Lucene search
K
GithubRecent

33100 matches found

Github Security Blog
Github Security Blog
added yesterday5 views

Serena: Unauthenticated Flask dashboard on fixed port enables DNS rebinding → memory poisoning → RCE

Summary Serena's built-in web dashboard exposes an unauthenticated Flask API on a fixed, predictable port TCP 24282, hardcoded as 0x5EDA in constants.py. The server has no authentication, no CSRF protection, and no Host header validation. A DNS rebinding attack allows a malicious webpage to reach...

8.3CVSS6.7AI score0.00237EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

NL Portal: IDOR allows any authenticated user to complete and tamper with another user's taak

Impact In versions from 1.5.0 up to and including 3.0.0, any authenticated portal user could complete and tamper with another user's open task by submitting it on their behalf. The task submission endpoint accepted a task ID and a payload, but it never checked whether the task actually belonged t...

6AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

NL Portal: Missing per-user authorization on document and decision GraphQL queries in nl-portal-backend-libraries

Impact In versions up to and including 3.0.0, two parts of the GraphQL API returned data without checking whether the data belonged to the logged-in user: - Document content. A logged-in user could download the raw content of any document by its ID, regardless of who owned it. The resolver has...

5.8AI score
Exploits0References2Affected Software2
Github Security Blog
Github Security Blog
added yesterday6 views

Waku has an Open Redirect via `unstable_redirect` Helper

Summary The unstableredirect helper exported from waku/router/server packages/waku/src/router/define-router.tsx:156–161 accepts an arbitrary string and reflects it unchanged into the HTTP Location response header with no URL validation, scheme restriction, or path-only enforcement. Any applicatio...

6AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

Waku: Cross-Origin CSRF on RSC Server Action Dispatch

Summary Waku's RSC request dispatcher invokes server actions without validating the request's Origin or Sec-Fetch-Site header. A cross-origin web attacker can therefore cause a victim browser to issue an authenticated POST to a registered server action endpoint using a CORS-safelisted content typ...

6AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

Joro: Unauthenticated Cross-Origin Plugin Upload Leads to RCE

Unauthenticated Cross-Origin Plugin Upload Leads to RCE Joro ≤ v1.1.0 Severity: Critical CVSS v3.1: 9.6 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H Affected versions: Joro ≤ v1.1.0, proxy mode default, Linux/macOS Reporter: cstover Date: 2026-05-27 --- Summary Joro's default proxy mode in versions = 1.1....

6.8AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

OneRingBuf has a Use After Free Vulnerability

Affected versions of oneringbuf exposed the obsolete IntoRef::intoref method through the public IntoRef trait. For heap-backed ring buffers, this method returned a DroppableRef handle. DroppableRef stored an owning raw pointer created from Box::intoraw. Its Clone implementation copied this raw...

6AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

DSpace: Path Traversal is possible through LDN message generation

Overview A path traversal vulnerability is possible via the COAR Notify / LDN service in DSpace. This vulnerability impacts DSpace versions 8.0 = 8.3, 9.0 = 9.2. The attacker MUST already have DSpace administrator credentials in order to perform the attack. When reading a file input stream of an...

5.8AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added yesterday6 views

DSpace: ORE resource URI does not validate scheme for non-web resources

Overview When ingesting an aggregated ORE resource by URI using the OAI-ORE Harvester, the ORE Ingestion Crosswalk does not validate the URI scheme. This may allow for local file inclusion via malicious paths like file:///etc/passwd. This vulnerability impacts DSpace versions = 7.6.6, 8.0 = 8.3,...

6AI score
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

DSpace has a possible Path Traversal Vulnerability in its Curation Task Reporter output path

Overview The Curation Task feature allows an output path to be used by the reporter -r parameter, typically used to stream results and status of curation task operations. It is not restricted to any particular base path, meaning that any path writable by the DSpace often 'tomcat' user is allowed...

5.7AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added yesterday7 views

DSpace has possible Remote Code Execution (RCE) through Velocity Templates used by LDN

Overview Remote Code Execution RCE is possible via Velocity Templates used by DSpace for COAR Notify/LDN messages. This vulnerability impacts DSpace versions 8.0 = 8.3, 9.0 = 9.2. The attacker MUST already have DSpace administrator credentials in order to perform the attack. This attack is relate...

9CVSS6.8AI score0.22709EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added yesterday3 views

Trapster Community: Unauthenticated malformed DNS compression pointers crash per-packet honeypot handler

Summary trapster.libs.dns.decodelabels decodes DNS names from attacker-supplied UDP packets and recurses once per RFC 1035 compression pointer with no cycle detection and no depth bound. A single unauthenticated UDP datagram sent to the DNS honeypot drives the function past CPython's recursion...

6AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added yesterday3 views

Sharp Missing Authorization Check in Quick Creation Command Endpoints

Impact The create and store endpoints of the Quick Creation Command feature did not enforce any authorization check. An authenticated Sharp user without create permission on a given entity could bypass the authorization layer and either retrieve the creation form or submit new records for that...

4.3CVSS6AI score0.00213EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

Nuclio: Unsanitized cron trigger event headers/body injected into CronJob shell command leads to persistent RCE

Summary Nuclio controller builds a curl invocation string for each cron trigger and stores it as the args of a Kubernetes CronJob container /bin/sh, -c, . Two fields in the trigger specification flow into this string without adequate sanitization: - event.headers keys — interpolated verbatim insi...

6.4AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added yesterday7 views

async-tar PAX extension-header desync enables tar entry/content smuggling

Summary async-tar v0.6.0 mis-applies a buffered PAX size extension to an intermediary extension header a GNU longname L, a GNU longlink K, or a PAX x/g header instead of to the next file entry. POSIX requires a PAX extended-header record set to describe the next file entry, never an intervening...

6AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

Skipper: opaAuthorizeRequestWithBody filter bypasses OPA policy on Transfer-Encoding — chunked / HTTP/2 requests

Summary zalando/skipper's OpenPolicyAgent integration silently bypasses request-body inspection on HTTP/1.1 Transfer-Encoding: chunked and HTTP/2 requests that omit the content-length pseudo-header. When the opaAuthorizeRequestWithBody filter is configured, the...

6.1AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

`lxml_html_clean.Cleaner` does not strip `javascript:` URLs from namespaced URL attributes

lxmlhtmlclean.Cleaner does not strip javascript: URLs from namespaced URL attributes xlink:href Reporter: Guillem Lefait · Date: 2026-05-10 Affected: lxml ≤ 6.1.0 and lxmlhtmlclean ≤ 0.4.4 latest stable Confirmed against: lxml 6.1.0 + lxmlhtmlclean 0.4.4 on Python 3.13.5, 3.14.4, and 3.15.0a8...

6AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2 days ago5 views

Weblate SSRF: outbound URL guard misses some private ranges

Impact Weblate's VCSRESTRICTPRIVATE did not properly account for some transitional IPv6 ranges, multicast addresses, or some semi-private IPv4 ranges, which allowed some addresses to bypass private range restrictions. Patches https://github.com/WeblateOrg/weblate/pull/19768 Resources The issue wa...

5.9CVSS6AI score0.00291EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2 days ago6 views

oasdiff does not enforce --allow-external-refs=false on the git-revision load path (SSRF / local file read)

Summary From v1.13.2 through v1.18.0, oasdiff did not enforce --allow-external-refs=false library: openapi3.Loader.IsExternalRefsAllowed = false when loading a spec from a git revision the rev:path form, e.g. main:openapi.yaml. External $refs were resolved on that load path even when external ref...

6AI score
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2 days ago7 views

KEDA has PostgreSQL connection string parameter injection via incomplete whitespace escaping

Summary pkg/scalers/postgresqlscaler.go builds libpq-style connection strings by concatenating key=value pairs separated by spaces. Each tenant-controllable field host, port, userName, dbName, sslmode is passed through escapePostgreConnectionParameter: go func escapePostgreConnectionParameterstr...

6.1AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2 days ago7 views

Flask-Security-Too: WebAuthn reauthentication freshness bypass via cross-user assertion

Summary Flask-Security-Too 5.8.0 and 5.8.1 mark a session as reauthentication-fresh after processing a WebAuthn assertion whose proven credential belongs to a different user than the currently authenticated session user. The check that GHSA-97r5-pg8x-p63p added on the OAuth reauthentication path...

6AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2 days ago7 views

Goploy: Arbitrary File Read via Path Traversal in /deploy/fileDiff allows Remote Server Compromise

Click here to jump to the Simplified Chinese version 点击跳转到简体中文版本 Goploy System Arbitrary File Read Vulnerability Basic Information - Vulnerability Name: Goploy Endpoints Arbitrary File Read via Path Traversal - Vulnerability Type: Path Traversal CWE-22 / Arbitrary File Read - Affected Product:...

6.4AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2 days ago5 views

Goploy: Cross-namespace IDOR and RCE via body-supplied row id in project and project_file handlers

Summary Project.AddFile, Project.EditFile, Project.RemoveFile, and Project.Edit in cmd/server/api/project/handler.go accept a project or project-file row id from the JSON body and act on it without checking that the project belongs to the caller's namespace. The corresponding...

6.1AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2 days ago5 views

ha-mcp: Add-on settings and policy routes are reachable without authentication at the bare root path

Summary In add-on mode, the ha-mcp settings UI routes are mounted both under the MCP secret path and at the bare root of the published port :9583, so Home Assistant ingress can serve the "Open Web UI" button. The root-mounted routes perform no authentication — no secret, no Origin check, no CSRF...

6.2AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2 days ago7 views

rama has Stored XSS in ServeDir HTML directory listing via unescaped file names and URI path

Resolved: https://github.com/plabayo/rama/commit/89ddff578fd78bbebec99482d7030f28c07757a3 Summary plabayo/rama contains a stored/reflected cross-site scripting issue in the ServeDir HTML directory listing feature. When ServeDir is configured with DirectoryServeMode::HtmlFileList, file names and U...

6.5AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2 days ago6 views

aiosmtplib vulnerable to SMTP command injection via CR/LF in sender/recipient address

Summary aiosmtplib's SMTP.mail, SMTP.rcpt, SMTP.vrfy and SMTP.expn send the caller-supplied email address to the server without rejecting embedded CR/LF \r\n bytes. An address that contains a CR/LF is written verbatim onto the SMTP control connection, so the bytes after the CRLF are framed by the...

6.1AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2 days ago7 views

Kite has an authenticated cluster RBAC bypass in /api/v1/overview

Summary Authenticated Kite users with any role can request /api/v1/overview for a cluster that their roles do not permit by selecting that cluster with x-cluster-name. The overview route is registered before middleware.RBACMiddleware and GetOverview only checks lenuser.Roles 0, so it returns...

6AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2 days ago5 views

Webauthn: SimpleFakeCredentialGenerator with an empty secret produces predictable fake credentials, weakening username enumeration protection

Impact Webauthn\SimpleFakeCredentialGenerator is the library-provided default implementation of the FakeCredentialGenerator interface. It returns a stable list of decoy PublicKeyCredentialDescriptor objects for a given username so that an assertion request for an unknown user looks the same as a...

5.9AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2 days ago8 views

ratex-parser has unbounded parser recursion that leads to stack overflow (process abort)

Summary RaTeX’s recursive-descent parser recurses one or more native stack frame per nesting level at , \left, \sqrt, ^, etc, with no maximum depth limit. A short, 10 KB input of nested groups overflows the 8 MB main-thread stack and aborts the process. With panic = "abort" Cargo.toml:48, and...

6AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2 days ago7 views

ratex-parser panics on `\verb` with a multibyte delimiter (UTF-8 byte-boundary slice)

Summary The public parser entrypoint ratexparser::parse&str panics on the 9-byte input \verbéxé i.e. \verb followed by the non-ASCII delimiter é. When handling a \verb command, the parser slices the verbatim argument with byte indices arg1..arg.len - 1; if the delimiter character is multibyte...

5.9AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2 days ago8 views

@better-auth/scim: Account/provider takeover via missing owner binding on non-org SCIM providers

Am I affected? Users are affected if all of these hold: - They install and register the @better-auth/scim plugin plugins: scim. - They create SCIM providers without an organizationId, that is, non-organization "personal" providers. Organization-scoped providers are not affected because they enfor...

6AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2 days ago8 views

Better Auth: Stale sessions persist after user deletion across admin, anonymous, and SCIM flows

Am I affected? Users are affected if all of the following are true: - They configure secondaryStorage on betterAuth... Redis, KV, or any external session cache. - session.storeSessionInDatabase is left unset or set to false the default. - Their application's deployment uses one or more of: - The...

5.9AI score
Exploits0References3Affected Software2
Github Security Blog
Github Security Blog
added 2 days ago6 views

@better-auth/oauth-provider's OAuth authorization-code grant allows concurrent redemption when two token requests race the find-then-delete primitive

Am I affected? Users are affected if all of the following are true: - Their project depends on @better-auth/oauth-provider at a version = 1.6.0, = 1.4.8-beta.7, 1.6.0, or enables the legacy oidc-provider or mcp plugins from better-auth/plugins. - Their application exposes /api/auth/oauth2/token o...

6AI score0.00029EPSS
Exploits0References3Affected Software2
Github Security Blog
Github Security Blog
added 2 days ago6 views

@better-auth/sso provider registration has server-side request forgery via unvalidated OIDC endpoints

Am I affected? Users are affected if all of the following are true: - Their application uses @better-auth/sso at a version = 0.1.0, 1.6.11 on the stable line, or any 1.7.0-beta.x on the pre-release line. - The sso plugin is added to their application's betterAuth plugins: ... array. - Any user wi...

6.1AI score0.00025EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2 days ago7 views

Better Auth: OAuth refresh-token rotation forks the token family on concurrent redemption

Am I affected? Users are affected if all of the following are true: - Their project depends on @better-auth/oauth-provider at a version = 1.6.0, = 1.4.8-beta.7, 1.6.0. - At least one OAuth client served by their application's authorization server requests the offlineaccess scope, so refresh token...

5.9AI score0.00029EPSS
Exploits0References4Affected Software2
Github Security Blog
Github Security Blog
added 2 days ago8 views

Better Auth has insecure cryptographic defaults in oidcProvider: alg=none advertised and plain PKCE accepted by default

Am I affected? Users are affected if all of the following are true: - Their application uses better-auth at a version below the patched release. - Their application enables oidcProvider from better-auth/plugins/oidc-provider or mcp from better-auth/plugins/mcp the mcp plugin delegates to...

6.1AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2 days ago9 views

Better Auth has stored XSS in the auth-server origin via javascript: redirect_uri in oidc-provider and mcp

Am I affected? Check each condition. Users are affected when all of the first three hold. - Their application enables the oidc-provider plugin or the mcp plugin from better-auth/plugins. The mcp plugin wraps the same provider and carries the same defect. Both are on the migration path to...

6AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2 days ago5 views

Better Auth has an account takeover issue via OAuth auto-link to unverified pre-registered email

Am I affected? Users are affected if all of the following are true: - Their application uses better-auth at a version 1.6.11 on the stable line, or any current next pre-release. - emailAndPassword.enabled: true is set in their application's betterAuth ... configuration. - At least one OAuth or SS...

5.9AI score0.00019EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2 days ago6 views

Better Auth vulnerable to unauthorized invitation acceptance via unverified email match in organization plugin

Am I affected? Users are affected if all of the following are true: - Their application uses better-auth with the organization plugin import organization from "better-auth/plugins/organization". - Their application enables a sign-up surface that allows arbitrary unverified email registration. Mos...

6AI score0.00016EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2 days ago6 views

@better-auth/oauth-provider may provide access tokens for unauthorized audiences via unbound resource indicators

Am I affected? Users are affected if all of the following hold: - Their application depends on @better-auth/oauth-provider on any stable 1.6.x release the stable line is not patched or on a pre-release before 1.7.0-beta.4. - Their application either configures validAudiences with more than one...

6AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2 days ago6 views

Better Auth: OAuth refresh-token replay via missing client authentication on oidc-provider and mcp plugins

Am I affected? Users are affected if all of the following are true: - Their application uses better-auth and has enabled at least one of: oidcProvider imported from better-auth/plugins/oidc-provider, or mcp imported from better-auth/plugins/mcp. - Their application has at least one confidential...

6.1AI score0.00013EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2 days ago5 views

netfoil: Attacker controlled data written to logs

Summary Domain names were written to the log without first being validated to contain allowed characters. Impact Depends on how the logs were used...

5.9AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2 days ago5 views

netfoil has a resource leak in LRU cache

Summary When an entry was removed from the LRU cache, a pointer to the removed element was not properly cleaned up. Impact A local attacker can get netfoil to use more memory. By default this is limited to 100MB via systemd, which would trigger service restarts when reached...

6AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2 days ago6 views

netfoil has a domain name filter bypass via multiple questions

Summary Potential bypass of domain name filter by crafting a DNS request with multiple questions, with the first question being legitimate. Impact Depends on a local attackers ability to craft multiple questions and the remote DoH server supporting them...

6AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2 days ago7 views

uutils coreutils: cp/install/mv/ln --suffix alone does not enable backup mode (silent data loss vs GNU)

determinebackupmode in src/uucore/src/lib/features/backupcontrol.rs only checks --backup/-b and returns BackupMode::None when only --suffix is given. GNU enables backup mode when --suffix is used alone defaulting to existing/numbered, or $VERSIONCONTROL. Affects cp, install, mv, ln which share th...

6AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2 days ago7 views

@aborruso/ckan-mcp-server: SSRF via base_url allows access to internal networks (Potential fix bypass of CVE-2026-33060)

Summary A known vulnerability CVE-2026-33060 indicated tools including ckanpackagesearch and sparqlquery that accept a baseurl parameter had the risk of making HTTP requests to arbitrary endpoints without restriction. A fix was applied to filter out ip addresses. However, a method to bypass exist...

5.7CVSS6.1AI score0.00289EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2 days ago7 views

Open WebUI has Blind Server Side Request Forgery in its Image Edit Functionality

Summary There is a blind server side request forgery in the functionality that allows editing an image via a prompt. The affected function will perform a GET request on the URL provided by the user. There is no restriction on the domain of the provided URL allowing the local address space to be...

4.3CVSS5.9AI score0.00227EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2 days ago6 views

Open WebUI vulnerable to Stored XSS via iFrame embeds in response messages

Summary Manually modifying chat history allows setting the embeds property on a response message, the content of which is loaded into an iFrame with a sandbox that has allow-scripts and allow-same-origin set, ignoring the "iframe Sandbox Allow Same Origin" configuration. This enables stored XSS o...

7.3CVSS6.2AI score0.00198EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2 days ago7 views

Open WebUI vulnerable to Stored XSS via iFrame in citations model

Summary Manually modifying chat history allows setting the html property within document metadata. This causes the frontend to enter a code path that treats document contents as HTML, and render them in an iFrame when the citation is previewed. This allows stored XSS via a weaponised document...

7.3CVSS6.1AI score0.00194EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2 days ago6 views

Open WebUI vulnerable to stored XSS via unescaped markdown token in MarkdownTokens.svelte leading to full account takeover and RCE via functions

Summary A vulnerability in the way certain html tags in chat messages are rendered allows attackers to inject JavaScript code into a chat transcript. The JavaScript code will be executed in the user's browser every time that chat transcript is opened, allowing attackers to retrieve the user's...

6.4CVSS6.4AI score0.00449EPSS
Exploits1References6Affected Software1
Total number of security vulnerabilities33100