the JSON resource file. This is a...

MAL-2026-1435 Malicious code in python-anchor (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 914b16cbc506c57a77eeed5ae14955bcf3b58fa49da92c2686b56a1d531c5268 During import, package decrypts and runs a malicious executable. The executable is hidden in an encoded and xored form in the JSON resource file. This is a...

Malicious code in ariadne-federation (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 3eb5492b220fedd5fedb29045328e749d659aea6e38ed743f7aace2d623d07d2 During import, package decrypts and runs a malicious executable. The executable is hidden in an encoded and xored form in the JSON resource file. This is a...

MAL-2026-1431 Malicious code in ariadne-federation (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 3eb5492b220fedd5fedb29045328e749d659aea6e38ed743f7aace2d623d07d2 During import, package decrypts and runs a malicious executable. The executable is hidden in an encoded and xored form in the JSON resource file. This is a...

Apollo Federation vulnerable to prototype pollution via incomplete key sanitization

Impact A vulnerability exists in query plan execution within the gateway that may allow pollution of Object.prototype in certain scenarios. A malicious client may be able to pollute Object.prototype in gateway directly by crafting operations with field aliases and/or variable names that target...

Prototype Pollution

Overview @apollo/federation-internals is an Apollo Federation internal utilities Affected versions of this package are vulnerable to Prototype Pollution through incomplete sanitization of input in the query plan execution. An attacker can manipulate the Object.prototype in the gateway by crafting...