5 matches found
GHSA-3G33-6VG6-27M8 Fission router exposes /fission-function/<ns>/<name> on its public listener, allowing invocation of any function without an HTTPTrigger
Summary: The Fission router registers an internal-style route (/fission-function/<name> and /fission-function/<ns>/<name>) for every Function object, independent of whether any HTTPTrigger exists for that function. The route was mounted on the same listener as user-defined HTTPTriggers (svc/router, port 8888), so...
PT-2026-42589
Summary: The Fission router registers an internal-style route (/fission-function/<name> and /fission-function/<ns>/<name>) for every Function object, independent of whether any HTTPTrigger exists for that function. The route was mounted on the same listener as user-defined HTTPTriggers (svc/router, port 8888), so...
Missing Authorization
Overview: Affected versions of this package are vulnerable to Missing Authorization via the Delete function. An attacker can permanently remove entire repositories, including all associated data and history, by sending a DELETE request to the API endpoint while possessing only read-level access...
GHSA-PHM4-WF3H-PC3R Remote Code Execution in Gogs
Gogs 0.13.2 is vulnerable to symbolic link path traversal that enables remote code execution via the editFilePost function of internal/route/repo/editor.go...
Open Redirect
getgrav/grav is vulnerable to open redirect. The vulnerability exists because the function redirect in Common/Grav.php does not validate the internal route parameter route and redirects to another location, allowing attackers to provide a malicious route to a location or file...