Lucene search
K
GithubRecent

33312 matches found

Github Security Blog
Github Security Blog
added 2025/12/31 10:1 p.m.22 views

CBORDecoder reuse can leak shareable values across decode calls

Summary When a CBORDecoder instance is reused across multiple decode operations, values marked with the shareable tag 28 persist in memory and can be accessed by subsequent CBOR messages using the sharedref tag 29. This allows an attacker-controlled message to read data from previously decoded...

7.5CVSS6.8AI score0.00423EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/31 6:30 a.m.7 views

libsodium has Incomplete List of Disallowed Inputs

libsodium before ad3004e, in atypical use cases involving certain custom cryptography or untrusted data to cryptocoreed25519isvalidpoint, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group. This advisoory...

4.5CVSS6.5AI score0.00166EPSS
Exploits0References14Affected Software3
Github Security Blog
Github Security Blog
added 2025/12/30 11:45 p.m.9 views

theshit vulnerable to unsafe loading of user-owned Python rules when running as root

Impact Vulnerability Type: Local Privilege Escalation LPE / Arbitrary Code Execution. The application loads custom Python rules and configuration files from user-writable locations e.g., /.config/theshit/ without validating ownership or permissions when executed with elevated privileges. If the...

6.7CVSS7.4AI score0.0012EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/30 11:8 p.m.3 views

ImageMagick's failure to limit MVG mutual causes Stack Overflow

Summary Magick fails to check for circular references between two MVGs, leading to a stack overflow. Details After reading mvg1 using Magick, the following is displayed: ./magick -limit memory 2GiB -limit map 2GiB -limit disk 0 mvg:L1.mvg out.png AddressSanitizer:DEADLYSIGNAL...

6.2CVSS6.9AI score0.00164EPSS
Exploits0References4Affected Software17
Github Security Blog
Github Security Blog
added 2025/12/30 11:6 p.m.12 views

RustFS has a gRPC Hardcoded Token Authentication Bypass

Vulnerability Overview Description RustFS implements gRPC authentication using a hardcoded static token "rustfs rpc" that is: 1. Publicly exposed in the source code repository 2. Hardcoded on both client and server sides 3. Non-configurable with no mechanism for token rotation 4. Universally vali...

9.8CVSS7.5AI score0.2903EPSS
Exploits3References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/30 10:54 p.m.6 views

ImageMagick's failure to limit the depth of SVG file reads caused a DoS attack

Summary Using Magick to read a malicious SVG file resulted in a DoS attack. Details bt obtained using gdb: 4 0x0000555555794c9c in ResizeMagickMemory memory=0x7fffee203800, size=391344 at MagickCore/memory.c:1443 5 0x0000555555794e5a in ResizeQuantumMemory memory=0x7fffee203800, count=48918,...

7.5CVSS7.3AI score0.00552EPSS
Exploits1References4Affected Software17
Github Security Blog
Github Security Blog
added 2025/12/30 9:30 p.m.13 views

Temporal has an Incorrect Authorization vulnerability

When system.enableCrossNamespaceCommands is enabled on by default, the Temporal server permits certain workflow task commands e.g. StartChildWorkflowExecution, SignalExternalWorkflowExecution, RequestCancelExternalWorkflowExecution to target a different namespace than the namespace authorized at...

5.3CVSS7.3AI score0.00358EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/30 9:30 p.m.11 views

Temporal has a namespace policy bypass allowing requests to be authorized for incorrect contexts

When frontend.enableExecuteMultiOperation is enabled, the server can apply namespace-scoped validation and feature gates for the embedded StartWorkflowExecutionRequest using its Namespace field rather than the outer, authorized ExecuteMultiOperationRequest.Namespace. This allows a caller authoriz...

5.3CVSS6.9AI score0.00415EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/30 9:7 p.m.10 views

URI Credential Leakage Bypass over CVE-2025-27221

Impact In affected URI version, a bypass exists for the fix to CVE-2025-27221 that can expose user credentials. When using the + operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential...

7.5CVSS6.6AI score0.0051EPSS
Exploits0References11Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/30 9:2 p.m.22 views

qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion

Summary The arrayLimit option in qs did not enforce limits for bracket notation a=1&a=2, only for indexed notation a0=1. This is a consistency bug; arrayLimit should apply uniformly across all array notations. Note: The default parameterLimit of 1000 effectively mitigates the DoS scenario...

6.3CVSS7.2AI score0.0041EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/30 8:52 p.m.10 views

FacturaScripts is Vulnerable to Stored Cross-Site Scripting (XSS) via XML File Upload

A stored cross-site scripting XSS vulnerability exists in the product file upload functionality. Authenticated users can upload crafted XML files containing executable JavaScript. These files are later rendered by the application without sufficient sanitization or content-type enforcement, allowi...

5.4CVSS6.2AI score0.00981EPSS
Exploits2References6Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/30 7:34 p.m.15 views

YOURLS is vulnerable to XSS through JSONP and Callback request parameters

Summary The callback and jsonp request parameters are directly concatenated into the response without any sanitization that allowing attackers to inject arbitrary JS code. When YOURLSPRIVATE is set to false public API mode, this vulnerability can be exploited by any unauthenticated attacker. In...

6.7AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/30 7:25 p.m.13 views

PsiTransfer has Zip Slip Path Traversal via TAR Archive Download

Summary A Zip Slip vulnerability in PsiTransfer allows an unauthenticated attacker to upload files with path traversal sequences in the filename e.g. ../../../.ssh/authorizedkeys. When a victim downloads the bucket as a .tar.gz archive and extracts it, malicious files are written outside the...

7.4AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/30 5:44 p.m.10 views

Composer is vulnerable to ANSI sequence injection

Impact Attackers controlling remote sources that Composer downloads from might in some way inject ANSI control characters in the terminal output of various Composer commands, causing mangled output and potentially leading to confusion or DoS of the terminal application. There is no proven exploit...

5.3CVSS6.8AI score0.00405EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/30 3:37 p.m.18 views

axios-cache-interceptor Vulnerable to Cache Poisoning via Ignored HTTP Vary Header

Summary When a server calls an upstream service using different auth tokens, axios-cache-interceptor returns incorrect cached responses, leading to authorization bypass. Details The cache key is generated only from the URL, ignoring request headers like Authorization. When the server responds wit...

6.5CVSS7AI score0.00272EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/30 3:32 p.m.9 views

Nest has a Fastify URL Encoding Middleware Bypass (TOCTOU)

A NestJS application is vulnerable if it meets all of the following criteria: 1. Platform: Uses @nestjs/platform-fastify. 2. Security Mechanism: Relies on NestMiddleware via MiddlewareConsumer for security checks authentication, authorization, etc., or through app.use 3. Routing: Applies middlewa...

9.1CVSS6.9AI score0.00355EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/30 3:31 p.m.7 views

phpMyFAQ has unauthenticated config backup download via /api/setup/backup

Summary An unauthenticated remote attacker can trigger generation of a configuration backup ZIP via POST /api/setup/backup and then download the generated ZIP from a web-accessible location. The ZIP contains sensitive configuration files e.g., database.php with database credentials, leading to...

7.5CVSS6.8AI score0.02005EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/30 3:24 p.m.129 views

Picklescan is vulnerable to RCE via missing detection when calling built-in python _operator.attrgetter

Summary Picklescan uses operator.attrgetter, which is a built-in python library function to execute remote pickle files. Details The attack payload executes in the following steps: - First, the attacker crafts the payload by calling the operator.attrgetter function in the reduce method. - Then,...

7.8AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/30 3:22 p.m.545 views

Picklescan is vulnerable to RCE via missing detection when calling built-in python _operator.methodcaller

Summary Picklescan uses operator.methodcaller, which is a built-in python library function to execute remote pickle files. Details The attack payload executes in the following steps: - First, the attacker crafts the payload by calling to operator.methodcaller function in reduce method - Then when...

7.8AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/30 3:20 p.m.10 views

Picklescan is vulnerable to RCE through missing detection when calling numpy.f2py.crackfortran._eval_length

Summary Picklescan uses the numpy.f2py.crackfortran.evallength function a NumPy F2PY helper to execute arbitrary Python code during unpickling. Details Picklescan fails to detect a malicious pickle that uses the gadget numpy.f2py.crackfortran.evallength in reduce, allowing arbitrary command...

8.1CVSS8AI score0.00301EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/30 3:18 p.m.9 views

Picklescan is vulnerable to RCE via missing detection when calling numpy.f2py.crackfortran.getlincoef

Summary Picklescan uses the numpy.f2py.crackfortran.getlincoef function a NumPy F2PY helper to execute arbitrary Python code during unpickling. Details Picklescan fails to detect a malicious pickle that uses the gadget numpy.f2py.crackfortran.getlincoef in reduce, allowing arbitrary command...

8AI score
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/30 3:13 p.m.8 views

Pterodactyl has a Reflected XSS vulnerability in “Create New Database Host”

!NOTE Message from the Pterodactyl team: The Pterodactyl team has evaluated this as a minor security issue but does not consider it something that should be assigned a CVE, nor does it require active patching by vulnerable systems. This issue is entirely self-inflicted and requires an...

6AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/30 12:32 a.m.8 views

Visual Studio Code Go extension has unexpected untrusted code execution

To prevent unexpected untrusted code execution, the Visual Studio Code Go extension is now disabled in Restricted Mode...

5.4CVSS7.4AI score0.00418EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/29 10:44 p.m.9 views

Picklescan is vulnerable to RCE via missing detection when calling numpy.f2py.crackfortran.param_eval

Summary Picklescan uses numpy.f2py.crackfortran.parameval, which is a function in numpy to execute remote pickle files. Details The attack payload executes in the following steps: - First, the attacker crafts the payload by calling the numpy.f2py.crackfortran.parameval function via reduce method....

7.9AI score
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/29 10:12 p.m.10 views

phpMyFAQ has Stored XSS in user list via admin-managed display_name

Summary A stored cross-site scripting XSS vulnerability allows an attacker to execute arbitrary JavaScript in an administrator’s browser by registering a user whose display name contains HTML entities e.g., img .... When an administrator views the admin user list, the payload is decoded server-si...

6.1CVSS5.7AI score0.0023EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/29 10:1 p.m.11 views

Bugs that survive the heat of continuous fuzzing

Even when a project has been intensively fuzzed for years, bugs can still survive. ​​OSS-Fuzz is one of the most impactful security initiatives in open source. In collaboration with the OpenSSF Foundation, it has helped to find thousands of bugs in open-source software. Today, OSS-Fuzz fuzzes mor...

7.1AI score0.22791EPSS
Exploits3
Github Security Blog
Github Security Blog
added 2025/12/29 9:31 p.m.9 views

hemmelig allows SSRF Filter bypass via Secret Request functionality

Summary A Server-Side Request Forgery SSRF filter bypass vulnerability exists in the webhook URL validation of the Secret Requests feature. The application attempts to block internal/private IP addresses but can be bypassed using DNS rebinding e.g., localtest.me which resolves to 127.0.0.1 or ope...

4.3CVSS6.6AI score0.0019EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/29 8:4 p.m.8 views

Picklescan is vulnerable to RCE through missing detection when calling numpy.f2py.crackfortran.myeval

Summary Picklescan uses numpy.f2py.crackfortran.myeval, which is a function in numpy to execute remote pickle files. Details The attack payload executes in the following steps: - First, the attacker crafts the payload by calling the numpy.f2py.crackfortran.myeval function in its reduce method -...

7.9AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/29 8:3 p.m.10 views

Picklescan is vulnerable to RCE through missing detection when calling built-in python operator.methodcaller

Summary Picklescan uses operator.methodcaller, which is a built-in python library function to execute remote pickle files. Details The attack payload executes in the following steps: - First, the attacker crafts the payload by calling the operator.methodcaller function in method reduce. - Then,...

7.9AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/29 3:27 p.m.7 views

Picklescan missing detection when calling numpy.f2py.crackfortran.getlincoef

Summary An unsafe deserialization vulnerability allows an attacker to execute arbitrary code on the host when loading a malicious pickle payload from an untrusted source. Details The numpy.f2py.crackfortran module exposes many functions that call eval on arbitrary strings of values. This is the...

7.8AI score
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/29 3:26 p.m.6 views

Picklescan Bypasses Unsafe Globals Check using pty.spawn

Summary The vulnerability allows malicious actors to bypass PickleScan's unsafe globals check, leading to potential arbitrary code execution. The issue stems from the absence of the pty library more specifically, of the pty.spawn function from PickleScan's list of unsafe globals. This vulnerabili...

8.8CVSS8.3AI score0.00384EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/29 3:24 p.m.6 views

Picklescan missing detection when calling pty.spawn

Summary Using pty.spawn, which is a built-in python library function to execute arbitrary commands on the host system. Details The attack payload executes in the following steps: First, the attacker craft the payload by calling to pty.spawn function in the reduce method. Then the victim attempts ...

7.9AI score
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/29 3:24 p.m.5 views

Picklescan has Incomplete List of Disallowed Inputs

Summary Currently picklescanner only blocks some specific functions of the pydoc and operator modules. Attackers can use other functions within these allowed modules to go through undetected and achieve RCE on the final user. Particularly pydoc.locate: Can dynamically resolve and import arbitrary...

9.8CVSS7.2AI score0.00623EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/29 3:23 p.m.9 views

Picklescan does not block ctypes

Summary Picklescan doesnt flag ctypes module as a dangerous module, which is a huge issue. ctypes is basically a foreign function interface library and can be used to Load DLLs Call C functions directly Manipulate memory raw pointers. This can allow attackers to achieve RCE by invoking direct...

9.8CVSS6.9AI score0.00757EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/29 3:22 p.m.9 views

Picklescan vulnerable to Arbitrary File Writing

Summary Picklescan has got open and shutil in its default dangerous blocklist to prevent arbitrary file overwrites. However the module distutils isnt blocked and can be used for the same purpose ie to write arbitrary files. Details This is another vulnerability which impacts the downstream user. ...

9.8CVSS7.4AI score0.00624EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/27 3:30 p.m.7 views

SQLE's JWT Secret Handler can be manipulated to use hard-coded cryptographic key

A security vulnerability has been detected in actiontech sqle up to 4.2511.0. The impacted element is an unknown function of the file sqle/utils/jwt.go of the component JWT Secret Handler. The manipulation of the argument JWTSecretKey leads to use of hard-coded cryptographic key. The attack is...

8.1CVSS4.3AI score0.00564EPSS
Exploits1References8Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/26 11:20 p.m.11 views

FastMCP updated to MCP 1.23+ due to CVE-2025-66416

There was a recent CVE report on MCP: https://nvd.nist.gov/vuln/detail/CVE-2025-66416. FastMCP does not use any of the affected components of the MCP SDK directly. However, FastMCP versions prior to 2.14.0 did allow MCP SDK versions 1.23 that were vulnerable to CVE-2025-66416. Users should upgrad...

8.1CVSS7.5AI score0.00463EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/26 6:55 p.m.8 views

ruint affected by unsoundness of safe `reciprocal_mg10`

The function reciprocalmg10 is marked as safe but can trigger undefined behavior out-of-bounds access because it relies on debugassert! for safety checks instead of assert!. When compiled in release mode, the debugassert! is optimized out, potentially allowing invalid inputs to cause memory...

7.3AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/26 6:30 p.m.9 views

Croogo CMS has a path traversal vulnerability

A path traversal vulnerability in Croogo CMS 4.0.7 allows remote attackers to read arbitrary files via a specially crafted path in the 'edit-file' parameter...

6.5CVSS6.9AI score0.00597EPSS
Exploits2References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/26 6:30 p.m.9 views

apidoc-core has a prototype pollution vulnerability

Prototype pollution vulnerability in apidoc-core versions 0.2.0 and all subsequent versions allows remote attackers to modify JavaScript object prototypes via malformed data structures, including the “define” property processed by the application, potentially leading to denial of service or...

9.3CVSS7AI score0.00443EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/26 6:26 p.m.21 views

Self-hosted n8n has Legacy Code node that enables arbitrary file read/write

Impact In self-hosted n8n instances where the Code node runs in legacy non-task-runner JavaScript execution mode, authenticated users with workflow editing access can invoke internal helper functions from within the Code node. This allows a workflow editor to perform actions on the n8n host with...

7.1CVSS6.9AI score0.00242EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/26 6:18 p.m.22 views

n8n Vulnerable to Arbitrary Command Execution in Pyodide based Python Code Node

Impact A sandbox bypass vulnerability exists in the Python Code Node that uses Pyodide. An authenticated user with permission to create or modify workflows can exploit this vulnerability to execute arbitrary commands on the host system running n8n, using the same privileges as the n8n process...

9.9CVSS7.7AI score0.12685EPSS
Exploits4References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/26 5:34 p.m.13 views

lmdeploy vulnerable to Arbitrary Code Execution via Insecure Deserialization in torch.load()

Summary An insecure deserialization vulnerability exists in lmdeploy where torch.load is called without the weightsonly=True parameter when loading model checkpoint files. This allows an attacker to execute arbitrary code on the victim's machine when they load a malicious .bin or .pt model file...

8.8CVSS8.1AI score0.00487EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/26 5:30 p.m.12 views

n8n's Possible Stored XSS in "Respond to Webhook" Node May Execute Outside iframe Sandbox

Summary A stored Cross-Site Scripting XSS vulnerability may occur in n8n when using the “Respond to Webhook” node. When this node responds with HTML content containing executable scripts, the payload may execute directly in the top-level window, rather than within the expected sandbox introduced ...

7.3CVSS6.2AI score0.00217EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/26 3:30 p.m.8 views

libxmljs has segmentation fault, potentially leading to a denial-of-service (DoS)

A vulnerability exists in the libxmljs 1.0.11 when parsing a specially crafted XML document. Accessing the internal ref property on entityref and entitydecl nodes causes a segmentation fault, potentially leading to a denial-of-service DoS...

7.5CVSS6.9AI score0.00388EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/26 6:30 a.m.10 views

Gitea vulnerable to Cross-site Scripting

In Gitea before 1.20.1, a forbidden URL scheme such as javascript: can be used for a link, aka XSS...

5.4CVSS6.9AI score0.00222EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/26 6:30 a.m.8 views

Gitea sometimes mishandles propagation of token scope for access control within one of its own package registries

Gitea before 1.22.2 sometimes mishandles the propagation of token scope for access control within one of its own package registries...

5.3CVSS7AI score0.00253EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/26 6:30 a.m.7 views

Gitea: anonymous user can visit private user's project

In Gitea before 1.21.2, an anonymous user can visit a private user's project...

5.8CVSS6.9AI score0.00328EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/26 6:30 a.m.10 views

Gitea inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order

Gitea before 1.21.8 inadvertently discloses users' login times by allowing for example the lastlogintime explore/users sort order...

5.3CVSS7AI score0.00328EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2025/12/26 3:30 a.m.7 views

Gitea allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text

Gitea before 1.22.2 allows XSS because the search input box for creating tags and branches is v-html instead of v-text...

5.4CVSS6.4AI score0.00222EPSS
Exploits0References5Affected Software1
Total number of security vulnerabilities33312