Lucene search
K
GithubRecent

33190 matches found

Github Security Blog
Github Security Blog
added 2026/03/20 8:50 p.m.5 views

h3: SSE Event Injection via Unsanitized Carriage Return (`\r`) in EventStream Data and Comment Fields (Bypass of CVE Fix)

Summary The EventStream class in h3 fails to sanitize carriage return \r characters in data and comment fields. Per the SSE specification, \r is a valid line terminator, so browsers interpret injected \r as line breaks. This allows an attacker to inject arbitrary SSE events, spoof event types, an...

6AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 8:50 p.m.6 views

h3: Missing Path Segment Boundary Check in `mount()` Causes Middleware Execution on Unrelated Prefix-Matching Routes

Summary The mount method in h3 uses a simple startsWith check to determine whether incoming requests fall under a mounted sub-application's path prefix. Because this check does not verify a path segment boundary i.e., that the next character after the base is / or end-of-string, middleware...

5.3CVSS6AI score0.00239EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 8:50 p.m.7 views

h3: Double Decoding in `serveStatic` Bypasses `resolveDotSegments` Path Traversal Protection via `%252e%252e`

Summary The serveStatic utility in h3 applies a redundant decodeURI call to the request pathname after H3Event has already performed percent-decoding with %25 preservation. This double decoding converts %252e%252e into %2e%2e, which bypasses resolveDotSegments since it checks for literal...

6AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 8:49 p.m.9 views

AVideo has a Path Traversal in import.json.php Allows Private Video Theft and Arbitrary File Read/Deletion via fileURI Parameter

Summary The objects/import.json.php endpoint accepts a user-controlled fileURI POST parameter with only a regex check that the value ends in .mp4. Unlike objects/listFiles.json.php, which was hardened with a realpath + directory prefix check to restrict paths to the videos/ directory,...

8.1CVSS6AI score0.00335EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 8:49 p.m.7 views

AVideo has Session Fixation via GET PHPSESSID Parameter With Disabled Login Session Regeneration

Summary AVideo's sessionstart function accepts arbitrary session IDs via the PHPSESSID GET parameter and sets them as the active PHP session. A session regeneration bypass exists for specific blacklisted endpoints when the request originates from the same domain. Combined with the explicitly...

7.3CVSS6AI score0.00296EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 8:49 p.m.8 views

AVideo has a PGP 2FA Bypass via Cryptographically Broken 512-bit RSA Key Generation in LoginControl Plugin

Summary The createKeys function in the LoginControl plugin's PGP 2FA system generates 512-bit RSA keys, which have been publicly factorable since 1999. An attacker who obtains a target user's public key can factor the 512-bit RSA modulus on commodity hardware in hours, derive the complete private...

8.1CVSS5.9AI score0.00251EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 8:48 p.m.6 views

Kysely has a MySQL SQL Injection via Insufficient Backslash Escaping in `sql.lit(string)` usage or similar methods that append string literal values into the compiled SQL strings

Summary Kysely's DefaultQueryCompiler.sanitizeStringLiteral only escapes single quotes by doubling them ' → '' but does not escape backslashes. When used with the MySQL dialect where NOBACKSLASHESCAPES is OFF by default, an attacker can use a backslash to escape the trailing quote of a string...

8.1CVSS6.1AI score0.00419EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 8:48 p.m.7 views

Kysely has a MySQL SQL Injection via Backslash Escape Bypass in non-type-safe usage of JSON path keys.

Summary The sanitizeStringLiteral method in Kysely's query compiler escapes single quotes ' → '' but does not escape backslashes. On MySQL with the default BACKSLASHESCAPES SQL mode, an attacker can inject a backslash before a single quote to neutralize the escaping, breaking out of the JSON path...

8.1CVSS6.1AI score0.00442EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 8:48 p.m.12 views

etcd: Authorization bypasses in multiple APIs

Impact What kind of vulnerability is it? Who is impacted? Multiple vulnerabilities allow unauthorized users to bypass authentication or authorization checks and call certain etcd functions in clusters that expose the gRPC API to untrusted or partially trusted clients. In unpatched etcd clusters...

8.8CVSS5.8AI score0.00249EPSS
Exploits0References3Affected Software2
Github Security Blog
Github Security Blog
added 2026/03/20 8:47 p.m.12 views

MinIO LDAP login brute-force via user enumeration and missing rate limit

Impact What kind of vulnerability is it? Who is impacted? MinIO AIStor's STS Security Token Service AssumeRoleWithLDAPIdentity endpoint is vulnerable to LDAP credential brute-forcing due to two combined weaknesses: 1 distinguishable error responses that enable username enumeration, and 2 absence ...

9.1CVSS5.8AI score0.00394EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 8:47 p.m.5 views

AVideo has an Unauthenticated Blind SQL Injection in RTMP on_publish Callback via Stream Name Parameter

Summary The RTMP onpublish callback at plugin/Live/onpublish.php is accessible without authentication. The $POST'name' parameter stream key is interpolated directly into SQL queries in two locations — LiveTransmitionHistory::getLatest and LiveTransmition::keyExists — without parameterized binding...

7.5CVSS6AI score0.00468EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 8:47 p.m.12 views

langflow has Unauthenticated IDOR on Image Downloads

Summary The /api/v1/files/images/flowid/filename endpoint serves image files without any authentication or ownership check. Any unauthenticated request with a known flowid and filename returns the image with HTTP 200. Details src/backend/base/langflow/api/v1/files.py:138-164 — downloadimage takes...

7.5CVSS5.8AI score0.05838EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 8:46 p.m.8 views

AVideo Affected by Unauthenticated Disk Space Exhaustion via Unlimited Temp File Creation in aVideoEncoderChunk.json.php

Summary The aVideoEncoderChunk.json.php endpoint is a completely standalone PHP script with no authentication, no framework includes, and no resource limits. An unauthenticated remote attacker can send arbitrary POST data which is written to persistent temp files in /tmp/ with no size cap, no rat...

7.5CVSS6.1AI score0.00605EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 8:46 p.m.7 views

AVideo has an OS Command Injection via $() Shell Substitution Bypass in sanitizeFFmpegCommand()

Summary The sanitizeFFmpegCommand function in plugin/API/standAlone/functions.php is designed to prevent OS command injection in ffmpeg commands by stripping dangerous shell metacharacters &&, ;, |, , . However, it fails to strip $ bash command substitution syntax. Since the sanitized command is...

8.1CVSS6.1AI score0.02061EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 8:46 p.m.11 views

Syft improper temporary file cleanup

Impact Syft versions before v1.42.3 would not properly cleanup temporary storage if the temporary storage was exhausted during a scan. When scanning archives Syft will unpack those archives into temporary storage then inspect the unpacked contents. Under normal operation Syft will remove the...

5.3CVSS5.8AI score0.00408EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 8:45 p.m.7 views

Parse Server has a protected field change detection oracle via LiveQuery watch parameter

Impact An attacker can subscribe to LiveQuery with a watch parameter targeting a protected field. Although the protected field value is properly stripped from event payloads, the presence or absence of update events reveals whether the protected field changed, creating a binary oracle. For boolea...

6.3CVSS5.8AI score0.00316EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 8:45 p.m.10 views

PDFME has SSRF via Unvalidated URL Fetch in `getB64BasePdf` When `basePdf` Is Attacker-Controlled

Summary The getB64BasePdf function in @pdfme/common fetches arbitrary URLs via fetch without any validation when basePdf is a non-data-URI string and window is defined. An attacker who can control the basePdf field of a template e.g., through a web application that accepts user-supplied templates...

6AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 8:45 p.m.9 views

PDFME has XSS via Unsanitized i18n Label Injection into innerHTML in multiVariableText propPanel

Summary The multiVariableText property panel in @pdfme/schemas constructs HTML via string concatenation and assigns it to innerHTML using unsanitized i18n label values. An attacker who can control label overrides passed through options.labels can inject arbitrary JavaScript that executes in the...

5.9AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 8:44 p.m.8 views

PDFME Affected by Decompression Bomb in FlateDecode Stream Parsing Causes Memory Exhaustion DoS

Summary The DecodeStream.ensureBuffer method in @pdfme/pdf-lib doubles its internal buffer without any upper bound on the decompressed size. A crafted PDF containing a FlateDecode stream with a high compression ratio decompression bomb causes unbounded memory allocation during stream decoding,...

6AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 8:44 p.m.10 views

Parse Server's LiveQuery bypasses CLP pointer permission enforcement

Impact Parse Server's LiveQuery WebSocket interface does not enforce Class-Level Permission CLP pointer permissions readUserFields and pointerFields. Any authenticated user can subscribe to LiveQuery events and receive real-time updates for all objects in classes protected by pointer permissions,...

7.1CVSS5.8AI score0.00397EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 8:44 p.m.8 views

AVideo has a SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in Unauthenticated LiveLinks Proxy

Summary The isSSRFSafeURL function in AVideo can be bypassed using IPv4-mapped IPv6 addresses ::ffff:x.x.x.x. The unauthenticated plugin/LiveLinks/proxy.php endpoint uses this function to validate URLs before fetching them with curl, but the IPv4-mapped IPv6 prefix passes all checks, allowing an...

8.6CVSS5.8AI score0.0032EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 8:44 p.m.7 views

AVideo has PHP Code Injection via eval() in Gallery saveSort.json.php Exploitable Through CSRF Against Admin

Summary The Gallery plugin's saveSort.json.php endpoint passes unsanitized user input from $REQUEST'sections' array values directly into PHP's eval function. While the endpoint is gated behind User::isAdmin, it has no CSRF token validation. Combined with AVideo's explicit SameSite=None session...

8.8CVSS6.7AI score0.00531EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 8:43 p.m.7 views

AVideo Multi-Chain Attack: Unauthenticated Remote Code Execution via Clone Key Disclosure, Database Dump, and Command Injection

Summary Multiple vulnerabilities in AVideo's CloneSite plugin chain together to allow a completely unauthenticated attacker to achieve remote code execution. The clones.json.php endpoint exposes clone secret keys without authentication, which can be used to trigger a full database dump via...

10CVSS6.6AI score0.13266EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 8:43 p.m.13 views

Siyuan has an Unauthenticated Arbitrary File Read via Path Traversal

Summary The Siyuan kernel exposes an unauthenticated file-serving endpoint under /appearance/filepath. Due to improper path sanitization, attackers can perform directory traversal and read arbitrary files accessible to the server process. Authentication checks explicitly exclude this endpoint,...

7.5CVSS6AI score0.03256EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 8:43 p.m.11 views

Vikunja Affected by DoS via Image Preview Generation

Summary - Vulnerability: Unbounded image decoding and resizing during preview generation lets an attacker exhaust CPU and memory with highly compressed but extremely large-dimension images. - Affected code: - Decoding without bounds: taskattachment.go:GetPreview - Resizing path: resizeImage -...

6.5CVSS5.9AI score0.00318EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 8:43 p.m.9 views

Vikunja has TOTP Reuse During Validity Window

Summary Any user that has enabled 2FA can have their TOTP reused during the standard 30 second validity window. Details The below code is called when a user that has 2FA is authenticating to the application. Once they submit a valid username-password-totp combination, the user gets authenticated...

5.7CVSS5.9AI score0.00258EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 8:35 p.m.15 views

SVG Dimension Capping Bypass via XML Comment Injection in @dicebear/converter ensureSize()

Summary The ensureSize function in @dicebear/converter used a regex-based approach to rewrite SVG width/height attributes, capping them at 2048px to prevent denial of service. This size capping could be bypassed by crafting SVG input that causes the regex to match a non-functional occurrence of s...

7.5CVSS5.8AI score0.00376EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 8:35 p.m.10 views

CRL Distribution Point Scope Check Logic Error in AWS-LC

Summary AWS-LC is an open-source, general-purpose cryptographic library. Impact A logic error in CRL distribution point matching in AWS-LC allows a revoked certificate to bypass revocation checks during certificate validation, when the application enables CRL checking and uses partitioned CRLs wi...

5.9AI score
Exploits0References5Affected Software2
Github Security Blog
Github Security Blog
added 2026/03/20 8:34 p.m.10 views

AWS-LC X.509 Name Constraints Bypass via Wildcard/Unicode CN

Summary AWS-LC is an open-source, general-purpose cryptographic library. Impact A logic error in CN Common Name validation allows certificates with wildcard or raw UTF-8 Unicode CN values to bypass name constraints enforcement. The cn2dnsid function does not recognize these CN patterns as valid D...

5.9AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 8:34 p.m.7 views

etcd: Nested etcd transactions bypass RBAC authorization checks

Impact What kind of vulnerability is it? Who is impacted? An authenticated user with RBAC restricted permissions on key ranges can use nested transactions to bypass all key-level authorization. This allows any authenticated user with direct access to etcd to effectively ignore all key range...

6.5CVSS5.8AI score0.0021EPSS
Exploits0References3Affected Software2
Github Security Blog
Github Security Blog
added 2026/03/20 8:34 p.m.4 views

Effect `AsyncLocalStorage` context lost/contaminated inside Effect fibers under concurrent load with RPC

Versions - effect: 3.19.15 - @effect/rpc: 0.72.1 - @effect/platform: 0.94.2 - Node.js: v22.20.0 - Vercel runtime with Fluid compute - Next.js: 16 App Router - @clerk/nextjs: 6.x Root cause Effect's MixedScheduler batches fiber continuations and drains them inside a single microtask or timer...

7.4CVSS6.1AI score0.0027EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 5:25 p.m.5 views

oRPC has Stored XSS in OpenAPI Reference Plugin via unescaped JSON.stringify

A Stored Cross-Site Scripting XSS vulnerability exists in the OpenAPI documentation generation of orpc. If an attacker can control any field within the OpenAPI specification such as info.description, they can break out of the JSON context and execute arbitrary JavaScript when a user views the...

8.2CVSS6.1AI score0.00288EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 5:25 p.m.6 views

Vikunja’s Improper Access Control Enables Bypass of Administrator-Imposed Account Disablement

Summary A flaw in Vikunja’s password reset logic allows disabled users to regain access to their accounts. The ResetPassword function sets the user’s status to StatusActive after a successful password reset without verifying whether the account was previously disabled. By requesting a reset token...

8.1CVSS5.8AI score0.00363EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 5:25 p.m.6 views

Vikunja has a 2FA Bypass via Caldav Basic Auth

Summary The Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be protected behind 2FA if enabled, such as project name, description, etc. Details...

6.9CVSS5.8AI score0.00302EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 5:25 p.m.6 views

Vikunja has an IDOR in Task Comments Allows Reading Arbitrary Comments

An authenticated user can read any task comment by ID, regardless of whether they have access to the task the comment belongs to, by substituting the task ID in the API URL with a task they do have access to. Details The GET /api/v1/tasks/taskID/comments/commentID endpoint performs an authorizati...

5.3CVSS5.8AI score0.00254EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 5:25 p.m.6 views

Vikunja read-only users can delete project background images via broken object-level authorization

Summary The DELETE /api/v1/projects/:project/background endpoint checks CanRead permission instead of CanUpdate, allowing any user with read-only access to a project to permanently delete its background image. Details The RemoveProjectBackground handler pkg/modules/background/handler/background.g...

5.4CVSS5.8AI score0.00211EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 5:25 p.m.10 views

tar-rs `unpack_in` can chmod arbitrary directories by following symlinks

Summary When unpacking a tar archive, the tar crate's unpackdir function uses fs::metadata to check whether a path that already exists is a directory. Because fs::metadata follows symbolic links, a crafted tarball containing a symlink entry followed by a directory entry with the same name causes...

6.5CVSS5.9AI score0.00379EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 5:25 p.m.14 views

tar-rs incorrectly ignores PAX size headers if header size is nonzero

Summary As part of CVE-2025-62518 the astral-tokio-tar project was changed to correctly honor PAX size headers in the case where it was different from the base header. However, it was missed at the time that this project the original Rust tar crate had a conditional logic that skipped the PAX siz...

8.1CVSS7.4AI score0.00397EPSS
Exploits1References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 3:58 p.m.5 views

Graphiti Affected by Arbitrary Method Execution via Unvalidated Relationship Names

Summary An arbitrary method execution vulnerability has been found which affects Graphiti's JSONAPI write functionality. An attacker can craft a malicious JSONAPI payload with arbitrary relationship names to invoke any public method on the underlying model instance, class or its associations...

9.1CVSS6AI score0.00632EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 3:57 p.m.11 views

pydicom has a path traversal in FileSet/DICOMDIR ReferencedFileID allows file access outside the File-set root

Summary A crafted DICOMDIR can set ReferencedFileID to a path outside the File-set root. pydicom resolves the path only to confirm that it exists, but does not verify that the resolved path remains under the File-set root. Subsequent public FileSet operations such as copy, write, and...

7.8CVSS5.9AI score0.00279EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 3:56 p.m.11 views

Qwik City has array method pollution in FormData processing allows type confusion and DoS

Summary Qwik City improperly inferred arrays from dotted form field names during FormData parsing. By submitting mixed array-index and object-property keys for the same path, an attacker could cause user-controlled properties to be written onto values that application code expected to be arrays...

7.5CVSS5.9AI score0.00427EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 3:43 p.m.6 views

Traefik Affected by BasicAuth Middleware Timing Attack Allows Username Enumeration

Summary There is a potential vulnerability in Traefik's BasicAuth middleware that allows username enumeration via a timing attack. When a submitted username exists, the middleware performs a bcrypt password comparison taking 166ms. When the username does not exist, the response returns immediatel...

6.3CVSS5.9AI score0.00385EPSS
Exploits0References6Affected Software3
Github Security Blog
Github Security Blog
added 2026/03/20 3:43 p.m.10 views

Traefik has a Potential mTLS Bypass via Fragmented TLS ClientHello Causing Pre-SNI Sniff Fallback to Default Non-mTLS TLS Config

Summary There is a potential vulnerability in Traefik's TLS SNI pre-sniffing logic related to fragmented ClientHello packets. When a TLS ClientHello is fragmented across multiple records, Traefik's SNI extraction may fail with an EOF and return an empty SNI. The TCP router then falls back to the...

8.3CVSS5.8AI score0.00405EPSS
Exploits0References6Affected Software3
Github Security Blog
Github Security Blog
added 2026/03/20 3:31 p.m.13 views

Duplicate Advisory: OpenClaw: WebSocket shared-auth connections could self-declare elevated scopes

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-rqpp-rjj8-7wv8. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.3.12 contain an authorization bypass vulnerability in the WebSocket connect path that...

9.9CVSS5.7AI score0.00505EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 2:41 p.m.7 views

Vikunja has a Rate-Limit Bypass for Unauthenticated Users via Spoofed Headers

Summary Unauthenticated users are able to bypass the application's built-in rate-limits by spoofing the X-Forwarded-For or X-Real-IP headers due to the rate-limit relying on the value of echo.Context.RealIP. Details In the first file below, the rate-limit for unauthenticated users can be observed...

5.3CVSS5.9AI score0.00328EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 12:31 a.m.7 views

Spring MVC and WebFlux has Server Sent Event stream corruption

Spring MVC and WebFlux applications are vulnerable to stream corruption when using Server-Sent Events SSE. This issue affects Spring Foundation: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46...

2.6CVSS5.8AI score0.00112EPSS
Exploits0References3Affected Software2
Github Security Blog
Github Security Blog
added 2026/03/20 12:31 a.m.101 views

Spring Boot has an Authentication Bypass under Actuator Health groups paths

Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under a specific path, already configured for a Health Group additional path. This issue affects Spring Boot: from 4.0 before...

8.2CVSS5.8AI score0.00334EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 12:31 a.m.11 views

ingress-nginx comment-based nginx configuration injection

A security issue was discovered in ingress-nginx where a combination of Ingress annotations can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. Note that i...

8.8CVSS6.4AI score0.01494EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 12:31 a.m.5 views

Spring Boot has an Authentication Bypass under Actuator CloudFoundry endpoints

Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under the path used by the CloudFoundry Actuator endpoints. This issue affects Spring Security: from 4.0.0 through 4.0.3, from...

8.2CVSS5.8AI score0.0036EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 12:31 a.m.9 views

Spring Framework Improper Path Limitation with Script View Templates

Use of Java scripting engine enabled e.g. JRuby, Jython template views in Spring MVC and Spring WebFlux applications can result in disclosure of content from files outside the configured locations for script template views. This issue affects Spring Framework: from 7.0.0 through 7.0.5, from 6.2.0...

5.9CVSS5.8AI score0.00385EPSS
Exploits1References3Affected Software2
Total number of security vulnerabilities33190