33122 matches found
Cargo crates in third party registries can override the cached source of other crates
The Rust Security Response Team was notified that Cargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a malicious crate to override the source code of another crate from the same registry. This vulnerability is tracked as CVE-2026-5223. The...
Cargo can be coerced to share credentials between registries
The Rust Security Response Team was notified that Cargo incorrectly normalized the URLs of third-party registries using the sparse index protocol1. If a hosting provider allowed multiple registries to be hosted with arbitrary names within the same domain, an attacker able to publish crates in a...
php-weasyprint: shell command injection via configurable WeasyPrint binary path due to inverted is_executable() guard (mirror of KnpLabs/snappy GHSA-vpr4-p6fq-85jc)
Summary pontedilana/php-weasyprint builds the shell command for WeasyPrint by passing the binary path through escapeshellarg first and then checking the quoted result with isexecutable. On POSIX escapeshellarg'/usr/local/bin/weasyprint' returns '/usr/local/bin/weasyprint' with the single-quote...
Nebula Mesh: Web UI lacks ownership checks, enabling cross-operator access to hosts and networks (read, block, delete)
Summary The web UI /ui/ does not apply the per-operator CA scoping the JSON API received for GHSA-598g-h2vc-h5vg. Any authenticated non-admin operator for example, one created via self-registration or OIDC can access resources belonging to other operators. Impact A non-admin operator can: - Block...
phpMyFAQ has an incomplete fix for GHSA-xvp4-phqj-cjr3 — editUser() and updateUserRights() lack authorization guards
Advisory / Disclosure phpMyFAQ 4.1.3 — incomplete fix for the admin-API IDOR/privilege-escalation class Target: thorsten/phpMyFAQ composer: thorsten/phpmyfaq, phpmyfaq/phpmyfaq Affected: "Only SuperAdmins may change other users' attributes. Self-service is always allowed." and "a non-SuperAdmin...
@cardano402/mcp-server missing spending limits, LAN-exposed HTTP transport, and SSRF via catalog.server.url
Summary @cardano402/mcp-server versions = 0.1.1 ship three security gaps that can lead to unauthorized fund movement when the package is used as designed an MCP server exposing Cardano payment tools to an Impact 1. No spending limits on signed payments An LLM or prompt-injected LLM calling tools...
mcp-pinot: Unauthenticated tool invocation via default oauth_enabled=False + host 0.0.0.0 bind
Resolution Fixed in v3.1.0, released 2026-05-25. The fix was merged in PR 95 at commit 1c7d3f9. The fix changes the default HTTP bind host to 127.0.0.1, refuses non-loopback HTTP/HTTPS exposure unless OAuth is enabled, makes Helm exposure opt-in and OAuth-gated, and adds parser-backed...
Relyra SAML SignatureValue not cryptographically verified -> authentication bypass
Summary Relyra 1.0.0 and 1.1.0 accept forged SAML signatures because SignatureValue was not cryptographically verified before the library returned a successful authentication result. Details In 1.0.0 and 1.1.0, the XMLDSig trust boundary was incomplete. :publickey.verify over the exclusive-C14N...
mcp-memory-service: OAuth read-only clients can write and delete memories through MCP tools/call
Summary The HTTP MCP JSON-RPC endpoint at /mcp requires only OAuth read scope for all requests, then dispatches tools/call directly to handlers that include mutating tools. A read-only OAuth client can call storememory and deletememory through MCP even though the corresponding REST endpoints...
deepstream is vulnerable to prototype pollution
Impact Prototype pollution in deepstream server v =10.0.4. Potential privilege escalation from any authenticated user with write permission to any record. Patches Yes, upgrade to v10.0.5 Workarounds Filter out all messages containing the path proto, constructor, prototype, before they reach the...
Dosage Vulnerable to Stored Cross-Site Scripting (XSS) in HTML/RSS Output Handlers
Summary The HTML and RSS output handlers in dosagelib/events.py write user-controlled content comic text and page URLs directly into generated files without proper HTML escaping. When a user scrapes a malicious webcomic and opens the generated HTML/RSS file, attacker-controlled JavaScript can...
Scriban: ExpressionDepthLimit guard is non-enforcing — parser-recursion DoS in 6.6.0–7.2.0 (incomplete fix for GHSA-wgh7-7m3c-fx25 / GHSA-p6q4-fgr8-vx4p)
Summary The ExpressionDepthLimit parser guard in Scriban does not actually stop parsing — it only logs a non-fatal error and lets recursive descent continue. As a result, a template containing a deeply nested expression parentheses, array initializers, object initializers, or unary operators driv...
Scriban: array * int (ScriptArray<T>.TryEvaluate) bypasses LoopLimit — incomplete fix for GHSA-c875-h985-hvrc, missed sibling of GHSA-24c8-4792-22hx
Summary The array multiplication operator array integer in Scriban allocates a result whose size is the product of the attacker-controlled integer and the array length, with no LoopLimit / LimitToString check and no overflow-safe arithmetic. A 40-byte template forces a multi-gigabyte allocation,...
nebula-mesh: Signed-poll nonce LRU is in-memory and bounded; replay survives restart + eviction
internal/api/pop/nonce.go:25,40,86 + internal/api/server.go:38 — the signed-poll nonce cache is an in-process LRU sized at 65,536 entries. internal/api/updates.go:31 sets pollClockSkew = 5 time.Minute as the replay window. Affected All released versions through v0.3.0 that have shipped the ADR 00...
WebauthnAuthenticator leaks sensitive HTTP headers through INFO-level logs
Impact Webauthn\Bundle\Security\Http\Authenticator\WebauthnAuthenticator logs the full Symfony\Component\HttpFoundation\Request object inside the log context of both onAuthenticationSuccess and onAuthenticationFailure at INFO level: php $this-logger-info'User has been authenticated successfully...
CakePHP: View::element() is missing a path containment check
Impact View::getElementFileName does not check that the resolved element path is within the application/plugin view template paths. When element names are created with specifically crafted user-supplied data this weakness can be leveraged to include other PHP files on the server. Patches Patched...
joserfc: b64=false RFC7797 JWS payloads bypass JWSRegistry payload-size limits during deserialization
RFC7797 b64=false JWS payloads bypass JWSRegistry payload-size limits during deserialization Summary Testing revealed that joserfc accepts oversized RFC7797 b64=false JWS payloads without applying JWSRegistry.maxpayloadlength. The normal JWS compact and flattened JSON paths reject payloads above...
better-helperjs Vulnerable to Directory Traversal via String Prefix Bypass in Static Server
Summary A directory traversal vulnerability exists in the production static file server of better-helperjs = 3.0.5. Attackers can read arbitrary files located in adjacent directory structures that share the same string prefix as the intended static root directory. Details The framework utilizes a...
PHP Standard Library: HTTP/2 server-side missing content-length validation enables request smuggling
Impact Psl\H2\ServerConnection does not validate that the total bytes received in DATA frames match the content-length header declared in the HEADERS frame, in violation of RFC 9113 §8.1.1. A malicious client can: - Send more DATA bytes than declared, smuggling additional content past...
Muhammara has a NULL pointer dereference in LZWDecode filter when DecodeParms omits EarlyChange key
Summary A NULL pointer dereference vulnerability exists in PDFParser::CreateFilterForStream when processing a PDF stream with /Filter /LZWDecode and a /DecodeParms dictionary that does not contain the EarlyChange key. This causes an access violation 0xC0000005 and crashes the process. Affected...
Pterodactyl Panel: Client email change endpoint allows enumeration of accounts in system
Summary An unprotected user enumeration vulnerability exists in the account email update endpoint, allowing authenticated users to verify whether email addresses are registered on the panel through automated requests without rate limiting or CAPTCHA protection. Details The account settings page...
Pterodactyl Wings: Chmod operation can be used to change permissions of files outside of the server container
In wings/internal/ufs/fsunix.go line 92-94, this function is defined and is used to change permissions of files in the server: go func fs UnixFS fchmodatop string, dirfd int, name string, mode FileMode error return ensurePathErrorunix.Fchmodatdirfd, name, uint32mode, 0, op, name This call to the...
Flawfinder output manipulation via untrusted filenames and source text
Impact This vulnerability is an improper input neutralization issue leading to output manipulation, specifically, Terminal/ANSI Escape Sequence Injection and XML Injection: Terminal Output Spoofing: A malicious file whose name contains ANSI escape sequences can end up being included in flawfinder...
python-socketio: Binary attachment accumulation can cause denial of service
Impact The python-socketio server stores binary EVENT and ACK messages in memory while it waits to receive their binary attachments. Once all the attachments are received, these messages are then processed. An attacker can submit a binary message and intentionally omit sending one or more of its...
python-engineio has unbound thread allocation that can cause denial of service
Impact An attacker can cause the creation of unnecessary background threads in the python-engineio server by exploiting the heartbeat mechanism, which launches a thread when a new connection is received, and when the client sends a PONG packet. Note: this issue primarily affects synchronous...
semantic-router exposed to compromised litellm wheel (CVE-2026-42208) via unbounded transitive pin
Impact semantic-router versions 0.1.8 through 0.1.14 declare litellm=1.61.3 with no upper bound. During the window in which litellm==1.82.8 was the latest release on PyPI, a fresh install of any affected semantic-router version could resolve to that compromised wheel. The malicious litellm==1.82....
python-engineio has possible denial of service due to maximum payload size sometimes not being enforced
Impact There are two specific configurations of the python-engineio server in which the size of incoming messages is not checked before the messages are loaded into memory. An attacker can take advantage of these to cause unnecessary memory allocations in the python-engineio server. The two cases...
LinkifyIt#match scan loop has quadratic algorithmic complexity
Summary LinkifyIt.prototype.match — the package's primary public API — has ON² algorithmic complexity for inputs containing many fuzzy links or emails. This is not a regex backtrack bug; it's a structural issue in the JS-level scan loop that re-slices the input and re-runs unanchored regex search...
turso-cli persists Turso platform JWT with world-readable (0o644) file permissions
Summary turso-cli persists the user's Turso platform JWT to settings.json using Viper's default configPermissions of 0o644, leaving the credential file world-readable on standard Linux and macOS systems. Any other local UID on the host can read the file and recover the platform JWT, which grants...
nono-py's policy JSON accepts unknown security fields
Summary nono-py policy handling could fail open in two ways. First, resolving a policy-derived ProxyConfig did not automatically enforce CapabilitySet.proxyonly, allowing sandboxed children to bypass a resolved domain allowlist by using direct network access. Second, policy JSON accepted unknown...
nono-py vulnerable to authorization bypass / policy confusion
The python API made a restrictive-looking configuration unsafe by default. A caller could configure only reverse- proxy credential routes, put the child in CapabilitySet.proxyonly, and reasonably expect network access to be limited to those routes. Instead, because empty allowedhosts meant...
Backpropagate: backprop ui --auth and backprop ui --share do not enforce authentication
Summary In backpropagate = 1.1.0, the optional Reflex web UI pip install backpropagateui, launched via backprop ui exposes a training control plane: dataset upload, model load, training start/stop, multi-run orchestration, GGUF export, and HuggingFace Hub push. The CLI accepts two operator-facing...
nono-py has proxy-only network fallback bypass on older Linux kernels
Summary On Linux kernels that do not support Landlock network rules, nonopy.sandboxedexec could run CapabilitySet.proxyonlyproxy without supervising the seccomp-notify proxy-only fallback returned by the Rust core. In that configuration, a sandboxed child process could remove HTTPPROXY / HTTPSPRO...
Fleet DM Vulnerable to Cross-Team Policy Data Exposure via Global Policy Read Endpoint
Summary The global policy read endpoint GET /api/latest/fleet/policies/policyid performs authorization against an empty fleet.Policy struct with nil TeamID, then fetches any policy by ID from the database without verifying the fetched policy actually belongs to the global scope. This allows a use...
Hysteria: http large header with sniff cause server DoS
Summary Sending an excessively large header by an attacker could lead to a server-side DoS attack. Details The current sniff implementation does not explicitly specify the upper limit for HTTP headers. Attackers can continuously send excessively large headers without including \r\n\r\n, leading t...
Hysteria vulnerable to server crash when max_datagram_frame_size very small
Summary An authenticated client can crash the Hysteria server by advertising a very small QUIC maxdatagramframesize and then triggering a UDP response from the server. When the server tries to send the UDP response back via QUIC DATAGRAM, quic-go returns DatagramTooLargeError. The server then...
Hysteria has an authenticated UDP ACL bypass that enables localhost and private-network UDP SSRF
Summary Hysteria's UDP relay treats the destination address as packet-scoped, but ACL and outbound policy are applied only once when a new UDP session is created. After an authenticated client opens a UDP session using an allowed first destination, later packets in the same Session ID can be sent...
@cyclonedx/cdxgen: Maven project scanning may allow shell command injection through repository-controlled module paths
Summary A command injection vulnerability existed in the Maven scanning flow of cdxgen before version 12.4.3. When cdxgen scanned an attacker-controlled Maven project, repository-controlled paths could be used in the Maven command construction. In affected versions, some Maven invocations were...
Remark42: Cross-Site Scripting (XSS) on /api/v1/img via content-type spoofing
Summary The remark42 image proxy fetches an arbitrary remote URL and re-serves the response from remark42's own origin. The download path decides whether the fetched resource is an image by looking only at the Content-Type header the remote server claims — it never inspects the actual bytes. The...
Apptainer has incorrect path matching for 'limit container paths' directive
Impact The limit container paths directive in apptainer.conf is intended to allow a system administrator limit the paths from which containers can be run, under setuid mode. Due to incorrect matching of a path string, sibling directories with similar names may incorrectly be allowed. For example,...
pydantic-ai: SSRF blocklist bypass via IPv4-compatible, SIIT/IVI, and local NAT64 IPv6 addresses (incomplete fix of CVE-2026-46678)
Summary When an application using Pydantic AI opts a URL into forcedownload='allow-local' which disables the default block on private/internal IPs and runs on a network that routes the affected IPv6 transition forms NAT64- or ISATAP-configured networks, the cloud-metadata blocklist could be...
Incus has an arbitrary file write on its client due to trusted image hash
Summary An arbitrary file write exists in the Incus client when a malicious image server returns a crafted Incus-Image-Hash header. This can lead to arbitrary command execution as root on the server. Details - cmd/incusd/images.go:611-684 handles source.type=url by HEADing the user-supplied URL,...
@sigstore/core has DSSE payloadType type-binding failure
Impact The preAuthEncoding function in @sigstore/core uses Node.js 'ascii' encoding when converting the PAE Pre-Authentication Encoding string to bytes. This allows payloadType to be mutated after signing without invalidating the signature, breaking the type-binding guarantee that DSSE is designe...
Incus: CreateCustomVolumeFromBackup nil-pointer dereference on volume_snapshots[*].expires_at (sibling-field variant of GHSA-r7w7)
Summary backend.CreateCustomVolumeFromBackup in internal/server/storage/backend.go contains an unguarded time.Time dereference on the ExpiresAt field of every volume-snapshot entry in an imported custom-volume backup. An authenticated user with cancreatestoragevolumes permission on any project ca...
Incus has an argument injection in backup compression algorithm leading to AFW and ACE
Summary Improper validation of user-provided backup compression algorithm leads to argument injection in the constructed command line. This leads to an arbitrary file write on the host, possibly leading to arbitrary command execution. Details Incus validates compressionalgorithm by parsing it int...
Incus: Nil-pointer dereference in createDependentVolumesFromBackup on disk.{Volume,VolumeSnapshots,Pool}
Summary backend.createDependentVolumesFromBackup in internal/server/storage/backend.go contains a cluster of unguarded pointer derefs on every dependent-volume entry's VolumeSnapshotsi, Volume, and Pool sub-fields. An authenticated user with cancreateinstances permission on any project can crash...
Incus has an arbitrary file write via path traversal in S3 multipart upload
Summary The S3 protocol upload endpoint is vulnerable to path traversal and allows creation of arbitrary files on the host. This behavior could lead to arbitrary command execution. In internal/server/storage/s3/local/multipart.go, user-controlled upload ID is appended to the uploads directory...
Incus has arbitrary file read+write on host via templates/ symlink in malicious image
Summary A specially crafted image or instance backup can be used to read or create/write arbitrary files on the host; possibly leading to arbitrary command execution. Details For container images, internal/server/storage/utils.go calls archive.UnpackimageFile, destPath, .... The tar extraction pa...
Incus has a restricted project bypass leading to arbitrary command execution
Summary Instance snapshots ignore the restricted.containers.lowlevel=block setting; allowing for arbitrary command execution on the Incus server by abusing lowlevel hooks such as raw.lxc and raw.qemu. Details Instance snapshots ignore the restricted.containers.lowlevel=block setting; allowing for...
Incus has an arbitrary file write on host via `exec-output` symlink in crafted image
Summary The record-output parameter of the /instances/$name/exec endpoint stores the output of the command in the exec-output directory of the instance. If exec-output is a symlink, file named execUUID.stdout and execUUID.stderr can be written to an arbitrary location where the .stdout file will...