33190 matches found
fido2-lib is vulnerable to DoS via cbor-extract heap buffer over-read in CBOR attestation parsing
Summary fido2-lib v3.x depends on cbor-x 1.6.0, which optionally pulls in cbor-extract C++ native addon. cbor-extract = 2.2.0 has a heap buffer over-read in extractStrings — a 5-byte CBOR payload crashes Node.js with SIGSEGV. No JS exception, no try/catch, process dead. The crash triggers during...
Trivy ecosystem supply chain was briefly compromised
Summary On March 19, 2026, a threat actor used compromised credentials to publish a malicious Trivy v0.69.4 release, force-push 76 of 77 version tags in aquasecurity/trivy-action to credential-stealing malware, and replace all 7 tags in aquasecurity/setup-trivy with malicious commits. On March 22...
Craft CMS has an authorization bypass which allows any control panel user to move entries without permissions
Summary An authenticated control panel user with only accessCp can move entries across sections via POST /actions/entries/move-to-section, even when they do not have saveEntries:sectionUid permission for either source or destination section. Details Root-cause analysis 1. actionMoveToSection...
Craft CMS' anonymous "assets/image-editor" calls return private asset editor metadata to unauthorized users
Summary A low-privileged authenticated user can call assets/image-editor with the ID of a private asset they cannot view and still receive editor response data, including focalPoint. The endpoint returns private editing metadata without per-asset authorization validation. Root-cause analysis: 1...
Craft CMS may expose private assets through anonymous "generate transform" calls via transform URL
Summary An unauthenticated user can call assets/generate-transform with a private assetId, receive a valid transform URL, and fetch transformed image bytes. The endpoint is anonymous and does not enforce per-asset authorization before returning the transform URL. Details Root cause: - Anonymous...
Craft CMS: Unauthenticated Users Can Perform Restricted Project Config Sync Operations
Summary Guest users can access Config Sync updater index, obtain signed data, and execute state-changing Config Sync actions regenerate-yaml, apply-yaml-changes without authentication. Details ConfigSyncController extends BaseUpdaterController, and the base updater is anonymously accessible for...
Craft CMS: Low-privilege users could read private asset contents when editing an asset (IDOR)
Summary A low-privileged authenticated user can read private asset content by calling assets/edit-image with an arbitrary assetId that they are not authorized to view. The endpoint returns image bytes or a preview redirect without enforcing a per-asset view authorization check, leading to potenti...
Craft CMS is Vulnerable to Authenticated Remote Code Execution via Malicious Attached Behavior
Summary A Remote Code Execution RCE vulnerability exists in Craft CMS 5.x and 4.x that bypasses the security fixes for GHSA-7jx7-3846-m7w7 and GHSA-255j-qw47-wjh5. This vulnerability can be exploited by any authenticated user with control panel access. The existing patches add cleanseConfig to...
Froxlor is vulnerable to BIND zone file injection via unsanitized DNS record content in DomainZones API
Summary The DomainZones.add API endpoint accessible to customers with DNS enabled does not validate the content field for several DNS record types LOC, RP, SSHFP, TLSA. An attacker can inject newlines and BIND zone file directives e.g. $INCLUDE into the zone file that gets written to disk when th...
GoDoxy has a Path Traversal Vulnerability in its File API
Summary The file content API endpoint at /api/v1/file/content is vulnerable to path traversal. The filename query parameter is passed directly to path.Joincommon.ConfigBasePath, filename where ConfigBasePath = "config" a relative path. No sanitization or validation is applied beyond checking that...
Parse Server's Session Update endpoint allows overwriting server-generated session fields
Impact An authenticated user can overwrite server-generated session fields such as expiresAt and createdWith when updating their own session via the REST API. This allows bypassing the server's configured session lifetime policy, making a session effectively permanent. Patches The fix blocks...
Authelia: Improper Neutralization of Input During Web Page Generation Leads to Potential Cross-site Scripting
Impact Official Weighted Severity Rating: Low This exploit is very unlikely to be the case for most users as it requires configuration of the Content Security Policy template value. Below represents a safe value, any other value other than unconfigured should be very carefully evaluated regardles...
sbt: Source dependency feature (via crafted VCS URL) leads to arbitrary code execution on Windows
Summary On Windows, sbt uses Process"cmd", "/c", ... to run VCS commands git, hg, svn. The URI fragment branch, tag, revision is user-controlled via the build definition and passed to these commands without validation. Because cmd /c interprets &, |, and ; as command separators, a malicious...
ConcreteCMS is vulnerable to Denial of Service During Bulk Downloads
ConcreteCMS v9.4.7 contains a Denial of Service DoS vulnerability in the File Manager component. The 'download' method in 'concrete/controllers/backend/file.php' improperly manages memory when creating zip archives. It uses 'ZipArchive::addFromString' combined with 'filegetcontents', which loads...
Apache Artemis: Unauthorized Temporary Address Creation via OpenWire Protocol
Incorrect Authorization CWE-863 vulnerability in Apache Artemis, Apache ActiveMQ Artemis exists when an application using the OpenWire protocol attempts to create a non-durable JMS topic subscription on an address that doesn't exist with an authenticated user which has the "createDurableQueue"...
Undertow: Denial of Service via Multipart/Form-Data Parsing on HTTP GET Requests
A flaw was found in Undertow. A remote attacker could exploit this vulnerability by sending an HTTP GET request containing multipart/form-data content. If the underlying application processes parameters using methods like getParameterMap, the server prematurely parses and stores this content to...
Spring Cloud Config Server: Path Traversal via Profile Parameter Allows Arbitrary File Access
Vulnerability in Spring Cloud when substituting the profile parameter from a request made to the Spring Cloud Config Server configured to the native file system as a backend, because it was possible to access files outside of the configured search directories.This issue affects Spring Cloud: from...
H3 has an Open Redirect via Protocol-Relative Path in redirectBack() Referer Validation
Summary The redirectBack utility in h3 validates that the Referer header shares the same origin as the request before using its pathname as the redirect Location. However, the pathname is not sanitized for protocol-relative paths starting with //. An attacker can craft a same-origin URL with a...
H3: Unbounded Chunked Cookie Count in Session Cleanup Loop may Lead to Denial of Service
Summary The setChunkedCookie and deleteChunkedCookie functions in h3 trust the chunk count parsed from a user-controlled cookie value chunkedN without any upper bound validation. An unauthenticated attacker can send a single request with a crafted cookie header e.g., Cookie: h3=chunked999999 to a...
Roadiz has Server-Side Request Forgery (SSRF) in roadiz/documents
This vulnerability allows an authenticated attacker to read any file on the server's local file system that the web server process has access to, including highly sensitive environment variables, database credentials, and internal configuration files. | Field | Details | | :--- | :--- | |...
Briefcase: Windows MSI Installer Privilege Escalation via Insecure Directory Permissions
Impact If a developer uses Briefcase to produce an Windows MSI installer for a project, and that project is installed for All Users i.e., per-machine scope, the installation process creates an directory that inherits all the permissions of the parent directory. Depending on the location chosen by...
Rails Active Storage has possible glob injection in its DiskService
Impact Active Storage's DiskServicedeleteprefixed passes blob keys directly to Dir.glob without escaping glob metacharacters. If a blob key contains attacker-controlled input or custom-generated keys with glob metacharacters, it may be possible to delete unintended files from the storage director...
Rails Active Storage has possible Path Traversal in DiskService
Impact Active Storage's DiskServicepathfor does not validate that the resolved filesystem path remains within the storage root directory. If a blob key containing path traversal sequences e.g. ../ is used, it could allow reading, writing, or deleting arbitrary files on the server. Blob keys are...
Rails Active Support has a possible DoS vulnerability in its number helpers
Impact Active Support number helpers accept strings containing scientific notation e.g. 1e10000, which when converted to a string could be expanded into extremely large decimal representations. This can cause excessive memory allocation and CPU consumption when the expanded number is formatted,...
Rails Active Storage has a possible DoS vulnerability when in proxy mode via Range requests
Impact When serving files through Active Storage's Blobs::ProxyController, the controller loads the entire requested byte range into memory before sending it. A request with a large or unbounded Range header e.g. bytes=0- could cause the server to allocate memory proportional to the file size,...
Rails Active Storage has possible content type bypass via metadata in direct uploads
Impact Active Storage's DirectUploadsController accepts arbitrary metadata from the client and persists it on the blob. Because internal flags like identified and analyzed are stored in the same metadata hash, a malicious direct-upload client could set these flags. Releases The fixed releases are...
Rails Active Support has a possible XSS vulnerability in SafeBuffer#%
Impact SafeBuffer% does not propagate the @htmlunsafe flag to the newly created buffer. If a SafeBuffer is mutated in place e.g. via gsub! and then formatted with % using untrusted arguments, the result incorrectly reports htmlsafe? == true, bypassing ERB auto-escaping and possibly leading to XSS...
Rails Active Support has a possible ReDoS vulnerability in number_to_delimited
Impact NumberToDelimitedConverter used a regular expression with gsub! to insert thousands delimiters. This could produce quadratic time complexity on long digit strings. Releases The fixed releases are available at the normal locations. Credit This issue was responsibly reported by Hackerone...
Rails has a possible XSS vulnerability in its Action View tag helpers
Impact When a blank string is used as an HTML attribute name in Action View tag helpers, the attribute escaping is bypassed, producing malformed HTML. A carefully crafted attribute value could then be misinterpreted by the browser as a separate attribute name, possibly leading to XSS. Application...
Rails has a possible XSS vulnerability in its Action Pack debug exceptions
Impact The debug exceptions page does not properly escape exception messages. A carefully crafted exception message could inject arbitrary HTML and JavaScript into the page, leading to XSS. This affects applications with detailed exception pages enabled config.considerallrequestslocal = true, whi...
Indico discloses local files resulting in Remote Code Execution through LaTeX injection
!NOTE If server-side LaTeX rendering is not in use ie XELATEXPATH was not set in indico.conf, this vulnerability does not apply. Impact Due to vulnerabilities in TeXLive and obscure LaTeX syntax that allowed circumventing Indico's LaTeX sanitizer, it is possible to use specially-crafted LaTeX...
Connect CMS: Improper Authorization in the My Page Profile Update Feature Allows Modification of Arbitrary User Information
Security Advisory — My Page Profile Update Improper Authorization Summary An improper authorization issue in the My Page profile update feature may allow modification of arbitrary user information. Affected Versions - 1.x series: = 1.41.0 - 2.x series: = 2.41.0 Patched Versions - 1.41.1 - 2.41.1...
Connect CMS: Information Disclosure Due to Improper Authorization through the Page Content Retrieval Feature
Security Advisory — Page Content Retrieval Improper Authorization Summary An improper authorization issue in the page content retrieval feature may allow retrieval of non-public information. Affected Versions - 1.x series: = 1.41.0 - 2.x series: = 2.41.0 Patched Versions - 1.41.1 - 2.41.1...
Connect CMS has SSRF in the External Page Migration Feature of its Page Management Plugin
Security Advisory — Page Management Plugin SSRF Summary A Server-Side Request Forgery SSRF issue exists in the external page migration feature of the Page Management Plugin. Affected Versions - 1.x series: = 1.41.0 - 2.x series: = 2.41.0 Patched Versions - 1.41.1 - 2.41.1 Description In the...
Connect CMS has Stored Cross-site Scripting (XSS) in the File Field of its Form Plugin
Security Advisory — Form Plugin Stored XSS Summary A Stored Cross-site Scripting XSS issue exists in the file field of the Form Plugin. Affected Versions - 1.x series: = 1.41.0 - 2.x series: = 2.41.0 Patched Versions - 1.41.1 - 2.41.1 Description In the file field of the Form Plugin, Stored...
Connect-CMS has DOM-based Cross-Site Scripting (XSS) in the Cabinet Plugin List View
Security Advisory — Cabinet Plugin DOM-based XSS Summary A DOM-based Cross-Site Scripting XSS issue exists in the Cabinet Plugin list view. Affected Versions - 1.x series: = 1.35.0, = 2.35.0, = 2.41.0 Patched Versions - 1.41.1 - 2.41.1 Description In the Cabinet Plugin list view, DOM-based...
Connect-CMS has Arbitrary Code Execution by an Authenticated User in its Code Study Plugin
Security Advisory — Code Study Plugin Summary An authenticated user may be able to execute arbitrary code in the Code Study Plugin. Affected Versions - 1.x series: = 1.41.0 - 2.x series: = 2.41.0 Patched Versions - 1.41.1 - 2.41.1 Description In the Code Study Plugin, an authenticated user could...
New API: IDOR in VideoProxy allows cross-user video content access via missing ownership check
Summary The video proxy endpoint GET /v1/videos/:taskid/content is vulnerable to an Insecure Direct Object Reference IDOR. Any authenticated user who knows another user's taskid can retrieve that user's generated video content because the handler queries tasks by taskid alone and does not verify...
MantisBT is vulnerable to authentication bypass through the SOAP API on MySQL
Mantis Bug Tracker instances running on MySQL and compatible databases are affected by an authentication bypass vulnerability in the SOAP API, as a result of improper type checking on the password parameter. Other database backends are not affected, as they do not perform implicit type conversion...
Sprig Plugin for Craft CMS potentially discloses sensitive information via Sprig Playground
Admin users, and users with explicit permission to access the Sprig Playground, could potentially expose the security key, credentials, and other sensitive configuration data, in addition to running the hashData signing function. This issue was mitigated in versions 3.7.2 and 2.15.2 by disabling...
cbor2 has a Denial of Service via Uncontrolled Recursion in cbor2.loads
Summary - The cbor2 library is vulnerable to a Denial of Service DoS attack caused by uncontrolled recursion when decoding deeply nested CBOR structures. - This vulnerability affects both the pure Python implementation and the C extension cbor2. The C extension correctly uses Python's C-API for...
New API has passkey-based secure step-up verification bypass for root-only channel secret disclosure
Summary A logic flaw in the universal secure verification flow allows an authenticated user with a registered passkey to satisfy secure verification without completing a WebAuthn assertion. Affected versions = v0.10.0 Description The POST /api/verify endpoint supports multiple secure verification...
DigitalOcean Droplet Agent: Command Injection via Metadata Service Endpoint
A command injection vulnerability exists in DigitalOcean Droplet Agent through 1.3.2. The troubleshooting actioner component internal/troubleshooting/actioner/actioner.go processes metadata from the metadata service endpoint and executes commands specified in the TroubleshootingAgent.Requesting...
GitHub expands application security coverage with AI‑powered detections
AI is accelerating software development and expanding the range of languages and frameworks used in modern repositories. Security teams are increasingly responsible for protecting code written across many ecosystems, not just the core enterprise languages traditionally covered by static analysis...
Harbor allows the use of the default password for web UI login
Use of hard coded credentials in GoHarbor Harbor version 2.15.0 and below, allows attackers to use the default password and gain access to the web UI...
HybridAuth Has Improper SSL Certificate Validation in Curl HTTP Client
A vulnerability was found in HybridAuth up to 3.12.2. This issue affects some unknown processing of the file src/HttpClient/Curl.php of the component SSL Handler. The manipulation of the argument curlOptions results in improper certificate validation. The attack can be launched remotely. This...
Keycloak's identity-first login flow exposes user information
A flaw was found in Keycloak. A remote attacker can exploit differential error messages during the identity-first login flow when Organizations are enabled. This vulnerability allows an attacker to determine the existence of users, leading to information disclosure through user enumeration...
esaml XXE vulnerability allows local file disclosure and SSRF via crafted SAML messages
XML External Entity XXE vulnerability in esaml and its forks allows an attacker to cause the system to read local files and incorporate their contents into processed SAML documents, and potentially perform SSRF via crafted SAML messages. esaml parses attacker-controlled SAML messages using...
Keycloak has Improper Access Control that allows attackers with valid credentials to bypass the allowRemoteResourceManagement=false
A flaw was found in Keycloak. An improper Access Control vulnerability in Keycloak’s User-Managed Access UMA resourceset endpoint allows attackers with valid credentials to bypass the allowRemoteResourceManagement=false restriction. This occurs due to incomplete enforcement of access control chec...
jsrsasign: Incomplete Comparison Allows DSA Private Key Recovery via Biased Nonce Generation
Versions of the package jsrsasign from 7.0.0 and before 11.1.1 are vulnerable to Incomplete Comparison with Missing Factors via the getRandomBigIntegerZeroToMax and getRandomBigIntegerMinToMax functions in src/crypto-1.1.js; an attacker can recover the private key by exploiting the incorrect...