GHSA-MCWW-4HXQ-HFR3 LightRAG: Hardcoded JWT Signing Secret Allows Authentication Bypass
Subject: Security Vulnerability Report - Hardcoded JWT Secret (CVE-2026-30762). Hi HKUDS team, I'm writing to report a security vulnerability I discovered in LightRAG v1.4.10. This has been assigned CVE-2026-30762 by MITRE. Vulnerability: Hardcoded JWT signing secret. Type: Improper Authentication...
GHSA-FCM4-4PJ2-M5HF Budibase: Unauthenticated Remote Code Execution via Webhook Trigger and Bash Automation Step
Summary: An unauthenticated attacker can achieve Remote Code Execution (RCE) on the Budibase server by triggering an automation that contains a Bash step via the public webhook endpoint. No authentication is required to trigger the exploit. The process executes as root inside the container. Details...
GHSA-2WFH-RCWF-WH23 Budibase: Path traversal in plugin file upload enables arbitrary directory deletion and file write
Summary: The plugin file upload endpoint POST /api/plugin/upload passes the user-supplied filename directly to createTempFolder without sanitizing path traversal sequences. An attacker with Global Builder privileges can craft a multipart upload with a filename containing ../ to delete arbitrary...
FastMCP OpenAPI Provider Has An SSRF & Path Traversal Vulnerability
Technical Description The "OpenAPIProvider" in FastMCP exposes internal APIs to MCP clients by parsing OpenAPI specifications. The "RequestDirector" class is responsible for constructing HTTP requests to the backend service. A critical vulnerability exists in the "buildurl" method. When an OpenAP...
Poetry Has Wheel Path Traversal Which Can Lead To Arbitrary File Write
Summary: A crafted wheel can contain ../ paths that Poetry writes to disk without containment checks, allowing arbitrary file write with the privileges of the Poetry process. Impact: Arbitrary file write (path traversal) from untrusted wheel content. Impacts users/CI/CD systems installing malicious o...
PhpMyFAQ Has A LIKE Wildcard Injection In Search.php — Unescaped % And _ Metacharacters Enable Broad Content Disclosure
Summary: The "searchCustomPages" method in "phpmyfaq/src/phpMyFAQ/Search.php" uses "real_escape_string" via "escape" to sanitize the search term before embedding it in LIKE clauses. However, "real_escape_string" does not escape the SQL LIKE metacharacters "%" (match any sequence) and "_" (match any single...
GHSA-2WVG-62QM-GJ33 pyLoad: SSRF in parse_urls API endpoint via unvalidated URL parameter
Vulnerability Details: CWE-918: Server-Side Request Forgery (SSRF). The parse_urls API function in src/pyload/core/api/__init__.py (line 556) fetches arbitrary URLs server-side via get_url(url) (pycurl) without any URL validation, protocol restriction, or IP blacklist. An authenticated user with ADD permission...
PT-2026-30319
Vulnerability Details: CWE-918: Server-Side Request Forgery (SSRF). The parse_urls API function in src/pyload/core/api/__init__.py (line 556) fetches arbitrary URLs server-side via get_url(url) (pycurl) without any URL validation, protocol restriction, or IP blacklist. An authenticated user with ADD permissi...
PT-2026-30318
Summary: The file lightrag/api/config.py (line 397) uses a default JWT secret "lightrag-jwt-default-secret" when the TOKEN_SECRET environment variable is not set. The AuthHandler in lightrag/api/auth.py (lines 24-25) uses this secret to sign and verify tokens. An unauthenticated attacker can forge...
openSUSE 16 Security Update : gnutls (openSUSE-SU-2026:20446-1)
The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20446-1 advisory. - CVE-2025-14831: Fixed DoS via excessive resource consumption during certificate verification (bsc#1257960). - CVE-2025-9820: Fixed a buffer...
openSUSE 16 Security Update : tomcat10 (openSUSE-SU-2026:20444-1)
The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20444-1 advisory. Update to Tomcat 10.1.52: - CVE-2025-55752: directory traversal via rewrite with possible RCE if PUT is enabled (bsc#1252753). - CVE-2025-55754:...
Linux Distros Unpatched Vulnerability : CVE-2026-35387
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is...
Perceptual Gaps: ASCII Art and Overlapping Audio As CAPTCHA
As multimodal large language models (LLMs) advance, traditional CAPTCHAs have become obsolete at distinguishing humans from bots. To address this shift, this paper aims to investigate the possibility of using tasks for which humans have evolved highly specialised neural processing. We introduce two...
Linux Distros Unpatched Vulnerability : CVE-2026-2950
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for CVE-2025-13465:...
GHSA-4Q27-4RRQ-FX95 AVideo: CSRF on Player Skin Configuration via admin/playerUpdate.json.php
Severity: Medium. CWE: CWE-352 (Cross-Site Request Forgery). Summary: The player skin configuration endpoint at admin/playerUpdate.json.php does not validate CSRF tokens. The plugins table is explicitly excluded from the ORM's domain-based security check via ignoreTableSecurityCheck, removing the only...
SUSE CVE-2026-23469
In the Linux kernel, the following vulnerability has been resolved: drm/imagination: Synchronize interrupts before suspending the GPU The runtime PM suspend callback doesn't know whether the IRQ handler is in progress on a different CPU core and doesn't wait for it to finish. Depending on timing,...