Lucene search
+L
GithubRecent

33426 matches found

Github Security Blog
Github Security Blog
added 2025/09/22 2:42 p.m.13 views

Authlib: JWS/JWT accepts unknown crit headers (RFC violation → possible authz bypass)

Summary Authlib’s JWS verification accepts tokens that declare unknown critical header parameters crit, violating RFC 7515 “must‑understand” semantics. An attacker can craft a signed token with a critical header for example, bork or cnf that strict verifiers reject but Authlib accepts. In...

7.5CVSS7.1AI score0.00244EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/19 9:31 p.m.15 views

Liferay Portal Commerce component has Incorrect Permission Assignment for Critical Resource

The Commerce component in Liferay Portal 7.3.0 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and 7.3 Service Pack 3 through update 35 saves virtual products uploaded to Documents and Media with guest view permission, which...

6.9CVSS6.6AI score0.00346EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/19 9:31 p.m.18 views

Mattermost Path Traversal vulnerability

Mattermost versions 10.8.x = 10.8.3, 10.5.x = 10.5.8, 9.11.x = 9.11.17, 10.10.x = 10.10.1, 10.9.x = 10.9.3 fail to validate import directory path configuration which allows admin users to execute arbitrary code via malicious plugin upload to prepackaged plugins directory...

8CVSS8AI score0.00599EPSS
Exploits0References10Affected Software2
Github Security Blog
Github Security Blog
added 2025/09/19 9:31 p.m.12 views

Mattermost boards plugin fails to restrict download access to files

Mattermost versions 10.5.x = 10.5.8, 9.11.x = 9.11.17 fail to properly validate access controls which allows any authenticated user to download sensitive files via board file download endpoint using UUID enumeration...

6.5CVSS6.8AI score0.0025EPSS
Exploits0References6Affected Software3
Github Security Blog
Github Security Blog
added 2025/09/19 9:31 p.m.9 views

Liferay Portal Cross-Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery CSRF vulnerability in the server license registration page in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.7, 2023.Q3.1 through 2023.Q3.9, 7.4 GA through update 92, and older unsupported versions allow...

5.1CVSS7AI score0.00169EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/19 9:31 p.m.9 views

Liferay Contacts Center widget has insecure direct object reference

Insecure direct object reference IDOR vulnerability in the Contacts Center widget in Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.6, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows...

6.9CVSS7AI score0.00257EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/19 8:12 p.m.11 views

The Keras `Model.load_model` method **silently** ignores `safe_mode=True` and allows arbitrary code execution when a `.h5`/`.hdf5` file is loaded.

Note: This report has already been discussed with the Google OSS VRP team, who recommended that I reach out directly to the Keras team. I’ve chosen to do so privately rather than opening a public issue, due to the potential security implications. I also attempted to use the email address listed i...

7.3CVSS8.5AI score0.00205EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/19 5:14 p.m.16 views

Codex has sandbox bypass due to bug in path configuration logic

Due to a bug in the sandbox configuration logic, Codex CLI could treat a model-generated cwd as the sandbox’s writable root, including paths outside of the folder where the user started their session. This logic bypassed the intended workspace boundary and enables arbitrary file writes and comman...

8.6CVSS7.4AI score0.00815EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/19 12:30 p.m.21 views

Grafana-Zabbix ReDoS vulnerability

Grafana is an open-source platform for monitoring and observability. Grafana-Zabbix is a plugin for Grafana allowing to visualize monitoring data from Zabbix and create dashboards for analyzing metrics and realtime monitoring. Versions 5.2.1 and below contained a ReDoS vulnerability via...

4.3CVSS6.8AI score0.00323EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/19 9:31 a.m.6 views

Duplicate Advisory: The Keras `Model.load_model` method **silently** ignores `safe_mode=True` and allows arbitrary code execution when a `.h5`/`.hdf5` file is loaded.

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-36rr-ww3j-vrjv. This link is maintained to preserve external references. Original Description The Keras Model.loadmodel method can be exploited to achieve arbitrary code execution, even with safemode=True. One c...

7.3CVSS7.4AI score0.00205EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/19 9:31 a.m.9 views

Keras is vulnerable to Deserialization of Untrusted Data

Arbitrary Code Execution in Keras Keras versions prior to 3.11.0 allow for arbitrary code execution when loading a crafted .keras model archive, even when safemode=True. The issue arises because the archive’s config.json is parsed before layer deserialization. This can invoke...

8.6CVSS7.7AI score0.00186EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/19 6:31 a.m.10 views

@digitalocean/do-markdownit has Type Confusion vulnerability

Overview A type confusion issue exists in the @digitalocean/do-markdownit package. In the callout and fenceenvironment plugins, the allowedClasses and allowedEnvironments options are expected to be arrays of strings. If these options are provided as a single string, the code applies .includes...

9.8CVSS6.7AI score0.00361EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/19 3:30 a.m.12 views

Snipe-IT allows unsafe deserialization

Snipe-IT before 8.1.18 allows unsafe deserialization...

8.1CVSS7AI score0.00349EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/19 3:30 a.m.12 views

Snipe-IT allows XSS

Snipe-IT before 8.1.18 allows XSS...

6.4CVSS7AI score0.00238EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/18 8:4 p.m.13 views

Lobe Chat Desktop vulnerable to Remote Code Execution via XSS in Chat Messages

Summary We identified a cross-site scripting XSS vulnerability when handling chat message in lobe-chat that can be escalated to remote code execution on the user’s machine. Any party capable of injecting content into chat messages, such as hosting a malicious page for prompt injection, operating ...

7.7CVSS6.6AI score0.00371EPSS
Exploits1References9Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/18 9:31 a.m.5 views

InvokeAI has External Control of File Name or Path

Path Traversal Vulnerability in InvokeAI A path traversal vulnerability in InvokeAI versions 6.7.0 allows an unauthenticated remote attacker to read files outside the intended media directory via the bulk downloads API. The endpoint accepts a user-controlled file/item name and concatenates it int...

9.8CVSS9.2AI score0.00353EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/17 9:30 p.m.9 views

@sequa-ai/sequa-mcp has Command Injection vulnerability

A vulnerability was detected in sequa-ai sequa-mcp up to 1.0.13. This affects the function redirectToAuthorization of the file src/helpers/node-oauth-client-provider.ts of the component OAuth Server Discovery. Performing manipulation results in os command injection. Remote exploitation of the...

6.5CVSS6.4AI score0.01628EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/17 9:30 p.m.10 views

Parcel has an Origin Validation Error vulnerability

parcel versions 1.6.1 and above have an Origin Validation Error vulnerability. Malicious websites can send XMLHTTPRequests to the application's development server and read the response to steal source code when developers visit them. Version 2.16.4 supports a --no-cors option which disables CORS...

6.5CVSS5.9AI score0.0022EPSS
Exploits1References8Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/17 8:46 p.m.14 views

Pingora update for MadeYouReset HTTP/2 vulnerability

Pingora deployments that include HTTP/2 server support may be affected by the vulnerability described in CVE-2025-8671. Under certain conditions, Pingora applications may allocate buffers before the HTTP/2 reset and resulting stream cancellation is processed by the server. Repeated resets can for...

7.5CVSS6.8AI score0.0351EPSS
Exploits3References3Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/17 8:42 p.m.7 views

Nuxt has Client-Side Path Traversal in Nuxt Island Payload Revival

Summary A client-side path traversal vulnerability in Nuxt's Island payload revival mechanism allowed attackers to manipulate client-side requests to different endpoints within the same application domain when specific prerendering conditions are met. Technical Details The vulnerability occurs in...

3.1CVSS6.5AI score0.00347EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/17 8:24 p.m.8 views

Keycloak SMTP Inject Vulnerability

Special characters used during e-mail registration may perform SMTP Injection and unexpectedly send short unwanted e-mails. The email is limited to 64 characters limited local part of the email, so the attack is limited to very shorts emails subject and little data, the example is 60 chars. This...

5.3CVSS6.7AI score0.00411EPSS
Exploits0References9Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/17 8:23 p.m.9 views

DragonFly's tiny file download uses hard coded HTTP protocol

Impact The code in the scheduler for downloading a tiny file is hard coded to use the HTTP protocol, rather than HTTPS. This means that an attacker could perform a Man-in-the-Middle attack, changing the network request so that a different piece of data gets downloaded. Due to the use of weak...

6.9CVSS7AI score0.0013EPSS
Exploits0References5Affected Software2
Github Security Blog
Github Security Blog
added 2025/09/17 8:11 p.m.10 views

DragonFly has weak integrity checks for downloaded files

Impact The DragonFly2 uses a variety of hash functions, including the MD5 hash. This algorithm does not provide collision resistance; it is secure only against preimage attacks. While these security guarantees may be enough for the DragonFly2 system, it is not completely clear if there are any...

6.9CVSS6.9AI score0.00152EPSS
Exploits0References5Affected Software2
Github Security Blog
Github Security Blog
added 2025/09/17 8:11 p.m.11 views

DragonFly's manager generates mTLS certificates for arbitrary IP addresses

Impact A peer can obtain a valid TLS certificate for arbitrary IP addresses, effectively rendering the mTLS authentication useless. The issue is that the Manager’s Certificate gRPC service does not validate if the requested IP addresses “belong to” the peer requesting the certificate—that is, if...

8.7CVSS7.2AI score0.00219EPSS
Exploits1References5Affected Software2
Github Security Blog
Github Security Blog
added 2025/09/17 8:11 p.m.11 views

DragonFly vulnerable to arbitrary file read and write on a peer machine

Impact A peer exposes the gRPC API and HTTP API for consumption by other peers. These APIs allow peers to send requests that force the recipient peer to create files in arbitrary file system locations, and to read arbitrary files. This allows peers to steal other peers’ secret data and to gain...

9.8CVSS8.3AI score0.0068EPSS
Exploits0References5Affected Software2
Github Security Blog
Github Security Blog
added 2025/09/17 8:10 p.m.10 views

DragonFly vulnerable to panics due to nil pointer dereference when using variables created alongside an error

Impact We found two instances in the DragonFly codebase where the first return value of a function is dereferenced even when the function returns an error figures 9.1 and 9.2. This can result in a nil dereference, and cause code to panic. The codebase may contain additional instances of the bug...

6.9CVSS7.1AI score0.00293EPSS
Exploits0References5Affected Software2
Github Security Blog
Github Security Blog
added 2025/09/17 8:2 p.m.10 views

Dragonfly vulnerable to timing attacks against Proxy’s basic authentication

Impact The access control mechanism for the Proxy feature uses simple string comparisons and is therefore vulnerable to timing attacks. An attacker may try to guess the password one character at a time by sending all possible characters to a vulnerable mechanism and measuring the comparison...

6.9CVSS7.1AI score0.00315EPSS
Exploits0References5Affected Software2
Github Security Blog
Github Security Blog
added 2025/09/17 7:56 p.m.13 views

jinjava has Sandbox Bypass via JavaType-Based Deserialization

Summary jinjava’s current sandbox restrictions prevent direct access to dangerous methods such as getClass, and block instantiation of Class objects. However, these protections can be bypassed. By using mapper.getTypeFactory.constructFromCanonical, it is possible to instruct the underlying...

10CVSS8.1AI score0.02315EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/17 7:55 p.m.11 views

Dragonfly's directories created via os.MkdirAll are not checked for permissions

Impact DragonFly2 uses the os.MkdirAll function to create certain directory paths with specific access permissions. This function does not perform any permission checks when a given directory path already exists. This allows a local attacker to create a directory to be used later by DragonFly2 wi...

5.1CVSS6.8AI score0.00106EPSS
Exploits0References5Affected Software2
Github Security Blog
Github Security Blog
added 2025/09/17 7:48 p.m.9 views

Dragonfly incorrectly handles a task structure’s usedTrac field

Impact The processPieceFromSource method figure 4.1 is part of a task processing mechanism. The method writes pieces of data to storage, updating a Task structure along the way. The method does not update the structure’s usedTraffic field, because an uninitialized variable n is used as a guard to...

7.5CVSS7AI score0.00331EPSS
Exploits0References5Affected Software2
Github Security Blog
Github Security Blog
added 2025/09/17 7:28 p.m.12 views

Dragonfly's manager makes requests to external endpoints with disabled TLS authentication

Impact The Manager disables TLS certificate verification in two HTTP clients figures 3.1 and 3.2. The clients are not configurable, so users have no way to re-enable the verification. golang func getAuthTokenctx context.Context, header http.Header string, error skipped client := &http.Client...

6.9CVSS6.8AI score0.00159EPSS
Exploits0References5Affected Software2
Github Security Blog
Github Security Blog
added 2025/09/17 7:27 p.m.12 views

Dragonfly vulnerable to server-side request forgery

Impact There are multiple server-side request forgery SSRF vulnerabilities in the DragonFly2 system. The vulnerabilities enable users to force DragonFly2’s components to make requests to internal services, which otherwise are not accessible to the users. One SSRF attack vector is exposed by the...

6.9CVSS6.8AI score0.00231EPSS
Exploits0References5Affected Software2
Github Security Blog
Github Security Blog
added 2025/09/17 7:21 p.m.9 views

Dragonfly doesn't have authentication enabled for some Manager’s endpoints

Impact The /api/v1/jobs and /preheats endpoints in Manager web UI are accessible without authentication. Any user with network access to the Manager can create, delete, and modify jobs, and create preheat jobs. An unauthenticated adversary with network access to a Manager web UI uses /api/v1/jobs...

9.1CVSS7AI score0.00361EPSS
Exploits0References5Affected Software2
Github Security Blog
Github Security Blog
added 2025/09/17 7:3 p.m.13 views

esm.sh has arbitrary file write via path traversal in `X-Zone-Id` header

Summary A path-traversal flaw in the handling of the X-Zone-Id HTTP header allows an attacker to cause the application to write files outside the intended storage location. The header value is used to build a filesystem path but is not properly canonicalized or restricted to the application’s...

6.9CVSS7.8AI score0.02829EPSS
Exploits2References7Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/17 6:39 p.m.8 views

esm.sh has File Inclusion issue

Summary A Local File Inclusion LFI issue was identified in the esm.sh service URL handling. An attacker could craft a request that causes the server to read and return files from the host filesystem or other unintended file sources. Severity: High — LFI can expose secrets, configuration files,...

8.7CVSS6.4AI score0.01527EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/17 6:26 p.m.11 views

REXML has DoS condition when parsing malformed XML file

Impact The REXML gems from 3.3.3 to 3.4.1 have a DoS vulnerability when parsing XML containing multiple XML declarations. If you need to parse untrusted XMLs, you may be impacted to these vulnerabilities. Patches REXML gems 3.4.2 or later include the patches to fix these vulnerabilities...

5.3CVSS7.1AI score0.00231EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/17 3:30 p.m.10 views

Jenkins is missing a permission check in the authenticated users' profile menu

Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check for the authenticated user profile dropdown menu. This allows attackers without Overall/Read permission to obtain limited information about the Jenkins configuration by listing available options in this menu...

4.3CVSS6.2AI score0.00448EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/17 3:30 p.m.7 views

Jenkins has a log message injection vulnerability

In Jenkins 2.527 and earlier, LTS 2.516.2 and earlier, the log formatter that prepares log messages for console output including jenkins.log and equivalent does not restrict or transform the characters that can be inserted from user-specified content in log messages. This allows attackers able to...

5.3CVSS6.7AI score0.00335EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/17 3:30 p.m.10 views

Jenkins has a missing permission check, allowing users to obtain agent names

Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check in the sidepanel of a page intentionally accessible to users lacking Overall/Read permission. This allows attackers without Overall/Read permission to list agent names through its sidepanel executors widget...

5.3CVSS6.7AI score0.04735EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/17 12:30 p.m.10 views

Duplicate Advisory: Picklescan is Vulnerable to Unsafe Globals Check Bypass through Subclass Imports

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-f7qq-56ww-84cr. This link is maintained to preserve external references. Original Description A Protection Mechanism Failure vulnerability in mmaitre314 picklescan versions up to and including 0.0.30 allows a...

9.3CVSS6.9AI score0.00761EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/17 12:30 p.m.12 views

Duplicate Advisory: Picklescan Bypass is Possible via File Extension Mismatch

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-jgw4-cr84-mqxg. This link is maintained to preserve external references. Original Description An Improper Input Validation vulnerability in the scanning logic of mmaitre314 picklescan versions up to and includin...

9.3CVSS6.9AI score0.00816EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/17 12:30 p.m.10 views

Duplicate Advisory: Picklescan: ZIP archive scan bypass is possible through non-exhaustive Cyclic Redundancy Check

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-m4j5-5x4r-2xp9. This link is maintained to preserve external references. Original Description An Improper Handling of Exceptional Conditions vulnerability in the ZIP archive scanning component of mmaitre314...

9.8CVSS7AI score0.01428EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/17 12:31 a.m.9 views

Liferay search widget vulnerable to Cross-site Scripting

There is a Cross-site scripting XSS vulnerability in Liferay Portal's Search widget . Versions 7.4.3.93 through 7.4.3.111, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4 allow remote attackers to inject arbitrary web scripts or HTML via the...

6.1CVSS6.1AI score0.00216EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/17 12:31 a.m.12 views

Liferay Portal allows remote attackers to view display page templates via crafted URLs

Liferay Portal 7.3.0 through 7.4.3.111, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, and 7.3 GA through update 35 does not perform an authorization check when users attempt to view a display page template, which allows remote attackers to view display page...

6.9CVSS7AI score0.00271EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/17 12:31 a.m.18 views

Kubernetes C# client accepts certificates from any CA without properly verifying the trust chain

A vulnerability exists in the Kubernetes C client where the certificate validation logic accepts properly constructed certificates from any Certificate Authority CA without properly verifying the trust chain. This flaw allows a malicious actor to present a forged certificate and potentially...

6.8CVSS6.8AI score0.00288EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/16 10:20 p.m.11 views

Timing Attack Vulnerability in SCRAM Authentication

Impact A timing attack vulnerability exists in the SCRAM Java implementation. The issue arises because Arrays.equals was used to compare secret values such as client proofs and server signatures. Since Arrays.equals performs a short-circuit comparison, the execution time varies depending on how...

8.7CVSS7AI score0.00835EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/16 8:18 p.m.10 views

matrix-js-sdk has insufficient validation when considering a room to be upgraded by another

Impact matrix-js-sdk before 38.2.0 has insufficient validation of room predecessor links in MatrixClient::getJoinedRooms, allowing a remote attacker to attempt to replace a tombstoned room with an unrelated attacker-supplied room. Patches The issue has been patched and users should upgrade to...

6.9CVSS6.9AI score0.00227EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/16 7:31 p.m.7 views

@executeautomation/database-server does not properly restrict access, bypassing a "read-only" mode

The MCP Server provided by ExecuteAutomation at https://github.com/executeautomation/mcp-database-server provides an MCP interface for agentic workflows to interact with different kinds of database servers such as PostgreSQL database. However, the mcp-database-server MCP Server distributed via th...

8.1CVSS7.6AI score0.00363EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/16 6:31 p.m.9 views

Liferay Portal has unchecked input for loop condition vulnerability in XML-RPC

Unchecked input for loop condition vulnerability in XML-RPC in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote attackers...

7.5CVSS7AI score0.00372EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2025/09/16 6:31 p.m.18 views

JasperReports has a Java deserialisation vulnerability

A Java deserialisation vulnerability has been discovered in the Jaspersoft Library. Improper handling of externally supplied data may allow attackers to execute arbitrary code remotely on systems that use the affected library...

9.8CVSS8AI score0.00876EPSS
Exploits0References7Affected Software1
Total number of security vulnerabilities33426