
19 matches found

OSV
added 2026/04/17 10:21 p.m. | 2 views

GHSA-8GMG-3W2Q-65F4 OpenTelemetry eBPF Instrumentation: Privileged Java agent injection allows arbitrary host file overwrite via untrusted TMPDIR

Summary: A flaw in the Java agent injection path allows a local attacker controlling a Java workload to overwrite arbitrary host files when Java injection is enabled and OBI is running with elevated privileges. The injector trusted TMPDIR from the target process and used unsafe file creation...

CVSS 8.4 | AI score 5.9 | EPSS 0.00021
Exploits: 1 | References: 4

CNNVD
added 2026/03/05 12:0 a.m. | 3 views

Pingora security vulnerability

Pingora is a library open sourced by Cloudflare, used to build fast, reliable, and scalable network services. Prior to Pingora v0.8.0, there were security vulnerabilities. These vulnerabilities stemmed from the use of the HTTP request interleaving technique when handling HTTP/1.1 connection...

CVSS 9.3 | AI score 6.8 | EPSS 0.00018
Exploits: 0 | References: 1

Vulnrichment
added 2026/03/04 11:44 p.m. | 1 view

CVE-2026-2836 Cache poisoning via insecure-by-default cache key

A cache poisoning vulnerability has been found in the Pingora HTTP proxy framework’s default cache key construction. The issue occurs because the default HTTP cache key implementation generates cache keys using only the URI path, excluding critical factors such as the host header authority...

CVSS 8.4 | AI score 5.7 | EPSS 0.0001
Exploits: 0 | References: 1

EUVD
added 2025/10/07 12:30 a.m. | 2 views

EUVD-2019-3701

Malware in sbrugna...

CVSS 6.1 | AI score 6.3 | EPSS 0.00427
Exploits: 1 | References: 2

Github Security Blog
added 2023/11/14 8:31 p.m. | 29 views

Gitsign's Rekor public keys fetched from upstream API instead of local TUF client.

Impact: In certain versions of gitsign, Rekor public keys were fetched via the Rekor API, instead of through the local TUF client. If the upstream Rekor server happened to be compromised, gitsign clients could potentially be tricked into trusting incorrect signatures. There is no known compromise...

CVSS 5.3 | AI score 6.3 | EPSS 0.00099
Exploits: 0 | References: 6 | Affected Software: 1

Code423n4
added 2023/08/28 12:0 a.m. | 9 views

Validating input parameters with the max value of uint

Lines of code Vulnerability details Impact Validating input values with uint256.max will not revert in any condition as Solidity v0.8.0 reverts on overflow and underflow. Detailed description of the impact of this finding. Due to Solidity v0.8.0 which reverts on overflow and underflow of integer...

AI score 7.3
Exploits: 0

OSV
added 2022/08/30 10:15 p.m. | 7 views

CVE-2022-36747

Razor v0.8.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the function uploadchannel...

CVSS 6.1 | AI score 6.2
Exploits: 0 | References: 2

NVD
added 2022/08/30 10:15 p.m. | 10 views

CVE-2022-36747

Razor v0.8.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the function uploadchannel...

CVSS 6.1 | EPSS 0.0032
Exploits: 1 | References: 2

Prion
added 2022/08/30 10:15 p.m. | 13 views

Cross site scripting

Razor v0.8.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the function uploadchannel...

CVSS 5.8 | AI score 6 | EPSS 0.0032
Exploits: 1 | References: 2 | Affected Software: 1

Cvelist
added 2022/08/30 9:27 p.m. | 13 views

CVE-2022-36747

Razor v0.8.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the function uploadchannel...

AI score 6.2 | EPSS 0.0032
Exploits: 1 | References: 2

CVE
added 2022/08/30 9:27 p.m. | 56 views

CVE-2022-36747

Razor v0.8.0 contains a cross-site scripting (XSS) vulnerability in the uploadchannel() function (CVE-2022-36747). The issue affects Razor version 0.8.0 and is caused by insecure handling in the uploadchannel() path, enabling attacker-controlled input to be reflected in the web context. Public re...

CVSS 6.1 | AI score 6 | EPSS 0.0032
Exploits: 1 | References: 2 | Affected Software: 1

CVE
added 2021/08/04 8:2 p.m. | 71 views

CVE-2020-24829

GPAC is vulnerable in versions v0.5.2–v0.8.0 due to a heap-based buffer overflow in gf_m2ts_section_complete (media_tools/mpegts.c) that can cause a denial of service via crafted MP4 files. Affected software: GPAC (MP4Box usage demonstrated). Root cause: heap overflow in mpegts handling. Impact: DOS...

CVSS 5.5 | AI score 5.4 | EPSS 0.00365
Exploits: 1 | References: 3 | Affected Software: 1

Cvelist
added 2021/08/04 8:2 p.m. | 11 views

CVE-2020-24829

An issue was discovered in GPAC from v0.5.2 to v0.8.0, as demonstrated by MP4Box. It contains a heap-based buffer overflow in gf_m2ts_section_complete in media_tools/mpegts.c that can cause a denial of service (DoS) via a crafted MP4 file...

AI score 5.5 | EPSS 0.00365
Exploits: 1 | References: 3

Github Security Blog
added 2021/06/23 5:27 p.m. | 55 views

Control character injection in console output in github.com/ipfs/go-ipfs

Impact: Control characters are not escaped from console output. This can result in hiding input from the user which could result in the user taking an unknown, malicious action. Patches: Patched via https://github.com/ipfs/go-ipfs/pull/7831 in v0.8.0. For more information: If you have any questions...

CVSS 8.8 | AI score 8.3 | EPSS 0.00743
Exploits: 0 | References: 5 | Affected Software: 1

RustSec
added 2019/08/25 12:0 p.m. | 17 views

HMAC-BLAKE2 algorithms compute incorrect results

When used in conjunction with the Hash-based Message Authentication Code (HMAC), the BLAKE2b and BLAKE2s implementations in blake2 crate versions prior to v0.8.1 used an incorrect block size (32 bytes instead of 64 bytes for BLAKE2s, and 64 bytes instead of 128 bytes for BLAKE2b), causing them to...

CVSS 9.8 | AI score 2.9 | EPSS 0.00203
Exploits: 0 | Affected Software: 1

NVD
added 2019/05/13 3:29 p.m. | 9 views

CVE-2019-12047

Gridea v0.8.0 has an XSS vulnerability through which the Node.js module can be called to achieve arbitrary code execution, as demonstrated by child_process.exec and the "img src= onerror='evalnew Buffer" substring...

CVSS 6.1 | AI score 6.3 | EPSS 0.00427
Exploits: 1 | References: 1

OSV
added 2019/05/13 3:29 p.m. | 10 views

CVE-2019-12047

Gridea v0.8.0 has an XSS vulnerability through which the Node.js module can be called to achieve arbitrary code execution, as demonstrated by child_process.exec and the "img src= onerror='evalnew Buffer" substring...

CVSS 6.1 | AI score 6.5
Exploits: 0 | References: 1

Prion
added 2019/05/13 3:29 p.m. | 14 views

Design/Logic Flaw

Gridea v0.8.0 has an XSS vulnerability through which the Node.js module can be called to achieve arbitrary code execution, as demonstrated by child_process.exec and the "img src= onerror='evalnew Buffer" substring...

CVSS 4.3 | AI score 6.2 | EPSS 0.00427
Exploits: 1 | References: 1 | Affected Software: 1

Cvelist
added 2019/05/13 2:21 p.m. | 8 views

CVE-2019-12047

Gridea v0.8.0 has an XSS vulnerability through which the Node.js module can be called to achieve arbitrary code execution, as demonstrated by child_process.exec and the "img src= onerror='evalnew Buffer" substring...

AI score 6.3 | EPSS 0.00427
Exploits: 1 | References: 1