wger: trainer_login open redirect - ?next= parameter not validated against host

Summary The trainerlogin view in wger redirects to request.GET'next' directly via HttpResponseRedirect without calling urlhasallowedhostandscheme. After the trainer successfully enters impersonation mode, their browser is redirected to any attacker-controlled URL supplied in the ?next= parameter,...

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization in the resetuserpassword and gympermissionsuseredit function when both the attacker and victim have gym=None. An attacker can gain unauthorized access to another user's account, obtain their new plaintext passwor...

GHSA-MHC8-P3JX-84MM wger: cross-tenant password reset and plaintext disclosure via gym=None bypass

Summary The resetuserpassword and gympermissionsuseredit views in wger perform a gym-scope authorization check using Python object comparison != that evaluates None != None as False, silently bypassing the guard when both the attacker and victim have no gym assignment gym=None. A user with...

wger: cross-tenant password reset and plaintext disclosure via gym=None bypass

Summary The resetuserpassword and gympermissionsuseredit views in wger perform a gym-scope authorization check using Python object comparison != that evaluates None != None as False, silently bypassing the guard when both the attacker and victim have no gym assignment gym=None. A user with...

GHSA-XQ9M-HMP9-FW87 wger: CSV/TSV formula injection in gym member export (first_name/last_name)

Summary The gym member TSV export endpoint in wger writes firstname and lastname profile fields verbatim to TSV cells with no formula-prefix sanitization. Any gym member including newly self-registered users can pre-load a spreadsheet formula into their own profile. When a gym admin later exports...

wger: CSV/TSV formula injection in gym member export (first_name/last_name)

Summary The gym member TSV export endpoint in wger writes firstname and lastname profile fields verbatim to TSV cells with no formula-prefix sanitization. Any gym member including newly self-registered users can pre-load a spreadsheet formula into their own profile. When a gym admin later exports...

GHSA-7545-FCXQ-7J24 GitPython reference APIs has a path traversal vulnerability that allows arbitrary file write and delete outside the repository

🧾 Summary A vulnerability in GitPython allows attackers who can supply a crafted reference path to an application using GitPython to write, overwrite, move, or delete files outside the repository’s .git directory via insufficient validation of reference paths in reference creation, rename, and...

GitPython reference APIs has a path traversal vulnerability that allows arbitrary file write and delete outside the repository

🧾 Summary A vulnerability in GitPython allows attackers who can supply a crafted reference path to an application using GitPython to write, overwrite, move, or delete files outside the repository’s .git directory via insufficient validation of reference paths in reference creation, rename, and...

kernel: crypto: algif_aead - Revert to operating out-of-place

A flaw was found in the Linux kernel's algifaead cryptographic algorithm interface. An incorrect in-place operation causes source and destination data mappings to differ during cryptographic processing. A low-privileged local attacker can exploit this flaw to corrupt the contents of sensitive...

Your Redis Server Looks Fine. That’s the Problem.

Introduction There’s an automated attack circulating right now that breaks into unprotected Redis servers, takes over the underlying machine, and then carefully puts everything back the way it found it. It restores the database filename. It deletes the tools it used. It detaches from the...

Information Exposure

Overview pyload-ng is a The free and open-source Download Manager written in pure Python Affected versions of this package are vulnerable to Information Exposure via the global exception handling process in the WebUI. An attacker can obtain sensitive internal implementation details, such as stack...

GHSA-C3GC-9PF2-84GG PyLoad vulnerable to unauthenticated traceback disclosure via global exception handler in WebUI

Summary pyload-ng WebUI returns full Python traceback details to clients on unhandled exceptions. Because /web/ is reachable without authentication and renders attacker-controlled template names, an unauthenticated user can reliably trigger a server exception for example by requesting a...

PyLoad vulnerable to unauthenticated traceback disclosure via global exception handler in WebUI

Summary pyload-ng WebUI returns full Python traceback details to clients on unhandled exceptions. Because /web/ is reachable without authentication and renders attacker-controlled template names, an unauthenticated user can reliably trigger a server exception for example by requesting a...

Exploit for Incorrect Implementation of Authentication Algorithm in Google Android

CVE-2026-0073 PoC Wireless ADB TLS Auth Bypass This directo...

CLSA-2026-1773479178 python: Fix of CVE-2025-12084

CVE-2025-12084: fix quadratic algorithm when building nested XML elements with appendChild...

CLSA-2026-1773479849 python: Fix of CVE-2025-12084

CVE-2025-12084: fix quadratic algorithm when building nested XML elements with appendChild...

kernel: crypto: algif_aead - Revert to operating out-of-place

A flaw was found in the Linux kernel's algifaead cryptographic algorithm interface. An incorrect in-place operation causes source and destination data mappings to differ during cryptographic processing. A low-privileged local attacker can exploit this flaw to corrupt the contents of sensitive...

GHSA-R27J-894H-3W3P mcp-data-vis vulnerable to denial of service via unsanitized `select` key lookup on `Object.prototype` with `precompile: true`

Summary icu-minify's runtime formatter resolves select branches by looking up the runtime value as a plain property on a prototype-bearing object. When the value coerces to a key that exists on Object.prototype e.g. toString, proto, constructor, hasOwnProperty, valueOf, the lookup returns a truth...

mcp-data-vis vulnerable to denial of service via unsanitized `select` key lookup on `Object.prototype` with `precompile: true`

Summary icu-minify's runtime formatter resolves select branches by looking up the runtime value as a plain property on a prototype-bearing object. When the value coerces to a key that exists on Object.prototype e.g. toString, proto, constructor, hasOwnProperty, valueOf, the lookup returns a truth...

Exploit for Incorrect Implementation of Authentication Algorithm in Google Android

🔓 CVE-2026-0073: Android adbd Authentication Bypass Proof...