526414 matches found
GHSA-6G2F-W7G3-77VF 9router has an Incomplete Fix: Local-Only Access Gate Bypass in 9router via Host Header Spoofing
Summary: The fix for CVE-2026-46339 (unauthenticated RCE via unprotected MCP plugin routes) introduced a local-only access gate in src/dashboardGuard.js that restricts spawn-capable routes (/api/mcp/, /api/tunnel/, /api/cli-tools/) to loopback requests. The gate determines "local" by inspecting the Ho...
GHSA-JPHH-M39H-6GWX 9router's Hardcoded Default fallback JWT Secret Allows Authentication Bypass
Summary: 9router uses a publicly known hardcoded string "9router-default-secret-change-me" as the fallback JWT secret for all Dashboard session JWTs when the JWTSECRET environment variable is not set. Because this secret is committed in the public repository and unchanged across all releases, a...
GHSA-5G75-477J-2C2F LaunchServer FileServerHandler has an unauthenticated path traversal issue
Summary: An unauthenticated path traversal in the LaunchServer HTTP file server (FileServerHandler) lets any remote actor read any file readable by the LaunchServer process, e.g. ../../../../etc/passwd. This is a generic arbitrary-file-read primitive, so the fix must address the traversal itself, not...
GHSA-MM6C-5J6X-HQ8M Algernon vulnerable to server-side script source disclosure on Windows via NTFS filename
Summary: Algernon selects its file handler from filepath.Ext (engine/handlers.go:134), which does not treat the NTFS-equivalent names x.lua::$DATA, x.lua., or x.lua as .lua. On Windows, an unauthenticated client appends one of these suffixes to any server-side script on a public path and receives it...
GHSA-4J9M-H44M-2HV8 Steeltoe: OAEP setting silently selects PKCS#1 v1.5 padding
Summary: Configuring encrypt:rsa:algorithm=OAEP does not enable OAEP encryption. Due to an incorrect BouncyCastle transformation string, the OAEP setting selects PKCS1 v1.5, which is the same algorithm as the DEFAULT setting. Impact: Operators who configure encrypt:rsa:algorithm=OAEP to obtain...
Zebra Address Book Aborted by IPv4-Mapped Mempool Misbehavior Update
Am I affected? You are affected if: 1. You run zebrad up to and including v4.4.1. 2. Your node listens on the default :: address on a Linux host (the standard deployment configuration; net.ipv6.bindv6only=0 is the default on all common Linux distributions). 3. Your node is synced near the chain tip...
GHSA-8W6W-23MQ-H8RG Linuxfabrik Monitoring Plugins: Sudoers may be able to obtain privilege escalation via /usr/bin/apt-get arguments
Summary: In the Debian.sudoers file, apt-get is allowed for the nagios user. The full command, including the arguments, is not enforced, so the arguments can be chosen arbitrarily. This makes it easy to get a root shell as the nagios user. PoC: By choosing a particular argument, you can get as a nagios...
@asymmetric-effort/nogginlessdom vulnerable to ReDoS via user-controlled regex in HTMLInputElement pattern validation
Summary: The HTMLInputElement.checkValidity method constructed a RegExp directly from the user-controlled pattern property without any sanitization or timeout protection. This allowed an attacker to inject a regex with catastrophic backtracking, freezing the event loop. Fix: Fixed in commit...
@asymmetric-effort/nogginlessdom's Path Traversal in matchFileSnapshot allows arbitrary file write
Summary: The matchFileSnapshot function in src/assertions/snapshots.ts accepted a filePath parameter with zero validation. When snapshot update mode was active (UPDATESNAPSHOTS=1 or setUpdateMode'all'), an attacker who controls test input could write arbitrary content to any filesystem path the...
GHSA-65JJ-FMW8-468Q zebrad has unbounded memory leak in mempool download pipeline via timeout path cancel_handles retention
Am I affected? You are affected if: 1. You run zebrad up to and including v4.4.1. 2. Your node accepts inbound P2P connections (network.listenaddr is set, which is the default). 3. Your node's mempool is active (node is synced near the chain tip). All default configurations are affected. Summary: The...
zebrad has persistent on-disk corruption of Sapling/Orchard subtree roots after chain fork via pop_tip
Am I affected? You are affected if: 1. You run zebrad up to and including v4.4.1. 2. Your node participates in a network where chain forks occur (mainnet, testnet, or any network with multiple miners). All default configurations are affected. The corruption persists across restarts because it is...
Mautic has Server-Side Template Injection (SSTI) in Theme Templates
Summary: A Server-Side Template Injection (SSTI) vulnerability exists in Mautic's theme engine. The platform renders uploaded Twig templates without a sandbox or strict function restrictions. Authenticated users with permissions to create or upload themes can abuse this to execute arbitrary code...
Zebra: Finalized address balance credit-first overflow on consensus-valid blocks
Am I affected? You are affected if: 1. You run zebrad up to and including v4.4.1. 2. Your node processes blocks on any Zcash network. Summary: The finalized transparent address balance writer processes all newly-created outputs (credits) before processing spent outputs (debits) within the same block. A...