Lucene search
K
GithubRecent

33225 matches found

Github Security Blog
Github Security Blog
added 2026/03/11 12:13 a.m.5 views

Sylius Vulnerable to Authenticated Stored XSS

Impact An authenticated stored cross-site scripting XSS vulnerability exists in multiple places across the shop frontend and admin panel due to unsanitized entity names being rendered as raw HTML. Shop breadcrumbs shared/breadcrumbs.html.twig: The breadcrumbs macro uses the Twig |raw filter on...

4.8CVSS5.9AI score0.00142EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/11 12:13 a.m.6 views

Sylius has a XSS vulnerability in checkout login form

Impact A cross-site scripting XSS vulnerability exists in the shop checkout login form handled by the ApiLoginController Stimulus controller. When a login attempt fails, AuthenticationFailureHandler returns a JSON response whose message field is rendered into the DOM using innerHTML, allowing any...

6.1CVSS5.9AI score0.00179EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/11 12:12 a.m.6 views

Sylius is Missing Authorization in API v2 Add Item Endpoint

Impact The POST /api/v2/shop/orders/tokenValue/items endpoint does not verify cart ownership. An unauthenticated attacker can add items to other registered customers' carts by knowing the cart tokenValue. POST /api/v2/shop/orders/tokenValue/items Other mutation endpoints PUT, PATCH, DELETE are no...

6.9CVSS6AI score0.00182EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/11 12:12 a.m.8 views

Sylius affected by IDOR in Cart and Checkout LiveComponents

Impact An authenticated Insecure Direct Object Reference IDOR vulnerability exists in multiple shop LiveComponents due to unvalidated resource IDs accepted via LiveArg parameters. Unlike props, which are protected by LiveComponent's @checksum, args are fully user-controlled - any action that...

7.1CVSS5.9AI score0.0029EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/11 12:12 a.m.36 views

Sylius has an Open Redirect via Referer Header

Impact CurrencySwitchController::switchAction, ImpersonateUserController::impersonateAction and StorageBasedLocaleSwitcher::handle use the HTTP Referer header directly when redirecting. The attack requires the victim to click a legitimate application link placed on an attacker-controlled page. Th...

6.9CVSS5.6AI score0.00172EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/11 12:11 a.m.7 views

Wisp Vulnerable to Path Traversal

Summary wisp.servestatic is vulnerable to arbitrary file read via percent-encoded path traversal %2e%2e. The directory traversal sanitization runs before percent-decoding, allowing encoded .. sequences to bypass the filter. An unauthenticated attacker can read any file readable by the application...

8.7CVSS5.9AI score0.01056EPSS
Exploits1References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/11 12:11 a.m.15 views

django-unicorn affected by component state manipulation via unvalidated attribute access

Summary Component state manipulation is possible in django-unicorn due to missing access control checks during property updates and method calls. An attacker can bypass the intended ispublic protection to modify internal attributes such as templatename or trigger protected methods. Vulnerability...

5.3CVSS5.8AI score0.0021EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/11 12:9 a.m.7 views

OliveTin's unsafe parsing of UniqueTrackingId can be used to write files

When the saveLogs feature is enabled, OliveTin persists execution log entries to disk. The filename used for these log files is constructed in part from the user-supplied UniqueTrackingId field in the StartAction API request. This value is not validated or sanitized before being used in a file...

8.5CVSS6.3AI score0.00712EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/11 12:9 a.m.6 views

Quinn affected by unauthenticated remote DoS via panic in QUIC transport parameter parsing

Summary A remote, unauthenticated attacker can trigger a denial of service in applications using vulnerable quinn versions by sending a crafted QUIC Initial packet containing malformed quictransportparameters. In quinn-proto parsing logic, attacker-controlled varints are decoded with unwrap, so...

8.7CVSS5.8AI score0.005EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/10 11:57 p.m.7 views

SiYuan has a SVG Sanitizer Bypass via Whitespace in `javascript:` URI — Unauthenticated XSS

SVG Sanitizer Bypass via Whitespace in javascript: URI — Unauthenticated XSS Summary SiYuan's SVG sanitizer SanitizeSVG checks href attributes for the javascript: prefix using strings.HasPrefix. However, inserting ASCII tab , newline , or carriage return characters inside the javascript: string...

6.4CVSS5.8AI score0.00505EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/10 11:57 p.m.11 views

@siteboon/claude-code-ui is Vulnerable to Shell Command Injection in Git Routes

Shell Command Injection in User Git Config Endpoint | Field | Value | |-------|-------| | Severity | High | | CVSS 3.1 | 8.8 High — when chained with VULN-01 | | CWE | CWE-78: Improper Neutralization of Special Elements used in an OS Command 'OS Command Injection' | | Attack Vector | Network | |...

8.8CVSS6.1AI score0.06034EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/10 11:57 p.m.25 views

file-type affected by infinite loop in ASF parser on malformed input with zero-size sub-header

Impact A denial of service vulnerability exists in the ASF WMV/WMA file type detection parser. When parsing a crafted input where an ASF sub-header has a size field of zero, the parser enters an infinite loop. The payload value becomes negative -24, causing tokenizer.ignorepayload to move the rea...

5.3CVSS5.8AI score0.00325EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/10 11:49 p.m.5 views

SiYuan has a SVG Sanitizer Bypass via `<animate>` Element — Unauthenticated XSS

SVG Sanitizer Bypass via Element — Unauthenticated XSS Summary SiYuan's SVG sanitizer SanitizeSVG blocks dangerous elements , , and removes on event handlers and javascript: in href attributes. However, it does NOT block SVG animation elements , which can dynamically set attributes to dangerous...

6.4CVSS5.8AI score0.00445EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/10 11:44 p.m.5 views

node-tar Symlink Path Traversal via Drive-Relative Linkpath

Summary tar npm can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd during normal tar.x extraction. Details The extraction logic in...

8.2CVSS5.9AI score0.00253EPSS
Exploits4References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/10 11:44 p.m.11 views

zot’s create-only policy allows overwrite attempts of existing latest tag (update permission not required)

zot’s dist-spec authorization middleware infers the required action for PUT /v2/name/manifests/reference as create by default, and only switches to update when the tag already exists and reference != "latest". as a result, when latest already exists, a user who is allowed to create but not allowe...

7.7CVSS5.8AI score0.00212EPSS
Exploits1References4Affected Software2
Github Security Blog
Github Security Blog
added 2026/03/10 9:32 p.m.5 views

pdfmake is vulnerable to server-side request forgery (SSRF)

Server-Side Request Forgery SSRF vulnerability in pdfmake versions 0.3.0-beta.2 through 0.3.5 allows a remote attacker to obtain sensitive information via the src/URLResolver.js component. The fix was released in version 0.3.6 which introduces the setUrlAccessPolicy method allowing server operato...

7.5CVSS5.8AI score0.00481EPSS
Exploits2References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/10 9:5 p.m.5 views

ImageMagick is vulnerable to heap buffer over-write on 32-bit systems in SFW decoder

An overflow on 32-bit systems can cause a crash in the SFW decoder when processing extremely large images...

5.7CVSS5.8AI score0.00093EPSS
Exploits0References4Affected Software19
Github Security Blog
Github Security Blog
added 2026/03/10 9:5 p.m.4 views

ImageMagick is vulnerable to Heap Overflow when writing extremely large image profile in the PNG encoder

An extremely large image profile could result in a heap overflow when encoding a PNG image...

7.8CVSS5.8AI score0.00123EPSS
Exploits0References4Affected Software19
Github Security Blog
Github Security Blog
added 2026/03/10 9:4 p.m.8 views

Elysia has a string URL format ReDoS

Impact t.String format: 'url' is vulnerable to redos Repeating a partial url format protocol and hostname multiple times cause regex to slow down significantly js 'http://a'.repeatn Here's a table demonstrating how long it takes to process repeated partial url format | n repeat | elapsedms | | --...

7.5CVSS5.8AI score0.00494EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/10 9:3 p.m.9 views

Feathers has a NoSQL Injection via WebSocket id Parameter in MongoDB Adapter

Socket.IO clients can send arbitrary JavaScript objects as the id argument to any service method get, patch, update, remove. The transport layer performs no type checking on this argument. When the service uses the MongoDB adapter, these objects pass through getObjectId and land directly in the...

9.8CVSS5.9AI score0.00461EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/10 9:3 p.m.8 views

Feathers has an OAuth Callback Account Takeover issue

An unauthenticated attacker can send a crafted GET request directly to /oauth/:provider/callback with a forged profile in the query string. The OAuth service's authentication payload has a fallback chain that reaches params.query the raw request query when Grant's session/state responses are empt...

9.8CVSS5.8AI score0.00519EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/10 9:2 p.m.8 views

ImageMagick has a heap buffer over-read via 32-bit integer overflow in MAT decoder

In MAT decoder uses 32-bit arithmetic due to incorrect parenthesization resulting in a heap over-read. ================================================================= ==969652==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x506000003b40 at pc 0x555557b2a926 bp 0x7fffffff4c80 sp...

4.8CVSS5.8AI score0.00258EPSS
Exploits0References4Affected Software19
Github Security Blog
Github Security Blog
added 2026/03/10 9:2 p.m.5 views

ImageMagick has a Path Policy TOCTOU symlink race bypass

domain="path" authorization is checked before final file open/use. A symlink swap between check-time and use-time bypasses policy-denied read/write...

6.3CVSS5.8AI score0.00108EPSS
Exploits0References4Affected Software19
Github Security Blog
Github Security Blog
added 2026/03/10 6:56 p.m.20 views

MCP Atlassian has an arbitrary file write leading to arbitrary code execution via unconstrained download_path in confluence_download_attachment

Summary The confluencedownloadattachment MCP tool accepts a downloadpath parameter that is written to without any directory boundary enforcement. An attacker who can call this tool and supply or access a Confluence attachment with malicious content can write arbitrary content to any path the serv...

9CVSS6.3AI score0.0226EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/10 6:48 p.m.6 views

MCP Atlassian has SSRF via unvalidated X-Atlassian-Jira-Url / X-Atlassian-Confluence-Url headers

Summary An unauthenticated attacker who can reach the mcp-atlassian HTTP endpoint can force the server process to make outbound HTTP requests to an arbitrary attacker-controlled URL by supplying two custom HTTP headers without an Authorization header. No authentication is required. The...

8.2CVSS6.1AI score0.14958EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/10 6:38 p.m.22 views

simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE

Summary The blockUnsafeOperationsPlugin in simple-git fails to block git protocol override arguments when the config key is passed in uppercase or mixed case. An attacker who controls arguments passed to git operations can enable the ext:: protocol by passing -c PROTOCOL.ALLOW=always, which...

9.8CVSS7.5AI score0.01296EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/10 6:31 p.m.95 views

Envoy's global rate limit may crash when the response phase limit is enabled and the response phase request is failed directly

Summary At the rate limit filter, if we enabled the response phase limit with applyonstreamdone in the rate limit configuration and the response phase limit request fails directly, it may crash Envoy. Details When both the request phase limit and response phase limit are enabled, the safe gRPC...

7.5CVSS5.8AI score0.00315EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/10 6:31 p.m.8 views

Envoy: HTTP - filter chain execution on reset streams causing UAF crash

Note: This vulnerability was originally reported to the Google OSS VRP Issue ID: 477542544. The Google Security Team requested that I coordinate directly with the Envoy maintainers for triage and remediation. I am submitting this report here to facilitate that process. Technical Details I have...

5.9CVSS6.2AI score0.00337EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/10 6:31 p.m.6 views

Vaadin: Specially crafted ZIP archives can escape the intended extraction directory

Specially crafted ZIP archives can escape the intended extraction directory during Node.js download and extraction in Vaadin 14.2.0 through 14.14.0, 23.0.0 through 23.6.6, 24.0.0 through 24.9.8, and 25.0.0 through 25.0.2. Vaadin’s build process can automatically download and extract Node.js if it...

6.8CVSS5.8AI score0.00342EPSS
Exploits0References8Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/10 6:31 p.m.7 views

Duplicate Advisory: .NET Denial of Service Vulnerability

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-4vgm-c2wm-63mw. This link is maintained to preserve external references. Original Description Allocation of resources without limits or throttling in ASP.NET Core allows an unauthorized attacker to deny service...

7.5CVSS5.7AI score0.02818EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/10 6:31 p.m.7 views

Vaadin Vulnerable to Authentication Bypass When Accessing the /VAADIN Endpoint Without a Trailing Slash

An authentication bypass vulnerability exists in Vaadin 14.0.0 through 14.14.0, 23.0.0 through 23.6.6, 24.0.0 through 24.9.7 and 25.0.0 through 25.0.1, applications using Spring Security due to inconsistent path pattern matching of reserved framework paths. Accessing the /VAADIN endpoint without ...

5.3CVSS5.8AI score0.00391EPSS
Exploits0References9Affected Software2
Github Security Blog
Github Security Blog
added 2026/03/10 6:31 p.m.4 views

Duplicate Advisory: .NET Denial of Service Vulnerability

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-73j8-2gch-69rq. This link is maintained to preserve external references. Original Description Out-of-bounds read in .NET allows an unauthorized attacker to deny service over a network...

7.5CVSS5.7AI score0.02049EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/10 6:31 p.m.10 views

Azure MCP Server has Server-Side Request Forgery issue that allows authorized attacker to elevate privileges over a network

Server-Side Request Forgery SSRF in Azure MCP Server allows an authorized attacker to elevate privileges over a network...

8.8CVSS5.8AI score0.00959EPSS
Exploits0References6Affected Software3
Github Security Blog
Github Security Blog
added 2026/03/10 6:31 p.m.10 views

Duplicate Advisory: Microsoft Security Advisory CVE-2026-26131 – .NET Elevation of Privilege Vulnerability

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-crjq-wm6x-6qx7. This link is maintained to preserve external references. Original Description Incorrect default permissions in .NET allows an authorized attacker to elevate privileges locally...

7.8CVSS5.7AI score0.00359EPSS
Exploits0References3Affected Software6
Github Security Blog
Github Security Blog
added 2026/03/10 6:31 p.m.7 views

Apache PDFBox has Path Traversal through PDComplexFileSpecification.getFilename() function

This issue affects the ExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.35, from 3.0.0 through 3.0.6. The ExtractEmbeddedFiles example contains a path traversal vulnerability CWE-22 because the filename that is obtained from PDComplexFileSpecification.getFilename is appended...

5.3CVSS5.8AI score0.00886EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/10 6:31 p.m.7 views

LimeSurvey is vulnerable to SQL injection

SQL Injection vulnerability in LimeSurvey before v.6.15.4+250710 allows a remote attacker to obtain sensitive information from the database...

7.5CVSS5.9AI score0.00468EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/10 6:30 p.m.6 views

Envoy affected by off-by-one write in JsonEscaper::escapeString()

Summary An off-by-one write in Envoy::JsonEscaper::escapeString can corrupt std::string null-termination, causing undefined behavior and potentially leading to crashes or out-of-bounds reads when the resulting string is later treated as a C-string. Details The bug is in the control-character...

5.3CVSS5.6AI score0.00365EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/10 6:30 p.m.9 views

Envoy has RBAC Header Validation Bypass via Multi-Value Header Concatenation

Summary The Envoy RBAC Role-Based Access Control filter contains a logic vulnerability in how it validates HTTP headers when multiple values are present for the same header name. Instead of validating each header value individually, Envoy concatenates all values into a single comma-separated...

8.2CVSS5.8AI score0.00293EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/10 6:25 p.m.6 views

Parse Server: SQL injection via dot-notation field name in PostgreSQL

Impact An attacker can use a dot-notation field name in combination with the sort query parameter to inject SQL into the PostgreSQL database through an improper escaping of sub-field values in dot-notation queries. The vulnerability may also affect queries that use dot-notation field names with t...

9.8CVSS5.8AI score0.00408EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/10 6:24 p.m.9 views

Craft Commerce: Potential IDOR in Commerce carts

An Insecure Direct Object Reference IDOR vulnerability exists in Craft Commerce’s cart functionality that allows users to hijack any shopping cart by knowing or guessing its 32-character number. This vulnerability enables the takeover of shopping sessions and potential exposure of PII...

6.3CVSS5.8AI score0.00284EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/10 6:24 p.m.7 views

Craft Commerce has stored XSS in Craft Commerce Order Details Slideout

Summary A Stored Cross-Site Scripting XSS vulnerability exists in the Craft Commerce Order details. Malicious JavaScript can be injected via the Shipping Method Name, Order Reference, or Site Name. When a user opens the order details slideout via a double-click on the order index page, the inject...

5.4CVSS5.8AI score0.00211EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/10 6:23 p.m.4 views

Craft Commerce has stored XSS in Inventory Location Name

Summary A stored XSS vulnerability exists in the Commerce Settings - Inventory Locations page. The Name field is rendered without proper HTML escaping, allowing an attacker to execute arbitrary JavaScript. This XSS triggers when an administrator or user with product editing permissions creates or...

4.8CVSS6AI score0.00234EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/10 6:23 p.m.8 views

Craft Commerce has multiple Stored XSS in Commerce Inventory Page, Leading to Session Hijacking

Summary Stored XSS vulnerabilities exist in the Commerce Inventory page. The Product Title, Variant Title, and Variant SKU fields are rendered without proper HTML escaping, allowing an attacker to execute arbitrary JavaScript when any user including administrators views the inventory management...

8.6CVSS6AI score0.00204EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/10 6:23 p.m.6 views

Craft Commerce is vulnerable to SQL Injection in Commerce Inventory Table Sorting

Summary Craft Commerce is vulnerable to SQL Injection in the inventory levels table data endpoint. The sort0direction and sort0sortField parameters are concatenated directly into an addOrderBy clause without any validation or sanitization. An authenticated attacker with access to the Commerce...

8.8CVSS6AI score0.00436EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/10 6:23 p.m.8 views

Craft Commerce is Vulnerable to Stored XSS while updating Order Status from Orders Table

Summary A stored XSS vulnerability exists when a user tries to update the Order Status from the Commerce Orders Table. The Order Status Name is rendered without proper escaping, allowing script execution to occur. --- Proof of Concept Required Permissions - Admin access to edit/create Order...

4.8CVSS5.9AI score0.00318EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/10 6:23 p.m.6 views

Craft Commerce is Vulnerable to SQL Injection in Commerce Purchasables Table Sorting

Summary Craft Commerce is vulnerable to SQL Injection in the purchasables table endpoint. The sort parameter is split by | and the first part column name is passed directly as an array key to orderBy without whitelist validation. Yii2's query builder does NOT escape array keys, allowing an...

8.8CVSS5.9AI score0.00421EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/10 6:22 p.m.8 views

Craft CMS has a potential information disclosure vulnerability in preview tokens

Summary Craft CMS has a CSRF issue in the preview token endpoint at /actions/preview/create-token. The endpoint accepts an attacker-supplied previewToken. Because the action does not require POST and does not enforce a CSRF token, an attacker can force a logged-in victim editor to mint a preview...

4.3CVSS5.8AI score0.00174EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/10 6:16 p.m.6 views

StudioCMS has Privilege Escalation via Insecure API Token Generation

Summary The /studiocmsapi/dashboard/api-tokens endpoint allows any authenticated user at least Editor to generate API tokens for any other user, including owner and admin accounts. The endpoint fails to validate whether the requesting user is authorized to create tokens on behalf of the target us...

8.8CVSS5.9AI score0.00564EPSS
Exploits3References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/10 6:16 p.m.6 views

Envoy vulnerable to crash for scoped ip address during DNS

Summary Calling Utility::getAddressWithPort with a scoped IPv6 addresses causes a crash. This utility is called in the data plane from the originalsrc filter and the dns filter. Details The crashing function is Utility::getAddressWithPort. The crash occurs if a string containing a scoped IPv6...

7.5CVSS5.8AI score0.00388EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/10 9:31 a.m.15 views

Camaleon CMS vulnerable to Path Traversal through AWS S3 uploader implementation

Camaleon CMS versions 2.4.5.0 through 2.9.1, prior to commit f54a77e, contain a path traversal vulnerability in the AWS S3 uploader implementation that allows authenticated users to read arbitrary files from the web server’s filesystem. The issue occurs in the downloadprivatefile functionality wh...

6.5CVSS5.8AI score0.00732EPSS
Exploits0References7Affected Software1
Total number of security vulnerabilities33225