33227 matches found
Indico has a missing access check in the event series management API
Impact The API endpoint used to manage event series is missing an access check, allowing unauthenticated/unauthorized access to this endpoint. The impact of this is limited to: - Getting the metadata title, category chain, start/end date for events in an existing series - Deleting an existing eve...
INSATutorat has an authorization bypass vulnerability in its /api/admin/* endpoints
Impact An authorization bypass vulnerability was discovered in the administration pages of the tutoring application. When a standard user logged in but without administrator privileges attempts to access a resource under /api/admin/, the system detects the error but does not block the request. As...
Multer vulnerable to Denial of Service via incomplete cleanup
Impact A vulnerability in Multer versions 2.1.0 allows an attacker to trigger a Denial of Service DoS by sending malformed requests, potentially causing resource exhaustion. Patches Users should upgrade to 2.1.0 Workarounds None...
Multer vulnerable to Denial of Service via resource exhaustion
Impact A vulnerability in Multer versions 2.1.0 allows an attacker to trigger a Denial of Service DoS by dropping connection during file upload, potentially causing resource exhaustion. Patches Users should upgrade to 2.1.0 Workarounds None...
Gradio: Mocked OAuth Login Exposes Server Credentials and Uses Hardcoded Session Secret
Summary Gradio applications running outside of Hugging Face Spaces automatically enable "mocked" OAuth routes when OAuth components e.g. gr.LoginButton are used. When a user visits /login/huggingface, the server retrieves its own Hugging Face access token via huggingfacehub.gettoken and stores it...
Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()
Impact The serialize-javascript npm package versions tags, the injected code executes. javascript const serialize = require'serialize-javascript'; // Create an object that passes instanceof RegExp with a spoofed .flags const fakeRegex = Object.createRegExp.prototype; Object.definePropertyfakeRege...
malcontent: Nested archive extraction failure can drop content from scan inputs
Previously, malcontent would remove nested archives which failed to extract which could potentially leave malicious content. A better approach is to preserve these archives so that malcontent can attempt a best-effort scan of the archive bytes. Fix:...
PMD Designer has Stored XSS in VBHTMLRenderer and YAHTMLRenderer via unescaped violation messages
Summary PMD's vbhtml and yahtml report formats insert rule violation messages into HTML output without escaping. When PMD analyzes untrusted source code containing crafted string literals, the generated HTML report contains executable JavaScript that runs when opened in a browser. While the defau...
Hive has Double-free and Use After Free Vulnerabilities
Drop implementation for Hive did perform free, but so did Hive::close, which, at the end of the scope performed Drop, therefore triggering double-free. Additionally, function Hive::fromhandle was not marked as unsafe, making it, in combination with ashandle easy to clone and trigger double-free i...
@fastify/middie has Improper Path Normalization when Using Path-Scoped Middleware
Summary A path normalization inconsistency in @fastify/middie can result in authentication/authorization bypass when using path-scoped middleware for example, app.use'/secret', auth. When Fastify router normalization options are enabled such as ignoreDuplicateSlashes, useSemicolonDelimiter, and...
pypdf: Manipulated RunLengthDecode streams can exhaust RAM
Impact An attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the content stream using the RunLengthDecode filter. Patches This has been fixed in pypdf==6.7.4. Workarounds If you cannot upgrade yet, consider applying the changes from PR 36...
osctrl has Stored Cross-Site Scripting (XSS) in On-Demand Query List
Summary A stored Cross-site Scripting XSS vulnerability exists in the osctrl-admin on-demand query list. A user with query-level permissions can inject arbitrary JavaScript via the query parameter when running an on-demand query. The payload is stored and executes in the browser of any user...
osctrl is Vulnerable to OS Command Injection via Environment Configuration
Summary An OS command injection vulnerability exists in the osctrl-admin environment configuration. An authenticated administrator can inject arbitrary shell commands via the hostname parameter when creating or editing environments. These commands are embedded into enrollment one-liner scripts...
SvelteKit has deserialization expansion in unvalidated `form` remote function leading to Denial of Service (experimental only)
Some relatively small inputs can cause very large files arrays in form handlers. If the SvelteKit application code doesn't check files.length or individual files' sizes and performs expensive processing with them, it can result in Denial of Service. Only users with experimental.remoteFunctions:...
jackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition
Summary The non-blocking async JSON parser in jackson-core bypasses the maxNumberLength constraint default: 1000 characters defined in StreamReadConstraints. This allows an attacker to send JSON with arbitrarily long numbers through the async parser API, leading to excessive memory allocation and...
Vikunja Vulnerable to Account Takeover via Password Reset Token Reuse
Summary A critical business logic vulnerability exists in the password reset mechanism of vikunja/api that allows password reset tokens to be reused indefinitely. Due to a failure to invalidate tokens upon use and a critical logic bug in the token cleanup cron job, reset tokens remain valid...
Junrar has an arbitrary file write due to backslash Path Traversal bypass in LocalFolderExtractor on Linux/Unix
Summary A backslash path traversal vulnerability in LocalFolderExtractor allows an attacker to write arbitrary files with attacker-controlled content anywhere on the filesystem when a crafted RAR archive is extracted on Linux/Unix. This can often lead to remote code execution e.g., overwriting...
OpenClaw ACP client has permission auto-approval bypass via untrusted tool metadata
Vulnerability Summary The OpenClaw ACP client could auto-approve tool calls based on untrusted metadata and permissive name heuristics. A malicious or compromised ACP tool invocation could bypass expected interactive approval prompts for read-class operations. Affected Packages / Versions -...
OpenClaw: Skill env override host env injection via applySkillConfigEnvOverrides (defense-in-depth)
Summary applySkillConfigEnvOverrides previously copied skills.entries..env values into the host process.env without applying the host env safety policy. Impact In affected versions, dangerous process-level variables such as NODEOPTIONS could be injected when unset, which can influence...
Statamic allows Authenticated Control Panel users to escalate privileges via elevated session bypass
Impact Authenticated Control Panel users may under certain conditions obtain elevated privileges without completing the intended verification step. This can allow access to sensitive operations and, depending on the user’s existing permissions, may lead to privilege escalation. Patches This has...
ZITADEL has potential SSRF via Actions
Summary ZITADEL Action V2 introduced as early preview in 2.59.0, beta in 3.0.0 and GA in 4.0.0 is a webhook based approach to allow developers act on API request to Zitadel and customize flows such the issue of a token. ZITADEL's Action target URLs can point to local hosts, potentially allowing...
ZITADEL Users Can Self-Verify Email/Phone via UpdateHumanUser API
Summary A vulnerability in Zitadel's self-management capability allowed users to mark their email and phone as verified without going through an actual verification process. Impact Zitadel provides an API for managing users. The API also allows users to self-manage their own data including updati...
ZITADEL's truncated opaque tokens are still valid
Summary Opaque OIDC access tokens in v2 format, truncated to 80 characters are still considered valid. ZITADEL uses a symmetric AES encryption for opaque tokens. The cleartext payload is a concatenation of a couple of identifiers, such as a token ID and user ID. Internally Zitadel has 2 different...
phpMyFAQ Allows Unauthenticated Account Creation via WebAuthn Prepare Endpoint
Summary The WebAuthn prepare endpoint /api/webauthn/prepare creates new active user accounts without any authentication, CSRF protection, CAPTCHA, or configuration checks. This allows unauthenticated attackers to create unlimited user accounts even when registration is disabled. Details File:...
Beszel: Docker API has a Path Traversal Vulnerability via Unsanitized Container ID
Summary The hub's authenticated API endpoints GET /api/beszel/containers/logs and GET /api/beszel/containers/info pass the user-supplied "container" query parameter to the agent without validation. The agent constructs Docker Engine API URLs using fmt.Sprintf with the raw value instead of...
@actual-app/sync-server: Missing authorization in sync endpoints allows cross-user budget file access in multi-user mode
In multi-user mode OpenID, the sync API endpoints /sync/ don't verify that the authenticated user owns or has access to the file being operated on. Any authenticated user can read, modify, and overwrite any other user's budget files by providing their file ID. Affected Code File:...
Umbraco.Engage.Forms Allows Unauthorized Access to Multiple API Endpoints
Description A vulnerability has been identified in Umbraco Engage where certain API endpoints are exposed without enforcing authentication or authorization checks. The affected endpoints can be accessed directly over the network without requiring a valid session or user credentials. By supplying ...
Angular i18n vulnerable to Cross-Site Scripting
A Cross-site Scripting XSS vulnerability has been identified in the Angular internationalization i18n pipeline. In ICU messages International Components for Unicode, HTML from translated content was not properly sanitized and could execute arbitrary JavaScript. Angular i18n typically involves thr...
Duplicate Advisory: Nest has a Fastify URL Encoding Middleware Bypass
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-r4wm-x892-vjmx. This link is maintained to preserve external references. Original Description A NestJS application using @nestjs/platform-fastify can allow bypass of authentication/authorization middleware when...
CleverTap Web SDK is vulnerable to DOM-based Cross-Site Scripting (XSS) via window.postMessage
CleverTap Web SDK version 1.15.2 and earlier is vulnerable to DOM-based Cross-Site Scripting XSS via window.postMessage in the Visual Builder module. The origin validation in src/modules/visualBuilder/pageBuilder.js lines 56-60 uses the includes method to verify the originUrl contains...
CleverTap Web SDK is vulnerable to DOM-based XSS via handleCustomHtmlPreviewPostMessageEvent function
CleverTap Web SDK version 1.15.2 and earlier is vulnerable to Cross-site Scripting XSS via window.postMessage. The handleCustomHtmlPreviewPostMessageEvent function in src/util/campaignRender/nativeDisplay.js performs insufficient origin validation using the includes method, which can be bypassed ...
Vitess users with backup storage access can write to arbitrary file paths on restore
Impact Anyone with read/write access to the backup storage location e.g. an S3 bucket can manipulate backup manifest files so that files in the manifest — which may be files that they have also added to the manifest and backup contents — are written to any accessible location on restore. This is ...
AWS CLI: cli_history database does not restrict file permissions on Unix systems
Summary AWS CLI is a command line tool for interacting with AWS services. When the clihistory feature is enabled, the history database file is created with default permissions, potentially allowing other local users on a multi-user system to read the file. Impact When clihistory is enabled, AWS C...
Langflow has Remote Code Execution in CSV Agent
Summary The CSV Agent node in Langflow hardcodes allowdangerouscode=True, which automatically exposes LangChain’s Python REPL tool pythonreplast. As a result, an attacker can execute arbitrary Python and OS commands on the server via prompt injection, leading to full Remote Code Execution RCE...
Keycloak Server Private SPI: Improper Access Control Allows Administrators to Bypass Attribute Visibility Restrictions and Modify Unmanaged User Profile Attributes
A flaw was found in Keycloak. An administrator with manage-users permission can bypass the "Only administrators can view" setting for unmanaged attributes, allowing them to modify these attributes. This improper access control can lead to unauthorized changes to user profiles, even when the syste...
rubyipmi is vulnerable to OS Command Injection through malicious usernames
A flaw was found in rubyipmi, a gem used in the Baseboard Management Controller BMC component of Red Hat Satellite. An authenticated attacker with host creation or update permissions could exploit this vulnerability by crafting a malicious username for the BMC interface. This could lead to remote...
Keycloak REST Services has a WebAuthn Attestation Statement Verification Bypass
A flaw was found in Keycloak’s WebAuthn registration component. This vulnerability allows an attacker to bypass the configured attestation policy and register untrusted or forged authenticators via submission of an attestation object with fmt: "none", even when the realm is configured to require...
uv has ZIP payload obfuscation through parsing differentials
A flaw was found in uv. This vulnerability allows an attacker to execute malicious code during package resolution or installation via specially crafted ZIP Zipped Information Package archives that exploit parsing differentials, requiring user interaction to install an attacker-controlled package...
OpenStack Vitrage: Unauthorized Access to the Host can Lead to Eval Injection
In the query parser in OpenStack Vitrage before 12.0.1, 13.0.0, 14.0.0, and 15.0.0, a user allowed to access the Vitrage API may trigger code execution on the Vitrage service host as the user the Vitrage service runs under. This may result in unauthorized access to the host and further compromise...
OpenClaw is vulnerable to validation bypass through GNU long-option abbreviations in allowlist mode
In OpenClaw before 2026.2.23, tools.exec.safeBins validation for sort could be bypassed via GNU long-option abbreviations such as --compress-prog in allowlist mode, leading to approval-free execution paths that were intended to require approval. Only an exact string such as --compress-program was...
Snowflake JDBC Driver is Vulnerable to Uncontrolled Resource Consumption through SdkProxyRoutePlanner
A weakness has been identified in Snowflake JDBC Driver up to 4.0.1. Impacted is the function SdkProxyRoutePlanner of the file src/main/java/net/snowflake/client/internal/core/SdkProxyRoutePlanner.java of the component JDBC URL Handler. Executing a manipulation of the argument nonProxyHosts can...
PSI Probe: Broken access control can lead to DoS
A flaw has been found in psi-probe PSI Probe up to 5.3.0. The impacted element is the function handleRequestInternal of the file psi-probe-core/src/main/java/psiprobe/controllers/sessions/ExpireSessionsController.java of the component Session Handler. Executing a manipulation can lead to denial o...
PSI Probe vulnerable to Server-Side Request Forgery
A vulnerability has been found in psi-probe PSI Probe up to 5.3.0. This affects the function lookup of the file psi-probe-core/src/main/java/psiprobe/tools/Whois.java of the component Whois. The manipulation leads to server-side request forgery. The attack may be initiated remotely. The exploit h...
Vitess users with backup storage access can gain unauthorized access to production deployment environments
Impact Any user with read/write access to the backup storage location e.g. an S3 bucket can manipulate backup manifest files so that arbitrary code is later executed when that backup is restored. This can be used to provide that attacker with unintended/unauthorized access to the production...
Sealed Secrets for Kubernetes: Rotate API Allows Scope Widening from Strict/Namespace-Wide to Cluster-Wide via Untrusted Template Annotations
This report shows a scope-widening issue in the rotate re-encrypt flow: the output scope can be derived from untrusted spec.template.metadata.annotations on the input sealed secret. If a victim sealed secret is strict- or namespace-scoped, an attacker who can submit it to the rotate endpoint can...
Curio exposes database credentials to users with network access through verbose HTTP error responses
Summary Multiple HTTP handlers in Curio passed raw database error messages to HTTP clients via http.Error. When the PostgreSQL/YugabyteDB driver pgx returned errors, these could contain the database connection string — including hostname, port, username, and password. Additionally, the internal...
n8n has Webhook Forgery on Zendesk Trigger Node
Impact An attacker who knows the webhook URL of a workflow using the ZendeskTrigger node could send unsigned POST requests and trigger the workflow with arbitrary data. The node does not verify the HMAC-SHA256 signature that Zendesk attaches to every outbound webhook, allowing any party to inject...
n8n has a Guardrail Node Bypass
Impact An end user interacting with a workflow that uses the Guardrail node could craft an input that bypasses the default guardrail instructions. Patches The issue has been fixed in n8n version 2.10.0. Users should upgrade to this version or later to remediate the vulnerability. Workarounds If...
n8n has an Authentication Bypass in its Chat Trigger Node
Impact When the Chat Trigger node is configured with n8n User Auth authentication, the authentication check could be circumvented. - This issue requires the Chat Trigger node to be configured with n8n User Auth authentication non-default. Patches The issue has been fixed in n8n versions 2.10.1,...
n8n has an SSO Enforcement Bypass in its Self-Service Settings API
Impact An authenticated user signed in through Single Sign-On SSO could disable SSO enforcement for their own account through the n8n API. This allowed the user to create a local password and authenticate directly with email and password, completely bypassing the organization's SSO policy,...