33273 matches found
Moonraker affected by LDAP search filter injection
Impact Instances of Moonraker configured with the ldap component enabled are vulnerable to LDAP search filter injection techniques via the login endpoint. The 401 error response message can be used to determine whether or not a search was successful, allowing for brute force methods to discover...
SurrealDB Affected by Confused Deputy Privilege Escalation through Future Fields and Functions
Unprivileged users for example, those with the database editor role can create or modify fields in records that contain functions or futures. Futures are values which are only computed when the value is queried. The query executes in the context of the querying user, rather than the user who...
Umbraco.Forms CDN may cache sensitive form uploads when processed by ImageSharp
Impact Protected files uploaded through Umbraco Forms may be served to unauthenticated users when a CDN or caching layer is present and ImageSharp processes the request. ImageSharp sets aggressive cache headers by default, which can cause intermediary caches to store and serve files that should...
Dragonfly Manager Job API Unauthenticated Access
Summary Dragonfly Manager's Job REST API endpoints lack authentication, allowing unauthenticated attackers to create, query, modify, and delete jobs, potentially leading to resource exhaustion, information disclosure, and service disruption. Affected Products - Product: Dragonfly - Component:...
Wheel Affected by Arbitrary File Permission Modification via Path Traversal in wheel unpack
Summary - Vulnerability Type: Path Traversal CWE-22 leading to Arbitrary File Permission Modification. - Root Cause Component: wheel.cli.unpack.unpack function. - Affected Packages: 1. wheel Upstream source 2. setuptools Downstream, vendors wheel - Severity: High Allows modifying system file...
docling-core vulnerable to Remote Code Execution via unsafe PyYAML usage
Impact A PyYAML-related Remote Code Execution RCE vulnerability, namely CVE-2020-14343, is exposed in docling-core =2.21.0, 2.48.4 and, specifically only if the application uses pyyaml 5.4 and invokes doclingcore.types.doc.DoclingDocument.loadfromyaml passing it untrusted YAML data. Patches The...
Seroval affected by Denial of Service via Deeply Nested Objects
Serialization of objects with extreme depth can exceed the maximum call stack limit. Mitigation: Seroval introduces a depthLimit parameter in serialization/deserialization methods. An error will be thrown if the depth limit is reached...
Typebot affected by Credential Theft via Client-Side Script Execution and API Authorization Bypass
Summary Client-side script execution in Typebot allows stealing all stored credentials from any user. When a victim previews a malicious typebot by clicking "Run", JavaScript executes in their browser and exfiltrates their OpenAI keys, Google Sheets tokens, and SMTP passwords. The...
Logback allows an attacker to instantiate classes already present on the class path
ACE vulnerability in configuration file processing by QOS.CH logback-core up to and including version 1.5.24 in Java applications, allows an attacker to instantiate classes already present on the class path by compromising an existing logback configuration file. The instantiation of a potentially...
pytest has vulnerable tmpdir handling
pytest through 9.0.2 on UNIX relies on directories with the /tmp/pytest-of-user name pattern, which allows local users to cause a denial of service or possibly gain privileges...
Soft Serve Affected by an Authentication Bypass
Impact What kind of vulnerability is it? Who is impacted? This issue impacts every Soft Serve instance. A critical authentication bypass allows an attacker to impersonate any user including Admin by "offering" the victim's public key during the SSH handshake before authenticating with their own...
Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions
Impact Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the .unset and .omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwriting their...
Wrangler affected by OS Command Injection in `wrangler pages deploy`
Summary A command injection vulnerability CWE-78 has been found to exist in the wrangler pages deploy command. The issue occurs because the --commit-hash parameter is passed directly to a shell command without proper validation or sanitization, allowing an attacker with control of --commit-hash t...
OpenTofu has High CPU usage in "tofu init" with maliciously-crafted module packages in .zip format
Impact Unauthenticated denial of service. Summary When installing module packages from attacker-controlled sources, tofu init may cause high CPU usage when encountering maliciously-crafted .zip archives for either provider or module distribution packages. Those who depend on modules or providers...
Triton VM has a Soundness Vulnerability due to Improper Sampling of Randomness
In affected versions of Triton VM, the verifier failed to correctly sample randomness in the FRI sub-protocol. Malicious provers can exploit this to craft proofs for arbitrary statements that this verifier accepts as valid, undermining soundness. Protocols that rely on proofs and the supplied...
Backstage has a Possible SSRF when reading from allowed URL's in `backend.reading.allow`
Impact The FetchUrlReader component, used by the catalog and other plugins to fetch content from URLs, followed HTTP redirects automatically. This allowed an attacker who controls a host listed in backend.reading.allow to redirect requests to internal or sensitive URLs that are not on the...
@backstage/cli-common has a possible `resolveSafeChildPath` Symlink Chain Bypass
Impact The resolveSafeChildPath utility function in @backstage/backend-plugin-api, which is used to prevent path traversal attacks, failed to properly validate symlink chains and dangling symlinks. An attacker could bypass the path validation by: 1. Symlink chains: Creating link1 → link2 → /outsi...
Backstage has a Possible Symlink Path Traversal in Scaffolder Actions
Impact Multiple Scaffolder actions and archive extraction utilities were vulnerable to symlink-based path traversal attacks. An attacker with access to create and execute Scaffolder templates could exploit symlinks to: 1. Read arbitrary files via the debug:log action by creating a symlink pointin...
FastAPI Api Key has a timing side-channel in verify_key that allows statistical key validity detection
Impact Timing side-channel vulnerability in verifykey. The method applied a random delay only on verification failures, allowing an attacker to statistically distinguish valid from invalid API keys by measuring response latencies. With enough repeated requests, an adversary could infer whether a...
Flux Operator Web UI Impersonation Bypass via Empty OIDC Claims
A privilege escalation vulnerability exists in the Flux Operator Web UI authentication code that allows an attacker to bypass Kubernetes RBAC impersonation and execute API requests with the operator's service account privileges. After OIDC token claims are processed through CEL expressions, there...
Copier safe template has arbitrary filesystem write access via directory symlinks when _preserve_symlinks: true
Impact Copier suggests that it's safe to generate a project from a safe template, i.e. one that doesn't use unsafe features like custom Jinja extensions which would require passing the --UNSAFE,--trust flag. As it turns out, a safe template can currently write to arbitrary directories outside the...
Copier safe template has arbitrary filesystem read access via symlinks when _preserve_symlinks: false
Impact Copier suggests that it's safe to generate a project from a safe template, i.e. one that doesn't use unsafe features like custom Jinja extensions which would require passing the --UNSAFE,--trust flag. As it turns out, a safe template can currently include arbitrary files/directories outsid...
Argo Workflows affected by stored XSS in the artifact directory listing
Summary Stored XSS in the artifact directory listing allows any workflow author to execute arbitrary JavaScript in another user’s browser under the Argo Server origin, enabling API actions with the victim’s privileges. Details The directory listing response in server/artifacts/artifactserver.go...
phpPgAdmin contains a remote command execution vulnerability
phpPgAdmin 7.13.0 contains a remote command execution vulnerability that allows authenticated attackers to execute arbitrary system commands through SQL query manipulation. Attackers can create a custom table, upload a malicious .txt file, and use the COPY FROM PROGRAM command to execute operatin...
Seroval affected by Denial of Service via Array serialization
Overriding encoded array lengths by replacing them with an excessively large value causes the deserialization process to significantly increase processing time. Mitigation: Seroval no longer encodes array lengths. Instead, it computes length using Array.prototype.length during deserialization...
seroval affected by Denial of Service via RegExp serialization
Overriding RegExp serialization with extremely large patterns can exhaust JavaScript runtime memory during deserialization. Additionally, overriding RegExp serialization with patterns that trigger catastrophic backtracking can lead to ReDoS Regular Expression Denial of Service. Mitigation: Serova...
Tendenci Affected by Authenticated Remote Code Execution via Pickle Deserialization
A critical deserialization vulnerability exists in Tendenci Helpdesk module NOTE, by default, Helpdesk is NOT enabled, affecting the version 15.3.11 and earlier. This vulnerability allows remote code execution RCE by an authenticated user with staff security level due to using Python's pickle...
@envelop/graphql-modules has a Race Condition vulnerability
Summary Context race condition when using useGraphQLModules plugin Details Related to: https://github.com/graphql-hive/graphql-modules/security/advisories/GHSA-53wg-r69p-v3r7 When 2 or more parallel requests are made which trigger the same service, the context of the requests is mixed up in the...
go-tuf improperly validates the configured threshold for delegations
Security Disclosure: Improper validation of configured threshold for delegations Summary A compromised or misconfigured TUF repository can have the configured value of signature thresholds set to 0, which effectively disables signature verification. Impact Unathorized modification to TUF metadata...
go-tuf affected by client DoS via malformed server response
Security Disclosure: Client DoS via malformed server response Summary If the TUF repository or any of its mirrors returns invalid TUF metadata JSON valid JSON but not well formed TUF metadata, the client will panic during parsing, causing a DoS. The panic happens before any signature is validated...
sm-crypto Affected by Signature Forgery in SM2-DSA
Summary A signature forgery vulnerability exists in the SM2 signature verification logic of sm-crypto. Under default configurations, an attacker can forge valid signatures for arbitrary public keys. If the message space contains sufficient redundancy, the attacker can fix the prefix of the messag...
sm-crypto Affected by Signature Malleability in SM2-DSA
Summary A signature malleability vulnerability exists in the SM2 signature verification logic of the sm-crypto library. An attacker can derive a new valid signature for a previously signed message from an existing signature. Credit This vulnerability was discovered by: - XlabAI Team of Tencent...
sm-crypto Affected by Private Key Recovery in SM2-PKE
Summary A private key recovery vulnerability exists in the SM2 decryption logic of sm-crypto. By interacting with the SM2 decryption interface multiple times, an attacker can fully recover the private key within approximately several hundred interactions. Credit This vulnerability was discovered...
CoreShop Vulnerable to SQL Injection via Admin customer-company-modifier
SQL Injection in CustomerTransformerController Summary An error-based SQL Injection vulnerability was identified in the CustomerTransformerController within the CoreShop admin panel. The affected endpoint improperly interpolates user-supplied input into a SQL query, leading to database error...
vLLM affected by RCE via auto_map dynamic module loading during model initialization
Summary vLLM loads Hugging Face automap dynamic modules during model resolution without gating on trustremotecode, allowing attacker-controlled Python code in a model repo/path to execute at server startup. --- Impact An attacker who can influence the model repo/path local directory or remote...
mailqueue TYPO3 extension affected by Insecure Deserialization in QueueableFileTransport
Description The extension extends TYPO3’s FileSpool component, which was vulnerable to Insecure Deserialization prior to TYPO3-CORE-SA-2026-004. Since the related fix is overwritten by the extension, using the extension with a patched TYPO3 core version still allows for Insecure Deserialization,...
seroval Affected by Remote Code Execution via JSON Deserialization
Improper input handling in the JSON deserialization component can lead to arbitrary JavaScript code execution. The vulnerability can be exploited via overriding constant value and error deserialization, which allows indirect access to unsafe JS evaluation. This requires at least the ability to...
seroval Affected by Prototype Pollution via JSON Deserialization
Due to improper input validation, a malicious object key can lead to prototype pollution during JSON deserialization. This affects only JSON deserialization functionality. As there is no known workaround, please upgrade to the latest version...
Laravel Redis Horizontal Scaling Insecure Deserialization
Impact This vulnerability affects Laravel Reverb versions prior to v1.7.0 when horizontal scaling is enabled REVERBSCALINGENABLED=true. The exploitability of this vulnerability is increased because Redis servers are commonly deployed without authentication. With horizontal scaling enabled, Reverb...
Apache Solr: Unauthorized bypass of certain "predefined permission" rules in the RuleBasedAuthorizationPlugin
Deployments of Apache Solr 5.3.0 through 9.10.0 that rely on Solr's "Rule Based Authorization Plugin" are vulnerable to allowing unauthorized access to certain Solr APIs, due to insufficiently strict input validation in those components. Only deployments that meet all of the following criteria ar...
Apache Solr: Insufficient file-access checking in standalone core-creation requests
The "create core" API of Apache Solr 8.6 through 9.10.0 lacks sufficient input validation on some API parameters, which can cause Solr to check the existence of and attempt to read file-system paths that should be disallowed by Solr's "allowPaths" security setting...
Keycloak Admin REST API exposes backend schema and rules
A flaw was found in the Keycloak Admin REST API. This vulnerability allows the exposure of backend schema and rules, potentially leading to targeted attacks or privilege escalation via improper access control...
Keycloak services allows the issuance of access and refresh tokens for disabled users
A flaw was found in the keycloak-services component of Keycloak. This vulnerability allows the issuance of access and refresh tokens for disabled users, leading to unauthorized use of previously revoked privileges, via a business logic vulnerability in the Token Exchange implementation when a...
Keycloak does not validate and update refresh token usage atomically
A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. Thi...
ImageMagick has a NULL pointer dereference in MSL parser via <comment> tag before image load
Summary NULL pointer dereference in MSL Magick Scripting Language parser when processing tag before any image is loaded. Version - ImageMagick 7.x tested on current main branch - Commit: HEAD Steps to Reproduce Method 1: Using ImageMagick directly bash magick MSL:poc.msl out.png Method 2: Using...
ImageMagick has a Memory Leak in LoadOpenCLDeviceBenchmark() when parsing malformed XML
Summary A memory leak vulnerability exists in the LoadOpenCLDeviceBenchmark function in MagickCore/opencl.c. When parsing a malformed OpenCL device profile XML file that contains closing tags, the function fails to release allocated memory for string members platformname, vendorname, name, versio...
Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS
TITLE: Race Condition in node-tar Path Reservations via Unicode Sharp-S ß Collisions on macOS APFS AUTHOR: Tomás Illuminati Details A race condition vulnerability exists in node-tar v7.5.3 this is to an incomplete handling of Unicode path collisions in the path-reservations system. On...
ImageMagick MSL: Stack overflow via infinite recursion in ProcessMSLScript
Summary Stack overflow via infinite recursion in MSL Magick Scripting Language command when writing to MSL format. Version - ImageMagick 7.x tested on current main branch - Commit: HEAD - Requires: libxml2 support for MSL parsing Steps to Reproduce Method 1: Using ImageMagick directly bash magick...
Swift W3C TraceContext vulnerable to a malformed HTTP header causing a crash
Impact A denial-of-service vulnerability due to improper input validation allows a remote attacker to crash the service via a malformed HTTP header. Allows crashing the process with data coming from the network when used with, for example, an HTTP server. Most common way of using Swift W3C Trace...
AlchemyCMS: Authenticated Remote Code Execution (RCE) via eval injection in ResourcesHelper
Summary A vulnerability was discovered during a manual security audit of the AlchemyCMS source code. The application uses the Ruby eval function to dynamically execute a string provided by the resourcehandler.enginename attribute in Alchemy::ResourcesHelperresourceurlproxy. Details The...