Lucene search
K
GithubRecent

33187 matches found

Github Security Blog
Github Security Blog
added 2026/03/27 10:23 p.m.12 views

path-to-regexp vulnerable to Regular Expression Denial of Service via multiple wildcards

Impact When using multiple wildcards, combined with at least one parameter, a regular expression can be generated that is vulnerable to ReDoS. This backtracking vulnerability requires the second wildcard to be somewhere other than the end of the path. Unsafe examples: /foo-bar-:baz /a-:b-c-:d...

5.9CVSS5.9AI score0.00353EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/27 10:23 p.m.38 views

path-to-regexp vulnerable to Denial of Service via sequential optional groups

Impact A bad regular expression is generated any time you have multiple sequential optional groups curly brace syntax, such as abc:z. The generated regex grows exponentially with the number of groups, causing denial of service. Patches Fixed in version 8.4.0. Workarounds Limit the number of...

7.5CVSS5.9AI score0.00791EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/27 10:22 p.m.20 views

AWS SDK for .NET: Improper escaping of special characters in CloudFront policy document construction

Summary This notification is related to the CloudFront signing utilities in the AWS SDK for .NET, which are used to generate Amazon CloudFront signed URLs and signed cookies. A defense-in-depth enhancement has been implemented to improve handling of special characters, such as double quotes and...

5.8AI score
Exploits0References2Affected Software2
Github Security Blog
Github Security Blog
added 2026/03/27 10:21 p.m.12 views

Withdrawn Advisory: Kirby CMS has Persistent DoS via Malformed Image Upload

Duplicate Advisory This advisory has been withdrawn because it is been determined to not be a vulnerability. This link is maintained to preserve external references. Original Description Summary Kirby CMS through version 5.1.4 allows an authenticated user with Editor permissions to cause a...

6.5CVSS5.2AI score0.00445EPSS
Exploits1References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/27 10:19 p.m.7 views

Zebra node crash — V5 transaction hash panic (P2P reachable)

--- Remote Denial of Service via Crafted V5 Transactions Summary A vulnerability in Zebra's transaction processing logic allows a remote, unauthenticated attacker to cause a Zebra node to panic crash. This is triggered by sending a specially crafted V5 transaction that passes initial...

9.2CVSS6AI score0.00725EPSS
Exploits0References5Affected Software2
Github Security Blog
Github Security Blog
added 2026/03/27 10:17 p.m.7 views

Giskard Agents have Server-side template injection via ChatWorkflow.chat() using non-sandboxed Jinja2 Environment

Summary ChatWorkflow.chatmessage passes its string argument directly as a Jinja2 template source to a non-sandboxed Environment. A developer who passes user input to this method enables full remote code execution via Jinja2 class traversal. The method name chat and parameter name message naturall...

8.8CVSS6.5AI score0.00611EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/27 8:43 p.m.123 views

AWS SDK for Java 2.0: Improper Handling of Special Characters in CloudFront Signing Utilities

Summary This notification is related to the CloudFront signing utilities in the AWS SDK for Java v2, which are used to generate Amazon CloudFront signed URLs and signed cookies. A defense-in-depth enhancement has been implemented to improve handling of special characters, such as double quotes an...

5.8AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/27 8:41 p.m.21 views

DOMPurify is vulnerable to mutation-XSS via Re-Contextualization

Description A mutation-XSS mXSS condition was confirmed when sanitized HTML is reinserted into a new parsing context using innerHTML and special wrappers. The vulnerable wrappers confirmed in browser behavior are script, xmp, iframe, noembed, noframes, and noscript. The payload remains seemingly...

6.2AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/27 8:35 p.m.18 views

Traefik Vulnerable to BasicAuth/DigestAuth Identity Spoofing via Non-Canonical headerField

Summary There is a potential vulnerability in Traefik's Basic and Digest authentication middlewares when headerField is configured with a non-canonical HTTP header name. An authenticated attacker with valid credentials can inject the canonical version of the configured header to impersonate any...

8.8CVSS5.9AI score0.00469EPSS
Exploits1References6Affected Software2
Github Security Blog
Github Security Blog
added 2026/03/27 8:35 p.m.10 views

Home Assistant has stored XSS in history-graphs

Summary The "remaining charge time"-sensor for mobile phones imported/included from Android Auto it appears is vulnerable to the same issue as CVE-2025-62172. This also indicates that any sensor showing their name in the history-graph, is likely to be vulnerable to this issue. Details Another...

8.8CVSS6AI score0.00202EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/27 8:33 p.m.22 views

Home Assistant has stored XSS in Map-card through malicious device name

Summary An authenticated party can add a malicious name to their device entity, allowing for Cross-Site Scripting attacks against anyone who can see a dashboard with a Map-card which includes that entity. It requires that the victim hovers over an information point The lines or the dots...

8.8CVSS5.9AI score0.00241EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/27 8:28 p.m.12 views

Flannel has cross-node remote code execution via extension backend BackendData injection

Background The Flannel project includes an experimental Extension backend that allows users to easily prototype new backend types. This backend uses shell commands stored in Kubernetes annotations to configure network connectivity on the node. Note: consumers are only affected by this vulnerabili...

8.8CVSS6.2AI score0.02709EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/27 8:24 p.m.12 views

A Fleet team maintainer can transfer hosts from any team via missing source team authorization

Summary A broken access control vulnerability in Fleet's host transfer API allows a team maintainer to transfer hosts from any team into their own team, bypassing team isolation boundaries. Once transferred, the attacker gains full control over the stolen hosts, including the ability to execute...

8.8CVSS6AI score0.00315EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/27 8:4 p.m.22 views

path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters

Impact A bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a period .. For example, /:a-:b-:c or /:a-:b-:c-:d. The backtrack protection added in [email protected] only prevents ambiguity for two parameter...

7.5CVSS5.9AI score0.00496EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/27 7:58 p.m.14 views

Clerk: SSRF in the opt-in clerkFrontendApiProxy feature may leak secret keys to unintended host

Summary The clerkFrontendApiProxy function in @clerk/backend is vulnerable to Server-Side Request Forgery SSRF. An unauthenticated attacker can craft a request path that causes the proxy to send the application's Clerk-Secret-Key to an attacker-controlled server. Affected packages Only applicatio...

7.4CVSS6AI score0.00309EPSS
Exploits0References3Affected Software4
Github Security Blog
Github Security Blog
added 2026/03/27 7:56 p.m.24 views

cryptography has incomplete DNS name constraint enforcement on peer names

Summary In versions of cryptography prior to 46.0.5, DNS name constraints were only validated against SANs within child certificates, and not the "peer name" presented during each validation. Consequently, cryptography would allow a peer named bar.example.com to validate against a wildcard leaf...

6.3CVSS5.9AI score0.00154EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/27 7:54 p.m.111 views

AWS SDK for PHP has CloudFront Policy Document Injection via Special Characters

Summary This notification is related to the CloudFront signing utilities in the AWS SDK for PHP, which are used to generate Amazon CloudFront signed URLs and signed cookies. A defense-in-depth enhancement has been implemented to improve handling of special characters, such as double quotes and...

5.8AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/27 7:45 p.m.10 views

LangChain Core has Path Traversal vulnerabilites in legacy `load_prompt` functions

Summary Multiple functions in langchaincore.prompts.loading read files from paths embedded in deserialized config dicts without validating against directory traversal or absolute path injection. When an application passes user-influenced prompt configurations to loadprompt or loadpromptfromconfig...

7.5CVSS6AI score0.01176EPSS
Exploits2References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/27 7:43 p.m.9 views

Ruby LSP has arbitrary code execution through branch setting

Summary The rubyLsp.branch VS Code workspace setting was interpolated without sanitization into a generated Gemfile, allowing arbitrary Ruby code execution when a user opens a project containing a malicious .vscode/settings.json. Other editors that support workspace setting that get automatically...

9.8CVSS6.3AI score0.00479EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/27 7:36 p.m.9 views

Langflow: Authenticated Users Can Read, Modify, and Delete Any Flow via Missing Ownership Check

Vulnerability IDOR in GET/PATCH/DELETE /api/v1/flow/flowid The readflow helper in src/backend/base/langflow/api/v1/flows.py branched on the AUTOLOGIN setting to decide whether to filter by userid. When AUTOLOGIN was False i.e., authentication was enabled, neither branch enforced an ownership chec...

8.8CVSS5.9AI score0.00406EPSS
Exploits0References4Affected Software2
Github Security Blog
Github Security Blog
added 2026/03/27 7:35 p.m.11 views

act: actions/cache server allows malicious cache injection

act's built-in actions/cache server listens to connections on all interfaces and allows anyone who can connect to it — including someone anywhere on the internet — to create caches with arbitrary keys and retrieve all existing caches. If one can predict which cache keys will be used by local...

8.2CVSS6.5AI score0.00459EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/27 7:17 p.m.36 views

act: Unrestricted set-env and add-path command processing enables environment injection

Summary act unconditionally processes the deprecated ::set-env:: and ::add-path:: workflow commands, which GitHub Actions disabled in October 2020 CVE-2020-15228, GHSA-mfwh-5m23-j46w due to environment injection risks. When a workflow step echoes untrusted data to stdout, an attacker can inject...

9.8CVSS6.5AI score0.00619EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/27 7:13 p.m.9 views

@mobilenext/mobile-mcp alllows arbitrary file write via Path Traversal in mobile screen capture tools

Summary The @mobilenext/mobile-mcp server contains a Path Traversal vulnerability in the mobilesavescreenshot and mobilestartscreenrecording tools. The saveTo and output parameters were passed directly to filesystem operations without validation, allowing an attacker to write files outside the...

8.1CVSS5.9AI score0.00489EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/27 7:11 p.m.14 views

Changedetection.io Discloses Environment Variables via jq env Builtin in Include Filters

Summary The jq: and jqraw: include filter expressions allow use of the jq env builtin, which reads all process environment variables and stores them as the watch snapshot. An authenticated user or unauthenticated user when no password is set, the default can leak sensitive environment variables...

8.3CVSS5.9AI score0.00475EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/27 7:8 p.m.14 views

Azure Data Explorer MCP Server: KQL Injection in multiple tools allows MCP client to execute arbitrary Kusto queries

Summary adx-mcp-server ListDictstr, Any: client = getkustoclient query = f"tablename | getschema" ListDictstr, Any: client = getkustoclient query = f"tablename | sample samplesize" ListDictstr, Any: client = getkustoclient query = f".show table tablename details" -- KQL injection resultset =...

8.3CVSS6.1AI score0.00396EPSS
Exploits3References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/27 6:36 p.m.13 views

MCP Ruby SDK: Insufficient Session Binding Allows SSE Stream Hijacking via Session ID Replay

Summary The Ruby SDK's streamablehttptransport.rb implementation contains a session hijacking vulnerability. An attacker who obtains a valid session ID can completely hijack the victim's Server-Sent Events SSE stream and intercept all real-time data. Details Root Cause The StreamableHTTPTransport...

8.2CVSS5.9AI score0.00465EPSS
Exploits1References11Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/27 6:33 p.m.9 views

Saloon has insecure deserialization in AccessTokenAuthenticator

Impact Users of the OAuth2 utilities in Saloon, specifically the AccessTokenAuthenticator class. Patches Upgrade to Saloon v4+ Upgrade guide: https://docs.saloon.dev/upgrade/upgrading-from-v3-to-v4 Description The Saloon PHP library used PHP's unserialize in AccessTokenAuthenticator::unserialize ...

9.8CVSS6.5AI score0.00622EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/27 6:31 p.m.8 views

Hugging Face Smolagents has an Injection issue

A weakness has been identified in huggingface smolagents 1.25.0.dev0. This affects the function evaluateaugassign/evaluatecall/evaluatewith of the file src/smolagents/localpythonexecutor.py of the component Incomplete Fix CVE-2025-9959. This manipulation causes code injection. It is possible to...

10CVSS6.3AI score0.00575EPSS
Exploits1References9Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/27 6:31 p.m.7 views

Undertow is Vulnerable to HTTP Request/Response Smuggling

A flaw was found in Undertow. When Undertow receives an HTTP request where the first header line starts with one or more spaces, it incorrectly processes the request by stripping these leading spaces. This behavior, which violates HTTP standards, can be exploited by a remote attacker to perform...

9.1CVSS5.9AI score0.00677EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/27 6:31 p.m.9 views

MLFlow allows Tracing + Assessments Access

In the latest version of mlflow/mlflow, when the basic-auth app is enabled, tracing and assessment endpoints are not protected by permission validators. This allows any authenticated user, including those with NOPERMISSIONS on the experiment, to read trace information and create assessments for...

8.1CVSS7.1AI score0.00331EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/27 6:31 p.m.6 views

Undertow is Vulnerable to HTTP Request/Response Smuggling

A flaw was found in Undertow. A remote attacker can exploit this vulnerability by sending \r\r\r as a header block terminator. This can be used for request smuggling with certain proxy servers, such as older versions of Apache Traffic Server and Google Cloud Classic Application Load Balancer,...

9.1CVSS5.8AI score0.00706EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/27 6:31 p.m.7 views

Undertow is Vulnerable to HTTP Request/Response Smuggling

A flaw was found in Undertow. This vulnerability allows a remote attacker to construct specially crafted requests where header names are parsed differently by Undertow compared to upstream proxies. This discrepancy in header interpretation can be exploited to launch request smuggling attacks,...

9.1CVSS5.9AI score0.00704EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/27 6:22 p.m.13 views

Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options

Summary The Handlebars CLI precompiler bin/handlebars / lib/precompiler.js concatenates user-controlled strings — template file names and several CLI options — directly into the JavaScript it emits, without any escaping or sanitization. An attacker who can influence template filenames or CLI...

8.2CVSS6AI score0.00291EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/27 6:21 p.m.13 views

Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial

Summary A crafted object placed in the template context can bypass all conditional guards in resolvePartial and cause invokePartial to return undefined. The Handlebars runtime then treats the unresolved partial as a source that needs to be compiled, passing the crafted object to env.compile...

8.1CVSS6AI score0.00703EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/27 6:21 p.m.16 views

Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation

Summary When a Handlebars template contains decorator syntax referencing an unregistered decorator e.g. n, the compiled template calls lookupPropertydecorators, "n", which returns undefined. The runtime then immediately invokes the result as a function, causing an unhandled TypeError: ... is not ...

7.5CVSS6AI score0.00616EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/27 6:20 p.m.17 views

Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block

Summary The @partial-block special variable is stored in the template data context and is reachable and mutable from within a template via helpers that accept arbitrary objects. When a helper overwrites @partial-block with a crafted Handlebars AST, a subsequent invocation of @partial-block compil...

8.1CVSS6.2AI score0.00709EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/27 6:19 p.m.36 views

Handlebars.js has JavaScript Injection via AST Type Confusion

Summary Handlebars.compile accepts a pre-parsed AST object in addition to a template string. The value field of a NumberLiteral AST node is emitted directly into the generated JavaScript without quoting or sanitization. An attacker who can supply a crafted AST to compile can therefore inject and...

9.8CVSS6.2AI score0.0178EPSS
Exploits2References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/27 6:18 p.m.37 views

Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects

Impact What kind of vulnerability is it? It is a Denial of Service DoS vulnerability caused by CPU exhaustion. When serializing a specially crafted "array-like" object an object that inherits from Array.prototype but has a very large length property, the process enters an intensive loop that...

7.5CVSS5.8AI score0.00472EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/27 6:17 p.m.18 views

Fleet's unbounded request body read allows remote Denial of Service

Summary Fleet contained multiple unauthenticated HTTP endpoints that read request bodies without enforcing a size limit. An unauthenticated attacker could exploit this behavior by sending large or repeated HTTP payloads, causing excessive memory allocation and resulting in a denial-of-service DoS...

8.7CVSS5.9AI score0.00434EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/27 6:17 p.m.13 views

Fleet: Password reset tokens remain valid after password change for 24 hours

Summary A vulnerability in Fleet’s password management logic could allow previously issued password reset tokens to remain valid after a user changes their password. As a result, a stale password reset token could be reused to reset the account password even after a defensive password change...

8.8CVSS5.9AI score0.00335EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/27 6:8 p.m.11 views

n8n has XSS in its Credential Management Flow

Impact An authenticated user with permission to create and share credentials could craft a malicious OAuth2 credential containing a JavaScript URL in the Authorization URL field. If a victim opened the credential and interacted with the OAuth authorization button, the injected script would execut...

5.8AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/27 6:6 p.m.14 views

n8n has XSS in Chat Trigger Node through Custom CSS

Impact An authenticated user with permission to create or modify workflows could inject malicious JavaScript into the Custom CSS field of the Chat Trigger node. Due to a misconfiguration in the sanitize-html library, the sanitization could be bypassed, resulting in stored XSS on the public chat...

5.8AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/27 6:6 p.m.30 views

n8n: Authenticated XSS and Open Redirect via Form Node

Impact An authenticated user with permission to create or modify workflows could configure a Form Node with an unsanitized HTML description field or exploit an overly permissive iframe sandbox policy to perform stored cross-site scripting or redirect end users visiting the form to an arbitrary...

5.8AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/27 6:5 p.m.15 views

n8n has a Stored XSS Vulnerability in its Form Trigger

Impact An authenticated user with permission to create or modify workflows could exploit a flaw in the Form Trigger node's CSS sanitization to store a cross-site scripting XSS payload. The injected script executes persistently for every visitor of the published form, enabling form submission...

5.4CVSS5.9AI score0.00144EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/27 6:4 p.m.11 views

Dolibarr Core Discloses Sensitive Data via Authenticated Local File Inclusion in selectobject.php

Authenticated Local File Inclusion LFI via selectobject.php leading to sensitive data disclosure Target Dolibarr Core Tested on version 22.0.4 Summary A Local File Inclusion LFI vulnerability has been discovered in the core AJAX endpoint /core/ajax/selectobject.php. By manipulating the objectdesc...

6.5CVSS5.9AI score0.00419EPSS
Exploits2References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/27 6:0 p.m.30 views

pyLoad: Server-Side Request Forgery via Download Link Submission Enables Cloud Metadata Exfiltration

Summary PyLoad's download engine accepts arbitrary URLs without validation, enabling Server-Side Request Forgery SSRF attacks. An authenticated attacker can exploit this to access internal network services and exfiltrate cloud provider metadata. On DigitalOcean droplets, this exposes sensitive...

9.3CVSS6.1AI score0.00397EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/27 5:58 p.m.7 views

Locutus Prototype Pollution due to incomplete fix for CVE-2026-25521

Summary A prototype pollution vulnerability exists in the parsestr function of the npm package locutus. An attacker can pollute Object.prototype by overriding RegExp.prototype.test and then passing a crafted query string to parsestr, bypassing the prototype pollution guard. This vulnerability ste...

9.8CVSS6.2AI score0.00559EPSS
Exploits2References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/27 5:57 p.m.10 views

Locutus has Prototype Pollution via __proto__ Key Injection in unserialize()

Summary The unserialize function in locutus/php/var/unserialize assigns deserialized keys to plain objects via bracket notation without filtering the proto key. When a PHP serialized payload contains proto as an array or object key, JavaScript's proto setter is invoked, replacing the deserialized...

9.8CVSS6AI score0.00583EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/27 5:56 p.m.10 views

Express XSS Sanitizer: allowedTags/allowedAttributes bypass leads to permissive sanitization (XSS risk)

Description A vulnerability has been identified in express-xss-sanitizer , , , etc. and attributes e.g., href on . This behavior violates the expected API contract and may lead to security issues such as content injection or XSS, depending on how the sanitized output is used. Impact Developers...

8.2CVSS5.8AI score0.00382EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/27 5:49 p.m.10 views

Traefik has Knative Ingress Rule Injection that Allows Host Restriction Bypass

Summary There is a potential vulnerability in Traefik's Kubernetes Knative, Ingress, and Ingress-NGINX providers related to rule injection. User-controlled values are interpolated into backtick-delimited Traefik router rule expressions without escaping or validation. A malicious value containing ...

7.7CVSS5.9AI score0.00463EPSS
Exploits1References6Affected Software2
Total number of security vulnerabilities33187