33312 matches found
AIOHTTP vulnerable to DoS when bypassing asserts
Summary When assert statements are bypassed, an infinite loop can occur, resulting in a DoS attack when processing a POST body. Impact If optimisations are enabled -O or PYTHONOPTIMIZE=1, and the application includes a handler that uses the Request.post method, then an attacker may be able to...
AIOHTTP vulnerable to brute-force leak of internal static file path components
Summary Path normalization for static files prevents path traversal, but opens up the ability for an attacker to ascertain the existence of absolute path components. Impact If an application uses web.static not recommended for production deployments, it may be possible for an attacker to ascertai...
AIOHTTP has unicode match groups in regexes for ASCII protocol elements
Summary The parser allows non-ASCII decimals to be present in the Range header. Impact There is no known impact, but there is the possibility that there's a method to exploit a request smuggling vulnerability. ---- Patch:...
AIOHTTP's unicode processing of header values could cause parsing discrepancies
Summary The Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters. Impact If a pure Python version of aiohttp is installed i.e. without the usual C extensions or AIOHTTPNOEXTENSIONS is enabled, then an attacker may be able to execute a request smuggling...
AIOHTTP's HTTP Parser auto_decompress feature is vulnerable to zip bomb
Summary A zip bomb can be used to execute a DoS against the aiohttp server. Impact An attacker may be able to send a compressed request that when decompressed by aiohttp could exhaust the host's memory. ------ Patch: https://github.com/aio-libs/aiohttp/commit/2b920c39002cee0ec5b402581779bbaaf7c91...
`vega-functions` vulnerable to Cross-site Scripting via `setdata` function
Impact For sites that allow users to supply untrusted user input, malicious use of an internal function not part of the public API could be used to run unintentional javascript XSS. Patches Fixed in vega-functions 6.1.1 Workarounds There is no workaround besides upgrading. Using...
Vega XSS via expression abusing vlSelectionTuples function array map calls in environments with satisfactory function gadgets in the global scope
Impact Applications meeting these two conditions are at risk of arbitrary JavaScript code execution, even if "safe mode" expressionInterpreter is used. 1. Use vega in an application that attaches both vega library and a vega.View instance similar to the Vega Editor to the global window, or has an...
Spinnaker vulnerable to SSRF due to improper restrictions on http from user input
Impact The primary impact is allowing users to fetch data from a remote URL. This data can be then injected into Spinnaker pipelines via helm or other methods to extract things LIKE idmsv1 authentication data. This ALSO includes calling INTERNAL Spinnaker API's via a get and similar endpoints...
Anthropic's MCP TypeScript SDK has a ReDoS vulnerability
Impact A ReDoS vulnerability in the UriTemplate class allows attackers to cause denial of service. The partToRegExp function generates a regex pattern with nested quantifiers ^/+?:,^/+ for exploded template variables e.g., /id, ?tags, causing catastrophic backtracking on malicious input. Who is...
evershop allows unauthenticated attackers to force server to initiate HTTP request via "GET /images" API
A Blind Server-Side Request Forgery SSRF vulnerability in evershop 2.1.0 and prior allows unauthenticated attackers to force the server to initiate an HTTP request via the "GET /images" API. The vulnerability occurs due to insufficient validation of the "src" query parameter, which permits...
evershop allows unauthenticated attackers to exhaust application server's resources via "GET /images" API
A Denial of Service DoS vulnerability in evershop 2.1.0 and prior allows unauthenticated attackers to exhaust the application server's resources via the "GET /images" API. The application fails to limit the height of the use-element shadow tree or the dimensions of pattern tiles during the...
Harvest May Expose OS Default SSH Login Password Via SUSE Virtualization Interactive Installer
Impact Projects using the SUSE Virtualization Harvester environment are vulnerable to this exploit if they are using the 1.5.x or 1.6.x interactive installer to either create a new cluster or add new hosts to an existing cluster. The environment is not affected if the PXE boot mechanism is utiliz...
Redaxo has Path Traversal in Backup Addon Leading to Arbitrary File Read
Summary Authenticated users with backup permissions can read arbitrary files within the webroot via path traversal in the Backup addon's file export functionality. Details The Backup addon does not validate the EXPDIR POST parameter against the UI-generated allowlist of permitted directories. An...
ERC7984ERC20Wrapper: once a wrapper is filled, subsequent wrap requests do not revert and result in loss of funds.
Impact The ERC7984 contract tracks total supply using a confidential euint64 value. If a call to the internal mint function would result in the total supply overflowing, the call fails silently. The wrap and onTransferReceived functions in ERC7984ERC20Wrapper assume that mint won't fail silently...
gix-date can create non-utf8 string with `TimeBuf::as_str`
The function gixdate::parse::TimeBuf::asstr can create an illegal string containing non-utf8 characters. This violates the safety invariant of TimeBuf and can lead to undefined behavior when consuming the string. The bug can be prevented by adding str::fromutf8 to the function TimeBuf::write...
Sliver Vulnerable to Pre-Auth Memory Exhaustion via NoEncoder Bypass
Summary A specially crafted nonce routes unauthenticated requests through the NoEncoder path, where startSessionHandler reads the entire request body without limits, allowing attacker-driven memory exhaustion and process crash. Details - server/encoders/encoders.go: EncoderFromNonce returns...
badkeys vulnerable to ASCII control character injection on console via malformed input
Impact An attacker may inject content with ASCII control characters like vertical tabs, ANSI escape sequences, etc., that can create misleading output of the badkeys command-line tool. This impacts scanning DKIM keys both --dkim and --dkim-dns, SSH keys --ssh-lines mode, and filenames in various...
Craft CMS vulnerable to potential authenticated Remote Code Execution via malicious attached Behavior
Note that attackers must have administrator access to the Craft Control Panel for this to work. Users should update to the patched versions 5.8.21 and 4.16.17 to mitigate the issue. Resources: https://github.com/craftcms/cms/commit/6e608a1a5bfb36943f94f584b7548ca542a86fef...
Unauthenticated Craft CMS users can trigger a database backup
Unauthenticated users can trigger database backup operations the updater/backup action, potentially leading to resource exhaustion or information disclosure. Users should update to the patched versions 5.8.21 and 4.16.17 to mitigate the issue. Craft 3 users should update to the latest Craft 4 and...
Duplicate Advisory: ComfyUI-Manager has an Unprotected Alternate Channel (CWE-420)
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-95pq-hr8p-f5g7. This link is maintained to preserve external references. Original Description An issue in ComfyUI-Manager prior to version 3.38 allowed remote attackers to potentially manipulate its configuratio...
Craft CMS vulnerable to potential authenticated Remote Code Execution via Twig SSTI
For this to work, users must have administrator access to the Craft Control Panel, and allowAdminChanges must be enabled for this to work, which is against Craft CMS' recommendations for any non-dev environment...
Craft CMS vulnerable to Server-Side Request Forgery (SSRF) via GraphQL Asset Upload Mutation
The Craft CMS GraphQL saveAsset mutation is vulnerable to Server-Side Request Forgery SSRF. This vulnerability arises because the file input, specifically its url parameter, allows the server to fetch content from arbitrary remote locations without proper validation. Attackers can exploit this by...
Craft CMS vulnerable to potential information disclosure via unchecked asset relocation
Authenticated users on a Craft installation could potentially expose sensitive assets via their user profile photo via maliciously crafted requests. Users should update to the patched versions 5.8.21 and 4.16.17 to mitigate the issue. Resources:...
jsPDF has Local File Inclusion/Path Traversal vulnerability
Impact User control of the first argument of the loadFile method in the node.js build allows local file inclusion/path traversal. If given the possibility to pass unsanitized paths to the loadFile method, a user can retrieve file contents of arbitrary files in the local file system the node proce...
Apache SIS has Improper Restriction of XML External Entity Reference vulnerability
Improper Restriction of XML External Entity Reference vulnerability in Apache SIS. It is possible to write XML files in such a way that, when parsed by Apache SIS, an XML file reveals to the attacker the content of a local file on the server running Apache SIS. This vulnerability impacts the...
flagd: Multiple Go Runtime CVEs Impact Security and Availability
Summary In 2025, several vulnerabilities in the Go Standard Library were disclosed, impacting Go-based applications like flagd the evaluation engine for OpenFeature. These CVEs primarily focus on Denial of Service DoS through resource exhaustion and Race Conditions in database handling. | CVE ID ...
MessagePack for Java Vulnerable to Remote DoS via Malicious EXT Payload Allocation
Summary Affected Components: org.msgpack.core.MessageUnpacker.readPayload org.msgpack.core.MessageUnpacker.unpackValue org.msgpack.value.ExtensionValue.getData A denial-of-service vulnerability exists in MessagePack for Java when deserializing .msgpack files containing EXT32 objects with...
Vaadin vulnerable to Cross-site Scripting
Action captions in Vaadin accept HTML by default but were not sanitized, potentially allowing Cross-site Scripting XSS if caption content is derived from user input. In Vaadin Framework 7 and 8, the Action class is a general-purpose class that may be used by multiple components. The fixed version...
Apache Kyuubi Server vulnerable to Path Traversal
Any client who can access to Apache Kyuubi Server via Kyuubi frontend protocols can bypass server-side config kyuubi.session.local.dir.allow.list and use local files which are not listed in the config. This issue affects Apache Kyuubi: from 1.6.0 through 1.10.2. Users are recommended to upgrade t...
listmonk Vulnerable to Stored XSS Leading to Admin Account Takeover
Security Advisory: Stored XSS Leading to Admin Account Takeover Affected Versions: ≤ 5.1.0 Vulnerability Type: CWE-79: Stored Cross-Site Scripting --- Summary A lower-privileged user with campaign management permissions can inject malicious JavaScript into campaigns or templates. When a...
Bagisto is vulnerable to SSTI via name parameters provided by non-admin low-privilege users
Summary SSTI is possible via first name and last name parameters provided by lowest-privileged users. Details 1. Go to http://127.0.0.1:8000/ and login or signup 2. Go to http://127.0.0.1:8000/customer/account/profile 3. Now edit the first name and last name to 77 4. Notice it appears as 49 POC -...
Bagisto has IDOR in Customer Order Reorder Functionality
Summary An Insecure Direct Object Reference vulnerability in the customer order reorder function allows any authenticated customer to add items from another customer's order to their own shopping cart by manipulating the order ID parameter. This exposes sensitive purchase information and enables...
Bagisto has Normal & Blind SSTI from low-privilege user when ordering product
Summary SSTI when normal customer orders any product in add address step can inject value run in admin view. Details As normal user 1. Go to http://127.0.0.1:8000/ 2. Add order to cart and continue to checkout 3. In step of add address inject this value 77 in any input As admin 1. Go to...
Bagisto SSTI vulnerability in type parameter can lead to RCE
Summary SSTI is possible in Bagisto via type parameter can lead to RCE and other exploitations. Details 1. Go to http://127.0.0.1:8000/admin/reporting/products/view?type=77 Impact Can lead to RCE, command injection...
Bagisto has HTML Filter Bypass that Enables Stored XSS
Summary A stored Cross-Site Scripting XSS vulnerability exists in Bagisto 2.3.8 within the CMS page editor. Although the platform normally attempts to sanitize tags, the filtering can be bypassed by manipulating the raw HTTP POST request before submission. As a result, arbitrary JavaScript can be...
Bagisto Missing Authentication on Installer API Endpoints
Vulnerable Code File: packages/Ibkul/Installer/src/Routes/Ib.php groupfunction Route::controllerInstallerController::class-\groupfunction Route::get'install', 'index'-\name'installer.index'; Route::middlewareStartSession::class-\prefix'install/api'-\groupfunction Route::post'env-file-setup',...
Langflow Missing Authentication on Critical API Endpoints
Summary Multiple critical API endpoints in Langflow are missing authentication controls, allowing any unauthenticated user to access sensitive user conversation data, transaction histories, and perform destructive operations including message deletion. This affects endpoints handling personal dat...
AdonisJS Path Traversal in Multipart File Handling
Summary Description A Path Traversal CWE-22 vulnerability in AdonisJS multipart file handling may allow a remote attacker to write arbitrary files to arbitrary locations on the server filesystem. This impacts @adonisjs/bodyparser through version 10.1.1 and 11.x prerelease versions prior to...
Duplicate Advisory: Reflected XSS in go-httpbin due to unrestricted client control over Content-Type
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-528q-4pgm-wvg2. This link is maintained to preserve external references. Original Description A cross-site scripting XSS vulnerability in mccutchen httpbin v2.17.1 allows attackers to execute arbitrary web scrip...
Signal K Server vulnerable to JWT Token Theft via WebSocket Enumeration and Unauthenticated Polling
SignalK Server exposes two features that can be chained together to steal JWT authentication tokens without any prior authentication. The attack combines WebSocket-based request enumeration with unauthenticated polling of access request status. Unauthenticated WebSocket Request Enumeration: When ...
Signal K Server Vulnerable to Access Request Spoofing
The SignalK access request system has two related features that when combined by themselves and with the infromation disclosure vulnerability enable convincing social engineering attacks against administrators. When a device creates an access request, it specifies three fields: clientId,...
Signal K Server Vulnerable to Remote Code Execution via Malicious npm Package
The SignalK appstore interface allows administrators to install npm packages through a REST API endpoint. While the endpoint validates that the package name exists in the npm registry as a known plugin or webapp, the version parameter accepts arbitrary npm version specifiers including URLs. npm...
Signal K Server Vulnerable to Unauthenticated Information Disclosure via Exposed Endpoints
Note This is a separate issue from the RCE vulnerability State Pollution currently being patched. While related to tokensecurity.js, it involves different endpoints and risks. Summary An unauthenticated information disclosure vulnerability allows any user to retrieve sensitive system information,...
Signal K Server Vulnerable to Denial of Service via Unrestricted Access Request Flooding
Summary A Denial of Service DoS vulnerability allows an unauthenticated attacker to crash the SignalK Server by flooding the access request endpoint /signalk/v1/access/requests. This causes a "JavaScript heap out of memory" error due to unbounded in-memory storage of request objects. Details The...
Signal K Server has Unauthenticated State Pollution leading to Remote Code Execution (RCE)
Summary An unauthenticated attacker can pollute the internal state restoreFilePath of the server via the /skServer/validateBackup endpoint. This allows the attacker to hijack the administrator's "Restore" functionality to overwrite critical server configuration files e.g., security.json,...
Apache StreamPipes has Improper Privilege Management issue
A user with a legitimate non-administrator account can exploit a vulnerability in the user ID creation mechanism in Apache StreamPipes that allows them to swap the username of an existing user with that of an administrator. This vulnerability allows an attacker to gain administrative control over...
Feast vulnerable to Deserialization of Untrusted Data
A high-severity remote code execution vulnerability exists in feast-dev/feast version 0.53.0, specifically in the Kubernetes materializer job located at feast/sdk/python/feast/infra/computeengines/kubernetes/main.py. The vulnerability arises from the use of yaml.load..., Loader=yaml.Loader to...
Gitea's /api/v1/user endpoint has different responses for failed authentication depending on whether a username exists
In Gitea before 1.25.2, /api/v1/user has different responses for failed authentication depending on whether a username exists...
Trix has a stored XSS vulnerability through its attachment attribute
Impact The Trix editor, in versions prior to 2.1.16, is vulnerable to XSS attacks through attachment payloads. An attacker could inject malicious code into a data-trix-attachment attribute that, when rendered as HTML and clicked on, could execute arbitrary JavaScript code within the context of th...
serverless MCP Server vulnerable to Command Injection in list-projects tool
Summary A command injection vulnerability exists in the Serverless Framework's built-in MCP server package @serverless/mcp. This vulnerability only affects users of the experimental MCP server feature serverless mcp, which represents less than 0.1% of Serverless Framework users. The core Serverle...