Lucene search
K
GithubRecent

33225 matches found

Github Security Blog
Github Security Blog
added 2026/03/19 3:30 a.m.7 views

Duplicate Advisory: OpenClaw macOS companion app (beta): allowlist parsing mismatch for system.run shell chains

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-5f9p-f3w2-fwch. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.22 contain an allowlist parsing mismatch vulnerability in the macOS companion app...

6.4CVSS6AI score0.00291EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/19 3:30 a.m.4 views

Duplicate Advisory: OpenClaw Windows Scheduled Task script generation allowed local command injection via unsafe cmd argument handling

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-mqr9-vqhq-3jxw. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.19 contain a local command injection vulnerability in Windows scheduled task script...

7.8CVSS6AI score0.00571EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/19 3:30 a.m.8 views

Duplicate Advisory: OpenClaw: system.run approvals did not bind PATH-token executable identity, enabling post-approval executable rebind

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-q399-23r3-hfx4. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.3.1 fail to pin executable identity for non-path-like argv0 tokens in system.run...

6.7CVSS5.9AI score0.00091EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/19 3:30 a.m.8 views

Duplicate Advisory: Exec allowlist wrapper analysis did not unwrap env/shell dispatch chains

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-jj82-76v6-933r. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in system.run exec analysis that fails...

8.8CVSS5.9AI score0.00419EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/19 3:30 a.m.9 views

Duplicate Advisory: OpenClaw: WebSocket shared-auth connections could self-declare elevated scopes

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-7fcc-cw49-xm78. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.19 contain a command injection vulnerability in the Lobster extension tool executio...

7.8CVSS6.1AI score0.00618EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/19 3:30 a.m.8 views

Duplicate Advisory: safeBins stdin-only bypass via sort output and recursive grep flags

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-4685-c5cp-vp95. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.19 tools.exec.safeBins contains an input validation bypass vulnerability that allow...

7.1CVSS6.1AI score0.0014EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/19 3:30 a.m.9 views

Duplicate Advisory: OpenClaw's Node system.run approval hardening wrapper semantic drift can execute unintended local scripts

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-h3rm-6x7g-882f. This link is maintained to preserve external references. Original Description OpenClaw 2026.3.1 contains an approval integrity vulnerability in system.run node-host execution where argv rewriting...

6.7CVSS6AI score0.0013EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/19 3:30 a.m.8 views

Duplicate Advisory: OpenClaw's Nextcloud Talk webhook replay could trigger duplicate inbound processing

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-r9q5-c7qc-p26w. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.25 lack durable replay state for Nextcloud Talk webhook events, allowing valid sign...

6.5CVSS5.7AI score0.00267EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/19 3:30 a.m.7 views

Duplicate Advisory: OpenClaw has Windows Lobster shell fallback command injection in constrained fallback path

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-fg3m-vhrr-8gj6. This link is maintained to preserve external references. Original Description OpenClaw versions 2026.1.21 prior to 2026.2.19 contain a command injection vulnerability in the Lobster extension's...

7CVSS6AI score0.00525EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/19 3:30 a.m.8 views

Duplicate Advisory: Signal group allowlist authorization bypass via DM pairing-store leakage

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-wm8r-w8pf-2v6w. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability where Signal group allowlist polic...

4.6CVSS5.7AI score0.00152EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/19 3:30 a.m.10 views

Duplicate Advisory: ACPX Windows wrapper shell fallback allowed cwd injection in specific paths

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-6f6j-wx9w-ff4j. This link is maintained to preserve external references. Original Description OpenClaw versions 2026.2.26 prior to 2026.3.1 on Windows contain a current working directory injection vulnerability ...

7.8CVSS5.9AI score0.00241EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/19 3:30 a.m.12 views

Duplicate Advisory: Command Injection via unescaped environment assignments in Windows Scheduled Task script generation

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-pj5x-38rw-6fph. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.19 contain a command injection vulnerability in Windows Scheduled Task script...

7.8CVSS6AI score0.00637EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/19 3:30 a.m.9 views

Duplicate Advisory: web_search citation redirect SSRF via private-network-allowing policy

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-g99v-8hwm-g76g. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.3.1 contain a server-side request forgery vulnerability in websearch citation redirec...

7.4CVSS5.7AI score0.00184EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/19 3:30 a.m.7 views

Duplicate Advisory: OpenClaw's system.run allowlist bypass via shell line-continuation command substitution

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-9868-vxmx-w862. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.22 contain an allowlist bypass vulnerability in system.run that allows attackers to...

8.8CVSS5.9AI score0.00439EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/19 12:30 a.m.7 views

Arbitrary file write via tar traversal in mlflow

A vulnerability in MLflow's pyfunc extraction process allows for arbitrary file writes due to improper handling of tar archive entries. Specifically, the use of tarfile.extractall without path validation enables crafted tar.gz files containing .. or absolute paths to escape the intended extractio...

9.1CVSS6.3AI score0.00852EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 8:23 p.m.6 views

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in nltk

Summary nltk.app.wordnetapp contains a reflected cross-site scripting issue in the lookup... route. A crafted lookup URL can inject arbitrary HTML/JavaScript into the response page because attacker-controlled word data is reflected into HTML without escaping. This impacts users running the local...

6.1CVSS5.9AI score0.00331EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 8:22 p.m.5 views

Budibase Unrestricted Server-Side Request Forgery (SSRF) via REST Datasource Query Preview

Summary The REST datasource query preview endpoint POST /api/queries/preview makes server-side HTTP requests to any URL supplied by the user in fields.path with no validation. An authenticated admin can reach internal services that are not exposed to the internet — including cloud metadata...

8.7CVSS5.8AI score0.00367EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 8:21 p.m.8 views

Nhost Storage Affected by MIME Type Spoofing via Trusted Client Content-Type Header in Storage Upload

Summary The storage service's file upload handler trusts the client-provided Content-Type header without performing server-side MIME type detection. This allows an attacker to upload files with an arbitrary MIME type, bypassing any MIME-type-based restrictions configured on storage buckets...

5.3CVSS5.9AI score0.00173EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 8:20 p.m.7 views

Path traversal in Tekton Pipelines git resolver allows reading arbitrary files from the resolver pod

Summary The Tekton Pipelines git resolver is vulnerable to path traversal via the pathInRepo parameter. A tenant with permission to create ResolutionRequests e.g. by creating TaskRuns or PipelineRuns that use the git resolver can read arbitrary files from the resolver pod's filesystem, including...

9.6CVSS5.9AI score0.00573EPSS
Exploits0References10Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 8:19 p.m.4 views

JustHTML has a Sanitizer Bypass (in Markdown)

Summary tomarkdown does not sufficiently escape text content that looks like HTML. As a result, untrusted input that is safe in tohtml can become raw HTML in Markdown output. This is not specific to tokenizer raw-text states like , , or , although those states can trigger the behavior. The root...

5.8AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 8:19 p.m.7 views

JustHTML Affected by Mutation XSS via Literal Text Serialization in Raw Text Elements (style/script)

Summary Sanitized DOM trees can be unsafe to serialize when a custom policy allows raw-text elements such as or . The issue affects DOM trees that are constructed or modified programmatically and then passed through sanitizedom with a policy that keeps these elements. Text nodes inside and are...

5.8AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 8:19 p.m.16 views

Unsigned SAML LogoutRequest Acceptance in gosaml2

Summary The ValidateEncodedLogoutRequestPOST function in gosaml2 accepts completely unsigned SAML LogoutRequest messages even when SkipSignatureValidation is set to false. When validateElementSignature returns dsig.ErrMissingSignature, the code in decodelogoutrequest.go:60-62 silently falls throu...

5.9AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 8:19 p.m.14 views

gosaml2 CBC Padding Panic — Unauthenticated Process Crash

Summary The AES-CBC decryption path in DecryptBytes panics on crafted ciphertext whose plaintext is all zero bytes. After decryption, bytes.TrimRightdata, "\x00" empties the slice, then datalendata-1 panics with index out of range -1. There is no recover in the library. The panic propagates throu...

5.9AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 8:18 p.m.4 views

validateSignature Loop Variable Capture Signature Bypass in goxmldsig

Details The validateSignature function in validate.go goes through the references in the SignedInfo block to find one that matches the signed element's ID. In Go versions before 1.22, or when go.mod uses an older version, there is a loop variable capture issue. The code takes the address of the...

7.5CVSS5.8AI score0.00299EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 8:17 p.m.8 views

Natural Language Toolkit (NLTK) has unbounded recursion in JSONTaggedDecoder.decode_obj() may cause DoS

Summary JSONTaggedDecoder.decodeobj in nltk/jsontags.py calls itself recursively without any depth limit. A deeply nested JSON structure exceeding sys.getrecursionlimit default: 1000 will raise an unhandled RecursionError, crashing the Python process. Affected code File: nltk/jsontags.py, lines...

5.9AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 8:17 p.m.11 views

mo has a XSS via inline SVG script tags in Markdown rendering

Summary When rendering Markdown files containing inline SVG elements with tags, the embedded JavaScript is executed in the browser. This is due to rehype-raw passing raw HTML including SVG through to the DOM without sanitization. PoC html alert1 Embedding the above in a Markdown file opened with ...

5.9AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 8:16 p.m.8 views

SimpleJWT has an Unauthenticated Denial of Service via JWE header tampering

Summary An unauthenticated attacker can perform a Denial of Service via JWE header tampering when PBES2 algorithms are used. Applications that call JWE::decrypt on attacker-controlled JWEs using PBES2 algorithms are affected. Details PHP version: PHP 8.4.11 SimpleJWT version: v1.1.0 The relevant...

7.5CVSS5.9AI score0.00481EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 8:11 p.m.14 views

free5GC UDM incorrectly returns 500 for empty supi path parameter in PATCH sdm-subscriptions reques

Impact This is an Improper Error Handling vulnerability with Information Exposure implications, combined with an HTTP Method Translation issue. - Security Impact: The UDM incorrectly converts a downstream 400 Bad Request from UDR into a 500 Internal Server Error when handling PATCH requests with ...

8.7CVSS5.7AI score0.00321EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 8:11 p.m.6 views

free5GC UDM vulnerable to null byte injection in URL path parameters causing 500 Internal Server Error

Impact This is an Improper Input Validation vulnerability with Denial of Service and Injection implications. - Security Impact: A remote attacker can inject null bytes URL-encoded as %00 into the supi path parameter of the UDM's NudmSubscriberDataManagement API. This causes URL parsing failure in...

8.7CVSS5.8AI score0.00354EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 8:11 p.m.8 views

SiYuan has an Unauthenticated WebSocket DoS via Auth Keepalive Bypass

Summary The SiYuan kernel WebSocket server accepts unauthenticated connections when a specific “auth keepalive” query parameter is present. After connection, incoming messages are parsed using unchecked type assertions on attacker-controlled JSON. A remote attacker can send malformed messages tha...

7.5CVSS5.9AI score0.00497EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 8:10 p.m.9 views

SiYuan has an Incomplete Fix for IsSensitivePath Denylist Allows File Read from /opt, /usr, /home (GHSA-h5vh-m7fg-w5h6 Bypass)

Summary The IsSensitivePath function in kernel/util/path.go uses a denylist approach that was recently expanded GHSA-h5vh-m7fg-w5h6, commit 9914fd1 but remains incomplete. Multiple security-relevant Linux directories are not blocked, including /opt application data, /usr local configs/binaries,...

6.8CVSS5.9AI score0.00489EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 8:10 p.m.28 views

gRPC-Go has an authorization bypass via missing leading slash in :path

Impact What kind of vulnerability is it? Who is impacted? It is an Authorization Bypass resulting from Improper Input Validation of the HTTP/2 :path pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the :path omitted the mandatory leading slash e.g.,...

9.1CVSS5.8AI score0.01557EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 8:10 p.m.6 views

DeepDiff has Memory Exhaustion DoS through SAFE_TO_IMPORT

Summary The pickle unpickler RestrictedUnpickler validates which classes can be loaded but does not limit their constructor arguments. A few of the types in SAFETOIMPORT have constructors that allocate memory proportional to their input builtins.bytes, builtins.list, builtins.range. A 40-byte...

8.7CVSS8AI score0.00452EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 8:8 p.m.9 views

dynaconf Affected by Remote Code Execution (RCE) via Insecure Template Evaluation in @jinja Resolver

Summary Dynaconf is vulnerable to Server-Side Template Injection SSTI due to unsafe template evaluation in the @jinja resolver. When the jinja2 package is installed, Dynaconf evaluates template expressions embedded in configuration values without a sandboxed environment. If an attacker can...

8.1CVSS6.1AI score0.00526EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 8:7 p.m.10 views

HAPI FHIR HTTP authentication leak in redirects

Impact When setting headers in HTTP requests, the internal HTTP client sends headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the Location: response header value. Sending the same set of...

8.2CVSS5.8AI score0.00264EPSS
Exploits0References3Affected Software12
Github Security Blog
Github Security Blog
added 2026/03/18 8:7 p.m.4 views

Filament Unvalidated Range and Values summarizer values can be used for XSS

Two Table summarizers Range, Values render raw database values without escaping HTML. If there is a lack of validation for the data in the columns that use these summarizers, an attacker could plant malicious HTML / JavaScript and achieve stored XSS that executes for users who view the table with...

7.3CVSS5.5AI score0.00296EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 8:7 p.m.9 views

free5GC UDM incorrectly returns 500 for empty supi path parameter in DELETE sdm-subscriptions request

Impact This is an Improper Error Handling vulnerability with Information Exposure implications. - Security Impact: The UDM incorrectly converts a downstream 400 Bad Request from UDR into a 500 Internal Server Error when handling DELETE requests with an empty supi path parameter. This leaks intern...

6.9CVSS5.7AI score0.00282EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 8:6 p.m.5 views

free5GC UDM DataChangeNotification Procedure Panic Due to Nil Pointer Dereference

Impact This is a NULL Pointer Dereference vulnerability leading to Denial of Service. - Security Impact: A remote attacker can cause the UDM service to panic and crash by sending a crafted POST request to the /sdm-subscriptions endpoint with a malformed URL path containing path traversal sequence...

8.7CVSS5.8AI score0.00486EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 8:6 p.m.10 views

free5GC AUSF UE Authentication Panic on Nil SuciSupiMap Interface Conversion

Impact This is an Improper Null Check vulnerability leading to Denial of Service. - Security Impact: A remote attacker can cause the AUSF service to panic and crash by sending a crafted UE authentication request that triggers a nil interface conversion in the GetSupiFromSuciSupiMap function. This...

8.7CVSS5.9AI score0.00652EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 8:5 p.m.6 views

free5GC NRF Discovery EncodeGroupId Function Panics on Malformed group-id-list Parameter

Impact This is an Improper Input Validation vulnerability leading to Denial of Service. - Security Impact: A remote attacker can cause the NRF service to panic and crash by sending a crafted HTTP GET request with a malformed group-id-list parameter. This results in complete denial of service for...

8.7CVSS5.9AI score0.00674EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 8:5 p.m.7 views

Mesop Affected by Unauthenticated Remote Code Execution via Test Suite Route /exec-py

Summary An explicit web endpoint inside the ai/ testing module infrastructure directly ingests untrusted Python code strings unconditionally without authentication measures, yielding standard Unrestricted Remote Code Execution. Any individual capable of routing HTTP logic to this server block wil...

9.8CVSS6.1AI score0.05289EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 8:1 p.m.6 views

Mesop has a Path Traversal utilizing `FileStateSessionBackend` leads to Application Denial of Service and File Write/Deletion

Summary A Path Traversal vulnerability allows any user or attacker supplying an untrusted statetoken through the UI stream payload to arbitrarily target files on the disk under the standard file-based runtime backend. This can result in application denial of service via crash loops when reading...

10CVSS5.9AI score0.00713EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 8:0 p.m.7 views

Statamic is missing authorization check on taxonomy term creation via fieldtype

Impact Low-privileged Control Panel users could create taxonomy terms by submitting requests to the field action processing endpoint with attacker-controlled field definitions. This bypasses the authorization checks enforced on the standard taxonomy term creation endpoint. Patches This has been...

4.3CVSS5.7AI score0.00224EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 8:0 p.m.8 views

Statamic has a path traversal in file dictionary fieldtype

Impact Authenticated Control Panel users could read arbitrary .json, .yaml, and .csv files from the server by manipulating the file dictionary's filename configuration parameter in the fieldtype's endpoint. Patches This has been fixed in 5.73.14 and 6.7.0...

4.3CVSS5.8AI score0.00348EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 7:54 p.m.20 views

Statamic has Stored XSS via SVG Sanitization Bypass

Impact Stored XSS vulnerability in SVG asset reuploads allows authenticated users with asset upload permissions to bypass SVG sanitization and inject malicious JavaScript that executes when the asset is viewed. Patches This has been fixed in 5.73.14 and 6.7.0...

8.7CVSS5.7AI score0.00325EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 7:54 p.m.8 views

Gossipsub PRUNE.backoff Duration Overflow

Summary The Rust libp2p Gossipsub implementation accepts attacker-controlled PRUNE backoff values and may perform unchecked time arithmetic when storing backoff state. A specially crafted PRUNE control message with an extremely large backoff e.g. u64::MAX can lead to Duration/Instant overflow...

8.7CVSS5.8AI score0.00473EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 7:53 p.m.8 views

Allure Report has an Arbitrary File Read via Path Traversal in Attachment Processing (Allure 1, Allure 2, and XCTest Readers)

Summary The Allure report generator is vulnerable to an arbitrary file read via path traversal when processing test results. An attacker can craft a malicious result file -result.json, -container.json, or .plist that points an attachment source to a sensitive file on the host system. During repor...

8.6CVSS6AI score0.00539EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 7:49 p.m.8 views

Parse Server leaks protected fields via LiveQuery afterEvent trigger

Impact When a Parse.Cloud.afterLiveQueryEvent trigger is registered for a class, the LiveQuery server leaks protected fields and authData to all subscribers of that class. Fields configured as protected via Class-Level Permissions protectedFields are included in LiveQuery event payloads for all...

8.2CVSS5.8AI score0.00421EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 7:49 p.m.10 views

ApostropheCMS has Arbitrary File Write (Zip Slip / Path Traversal) in Import-Export Gzip Extraction

Reported: 2026-03-08 Status: patched and released in version 3.5.3 of @apostrophecms/import-export --- Product | Field | Value | |---|---| | Repository | apostrophecms/apostrophe monorepo | | Affected Package | @apostrophecms/import-export | | Affected File |...

9.9CVSS5.8AI score0.00432EPSS
Exploits1References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 7:48 p.m.8 views

ApostropheCMS MFA/TOTP Bypass via Incorrect MongoDB Query in Bearer Token Middleware

MFA/TOTP Bypass via Incorrect MongoDB Query in Bearer Token Middleware Summary The bearer token authentication middleware in @apostrophecms/express/index.js lines 386-389 contains an incorrect MongoDB query that allows incomplete login tokens — where the password was verified but TOTP/MFA...

8.1CVSS5.9AI score0.00362EPSS
Exploits1References3Affected Software1
Total number of security vulnerabilities33225