Security Bulletin: Due to the use of OpenSSL, IBM EntireX is vulnerable to multiple vulnerabilities
Summary Due to the use of OpenSSL, IBM EntireX is vulnerable to multiple vulnerabilities CVE-2026-7383, CVE-2026-9076, CVE-2026-34180, CVE-2026-34182, CVE-2026-42766, CVE-2026-42770, CVE-2026-45445, CVE-2026-45446, CVE-2026-45447. To address the vulnerabilities, the version of OpenSSL used by IBM...
bugspray
🔴 Bugspray Multi-vector web application vulnerability scann...
Security Bulletin: IBM MQ for HPE NonStop is affected by vulnerabilities in OpenSSL
Summary IBM MQ for HPE NonStop is affected by OpenSSL vulnerabilities CVE-2026-28387, CVE-2026-28388, CVE-2026-28389, CVE-2026-28390, CVE-2026-31789, CVE-2026-31790, CVE-2026-2673. Vulnerability Details CVEID:CVE-2026-28387 DESCRIPTION: Issue summary: An uncommon configuration of clients performi...
GHSA-P9JG-FCR6-3MHF OnGres SCRAM silent channel-binding authentication downgrade via unsupported certificate algorithms
Summary A flaw in com.ongres.scram:scram-client allows an attacker capable of performing a TLS man-in-the-middle MITM attack to silently downgrade a connection from SCRAM-SHA-256-PLUS with channel binding to standard SCRAM-SHA-256 without channel binding, bypassing strict client-side enforcement...
GHSA-8XWF-RJM4-XVHV oras-go has file store write outside workingDir via symlink traversal
The file content store in oras-go attempts to confine writes to workingDir when AllowPathTraversalOnWrite=false, but the guard is lexical and does not account for symlink traversal. If workingDir contains a symlink path component and an attacker-controlled blob title via ocispec.AnnotationTitle...
GHSA-JXPM-75MH-9FP7 oras-go blob upload vulnerable to credential forwarding via unvalidated Location header
Summary oras-go follows a registry-controlled Location header during the monolithic blob upload flow and reuses the Authorization header from the initial POST request for the subsequent PUT request. If a malicious registry returns a cross-host Location, oras-go can send the caller's credentials t...
GHSA-XF85-363P-868W oras-go: Malicious registry can hijack Bearer token realm to exfiltrate credentials and refresh tokens
Summary oras-go's auth.Client follows the realm URL from a registry's WWW-Authenticate: Bearer challenge without validating its scheme or host. The realm field is server-controlled by design in the OCI/distribution spec — registries legitimately point token requests at a separate auth endpoint e....
CVE-PoC-Hub
🔬 CVE-PoC-Hub — Curated Proof-of-Concept Exploits Working,...
GHSA-HHX9-57XQ-R5RW @hey-api/openapi-ts's `buildClientParams` template: prototype chain substitution via unknown `$<slot>___proto__` key
Summary dist/clients/core/params.ts in @hey-api/openapi-ts ships a runtime template that is copied verbatim into every generated SDK as params.gen.ts. When a caller passes an object argument containing an unknown key starting with a slot prefix $body, $headers, $path, $query, the function strips...
EUVD-2026-38009
Rancher vulnerable to command injection through unsanitized YAML parameter...
GHSA-MHC6-2GFQ-XX62 Rancher vulnerable to command injection through unsanitized YAML parameter
Impact A critical command injection vulnerability has been identified in the Rancher Manager cluster import endpoint /v3/import/tokenclusterId.yaml through unsanitized YAML parameters. This endpoint accepts an authImage query parameter that is rendered without sanitization into a generated...
GHSA-6WQW-VHFR-9999 SurrealDB: Authenticated subscribers can read records hidden by SELECT permissions via LIVE subscriptions
A record user could read records the table's SELECT permission expression should have hidden, when that expression referenced $value, $before, $after, or $event. Binding a chosen value to that name before registering a LIVE SELECT caused notifications to evaluate the permission against the...
GHSA-4V76-CW68-4VC9 SurrealDB: Crafting malicious LIVE queries writes to the database, resulting in DoS, without permission to the table required
A LIVE query whose WHERE clause evaluates to an error caused the source data modifier (the user creating, updating, or deleting a record on the watched table) to fail instead. Calling any arbitrary SurrealQL function with a typed parameter and passing a value of the wrong type — for example LIVE...