33426 matches found
go-f3 module vulnerable to integer overflow leading to panic
Impact Filecoin nodes consuming F3 messages are vulnerable. go-f3 panics when it validates a "poison" messages. A "poison" message can can cause integer overflow in the signer index validation. In Lotus' case, the whole node will crash. There is no barrier to entry. An attacker doesn't need any...
go-f3 Vulnerable to Cached Justification Verification Bypass
Description A vulnerability exists in go-f3's justification verification caching mechanism where verification results are cached without properly considering the context of the message. An attacker can bypass justification verification by: 1. First submitting a valid message with a correct...
MinIO Java Client XML Tag Value Substitution Vulnerability
Description In minio-java versions prior to 8.6.0, XML tag values containing references to system properties or environment variables were automatically substituted with their actual values during processing. This unintended behavior could lead to the exposure of sensitive information, including...
j178/prek-action vulnerable to arbitrary code injection in composite action
Summary There are three potential attacks of arbitrary code injection vulnerability in the composite action at action.yml. Details The GitHub Action variables inputs.prek-version, inputs.extraargs, and inputs.extra-args can be used to execute arbitrary code in the context of the action. PoC yaml ...
mkdocs-include-markdown-plugin susceptible to unvalidated input colliding with substitution placeholders
Impact CWE-20: Improper Input Validation Low impact Patches Patched in v7.1.8 commit https://github.com/mondeja/mkdocs-include-markdown-plugin/commit/7466d67aa0de8ffbc427204ad2475fed07678915 Workarounds No...
go-mail has insufficient address encoding when passing mail addresses to the SMTP client
Impact Due to incorrect handling of the mail.Address values when a sender- or recipient address is passed to the corresponding MAIL FROM or RCPT TO commands of the SMTP client, this could lead to a possible wrong address routing or even to ESMTP parameter smuggling. Vulnerability details Instead ...
vet MCP Server SSE Transport DNS Rebinding Vulnerability
SafeDep vet is vulnerable to a DNS rebinding attack due to lack of HTTP Host and Origin header validation. To exploit this vulnerability following conditions must be met: 1. A vet scan is executed and reports are saved as sqlite3 database 2. A vet MCP server is running on default port with SSE...
CodeQL zero to hero part 5: Debugging queries
When you're first getting started with CodeQL, you may find yourself in a situation where a query doesn't return the results you expect. Debugging these queries can be tricky, because CodeQL is a Prolog-like language with an evaluation model that's quite different from mainstream languages like...
llama-index-core insecurely handles temporary files
The llama-index-core package, up to version 0.12.44, contains a vulnerability in the getcachedir function where a predictable, hardcoded directory path /tmp/llamaindex is used on Linux systems without proper security controls. This vulnerability allows attackers on multi-user systems to steal...
algoliasearch-helper is vulnerable to Prototype Pollution in _merge()
Versions of the package algoliasearch-helper from 2.0.0-rc1 and before 3.11.2 are vulnerable to Prototype Pollution in the merge function in merge.js, which allows constructor.prototype to be written even though doing so throws an error. In the "extreme edge-case" that the resulting error is...
github.com/nyaruka/phonenumbers Vulnerable to Improper Validation of Syntactic Correctness of Input
Versions of the package github.com/nyaruka/phonenumbers before 1.2.2 are vulnerable to Improper Validation of Syntactic Correctness of Input in the phonenumbers.Parse function. An attacker can cause a panic by providing crafted input causing a "runtime error: slice bounds out of range"...
PiranhaCMS stored XSS
PiranhaCMS 12.0 allows stored XSS in the Text content block of Standard and Standard Archive Pages via /manager/pages, enabling execution of arbitrary JavaScript in another user s browser...
OpenMLS improper persistence of the secret tree during message processing
Summary A bug in the OpenMLS library prevented private key material from being updated in storage during message processing. The key material in question are the keys stored in the MLS secret tree, which are used for decryption of private MLS messages. The effects of the bug are limited in scope,...
Duplicate Advisory: SurrealDB is Vulnerable to Unauthorized Data Exposure via LIVE Query Subscriptions
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-7vm2-j586-vcvc. This link is maintained to preserve external references. Original Description A flaw was found in the live query subscription mechanism of the database engine. This vulnerability allows record or...
kcp is missing update validation allows arbitrary LogicalCluster status patches through initializingworkspaces Virtual Workspace
Impact Because UPDATE validation is not being applied, it is possible for an actor with access to an instance of the initializingworkspaces virtual workspace to run arbitrary patches on the status field of LogicalCluster objects while the workspace is initializing. This allows to add or remove an...
Apollo Embedded Sandbox and Explorer vulnerable to CSRF via window.postMessage origin-validation bypass
Impact A Cross-Site Request Forgery CSRF vulnerability was identified in Apollo’s Embedded Sandbox and Embedded Explorer. The vulnerability arises from missing origin validation in the client-side code that handles window.postMessage events. A malicious website can send forged messages to the...
Kicking off Cybersecurity Awareness Month 2025: Researcher spotlights and enhanced incentives
October marks Cybersecurity Awareness Month, a time when the developer community reflect on the importance of security in the evolving digital landscape. At GitHub, we understand that protecting the global software ecosystem relies on the commitment, skill, and ingenuity of the security research...
express-xss-sanitizer has an unbounded recursion depth
Security Advisory: express-xss-sanitizer Overview A vulnerability was discovered in express-xss-sanitizer that allowed unbounded recursion depth during sanitization of nested objects. Affected Versions - All versions prior to 2.0.1 Patched Versions - 2.0.1 and later Description The sanitize...
get-jwks: poisoned JWKS cache allows post-fetch issuer validation bypass
Summary A vulnerability in get-jwks can lead to cache poisoning in the JWKS key-fetching mechanism. Details When the iss issuer claim is validated only after keys are retrieved from the cache, it is possible for cached keys from an unexpected issuer to be reused, resulting in a bypass of issuer...
JupyterLab LaTeX typesetter links did not enforce `noopener` attribute
Links generated with LaTeX typesetters in Markdown files and Markdown cells in JupyterLab and Jupyter Notebook did not include the noopener attribute. This is deemed to have no impact on the default installations. Theoretically users of third-party LaTeX-rendering extensions could find themselves...
Rancher update on users can deny the service to the admin
Impact A vulnerability has been identified within Rancher Manager where a missing server-side validation on the .username field in Rancher can allow users with update permissions on other User resources to cause denial of access for targeted accounts. Specifically: - Username takeover: A user wit...
Rancher CLI SAML authentication is vulnerable to phishing attacks
Impact A vulnerability has been identified within Rancher Manager whereby the SAML authentication from the Rancher CLI tool is vulnerable to phishing attacks. The custom authentication protocol for SAML-based providers can be abused to steal Rancher’s authentication tokens. Rancher Manager...
Rancher sends sensitive information to external services through the `/meta/proxy` endpoint
Impact A vulnerability has been identified within Rancher Manager whereby Impersonate-Extra- headers are being sent to an external entity, for example amazonaws.com, via the /meta/proxy Rancher endpoint. These headers may contain identifiable and/or sensitive information e.g. email addresses. If...
Argument injection vulnerability in SonarQube Scan Action
A command injection vulnerability exists in SonarQube GitHub Action prior to v6.0.0 when workflows pass user-controlled input to the args parameter on Windows runners without proper validation. This vulnerability bypasses a previous security fix and allows arbitrary command execution, potentially...
WSO2's Input Validation Management Service contains Observable Discrepancy when Multi-Attribute Login is enabled
A username enumeration vulnerability exists in multiple WSO2 products when Multi-Attribute Login is enabled. In this configuration, the system returns a distinct "User does not exist" error message to the login form, regardless of the validateusername setting. This behavior allows malicious actor...
Apache Airflow: Connection sensitive details exposed to users with READ permissions
Apache Airflow 3 introduced a change to the handling of sensitive information in Connections. The intent was to restrict access to sensitive connection fields to Connection Editing Users, effectively applying a "write-only" model for sensitive values. In Airflow 3.0.3, this model was...
Duplicate Advisory: Open Babel has out-of-bounds read in PQS lowerit (pre-buffer read)
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-m982-7q3h-r784. This link is maintained to preserve external references. Original Description A vulnerability was determined in Open Babel up to 3.1.1. This affects the function PQSFormat::ReadMolecule of the fi...
Duplicate Advisory: Open Babel has NULL pointer dereference in CACAO CacaoFormat::SetHilderbrandt
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-55j6-rjhx-hwfh. This link is maintained to preserve external references. Original Description A vulnerability was found in Open Babel up to 3.1.1. The impacted element is the function CacaoFormat::SetHilderbrand...
Duplicate Advisory: Open Babel has heap buffer overflow in SMILES OBSmilesParser::ParseSmiles
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-j35x-w4gj-pf7w. This link is maintained to preserve external references. Original Description A vulnerability was detected in Open Babel up to 3.1.1. This issue affects the function OBSmilesParser::ParseSmiles o...
Duplicate Advisory: Open Babel has NULL pointer dereference in ChemKinFormat::ReadReactionQualifierLines
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-j9pp-7wfg-q7fj. This link is maintained to preserve external references. Original Description A vulnerability has been found in Open Babel up to 3.1.1. The affected element is the function...
Duplicate Advisory: Open Babel has heap buffer overflow in ChemKin ChemKinFormat::CheckSpecies
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-8wq6-qh76-wpv9. This link is maintained to preserve external references. Original Description A flaw has been found in Open Babel up to 3.1.1. Impacted is the function ChemKinFormat::CheckSpecies of the file...
Duplicate Advisory: Open Babel has Use-after-free in GAMESS GAMESSOutputFormat::ReadMolecule
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-pp85-5j63-xpq3. This link is maintained to preserve external references. Original Description A weakness has been identified in Open Babel up to 3.1.1. This affects the function GAMESSOutputFormat::ReadMolecule ...
Duplicate Advisory: Open Babel has out-of-bounds write (overlapping memcpy) in zipstream basic_unzip_streambuf::underflow
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-8j3x-m868-cpw8. This link is maintained to preserve external references. Original Description A security vulnerability has been detected in Open Babel up to 3.1.1. This vulnerability affects the function...
Hutool allows remote code execution (RCE) via the QLExpressEngine class
An issue was discovered in chinabugotech hutool before 5.8.40 allowing attackers to execute arbitrary expressions that lead to arbitrary method invocation and potentially remote code execution RCE via the QLExpressEngine class...
Liferay Portal and DXP vulnerable to a memory leak
A memory leak in the headless API for StructuredContents in Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2024.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions...
ml-logger file handler allows reading arbitrary files
A security flaw has been discovered in geyang ml-logger up to acf255bade5be6ad88d90735c8367b28cbe3a743. Affected by this issue is the function streamhandler of the file mllogger/server.py of the component File Handler. Performing manipulation of the argument key results in information disclosure...
Rack has an unsafe default in Rack::QueryParser allows params_limit bypass via semicolon-separated parameters
Summary Rack::QueryParser in version 2.2.18 enforces its paramslimit only for parameters separated by &, while still splitting on both & and ;. As a result, attackers could use ; separators to bypass the parameter count limit and submit more parameters than intended. Details The issue arises...
Gardener provider extensions vulnerable to code injection when Terraform is used for infrastructure provisioning
Impact A security vulnerability was discovered in Gardener when Terraformer is used for infrastructure provisioning. This vulnerability could allow a user with administrative privileges for a Gardener project to obtain control over the seed cluster where the shoot cluster is managed. This CVE...
ml-logger has path traversal in the file argument
A vulnerability was identified in geyang ml-logger 0.10.36 and prior. Affected by this vulnerability is the function loghandler of the file mllogger/server.py. Such manipulation of the argument File leads to path traversal. It is possible to launch the attack remotely. The exploit is publicly...
cors-anywhere vulnerable to server-side request forgery
Rob -- W / cors-anywhere instances configured as an open proxy allow unauthenticated external users to induce the server to make HTTP requests to arbitrary targets SSRF. Because the proxy forwards requests and headers, an attacker can reach internal-only endpoints and link-local metadata services...
apidoc-core is vulnerable to prototype pollution
apidoc-core is the core parser library to generate apidoc result following the apidoc-spec. A Prototype Pollution vulnerability in the preProcess function of apidoc-core versions thru 0.15.0 allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial ...
ml-logger deserialization vulnerability
A vulnerability was determined in geyang ml-logger 0.10.36 and prior. Affected is the function loghandler of the file mllogger/server.py of the component Ping Handler. This manipulation of the argument data causes deserialization. It is possible to initiate the attack remotely. The exploit has be...
dref is vulnerable to prototype pollution
A prototype pollution in the lib.set function of dref v0.1.2 allows attackers to cause a Denial of Service DoS via supplying a crafted payload...
Duplicate Advisory: Malicious versions of Nx were published
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-cxm3-wv7p-598c. This link is maintained to preserve external references. Original Description Malicious code was inserted into the Nx build system package and several related plugins. The tampered package was...
lobe-chat has an Open Redirect
Description --- Vulnerability Overview The project's OIDC redirect handling logic constructs the host and protocol of the final redirect URL based on the X-Forwarded-Host or Host headers and the X-Forwarded-Proto value. In deployments where a reverse proxy forwards client-supplied X-Forwarded-...
json-schema-editor-visual vulnerable to prototype pollution
json-schema-editor-visual is a package that provides jsonschema editor. A Prototype Pollution vulnerability in the setData and deleteData function of json-schema-editor-visual versions thru 1.1.1 allows attackers to inject or delete properties on Object.prototype via supplying a crafted payload,...
ts-fns has prototype pollution vulnerability
A prototype pollution vulnerability exists in the ts-fns package versions prior to 13.0.7, where insufficient validation of user-provided keys in the assign function allows attackers to manipulate the Object.prototype chain. By leveraging this flaw, adversaries may inject arbitrary properties int...
web3-core-method is vulnerable to prototype pollution
web3-core-method is a package designed to creates the methods on the web3 modules. A Prototype Pollution vulnerability in the attachToObject function of web3-core-method version 1.10.4 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing...
spmrc vulnerable to prototype pollution
spmrc is a package that provides the rc manager for spm. A Prototype Pollution vulnerability in the set and config function of spmrc version 1.2.0 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service DoS as the minimum...
Duplicate Advisory: rollbar vulnerable to prototype pollution
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-r8c2-2qwq-94p6. This link is maintained to preserve external references. Original Description rollbar is a package designed to effortlessly track and debug errors in JavaScript applications. This package include...