Lucene search
+L
GithubRecent

33426 matches found

Github Security Blog
Github Security Blog
added 2025/10/08 6:16 p.m.10 views

Deno is Vulnerable to Command Injection on Windows During Batch File Execution

Summary Deno versions up to 2.5.1 are vulnerable to Command Line Injection attacks on Windows when batch files are executed. Details In Windows, CreateProcess always implicitly spawns cmd.exe if a batch file .bat, .cmd, etc. is being executed even if the application does not specify it via the...

8.1CVSS7.7AI score0.02084EPSS
Exploits1References7Affected Software1
Github Security Blog
Github Security Blog
added 2025/10/08 5:56 p.m.8 views

Deno's --deny-read check does not prevent permission bypass

Summary Deno.FsFile.prototype.stat and Deno.FsFile.prototype.statSync are not limited by the permission model check --deny-read=./. It's possible to retrieve stats from files that the user do not have explicit read access to the script is executed with --deny-read=./ Similar APIs like Deno.stat a...

3.3CVSS6.7AI score0.00182EPSS
Exploits1References7Affected Software1
Github Security Blog
Github Security Blog
added 2025/10/08 5:51 p.m.8 views

Synapse's invalid device keys degrade federation functionality

Impact Lack of validation for device keys in Synapse before 1.138.3 and in Synapse 1.139.0 allow an attacker registered on the victim homeserver to degrade federation functionality, unpredictably breaking outbound federation to other homeservers. Patches Patched in Synapse 1.138.3, 1.138.4,...

5.3CVSS7AI score0.00434EPSS
Exploits0References10Affected Software1
Github Security Blog
Github Security Blog
added 2025/10/08 3:32 p.m.7 views

Liferay Portal Notifications Widget has multiple XSS vulnerabilities through various text fields

Multiple cross-site scripting XSS vulnerabilities in the Notifications widget in Liferay Portal 7.4.3.102 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5 and 2023.Q3.1 through 2023.Q3.10 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected in...

5.4CVSS5.9AI score0.00197EPSS
Exploits0References8Affected Software1
Github Security Blog
Github Security Blog
added 2025/10/08 3:32 p.m.6 views

VaahCMS is vulnerable to XSS through its Avatar Upload endpoint

Cross-Site Scripting in vaahcms v.2.3.1 allows a remote attacker to execute arbitrary code via upload method in the storeAvatar method of UserBase.php...

6.1CVSS7.3AI score0.00279EPSS
Exploits2References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/10/08 3:32 p.m.9 views

Liferay Portal is vulnerable to Stored XSS through Forms text type field

Stored cross-site scripting XSS vulnerability in Forms in Liferay Portal 7.3.2 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, and 7.3 GA through update 35 allows remote attackers to inject arbitrary web script or HTML via a...

6.1CVSS5.5AI score0.00224EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2025/10/08 3:32 p.m.11 views

Liferay Portal Commerce Shop is vulnerable to Stored XSS through SVG file

There is a Stored Cross-Site Scripting XSS vulnerability in diagram type products in Commerce in Liferay Portal 7.4.3.18 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 18 through update 92. This vulnerability allows remote attackers to...

5.4CVSS5AI score0.00205EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/10/08 3:32 p.m.8 views

Liferay Portal is vulnerable to XSS through its Commerce Product's Name text field

Cross-site Scripting XSS vulnerability in the Commerce Product Comparison Table widget in Liferay Portal 7.4.0 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92 allows remote attackers to inject arbitrary web script or HTML v...

5.4CVSS5.8AI score0.00205EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/10/08 12:43 p.m.12 views

FuelVM is vulnerable to heap memory allocation re-use bug

Impact A memory safety vulnerability was present in the Fuel Virtual Machine FuelVM, where memory reads could bypass expected access controls. Specifically, when a smart contract performed a mload or other opcodes which access memory on memory that had been deallocated using ret, it was still abl...

6.9AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/10/08 12:30 p.m.7 views

Melis Platform CMS Unauthenticated File Upload Leading to RCE

File upload leading to remote code execution RCE in the “melis-cms-slider” module of Melis Technology's Melis Platform. This vulnerability allows an attacker to upload a malicious file via a POST request to '/melis/MelisCmsSlider/MelisCmsSliderDetails/saveDetailsForm' using the 'mcsdetailimg'...

9.3CVSS8.3AI score0.02503EPSS
Exploits3References5Affected Software1
Github Security Blog
Github Security Blog
added 2025/10/08 12:30 p.m.10 views

Melis Platform CMS Unauthenticated Admin Account Creation

Vulnerability in the melis-core module of Melis Technology's Melis Platform, which, if exploited, allows an unauthenticated attacker to create an administrator account via a request to '/melis/MelisCore/ToolUser/addNewUser'...

9.3CVSS7AI score0.00305EPSS
Exploits3References5Affected Software1
Github Security Blog
Github Security Blog
added 2025/10/08 12:30 p.m.8 views

Melis Platform CMS SQL Injection

SQL injection vulnerability based on the melis-cms module of the Melis platform from Melis Technology. This vulnerability allows an attacker to retrieve, create, update, and delete databases through the 'idPage' parameter in the '/melis/MelisCms/PageEdition/getTinyTemplates' endpoint...

9.3CVSS8.1AI score0.00385EPSS
Exploits2References5Affected Software1
Github Security Blog
Github Security Blog
added 2025/10/08 12:31 a.m.8 views

Liferay Portal has multiple Stored XSS vulnerabilities on its View Order page

Multiple stored Cross-site Scripting XSS vulnerabilities in Liferay Portal 7.4.3.15 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 15 through update 92 allow remote attackers to inject arbitrary web script or HTML via crafted payload...

5.4CVSS6AI score0.00205EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2025/10/08 12:31 a.m.7 views

Liferay Portal is vulnerable to XSS through its Commerce Search Result widget

Cross-site Scripting XSS vulnerability in the Commerce Search Result widget in Liferay Portal 7.4.0 through 7.4.3.111, and Liferay DXP 2023.Q4 before patch 6, 2023.Q3 before patch 9, and 7.4 GA through update 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload...

5.4CVSS5.8AI score0.00205EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2025/10/07 10:36 p.m.11 views

Deno's --deny-write check does not prevent permission bypass

Summary Deno.FsFile.prototype.utime and Deno.FsFile.prototype.utimeSync are not limited by the permission model check --deny-write=./. It's possible to change to change the access atime and modification mtime times on the file stream resource even when the file is opened with read only permission...

3.3CVSS6.8AI score0.00184EPSS
Exploits1References7Affected Software1
Github Security Blog
Github Security Blog
added 2025/10/07 10:14 p.m.10 views

vLLM is vulnerable to Server-Side Request Forgery (SSRF) through `MediaConnector` class

Summary A Server-Side Request Forgery SSRF vulnerability exists in the MediaConnector class within the vLLM project's multimodal feature set. The loadfromurl and loadfromurlasync methods fetch and process media from user-provided URLs without adequate restrictions on the target hosts. This allows...

7.1CVSS6.5AI score0.00231EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2025/10/07 10:8 p.m.13 views

LLaMA Factory's Chat API Contains Critical SSRF and LFI Vulnerabilities

Summary A Server-Side Request Forgery SSRF vulnerability in the chat API allows any authenticated user to force the server to make arbitrary HTTP requests to internal and external networks. This can lead to the exposure of sensitive internal services, reconnaissance of the internal network, or...

8.1CVSS5.9AI score0.0035EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/10/07 9:35 p.m.9 views

vLLM: Resource-Exhaustion (DoS) through Malicious Jinja Template in OpenAI-Compatible Server

Summary A resource-exhaustion denial-of-service vulnerability exists in multiple endpoints of the OpenAI-Compatible Server due to the ability to specify Jinja templates via the chattemplate and chattemplatekwargs parameters. If an attacker can supply these parameters to the API, they can cause a...

6.9AI score0.00207EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/10/07 9:15 p.m.9 views

Akka.Remote TLS did not properly implement certificate-based authentication

Impact This is a critical network security vulnerability for Akka.Remote users who have SSL / TLS enabled on their Akka.Remote connections and were expecting certificate-based authentication to be enforced on all peers attempting to join the network. In all versions of Akka.Remote from v1.2.0 to...

9.3CVSS7AI score0.00374EPSS
Exploits0References7Affected Software2
Github Security Blog
Github Security Blog
added 2025/10/07 5:28 p.m.7 views

Rack's multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)

Summary Rack::Multipart::Parser can accumulate unbounded data when a multipart part’s header block never terminates with the required blank line CRLFCRLF. The parser keeps appending incoming bytes to memory without a size cap, allowing a remote attacker to exhaust memory and cause a denial of...

7.5CVSS7AI score0.00868EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2025/10/07 5:27 p.m.9 views

Rack: Multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion)

Summary Rack::Multipart::Parser stores non-file form fields parts without a filename entirely in memory as Ruby String objects. A single large text field in a multipart/form-data request hundreds of megabytes or more can consume equivalent process memory, potentially leading to out-of-memory OOM...

7.5CVSS6.9AI score0.00528EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2025/10/07 5:26 p.m.6 views

Rack's unbounded multipart preamble buffering enables DoS (memory exhaustion)

Summary Rack::Multipart::Parser buffers the entire multipart preamble bytes before the first boundary in memory without any size limit. A client can send a large preamble followed by a valid boundary, causing significant memory use and potential process termination due to out-of-memory OOM...

7.5CVSS7.2AI score0.00868EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2025/10/07 5:24 p.m.7 views

vLLM is vulnerable to timing attack at bearer auth

Summary The API key support in vLLM performed validation using a method that was vulnerable to a timing attack. This could potentially allow an attacker to discover a valid API key using an approach more efficient than brute force. Details...

7.5CVSS7AI score0.00532EPSS
Exploits1References9Affected Software1
Github Security Blog
Github Security Blog
added 2025/10/07 4:0 p.m.8 views

How a top bug bounty researcher got their start in security

As we kick off Cybersecurity Awareness Month, the GitHub Bug Bounty team is excited to spotlight one of the top performing security researchers who participates in the GitHub Security Bug Bounty Program, @xiridium! GitHub is dedicated to maintaining the security and reliability of the code that...

7AI score
Exploits0
Github Security Blog
Github Security Blog
added 2025/10/07 1:42 p.m.28 views

Nodemailer: Email to an unintended domain can occur due to Interpretation Conflict

The email parsing library incorrectly handles quoted local-parts containing @. This leads to misrouting of email recipients, where the parser extracts and routes to an unintended domain instead of the RFC-compliant target. Payload: "[email protected] x"@internal.domain Using the following code to...

7.5CVSS7.1AI score0.00544EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2025/10/07 12:55 p.m.10 views

python-socketio vulnerable to arbitrary Python code execution (RCE) through malicious pickle deserialization in certain multi-server deployments

Summary A remote code execution vulnerability in python-socketio versions prior to 5.14.0 allows attackers to execute arbitrary Python code through malicious pickle deserialization in multi-server deployments on which the attacker previously gained access to the message queue that the servers use...

6.4CVSS8.5AI score0.00446EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2025/10/07 6:31 a.m.8 views

pdfmake is vulnerable to Throttling via repeatedly redirecting URL in file embedding

Versions of the package pdfmake from 0.3.0-beta.1 to before 0.3.0-beta.17 are vulnerable to Allocation of Resources Without Limits or Throttling via repeatedly redirect URL in file embedding. An attacker can cause the application to crash or become unresponsive by providing crafted input that...

8.7CVSS6.6AI score0.00331EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2025/10/07 12:31 a.m.9 views

Liferay Profile Widget does not prevent vCard extension spoofing

The Profile Widget in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, and older unsupported versions uses a user’s name in the “Content-Disposition” header, which allows...

5.4CVSS6.5AI score0.00217EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2025/10/06 8:18 p.m.19 views

SillyTavern Web Interface Vulnerable DNS Rebinding

Summary The web UI for SillyTavern is susceptible to DNS rebinding, allowing attackers to perform actions like install malicious extensions, read chats, inject arbitrary HTML for phishing, etc. Details DNS rebinding is a method to bypass the CORS policies by tricking the browser into resolving...

9.6CVSS6.6AI score0.00236EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2025/10/06 8:18 p.m.8 views

Litestar X-Forwarded-For Header Spoofing Vulnerability Enables Rate Limit Evasion

While testing Litestar's RateLimitMiddleware, I discovered that rate limits can be completely bypassed by manipulating the X-Forwarded-For header. This renders IP-based rate limiting ineffective against determined attackers. The Problem Litestar's RateLimitMiddleware uses cachekeyfromrequest to...

7.5CVSS6.6AI score0.00452EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2025/10/06 8:16 p.m.9 views

XWiki Platform is vulnerable to HQL injection via wiki and space search REST API

Impact The REST search URL is vulnerable to HQL injection via the orderField parameter. The specified value is added twice in the query, though, once in the field list for the select and once in the order clause, so it's not that easy to exploit. The part of the query between the two fields can b...

9.3CVSS7.4AI score0.02207EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2025/10/06 6:31 p.m.12 views

LangChain Text Splitters is vulnerable to XML External Entity (XXE) attacks due to unsafe XSLT parsing

The HTMLSectionSplitter class in langchain-text-splitters is vulnerable to XML External Entity XXE attacks due to unsafe XSLT parsing. This vulnerability arises because the class allows the use of arbitrary XSLT stylesheets, which are parsed using lxml.etree.parse and lxml.etree.XSLT without any...

7.5CVSS6.9AI score0.00604EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2025/10/06 5:58 p.m.9 views

XWiki OIDC Authenticator: Users with "view" access can create tokens for any users they can view

Impact Anyone with VIEW access to a user profile can create a token for that user. If that XWiki instance is configured to allow token authentication, it allows authentication with any user since users are very commonly viewable, at least to other registered users. Patches Version 2.18.2...

9.2CVSS7.1AI score0.00536EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2025/10/06 2:8 p.m.10 views

Flowise vulnerable to RCE via Dynamic function constructor injection

Summary User-controlled input flows to an unsafe implementaion of a dynamic Function constructor , allowing a malicious actor to run JS code in the context of the host not sandboxed leading to RCE. Details When creating a new Custom MCP Chatflow in the platform, the MCP Server Config displays a...

9.8CVSS7.8AI score0.18448EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/10/06 6:32 a.m.11 views

NovoSGA: Manipulation of User Creation Page can lead to weak password requirements

A flaw has been found in Mangati NovoSGA up to 2.2.12. The impacted element is an unknown function of the file /novosga.users/new of the component User Creation Page. Executing manipulation of the argument Senha/Confirmação da senha can lead to weak password requirements. The attack can be launch...

6.3CVSS6.6AI score0.00331EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2025/10/06 3:31 a.m.13 views

Duplicate Advisory: Flowise Stored XSS vulnerability through logs in chatbot

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-7r4h-vmj9-wg42. This link is maintained to preserve external references. Original Description Flowise before 3.0.5 allows XSS via a FORM element and an INPUT element when an admin views the chat log...

8.2CVSS6.2AI score0.00382EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2025/10/06 3:31 a.m.10 views

Duplicate Advisory: Flowise is vulnerable to stored XSS via "View Messages" allows credential theft in FlowiseAI admin panel

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-964p-j4gg-mhwc. This link is maintained to preserve external references. Original Description Flowise before 3.0.5 allows XSS via an IFRAME element when an admin views the chat log...

8.2CVSS6.2AI score0.13138EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2025/10/05 12:30 p.m.10 views

clearml is vulnerable to Path Traversal through its `safe_extract` function

A vulnerability in clearml versions before 2.0.2 allows for path traversal due to improper handling of symbolic and hard links in the safeextract function. This flaw can lead to arbitrary file writes outside the intended directory, potentially resulting in remote code execution if critical files...

5.8CVSS8.3AI score0.00276EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/10/05 9:30 a.m.7 views

ZenML is vulnerable to Path Traversal through its `PathMaterializer` class

ZenML version 0.83.1 is affected by a path traversal vulnerability in the PathMaterializer class. The load function uses ispathwithindirectory to validate files during data.tar.gz extraction, which fails to effectively detect symbolic and hard links. This vulnerability can lead to arbitrary file...

7.8CVSS7.4AI score0.00334EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/10/05 9:30 a.m.7 views

MCPHub has an Improper Authorization vulnerability via its handleSseConnection function

A vulnerability was identified in samanhappy MCPHub up to 0.9.10. This vulnerability affects the function handleSseConnection of the file src/services/sseService.ts. Such manipulation leads to improper authentication. The attack may be launched remotely. The exploit is publicly available and migh...

9.8CVSS6.7AI score0.00577EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2025/10/05 6:30 a.m.8 views

MCPHub's ServerController is vulnerable to Command Injection

A vulnerability was found in samanhappy MCPHub up to 0.9.10. Affected by this issue is some unknown functionality of the file src/controllers/serverController.ts. The manipulation of the argument command/args results in os command injection. The attack can be launched remotely. The exploit has be...

8.8CVSS6.9AI score0.07794EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2025/10/04 12:32 a.m.9 views

Liferay Portal exposes sensitive user data through its Freemarker template

A vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.4, 2024.Q4.0 through 2024.Q4.5, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA...

6.5CVSS6.6AI score0.00282EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2025/10/03 9:48 p.m.17 views

Flowise Stored XSS vulnerability through logs in chatbot

Description In the chat log, tags like input and form are allowed. This makes a potential vulnerability where an attacker could inject malicious HTML into the log via prompts. When an admin views the log containing the malicious HTML, the attacker could steal the admin's credentials or sensitive...

8.2CVSS6.5AI score0.00382EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2025/10/03 9:47 p.m.11 views

Flowise is vulnerable to stored XSS via "View Messages" allows credential theft in FlowiseAI admin panel

Summary A stored Cross-Site Scripting XSS vulnerability in FlowiseAI allows a user to inject arbitrary JavaScript code via message input. When an administrator views messages using the "View Messages" button in the workflow UI, the malicious script executes in the context of the admin’s browser,...

8.2CVSS5.5AI score0.13138EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2025/10/03 7:27 p.m.6 views

Flowise vulnerable to XSS

Summary A XSScross-site scripting vulnerability is caused by insufficient filtering of input by web applications. Attackers can leverage this XSS vulnerability to inject malicious script code HTML code or client-side Javascript code into web pages, and when users browse these web pages, the...

6.5AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2025/10/03 7:25 p.m.7 views

wrflib has a soundness issue and is unmaintained

All functions under wrflib::byteextract are simply wrapper of unsafe pointer offset and lacks sufficient checks to it pointer and offset parameter. wrflib is unmaintained...

7AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2025/10/03 7:19 p.m.10 views

NiceGUI has a Reflected XSS

Summary A Cross-Site Scripting XSS risk exists in NiceGUI when developers render unescaped user input into the DOM using ui.html. Before version 3.0, NiceGUI does not enforce HTML or JavaScript sanitization, so applications that directly combine components like ui.input with ui.html without...

6.1CVSS7AI score0.00188EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/10/03 6:31 p.m.13 views

Duplicate Advisory: motionEye vulnerable to RCE via unsanitized motion config parameter

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-j945-qm58-4gjx. This link is maintained to preserve external references. Original Description MotionEye v0.43.1b4 and before is vulnerable to OS Command Injection in configuration parameters such as imagefilenam...

7.2CVSS7.8AI score0.18993EPSS
Exploits17References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/10/03 2:52 p.m.10 views

phpMyFAQ duplicate email registration allows multiple accounts with the same email

Summary phpMyFAQ does not enforce uniqueness of email addresses during user registration. This allows multiple distinct accounts to be created with the same email. Because email is often used as an identifier for password resets, notifications, and administrative actions, this flaw can cause...

9.8CVSS7.6AI score0.00388EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/10/03 2:17 p.m.13 views

Claude Code permission deny bypass through symlink

Claude Code failed to account for symlinks when checking permission deny rules. If a user explicitly denied Claude Code access to a file and Claude Code had access to a symlink pointing to that file, it was possible for Claude Code to access the file. Users on standard Claude Code auto-update wil...

6.5CVSS6.9AI score0.00396EPSS
Exploits0References3Affected Software1
Total number of security vulnerabilities33426