52 matches found

RedhatCVE, added 2026/01/09 8:34 a.m.

CVE-2024-41799

tgstation-server is a production scale tool for BYOND server management. Prior to 6.8.0, low permission users using the "Set .dme Path" privilege could potentially set malicious .dme files existing on the host machine to be compiled and executed. These .dme files could be uploaded via...

CVSS 9.9, AI score 7.8, EPSS 0.0121, Exploits 0, References 1
EUVD, added 2025/10/07 12:30 a.m.

EUVD-2020-8102

Malware in sbrugna...

CVSS 7.7, AI score 7.5, EPSS 0.02059, Exploits 0, References 3
EUVD, added 2025/10/03 8:07 p.m.

EUVD-2025-2571

Malicious code in bioql PyPI...

CVSS 8.8, AI score 6.5, EPSS 0.00454, Exploits 0, References 3
RedhatCVE, added 2025/05/23 3:55 a.m.

CVE-2023-34243

tgstation-server is a toolset to manage production BYOND servers. In affected versions, if a Windows user was registered in tgstation-server (TGS), an attacker could discover their username by brute-forcing the login endpoint with an invalid password. When a valid Windows logon was found, a distinct respon...

CVSS 5.8, AI score 6.7, EPSS 0.0046, Exploits 0, References 1
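The defect described in CVE-2023-34243 is a response oracle: a failed login for a registered Windows account produces a reply that differs from the reply for an unknown account, so an attacker can test candidate usernames with any wrong password. The following is an added example, not tgstation-server code: a toy login endpoint in the vulnerable and the hardened shape, plus the enumeration routine that exploits the difference. The account names, passwords and message strings are constructed for the example; the "System logon failed" text is an assumed stand-in for whatever distinct response the real endpoint returned.

```python
# Added example (not tgstation-server code): a login endpoint that leaks
# whether a username is a registered system logon through a distinct
# failure response, and an enumeration routine that exploits the leak.
# All accounts, passwords and messages below are constructed.

# Constructed data: one application account and one registered Windows logon.
APP_USERS = {"alice": "correct horse battery staple"}
WINDOWS_LOGONS = {"DOMAIN\\bob"}

GENERIC_FAILURE = (401, "Invalid username or password")


def vulnerable_login(username: str, password: str) -> tuple:
    """Distinguishes 'valid system logon, wrong password' from 'unknown user'."""
    if username in WINDOWS_LOGONS:
        # Assumed for illustration: the system-logon code path reports its own
        # failure text, which differs from the generic failure below.
        return 401, "System logon failed"
    if APP_USERS.get(username) == password:
        return 200, "OK"
    return GENERIC_FAILURE


def hardened_login(username: str, password: str) -> tuple:
    """Every authentication failure collapses to one status and one body."""
    if username in WINDOWS_LOGONS:
        # A real implementation would attempt the system logon here; on
        # failure it must return exactly the generic failure, not its own text.
        return GENERIC_FAILURE
    if APP_USERS.get(username) == password:
        return 200, "OK"
    return GENERIC_FAILURE


def enumerate_usernames(login, candidates) -> set:
    """Probe each candidate with a password that is wrong by construction and
    report the names whose failure response differs from a baseline taken
    for a username that cannot exist."""
    baseline = login("\x00no-such-user\x00", "x")
    found = set()
    for name in candidates:
        status, body = login(name, "wrong-password")
        if status == 401 and (status, body) != baseline:
            found.add(name)
    return found


CANDIDATES = ["alice", "DOMAIN\\bob", "carol"]

if __name__ == "__main__":
    print("vulnerable:", enumerate_usernames(vulnerable_login, CANDIDATES))
    print("hardened:  ", enumerate_usernames(hardened_login, CANDIDATES))
```

Equalising the status code and body removes the oracle shown here; a response-time difference between the two code paths is a separate channel that the same comparison loop, extended with timing measurements, would also pick up.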
RedhatCVE, added 2025/05/23 3:49 a.m.

CVE-2023-32687

tgstation-server is a toolset to manage production BYOND servers. Starting in version 4.7.0 and prior to 5.12.1, instance users with the list chat bots permission can read chat bot connection strings without the associated permission. This issue is patched in version 5.12.1. As a workaround,...

CVSS 7.7, AI score 6.3, EPSS 0.00634, Exploits 0, References 1
RedhatCVE, added 2025/05/23 2:04 a.m.

CVE-2023-33198

tgstation-server is a production scale tool for BYOND server management. The DreamMaker API (DMAPI) chat channel cache can possibly be poisoned by a tgstation-server (TGS) restart and reattach. This can result in sending chat messages to one of any of the configured IRC or Discord channels for the...

CVSS 7.5, AI score 7.1, EPSS 0.00635, Exploits 0, References 1
RedhatCVE, added 2025/05/22 3:45 p.m.

CVE-2020-16136

In tgstation-server 4.4.0 and 4.4.1, an authenticated user with permission to download logs can download any file on the server machine accessible by the owner of the server process via directory traversal ../ sequences in /Administration/Logs/ requests. The attacker is unable to enumerate files,...

CVSS 7.7, AI score 6.7, EPSS 0.02059, Exploits 0
RedhatCVE, added 2025/02/06 2:57 a.m.

CVE-2025-21611

tgstation-server is a production scale tool for BYOND server management. Prior to 6.12.3, roles used to authorize API methods were incorrectly OR'd instead of AND'ed with the role used to determine if a user was enabled. This allows enabled users access to most, but not all, authorized actions...

CVSS 8.8, AI score 6.7, EPSS 0.00454, Exploits 0, References 1
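The CVE-2025-21611 description says the role used to mark a user as enabled was OR'd with the roles that authorize an API method, when the two had to be AND'ed. The block below is an added example, not tgstation-server code, that models the two compositions side by side: a role set evaluated with "any of" semantics (the vulnerable shape) against separate enabled and rights requirements that must all hold (the hardened shape). The role and right names are assumed for illustration and are not the project's own identifiers. The disabled-account row is what this model yields under pure OR semantics; the advisory text itself only describes the enabled-user direction.

```python
# Added example (not tgstation-server code): composing an "account is enabled"
# check with per-method rights by OR instead of AND. Role and right names are
# assumed for illustration and are not the project's identifiers.

ENABLED_ROLE = "User.Enabled"                       # assumed: held by every enabled account
READ_USERS = "AdministrationRights.ReadUsers"       # assumed right name
WRITE_USERS = "AdministrationRights.WriteUsers"     # assumed right name


def vulnerable_authorize(user_roles: set, required: set) -> bool:
    """Vulnerable shape: the enabled role is appended to the method's required
    role list, and the whole list is matched with "any of" semantics, as a
    single comma-separated role list would be. Holding ENABLED_ROLE alone then
    satisfies every method guarded this way, whatever rights it asked for."""
    acceptable = required | {ENABLED_ROLE}
    return any(role in user_roles for role in acceptable)


def hardened_authorize(user_roles: set, required: set) -> bool:
    """Hardened shape: enabled status and the method's rights are separate
    requirements, and every one of them must hold."""
    return ENABLED_ROLE in user_roles and all(role in user_roles for role in required)


def decisions(user_roles: set, required: set) -> dict:
    """Return both outcomes for one request so the gap can be inspected."""
    return {
        "vulnerable": vulnerable_authorize(user_roles, required),
        "hardened": hardened_authorize(user_roles, required),
    }


# Constructed accounts.
ENABLED_NO_RIGHTS = {ENABLED_ROLE}
ENABLED_ADMIN = {ENABLED_ROLE, READ_USERS, WRITE_USERS}
DISABLED_ADMIN = {READ_USERS, WRITE_USERS}          # rights retained, account disabled

if __name__ == "__main__":
    for label, roles in (("enabled, no rights", ENABLED_NO_RIGHTS),
                         ("enabled admin", ENABLED_ADMIN),
                         ("disabled admin", DISABLED_ADMIN)):
        print(f"{label:20s} WriteUsers -> {decisions(roles, {WRITE_USERS})}")
```

The practical check for any framework whose role attribute takes a list: confirm whether a list means "any of" or "all of" before putting an account-state role and a permission role in the same list; if it means "any of", express the account state as its own requirement or policy.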
NVD, added 2025/01/06 4:15 p.m.

CVE-2025-21611

tgstation-server is a production scale tool for BYOND server management. Prior to 6.12.3, roles used to authorize API methods were incorrectly OR'd instead of AND'ed with the role used to determine if a user was enabled. This allows enabled users access to most, but not all, authorized actions...

CVSS 8.8, EPSS 0.00454, Exploits 0, References 3
Vulnrichment, added 2025/01/06 3:38 p.m.

CVE-2025-21611 tgstation-server's role authorization incorrectly OR'd with user's enabled status

tgstation-server is a production scale tool for BYOND server management. Prior to 6.12.3, roles used to authorize API methods were incorrectly OR'd instead of AND'ed with the role used to determine if a user was enabled. This allows enabled users access to most, but not all, authorized actions...

CVSS 8.8, AI score 8.7, EPSS 0.00454, Exploits 0, References 3
CVE, added 2025/01/06 3:38 p.m.

CVE-2025-21611

CVE-2025-21611 affects tgstation-server (BYOND server management). Before version 6.12.3, the authorization check for API methods used OR between the user-enabled status and the role, instead of AND. This error allowed enabled users to access most authorized actions regardless of their permission...

CVSS 8.8, AI score 8.6, EPSS 0.00454, Exploits 0, References 3, Affected Software 1
Cvelist, added 2025/01/06 3:38 p.m.

CVE-2025-21611 tgstation-server's role authorization incorrectly OR'd with user's enabled status

tgstation-server is a production scale tool for BYOND server management. Prior to 6.12.3, roles used to authorize API methods were incorrectly OR'd instead of AND'ed with the role used to determine if a user was enabled. This allows enabled users access to most, but not all, authorized actions...

CVSS 8.8, EPSS 0.00454, Exploits 0, References 3
OSV, added 2025/01/06 3:38 p.m.

CVE-2025-21611 tgstation-server's role authorization incorrectly OR'd with user's enabled status

tgstation-server is a production scale tool for BYOND server management. Prior to 6.12.3, roles used to authorize API methods were incorrectly OR'd instead of AND'ed with the role used to determine if a user was enabled. This allows enabled users access to most, but not all, authorized actions...

CVSS 8.8, AI score 6.7, EPSS 0.00454, Exploits 0, References 5
CNNVD, added 2025/01/06 12:00 a.m.

tgstation-server authorization issue vulnerability

tgstation-server is a tgstation open source toolset for managing production BYOND servers. An authorization issue vulnerability exists in tgstation-server versions prior to 6.12.3, which arises from incorrectly performing an "or" operation instead of an "and"...

CVSS 8.8, AI score 6.5, EPSS 0.00454, Exploits 0, References 4
Positive Technologies, added 2025/01/06 12:00 a.m.

PT-2025-4299 · Unknown · Tgstation-Server

Name of the Vulnerable Software and Affected Versions: tgstation-server versions prior to 6.12.3 Description: The issue concerns improper role authorization in tgstation-server, a production-scale tool for BYOND server management. Prior to version 6.12.3, roles used to authorize API methods were...

CVSS 8.8, AI score 7.1, EPSS 0.00454, Exploits 0, References 11
Veracode, added 2024/07/30 7:21 a.m.

Path Traversal

tgstation-server is vulnerable to Path Traversal. The vulnerability is due to low permission users with the "Set .dme Path" privilege potentially setting malicious .dme files to be compiled and executed, which can escalate into remote code execution via BYOND's shell proc...

CVSS 8.4, AI score 7.9, EPSS 0.0121, Exploits 0, References 4, Affected Software 1
Snyk, added 2024/07/29 3:41 p.m.

Path Traversal

Overview: Tgstation.Server.Api is a package that defines HTTP headers, default credentials, models, rights, and routes for communicating with the tgstation-server API. Affected versions of this package are vulnerable to Path Traversal that allows low privileged users to set .dme files on the host t...

CVSS 9.9, AI score 7.6, EPSS 0.0121, Exploits 0, References 2
NVD, added 2024/07/29 3:15 p.m.

CVE-2024-41799

tgstation-server is a production scale tool for BYOND server management. Prior to 6.8.0, low permission users using the "Set .dme Path" privilege could potentially set malicious .dme files existing on the host machine to be compiled and executed. These .dme files could be uploaded via...

CVSS 9.9, EPSS 0.0121, Exploits 0, References 3
Vulnrichment, added 2024/07/29 3:00 p.m.

CVE-2024-41799 tgstation-server's DreamMaker environment files outside the deployment directory can be compiled and ran by insufficiently permissioned users

tgstation-server is a production scale tool for BYOND server management. Prior to 6.8.0, low permission users using the "Set .dme Path" privilege could potentially set malicious .dme files existing on the host machine to be compiled and executed. These .dme files could be uploaded via...

CVSS 8.4, AI score 7.9, EPSS 0.0121, Exploits 0, References 3
CVE, added 2024/07/29 3:00 p.m.

CVE-2024-41799

Summary: CVE-2024-41799 affects tgstation-server (BYOND server management). Prior to version 6.8.0, low-permission users with the “Set .dme Path” privilege could cause malicious .dme files on the host to be compiled and executed, potentially leading to remote code execution via BYOND’s shell() pr...

CVSS 9.9, AI score 8.6, EPSS 0.0121, Exploits 0, References 3, Affected Software 1
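Two of the entries above are the same control missing in two places: CVE-2020-16136 (a log download name containing ../ sequences escapes /Administration/Logs/) and CVE-2024-41799 (a "Set .dme Path" value pointing at a .dme file outside the deployment directory). What both need is a containment check made on the resolved path rather than on the string the client sent. The block below is an added example, not tgstation-server code; the directory layout under /srv/tgs is assumed, and the two wrapper functions stand in for the log-download and .dme-path operations only as illustration.

```python
# Added example (not tgstation-server code): confining user-supplied paths to
# an allowed directory, the check missing in CVE-2020-16136 (log download
# names with ../) and CVE-2024-41799 (.dme paths outside the deployment
# directory). The directory layout is assumed for illustration.
from pathlib import Path
from typing import Optional


def confine(base: Path, user_supplied: str) -> Optional[Path]:
    """Return the resolved target if it lies inside base, otherwise None.

    resolve() collapses '..' segments and follows symlinks that exist, so the
    comparison is made against the real location, not the submitted string.
    Joining an absolute user path replaces base entirely; that result is
    then rejected by the containment check like any other escape.
    """
    base_real = base.resolve()
    target = (base_real / user_supplied).resolve()
    try:
        target.relative_to(base_real)
    except ValueError:
        return None
    return target


def log_file_path(log_dir: Path, requested_name: str) -> Optional[Path]:
    """Log download: only files directly inside log_dir, no subdirectories,
    and never log_dir itself (an empty name resolves to the directory)."""
    target = confine(log_dir, requested_name)
    if target is None or target.parent != log_dir.resolve():
        return None
    return target


def dme_path(deployment_dir: Path, requested: str) -> Optional[Path]:
    """'Set .dme Path': must stay inside the deployment directory and name a
    .dme file, so an arbitrary file elsewhere on the host cannot be compiled."""
    target = confine(deployment_dir, requested)
    if target is None or target.suffix.lower() != ".dme":
        return None
    return target


# Assumed directory layout for the example.
LOG_DIR = Path("/srv/tgs/instance/Logs")
DEPLOY_DIR = Path("/srv/tgs/instance/Repository")

if __name__ == "__main__":
    for name in ("tgs-2024.log", "../../../../etc/passwd", "sub/hidden.log", ""):
        print(f"log {name!r:28s} -> {log_file_path(LOG_DIR, name)}")
    for name in ("tgstation.dme", "../../../../tmp/evil.dme", "/tmp/evil.dme", "notes.txt"):
        print(f"dme {name!r:28s} -> {dme_path(DEPLOY_DIR, name)}")
```

The check has to run after any URL decoding the web layer performs, and the allow-list (directory plus extension) is the part that matters; rejecting the literal string ".." is not enough once encodings, symlinks or absolute paths are in play.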