33367 matches found
Grafana Incorrect Privilege Assignment vulnerability
SCIM provisioning was introduced in Grafana Enterprise and Grafana Cloud in April to improve how organizations manage users and teams in Grafana by introducing automated user lifecycle management. In Grafana versions 12.x where SCIM provisioning is enabled and configured, a vulnerability in user...
Vault’s Terraform Provider incorrectly set default deny_null_bind parameter for LDAP auth method to false by default
Vault’s Terraform Provider incorrectly set the default denynullbind parameter for the LDAP auth method to false by default, potentially resulting in an insecure configuration. If the underlying LDAP server allowed anonymous or unauthenticated binds, this could result in authentication bypass. Thi...
OpenFGA Improper Policy Enforcement
Overview OpenFGA v1.4.0 to v1.11.0 openfga-0.1.34 = Helm chart = openfga-0.2.48, v.1.4.0 = docker = v.1.11.0 are vulnerable to improper policy enforcement when certain Check and ListObject calls are executed. Am I Affected? You are affected by this vulnerability if you meet the following...
Minder does not sandbox http.send in Rego programs
Impact Minder users may fetch content in the context of the Minder server, which may include URLs which the user would not normally have access to for example, if the Minder server is behind a firewall or other network partition. Patches...
Clerk-js vulnerable to bypass of OAuth authentication flow by manipulating request at OTP verification stage
An issue was discovered in Clerk-js 5.88.0 allowing attackers to bypass the OAuth authentication flow by manipulating the request at the OTP verification stage...
authkit-nextjs may let session cookies be cached in CDNs
In authkit-nextjs version 2.11.0 and below, authenticated responses do not defensively apply anti-caching headers. In environments where CDN caching is enabled, this can result in session tokens being included in cached responses and subsequently served to multiple users. Next.js applications...
@anthropic-ai/claude-code has Sed Command Validation Bypass that Allows Arbitrary File Writes
Due to an error in sed command parsing, it was possible to bypass the Claude Code read-only validation and write to arbitrary files on the host system. Users on standard Claude Code auto-update will have received this fix automatically. Users performing manual updates are advised to update to the...
vLLM vulnerable to DoS via large Chat Completion or Tokenization requests with specially crafted `chat_template_kwargs`
Summary The /v1/chat/completions and /tokenize endpoints allow a chattemplatekwargs request parameter that is used in the code before it is properly validated against the chat template. With the right chattemplatekwargs parameters, it is possible to block processing of the API server for long...
vLLM vulnerable to DoS with incorrect shape of multimodal embedding inputs
Summary Users can crash the vLLM engine serving multimodal models by passing multimodal embedding inputs with correct ndim but incorrect shape e.g. hidden dimension is wrong, regardless of whether the model is intended to support such inputs as defined in the Supported Models page. The issue has...
vLLM deserialization vulnerability leading to DoS and potential RCE
Summary A memory corruption vulnerability that leading to a crash denial-of-service and potentially remote code execution RCE exists in vLLM versions 0.10.2 and later, in the Completions API endpoint. When processing user-supplied prompt embeddings, the endpoint loads serialized tensors using...
Snipe-IT has Cross-site Scripting vulnerability in CSV import workflow
Snipe-IT v8.3.4 build 20218 contains a reflected cross-site scripting XSS vulnerability in the CSV Import workflow. When an invalid CSV file is uploaded, the application returns a progressmessage value that is rendered as raw HTML in the admin interface. An attacker can intercept and modify the...
zx Uses Incorrectly-Resolved Name or Reference
When zx is invoked with --prefer-local=, the CLI creates a symlink named ./nodemodules pointing to /nodemodules. Due to a logic error in src/cli.ts linkNodeModules / cleanup, the function returns the target path instead of the alias symlink path. The later cleanup routine removes what it received...
OSV-SCALIBR has NULL Pointer Dereference
A bug in the filesystem traversal fallback path causes fs/diriterate/diriterate.go:Next to overindex an empty slice when ReadDir returns nil for an empty directory, resulting in a panic index out of range and an application crash denial of service in OSV-SCALIBR...
md-to-pdf vulnerable to arbitrary JavaScript code execution when parsing front matter
Summary A Markdown front-matter block that contains JavaScript delimiter causes the JS engine in gray-matter library to execute arbitrary code in the Markdown to PDF converter process of md-to-pdf library, resulting in remote code execution. Details md-to-pdf uses the gray-matter library to parse...
LangChain Vulnerable to Template Injection via Attribute Access in Prompt Templates
Context A template injection vulnerability exists in LangChain's prompt template system that allows attackers to access Python object internals through template syntax. This vulnerability affects applications that accept untrusted template strings not just template variables in ChatPromptTemplate...
@hpke/core reuses AEAD nonces
Summary The public SenderContext Seal API has a race condition which allows for the same AEAD nonce to be re-used for multiple Seal calls. This can lead to complete loss of Confidentiality and Integrity of the produced messages. Details The SenderContext Seal implementation allows for concurrent...
phppgadmin contains a SQL injection vulnerability
phpPgAdmin 7.13.0 and earlier contains a SQL injection vulnerability in display.php at line 396. The application passes user-controlled input from $REQUEST'query' directly to the browseQuery function without proper sanitization. An authenticated attacker can exploit this vulnerability to execute...
phppgadmin contains an incorrect access control vulnerability
phpPgAdmin 7.13.0 and earlier contains an incorrect access control vulnerability in sql.php at lines 68-76. The application allows unauthorized manipulation of session variables by accepting user-controlled parameters 'subject', 'server', 'database', 'queryid' without proper validation or access...
@perfood/couch-auth may expose session tokens, passwords
Session tokens and passwords in couch-auth 0.21.2 are stored in JavaScript objects and remain in memory without explicit clearing in src/user.ts lines 700-707. This creates a window of opportunity for sensitive data extraction through memory dumps, debugging tools, or other memory access...
phppgadmin vulnerable to Cross-site Scripting
phpPgAdmin versions 7.13.0 and earlier contain multiple cross-site scripting XSS vulnerabilities across various components. User-supplied inputs from $REQUEST parameters are reflected in HTML output without proper encoding or sanitization in multiple locations including sequences.php, indexes.php...
phppgadmin contains a SQL injection vulnerability
phpPgAdmin 7.13.0 and earlier contains a SQL injection vulnerability in dataexport.php at line 118. The application directly executes user-supplied SQL queries from the $REQUEST'query' parameter without any sanitization or parameterization via $data-conn-Execute$REQUEST'query'. An authenticated...
Resty has a Path Traversal vulnerability
A security vulnerability has been detected in Dreampie Resty versions up to the 1.3.1.SNAPSHOT. This affects the function Request of the file /resty-httpclient/src/main/java/cn/dreampie/client/HttpClient.java of the component HttpClient Module. Such manipulation of the argument filename leads to...
golang.org/x/crypto/ssh/agent vulnerable to panic if message is malformed due to out of bounds read
SSH Agent servers do not validate the size of messages when processing new identity requests, which may cause the program to panic if the message is malformed due to an out of bounds read...
golang.org/x/crypto/ssh allows an attacker to cause unbounded memory consumption
SSH servers parsing GSSAPI authentication requests do not validate the number of mechanisms specified in the request, allowing an attacker to cause unbounded memory consumption...
OpenSTAManager has Authenticated SQL Injection in API via 'display' parameter
Summary An authenticated SQL Injection vulnerability in the API allows any user, regardless of permission level, to execute arbitrary SQL queries. By manipulating the display parameter in an API request, an attacker can exfiltrate, modify, or delete any data in the database, leading to a full...
Claude Code vulnerable to command execution prior to startup trust dialog
When using Claude Code with Yarn installed, Yarn config files can trigger code execution when running yarn --version. This could lead to a bypass of the directory trust dialog in Claude Code, as plugins and yarnPath could be executed prior to the user accepting the risks of working in an untruste...
esm.sh CDN service has JS Template Literal Injection in CSS-to-JavaScript
Summary The esm.sh CDN service contains a Template Literal Injection vulnerability CWE-94 in its CSS-to-JavaScript module conversion feature. When a CSS file is requested with the ?module query parameter, esm.sh converts it to a JavaScript module by embedding the CSS content directly into a...
esm.sh CDN service has arbitrary file write via tarslip
Summary The esm.sh CDN service is vulnerable to a Path Traversal CWE-22 vulnerability during NPM package tarball extraction. An attacker can craft a malicious NPM package containing specially crafted file paths e.g., package/../../tmp/evil.js. When esm.sh downloads and extracts this package, file...
Astro Cloudflare adapter has Stored Cross-site Scripting vulnerability in /_image endpoint
Summary A Cross-Site Scripting XSS vulnerability exists in Astro when using the @astrojs/cloudflare adapter with output: 'server'. The built-in image optimization endpoint /image uses isRemoteAllowed from Astro’s internal helpers, which unconditionally allows data: URLs. When the endpoint receive...
Astro's middleware authentication checks based on url.pathname can be bypassed via url encoded values
A mismatch exists between how Astro normalizes request paths for routing/rendering and how the application’s middleware reads the path for validation checks. Astro internally applies decodeURI to determine which route to render, while the middleware uses context.url.pathname without applying the...
Astro vulnerable to reflected XSS via the server islands feature
Summary After some research it appears that it is possible to obtain a reflected XSS when the server islands feature is used in the targeted application, regardless of what was intended by the component templates. Details Server islands run in their own isolated context outside of the page reques...
Astro Development Server has Arbitrary Local File Read
Summary A vulnerability has been identified in the Astro framework's development server that allows arbitrary local file read access through the image optimization endpoint. The vulnerability affects Astro development environments and allows remote attackers to read any image file accessible to t...
authentik's invitation expiry is delayed by at least 5 minutes
Summary In previous authentik versions, invitations were considered valid regardless if they are expired or not, thus relying on background tasks to clean up expired ones. In a normal scenario this can take up to 5 minutes because the cleanup of expired objects is scheduled to run every 5 minutes...
authentik allows a deactivated Service account to authenticate to OAuth
Summary When authenticating with clientid and clientsecret to an OAuth provider, authentik creates a service account for the provider. In previous authentik versions, authentication for this account was possible even when the account was deactivated. Other permissions are correctly applied and...
Apache Causeway vulnerable to deserialization in Java
Apache Causeway faces Java deserialization vulnerabilities that allow remote code execution RCE through user-controllable URL parameters. These vulnerabilities affect all applications using Causeway's ViewModel functionality and can be exploited by authenticated attackers to execute arbitrary cod...
MongoDB driver extension affected by mongoc_bulk_operation_t's read of invalid memory
A mongocbulkoperationt may read invalid memory if large options are passed...
Modular Max Serve has Unsafe Deserialization vulnerability
Unsafe Deserialization vulnerability in Modular Max Serve before 25.6, specifically when the "--experimental-enable-kvcache-agent" feature is used allowing attackers to execute arbitrary code...
XWiki view file macro: User can view content of office file without view rights on the attachment
Summary A user with no view rights on a page may see the content of an office attachment displayed with the view file macro. Details If on a public page is displayed an office attachment from a restricted page, a user with no view rights on the restricted page can view the attachment content, no...
LibreNMS is vulnerable to SQL Injection (Boolean-Based Blind) in hostname parameter in ajax_output.php endpoint
Summary A Boolean-Based Blind SQL Injection vulnerability was identified in the LibreNMS application at the /ajaxoutput.php endpoint. The hostname parameter is interpolated directly into an SQL query without proper sanitization or parameter binding, allowing an attacker to manipulate the query...
Backdrop CMS Host Header Injection vulnerability
Host Header Injection vulnerability in Backdrop CMS 1.32.1 allows attackers to manipulate the Host header in password reset requests, leading to redirects to malicious domains and potential session hijacking via cookie injection...
Drupal core allows Object Injection
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8...
Drupal core allows Content Spoofing
User Interface UI Misrepresentation of Critical Information vulnerability in Drupal Drupal core allows Content Spoofing. This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8...
Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels
Use of Web Browser Cache Containing Sensitive Information vulnerability in Drupal Drupal core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before...
Drupal core allows Forceful Browsing
Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Drupal core allows Forceful Browsing. This issue affects Drupal core: from 8.0.0 before 10.4.9, from 10.5.0 before 10.5.6, from 11.0.0 before 11.1.9, from 11.2.0 before 11.2.8...
Mattermost allows other users to determine when users had read channels via channel member objects
Mattermost versions 10.11.x = 10.11.3, and 10.5.x = 10.5.11 fail to enforce access permissions on the Agents plugin which allows other users to determine when users had read channels via channel member objects...
Drupal Simple multi step form allows Cross-Site Scripting
Improper Neutralization of Input During Web Page Generation "Cross-site Scripting" vulnerability in Drupal Simple multi step form allows Cross-Site Scripting XSS.This issue affects Simple multi step form: from 0.0.0 before 2.0.0...
Drupal Email TFA allows Functionality Bypass
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Email TFA allows Functionality Bypass. This issue affects Email TFA: from 0.0.0 before 2.0.6...
Eclipse Jersey has a Race Condition
In Eclipse Jersey versions 2.45, 3.0.16, 3.1.9 a race condition can cause ignoring of critical SSL configurations - such as mutual authentication, custom key/trust stores, and other security settings. This issue may result in SSLHandshakeException under normal circumstances, but under certain...
joserfc has Possible Uncontrolled Resource Consumption Vulnerability Triggered by Logging Arbitrarily Large JWT Token Payloads
Summary The ExceededSizeError exception messages are embedded with non-decoded JWT token parts and may cause Python logging to record an arbitrarily large, forged JWT payload. Details In situations where a misconfigured — or entirely absent — production-grade web server sits in front of a Python...
LibreNMS has Weak Password Policy
Summary A Weak Password Policy vulnerability was identified in the user management functionality of the LibreNMS application. This vulnerability allows administrators to create accounts with extremely weak and predictable passwords, such as 12345678. This exposes the platform to brute-force and...