33187 matches found
Moby has AuthZ plugin bypass when provided oversized request bodies
Summary A security vulnerability has been detected that allows attackers to bypass authorization plugins AuthZ under specific circumstances. The base likelihood of this being exploited is low. This is an incomplete fix for CVE-2024-41110. Impact If you don't use AuthZ plugins, you are not affecte...
Moby has an Off-by-one error in its plugin privilege validation
Summary A security vulnerability has been detected that allows plugins privilege validation to be bypassed during docker plugin install. Due to an error in the daemon's privilege comparison logic, the daemon may incorrectly accept a privilege set that differs from the one approved by the user...
Incus has an abitrary file write through its systemd-creds options
Summary Incus instances have an option to provide credentials to systemd in the guest. For containers, this is handled through a shared directory. An attacker can use the name of a systemd credential to escape that directory and overwrite arbitrary files on the host system. This can in turn be us...
Local Incus UI web server vulnerable to nuthentication bypass
Summary The web server spawned by incus webui incorrectly validates the authentication token such that an invalid value will be accepted. Details incus webui runs a local web server on a random localhost port. For authentication, it provides the user with a URL containing an authentication token...
Incus vulnerable to arbitrary file read and write through pongo templates
Summary Instance template files can be used to cause arbitrary read or writes as root on the host server. Details Incus allows for pongo2 templates within instances which can be used at various times in the instance lifecycle to template files inside of the instance. This particular implementatio...
Incus vulnerable to denial of source through crafted bucket backup file
Summary A specially crafted storage bucket backup can be used by an user with access to Incus' storage bucket feature to crash the Incus daemon. Repeated use of this attack can be used to keep the server offline causing a denial of service of the control plane API. This does not impact any runnin...
Incus vulnerable to local privilege escalation through VM screenshot path
Summary Incus provides an API to retrieve VM screenshots, that API relies on the use of a temporary file for QEMU to write the screenshot to which is then picked up and sent to the user prior to deletion. As Incus uses predictable paths under /tmp for this, an attacker with local access to the...
Incus does not verify combined fingerprint when downloading images from simplestreams servers
Summary A lack of validation of the image fingerprint when downloading from simplestreams image servers opens the door to image cache poisoning and under very narrow circumstances exposes other tenants to running attacker controlled images rather than the expected one. Details Incus image...
python-ecdsa: Denial of Service via improper DER length validation in crafted private keys
Summary An issue in the low-level DER parsing functions can cause unexpected exceptions to be raised from the public API functions. 1. ecdsa.der.removeoctetstring accepts truncated DER where the encoded length exceeds the available buffer. For example, an OCTET STRING that declares a length of 40...
Postiz has Multiple SSRF Vectors - Webhooks, RSS Feed, URL Loader
Summary Postiz has multiple SSRF vulnerabilities where user-provided URLs are fetched server-side without any IP validation or SSRF protection. Vulnerable Code 1. Webhook Send Endpoint Most Critical apps/backend/src/api/routes/webhooks.controller.ts lines 58-70: typescript async sendWebhook@Body...
Postiz App has a High-Severity SSRF Vulnerability via Next.js
Impact A successful SSRF attack allows an attacker to: - Bypass firewalls to scan and interact with internal network services/ports. - Access sensitive cloud metadata services e.g., AWS IMDS 169.254.169.254 to potentially leak instance credentials. - Pivot into the internal network environment...
TSPortal's Uncontrolled User Creation via Validation Side Effects Leads to Potential Denial of Service
Summary A flaw in TSPortal allowed attackers to create arbitrary user records in the database by abusing validation logic. While validation correctly rejected invalid usernames, a side effect within a validation rule caused user records to be created regardless of whether the request succeeded...
TSPortal: Any user can forge self-deletion requests for any account
Summary Conversion of empty strings to null allows disguising DPA reports as genuine self-deletion reports. Details Creating a DPA report about another user and leaving the evidence field empty causes that report to look like the reported user self-requested deletion of their data. Ingenuine repo...
Open WebUI's Insecure Direct Object Reference (IDOR) allows access to other users' memories
Summary Any authenticated user can read other users' private memories via /api/v1/retrieval/query/collection Details Vulnerability 1: Missing authorization in collection querying In backend/openwebui/routers/retrieval.py, the querycollectionhandler function accepts a list of collectionnames but...
Open WebUI has unauthorized deletion of knowledge files
Summary An access control check is missing when deleting a file from a knowledge base. The only check being done is that the user has write access to the knowledge base or is admin, but NOT that the file actually belongs to this knowledge base. It is thus possible to delete arbitrary files from...
Open WebUI's process_files_batch() endpoint missing ownership check, allows unauthorized file overwrite
Summary Any authenticated user can overwrite any file's content by ID through the POST /api/v1/retrieval/process/files/batch endpoint. The endpoint performs no ownership check, so a regular user with read access to a shared knowledge base can obtain file UUIDs via GET /api/v1/knowledge/id/files a...
Grafana public dashboards disclose all direct mode datasources
When using public dashboards and direct data-sources, all direct data-sources' passwords are exposed despite not being used in dashboards. No passwords of proxied data-sources are exposed. We encourage all direct data-sources to be converted to proxied data-sources as far as possible to improve...
Open WebUI vulnerable to Path Traversal in `POST /api/v1/audio/transcriptions`
Summary An unsanitised filename field in the speech-to-text transcription endpoint allows any authenticated non-admin user to trigger a FileNotFoundError whose message — including the server's absolute DATADIR path — is returned verbatim in the HTTP 400 response body, confirming information...
vLLM has Hardcoded Trust Override in Model Files Enables RCE Despite Explicit User Opt-Out
Summary Two model implementation files hardcode trustremotecode=True when loading sub-components, bypassing the user's explicit --trust-remote-code=False security opt-out. This enables remote code execution via malicious model repositories even when the user has explicitly disabled remote code...
Spring AI Redis Store has TAG Field Query Injection Through Improper Neutralization of Special Characters
In RedisFilterExpressionConverter of spring-ai-redis-store, when a user-controlled string is passed as a filter value for a TAG field, stringValue inserts the value directly into the @field:VALUE RediSearch TAG block without escaping characters. This issue affects Spring AI: from 1.0.0 before...
Spring AI: Insufficient Validation causes SSRF when processing multimodal messages with user-supplied URLs
Spring AI's spring-ai-bedrock-converse contains a Server-Side Request Forgery SSRF vulnerability in BedrockProxyChatModel when processing multimodal messages that include user-supplied media URLs. Insufficient validation of those URLs allows an attacker to induce the server to issue HTTP requests...
Spring AI has a Cypher Injection vulnerability in Neo4jVectorFilterExpressionConverter
Spring AI's spring-ai-neo4j-store contains a Cypher injection vulnerability in Neo4jVectorFilterExpressionConverter. When a user-controlled string is passed as a filter expression key in Neo4jVectorFilterExpressionConverter of spring-ai-neo4j-store, doKey embeds the key into a backtick-delimited...
Spring AI: SpEL injection is triggered when a user-supplied value is used as a filter expression key
In Spring AI, a SpEL injection vulnerability exists in SimpleVectorStore when a user-supplied value is used as a filter expression key. A malicious actor could exploit this to execute arbitrary code. Only applications that use SimpleVectorStore and pass user-supplied input as a filter expression...
Grafana Tempo has Inadequate Encryption Strength
A vulnerability in Grafana Tempo exposes the S3 SSE-C encryption key in plaintext through the /status/config endpoint, potentially allowing unauthorized users to obtain the key used to encrypt trace data stored in S3. Grafana thanks williamgoodfellow for reporting this vulnerability...
C2C CI utils is vulnerable to DoS via pyasn dependency (CVE-2026-30922)
Pin vulnerable version of pyasn, see: See: https://github.com/advisories/GHSA-jr27-m4p2-rc6r...
Nodemailer has SMTP command injection due to unsanitized `envelope.size` parameter
Summary When a custom envelope object is passed to sendMail with a size property containing CRLF characters \r\n, the value is concatenated directly into the SMTP MAIL FROM command without sanitization. This allows injection of arbitrary SMTP commands, including RCPT TO — silently adding...
Harbor: LDAP password and OIDC secret are not redacted in the audit log
Impact Harbor write configuration payload to audit log when configuration change, the ldapsearchpassword and oidcclientsecret will be logged in the audit log without redacted Patches Harbor v2.15.0, v2.14.3, v2.13.5 Workarounds Disable audit log configure event in Harbor Web Console: Go to...
Happy DOM ECMAScriptModuleCompiler: unsanitized export names are interpolated as executable code
Summary A code injection vulnerability in ECMAScriptModuleCompiler allows an attacker to achieve Remote Code Execution RCE by injecting arbitrary JavaScript expressions inside export declarations in ES module scripts processed by happy-dom. The compiler directly interpolates unsanitized content...
Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection
Summary resolvePartial in the Handlebars runtime resolves partial names via a plain property lookup on options.partials without guarding against prototype-chain traversal. When Object.prototype has been polluted with a string value whose key matches a partial reference in a template, the polluted...
Loofah has improper detection of disallowed URIs via `allowed_uri?`
Summary Loofah::HTML5::Scrub.alloweduri? does not correctly reject javascript: URIs when the scheme is split by HTML entity-encoded control characters such as carriage return, line feed, or tab. Details The alloweduri? method strips literal control characters before decoding HTML entities. Payloa...
Ella Core Panics during NAS Authentication Response/Failure with missing IEs
Summary Ella Core panics when processing Authentication Response and Authentication Failure NAS message missing IEs. Impact An attacker able to send crafted NAS messages to Ella Core can crash the process, causing service disruption for all connected subscribers. No authentication is required. Fi...
Ella Core has Privilege Escalation via Database Restore by NetworkManager role
Summary The NetworkManager role was granted backup and restore permission. The restore endpoint accepted any valid SQLite file without verifying its contents. Impact A NetworkManager could replace the production database with a tampered copy to escalate to Admin, gaining access to user management...
Ella Core has a Denial of Service via SCTP connection cleanup deadlock
Summary A deadlock in the AMF's SCTP notification handler causes the entire AMF control plane to hang until the process is restarted. Impact An attacker with access to the N2 interface can cause Ella Core to hang, resulting in a denial of service for all subscribers. Fix Add deferred Radio cleanu...
Ella Core panics when processing a crafted NGAP LocationReport message
Summary Ella Core panics when processing a specially crafted NGAP LocationReport message. Impact An attacker able to send crafted NGAP messages to Ella Core can crash the process, causing service disruption for all connected subscribers. Fix Add guards in NGAP Location Report handler...
ImageMagick: META reader memory leak in the APP1JPEG input path
ImageMagick contains a memory leak in the META reader when processing the APP1JPEG input path...
ImageMagick has possible memory leak in ASHLAR coder when action fails
The ASHLAR coder leaks a temporary image when an action fails and that could result to an out of memory...
Apollo Router Core: Browser Bug Enables Bypass of XS-Search Prevention via Read-Only Cross-Site Request Forgery
Impact In a Cross-Site Request Forgery attack, untrusted web content causes browsers to send authenticated requests to web servers which use cookies for authentication. While the web content is prevented from reading the request's response due to the Cross-Origin Request Sharing CORS protocol, th...
Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation)
Summary pki.verifyCertificateChain does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the basicConstraints and keyUsage extensions. This allows any leaf certificate without these extensions to act as a CA and sign other certificates, which node-for...
Forge has signature forgery in Ed25519 due to missing S > L check
Summary Ed25519 signature verification accepts forged non-canonical signatures where the scalar S is not reduced modulo the group order S = L. A valid signature and its S + L variant both verify in forge, while Node.js crypto.verify OpenSSL-backed rejects the S + L variant, as defined by the...
Forge has signature forgery in RSA-PKCS due to ASN.1 extra field
Summary RSASSA PKCS1 v1.5 signature verification accepts forged signatures for low public exponent keys e=3. Attackers can forge signatures by stuffing “garbage” bytes within the ASN structure in order to construct a signature that passes verification, enabling Bleichenbacher style forgery. This...
Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input
Summary A Denial of Service DoS vulnerability exists in the node-forge library due to an infinite loop in the BigInteger.modInverse function inherited from the bundled jsbn library. When modInverse is called with a zero value as input, the internal Extended Euclidean Algorithm enters an unreachab...
Apollo Server: Browser bug allows for bypass of XS-Search (read-only Cross-Site Request Forgery) prevention
Impact In a Cross-Site Request Forgery attack, untrusted web content causes browsers to send authenticated requests to web servers which use cookies for authentication. While the web content is prevented from reading the request's response due to the Cross-Origin Request Sharing CORS protocol, an...
OpenClaw: Symlink Traversal via IDENTITY.md appendFile in agents.create/update (Incomplete Fix for CVE-2026-32013)
Summary The patch for CVE-2026-32013 introduced symlink resolution and workspace boundary enforcement for agents.files.get and agents.files.set. However, two other handlers in the same file agents.create and agents.update still use raw fs.appendFile on the IDENTITY.md file without any symlink...
OpenClaw: Image Tool `tools.fs.workspaceOnly` Bypass via Sandbox Bridge Mounts
Summary The image tool did not fully honor the tools.fs.workspaceOnly filesystem boundary. In affected releases, image-path resolution could still traverse sandbox bridge mounts outside the workspace and read files from mounted directories that the other file tools would reject. Affected Packages...
OpenClaw's Conflicting Tool Identity Hints Bypass Dangerous-Tool Prompting
Summary ACP permission resolution trusted conflicting tool identity hints from rawInput and metadata, which could suppress dangerous-tool prompting. Affected Packages / Versions - Package: openclaw npm - Affected: = 2026.3.22 - Latest released tag checked: v2026.3.23-2...
OpenClaw Bypasses DM Policy Separation via Synology Chat Webhook Path Collision
Summary Synology Chat multi-account configuration could collapse onto a shared webhook path, replacing route ownership and bypassing per-account DM policy separation. Affected Packages / Versions - Package: openclaw npm - Affected: = 2026.3.22 - Latest released tag checked: v2026.3.23-2...
OpenClaw leaf subagents can bypass controlScope restrictions to send messages to child sessions
Summary Leaf subagents could still use the send action to message controlled child sessions even when their controlScope was narrower than children. Affected Packages / Versions - Package: openclaw npm - Affected: = 2026.3.22 - Latest released tag checked: v2026.3.23-2...
OpenClaw: Forwarding header spoofing bypasses gateway.trustedProxies origin detection
Summary When gateway.trustedProxies was configured, spoofed loopback hops in forwarding headers could be accepted as the client origin and weaken downstream auth and rate-limit decisions. Affected Packages / Versions - Package: openclaw npm - Affected: = 2026.3.22 - Latest released tag checked:...
OpenClaw Gateway: RCE and Privilege Escalation from operator.pairing to operator.admin via device.pair.approve
Summary device.pair.approve allowed an operator.pairing approver to approve a pending device request for broader operator scopes than the approver actually held. Affected Packages / Versions - Package: openclaw npm - Affected: = 2026.3.22 - Latest released tag checked: v2026.3.23-2...
OpenClaw: Google Chat app-url webhook auth accepted non-deployment add-on principals
Summary Google Chat app-url webhook verification accepted add-on principals outside the intended deployment binding. Affected Packages / Versions - Package: openclaw npm - Affected: = 2026.3.22 - Latest released tag checked: v2026.3.23-2 630f1479c44f78484dfa21bb407cbe6f171dac87 - Latest published...