31476 matches found
GHSA-4W3Q-QPFQ-V992 Apollo ConfigService access key authentication bypass via appId parsing and non-canonical matching
Summary Apollo ConfigService may allow unauthorized access to configuration data when AccessKey / management key authentication is enabled and ConfigService accepts a non-canonical appId variant during authentication while downstream request handling resolves it to the protected app. Details...
GHSA-4CHG-4752-W88R NukeViet: Pre-authentication SSRF via X-Forwarded-Host
Summary An unauthenticated attacker can coerce the server into issuing HTTP requests to an attacker-chosen host by spoofing the X Forwarded-Host and X-Forwarded-Proto request headers. The forwarded host is used, without validation, to build the URL that serverinfoupdate fetches with cURL, resulti...
Security Bulletin: IBM Guardium Data Security Center is affected by multiple vulnerabilities
Summary IBM Guardium Data Security Center has addressed these vulnerabilities with an update. Vulnerability Details CVEID:CVE-2026-41683 DESCRIPTION: i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3,...
PYSEC-2026-2389 BabelDOC: Arbitrary Code Execution via CMap Pickle Deserialization in babeldoc/pdfminer/cmapdb.py
Arbitrary Code Execution via CMap Pickle Deserialization in babeldoc/pdfminer/cmapdb.py Summary BabelDOC's vendored PDF parser babeldoc/pdfminer/cmapdb.py deserializes untrusted pickle data when loading CMap files. The loaddata method strips only NUL bytes from a PDF-controlled CMap name, then...
BabelDOC: Arbitrary Code Execution via CMap Pickle Deserialization in babeldoc/pdfminer/cmapdb.py
Arbitrary Code Execution via CMap Pickle Deserialization in babeldoc/pdfminer/cmapdb.py SummaryBabelDOC's vendored PDF parser babeldoc/pdfminer/cmapdb.py deserializes untrusted pickle data when loading CMap files. The loaddata method strips only NUL bytes from a PDF-controlled CMap name, then...
`lxml_html_clean.Cleaner` does not strip `javascript:` URLs from namespaced URL attributes
lxmlhtmlclean.Cleaner does not strip javascript: URLs from namespaced URL attributes xlink:hrefReporter: Guillem Lefait · Date: 2026-05-10Affected: lxml ≤ 6.1.0 and lxmlhtmlclean ≤ 0.4.4 latest stableConfirmed against: lxml 6.1.0 + lxmlhtmlclean 0.4.4 on Python 3.13.5, 3.14.4, and 3.15.0a8 libxml...
PYSEC-2026-2614 `lxml_html_clean.Cleaner` does not strip `javascript:` URLs from namespaced URL attributes
lxmlhtmlclean.Cleaner does not strip javascript: URLs from namespaced URL attributes xlink:href Reporter: Guillem Lefait · Date: 2026-05-10 Affected: lxml ≤ 6.1.0 and lxmlhtmlclean ≤ 0.4.4 latest stable Confirmed against: lxml 6.1.0 + lxmlhtmlclean 0.4.4 on Python 3.13.5, 3.14.4, and 3.15.0a8...
joserfc: HS256/HS384/HS512 verify accepts empty/nil HMAC key (cross-language sibling of CVE-2026-45363)
Summaryjoserfc.jwt.decode accepts attacker-forged HMAC-signed tokens when thecaller-supplied verification key is the empty string or None.HMACAlgorithm.sign and HMACAlgorithm.verify insrc/joserfc/rfc7518/jwsalgs.py:62-70 feed whateverOctKey.getopkey... produced into hmac.new..., and...
PYSEC-2026-2528 joserfc: HS256/HS384/HS512 verify accepts empty/nil HMAC key (cross-language sibling of CVE-2026-45363)
Summary joserfc.jwt.decode accepts attacker-forged HMAC-signed tokens when the caller-supplied verification key is the empty string or None. HMACAlgorithm.sign and HMACAlgorithm.verify in src/joserfc/rfc7518/jwsalgs.py:62-70 feed whatever OctKey.getopkey... produced into hmac.new..., and...
PYSEC-2026-2580 Langroid: SQLChatAgent _validate_query blocklist misses pg_read_file family enabling arbitrary file read
Summary SQLChatAgent in langroid ships a validatequery defense-in-depth layer whose DANGEROUSSQLPATTERNS regex blocklist enumerates dangerous SQL primitives by specific function name. The list misses the canonical PostgreSQL filesystem-disclosure family pgreadfile, pgstatfile, pglslogdir,...
PYSEC-2026-2589 Lemur: JWT verifier honors attacker-supplied alg, enabling ATO
Lemur 1.9.0: JWT verifier trusts attacker-supplied alg from token header — defense-in-depth gap; chain-dependent ATO with secret disclosure Vulnerability Summary Field | Value -- | -- Title | Lemur 1.9.0: JWT verifier trusts attacker-supplied alg from token header — defense-in-depth gap;...
motionEye's Absolute Path Traversal in Media File Handlers Allows Arbitrary File Read
SummarymEye contains an absolute path traversal vulnerability in multiple media file handlers that allows an attacker to read arbitrary files from the filesystem.The affected handlers accept a user-controlled filename parameter and construct filesystem paths using os.path.join. When an absolute...
PYSEC-2026-2667 motionEye's Absolute Path Traversal in Media File Handlers Allows Arbitrary File Read
Summary mEye contains an absolute path traversal vulnerability in multiple media file handlers that allows an attacker to read arbitrary files from the filesystem. The affected handlers accept a user-controlled filename parameter and construct filesystem paths using os.path.join. When an absolute...
PYSEC-2026-3435 python-zeroconf: Unbounded TC-deferred queue allows LAN-local memory exhaustion via spoofed-source flood
Impact AsyncListener.handlequeryordefer retained every truncated TC-bit incoming query in self.deferredaddr and armed a per-addr timer in self.timersaddr that flushed the reassembled query within 500 ms RFC 6762 §18.5. Neither the per-addr list nor the number of distinct addr keys was capped, and...
python-zeroconf: Unbounded TC-deferred queue allows LAN-local memory exhaustion via spoofed-source flood
ImpactAsyncListener.handlequeryordefer retained every truncated TC-bit incoming query in self.deferredaddr and armed a per-addr timer in self.timersaddr that flushed the reassembled query within 500 ms RFC 6762 §18.5. Neither the per-addr list nor the number of distinct addr keys was capped, and...
PYSEC-2026-3437 zeroconf: Unbounded exception-dedup state retains packet buffers via traceback frame locals, enabling LAN-local memory exhaustion
Impact DNSIncoming.logexceptiondebug and the four QuietLogger exception-dedup methods stored an unbounded seenlogs dict keyed by strsys.excinfo1. The seven IncomingDecodeError messages raised from readname / decodelabelsatoffset RFC 6762 §18 name-decoding error paths all embed self.source — the...
zeroconf has unbounded DNS record cache that allows LAN-local memory exhaustion via multicast flood
ImpactDNSCache.asyncadd inserted every response record into cache, expirations, expireheap, and servicecache with no cap on entry count. The only pre-existing protection was a PTR TTL floor DNSPTRMINTTL = 1125 s, RFC 6762 §10, which actually prolonged attacker-injected records, and a periodic...
zeroconf: Unbounded exception-dedup state retains packet buffers via traceback frame locals, enabling LAN-local memory exhaustion
ImpactDNSIncoming.logexceptiondebug and the four QuietLogger exception-dedup methods stored an unbounded seenlogs dict keyed by strsys.excinfo1. The seven IncomingDecodeError messages raised from readname / decodelabelsatoffset RFC 6762 §18 name-decoding error paths all embed self.source — the...
PYSEC-2026-3439 zeroconf has unbounded DNS record cache that allows LAN-local memory exhaustion via multicast flood
Impact DNSCache.asyncadd inserted every response record into cache, expirations, expireheap, and servicecache with no cap on entry count. The only pre-existing protection was a PTR TTL floor DNSPTRMINTTL = 1125 s, RFC 6762 §10, which actually prolonged attacker-injected records, and a periodic...
local-deep-research has an SSRF bypass in `safe_get`
SummaryThe URL checking logic in local-deep-research has a logical flaw that could be bypassed by attackers, leading to SSRF attacks. DetailsThe current project uses validateurl to validate the input URL. The main logic is to perform security checks on the host portion of the URL extracted by...