Lucene search
K
GithubRecent

33122 matches found

Github Security Blog
Github Security Blog
added 2026/06/26 6:31 p.m.8 views

Incus has an arbitrary file read+write on host via rootfs/ symlink in malicious image

Summary A specially crafted image can be used to read or create/write arbitrary files on the host; possibly leading to arbitrary command execution. Details Incus validates an image as soon as it sees a normal metadata.yaml and a rootfs/ entry, but full extraction can later process a duplicate...

6AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 5:51 p.m.6 views

ImageMagick has Null Pointer Dereference caused by the distort operation when passing incorrect arguments

When passing incorrect arguments in the distort operation a null pointer deference will occur...

4.3CVSS5.8AI score0.00187EPSS
Exploits0References4Affected Software17
Github Security Blog
Github Security Blog
added 2026/06/26 5:33 p.m.11 views

OpenAM Account Takeover via Unverified Password Change in OAuth2 Module

Summary Description An Unverified Password Change CWE-620 and Use of Weak Credentials CWE-1391 issue in OpenAM's OAuth2 authentication module silently rewrites a local user's password to the literal string of their username on OAuth2 re-login of an existing account. The default ldapService chain...

5.8AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 5:32 p.m.7 views

OpenAM Authentication Bypass via MSISDN LDAP Injection

Summary Description An LDAP Injection CWE-90 vulnerability in the MSISDN authentication module allows an unauthenticated, remote attacker to obtain an arbitrary OpenAM session without a password in the default trusted gateway configuration. This impacts OpenAM Community Edition through version...

6AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 5:22 p.m.8 views

fluent-plugin-opentelemetry Has Denial of Service (DoS) via Large Payloads and Decompression Bombs in `in_opentelemetry`

The fluent-plugin-opentelemetry plugin specifically the inopentelemetry HTTP input lacked strict size limits on incoming requests. It was discovered that the plugin read the entire request body and decompressed payloads into memory without enforcing maximum size thresholds. If the OpenTelemetry...

5.8AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 5:2 p.m.8 views

fluent-plugin-s3 Vulnerable to Denial of Service (DoS) via Decompression Bomb in `in_s3`

The fluent-plugin-s3 plugin specifically the ins3 input plugin supports reading and decompressing heavily compressed files such as gzip, lzma2, and lzop from Amazon S3. It was discovered that the plugin read the entire decompressed payload into memory at once without enforcing a strict size limit...

5.8AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 4:36 p.m.22 views

Fluentd is Vulnerable to Server-Side Request Forgery (SSRF) via Placeholder Expansion in `out_http`

The outhttp output plugin allows the use of placeholders such as $tag in the endpoint configuration parameter. It was discovered that if the placeholder value is derived from untrusted user input, an attacker can maliciously control the destination hostname of the outbound HTTP requests made by...

7.2CVSS6AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 4:35 p.m.5 views

Fluentd is Vulnerable to Denial of Service (DoS) via Gzip Decompression Bomb in `in_http` and `in_forward`

Fluentd's inhttp and inforward plugins support receiving gzip-compressed data. While Fluentd correctly enforces size limits on the incoming compressed payloads e.g., via bodysizelimit or chunksizelimit, it was discovered that there is no limit enforced on the size of the decompressed data. If a...

7.5CVSS5.8AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 4:32 p.m.6 views

Fluentd is Vulnerable to Exposure of Sensitive Information via Monitor Agent API

Fluentd's Monitor Agent plugin inmonitoragent exposes internal metrics and plugin information via a REST API. It was discovered that the API response /api/plugins.json and related endpoints unintentionally includes internal instance variables of loaded plugins. If any plugins store sensitive...

7.5CVSS5.8AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 4:32 p.m.9 views

Fluentd is Vulnerable to Remote Code Execution (RCE) via Arbitrary File Write in `${tag}` Placeholder

Fluentd allows dynamically constructing file paths using the $tag placeholder. It was discovered that validation for this placeholder was insufficient. If a Fluentd instance is configured to receive logs from untrusted sources and uses the $tag placeholder in file configurations such as the path...

9.8CVSS6.1AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 4:21 p.m.8 views

ImageMagick has a Use-After-Free when allocation in CheckPrimitiveExtent fails

When an allocation fails in CheckPrimitiveExtent this can result in a heap-use-after-free and result in a crash...

5.9CVSS5.8AI score0.00227EPSS
Exploits0References4Affected Software17
Github Security Blog
Github Security Blog
added 2026/06/25 10:23 p.m.15 views

golang.org/x/crypto: Invoking VerifiedPublicKeyCallback permissions skip enforcement

Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped...

10CVSS6.8AI score0.03153EPSS
Exploits2References20Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/25 10:22 p.m.8 views

golang.org/x/crypto vulnerable to auth bypass via unenforced @revoked status

Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @revoked...

9.1CVSS6AI score0.00469EPSS
Exploits0References15Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/25 10:21 p.m.8 views

golang.org/x/crypto vulnerable to infinite loop on large channel writes

When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation...

9.1CVSS6AI score0.00466EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/25 10:21 p.m.8 views

golang.org/x/crypto: FIDO/U2F security key physical presence check can be bypassed

The Verify method for FIDO/U2F security key types [email protected], [email protected] did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior,...

9.1CVSS6AI score0.00373EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/25 10:18 p.m.8 views

golang.org/x/crypto: Invoking pathological RSA/DSA parameters may cause DoS

The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public...

7.5CVSS6.4AI score0.004EPSS
Exploits0References19Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/25 10:18 p.m.10 views

golang.org/x/crypto: Invoking client can cause server deadlock on unexpected responses

A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close, resulting in a resource leak per connection. Unsolicited global responses are now discarded...

9.1CVSS6AI score0.00513EPSS
Exploits0References17Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/25 10:15 p.m.7 views

golang.org/x/crypto: Invoking memory leak when rejecting channels can lead to DoS

An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state and released for...

6.5CVSS6AI score0.00196EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/25 10:15 p.m.8 views

golang.org/x/crypto is vulnerable to invoking server panic during CheckHostKey/Authenticate flow

SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil...

7.5CVSS6AI score0.00369EPSS
Exploits0References16Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/25 10:14 p.m.8 views

golang.org/x/crypto vulnerable to invoking bypass of certificate restrictions

When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError...

8.8CVSS6AI score0.00303EPSS
Exploits0References17Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/25 10:14 p.m.8 views

golang.org/x/crypto: Invoking byte arithmetic causes underflow and panic

An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs...

7.5CVSS6AI score0.00359EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/25 10:14 p.m.8 views

golang.org/x/crypto doesn't drop invoking agent constraints when forwarding keys

When adding a key to a remote agent constraint extensions such as [email protected] were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all...

9.1CVSS6AI score0.00346EPSS
Exploits0References14Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/25 10:13 p.m.7 views

golang.org/x/crypto doesn't enforce invoking key constraints

The in-memory keyring returned by NewKeyring silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring now returns an error when...

9.1CVSS6AI score0.0036EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/25 10:12 p.m.8 views

golang.org/x/crypto: Invoking pathological inputs can lead to client panic

For certain crafted inputs, a 'ed25519.PrivateKey' was created by casting malformed wire bytes, leading to a panic when used...

5.3CVSS6AI score0.00313EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/25 10:7 p.m.9 views

Lemur: ACME SSRF + creator-equality IDOR lead to AWS IAM/PKI compromise

Lemur 1.9.0: any SSO-authenticated user achieves AWS IAM compromise and permanent PKI key access via ACME acmeurl SSRF and creator-equality IDOR Vulnerability Summary Field | Value -- | -- Title | Lemur 1.9.0: any SSO-authenticated user achieves AWS IAM compromise and permanent PKI key access via...

6.1AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/25 10:5 p.m.8 views

Lemur: JWT verifier honors attacker-supplied alg, enabling ATO

Lemur 1.9.0: JWT verifier trusts attacker-supplied alg from token header — defense-in-depth gap; chain-dependent ATO with secret disclosure Vulnerability Summary Field | Value -- | -- Title | Lemur 1.9.0: JWT verifier trusts attacker-supplied alg from token header — defense-in-depth gap;...

6AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/25 10:2 p.m.7 views

Lemur user-update path stores plaintext passwords

Summary lemur.users.service.update writes a user's new password as plaintext to the users.password column. The User model wires bcrypt hashing to SQLAlchemy's beforeinsert event but registers no equivalent listener for beforeupdate, and service.update does not call user.hashpassword after assigni...

5.8AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/25 10:1 p.m.7 views

Lemur Privilege Escalation: Non-admin role members can rewrite role membership via PUT /api/1/roles/<id>

Summary The PUT /api/1/roles/ handler in lemur/roles/views.py gates only on RoleMemberPermissionroleid.can, which is satisfied for any user who is already a member of the target role. The handler then passes data"users" and data"name" directly to service.update, permitting any role member to...

6.1AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/25 9:58 p.m.9 views

Lemur: Crafted CRL/OCSP URLs in uploaded certificates lead to post-authentication SSRF

Summary When verifying an uploaded certificate, lemur/certificates/verify.py extracts the CRL Distribution Point URL and the OCSP responder URL directly from the certificate's extensions and issues outbound requests to those URLs without scheme restriction or destination allow-listing. An...

6AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/25 9:54 p.m.7 views

ImageMagick has out-of-bounds write in ICON decoder due to incorrect loop

An incorrect loop in the ICON decoder can result in an out of bounds heap write resulting in a crash...

7.5CVSS5.8AI score0.00353EPSS
Exploits0References3Affected Software17
Github Security Blog
Github Security Blog
added 2026/06/25 9:54 p.m.9 views

ImageMagick: Policy Bypass can Trigger an Out-of-Memory condition

A missing check for maximum memory request in AcquireAlignedMemory could trigger an out-of-Memory condition. Credit Aisle Research Ze Sheng, Dmitrijs Trizna, Luigino Camastra, Guido Vranken...

7.5CVSS5.8AI score0.00346EPSS
Exploits0References4Affected Software17
Github Security Blog
Github Security Blog
added 2026/06/25 9:53 p.m.8 views

ImageMagick: Policy Bypass can read disallowed files via symlink

An incorrect parsing of the filename can result in a policy bypass and read files disallowed by a security policy using a symlink...

5.5CVSS5.8AI score0.00128EPSS
Exploits0References3Affected Software17
Github Security Blog
Github Security Blog
added 2026/06/25 9:52 p.m.7 views

ImageMagick: Policy Bypass in DCM decoder could result in image with invalid dimensions

A missing check in the DCM decoder could result in an image with invalid dimensions and that could cause crashes in other operations...

7.5CVSS5.8AI score0.00346EPSS
Exploits0References4Affected Software17
Github Security Blog
Github Security Blog
added 2026/06/25 9:50 p.m.8 views

ImageMagick has a Heap Buffer Over-Write in MAT decoder on 32-bit systems

A missing check of a return value could lead to a heap buffer over-write in the MAT decoder on 32-bit systems...

5.9CVSS6AI score0.00227EPSS
Exploits0References4Affected Software17
Github Security Blog
Github Security Blog
added 2026/06/25 9:49 p.m.7 views

ImageMagick Vulnerable to Stack Overflow in its MVG Decoder

A crafted MVG file could result in a stack overflow due to a missing depth or visited-set check...

5.5CVSS5.9AI score0.00107EPSS
Exploits0References4Affected Software17
Github Security Blog
Github Security Blog
added 2026/06/25 9:48 p.m.8 views

ImageMagick has an Infinite Loop in subimage-search with crafted image

An infinite loop in the subimage-search operation can happen when using a crafted image...

4.7CVSS5.8AI score0.00092EPSS
Exploits0References4Affected Software17
Github Security Blog
Github Security Blog
added 2026/06/25 9:46 p.m.10 views

ImageMagick has a Heap Buffer Underwrite in the Floyd-Steinberg depth dithering method

When using an image with mask the Floyd-Steinberg dithering method will cause a negative heap buffer over-write...

5.5CVSS6AI score0.00103EPSS
Exploits0References4Affected Software17
Github Security Blog
Github Security Blog
added 2026/06/25 9:45 p.m.8 views

nextflow auth login command has incorrect default permissions

Impact nextflow auth login persists Seqera Platform OIDC tokens to $NXFHOME:-/.nextflow/seqera-auth.config. The file is created via Java NIO without specifying file permissions, so under the default umask 022 it lands at mode 0644 world-readable. On a multi-user POSIX host — typically an HPC logi...

5.9AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/25 9:33 p.m.9 views

Rekor has an OOM Condition due to Unbounded gzip Decompression in Alpine APK Parsing Logic

Description The Package.Unmarshal function in pkg/types/alpine/apk.go decompresses the signature and control gzip members of an APK file into in-memory buffers without bounding the total decompressed size. The existing maxapkmetadatasize check default 1MB is only applied to individual tar entry...

5.9AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/25 9:32 p.m.8 views

GitHub MCP Server: Lockdown mode singleton in HTTP server causes cross-user GraphQL client confusion

Summary When running in HTTP mode with --lockdown-mode enabled, the RepoAccessCache is implemented as a process-global singleton initialized with the first authenticated user's GraphQL client. All subsequent requests from different users share this singleton and their lockdown-related GraphQL...

6CVSS5.9AI score0.00205EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/25 9:31 p.m.8 views

MessagePack-CSharp: Typeless deserialization type restrictions do not recurse into arrays or generic arguments

Summary MessagePack-CSharp's typeless deserialization includes MessagePackSerializerOptions.ThrowIfDeserializingTypeIsDisallowedType as a safety check for dangerous types. The default implementation checks the outer type name, but it does not recursively inspect array element types or generic typ...

7.5CVSS5.9AI score0.00246EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/25 9:29 p.m.7 views

MessagePack-CSharp: InterfaceLookupFormatter bypasses collision-resistant comparer settings

Summary InterfaceLookupFormatter constructs an internal Dictionary with the default equality comparer instead of the security-aware comparer supplied by options.Security.GetEqualityComparer. Other hash-based collection formatters use the security-aware comparer when...

7.5CVSS5.8AI score0.00231EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/25 9:26 p.m.9 views

MessagePack-CSharp: Multi-dimensional array formatters allocate from unchecked dimensions

Summary MessagePack-CSharp's multi-dimensional array formatters read dimension lengths directly from the payload and allocate T,, T,,, or T,,, before validating that the dimension product matches the encoded element count. The formatter reads a guarded element array header, but allocation of the...

7.5CVSS5.9AI score0.00231EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/25 9:25 p.m.9 views

MessagePack-CSharp: Unity unsafe blit formatter allocates from unbounded byte length

Summary UnsafeBlitFormatterBase.Deserialize reads an attacker-controlled byteLength from an extension payload and allocates an array based on that value before validating it against the extension header length or remaining payload bytes. The outer extension header is bounded by available input, b...

7.5CVSS5.9AI score0.00231EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/25 9:22 p.m.7 views

MessagePack-CSharp: DynamicUnionResolver-generated deserializers miss depth enforcement

Summary Runtime-generated union deserializers emitted by DynamicUnionResolver do not call MessagePackSecurity.DepthStepref reader and do not decrement reader.Depth around recursive deserialization and skip paths. This means union deserialization does not consistently participate in the maximum...

7.5CVSS5.8AI score0.00231EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/25 7:51 p.m.7 views

MessagePack-CSharp: JSON conversion APIs can recurse without consistent depth enforcement

Summary MessagePack-CSharp's JSON conversion helpers contain multiple recursion paths that do not consistently enforce a depth limit. These paths are in the JSON conversion component rather than normal typed MessagePack deserialization. Three related issues are covered by this advisory: 1...

7.5CVSS5.9AI score0.00231EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/25 7:36 p.m.8 views

MessagePack-CSharp: ExpandoObject formatter can perform quadratic insertion work on untrusted maps

Summary ExpandoObjectFormatter.Deserialize populates System.Dynamic.ExpandoObject by calling IDictionary.Add for each map entry. ExpandoObject internally maintains member names in array-like structures, so inserting many distinct keys can require repeated linear scans and array copies. For large...

7.5CVSS5.8AI score0.00231EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/25 6:53 p.m.8 views

MessagePack-CSharp: LZ4 decompression allocates from unbounded declared output lengths

Summary When MessagePack-CSharp decompresses Lz4Block or Lz4BlockArray payloads, it reads declared uncompressed lengths from the wire and allocates output buffers based on those lengths before validating that the compressed data is valid or that the declared expansion is reasonable. A small paylo...

7.5CVSS5.9AI score0.00236EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/25 6:52 p.m.7 views

MessagePack-CSharp: ASP.NET Core MessagePackInputFormatter defaults to TrustedData for HTTP request bodies

Summary The parameterless MessagePackInputFormatter constructor uses default serializer options, which resolve to MessagePackSerializerOptions.Standard with MessagePackSecurity.TrustedData. The formatter is designed for ASP.NET Core MVC request bodies, which commonly cross an HTTP trust boundary...

9.1CVSS5.6AI score0.00236EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/25 6:48 p.m.8 views

Lemur has an authorization bypass in StrictRolePermission / AuthorityCreatorPermission

Summary StrictRolePermission and AuthorityCreatorPermission in lemur/auth/permissions.py call flaskprincipal.Permission.init with zero Needs when their config flags are unset. Both flags defaulted to False in code prior to the fix, so this was the state of any Lemur install that hadn't explicitly...

6.1AI score0.00035EPSS
Exploits0References2Affected Software1
Total number of security vulnerabilities33122