Lucene search
K
GithubRecent

33225 matches found

Github Security Blog
Github Security Blog
added 2026/03/17 8:5 p.m.12 views

Unauthenticated Remote Code Execution in Langflow via Public Flow Build Endpoint

Summary The POST /api/v1/buildpublictmp/flowid/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data containing arbitrary Python code in node definitions instead of the stored flow...

9.8CVSS6.5AI score0.98191EPSS
Exploits20References12Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/17 8:4 p.m.7 views

music-metadata has an infinite loop vulnerability in ASF parser

Summary music-metadata's ASF parser parseExtensionObject in lib/asf/AsfParser.ts:112-158 enters an infinite loop when a sub-object inside the ASF Header Extension Object has objectSize = 0. Root Cause When objectSize is 0: 1. remaining = 0 - 24 = -24 2. tokenizer.ignore-24 moves the read position...

7.5CVSS5.8AI score0.00366EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/17 7:52 p.m.7 views

AVideo affected by Session Hijacking via Unauthenticated Session ID Disclosure with Permissive CORS

Summary /objects/phpsessionid.json.php exposes the current PHP session ID to any unauthenticated request. The allowOrigin function reflects any Origin header back in Access-Control-Allow-Origin with Access-Control-Allow-Credentials: true, enabling cross-origin session theft and full account...

8.1CVSS5.9AI score0.00345EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/17 7:50 p.m.8 views

Parse Server affected by empty authData bypassing credential requirement on signup

Impact A user can sign up without providing credentials by sending an empty authData object, bypassing the username and password requirement. This allows the creation of authenticated sessions without proper credentials, even when anonymous users are disabled. Patches The fix ensures that empty o...

6.9CVSS5.8AI score0.00294EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/17 7:49 p.m.8 views

astral-tokio-tar insufficiently validates PAX extensions during extraction

Impact In versions 0.5.6 and earlier of astral-tokio-tar, malformed PAX extensions were silently skipped when parsing tar archives. This silent skipping rather than rejection of invalid PAX extensions could be used as a building block for a parser differential, for example by having...

6.3CVSS5.8AI score0.00249EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/17 7:48 p.m.10 views

AVideo has an Unauthenticated Password Hash Oracle via encryptPass.json.php

Summary /objects/encryptPass.json.php exposes the application's password hashing algorithm to any unauthenticated user. An attacker can submit arbitrary passwords and receive their hashed equivalents, enabling offline password cracking against leaked database hashes. Details File:...

5.3CVSS5.9AI score0.00327EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/17 7:46 p.m.8 views

AVideo affected by unauthenticated application takeover via exposed web installer on uninitialized deployments

Summary The install/checkConfiguration.php endpoint performs full application initialization — database setup, admin account creation, and configuration file write — from unauthenticated POST input. The only guard is checking whether videos/configuration.php already exists. On uninitialized...

8.1CVSS6.3AI score0.00489EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/17 7:46 p.m.5 views

Tekton Pipelines controller panic via long resolver name in TaskRun/PipelineRun

Summary A user with permission to create or update a TaskRun or PipelineRun can crash the Tekton Pipelines controller by setting .spec.taskRef.resolver or .spec.pipelineRef.resolver to a string of 31 characters or more, causing a denial of service for all reconciliation. Details The controller...

6.5CVSS5.9AI score0.00368EPSS
Exploits0References9Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/17 7:45 p.m.15 views

fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278)

Summary The fix for CVE-2026-26278 added entity expansion limits maxTotalExpansions, maxExpandedLength, maxEntityCount, maxEntitySize to prevent XML entity expansion Denial of Service. However, these limits are only enforced for DOCTYPE-defined entities. Numeric character references &NNN; and &xH...

7.5CVSS6AI score0.00811EPSS
Exploits2References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/17 7:42 p.m.7 views

Tillitis TKey Client has an Error in Protocol Implementation

Impact Some specific 1 out of 256 User Supplied Secrets USS were not used, making the resulting Compound Device Identifier CDI the same as if no USS was provided. Affected client applications: all client apps using the tkeyclient Go module. Patches Upgrade to v1.3.0. NOTE WELL: For the affected e...

4.7CVSS6AI score0.00246EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/17 6:39 p.m.10 views

Micronaut Framework vulnerable to a Denial of Service in HTML error response caching

DefaultHtmlErrorResponseBodyProvider in io.micronaut:micronaut-http-server since 4.7.0 and until 4.10.7 used an unbounded ConcurrentHashMap cache with no eviction policy. If the application throws an exception whose message may be influenced by an attacker, for example, including request query...

7.5CVSS5.8AI score0.00561EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/17 6:38 p.m.8 views

Nest Fastify HEAD Request Middleware Bypass

Impact In a NestJS application using @nestjs/platform-fastify, GET middleware can be bypassed because Fastify automatically redirects HEAD requests to the corresponding GET handlers if they exist. As a result: - Middleware will be completely skipped. - The HTTP response won't include a body since...

8.7CVSS5.8AI score0.00346EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/17 6:38 p.m.7 views

Egress Policy Bypass via DNS over HTTPS (DoH) in Harden-Runner (Community Tier)

Summary A vulnerability exists in the Community Tier of Harden-Runner that allows bypassing the egress-policy: block network restriction using DNS over HTTPS DoH. Harden-Runner secures GitHub Actions workflows on runners by applying network policies, including an allowed-endpoints configuration...

4.9CVSS6.2AI score0.00305EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/17 6:37 p.m.8 views

Egress Policy Bypass via DNS over TCP in Harden-Runner (Community Tier)

Summary A vulnerability exists in the Community Tier of Harden-Runner that allows bypassing the egress-policy: block network restriction using DNS queries over TCP. Harden-Runner enforces egress policies on GitHub runners by filtering outbound connections at the network layer. When egress-policy:...

4.6CVSS6.2AI score0.00253EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/17 6:37 p.m.13 views

Parse Server LiveQuery subscription with invalid regular expression crashes server

Impact A remote attacker can crash the Parse Server by subscribing to a LiveQuery with an invalid regular expression pattern. The server process terminates when the invalid pattern reaches the regex engine during subscription matching, causing denial of service for all connected clients. Patches...

7.5CVSS5.9AI score0.0055EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/17 6:37 p.m.7 views

Parse Server session creation endpoint allows overwriting server-generated session fields

Impact An authenticated user can overwrite server-generated session fields sessionToken, expiresAt, createdWith when creating a session object via POST /classes/Session. This allows bypassing the server's session expiration policy by setting an arbitrary far-future expiration date. It also allows...

4.3CVSS5.9AI score0.00306EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/17 6:37 p.m.11 views

Parse Server vulnerable to schema poisoning via prototype pollution in deep copy

Impact An attacker can bypass the default request keyword denylist protection and the class-level permission for adding fields by sending a crafted request that exploits prototype pollution in the deep copy mechanism. This allows injecting fields into class schemas that have field addition locked...

7.5CVSS5.7AI score0.00345EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/17 5:58 p.m.8 views

Parse Server's Cloud function dispatch crashes server via prototype chain traversal

Impact Remote clients can crash the Parse Server process by calling a cloud function endpoint with a crafted function name that traverses the JavaScript prototype chain of a registered cloud function handler, causing a stack overflow. Patches The fix restricts property lookups during cloud functi...

8.2CVSS5.8AI score0.00512EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/17 5:48 p.m.14 views

Sliver Vulnerable to Authenticated OOM via Memory Exhaustion in mTLS/WireGuard Transports

Summary A Remote OOM Out-of-Memory vulnerability exists in the Sliver C2 server's mTLS and WireGuard C2 transport layer. The socketReadEnvelope and socketWGReadEnvelope functions trust an attacker-controlled 4-byte length prefix to allocate memory, with ServerMaxMessageSize allowing single...

7.1CVSS6AI score0.00298EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/17 5:40 p.m.20 views

Parse Server has a password reset token single-use bypass via concurrent requests

Impact The password reset mechanism does not enforce single-use guarantees for reset tokens. When a user requests a password reset, the generated token can be consumed by multiple concurrent requests within a short time window. An attacker who has intercepted a password reset token can race the...

3.1CVSS5.8AI score0.00207EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/17 5:35 p.m.8 views

Parse Server crash via deeply nested query condition operators

Impact An unauthenticated attacker can crash the Parse Server process by sending a single request with deeply nested query condition operators. This terminates the server and denies service to all connected clients. Patches A depth limit for query condition operator nesting has been added via the...

8.7CVSS5.7AI score0.00483EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/17 5:24 p.m.8 views

Devise has a confirmable "change email" race condition permits user to confirm email they have no access to

Impact A race condition in Devise's Confirmable module allows an attacker to confirm an email address they do not own. This affects any Devise application using the reconfirmable option the default when using Confirmable with email changes. By sending two concurrent email change requests, an...

6CVSS5.8AI score0.00275EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/17 5:12 p.m.7 views

ImageMagick has a heap-buffer-overflow in NewXMLTree which could result in crash

The NewXMLTree method contains a bug that could result in a crash due to an out of write bounds of a single zero byte...

7.5CVSS5.8AI score0.00475EPSS
Exploits0References5Affected Software19
Github Security Blog
Github Security Blog
added 2026/03/17 5:12 p.m.9 views

Kube-router Proxy Module Blindly Trusts ExternalIPs/LoadBalancer IPs Enabling Cluster-Wide Traffic Hijacking and DNS DoS

kube-router Proxy Module Does Not Validate ExternalIPs or LoadBalancer IPs Against Configured Ranges Summary This issue primarily affects multi-tenant clusters where untrusted users are granted namespace-scoped permissions to create or modify Services. Single-tenant clusters or clusters where all...

7.1CVSS5.9AI score0.00297EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/17 5:7 p.m.16 views

jsPDF has HTML Injection in New Window paths

Impact User control of the options argument of the output function allows attackers to inject arbitrary HTML such as scripts into the browser context the created PDF is opened in. The affected overloads and options are: "pdfobjectnewwindow": the pdfObjectUrl option and the entire options object,...

9.6CVSS5.8AI score0.00264EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/17 5:7 p.m.13 views

jsPDF has a PDF Object Injection via FreeText color

Impact User control of arguments of the createAnnotation method allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to the following method, a user can inject arbitrary PDF objects, such as JavaScript actions, which might...

8.1CVSS5.8AI score0.00356EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/17 5:7 p.m.6 views

Cockpit CMS has SQL Injection in MongoLite Aggregation Optimizer via toJsonExtractRaw()

Impact This is a SQL Injection vulnerability in the MongoLite Aggregation Optimizer. Any Cockpit CMS instance running version 2.13.4 or earlier with API access enabled is potentially affected. Who is impacted: - Any deployment where the /api/content/aggregate/model endpoint is publicly accessible...

7.7CVSS6AI score0.00397EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/17 4:59 p.m.6 views

Micronaut vulnerable to DoS via crafted form-urlencoded body binding with descending array indices

In JsonBeanPropertyBinder::expandArrayToThreshold in io.micronaut:micronaut-json-core before Micronaut 4 4.10.16 and in Micronaut 3 before 3.10.5 does not correctly handle descending array index order during form-urlencoded body binding, which allows remote attackers to cause a denial of service...

8.2CVSS5.8AI score0.00595EPSS
Exploits1References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/17 4:17 p.m.13 views

Elysia Cookie Value Prototype Pollution

Impact Elysia cookie can be overridden by prototype pollution , eg. proto Sending cookie with the follows name can override cookie value: bash proto=%7B%22injected%22%3A%22polluted%22%7D Patches Patched by 1.4.27 Workarounds 1. Use t.Cookie validation to enforce validation value 2. Prevent iterab...

6.5CVSS5.8AI score0.00232EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/17 4:17 p.m.6 views

Denial of Service in pyasn1 via Unbounded Recursion

Summary The pyasn1 library is vulnerable to a Denial of Service DoS attack caused by uncontrolled recursion when decoding ASN.1 data with deeply nested structures. An attacker can supply a crafted payload containing nested SEQUENCE 0x30 or SET 0x31 tags with Indefinite Length 0x80 markers. This...

7.5CVSS7.1AI score0.0058EPSS
Exploits1References8Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/17 4:17 p.m.8 views

Next.js: HTTP request smuggling in rewrites

Summary When Next.js rewrites proxy traffic to an external backend, a crafted DELETE/OPTIONS request using Transfer-Encoding: chunked could trigger request boundary disagreement between the proxy and backend. This could allow request smuggling through rewritten routes. Impact An attacker could...

6.5CVSS5.9AI score0.00427EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/17 4:17 p.m.9 views

Next.js: Unbounded next/image disk cache growth can exhaust storage

Summary The default Next.js image optimization disk cache /next/image did not have a configurable upper bound, allowing unbounded cache growth. Impact An attacker could generate many unique image-optimization variants and exhaust disk space, causing denial of service. Note that this does not impa...

7.5CVSS5.8AI score0.00683EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/17 4:16 p.m.11 views

Next.js: Unbounded postponed resume buffering can lead to DoS

Summary A request containing the next-resume: 1 header corresponding with a PPR resume request would buffer request bodies without consistently enforcing maxPostponedStateSize in certain setups. The previous mitigation protected minimal-mode deployments, but equivalent non-minimal deployments...

7.5CVSS5.9AI score0.00483EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/17 4:0 p.m.8 views

Investing in the people shaping open source and securing the future together

Open source has always been about community. It's about maintainers who review pull requests late at night. Volunteers who respond to security reports from strangers. And communities that quietly power the world's software. The reality behind the commits is that maintainers get stretched thin. Th...

5.8AI score
Exploits0
Github Security Blog
Github Security Blog
added 2026/03/17 3:36 p.m.11 views

Katello: Denial of Service and potential information disclosure via SQL injection

A flaw was found in the Katello plugin for Red Hat Satellite. This vulnerability, caused by improper sanitization of user-provided input, allows a remote attacker to inject arbitrary SQL commands into the sortby parameter of the /api/hosts/bootcimages API endpoint. This can lead to a Denial of...

5.4CVSS6AI score0.00262EPSS
Exploits0References8Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/17 3:30 p.m.8 views

Next.js: null origin can bypass Server Actions CSRF checks

Summary origin: null was treated as a "missing" origin during Server Action CSRF validation. As a result, requests from opaque contexts such as sandboxed iframes could bypass origin verification instead of being validated as cross-origin requests. Impact An attacker could induce a victim browser ...

5.3CVSS5.8AI score0.002EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/17 3:29 p.m.9 views

Next.js: null origin can bypass dev HMR websocket CSRF checks

Summary In next dev, cross-site protections for internal development endpoints could treat Origin: null as a bypass case even when allowedDevOrigins is configured. This could allow privacy-sensitive or opaque browser contexts, such as sandboxed documents, to access privileged internal dev-server...

5.4CVSS5.8AI score0.00171EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/17 2:8 p.m.10 views

SiYuan has a SanitizeSVG bypass via data:text/xml in getDynamicIcon (incomplete fix for CVE-2026-29183)

SanitizeSVG bypass via data:text/xml in getDynamicIcon incomplete fix for CVE-2026-29183 SanitizeSVG blocks data:text/html and data:image/svg+xml in href attributes but misses data:text/xml and data:application/xml. Both render SVG with onload JavaScript execution confirmed in Chromium 136, other...

9.3CVSS6AI score0.00625EPSS
Exploits2References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/17 2:7 p.m.53 views

SiYuan Vulnerable to Arbitrary File Read in Desktop Publish Service

Summary In SiYuan, /api/lute/html2BlockDOM on the desktop copies local files pointed to by file:// links in pasted HTML into the workspace assets directory without validating paths against a sensitive-path list. Together with GET /assets/path, which only requires authentication, a publish-service...

9.9CVSS5.8AI score0.00414EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/17 2:7 p.m.11 views

Uncontrolled recursion DoS in JustHTML() via deeply nested HTML

Summary justhtml through 1.9.1 allows denial of service via deeply nested HTML. During parsing, JustHTML.init always reaches TreeBuilder.finish, which unconditionally calls populateselectedcontent. That function recursively traverses the DOM via findelements / findelement without a depth bound,...

5.8AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/17 12:30 p.m.6 views

Apache Airflow: Execution API HITL Endpoints Missing Per-Task Authorization

Apache Airflow versions 3.1.0 through 3.1.7 missing authorization vulnerability in the Execution API's Human-in-the-Loop HITL endpoints that allows any authenticated task instance to read, approve, or reject HITL workflows belonging to any other task instance. Users are recommended to upgrade to...

8.1CVSS5.8AI score0.00409EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/17 12:30 p.m.10 views

Apache Airflow: DAG authorization bypass

Apache Airflow versions 3.1.0 through 3.1.7 /ui/dependencies endpoint returns the full DAG dependency graph without filtering by authorized DAG IDs. This allows an authenticated user with only DAG Dependencies permission to enumerate DAGs they are not authorized to view. Users are recommended to...

4.3CVSS5.7AI score0.0044EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/17 12:30 p.m.11 views

Apache Airflow: Path of session token in cookie does not consider base_url - session hijacking via co-hosted applications

Apache Airflow versions 3.1.0 through 3.1.7 session token token in cookies is set to path=/ regardless of the configured webserver baseurl or api baseurl. This allows any application co-hosted under the same domain to capture valid Airflow session tokens from HTTP request headers, allowing full...

7.5CVSS5.8AI score0.00677EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/17 12:30 p.m.12 views

Apache Airflow: Wildcard DagVersion Listing Bypasses Per‑DAG RBAC and Leaks Metadata

Apache Airflow versions 3.0.0 through 3.1.7 FastAPI DagVersion listing API does not apply per-DAG authorization filtering when the request is made with dagid set to "" wildcard for all DAGs. As a result, version metadata of DAGs that the requester is not authorized to access is returned. Users ar...

6.5CVSS5.7AI score0.00406EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/17 9:31 a.m.6 views

Broken Access Control in extension "Redirect Tab" (redirect_tab)

The extension fails to verify, if an authenticated user has permissions to access to redirects resulting in exposure of redirect records when editing a page...

4.3CVSS5.8AI score0.00162EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/17 9:31 a.m.7 views

Authentication Bypass in extension "E-Mail MFA Provider" (mfa_email)

The extension fails to properly reset the generated MFA code after successful authentication. This leads to a possible MFA bypass for future login attempts by providing an empty string as MFA code to the extensions MFA provider...

8.8CVSS5.8AI score0.00256EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/17 6:31 a.m.4 views

sjcl is missing point-on-curve validation in sjcl.ecc.basicKey.publicKey

All versions of the package sjcl are vulnerable to Improper Verification of Cryptographic Signature due to missing point-on-curve validation in sjcl.ecc.basicKey.publicKey. An attacker can recover a victim's ECDH private key by sending crafted off-curve public keys and observing ECDH outputs. The...

8.7CVSS5.8AI score0.00246EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/16 9:34 p.m.13 views

Mattermost fails to verify run_create permission for empty playbookId

Mattermost versions 11.3.x = 11.3.0, 11.2.x = 11.2.2 fail to verify runcreate permission for empty playbookId, which allows team members to create unauthorized runs via the playbook run API. Mattermost Advisory ID: MMSA-2025-00542...

4.3CVSS5.8AI score0.00159EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/16 9:19 p.m.13 views

Admidio has a Second-Order SQL Injection via List Configuration (lsc_special_field, lsc_sort, lsc_filter)

Summary The MyList configuration feature in Admidio allows authenticated users to define custom list column layouts. User-supplied column names, sort directions, and filter conditions are stored in the admlistcolumns table via prepared statements safe storage, but are later read back and...

8CVSS6.1AI score0.00279EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/16 9:18 p.m.9 views

Admidio is Missing Authorization on Forum Topic and Post Deletion

Summary The forum module in Admidio does not verify whether the current user has permission to delete forum topics or posts. Both the topicdelete and postdelete actions in forum.php only validate the CSRF token but perform no authorization check before calling delete. Any authenticated user with...

6.5CVSS5.9AI score0.00226EPSS
Exploits1References4Affected Software1
Total number of security vulnerabilities33225