Lucene search
K
GithubRecent

33225 matches found

Github Security Blog
Github Security Blog
added 2026/03/18 6:31 p.m.8 views

NotChatbot WebChat has a stored cross-site scripting (XSS) vulnerability

A stored cross-site scripting XSS vulnerability exists in the NotChatbot WebChat widget thru 1.4.4. User-supplied input is not properly sanitized before being stored and rendered in the chat conversation history. This allows an attacker to inject arbitrary JavaScript code which is executed when t...

5.4CVSS5.8AI score0.00247EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 6:31 p.m.10 views

Jenkins LoadNinja Plugin stores LoadNinja API keys unencrypted in job config.xml files

Jenkins LoadNinja Plugin 2.1 and earlier stores LoadNinja API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system...

4.3CVSS5.8AI score0.00142EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 6:31 p.m.13 views

Jenkins has a link following vulnerability allows arbitrary file creation

Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the user running...

8.8CVSS5.9AI score0.01161EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 6:31 p.m.13 views

Jenkins has a DNS rebinding vulnerability in WebSocket CLI origin validation

Jenkins 2.442 through 2.554 both inclusive, LTS 2.426.3 through LTS 2.541.2 both inclusive performs origin validation of requests made through the CLI WebSocket endpoint by computing the expected origin for comparison using the Host or X-Forwarded-Host HTTP request headers, making it vulnerable t...

7.5CVSS5.8AI score0.00297EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 6:31 p.m.8 views

Jenkins LoadNinja Plugin does not mask LoadNinja API keys displayed on the job configuration form

Jenkins LoadNinja Plugin 2.1 and earlier does not mask LoadNinja API keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them...

4.3CVSS5.8AI score0.00217EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 5:26 p.m.6 views

Avo has a XSS vulnerability on `return_to` param

Description A reflected cross-site scripting XSS vulnerability exists in the returnto query parameter used in the avo interface. An attacker can craft a malicious URL that injects arbitrary JavaScript, which is executed when he clicks a dynamically generated navigation button. Impact This...

6.1CVSS5.9AI score0.00264EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 5:26 p.m.20 views

Improper detection of disallowed URIs by Loofah `allowed_uri?`

Summary Loofah::HTML5::Scrub.alloweduri? does not correctly reject javascript: URIs when the scheme is split by HTML entity-encoded control characters such as carriage return, line feed, or tab. Details The alloweduri? method strips literal control characters before decoding HTML entities. Payloa...

5.5AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 5:26 p.m.13 views

Out-of-Bounds Slice Access in free5GC CHF Leading to DoS

Impact This is an out-of-bounds slice access vulnerability in the CHF nchf-convergedcharging service. A valid authenticated request to PUT /nchf-convergedcharging/v3/recharging/:ueId?ratingGroup=... can trigger a server-side panic in github.com/free5gc/chf/internal/sbi.Server.RechargePut... due t...

7.1CVSS5.8AI score0.00404EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 5:26 p.m.10 views

socket.io allows an unbounded number of binary attachments

Impact A specially crafted Socket.IO packet can make the server wait for a large number of binary attachments and buffer them, which can be exploited to make the server run out of memory. Patches | Version range | Used by | Fixed version |...

8.7CVSS6AI score0.00514EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 5:25 p.m.7 views

Zitadel is missing enforcement of organization scopes

Summary A vulnerability in Zitadel's OAuth2/OIDC interface, which allowed users to bypass organization enforcement during authentication. Impact Zitadel allows applications to enforce an organzation context during authentication using scopes urn:zitadel:iam:org:id:id and...

5.3CVSS5.7AI score0.00309EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 5:25 p.m.8 views

OneUptime WhatsApp Webhook Missing Signature Verification

Summary The WhatsApp POST webhook handler /notification/whatsapp/webhook processes incoming status update events without verifying the Meta/WhatsApp X-Hub-Signature-256 HMAC signature, allowing any unauthenticated attacker to send forged webhook payloads that manipulate notification delivery stat...

8.7CVSS6.1AI score0.00182EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 4:34 p.m.5 views

OneUptime ClickHouse vulnerable to SQL Injection via unvalidated column identifiers in sort, select, and groupBy parameters

The fix for GHSA-p5g2-jm85-8g35 ClickHouse SQL injection via aggregate query parameters added column name validation to the aggregateBy method but did not apply the same validation to three other query construction paths in StatementGenerator. The toSortStatement, toSelectStatement, and...

8.1CVSS5.9AI score0.00301EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 4:34 p.m.9 views

PinchTab has a Blind SSRF via browser-side redirect bypass in /download URL validation

The /download endpoint validates only the initial URL provided by the user using validateDownloadURL to prevent requests to internal or private network addresses. Exploitation requires \security.allowDownload=true, which is disabled by default. However, pages loaded by the embedded Chromium brows...

5.8CVSS5.7AI score0.00289EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 4:33 p.m.21 views

Stored XSS in PySpector HTML Report Generation leads to Javascript Code Execution

Summary PySpector versions = 0.1.6 are affected by a stored Cross-Site Scripting XSS vulnerability in the HTML report generator. When PySpector scans a Python file containing JavaScript payloads i.e. inside a string passed to eval , the flagged code snippet is interpolated into the HTML report...

6.1CVSS6AI score0.00217EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 4:33 p.m.6 views

PySpector has a Plugin Sandbox Bypass leads to Arbitrary Code Execution

Summary PySpector versions = 0.1.6 are affected by a security validation bypass in the plugin system. The validateplugincode function in pluginsystem.py, performs static AST analysis to block dangerous API calls before a plugin is trusted and executed. However, the internal resolvename helper onl...

8.3CVSS6.3AI score0.00169EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 4:18 p.m.9 views

h3 has a Path Traversal via Percent-Encoded Dot Segments in serveStatic Allows Arbitrary File Read

Summary serveStatic in h3 is vulnerable to path traversal via percent-encoded dot segments %2e%2e, allowing an unauthenticated attacker to read arbitrary files outside the intended static directory on Node.js deployments. Details The vulnerability exists in src/utils/static.ts at line 86:...

6.1AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 4:18 p.m.7 views

h3 has a middleware bypass with one gadget

H3 NodeRequestUrl bugs Vulnerable pieces of code : js import H3, serve, defineHandler, getQuery, getHeaders, readBody, defineNodeHandler from "h3"; let app = new H3 const internalOnly = defineHandlerevent, next = const token = event.headers.get"x-internal-key"; if token !==...

9.1CVSS5.9AI score0.00388EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 4:17 p.m.6 views

h3 has an observable timing discrepancy in basic auth utils

Summary A Timing Side-Channel vulnerability exists in the requireBasicAuth function due to the use of unsafe string comparison !==. This allows an attacker to deduce the valid password character-by-character by measuring the server's response time, effectively bypassing password complexity...

5.9CVSS6.1AI score0.00319EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 4:17 p.m.6 views

h3 has a Server-Sent Events Injection via Unsanitized Newlines in Event Stream Fields

Summary createEventStream in h3 is vulnerable to Server-Sent Events SSE injection due to missing newline sanitization in formatEventStreamMessage and formatEventStreamComment. An attacker who controls any part of an SSE message field id, event, data, or comment can inject arbitrary SSE events to...

10CVSS6AI score0.00486EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 4:17 p.m.5 views

pypdf has inefficient decoding of array-based streams

Impact An attacker who uses this vulnerability can craft a PDF which leads to long runtimes and/or large memory usage. This requires accessing an array-based stream with lots of entries. Patches This has been fixed in pypdf==6.9.1. Workarounds If you cannot upgrade yet, consider applying the...

6.5CVSS5.7AI score0.00349EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 4:17 p.m.8 views

The mailqueue TYPO3 extension has Insecure Deserialization in `TransportFailure` class

Description The extension fails to properly define allowed classes used when deserializing transport failure metadata. An attacker may exploit this to execute untrusted serialized code. Note that an active exploit requires write access to the directory configured at...

8.8CVSS5.9AI score0.00215EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 4:10 p.m.16 views

Cross-Site Scripting (XSS) via SVG Schema innerHTML Injection in @pdfme/schemas

Summary The SVG schema plugin in @pdfme/schemas renders user-supplied SVG content using container.innerHTML = value without any sanitization, enabling arbitrary JavaScript execution in the user's browser. Details In packages/schemas/src/graphics/svg.ts, line 87, the SVG schema's ui renderer assig...

6AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 4:10 p.m.18 views

Cross-Site Scripting (XSS) via Select Schema Option Value Injection in @pdfme/schemas

Summary The Select schema plugin in @pdfme/schemas constructs HTML from template-defined option values using unsanitized string interpolation and sets it via innerHTML, enabling arbitrary JavaScript execution. Details In packages/schemas/src/select/index.ts, lines 159-164, the Select schema's ui...

5.9AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 4:9 p.m.29 views

Capgo CLI: symlink-following local secret writes enable arbitrary file overwrite + world-readable credentials (0600 missing)

Summary The Capgo CLI writes sensitive local files .capgo API key file and build credentials JSON using unsafe file operations that follow symlinks and do not enforce safe permissions. This allows an attacker-controlled repository to cause arbitrary file overwrite on the developer’s machine when...

5.9AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 4:9 p.m.6 views

SiYuan has Stored XSS to RCE via Unsanitized Bazaar Package Metadata

Stored XSS to RCE via Unsanitized Bazaar Package Metadata Summary SiYuan's Bazaar community marketplace renders package metadata fields displayName, description using template literals without HTML escaping. A malicious package author can inject arbitrary HTML/JavaScript into these fields, which...

9CVSS6.5AI score0.00549EPSS
Exploits2References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 4:9 p.m.9 views

SiYuan has Stored XSS to RCE via Unsanitized Bazaar README Rendering

Stored XSS to RCE via Unsanitized Bazaar README Rendering Summary SiYuan's Bazaar community marketplace renders package README content without HTML sanitization. The backend renderREADME function uses lute.New without calling SetSanitizetrue, allowing raw HTML embedded in Markdown to pass through...

9CVSS6.2AI score0.00584EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 2:25 p.m.5 views

Frigte has broken access control viewer user can delete admin and other users account

Summary Users with the viewer role can delete admin and other users account. It this leads to denial of service and affects data integrity. Details Endpoint DELETE /api/users/admin is enable to anonymous user. PoC I deleted admin user on demo.frigate.video: Impact It this leads to denial of servi...

8.1CVSS5.8AI score0.00243EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 1:1 p.m.7 views

UltraJSON has an integer overflow handling large indent leads to buffer overflow or infinite loop

Summary ujson.dumps crashes the Python interpreter segmentation fault when the product of the indent parameter and the nested depth of the input exceeds INT32MAX. It can also get stuck in an infinite loop if the indent is a large negative number. Both are caused by an integer overflow/underflow...

7.5CVSS6AI score0.00469EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 1:1 p.m.10 views

UltraJSON has a Memory Leak parsing large integers allows DoS

Summary ujson 5.4.0 to 5.11.0 inclusive contain an accumulating memory leak in JSON parsing large outside of the range -2^63, 2^64 - 1 integers. Exploitability Any service that calls ujson.load/ujson.loads/ujson.decode on untrusted inputs is affected and vulnerable to denial of service attacks...

7.5CVSS5.8AI score0.00479EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 1:0 p.m.32 views

Heimdall: Path received via Envoy gRPC corrupted when containing query string

Summary When using heimdall in envoy gRPC decision API mode, wrong encoding of the query URL string allows rules with non-wildcard path expressions to be bypassed. The HTTP based decision API is NOT affected, and proxy mode is NOT affected either. Note: The issue can only lead to unintended acces...

8.2CVSS5.7AI score0.003EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 1:0 p.m.9 views

Denial of service in github.com/jackc/pgproto3/v2

The DataRow.Decode function fails to properly validate field lengths. A malicious or compromised PostgreSQL server can send a DataRow message with a negative field length, causing a slice bounds out of range panic...

7.5CVSS5.8AI score0.00494EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 1:0 p.m.6 views

github.com/buger/jsonparser has a denial of service vulnerability

The Delete function fails to properly validate offsets when processing malformed JSON input. This can lead to a negative slice index and a runtime panic, allowing a denial of service attack...

7.5CVSS5.9AI score0.0075EPSS
Exploits1References9Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 12:59 p.m.6 views

Denial of service in github.com/shamaton/msgpack

The msgpack decoder fails to properly validate the input buffer length when processing truncated fixext data format codes 0xd4-0xd8. This can lead to an out-of-bounds read and a runtime panic, allowing a denial of service attack...

7.5CVSS5.9AI score0.00405EPSS
Exploits1References6Affected Software2
Github Security Blog
Github Security Blog
added 2026/03/18 12:59 p.m.6 views

SSRF in @aborruso/ckan-mcp-server via base_url allows access to internal networks

Summary The @aborruso/ckan-mcp-server MCP server provides tools including ckanpackagesearch and sparqlquery that accept a baseurl parameter, making HTTP requests to arbitrary endpoints without restriction. A CKAN portal client has no legitimate reason to contact cloud metadata or internal network...

5.7CVSS5.9AI score0.00289EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 12:59 p.m.7 views

SQL Injection via unsanitized JSON path keys when ignoring/silencing compilation errors or using `Kysely<any>`.

Summary Kysely through 0.28.11 has a SQL injection vulnerability in JSON path compilation for MySQL and SQLite dialects. The visitJSONPathLeg function appends user-controlled values from .key and .at directly into single-quoted JSON path string literals '$.key' without escaping single quotes. An...

8.2CVSS6AI score0.00419EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 12:59 p.m.6 views

File Browser has an Authorization Policy Bypass in Public Share Download Flow

Summary A permission enforcement flaw allows users without download privileges download=false to still expose and retrieve file content via public share links when they retain share privileges share=true. This bypasses intended access control policy and enables unauthorized data exfiltration to...

6.5CVSS5.8AI score0.00424EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 12:59 p.m.11 views

Terraform Provider for ArgoCD has possible exposure to GO-2026-4337 / CVE-2025-68121

Summary The terraform-provider-argocd might have been vulnerable to GO-2026-4337 / CVE-2025-68121 "Unexpected session resumption in crypto/tls". Details See https://pkg.go.dev/vuln/GO-2026-4337 for the upstream vulnerability. Provider versions starting with v7.15.1 are using go 1.25.8 for buildin...

10CVSS5.8AI score0.00765EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 12:58 p.m.6 views

Langflow is Missing Ownership Verification in API Key Deletion (IDOR)

Detection Method: Kolega.dev Deep Code Scan | Attribute | Value | |---|---| | Location | src/backend/base/langflow/api/v1/apikey.py:44-53 | | Practical Exploitability | High | | Developer Approver | [email protected] | Description The deleteapikeyroute endpoint accepts an apikeyid path parameter a...

8.8CVSS5.9AI score0.0039EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 12:58 p.m.8 views

Craft CMS Vulnerable to Stored XSS in Revision Context Menu

The revision/draft context menu in the element editor renders the creator’s fullName as raw HTML due to the use of Template::raw combined with Craft::t string interpolation. A low-privileged control panel user e.g., Author can set their fullName to an XSS payload via the profile editor, then crea...

5.4CVSS5.8AI score0.00243EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 12:31 p.m.7 views

Yoast Duplicate Post has an Authenticated (Contributor+) Missing Authorization to Arbitrary Post Duplication and Overwrite

The Yoast Duplicate Post plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the clonebulkactionhandler and republishrequest functions in all versions up to, and including, 4.5. This makes it possible for authenticated attackers, with...

5.4CVSS5.7AI score0.00171EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 9:30 a.m.8 views

SQL Injection in Spring AI MariaDBFilterExpressionConverter

A critical SQL injection vulnerability in Spring AI's MariaDBFilterExpressionConverter allows attackers to bypass metadata-based access controls and execute arbitrary SQL commands. The vulnerability exists due to missing input sanitization...

8.8CVSS6.1AI score0.00522EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 9:30 a.m.14 views

JSONPath Injection in Spring AI Vector Stores FilterExpressionConverter

A JSONPath injection vulnerability in Spring AI's AbstractFilterExpressionConverter allows authenticated users to bypass metadata-based access controls through crafted filter expressions. User-controlled input passed to FilterExpressionBuilder is concatenated into JSONPath queries without proper...

8.6CVSS5.9AI score0.00521EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/18 6:31 a.m.7 views

Keycloak: Denial of Service due to excessive SAMLRequest decompression

A flaw was found in Keycloak. An unauthenticated remote attacker can trigger an application level Denial of Service DoS by sending a highly compressed SAMLRequest through the SAML Redirect Binding. The server fails to enforce size limits during DEFLATE decompression, leading to an OutOfMemoryErro...

5.3CVSS5.8AI score0.00502EPSS
Exploits0References8Affected Software3
Github Security Blog
Github Security Blog
added 2026/03/18 3:32 a.m.23 views

Duplicate Advisory: Keycloak: Unauthorized access via improper validation of encrypted SAML assertions

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-794g-x443-36f7. This link is maintained to preserve external references. Original Description A flaw was found in Keycloak. Keycloak's Security Assertion Markup Language SAML broker endpoint does not properly...

7.7CVSS5.9AI score0.00241EPSS
Exploits0References10Affected Software3
Github Security Blog
Github Security Blog
added 2026/03/18 3:32 a.m.8 views

Keycloak: Unauthorized authentication via disabled SAML Identity Provider

A flaw was found in Keycloak. A remote attacker could bypass security controls by sending a valid SAML response from an external Identity Provider IdP to the Keycloak SAML endpoint for IdP-initiated broker logins. This allows the attacker to complete broker logins even when the SAML Identity...

8.1CVSS5.8AI score0.00413EPSS
Exploits0References13Affected Software2
Github Security Blog
Github Security Blog
added 2026/03/17 9:31 p.m.7 views

Ray Dashboard is vulnerable to path traversal through its static file handling mechanism

A path traversal vulnerability was identified in Ray Dashboard default port 8265 in Ray versions prior to 2.8.1. Due to improper validation and sanitization of user-supplied paths in the static file handling mechanism, an attacker can use traversal sequences e.g., ../ to access files outside the...

8.7CVSS7.7AI score0.00929EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/17 8:34 p.m.7 views

Improper S3 ownership verification in Bedrock AgentCore Starter Toolkit

Summary An issue has been identified in the Bedrock AgentCore Starter Toolkit versions prior to v0.1.13 that may allow a remote actor to inject code during the build process, leading to code execution in the AgentCore Runtime. Impact A remote actor could inject code during the build process,...

7.5CVSS6.2AI score0.00242EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/17 8:33 p.m.6 views

AWS API MCP File Access Restriction Bypass

Description The AWS API MCP Server is an open source Model Context Protocol MCP server that enables AI assistants to interact with AWS services and resources through AWS CLI commands. It provides programmatic access to manage your AWS infrastructure while maintaining proper security controls. Thi...

6.8CVSS5.9AI score0.00131EPSS
Exploits0References6Affected Software2
Github Security Blog
Github Security Blog
added 2026/03/17 8:33 p.m.9 views

AVideo vulnerable to unauthenticated SSRF via HTTP redirect bypass in LiveLinks proxy

Summary The plugin/LiveLinks/proxy.php endpoint validates user-supplied URLs against internal/private networks using isSSRFSafeURL, but only checks the initial URL. When the initial URL responds with an HTTP redirect Location header, the redirect target is fetched via fakeBrowser without...

8.6CVSS5.9AI score0.00453EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/17 8:5 p.m.10 views

Unauthenticated Reflected XSS via innerHTML in AVideo

Summary AVideo contains a reflected XSS vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser. User input from a URL parameter flows through PHP's jsonencode into a JavaScript function that renders it via innerHTML, bypassing encoding and...

6.1CVSS6.1AI score0.00317EPSS
Exploits1References4Affected Software1
Total number of security vulnerabilities33225