Lucene search
K
GithubRecent

33227 matches found

Github Security Blog
Github Security Blog
added 2026/03/10 6:16 p.m.6 views

Envoy vulnerable to crash for scoped ip address during DNS

Summary Calling Utility::getAddressWithPort with a scoped IPv6 addresses causes a crash. This utility is called in the data plane from the originalsrc filter and the dns filter. Details The crashing function is Utility::getAddressWithPort. The crash occurs if a string containing a scoped IPv6...

7.5CVSS5.8AI score0.00388EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/10 9:31 a.m.15 views

Camaleon CMS vulnerable to Path Traversal through AWS S3 uploader implementation

Camaleon CMS versions 2.4.5.0 through 2.9.1, prior to commit f54a77e, contain a path traversal vulnerability in the AWS S3 uploader implementation that allows authenticated users to read arbitrary files from the web server’s filesystem. The issue occurs in the downloadprivatefile functionality wh...

6.5CVSS5.8AI score0.00732EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/10 1:20 a.m.6 views

copyparty: volflag `nohtml` did not block javascript in svg files

Summary The nohtml config option, intended to prevent execution of JavaScript in user-uploaded HTML files, did not apply to SVG images. Details A user with write-permission could upload an SVG containing embedded JavaScript, which would execute in the context of whichever user opens it. This in...

5.4CVSS5.9AI score0.00323EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/10 1:19 a.m.8 views

Webauthn Framework: allowed_origins collapses URL-like origins to host-only values, bypassing exact origin validation

Summary When allowedorigins is configured, CheckAllowedOrigins reduces URL-like values to their host component and accepts on host match alone. This makes exact origin policies impossible to express: scheme and port differences are silently ignored. Details CheckAllowedOrigins stores each...

5.4CVSS5.8AI score0.00197EPSS
Exploits1References5Affected Software3
Github Security Blog
Github Security Blog
added 2026/03/10 1:19 a.m.9 views

RSSN has Arbitrary Code Execution via Unvalidated JIT Instruction Generation in C-FFI Interface

Impact Vulnerability Type: Improper Control of Generation of Code 'Code Injection' CWE-94 / Improper Check for Unusual or Exceptional Conditions CWE-754 / Improper Input Validation CWE-20 / Use of Low-Level Functionality CWE-695 / Improper Privilege Management CWE-269 / External Control of System...

9.4CVSS5.9AI score0.0021EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/10 1:18 a.m.7 views

Linkdave Missing Authentication on REST and WebSocket endpoints

The linkdave server does not enforce authentication on its REST and WebSocket routes in versions prior to 0.1.5. Impact An attacker with network access to the server port can: - Connect to the WebSocket endpoint /ws and receive a valid sessionid in the OpReady response. - Use that session to invo...

5.8AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/10 1:15 a.m.8 views

OneUptime has WhatsApp Resend Verification Authorization Bypass

Description The resend-verification-code endpoint allows any authenticated user to trigger a verification code resend for any UserWhatsApp record by ID. Ownership is not validated unlike the verify endpoint. Affected Source - Endpoint: UserWhatsAppAPI.ts - Service: UserWhatsAppService.ts - Verify...

5.3CVSS5.9AI score0.00371EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/10 1:12 a.m.11 views

OneUptime has Synthetic Monitor RCE via exposed Playwright browser object

Summary OneUptime Synthetic Monitors allow a low-privileged authenticated project user to execute arbitrary commands on the oneuptime-probe server/container. The root cause is that untrusted Synthetic Monitor code is executed inside Node's vm while live host-realm Playwright browser and page...

9.9CVSS6.6AI score0.01153EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/10 1:9 a.m.7 views

OneUptime has authorization bypass via client‑controlled is-multi-tenant-query header that leads to cross‑tenant data exposure and account takeover

Summary A low‑privileged user can bypass authorization and tenant isolation in OneUptime v10.0.20 by sending a forged is-multi-tenant-query header together with a controlled projectid header. Because the server trusts this client-supplied header, internal permission checks in BasePermission are...

9.9CVSS5.8AI score0.00494EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/10 1:4 a.m.7 views

liquidjs has a path traversal fallback vulnerability

Impact The layout, render, and include tags allow arbitrary file access via absolute paths either as string literals or through Liquid variables, the latter require dynamicPartials: true, which is the default. This poses a security risk when malicious users are allowed to control the template...

8.7CVSS5.9AI score0.00557EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/10 1:2 a.m.9 views

Actual Sync Server has an Authenticated Path Traversal

Description Actual Sync Server allows authenticated users to upload files through POST /sync/upload-user-file. In versions prior to 26.3.0, improper validation of the user-controlled x-actual-file-id header means that traversal segments ../ can escape the intended directory and write files outsid...

6.5CVSS5.8AI score0.00377EPSS
Exploits1References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/10 12:57 a.m.8 views

Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resolution

Impact An unauthenticated attacker can crash the Parse Server process by calling a Cloud Function endpoint with a prototype property name as the function name. The server recurses infinitely, causing a call stack size error that terminates the process. Other prototype property names bypass Cloud...

8.8CVSS5.8AI score0.0049EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/10 12:57 a.m.8 views

Parse Server has denylist `requestKeywordDenylist` keyword scan bypass through nested object placement

Impact The requestKeywordDenylist security control can be bypassed by placing any nested object or array before a prohibited keyword in the request payload. This is caused by a logic bug that stops scanning sibling keys after encountering the first nested value. Any custom requestKeywordDenylist...

6.9CVSS5.9AI score0.00393EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/10 12:57 a.m.7 views

Parse Server has Regular Expression Denial of Service (ReDoS) via `$regex` query in LiveQuery

Impact A malicious client can subscribe to a LiveQuery with a crafted $regex pattern that causes catastrophic backtracking, blocking the Node.js event loop. This makes the entire Parse Server unresponsive, affecting all clients. Any Parse Server deployment with LiveQuery enabled is affected. The...

8.2CVSS5.8AI score0.00446EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/10 12:56 a.m.8 views

flarum/nicknames extension has display name injection in notification emails (autolink & markdown)

Summary When the flarum/nicknames extension is enabled, a registered user can set their nickname to a string that email clients interpret as a hyperlink. The nickname is inserted verbatim into plain-text notification emails, and recipients may be misled into visiting attacker-controlled domains...

4.6CVSS5.8AI score0.00165EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/09 9:31 p.m.8 views

NLTK has Arbitrary File Read via Absolute Path Input in nltk.util.filestring()

A vulnerability in the filestring function of the nltk.util module in nltk version 3.9.2 allows arbitrary file read due to improper validation of input paths. The function directly opens files specified by user input without sanitization, enabling attackers to access sensitive system files by...

8.6CVSS7.5AI score0.00428EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/09 7:55 p.m.12 views

vLLM has SSRF Protection Bypass

Summary The SSRF protection fix for https://github.com/vllm-project/vllm/security/advisories/GHSA-qh4c-xf7m-gxfc can be bypassed in the loadfromurlasync method due to inconsistent URL parsing behavior between the validation layer and the actual HTTP client. Affected Component - File:...

9.8CVSS5.9AI score0.00485EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/09 7:55 p.m.7 views

AzuraCast: RCE via Liquidsoap string interpolation injection in station metadata and playlist URLs

Summary AzuraCast's ConfigWriter::cleanUpString method fails to sanitize Liquidsoap string interpolation sequences ..., allowing authenticated users with StationPermissions::Media or StationPermissions::Profile permissions to inject arbitrary Liquidsoap code into the generated configuration file...

6AI score
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/09 7:54 p.m.12 views

OpenClaw: Sandboxed /acp spawn requests could initialize host ACP sessions

Summary Sandboxed requester sessions could reach host-side ACP session initialization through /acp spawn. OpenClaw already blocked sessionsspawn runtime: "acp" from sandboxed sessions, but the slash-command path initialized ACP directly without applying the same host-runtime guard first. Affected...

7.1CVSS5.5AI score0.00104EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/09 7:54 p.m.12 views

OpenClaw: system.run allow-always persistence included shell-commented payload tails

OpenClaw's system.run allowlist analysis did not honor POSIX shell comment semantics when deriving allow-always persistence entries. A caller in security=allowlist mode who received an allow-always decision could submit a shell command whose tail was commented out at runtime, for example by using...

5.9AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/09 7:54 p.m.14 views

OpenClaw: `operator.write` chat.send could reach admin-only config writes

Summary A gateway client authenticated with operator.write could route /config set or /config unset through chat.send and reach persistent config mutation even though direct config RPC methods are admin-scoped. Affected Packages / Versions - Package: openclaw npm - Latest published vulnerable...

5.8AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/09 7:54 p.m.11 views

OpenClaw: system.run wrapper-depth boundary could skip shell approval gating

OpenClaw's system.run dispatch-wrapper handling applied different depth-boundary rules to shell-wrapper approval detection and execution planning. With exactly four transparent dispatch wrappers such as repeated env invocations before /bin/sh -c, the approval classifier could stop treating the...

5.3CVSS5.9AI score0.00108EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/09 7:54 p.m.13 views

OpenClaw: fetch-guard forwards custom authorization headers across cross-origin redirects

OpenClaw's fetchWithSsrFGuard... followed cross-origin redirects while preserving arbitrary caller-supplied headers except for a narrow denylist Authorization, Proxy-Authorization, Cookie, Cookie2. This allowed custom authorization headers such as X-Api-Key, Private-Token, and similar sensitive...

9.3CVSS5.9AI score0.00316EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/09 7:54 p.m.5 views

OpenClaw: Cross-account sender authorization expansion in `/allowlist ... --store` account scoping

Summary /allowlist ... --store resolved the selected channel accountId for reads, but store writes still dropped that accountId and wrote into the legacy unscoped pairing allowlist store. Because default-account reads still merge legacy unscoped entries, a store entry intended for one account cou...

5.8AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/09 7:53 p.m.10 views

OpenClaw's system.run allowlist approval parsing missed PowerShell encoded-command wrappers

OpenClaw's system.run shell-wrapper detection did not recognize PowerShell -EncodedCommand forms as inline-command wrappers. In allowlist mode, a caller with access to system.run could invoke pwsh or powershell using -EncodedCommand, -enc, or -e, and the request would fall back to plain argv...

5.9AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/09 7:52 p.m.11 views

OpenClaw's `system.run` env override filtering allowed dangerous helper-command pivots

Summary system.run env override sanitization allowed dangerous override-only helper-command pivots to reach subprocesses. A caller who could invoke system.run with env overrides could bypass allowlist/approval intent by steering an allowlisted tool through helper-command or config-loading...

5.9AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/09 7:52 p.m.35 views

OpenClaw's hooks count non-POST requests toward auth lockout

OpenClaw's hooks HTTP handler counted hook authentication failures before rejecting unsupported HTTP methods. An unauthenticated client could send repeated non-POST requests for example GET with an invalid token to consume the hook auth failure budget and trigger the temporary lockout window for...

5.8AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/09 7:52 p.m.13 views

OpenClaw's dashboard leaked gateway auth material via browser URL/query and localStorage

OpenClaw's macOS Dashboard flow exposed Gateway authentication material to browser-controlled surfaces. Before the fix, the macOS app appended the shared Gateway token and password to the Dashboard URL query string when opening the Control UI in the browser. The Control UI then imported the token...

5.8AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/09 7:51 p.m.7 views

Glances has SQL Injection via Process Names in TimescaleDB Export

Summary The TimescaleDB export module constructs SQL queries using string concatenation with unsanitized system monitoring data. The normalize method wraps string values in single quotes but does not escape embedded single quotes, making SQL injection trivial via attacker-controlled data such as...

9.8CVSS5.9AI score0.00364EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/09 7:50 p.m.9 views

Glances Exposes Unauthenticated Configuration Secrets

Summary The /api/4/config REST API endpoint returns the entire parsed Glances configuration file glances.conf via self.config.asdict with no filtering of sensitive values. The configuration file contains credentials for all configured backend services including database passwords, API tokens, JWT...

8.7CVSS5.8AI score0.01657EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/09 7:48 p.m.9 views

FileBrowser Quantum: Stored XSS in public share page via unsanitized share metadata (text/template misuse)

Summary Stored XSS is possible via share metadata fields e.g., title, description that are rendered into HTML for /public/share/ without context-aware escaping. The server uses text/template instead of html/template, allowing injected scripts to execute when victims visit the share URL. Details T...

8.9CVSS6AI score0.00347EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/09 7:48 p.m.15 views

FileBrowser Quantum: Password-Protected Share Bypass via /public/api/share/info

Summary The remediation for CVE-2026-27611 appears incomplete. Password protected shares still disclose tokenized downloadURL via /public/api/share/info in docker image gtstef/filebrowser:1.3.1-webdav-2. Details The issue stems from two flaws: 1. Tokenized download URLs are written into the...

7.5CVSS5.7AI score0.00544EPSS
Exploits2References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/09 7:45 p.m.9 views

Admidio: Event participation IDOR - non-leaders can register other users for events via user_uuid parameter

Vulnerability In modules/events/eventsfunction.php, the event participation logic allows any user who can participate in an event to register OTHER users by manipulating the useruuid GET parameter. Line 47: $getUserUuid = admFuncVariableIsValid$GET, 'useruuid', 'uuid', ... Line 424: if...

5.4CVSS5.9AI score0.00253EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/09 6:18 p.m.10 views

SiYuan: Authorization Bypass Allows Low-Privilege Publish User to Modify Notebook Content via /api/block/appendHeadingChildren

Summary A privilege escalation vulnerability exists in the publish service of SiYuan Note that allows a low-privilege publish account RoleReader to modify notebook content via the /api/block/appendHeadingChildren API endpoint. The endpoint only requires model.CheckAuth, which accepts RoleReader...

7.1CVSS5.8AI score0.00311EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/09 5:42 p.m.13 views

Parse Server: JWT audience validation bypass in Google, Apple, and Facebook authentication adapters

Impact The Google, Apple, and Facebook authentication adapters use JWT verification to validate identity tokens. When the adapter's audience configuration option is not set clientId for Google/Apple, appIds for Facebook, JWT verification silently skips audience claim validation. This allows an...

9.8CVSS5.8AI score0.00525EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/09 5:42 p.m.11 views

Parse Server: GraphQL `__type` introspection bypass via inline fragments when public introspection is disabled

Impact When graphQLPublicIntrospection is disabled, type queries nested inside inline fragments e.g. ... on Query typename:"User" name bypass the introspection control, allowing unauthenticated users to perform type reconnaissance. schema introspection is not affected. Patches The check was chang...

6.9CVSS5.8AI score0.00278EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/09 5:42 p.m.10 views

Parse Server: File metadata endpoint bypasses `beforeFind` / `afterFind` trigger authorization

Impact The file metadata endpoint GET /files/:appId/metadata/:filename does not enforce beforeFind / afterFind file triggers. When these triggers are used as access-control gates, the metadata endpoint bypasses them entirely, allowing unauthorized access to file metadata. This affects any...

6.3CVSS5.8AI score0.00295EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/09 5:41 p.m.10 views

Parse Server: `PagesRouter` path traversal allows reading files outside configured pages directory

Impact The PagesRouter static file serving route is vulnerable to a path traversal attack that allows unauthenticated reading of files outside the configured pagesPath directory. The boundary check uses a string prefix comparison without enforcing a directory separator boundary. An attacker can u...

6.3CVSS5.8AI score0.00312EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/09 5:29 p.m.8 views

OneUptime has broken access control in GitHub App installation flow that allows unauthorized project binding

Summary OneUptime's GitHub App callback trusts attacker-controlled state and installationid values and updates Project.gitHubAppInstallationId with isRoot: true without validating that the caller is authorized for the target project. This allows an attacker to overwrite another project's GitHub A...

8.6CVSS5.9AI score0.00196EPSS
Exploits1References10Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/09 5:28 p.m.8 views

Kubewarden: Cross-namespace data exfiltration via deprecated host callback binding

Impact Kubewarden is a policy engine for Kubernetes. Kubewarden cluster operators can grant permissions to users to deploy namespaced AdmissionPolicies and AdmissionPolicyGroups in their Namespaces. One of Kubewarden promises is that configured users can deploy namespaced policies in a safe manne...

4.3CVSS5.8AI score0.00185EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/09 5:27 p.m.11 views

Netmaker: Service User with Network Access Can Access config files with WireGuard Private Keys

A user assigned the platform-user role can retrieve WireGuard private keys of all wireguard configs in a network by calling GET /api/extclients/network or GET /api/nodes/network. While the Netmaker UI restricts visibility, the API endpoints return full records, including private keys, without...

8.7CVSS5.8AI score0.00252EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/09 5:27 p.m.8 views

Netmaker has Privilege Escalation from Admin to Super-Admin via User Update

The user update handler PUT /api/users/username lacks validation to prevent an admin-role user from assigning the super-admin role during account updates. While the code correctly blocks an admin from assigning the admin role to another user, it does not include an equivalent check for the...

6.9CVSS5.8AI score0.0023EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/09 5:27 p.m.8 views

Netmaker has Insufficient Authorization in Host Token Verification

The Authorise middleware in Netmaker incorrectly validates host JWT tokens. When a route permits host authentication hostAllowed=true, a valid host token bypasses all subsequent authorisation checks without verifying that the host is authorised to access the specific requested resource. Any entit...

8.6CVSS5.9AI score0.00366EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/09 5:24 p.m.9 views

Pocket ID: OIDC authorization code validation uses AND instead of OR, allowing cross-client token exchange

Summary The OIDC token endpoint rejects an authorization code only when both the client ID is wrong and the code is expired. This allows cross-client code exchange and expired code reuse. Details backend/internal/service/oidcservice.go:407 go if authorizationCodeMetaData.ClientID != input.ClientI...

8.5CVSS5.8AI score0.00257EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/09 5:24 p.m.10 views

Pocket ID: OAuth redirect_uri validation bypass via userinfo/host confusion

Impact A flaw in callback URL validation allowed crafted redirecturi values containing URL userinfo @ to bypass legitimate callback pattern checks. If an attacker can trick a user into opening a malicious authorization link, the authorization code may be redirected to an attacker-controlled host...

7.1CVSS5.8AI score0.00204EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/09 4:56 p.m.10 views

@budibase/server: Command Injection in PostgreSQL Dump Command

Location: packages/server/src/integrations/postgres.ts:529-531 Description The PostgreSQL integration constructs shell commands using user-controlled configuration values database name, host, password, etc. without proper sanitization. The password and other connection parameters are directly...

8.6CVSS5.9AI score0.0048EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/09 12:31 p.m.6 views

Apache Airflow Providers Http has Unsafe Pickle Deserializatio leading to RCE via HttpOperator

A user with access to the DB could craft a database entry that would result in executing code on Triggerer - which gives anyone who have access to DB the same permissions as Dag Author. Since direct DB access is not usual and recommended for Airflow, the likelihood of it making any damage is low...

8.8CVSS5.9AI score0.00695EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/09 12:31 p.m.8 views

Apache Airflow AWS Auth Manager has Host Header Injection Leading to SAML Authentication Bypass

In AWS Auth manager, the origin of the SAML authentication has been used as provided by the client and not verified against the actual instance URL. This allowed to gain access to different instances with potentially different access controls by reusing SAML response from other instances. You...

5.4CVSS5.7AI score0.00359EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/09 9:30 a.m.7 views

Apache IoTDB has an Insecure Default Configuration Vulnerability

A vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 1.0.0 before 1.3.7, from 2.0.0 before 2.0.7. Users are recommended to upgrade to version 1.3.7 or 2.0.7, which fixes the issue...

9.8CVSS5.8AI score0.00584EPSS
Exploits0References8Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/09 9:30 a.m.7 views

Apache IoTDB has an Improper Input Validation vulnerability

Improper Input Validation vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 1.0.0 before 1.3.7, from 2.0.0 before 2.0.7. Users are recommended to upgrade to version 1.3.7 or 2.0.7, which fixes the issue...

9.8CVSS5.8AI score0.00662EPSS
Exploits0References9Affected Software1
Total number of security vulnerabilities33227