Lucene search
K
GithubRecent

33225 matches found

Github Security Blog
Github Security Blog
added 2026/03/20 8:45 p.m.7 views

Parse Server has a protected field change detection oracle via LiveQuery watch parameter

Impact An attacker can subscribe to LiveQuery with a watch parameter targeting a protected field. Although the protected field value is properly stripped from event payloads, the presence or absence of update events reveals whether the protected field changed, creating a binary oracle. For boolea...

6.3CVSS5.8AI score0.00316EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 8:45 p.m.10 views

PDFME has SSRF via Unvalidated URL Fetch in `getB64BasePdf` When `basePdf` Is Attacker-Controlled

Summary The getB64BasePdf function in @pdfme/common fetches arbitrary URLs via fetch without any validation when basePdf is a non-data-URI string and window is defined. An attacker who can control the basePdf field of a template e.g., through a web application that accepts user-supplied templates...

6AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 8:45 p.m.9 views

PDFME has XSS via Unsanitized i18n Label Injection into innerHTML in multiVariableText propPanel

Summary The multiVariableText property panel in @pdfme/schemas constructs HTML via string concatenation and assigns it to innerHTML using unsanitized i18n label values. An attacker who can control label overrides passed through options.labels can inject arbitrary JavaScript that executes in the...

5.9AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 8:44 p.m.9 views

PDFME Affected by Decompression Bomb in FlateDecode Stream Parsing Causes Memory Exhaustion DoS

Summary The DecodeStream.ensureBuffer method in @pdfme/pdf-lib doubles its internal buffer without any upper bound on the decompressed size. A crafted PDF containing a FlateDecode stream with a high compression ratio decompression bomb causes unbounded memory allocation during stream decoding,...

6AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 8:44 p.m.10 views

Parse Server's LiveQuery bypasses CLP pointer permission enforcement

Impact Parse Server's LiveQuery WebSocket interface does not enforce Class-Level Permission CLP pointer permissions readUserFields and pointerFields. Any authenticated user can subscribe to LiveQuery events and receive real-time updates for all objects in classes protected by pointer permissions,...

7.1CVSS5.8AI score0.00397EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 8:44 p.m.8 views

AVideo has a SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in Unauthenticated LiveLinks Proxy

Summary The isSSRFSafeURL function in AVideo can be bypassed using IPv4-mapped IPv6 addresses ::ffff:x.x.x.x. The unauthenticated plugin/LiveLinks/proxy.php endpoint uses this function to validate URLs before fetching them with curl, but the IPv4-mapped IPv6 prefix passes all checks, allowing an...

8.6CVSS5.8AI score0.0032EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 8:44 p.m.7 views

AVideo has PHP Code Injection via eval() in Gallery saveSort.json.php Exploitable Through CSRF Against Admin

Summary The Gallery plugin's saveSort.json.php endpoint passes unsanitized user input from $REQUEST'sections' array values directly into PHP's eval function. While the endpoint is gated behind User::isAdmin, it has no CSRF token validation. Combined with AVideo's explicit SameSite=None session...

8.8CVSS6.7AI score0.00531EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 8:43 p.m.7 views

AVideo Multi-Chain Attack: Unauthenticated Remote Code Execution via Clone Key Disclosure, Database Dump, and Command Injection

Summary Multiple vulnerabilities in AVideo's CloneSite plugin chain together to allow a completely unauthenticated attacker to achieve remote code execution. The clones.json.php endpoint exposes clone secret keys without authentication, which can be used to trigger a full database dump via...

10CVSS6.6AI score0.13266EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 8:43 p.m.13 views

Siyuan has an Unauthenticated Arbitrary File Read via Path Traversal

Summary The Siyuan kernel exposes an unauthenticated file-serving endpoint under /appearance/filepath. Due to improper path sanitization, attackers can perform directory traversal and read arbitrary files accessible to the server process. Authentication checks explicitly exclude this endpoint,...

7.5CVSS6AI score0.03256EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 8:43 p.m.11 views

Vikunja Affected by DoS via Image Preview Generation

Summary - Vulnerability: Unbounded image decoding and resizing during preview generation lets an attacker exhaust CPU and memory with highly compressed but extremely large-dimension images. - Affected code: - Decoding without bounds: taskattachment.go:GetPreview - Resizing path: resizeImage -...

6.5CVSS5.9AI score0.00318EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 8:43 p.m.9 views

Vikunja has TOTP Reuse During Validity Window

Summary Any user that has enabled 2FA can have their TOTP reused during the standard 30 second validity window. Details The below code is called when a user that has 2FA is authenticating to the application. Once they submit a valid username-password-totp combination, the user gets authenticated...

5.7CVSS5.9AI score0.00258EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 8:35 p.m.15 views

SVG Dimension Capping Bypass via XML Comment Injection in @dicebear/converter ensureSize()

Summary The ensureSize function in @dicebear/converter used a regex-based approach to rewrite SVG width/height attributes, capping them at 2048px to prevent denial of service. This size capping could be bypassed by crafting SVG input that causes the regex to match a non-functional occurrence of s...

7.5CVSS5.8AI score0.00376EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 8:35 p.m.10 views

CRL Distribution Point Scope Check Logic Error in AWS-LC

Summary AWS-LC is an open-source, general-purpose cryptographic library. Impact A logic error in CRL distribution point matching in AWS-LC allows a revoked certificate to bypass revocation checks during certificate validation, when the application enables CRL checking and uses partitioned CRLs wi...

5.9AI score
Exploits0References5Affected Software2
Github Security Blog
Github Security Blog
added 2026/03/20 8:34 p.m.10 views

AWS-LC X.509 Name Constraints Bypass via Wildcard/Unicode CN

Summary AWS-LC is an open-source, general-purpose cryptographic library. Impact A logic error in CN Common Name validation allows certificates with wildcard or raw UTF-8 Unicode CN values to bypass name constraints enforcement. The cn2dnsid function does not recognize these CN patterns as valid D...

5.9AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 8:34 p.m.7 views

etcd: Nested etcd transactions bypass RBAC authorization checks

Impact What kind of vulnerability is it? Who is impacted? An authenticated user with RBAC restricted permissions on key ranges can use nested transactions to bypass all key-level authorization. This allows any authenticated user with direct access to etcd to effectively ignore all key range...

6.5CVSS5.8AI score0.0021EPSS
Exploits0References3Affected Software2
Github Security Blog
Github Security Blog
added 2026/03/20 8:34 p.m.4 views

Effect `AsyncLocalStorage` context lost/contaminated inside Effect fibers under concurrent load with RPC

Versions - effect: 3.19.15 - @effect/rpc: 0.72.1 - @effect/platform: 0.94.2 - Node.js: v22.20.0 - Vercel runtime with Fluid compute - Next.js: 16 App Router - @clerk/nextjs: 6.x Root cause Effect's MixedScheduler batches fiber continuations and drains them inside a single microtask or timer...

7.4CVSS6.1AI score0.0027EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 5:25 p.m.5 views

oRPC has Stored XSS in OpenAPI Reference Plugin via unescaped JSON.stringify

A Stored Cross-Site Scripting XSS vulnerability exists in the OpenAPI documentation generation of orpc. If an attacker can control any field within the OpenAPI specification such as info.description, they can break out of the JSON context and execute arbitrary JavaScript when a user views the...

8.2CVSS6.1AI score0.00288EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 5:25 p.m.6 views

Vikunja’s Improper Access Control Enables Bypass of Administrator-Imposed Account Disablement

Summary A flaw in Vikunja’s password reset logic allows disabled users to regain access to their accounts. The ResetPassword function sets the user’s status to StatusActive after a successful password reset without verifying whether the account was previously disabled. By requesting a reset token...

8.1CVSS5.8AI score0.00363EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 5:25 p.m.6 views

Vikunja has a 2FA Bypass via Caldav Basic Auth

Summary The Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be protected behind 2FA if enabled, such as project name, description, etc. Details...

6.9CVSS5.8AI score0.00302EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 5:25 p.m.6 views

Vikunja has an IDOR in Task Comments Allows Reading Arbitrary Comments

An authenticated user can read any task comment by ID, regardless of whether they have access to the task the comment belongs to, by substituting the task ID in the API URL with a task they do have access to. Details The GET /api/v1/tasks/taskID/comments/commentID endpoint performs an authorizati...

5.3CVSS5.8AI score0.00254EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 5:25 p.m.6 views

Vikunja read-only users can delete project background images via broken object-level authorization

Summary The DELETE /api/v1/projects/:project/background endpoint checks CanRead permission instead of CanUpdate, allowing any user with read-only access to a project to permanently delete its background image. Details The RemoveProjectBackground handler pkg/modules/background/handler/background.g...

5.4CVSS5.8AI score0.00211EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 5:25 p.m.10 views

tar-rs `unpack_in` can chmod arbitrary directories by following symlinks

Summary When unpacking a tar archive, the tar crate's unpackdir function uses fs::metadata to check whether a path that already exists is a directory. Because fs::metadata follows symbolic links, a crafted tarball containing a symlink entry followed by a directory entry with the same name causes...

6.5CVSS5.9AI score0.00379EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 5:25 p.m.14 views

tar-rs incorrectly ignores PAX size headers if header size is nonzero

Summary As part of CVE-2025-62518 the astral-tokio-tar project was changed to correctly honor PAX size headers in the case where it was different from the base header. However, it was missed at the time that this project the original Rust tar crate had a conditional logic that skipped the PAX siz...

8.1CVSS7.4AI score0.00397EPSS
Exploits1References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 3:58 p.m.5 views

Graphiti Affected by Arbitrary Method Execution via Unvalidated Relationship Names

Summary An arbitrary method execution vulnerability has been found which affects Graphiti's JSONAPI write functionality. An attacker can craft a malicious JSONAPI payload with arbitrary relationship names to invoke any public method on the underlying model instance, class or its associations...

9.1CVSS6AI score0.00632EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 3:57 p.m.11 views

pydicom has a path traversal in FileSet/DICOMDIR ReferencedFileID allows file access outside the File-set root

Summary A crafted DICOMDIR can set ReferencedFileID to a path outside the File-set root. pydicom resolves the path only to confirm that it exists, but does not verify that the resolved path remains under the File-set root. Subsequent public FileSet operations such as copy, write, and...

7.8CVSS5.9AI score0.00279EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 3:56 p.m.11 views

Qwik City has array method pollution in FormData processing allows type confusion and DoS

Summary Qwik City improperly inferred arrays from dotted form field names during FormData parsing. By submitting mixed array-index and object-property keys for the same path, an attacker could cause user-controlled properties to be written onto values that application code expected to be arrays...

7.5CVSS5.9AI score0.00427EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 3:43 p.m.6 views

Traefik Affected by BasicAuth Middleware Timing Attack Allows Username Enumeration

Summary There is a potential vulnerability in Traefik's BasicAuth middleware that allows username enumeration via a timing attack. When a submitted username exists, the middleware performs a bcrypt password comparison taking 166ms. When the username does not exist, the response returns immediatel...

6.3CVSS5.9AI score0.00385EPSS
Exploits0References6Affected Software3
Github Security Blog
Github Security Blog
added 2026/03/20 3:43 p.m.10 views

Traefik has a Potential mTLS Bypass via Fragmented TLS ClientHello Causing Pre-SNI Sniff Fallback to Default Non-mTLS TLS Config

Summary There is a potential vulnerability in Traefik's TLS SNI pre-sniffing logic related to fragmented ClientHello packets. When a TLS ClientHello is fragmented across multiple records, Traefik's SNI extraction may fail with an EOF and return an empty SNI. The TCP router then falls back to the...

8.3CVSS5.8AI score0.00405EPSS
Exploits0References6Affected Software3
Github Security Blog
Github Security Blog
added 2026/03/20 3:31 p.m.13 views

Duplicate Advisory: OpenClaw: WebSocket shared-auth connections could self-declare elevated scopes

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-rqpp-rjj8-7wv8. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.3.12 contain an authorization bypass vulnerability in the WebSocket connect path that...

9.9CVSS5.7AI score0.00505EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 2:41 p.m.7 views

Vikunja has a Rate-Limit Bypass for Unauthenticated Users via Spoofed Headers

Summary Unauthenticated users are able to bypass the application's built-in rate-limits by spoofing the X-Forwarded-For or X-Real-IP headers due to the rate-limit relying on the value of echo.Context.RealIP. Details In the first file below, the rate-limit for unauthenticated users can be observed...

5.3CVSS5.9AI score0.00328EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 12:31 a.m.5 views

Spring Boot has an Authentication Bypass under Actuator CloudFoundry endpoints

Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under the path used by the CloudFoundry Actuator endpoints. This issue affects Spring Security: from 4.0.0 through 4.0.3, from...

8.2CVSS5.8AI score0.0036EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 12:31 a.m.101 views

Spring Boot has an Authentication Bypass under Actuator Health groups paths

Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under a specific path, already configured for a Health Group additional path. This issue affects Spring Boot: from 4.0 before...

8.2CVSS5.8AI score0.00334EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 12:31 a.m.7 views

Spring MVC and WebFlux has Server Sent Event stream corruption

Spring MVC and WebFlux applications are vulnerable to stream corruption when using Server-Sent Events SSE. This issue affects Spring Foundation: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46...

2.6CVSS5.8AI score0.00112EPSS
Exploits0References3Affected Software2
Github Security Blog
Github Security Blog
added 2026/03/20 12:31 a.m.9 views

Spring Framework Improper Path Limitation with Script View Templates

Use of Java scripting engine enabled e.g. JRuby, Jython template views in Spring MVC and Spring WebFlux applications can result in disclosure of content from files outside the configured locations for script template views. This issue affects Spring Framework: from 7.0.0 through 7.0.5, from 6.2.0...

5.9CVSS5.8AI score0.00385EPSS
Exploits1References3Affected Software2
Github Security Blog
Github Security Blog
added 2026/03/20 12:31 a.m.11 views

ingress-nginx comment-based nginx configuration injection

A security issue was discovered in ingress-nginx where a combination of Ingress annotations can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. Note that i...

8.8CVSS6.4AI score0.01494EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/20 12:31 a.m.12 views

Spring Security HTTP Headers Are not Written Under Some Conditions

When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written. This issue affects Spring Security: from 5.7.0 through 5.7.21, from 5.8.0 through 5.8.23, from 6.3.0 through 6.3.14, from 6.4.0...

9.1CVSS5.8AI score0.0048EPSS
Exploits2References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/19 9:32 p.m.9 views

Parse Server has an auth provider validation bypass on login via partial authData

Impact An authentication bypass vulnerability allows an attacker to log in as any user who has linked a third-party authentication provider, without knowing the user's credentials. The attacker only needs to know the user's provider ID to gain full access to their account, including a valid sessi...

9.1CVSS5.7AI score0.00455EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/19 9:31 p.m.7 views

Scriban Affected by Memory Exhaustion (OOM) via Unbounded String Generation (Denial of Service)

TemplateContext.LimitToString defaults to 0 unlimited. While Scriban implements a default LoopLimit of 1000, an attacker can still cause massive memory allocation via exponential string growth. Doubling a string for just 30 iterations generates over 1GB of text, instantly exhausting heap memory a...

5.8AI score
Exploits0References3Affected Software2
Github Security Blog
Github Security Blog
added 2026/03/19 9:31 p.m.6 views

Scriban has an Infinite Recursion during Object Rendering Leads to Stack Overflow and Process Crash (Denial of Service)

When Scriban renders an object that contains a circular reference, it traverses the object's members infinitely. Because the ObjectRecursionLimit property defaults to unlimited, this behavior exhausts the thread's stack space, triggering an uncatchable StackOverflowException that immediately...

5.9AI score
Exploits0References3Affected Software2
Github Security Blog
Github Security Blog
added 2026/03/19 9:30 p.m.5 views

Scriban has Uncontrolled Recursion in Parser Leads to Stack Overflow and Process Crash (Denial of Service)

Scriban is vulnerable to an uncontrolled process crash resulting in a Denial of Service. Because the recursive-descent parser does not enforce a default limit on expression depth, an attacker who controls template input can craft a heavily nested template that triggers a StackOverflowException. I...

6AI score
Exploits0References4Affected Software2
Github Security Blog
Github Security Blog
added 2026/03/19 9:22 p.m.16 views

Protocol-Relative URL Injection via Single Backslash Bypass in Angular SSR

An Open Redirect vulnerability exists in @angular/ssr due to an incomplete fix for CVE-2026-27738. While the original fix successfully blocked multiple leading slashes e.g., ///, the internal validation logic fails to account for a single backslash \ bypass. When an Angular SSR application is...

6.9CVSS5.7AI score0.00255EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/19 7:37 p.m.7 views

The Query Monitor plugin for WordPress has Reflected Cross-Site Scripting via Request URI

Impact The Query Monitor plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $SERVER'REQUESTURI' parameter in all versions up to, and including, 3.20.3 due to insufficient output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web script...

7.2CVSS5.9AI score0.00302EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/19 7:34 p.m.8 views

AVideo has an authenticated arbitrary local file read via `chunkFile` path injection in `aVideoEncoder.json.php`

Summary POST /objects/aVideoEncoder.json.php accepts a requester-controlled chunkFile parameter intended for staged upload chunks. Instead of restricting that path to trusted server-generated chunk locations, the endpoint accepts arbitrary local filesystem paths that pass isValidURLOrPath. That...

7.6CVSS5.9AI score0.00254EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/19 7:27 p.m.5 views

In Soft Serve, an authenticated repo import can clone server-local private repositories

Summary An authorization flaw in repo import allows any authenticated SSH user to clone a server-local Git repository, including another user's private repo, into a new repository they control. This breaks the private-repository confidentiality boundary and should be treated as High severity...

7.1CVSS5.9AI score0.00364EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/19 7:25 p.m.9 views

AVideo has an Unauthenticated SQL Injection via `doNotShowCats` Parameter (Backslash Escape Bypass)

Summary An unauthenticated SQL injection vulnerability exists in objects/category.php in the getAllCategories method. The doNotShowCats request parameter is sanitized only by stripping single-quote characters strreplace"'", '', ..., but this is trivially bypassed using a backslash escape techniqu...

9.8CVSS5.9AI score0.00431EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/19 7:25 p.m.6 views

Dagu has an incomplete fix for CVE-2026-27598: path traversal via %2F-encoded slashes in locateDAG

The fix for CVE-2026-27598 commit e2ed589, PR 1691 added ValidateDAGName to CreateNewDAG and rewrote generateFilePath to use filepath.Base. This patched the CREATE path. The remaining API endpoints - GET, DELETE, RENAME, EXECUTE - all pass the fileName URL path parameter to locateDAG without...

8.1CVSS6AI score0.00571EPSS
Exploits2References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/19 7:13 p.m.8 views

AVideo has Unauthenticated SSRF via `webSiteRootURL` Parameter in saveDVR.json.php, Chaining to Verification Bypass

Summary A Server-Side Request Forgery SSRF vulnerability exists in plugin/Live/standAloneFiles/saveDVR.json.php. When the AVideo Live plugin is deployed in standalone mode the intended configuration for this file, the $REQUEST'webSiteRootURL' parameter is used directly to construct a URL that is...

9.1CVSS5.8AI score0.00431EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/19 7:13 p.m.7 views

Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser

Summary The DocTypeReader in fast-xml-parser uses JavaScript truthy checks to evaluate maxEntityCount and maxEntitySize configuration limits. When a developer explicitly sets either limit to 0 — intending to disallow all entities or restrict entity size to zero bytes — the falsy nature of 0 in...

5.9CVSS6.1AI score0.00449EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/19 7:4 p.m.10 views

league/commonmark has an embed extension allowed_domains bypass

Impact The DomainFilteringAdapter in the Embed extension is vulnerable to an allowlist bypass due to a missing hostname boundary assertion in the domain-matching regex. An attacker-controlled domain like youtube.com.evil passes the allowlist check when youtube.com is an allowed domain. This enabl...

6.3CVSS5.8AI score0.00241EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/19 6:48 p.m.6 views

NiceGUI's unvalidated chunk size parameter in media routes can cause memory exhaustion

Summary NiceGUI's app.addmediafile and app.addmediafiles media routes accept a user-controlled query parameter that influences how files are read during streaming. The parameter is passed to the range-response implementation without validation, allowing an attacker to bypass chunked streaming and...

7.5CVSS5.8AI score0.00599EPSS
Exploits0References5Affected Software1
Total number of security vulnerabilities33225