CVE-2026-4900

A weakness has been identified in code-projects Online Food Ordering System 1.0. This affects an unknown part of the file /dbfood/localhost.sql. This manipulation causes files or directories accessible. The attack can be initiated remotely. The exploit has been made available to the public and...

CVE-2026-33661 WeChat Pay callback signature verification bypassed when Host header is localhost

Pay is an open-source payment SDK extension package for various Chinese payment services. Prior to version 3.7.20, the verifywechatsign function in src/Functions.php unconditionally skips all signature verification when the PSR-7 request reports localhost as the host. An attacker can exploit this...

CVE-2026-33661

Pay is an open-source payment SDK extension package for various Chinese payment services. Prior to version 3.7.20, the verifywechatsign function in src/Functions.php unconditionally skips all signature verification when the PSR-7 request reports localhost as the host. An attacker can exploit this...

CVE-2026-33661 WeChat Pay callback signature verification bypassed when Host header is localhost

Pay is an open-source payment SDK extension package for various Chinese payment services. Prior to version 3.7.20, the verifywechatsign function in src/Functions.php unconditionally skips all signature verification when the PSR-7 request reports localhost as the host. An attacker can exploit this...

CVE-2026-33661

CVE-2026-33661 affects the yansongda/pay library prior to 3.7.20. The verify_wechat_sign() function incorrectly bypasses RSA signature verification when the PSR-7 request Host header is localhost, allowing an attacker to POST to the WeChat Pay callback with Host: localhost and forge payment succe...

CVE-2026-33661 WeChat Pay callback signature verification bypassed when Host header is localhost

Pay is an open-source payment SDK extension package for various Chinese payment services. Prior to version 3.7.20, the verifywechatsign function in src/Functions.php unconditionally skips all signature verification when the PSR-7 request reports localhost as the host. An attacker can exploit this...

CVE-2026-30924

qui is a web interface for managing qBittorrent instances. Versions 1.14.1 and below use a permissive CORS policy that reflects arbitrary origins while also returning Access-Control-Allow-Credentials: true, effectively allowing any external webpage to make authenticated requests on behalf of a...

CVE-2026-32617

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, On default installations where no password or API key has been configured, all HTTP endpoints and the agent WebSocket lack authentication, and the...

CVE-2026-33511

pyLoad is a free and open-source download manager written in Python. From version 0.4.20 to before version 0.5.0b3.dev97, the localcheck decorator in pyLoad's ClickNLoad feature can be bypassed by any remote attacker through HTTP Host header spoofing. This allows unauthenticated remote users to...

CVE-2026-33480

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the isSSRFSafeURL function in AVideo can be bypassed using IPv4-mapped IPv6 addresses ::ffff:x.x.x.x. The unauthenticated plugin/LiveLinks/proxy.php endpoint uses this function to validate URLs before fetching the...

Code-Projects Online Food Ordering System 安全漏洞

Code-Projects Online Food Ordering System is an open-source online meal ordering system developed by Code-Projects. Version 1.0 of the Code-Projects Online Food Ordering System has a security vulnerability. This vulnerability stems from incorrect operations on the file/dbfood/localhost.sql, which...

pay 安全漏洞

Pay is a PHP payment development tool developed by Yansongda’s individual developers, supporting multiple payment channels. Versions of Pay prior to 3.7.20 contained security vulnerabilities. These vulnerabilities stemmed from the verifywechatsign function, which unconditionally skipped signature...

PT-2026-28664

Name of the Vulnerable Software and Affected Versions code-projects Online Food Ordering System version 1.0 Description A weakness exists in code-projects Online Food Ordering System 1.0. The issue affects an unknown part of the file /dbfood/localhost.sql, potentially leading to unauthorized acce...

GHSA-Q537-8FR5-CW35 Activitypub-Federation has SSRF via 0.0.0.0 bypass in activitypub-federation-rust v4_is_invalid()

Summary The v4isinvalid function in activitypub-federation-rust src/utils.rs does not check for Ipv4Addr::UNSPECIFIED 0.0.0.0. An unauthenticated attacker controlling a remote domain can point it to 0.0.0.0, bypass the SSRF protection introduced by the fix for CVE-2025-25194 GHSA-7723-35v7-qcxw,...

Activitypub-Federation has SSRF via 0.0.0.0 bypass in activitypub-federation-rust v4_is_invalid()

Summary The v4isinvalid function in activitypub-federation-rust src/utils.rs does not check for Ipv4Addr::UNSPECIFIED 0.0.0.0. An unauthenticated attacker controlling a remote domain can point it to 0.0.0.0, bypass the SSRF protection introduced by the fix for CVE-2025-25194 GHSA-7723-35v7-qcxw,...

AVideo vulnerable to IP Address Spoofing via Untrusted HTTP Headers in getRealIpAddr()

Summary The getRealIpAddr function in objects/functions.php trusts user-controlled HTTP headers to determine the client's IP address. An attacker can spoof their IP address by sending forged headers, bypassing any IP-based access controls or audit logging. Vulnerable Code File:...

User Impersonation

Overview Affected versions of this package are vulnerable to User Impersonation via the verifywechatsign function. An attacker can cause unauthorized order status changes by sending a crafted HTTP request with a Host: localhost header, which bypasses signature verification and allows forging...

WeChat Pay callback signature verification bypassed when Host header is localhost

Summary The verifywechatsign function in src/Functions.php unconditionally skips all signature verification when the PSR-7 request reports localhost as the host. An attacker can exploit this by sending a crafted HTTP request to the WeChat Pay callback endpoint with a Host: localhost header,...

GHSA-Q938-GHWV-8GVC WeChat Pay callback signature verification bypassed when Host header is localhost

Summary The verifywechatsign function in src/Functions.php unconditionally skips all signature verification when the PSR-7 request reports localhost as the host. An attacker can exploit this by sending a crafted HTTP request to the WeChat Pay callback endpoint with a Host: localhost header,...

@grackle-ai/server has a Missing Secure Flag on Session Cookie

Impact The session cookie is set with HttpOnly; SameSite=Lax; Path=/ but does not include the Secure flag. This means the cookie will be sent over plain HTTP connections. Since the server binds to 127.0.0.1 by default and uses HTTP not HTTPS, this is acceptable for localhost use. However, when...