GHSA-H5X8-XP6M-X6Q4 @jhb.software/payload-cloudinary-plugin: Arbitrary Cloudinary API Parameter Signing
Summary: @jhb.software/payload-cloudinary-plugin v0.3.4 exposes a server-side signing endpoint, `POST /api/cloudinary-generate-signature`, that passes attacker-supplied `paramsToSign` directly to...
GHSA-C3XH-98XP-6QHF githubtoplanguages: Command Injection via Issue Title in Discord Notification Workflow
Summary: A GitHub Actions workflow is vulnerable to command injection through the issue title. The workflow is triggered when an issue is opened or closed, and it directly inserts `github.event.issue.title` into a Bash variable assignment. If an issue title contains command substitution syntax, Bash...
GHSA-CW6H-FFMH-X6VH Anki: User scripts in iframes have access to the internal Anki API
Summary: Anki's webview-based pages communicate with the Rust backend using an internal localhost API. Anki implements measures to prevent user scripts run in the reviewer/editor from accessing this API (https://github.com/ankitects/anki/pull/3925), but it inadvertently allows access to scripts...
GHSA-X975-RGX4-5FH4 appium-mcp: Unescaped Locator Data XSS in MCP-UI Resource (createLocatorGeneratorUI)
Summary: appium-mcp's `createLocatorGeneratorUI` function interpolates attacker-controlled element attributes (text, content-desc, resource-id, and locator selector values) directly into an HTML template literal without any HTM...
GHSA-MRVX-JMJW-VGGC SearXNG MCP Server: DNS-resolved Private Hostname SSRF in `web_url_read`
Summary: The `web_url_read` MCP tool in mcp-searxng is vulnerable to Server-Side Request Forgery (SSRF) via DNS rebinding bypass. The `assertUrlAllowed` function at src/url-reader.ts:85-93 validates only the syntactic hostname string against a private...
GHSA-XCQX-9JF5-W339 SearXNG MCP Server: Unbounded Response Body Read Bypasses URL Size Limit in `web_url_read`
Summary: The `web_url_read` MCP tool in mcp-searxng enforces its 5 MiB response-size limit exclusively by inspecting the `Content-Length` header of a preliminary HEAD request. When a server omits `Content-Length`, a standard HTTP practice...
GHSA-48X2-6PR9-2JJF Network-AI: EnvironmentManager.restore() backup ID path traversal copies arbitrary directories into environment data
Summary: `EnvironmentManager.restore(env, backupId)` computes the backup path with `join(envDir, '.backups', backupId)` and only checks that this path exists. It does not resolve the result or verify that it remains under data//.backups. A caller can pass a traversal backup ID such as...
GHSA-MXJX-28VX-XJJJ Network-AI: ApprovalInbox HTTP server has no authentication — anyone can approve pending agent actions
Summary: network-ai's ApprovalInbox (lib/approval-inbox.ts) is a shipped, exported, documented feature: "a web-accessible approval queue with REST API … and SSE streaming" (SECURITY.md). It is the network surface of the human-in-the-loop Approval Gate, which ApprovalGate uses to require explicit huma...
GHSA-JVCM-F35G-W78P Network-AI: AgentRuntime sandbox path-prefix checks allow file access outside the configured base directory
Summary: AgentRuntime promises scoped file access under a configured sandbox `basePath`, but its path containment checks use raw string prefix tests. A sandbox base such as `/tmp/network-ai-sandbox` also matches a sibling path such as `/tmp/network-ai-sandboxevil/secret.txt`. An agent/user that can call...
GHSA-6V8J-33HC-MV84 symfony/ux-icons: XSS via unsanitized SVG content in local files and Iconify on-demand responses
Description: The `ux_icon` Twig function is marked `is_safe=['html']`, so Twig never escapes its output. `Icon::toHtml()` inlines the SVG source verbatim into the page. Browsers execute `<script>` elements and `on*` event-handler attributes found inside inline SVG, making any unsanitized icon a vector for cross-site...