15 matches found
Volcano's webhook server vulnerable to OOM due to unbounded HTTP request body size
Impact The Volcano webhook server does not enforce a size limit on incoming HTTP request bodies. Any in-cluster pod that can reach the webhook endpoint may send an arbitrarily large request body, potentially causing the webhook server to be killed by OOM. All Volcano deployments with the webhook...
PT-2026-38406
Name of the Vulnerable Software and Affected Versions Vercel CLI versions 50.16.0 through 52.0.0 Description When running in non-interactive mode via the --non-interactive flag or auto-detected AI agent, commands that cannot complete autonomously emit JSON payloads containing suggested follow-up...
GHSA-CQMH-PCGR-Q42F @axonflow/openclaw fix introduces plugin cache and credential-file permission hardening
Summary Two related permission defects in this AxonFlow plugin allowed registration credentials and cache state to be readable by other local users on hosts where the calling user's home directory was at the conventional 0755 mode. Affected versions Versions 1.3.2 and below. Impact 1. Cache and...
axonflow-sdk-typescript: Webhook signing-key (HMAC-SHA256) not exposed by SDK type, preventing signature verification
Summary The AxonFlow SDK's WebhookSubscription or equivalent type did not expose the HMAC-SHA256 signing key returned by the platform's CreateWebhook endpoint. Without access to the secret through the typed SDK API, callers had no path to verify the X-AxonFlow-Signature header on incoming webhook...
PT-2026-30322
Name of the Vulnerable Software and Affected Versions @hapi/content versions through 6.0.0 Description @hapi/content is susceptible to Regular Expression Denial of Service ReDoS through crafted HTTP header values. Three regular expressions used to parse Content-Type and Content-Disposition header...
CVE-2026-27812
Sub2API is an AI API gateway platform designed to distribute and manage API quotas from AI product subscriptions. A vulnerability in versions prior to 0.1.85 is a Password Reset Poisoning Host Header / Forwarded Header trust issue, which allows attackers to manipulate the password reset link...
Azure Linux 3.0 Security Update: nodejs (CVE-2024-24758)
The version of nodejs installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-24758 advisory. - Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared Authorization headers...
CVE-2025-68113 ALTCHA Proof-of-Work Vulnerable to Challenge Splicing and Replay
ALTCHA is privacy-first software for captcha and bot protection. A cryptographic semantic binding flaw in ALTCHA libraries allows challenge payload splicing, which may enable replay attacks. The HMAC signature does not unambiguously bind challenge parameters to the nonce, allowing an attacker to...
CVE-2025-54575 ImageSharp Triggers an Infinite Loop in its GIF Decoder When Skipping Malformed Comment Extension Blocks
ImageSharp is a 2D graphics library. In versions below 2.1.11 and 3.0.0 through 3.1.10, a specially crafted GIF file containing a malformed comment extension block with a missing block terminator can cause the ImageSharp GIF decoder to enter an infinite loop while attempting to skip the block. Th...
PT-2024-7207 · Microsoft · Edge
Name of the Vulnerable Software and Affected Versions: Microsoft Edge Chromium-based versions prior to 129.0.2792.52 Description: The issue is related to a use-after-free vulnerability in Microsoft Edge, which is based on Chromium. This vulnerability can be exploited by a remote attacker to execu...
CVE-2024-32973 Remote for TLS session may be trusted despite constraints in Pluto lang
Pluto is a superset of Lua 5.4 with a focus on general-purpose programming. In affected versions an attacker with the ability to actively intercept network traffic would be able to use a specifically-crafted certificate to fool Pluto into trusting it to be the intended remote for the TLS session...
PT-2024-3316 · Aruba · Arubaos
Name of the Vulnerable Software and Affected Versions: ArubaOS versions 8.10 through 10.5 Description: The issue is related to a buffer overflow vulnerability in the Utility daemon, which could lead to unauthenticated remote code execution by sending specially crafted packets to the PAPI UDP port...
PT-2023-6133 · Microsoft +1 · Quic +4
Name of the Vulnerable Software and Affected Versions: Microsoft QUIC affected versions not specified Windows affected versions not specified .NET affected versions not specified Visual Studio affected versions not specified Description: The vulnerability is related to insufficient input validati...
CVE-2020-15275 malicious SVG attachment causing stored XSS vulnerability in MoinMoin
MoinMoin is a wiki engine. In MoinMoin before version 1.9.11, an attacker with write permissions can upload an SVG file that contains malicious javascript. This javascript will be executed in a user's browser when the user is viewing that SVG file on the wiki. Users are strongly advised to upgrad...
PT-2021-1501 · Flatpak +9 · Flatpak +9
Name of the Vulnerable Software and Affected Versions: Flatpak versions prior to 1.10.4 and 1.12.0 Description: The issue is related to the lack of blocking in the seccomp filter for mount-related system calls, which can be exploited to gain access to confidential data, disrupt its integrity, and...