Lucene search
K
GithubRecent

33187 matches found

Github Security Blog
Github Security Blog
added 2026/03/26 6:26 p.m.13 views

BuildKit's Malicious frontend can cause file escape outside of storage root

Impact When using a custom BuildKit frontend, the frontend can craft an API message that causes files to be written outside of the BuildKit state directory for the execution context. Patches The issue has been fixed in v0.28.1+ Workarounds Issue requires using an untrusted BuildKit frontend set...

9.8CVSS5.9AI score0.00498EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 6:23 p.m.5 views

elixir-nodejs has Cross-User Data Leakage or Information Disclosure due to Worker Protocol Race Condition

Impact This vulnerability results in Cross-User Data Leakage or Information Disclosure due to a race condition in the worker protocol. The lack of request-response correlation creates a "stale response" vulnerability. Because the worker does not verify which request a response belongs to, it may...

7.1CVSS6AI score0.00315EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 6:16 p.m.10 views

AVideo has Plaintext Video Password Storage

Summary AVideo allows content owners to password-protect individual videos. The video password is stored in the database in plaintext — no hashing, salting, or encryption is applied. If an attacker gains read access to the database via SQL injection, a database backup, or misconfigured access...

9.1CVSS5.9AI score0.00152EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 6:15 p.m.7 views

AVideo has SQL Injection in category.php fixCleanTitle() via Unparameterized clean_title and id Variables

Summary The fixCleanTitle static method in objects/category.php constructs a SQL SELECT query by directly interpolating both $cleantitle and $id into the query string without using prepared statements or parameterized queries. An attacker who can trigger category creation or renaming with a craft...

9.8CVSS6AI score0.00492EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 6:12 p.m.7 views

AVideo has SQL Injection via Partial Prepared Statement — videos_id Concatenated Directly into Query

Summary In objects/like.php, the getLike method constructs a SQL query using a prepared statement placeholder ? for usersid but directly concatenates $this-videosid into the query string without parameterization. An attacker who can control the videosid value via a crafted request can inject...

8.8CVSS6AI score0.00509EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 6:10 p.m.6 views

AVideo has SSRF Protection Bypass via HTTP Redirect in Image Download Endpoints

Summary isSSRFSafeURL validates URLs against private/reserved IP ranges before fetching, but urlgetcontents follows HTTP redirects without re-validating the redirect target. An attacker can bypass SSRF protection by redirecting from a public URL to an internal target. Root Cause Check-time:...

6.5CVSS5.8AI score0.00233EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 6:8 p.m.6 views

AVideo: IDOR in AI Plugin Allows Stealing Other Users' AI-Generated Metadata and Transcriptions

Summary The AI plugin's save.json.php endpoint loads AI response objects using an attacker-controlled $REQUEST'id' parameter without validating that the AI response belongs to the specified video. An authenticated user with AI permissions can reference any AI response ID — including those generat...

4.3CVSS5.8AI score0.00214EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 6:7 p.m.6 views

AVideo has an Unauthenticated Video Password Brute-Force Vulnerability via Unrate-Limited Boolean Oracle

Summary The getapivideopasswordiscorrect API endpoint allows any unauthenticated user to verify whether a given password is correct for any password-protected video. The endpoint returns a boolean passwordIsCorrect field with no rate limiting, CAPTCHA, or authentication requirement, enabling...

5.3CVSS5.8AI score0.0032EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 6:6 p.m.4 views

AVideo: Unauthenticated Access to Scheduler Plugin Endpoints Leaks Scheduled Tasks, Email Content, and User Mappings

Summary Three list.json.php endpoints in the Scheduler plugin lack any authentication check, while every other endpoint in the same plugin directories add.json.php, delete.json.php, index.php requires User::isAdmin. An unauthenticated attacker can retrieve all scheduled tasks including internal...

5.3CVSS6AI score0.00382EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 6:5 p.m.7 views

AVideo: Unauthenticated IDOR in playlistsVideos.json.php Exposes Private Playlist Contents

Summary The objects/playlistsVideos.json.php endpoint returns the full video contents of any playlist by ID without any authentication or authorization check. Private playlists including watchlater and favorite types are correctly hidden from listing endpoints via playlistsFromUser.json.php, but...

5.3CVSS5.9AI score0.00295EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 6:4 p.m.8 views

LibreNMS is Vulnerable to Remote Code Execution by Arbitrary File Write

Summary A vulnerability has been identified that allows an authenticated administrator to execute arbitrary code on the host server. By modifying the binary path settings for built-in network tools and bypassing an input filter, an attacker with administrative privileges can download and execute...

8.5CVSS6.3AI score0.07533EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 6:0 p.m.6 views

libcrux has an Incorrect Check of Signer Response Norm During Verification

The ML-DSA verification algorithm as specified in FIPS 204, subsection 6.3 requires verifiers to check that the infinity norm of the deserialized signer response $z$ does not exceed $\gamma1 - \beta$ line 13 of Algorithm 8. The same check is required to be performed during signature generation...

5.8AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 6:0 p.m.8 views

libcrux Panics During Standalone MAC Operations

An incorrect constant for the key length in libcrux-poly1305 caused the standalone MAC function libcruxpoly1305::mac to always panic with an out-of-bounds memory access. Impact Applications wishing to use libcrux-poly1305 as a standalone MAC would experience panics. The use of libcrux-poly1305 in...

5.8AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 5:59 p.m.7 views

libcrux-sha3: Incorrect output from SHAKE squeeze functions

The incremental squeeze functions in the portable SHAKE XOF API, when attempting to squeeze more than RATE 168 for SHAKE128, 136 for SHAKE256 bytes, performed an additional permutation of the state before producing the first output block, thus discarding the first block of RATE bytes of valid XOF...

5.8AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 5:58 p.m.5 views

libcrux has All-Zero Key Generation Upon Catastrophic RNG Failure

The libcrux-ed25519 key generation samples Ed25519 secret keys from a provided CSPRNG in a loop for up to 100 attempts until a non-zero key is found. If a non-zero key could not be sampled within 100 attempts the key generation function would silently continue with an all-zero buffer as the secre...

5.9AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 5:58 p.m.6 views

libcrux: Panic in Signature Hint Decoding During Verification

During ML-DSA verification the serialized hint values are decoded as specified in algorithm 22 HintBitUnpack of FIPS 204, subsection 7.1. The algorithm requires that the cumulative hint counters per row of the hint vector are strictly increasing and below a maximum value which depends on the choi...

5.8AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 5:22 p.m.6 views

splunk-otel-javaagent: Unsafe deserialization in RMI instrumentation may lead to Remote Code Execution

In versions prior to 2.26.1, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. An attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. Al...

6.6AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 5:21 p.m.6 views

OpenFGA has an Authorization Bypass through cached keys

Description In OpenFGA, under specific conditions, models using conditions with caching enabled can result in two different check requests producing the same cache key. This can result in OpenFGA reusing an earlier cached result for a different request. Am I Affected? Users are affected if the...

9.8CVSS5.8AI score0.00241EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 5:17 p.m.6 views

ImageMagick has an Out-of-Bounds write of a zero byte in its X11 display interaction

An out-of-bounds write of a zero byte exists in the X11 display interaction path that could lead to a crash...

5.5CVSS5.8AI score0.00141EPSS
Exploits0References3Affected Software18
Github Security Blog
Github Security Blog
added 2026/03/26 5:12 p.m.7 views

Craft CMS: Authorized asset "preview file" requests bypass allows users without asset access to retrieve private preview metadata

Summary An authenticated low-privileged user can call assets/preview-file for an asset they are not authorized to view and still receive preview response data previewHtml for that private asset. The returned preview HTML included a private preview image route containing the target private assetId...

5.8AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 4:56 p.m.6 views

Vikunja: Unauthenticated Instance-Wide Data Breach via Link Share Hash Disclosure Chained with Cross-Project Attachment IDOR

Summary Two independently-exploitable authorization flaws in Vikunja can be chained to allow an unauthenticated attacker to download and delete every file attachment across all projects in a Vikunja instance. The ReadAll endpoint for link shares exposes share hashes including admin-level shares t...

5.9AI score
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 4:52 p.m.7 views

srvx is vulnerable to middleware bypass via absolute URI in request line

Summary A pathname parsing discrepancy in srvx's FastURL allows middleware bypass on the Node.js adapter when a raw HTTP request uses an absolute URI with a non-standard scheme e.g. file://. Details When Node.js receives an absolute URI in the request line e.g. GET file://hehe?/internal/run...

6.5CVSS5.8AI score0.00246EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 4:48 p.m.6 views

Cilium L7 proxy may bypass Kubernetes NetworkPolicy for same-node traffic

Impact Ingress Network Policies are not enforced for traffic from pods to L7 Services Envoy, GAMMA with a local backend on the same node, when Per-Endpoint Routing is enabled and BPF Host Routing is disabled. Per-Endpoint Routing is disabled by default, but is automatically enabled in deployments...

5.4CVSS5.7AI score0.00244EPSS
Exploits0References8Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 4:45 p.m.6 views

dd-trace-java: Unsafe deserialization in RMI instrumentation may lead to remote code execution

In versions of dd-trace-java prior to 1.60.3, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK version 16 and earlier, an attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this ...

9.8CVSS6.5AI score0.00622EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 4:41 p.m.7 views

n8n has SQL Injection in Data Table Node via orderByColumn Expression

Impact An authenticated user with permission to create or modify workflows could exploit a SQL injection vulnerability in the Data Table Get node. On default SQLite DB, single statements can be manipulated and the attack surface is practically limited. On PostgreSQL deployments, multi-statement...

8.8CVSS6AI score0.00423EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 4:41 p.m.8 views

n8n: Prototype Pollution in XML and GSuiteAdmin node parameters lead to RCE

Impact An authenticated user with permission to create or modify workflows could exploit a prototype pollution vulnerability in the GSuiteAdmin node. By supplying a crafted parameter as part of node configuration, an attacker could write attacker-controlled values onto Object.prototype. An attack...

9.4CVSS6.5AI score0.00765EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 4:0 p.m.15 views

A year of open source vulnerability trends: CVEs, advisories, and malware

GitHub published 4,101 reviewed advisories in 2025. This is the fewest number of reviewed advisories since 2021. Does this mean open source is shipping more secure code? Let's dig into the data to find out. GitHub reviewed advisories Fewer advisories reviewed doesn't mean fewer vulnerabilities we...

5.6AI score
Exploits0
Github Security Blog
Github Security Blog
added 2026/03/26 12:30 p.m.6 views

Mattermost has an Incorrect Authorization issue

Mattermost versions 11.2.x = 11.2.2, 10.11.x = 10.11.10, 11.4.x = 11.4.0, 11.3.x = 11.3.1 fail to restrict team-level access when processing membership sync from a remote cluster, which allows a malicious remote cluster to grant a user access to an entire private team instead of only the shared...

5.4CVSS5.9AI score0.00141EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 9:30 a.m.5 views

Keycloak Server-Side Request Forgery via OIDC token endpoint manipulation

A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery SSRF by manipulating the clientsessionhost parameter during refresh token requests. This occurs when a Keycloak client is configured to use the backchannel.logout.url with the application.session.host...

3.1CVSS5.9AI score0.00295EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/26 7:32 a.m.11 views

BentoML has Dockerfile Command Injection via system_packages in bentofile.yaml

Summary The docker.systempackages field in bentofile.yaml accepts arbitrary strings that are interpolated directly into Dockerfile RUN commands without sanitization. Since systempackages is semantically a list of OS package names data, users do not expect values to be interpreted as shell command...

7.8CVSS6.6AI score0.00257EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/25 10:6 p.m.16 views

n8n's Source Control SSH Configuration Uses StrictHostKeyChecking=no

Impact When the Source Control feature is configured to use SSH, the SSH command used for git operations explicitly disabled host key verification. A network attacker positioned between the n8n instance and the remote Git server could intercept the connection and present a fraudulent host key,...

7.4CVSS5.8AI score0.00288EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/25 10:5 p.m.6 views

n8n Has External Secrets Authorization Bypass in Credential Saving

Impact An authenticated user without permission to list external secrets could reference a secret by the external name in a credential and retrieve its plaintext value when saving the credential. This bypassed the externalSecret:list permission check and allowed access to secrets stored in...

7.3CVSS5.8AI score0.0026EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/25 10:0 p.m.7 views

Saloon has a Fixture Name Path Traversal Vulnerability

Impact Users with MockResponse fixtures that use path traversal. Patches Upgrade to Saloon v4+ Upgrade guide: https://docs.saloon.dev/upgrade/upgrading-from-v3-to-v4 Description Fixture names were used to build file paths under the configured fixture directory without validation. A name containin...

9.3CVSS5.8AI score0.00566EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/25 10:0 p.m.9 views

Saloon is vulnerable to SSRF and credential leakage via absolute URL in endpoint overriding base URL

Impact Users providing user generated input into the resolveEndpoint method on requests. Patches Upgrade to Saloon v4+ Upgrade guide: https://docs.saloon.dev/upgrade/upgrading-from-v3-to-v4 Description When building the request URL, Saloon combined the connector's base URL with the request...

8.7CVSS5.9AI score0.0042EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/25 9:57 p.m.5 views

n8n Has Authorization Bypass in OAuth Callback via N8N_SKIP_AUTH_ON_OAUTH_CALLBACK

Impact When the N8NSKIPAUTHONOAUTHCALLBACK environment variable is set to true, the OAuth callback handler skips ownership verification of the OAuth state parameter. This allows an attacker to trick a victim into completing an OAuth flow against a credential object the attacker controls, causing...

6.3CVSS5.8AI score0.0018EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/25 9:56 p.m.9 views

AVideo is Vulnerable to SQL Injection through Subscribe Endpoint via Unsanitized user_id Parameter

Summary The Subscribe::save method in objects/subscribe.php concatenates the $this-usersid property directly into an INSERT SQL query without sanitization or parameterized binding. This property originates from $POST'userid' in both subscribe.json.php and subscribeNotify.json.php. An authenticate...

7.1CVSS6.1AI score0.00224EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/25 9:55 p.m.7 views

AVideo: Unauthenticated CDN Configuration Takeover via Empty Default Key Bypass and Mass-Assignment

Summary The CDN plugin endpoints plugin/CDN/status.json.php and plugin/CDN/disable.json.php use key-based authentication with an empty string default key. When the CDN plugin is enabled but the key has not been configured the default state, the key validation check is completely bypassed, allowin...

8.6CVSS6AI score0.00356EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/25 9:54 p.m.8 views

OpenHands is Vulnerable to Command Injection through its Git Diff Handler

Summary A Command Injection vulnerability exists in the getgitdiff method at openhands/runtime/utils/githandler.py:134. The path parameter from the /api/conversations/conversationid/git/diff API endpoint is passed unsanitized to a shell command, allowing authenticated attackers to execute arbitra...

9.9CVSS6.2AI score0.01892EPSS
Exploits1References8Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/25 9:30 p.m.9 views

Go Images vulnerable to an out-of-memory error via a crafted TIFF file

A maliciously crafted TIFF file can cause image decoding to attempt to allocate up 4GiB of memory, causing either excessive resource consumption or an out-of-memory error...

5.3CVSS5.8AI score0.00328EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/25 9:30 p.m.9 views

Signify allows a remote attacker to escalate privileges via the signed_data.py and the context.py components

An issue in ralphje Signify before v.0.9.2 allows a remote attacker to escalate privileges via the signeddata.py and the context.py components...

8.8CVSS5.9AI score0.00343EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/25 9:30 p.m.9 views

pf4j is vulnerable to Path Traversal or Zip Slip attack through improper handling of zip entry names

pf4j before 20c2f80 has a path traversal vulnerability in the extract function of Unzip.java, where improper handling of zip entry names can allow directory traversal or Zip Slip attacks, due to a lack of proper path normalization and validation...

7.5CVSS5.9AI score0.00856EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/25 9:28 p.m.8 views

AVideo: Remote Code Execution via PHP Temp File in Encoder downloadURL

Summary The downloadVideoFromDownloadURL function in objects/aVideoEncoder.json.php saves remote content to a web-accessible temporary directory using the original URL's filename and extension including .php. By providing an invalid resolution parameter, an attacker triggers an early die via...

8.8CVSS6.7AI score0.00395EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/25 9:28 p.m.14 views

AVideo Allows Unauthenticated Live Stream Control via Token Verification URL Override in control.json.php

Summary The standalone live stream control endpoint at plugin/Live/standAloneFiles/control.json.php accepts a user-supplied streamerURL parameter that overrides where the server sends token verification requests. An attacker can redirect token verification to a server they control that always...

9.4CVSS6AI score0.00437EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/25 9:27 p.m.9 views

OpenTelemetry: Unsafe Deserialization in RMI Instrumentation may Lead to Remote Code Execution

In versions prior to 2.26.1, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. An attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. Al...

9.8CVSS6.6AI score0.00933EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/25 9:21 p.m.6 views

Vikunja has a Link Share Delete IDOR — Missing Project Ownership Check Allows Cross-Project Link Share Deletion

Summary The DELETE /api/v1/projects/:project/shares/:share endpoint does not verify that the link share belongs to the project specified in the URL. An attacker with admin access to any project can delete link shares from other projects by providing their own project ID combined with the target...

6.9CVSS5.8AI score0.00205EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/25 9:20 p.m.5 views

Unauthenticated SSRF Vulnerability in Streamlit on Windows (NTLM Credential Exposure)

Streamlit Open Source Security Advisory 1. Impacted Products Streamlit Open Source versions prior to 1.54.0 running on Windows hosts. 2. Introduction Snowflake Streamlit Open Source addressed a security vulnerability affecting Windows deployments related to improper handling and validation of...

4.8CVSS5.8AI score0.00282EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/25 9:18 p.m.7 views

Vikjuna: Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation

Summary The LinkSharing.ReadAll method allows link share authenticated users to list all link shares for a project, including their secret hashes. While LinkSharing.CanRead correctly blocks link share users from reading individual shares via ReadOne, the ReadAllWeb handler bypasses this check by...

7.5CVSS5.9AI score0.00398EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/25 9:17 p.m.5 views

Vikjuna Bypasses Webhook SSRF Protections During OpenID Connect Avatar Download

Summary The DownloadImage function in pkg/utils/avatar.go uses a bare http.Client with no SSRF protection when downloading user avatar images from the OpenID Connect picture claim URL. An attacker who controls their OIDC profile picture URL can force the Vikunja server to make HTTP GET requests t...

7.4CVSS5.9AI score0.00395EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/25 9:17 p.m.4 views

Vikjuna: IDOR in Task Attachment ReadOne Allows Cross-Project File Access and Deletion

Summary TaskAttachment.ReadOne queries attachments by ID only WHERE id = ?, ignoring the task ID from the URL path. The permission check in CanRead validates access to the task specified in the URL, but ReadOne loads a different attachment that may belong to a task in another project. This allows...

8.1CVSS5.9AI score0.00265EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/25 9:17 p.m.7 views

Vikjuna: Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API

Summary The GET /api/v1/projects/:project/webhooks endpoint returns webhook BasicAuth credentials basicauthuser and basicauthpassword in plaintext to any user with read access to the project. While the existing code correctly masks the HMAC secret field, the BasicAuth fields added in a later...

6.5CVSS5.9AI score0.00297EPSS
Exploits1References4Affected Software1
Total number of security vulnerabilities33187