250 matches found
Gotenberg has an SSRF deny-list bypass in IsPublicIP via IPv6 6to4 / NAT64 / site-local prefixes
Summary IsPublicIP in pkg/gotenberg/outbound.go incorrectly classifies IPv6 6to4 / NAT64 / deprecated site-local addresses as public IPs, allowing an unauthenticated attacker to reach internal destinations e.g., cloud metadata services at 169.254.169.254 via a single crafted DNS AAAA record. This...
CVE-2026-8450
HTTP::Daemon versions before 6.17 for Perl allow OS command injection via sendfile. sendfile opens its string argument with Perl's 2-arg open. The 2-arg form interprets magic prefixes: '| cmd' and 'cmd |' open a pipe to a subprocess, ' path' and ' path' open the path for write or append. Untruste...
UBUNTU-CVE-2026-8450
HTTP::Daemon versions before 6.17 for Perl allow OS command injection via sendfile. sendfile opens its string argument with Perl's 2-arg open. The 2-arg form interprets magic prefixes: '| cmd' and 'cmd |' open a pipe to a subprocess, ' path' and ' path' open the path for write or append. Untruste...
CVE-2026-8450
HTTP::Daemon versions before 6.17 for Perl allow OS command injection via sendfile. sendfile opens its string argument with Perl's 2-arg open. The 2-arg form interprets magic prefixes: '| cmd' and 'cmd |' open a pipe to a subprocess, ' path' and ' path' open the path for write or append. Untruste...
CVE-2026-8450 HTTP::Daemon versions before 6.17 for Perl allow OS command injection via send_file()
HTTP::Daemon versions before 6.17 for Perl allow OS command injection via sendfile. sendfile opens its string argument with Perl's 2-arg open. The 2-arg form interprets magic prefixes: '| cmd' and 'cmd |' open a pipe to a subprocess, ' path' and ' path' open the path for write or append. Untruste...
CVE-2026-8450
HTTP::Daemon versions before 6.17 for Perl allow OS command injection via sendfile. sendfile opens its string argument with Perl's 2-arg open. The 2-arg form interprets magic prefixes: '| cmd' and 'cmd |' open a pipe to a subprocess, ' path' and ' path' open the path for write or append. Untruste...
CVE-2026-9495
Versions of the package @koa/router from 14.0.0 and before 15.0.0 are vulnerable to Access Control Bypass due to the middleware being silently dropped from the execution chain when the router prefix contains path parameters. Depending on what the skipped middleware was supposed to protect, an...
CVE-2026-48689
FastNetMon Community Edition through 1.2.9 contains an off-by-one heap-based buffer overflow in the dynamicbinarybuffert class src/dynamicbinarybuffer.hpp. Five methods appenddynamicbuffer, appenddataaspointer, appenddataasobjectptr, memcpyfromptr, memcpyfromobjectptr use an incorrect bounds chec...
MAL-2026-4730 Malicious code in wml-components (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d65cdf836cae85d721f6a982c5941bd18037d4a3554ec4b69cd5828591ee0e20 [email protected] declares preinstall: node poc.js in package.json, so npm install automatically runs poc.js with no consent step. poc.js iterate...
Malicious code in cxpher-linux-arm32 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector cd6c14d2899b638880b25bf1c35973ed1c9cf6fcb99331447e3da7c2478124c7 The package's main is an ARM ELF binary that, when loaded, mkdtemp's a working directory under /dev/shm/.cxpher.XXXXXX or /tmp/.cxpher.XXXXXX, writes...
OESA-2026-2396 mariadb security update
MariaDB is a community developed fork from MySQL - a multi-user, multi-threaded SQL database server. It is a client/server implementation consisting of a server daemon mariadbd and many different client programs and libraries. The base package contains the standard MariaDB/MySQL client programs a...
OESA-2026-2395 mariadb security update
MariaDB is a community developed fork from MySQL - a multi-user, multi-threaded SQL database server. It is a client/server implementation consisting of a server daemon mariadbd and many different client programs and libraries. The base package contains the standard MariaDB/MySQL client programs a...
Exploit for Improper Authentication in Litellm
CVE-2026-35030 — LiteLLM Authentication Bypass via OIDC Userin...
CVE-2026-6342
Mattermost Plugins versions =11.5 11.1.5 10.13.11 11.3.4.0 fail to appropriately check for valid namespaces which allows plugin users to create subscriptions to groups that were not whitelisted via creating groups that share the same prefix as a whitelisted group. Mattermost Advisory ID:...
EUVD-2026-30745
Mattermost Plugins versions =11.5 11.1.5 10.13.11 11.3.4.0 fail to appropriately check for valid namespaces which allows plugin users to create subscriptions to groups that were not whitelisted via creating groups that share the same prefix as a whitelisted group. Mattermost Advisory ID:...
Open WebUI 安全漏洞
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted WebUI that is open source. Versions of Open WebUI prior to 0.9.0 contained security vulnerabilities. These vulnerabilities stemmed from the lack of prefixes for the toolservers and terminalservers keys in the utils/tools.py...
GHSA-4G37-7P2C-38R9 Open WebUI Vulnerable to IDOR: Retrieval API Bypasses Knowledge Base Access Controls
IDOR: Retrieval API Bypasses Knowledge Base Access Controls Author: Andrew Orr Summary validatecollectionaccess PR 22109 checks the user-memory- and file- collection name prefixes but does not check knowledge base collections, which use raw UUIDs as collection names. Any authenticated user who...
EUVD-2026-30364
Nuxt OG Image generates OG Images with Vue templates in Nuxt. The isBlockedUrl denylist introduced in [email protected] to remediate GHSA-pqhr-mp3f-hrpp Dmitry Prokhorov / Positive Technologies, March 2026 is incomplete. It has an incomplete IPv6 prefix list and is missing redirect re-validatio...
EUVD-2026-30317
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, the /forms/chromium/convert/url and /forms/chromium/screenshot/url routes accept url=file:///tmp/... from anonymous callers. The default Chromium deny-list intentionally exempts file:///tmp/ so HTML/Markdown routes can lo...
CVE-2026-42597 Gotenberg: Chromium URL conversion routes read arbitrary files under /tmp via file:// scheme
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, the /forms/chromium/convert/url and /forms/chromium/screenshot/url routes accept url=file:///tmp/... from anonymous callers. The default Chromium deny-list intentionally exempts file:///tmp/ so HTML/Markdown routes can lo...