33187 matches found
py7zr: Arbitrary File Write Vulnerability
Summary There exists an arbitrary file write vulnerability in py7zr 1.1.0, latest, which allows symbolic links to be recreated outside the destination directory via crafted malicious symbolic link chains. When using extractall to extract an archive, the library restores these symbolic links,...
TypeORM: SQL Injection in UpdateQueryBuilder/SoftDeleteQueryBuilder orderBy (MySQL/MariaDB)
Impact Blind SQL injection vulnerability in UpdateQueryBuilder and SoftDeleteQueryBuilder affecting MySQL and MariaDB users. UpdateQueryBuilder and SoftDeleteQueryBuilder including their addOrderBy variants do not validate the order parameter against an allowlist of permitted values ASC/DESC. The...
Hugo: security.http.urls deny rules bypassed by alternate IPv4 encodings (SSRF)
Impact The default security.http.urls policy denies requests to loopback, internal, and cloud-metadata IPv4 literals e.g. http://127.0.0.1/, http://169.254.169.254/. The deny rule only matched dotted-decimal notation, so alternate IPv4 encodings of the same addresses — integer, hex, or octal, whi...
AlchemyCMS: Unauthenticated nested page API leaks restricted & unpublished content
Unauthenticated nested page API leaks restricted & unpublished content - Location: app/controllers/alchemy/api/pagescontroller.rb:28 Api::PagesControllernested - Affected version: Alchemy CMS 8.3.0.dev Rails 8.1.3 Description The unauthenticated GET /api/pages/nested endpoint returns the full pag...
Hugo: Symlink confinement bypass in os.ReadFile
Affected versions: v0.123.0 through v0.163.0. Earlier versions are not affected. Fixed in: v0.163.1. Severity: Medium. Requires the attacker to be able to place or convince a site author to place a symlink inside a mounted directory — for example, inside a locally-vendored theme under themes/...
Hugo: XSS via unescaped code-fence language in default code block renderer
Hugo's default code-block renderer wrote the Markdown code-fence language / info-string into the wrapper without HTML escaping. A fence info-string containing a quote and a payload breaks out of the attribute and injects a live script element. This is not an issue if you fully trust every file...
OpenZeppelin Contracts Wizard: Line terminators in info.securityContact / info.license can inject lines into generated source
Summary The Contracts Wizard generators printed info.securityContact and info.license verbatim into a single-line comment of the generated Solidity, Cairo, Stellar/Soroban, and Stylus source without rejecting line terminators. A newline \n or \r\n in either field ends the comment, so the text aft...
Nokogiri: Possible Use-After-Free when setting an attribute value via `Nokogiri::XML::Attr#value=` or `#content=`
Summary Nokogiri’s CRuby native extension could leave a Ruby wrapper pointing to freed memory when replacing the value of an XML attribute. If Ruby code had already accessed an attribute child node, Nokogiri::XML::Attrvalue= could free the underlying native child node while the wrapper remained...
Nokogiri: Possible Use-After-Free in XInclude Processing
Summary XInclude substitution performed by Nokogiri::XML::Nodedoxinclude replaced each in place, freeing the include node along with its children such as and its descendants and any namespaces declared on them. If an application had already exposed one of those nodes or namespaces to Ruby, the...
Nokogiri: Possible Use-After-Free when directly using `NokogirI::XML::XPathContext` beyond document lifetime
Summary Nokogiri::XML::XPathContext did not keep its source document alive for garbage collection. If an XPathContext outlived its document and the document was collected, evaluating an XPath expression could read invalid memory and potentially segfault. This is only reachable when application co...
Nokogiri: Possible Use-After-Free when setting `Document#root=` to an invalid node type
Summary Nokogiri::XML::Documentroot= validated only that the new root was a Nokogiri::XML::Node, allowing a DTD node to be set as the document root. The result is a heap use-after-free during garbage collection or finalization, leading to an invalid memory read or potentially a segfault. Nokogiri...
Nokogiri: Possible Out-of-Bounds Read in `Nokogiri::XML::NodeSet#[]`
Summary Nokogiri::XML::NodeSet and its alias slice checked the requested index against the node set's bounds using a 32-bit-truncated copy of the index. A large negative index could pass the check and then be used at full width, reading outside the node set's storage. On CRuby this is an...
Nokogiri: Null Pointer Dereference calling methods on uninitialized wrapper classes
Summary Nokogiri contains a bug when calling certain methods on allocated-but-uninitialized native wrapper classes that inherit from Nokogiri::XML::Node. This caused a NULL pointer dereference that could crash the process. Nokogiri 1.19.4 checks for missing native data pointers and raises a...
Nokogiri: XML::Schema on JRuby allows network requests when NONET is set, bypassing CVE-2020-26247
Summary The NONET parse option, which Nokogiri turns on by default for Nokogiri::XML::Schema see CVE-2020-26247, was not correctly enforced on the JRuby implementation. As a result, a schema parsed with default options could still cause external resources to be fetched over the network, potential...
Nokogiri: Possible Use-After-Free when `Nokogiri::XML::Document#encoding=` raises an exception
Summary Calling Documentencoding= with an invalid encoding e.g., a non-string, or a string containing a null byte raises an exception, but only after freeing the document's current encoding string without replacing it. The document is left referencing freed memory, so the next call to...
OpenTofu: Possible arbitrary file read during certain git operations via a maliciously crafted URL
Impact Possible data exposure. Summary While downloading packages from a maliciously crafted URL, some git operations against that URL could allow arbitrary file read. This might allow disclosure of confidential information. Details OpenTofu relies on go-getter for downloading packages like...
Agentic-Flow: OS Command Injection in agentic-flow MCP server tools via unsanitized tool-parameter interpolation into execSync
Summary agentic-flow versions = 2.0.13 MCP server tools interpolated attacker-influenceable tool parameters e.g. agent, task, name, language, agentdb arguments directly into shell command strings passed to execSync. A malicious value reaching any of the affected MCP tools could break out of the...
ouroboros-ai: Incomplete fix of CVE-2026-47211: untrusted project .env can still reach RCE via omitted execution-routing keys
Impact The CVE-2026-47211 fix 0.39.0 added UNTRUSTEDENVDENYLIST to stop an untrusted project-directory .env from redirecting execution. The denylist was incomplete — several execution-routing keys of the same RCE class were omitted, so a malicious cloned repo can still reach arbitrary command...
JupyterLab: Stored XSS in extension manager through package metadata unsanitized URI protocol
A malicious PyPI package can place a javascript: URL in its project.urls metadata. JupyterLab's Extension Manager renders this as the extension's home-page link without validating the protocol, so a user who clicks the extension name executes attacker-controlled JavaScript in the JupyterLab origi...
DotVVM: Unrestricted file upload
Impact All users of DotVVM with configured file upload storage are affected. DotVVM allows anyone to upload files to the application, potentially causing denial of service by filling the disk. Patches Since version 4.3.15, 4.2.11 and 5.0.0-preview09, DotVVM requires all file upload request to hav...
DotVVM: Missing authorization in AuthorizeActionFilter
Impact All users of the AuthorizeActionFilter class are affected. The AuthorizeActionFilter simply does nothing, no “hacking” is needed to bypass the filter. Patches DotVVM 4.3.15, 4.2.11 and 5.0.0-preview09 fix this. Workarounds As a workaround, you can use the AuthorizeAttribute instead. It...
ReDoS in DotVVM routing
Impact This impacts users which use multiple unconstrained route parameters not separated by a /. For instance, the following code is vulnerable: var route = new DotvvmRoute"edit/a-b-c/done", null, "testpage", null, null, configuration; var adversarialInput = "edit/" + new string'-', 32000;...
agent-coderag: Gradle Wrapper Execution During Dependency Discovery Enables Arbitrary Code Execution
Gradle Wrapper Execution During Dependency Discovery Enables Arbitrary Code Execution Summary agent-coderag unconditionally executes a repository-controlled gradlew script during its default sync dependency-discovery flow. An attacker who can induce a victim to index a malicious Gradle repository...
Entire CLI: Path traversal in checkpoint session metadata allows arbitrary file write during resume/rewind
Impact A path traversal vulnerability in Entire CLI allows an attacker with push access to the checkpoints repository to craft malicious checkpoint metadata that causes entire session resume or entire checkpoint rewind to write attacker-controlled transcript data outside of the expected session...
parse-server: Denial of service via exponential-time processing of deeply nested query operators
Impact Parse Server is vulnerable to denial of service. A remote attacker can send a single, small query 1 KB containing deeply nested query condition operators. Parse Server processes the nested structure with exponential time complexity, which blocks the Node.js event loop and makes the server...
Improper neutralization of argument delimiters in AWS Bedrock AgentCore Python SDK install_packages()
Summary The AWS Bedrock AgentCore Python SDK bedrock-agentcore is an open-source SDK that enables developers to build, deploy, and manage agents on AWS Bedrock AgentCore. An issue exists in the installpackages method of the Code Interpreter client where crafted package name arguments can bypass...
tract: Arbitrary file read via unsanitized ONNX external_data `location` (path traversal) on model load in tract-onnx
Summary tract the tract-onnx crate resolves an ONNX tensor's external-data location by joining it onto the model directory without any sanitization. Because location comes from the untrusted .onnx file, a malicious model can make tract open and read an arbitrary local file at load time, with the...
CedarJava has policy injection vulnerability
Summary CedarJava is an open source Java implementation of the Cedar policy language, used for fine-grained authorization decisions. Under certain circumstances, improper input handling could allow policy injection. Impact Cedar-expression injection via unescaped toCedarExpr The toCedarExpr metho...
CedarJava has type confusion vulnerability
Summary CedarJava is an open source Java implementation of the Cedar policy language, used for fine-grained authorization decisions. Under certain circumstances, improper input handling could allow type confusion across the Java-Rust FFI boundary. Impact Record-to-Entity type confusion across the...
guzzlehttp/guzzle: Dot-Only Cookie Domains Match All Hosts
Impact CookieJar incorrectly accepts cookies with a dot-only Domain attribute, such as Domain=., Domain=.., Domain=..., and whitespace-padded variants such as Domain= . . In affected versions, SetCookie::matchesDomain removes leading dots from the cookie domain, normalizing dot-only values to the...
guzzlehttp/psr7: CRLF Injection in HTTP Start-Line Serialization
Impact guzzlehttp/psr7 did not reject CR/LF characters in certain first-party HTTP start-line fields: the request method, protocol version, and response reason phrase. If an application placed attacker-controlled data into one of those fields and later serialized the PSR-7 message as raw HTTP/1.x...
OpenFGA: OIDC audience validation skipped when --authn-oidc-audience is unset
Description OpenFGA's OIDC authenticator skipped JWT audience aud validation when no audience was configured. In deployments where one identity provider issues tokens for multiple services, a token minted for an unrelated service could authenticate to OpenFGA. Preconditions This applies if the...
undici vulnerable to Set-Cookie SameSite attribute downgrade via permissive substring matching
Impact When undici parses a Set-Cookie header, it accepts any SameSite attribute value that contains Strict, Lax, or None as a substring, rather than the case-insensitive exact match specified by RFC 6265. Non-spec values are silently mapped to one of the three standard tokens: -...
undici WebSocket client vulnerable to denial of service via fragment count bypass
Impact The undici WebSocket client enforces maxPayloadSize on the cumulative byte count of fragments in a message but does not enforce a limit on the number of fragments. A malicious WebSocket server can stream many small or empty continuation frames that each pass per-frame and cumulative-size...
undici vulnerable to HTTP header injection via Set-Cookie percent-decoding
Impact undici's cookie parser in parseSetCookie percent-decodes cookie values via qsUnescape, turning encoded sequences like %0D%0A, %00, %3B, and %3D into their literal byte equivalents. RFC 6265 §5.4 does not specify any decoding and browsers do not decode either. Applications that parse a...
undici vulnerable to cross-origin request routing via SOCKS5 proxy pool reuse
Impact When using Socks5ProxyAgent, undici reuses a single connection pool across different origins without verifying that the pool's origin matches the requested origin. All requests are dispatched through the pool connected to the first origin, regardless of the intended destination. This cause...
undici vulnerable to HTTP response queue poisoning via keep-alive socket reuse
Impact Undici's HTTP/1.1 client is vulnerable to response queue poisoning on reused keep-alive sockets. An attacker-controlled upstream server can inject an unsolicited HTTP/1.1 response onto an idle socket after a request completes. When the client dispatches the next request on that socket, it...
guzzlehttp/guzzle: Silent HTTPS-Proxy Downgrade to Cleartext
Impact The built-in cURL handlers GuzzleHttp\Handler\CurlHandler and GuzzleHttp\Handler\CurlMultiHandler, used by default whenever the PHP cURL extension is available accept an https:// proxy — a proxy reached over a TLS-encrypted connection — through the proxy request option, client-level proxy...
NL Portal Backend Libraries: Unauthenticated form resolver forwards the privileged Objecten-API token to a caller-supplied URL (SSRF)
Summary The public GraphQL resolvers getFormDefinitionByObjectenApiUrlurl and the deprecated getFormDefinitionByIdid fetch a caller-supplied URL using the privileged Objecten-API token. Because the /graphql endpoint is permitAll and these resolvers do not declare a CommonGroundAuthentication...
canto-saas-api: OAuth credentials exposed in URL query string and exception messages
Summary In affected versions, the OAuth2 token request sends appid, appsecret, refreshtoken and code as URL query parameters of the POST request to https://oauth./oauth/api/oauth2/token. Request URLs are commonly recorded in access logs, proxy logs and APM traces, so the application secret and...
canto-saas-api: Authenticated API requests can be redirected via unencoded path variables
Summary In affected versions, Request::buildRequestUrl inserts path variables into the request URL without URL encoding implode'/', $pathVariables. All request classes implementing getPathVariables are affected, e.g. GetContentDetailsRequest scheme, contentId. If a consuming application passes...
Tilt: Missing authentication on the network-exposed Tilt HUD server
Summary The Tilt HUD HTTP server exposes state-changing and sensitive-read endpoints with no authentication. When the HUD is bound to a non-loopback address, a network attacker can trigger the developer's pre-defined Tiltfile resources, tamper with Tiltfile arguments, read full engine state...
Tilt: Cross-site WebSocket hijacking of the Tilt HUD stream
Summary The Tilt HUD WebSocket /ws/view is gated by a CSRF token, but the token is served by an unauthenticated endpoint and the upgrader accepts any client that omits an Origin header. When the HUD is network-exposed, an attacker can open the HUD stream and read the developer's session state...
Tilt: Unauthenticated pprof debug endpoints on the Tilt HUD server
Summary The Tilt HUD server mounts Go's net/http/pprof handlers under /debug with no access control. When the HUD is network-exposed, an attacker can read process memory — including session and apiserver tokens — and hold the process under profiling. Details A blank import of net/http/pprof...
Network-AI: Improper Neutralization of Special Elements used in an OS Command
Summary The agent sandbox gates shell commands behind an allowlist SandboxPolicy.isCommandAllowed, which THREATMODEL.md calls the main control against a compromised agent Adversary 3.2. The allowlist glob-matches the whole command string, but ShellExecutor runs that string through /bin/sh -c. So...
Network-AI: CVE-2026-46701 fix incomplete — empty default secret still authorizes all requests
Advisory / Disclosure Network-AI — CVE-2026-46701 fix is incomplete: the "Empty Default Secret" unauth path survives Target: Jovancoding/Network-AI npm network-ai, latest v5.7.1 Status: the advisory "Unauthenticated Cross-Origin MCP Tool Invocation via Empty Default Secret" named three flaws. The...
ts-deepmerge: Prototype Method Override leads to DoS
Versions of the package ts-deepmerge before 8.0.0 are vulnerable to Uncaught Exception due to the improper handling of built-in Object.prototype methods such as toString, valueOf. When user-controlled input contains these keys with non-function values, the resulting merged object becomes broken —...
Canonical MicroCeph: path traversal issue in the remote-import AP
Canonical MicroCeph versions from the squid and tentacle track are vulnerable to a path traversal issue in the remote-import API. Holders of a trusted cluster mTLS certificate such as enrolled cluster members or join token can manipulate files in an imported remote cluster within the...
Duplicate Advisory: PraisonAI has Memory State Leakage and Path Traversal in MultiAgent Context Handling
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-766v-q9x3-g744. This link is maintained to preserve external references. Original Description PraisonAI before 1.5.115 contains a path traversal vulnerability in MultiAgentMonitor that fails to sanitize agent ID...
Duplicate Advisory: PraisonAI: Coarse-Grained Tool Approval Cache Bypasses Per-Invocation Consent for Shell Commands
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-ffp3-3562-8cv3. This link is maintained to preserve external references. Original Description PraisonAI before 1.5.128 caches tool approval decisions by tool name only, not by invocation arguments, allowing...