33426 matches found
Chaos Controller Manager is vulnerable to OS command injection
The cleanTcs mutation in Chaos Controller Manager is vulnerable to OS command injection. In conjunction with CVE-2025-59358, this allows unauthenticated in-cluster attackers to perform remote code execution across the cluster...
Mattermost Open Redirect vulnerability
Mattermost versions 10.5.x = 10.5.9 fail to properly validate redirect URLs which allows attackers to redirect users to malicious sites via crafted OAuth login URLs...
Mattermost Missing Authorization vulnerability
Mattermost versions 10.10.x = 10.10.1 fail to properly sanitize user data during shared channel membership synchronization, which allows malicious or compromised remote clusters to access sensitive user information via unsanitized user objects. This vulnerability affects Mattermost Server instanc...
Duplicate Advisory: express-xss-sanitizer has an unbounded recursion depth
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-hvq2-wf92-j4f3. This link is maintained to preserve external references. Original Descripton The express-xss-sanitizer package for Node.js has an unbounded recursion in the sanitize function lib/sanitize.js when...
Hugging Face Transformers library has Regular Expression Denial of Service
A Regular Expression Denial of Service ReDoS vulnerability was discovered in the Hugging Face Transformers library, specifically within the normalizenumbers method of the EnglishNormalizer class. This vulnerability affects versions up to 4.52.4 and is fixed in version 4.53.0. The issue arises fro...
Liferay Portal: Missing Rate Limiting in GraphQL Endpoint Enables Resource Exhaustion Attack
Liferay Portal 7.4.0 through 7.4.3.101, and Liferay DXP 2023.Q3.0 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA though update 35 does not limit the number of objects returned from a GraphQL queries, which allows remote attackers to perform denial-of-service DoS attacks on the application...
Liferay Portal's System, Instance and Site Settings are vulnerable to Open Redirect
An open redirect vulnerability in the System Settings in Liferay Portal 7.1.0 through 7.4.3.101, and Liferay DXP 2023.Q3.1 through 2023.Q3.4 , 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote attackers to redirect users to arbitrary external URLs vi...
Hono has Body Limit Middleware Bypass
Summary A flaw in the bodyLimit middleware could allow bypassing the configured request body size limit when conflicting HTTP headers were present. Details The middleware previously prioritized the Content-Length header even when a Transfer-Encoding: chunked header was also included. According to...
httpsig-rs: HMAC verification is vulnerable to timing attack
Summary HMAC signature comparison is not timing-safe and is vulnerable to timing attacks. Details SharedKey::sign returns a Vec which has a non-constant-time equality implementation. Hmac::finalize returns a constant-time wrapper CtOutput which was discarded. Alternatively, Hmac has a constant-ti...
Flowise Cloud and Local Deployments have Unauthenticated Password Reset Token Disclosure that Leads to Account Takeover
Summary The forgot-password endpoint in Flowise returns sensitive information including a valid password reset tempToken without authentication or verification. This enables any attacker to generate a reset token for arbitrary users and directly reset their password, leading to a complete account...
Liferay Portal's selection modal is vulnerable to XSS
A stored cross-site scripting vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q3.0, 2025.Q2.0 through 2025.Q2.12, 2025.Q1.0 through 2025.Q1.17, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1.2...
Hugging Face Transformers is vulnerable to ReDoS through its MarianTokenizer
A Regular Expression Denial of Service ReDoS vulnerability was discovered in the Hugging Face Transformers library, specifically affecting the MarianTokenizer's removelanguagecode method. This vulnerability is present in version 4.52.4 and has been fixed in version 4.53.0. The issue arises from...
Liferay Portal's Organization Selector exposes organization data to remote authenticated users
The Organization Selector in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q1.1 through 2024.Q1.12 and 7.4 update 81 through update 85 does not check user permission, which allows remote authenticated users to obtain a list of all organizations...
Liferay Portal JSON Web Services Direct Class Invocation Enables Service Access Policy Execution
JSON Web Services in Liferay Portal 7.4.0 through 7.4.3.119, and Liferay DXP 2024.Q1.1 through 2024.Q1.9, 7.4 GA through update 92 published to OSGi are registered and invoked directly as classes which allows Service Access Policies to get executed...
Neo4j Cypher MCP server is vulnerable to DNS rebinding
Impact DNS rebinding vulnerability in Neo4j Cypher MCP server allows malicious websites to bypass Same-Origin Policy protections and execute unauthorised tool invocations against locally running Neo4j MCP instances. The attack relies on the user being enticed to visit a malicious website and spen...
SurrealDB is Vulnerable to Unauthorized Data Exposure via LIVE Query Subscriptions
LIVE SELECT statements are used to capture changes to data within a table in real time. Documents included in WHERE conditions and DELETE notifications were not properly reduced to respect the querying user's security context. Instead the leaked documents reflect the context of the user triggerin...
Subrion CMS: Authenticated administrators are able to gain escalated access through Run SQL Query tool
An issue was discovered in Subrion CMS 4.2.1, allowing authenticated adminitrators or moderators with access to the built-in Run SQL Query feature under the SQL Tool admin panel — to gain escalated privileges in the context of the SQL query tool...
matrix-sdk-base: Panic in the `RoomMember::normalized_power_level()` method
In matrix-sdk-base before 0.14.1, calling the RoomMember::normalizedpowerlevel method can cause a panic if a room member has a power level of Int::Min. Patches The issue is fixed in matrix-sdk-base 0.14.1. Workarounds The affected method isn’t used internally, so avoiding calling...
Axios is vulnerable to DoS attack through lack of data size check
Summary When Axios runs on Node.js and is given a URL with the data: scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire payload into memory Buffer/Blob and returns a synthetic 200 response. This path ignores maxContentLength / maxBodyLength which only protect HTTP...
Liferay Portal API Allows Authenticated Users to Access Workflow Definitions by Name
An Insecure Direct Object Reference IDOR vulnerability in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q2.0 through 2024.Q2.7, 2024.Q1.1 through 2024.Q1.12, and 7.4 GA through update 92 allows remote authenticated users to access a workflow definition by name via the API...
Liferay Portal is vulnerable to Insecure Direct Object Reference (IDOR) attack through Authentication Bypass
An Insecure Direct Object Reference IDOR vulnerability in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q2.0 through 2024.Q2.6, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allows remote authenticated users to from one virtual instance to access, create, edit, relate...
Flask App Builder has an Authentication Bypass vulnerability when using non AUTH_DB methods
Impact When Flask-AppBuilder is configured to use OAuth, LDAP, or other non-database authentication methods, the password reset endpoint remains registered and accessible, despite not being displayed in the user interface. This allows an enabled user to reset their password and be able to create...
Prebid-universal-creative latest on npm briefly compromised
Impact Npm users of PUC 1.17.3 or PUC latest were briefly affected by crypto-related malware detailed in the blog post below. This includes the extremely popular jsdelivr hosting of this file. Patches We unpublished the version on npm. Workarounds This has already been unpublished. See Prebid.js ...
Prebid.js NPM package briefly compromised
Impact NPM users of prebid 10.9.2. The malicious code attempts to redirect crypto transactions on the site to the attackers' wallet. Patches 10.10.0 is solved References https://www.sonatype.com/blog/npm-chalk-and-debug-packages-hit-in-software-supply-chain-attack...
jsondiffpatch is vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin
Vulnerability in jsondiffpatch Versions of jsondiffpatch prior to 0.7.2 are vulnerable to Cross-site Scripting XSS in the HtmlFormatter HtmlFormatter::nodeBegin. When diffs are rendered to HTML using the built-in formatter, untrusted payloads can inject scripts and execute in the context of a...
Angular SSR: Global Platform Injector Race Condition Leads to Cross-Request Data Leakage
Impact Angular uses a DI container the "platform injector" to hold request-specific state during server-side rendering. For historical reasons, the container was stored as a JavaScript module-scoped global variable. When multiple requests are processed concurrently, they could inadvertently share...
interactive-git-checkout has a Command Injection vulnerability
The npm package interactive-git-checkout is an interactive command-line tool that allows users to checkout a git branch while it prompts for the branch name on the command-line. It is available as an npm package and can be installed via npm install -g interactive-git-checkout. Resources: Project'...
Liferay Portal's Incorrect Authorization vulnerability can lead to guest users to obtaining sensitive data
An Improper Access Control vulnerability in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q2.0 through 2024.Q2.8, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allows guest users to obtain object entry information via the API Builder...
Liferay Portal is vulnerable to Reflected XSS attack through get_editor path
A reflected cross-site scripting XSS vulnerability in Liferay Portal 7.4.3.73 through 7.4.3.128, and Liferay DXP 2024.Q3.0 through 2024.Q3.1, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 7.4 update 73 through update 92 allows remote attackers to inject arbitrary web script or HTML...
Infrahub: Deleted and expired API tokens can still authenticate
Impact A bug in the authentication logic will cause API tokens that were deleted and/or expired to be considered valid. This means that any API token that is associated with an active user account can authenticate successfully. Patches This issue is fixed in versions 1.3.9 and 1.4.5 Workarounds...
Shopware: Reflective Cross Site-Scripting (XSS) in CMS components
Impact By exploiting XSS vulnerabilities, malicious actors can perform harmful actions in the user's web browser in the session context of the affected user. Some examples of this include, but are not limited to: - Obtaining user session tokens. - Performing administrative actions when an...
xml2rfc is vulnerable to arbitrary file reads through prepped files
Impact When generating PDF files, this vulnerability allows an attacker to read arbitrary files from the filesystem by injecting malicious link element into the prepped RFCXML. Workarounds Test untrusted input with link elements with rel="attachment" before processing. References This is related ...
WebSocket endpoint `/api/v2/ws/logs` reachable without authentication even when --auth is enabled
Summary Hoverfly’s admin WebSocket endpoint /api/v2/ws/logs is not protected by the same authentication middleware that guards the REST admin API. Consequently, an unauthenticated remote attacker can: - Stream real-time application logs information disclosure. - Gain insight into internal file...
PyInstaller has local privilege escalation vulnerability
Impact Due to a special entry being appended to sys.path during the bootstrap process of a PyInstaller-frozen application, and due to the bootstrap script attempting to load an optional module for bytecode decryption while this entry is still present in sys.path, an application built with...
Claude Code vulnerable to arbitrary code execution caused by maliciously configured git email
At startup, Claude Code constructed a shell command that interpolated the value of git config user.email from the current workspace. If an attacker controlled the repository’s Git config e.g., via a malicious .git/config and set user.email to a crafted payload, the unescaped interpolation could...
Indico vulnerable to Cross-Site Scripting via LaTeX math code
Impact There is a Cross-Site-Scripting vulnerability when rendering LaTeX math code in contribution or abstract descriptions. Patches You should to update to Indico 3.3.8 as soon as possible. See the docs for instructions on how to update. Workarounds Only let trustworthy users create content on...
Indico may disclose unauthorized user details access via legacy API
Impact A legacy API to retrieve user details could be misused to retrieve profile details of other users without having admin permissions due to a broken access check. Patches You should to update to Indico 3.3.8 as soon as possible. See the docs for instructions on how to update. Workarounds It ...
Picklescan Bypass is Possible via File Extension Mismatch
Summary Picklescan can be bypassed, allowing the detection of malicious pickle files to fail, when a standard pickle file is given a PyTorch-related file extension e.g., .bin. This occurs because the scanner prioritizes PyTorch file extension checks and errors out when parsing a standard pickle...
Picklescan: ZIP archive scan bypass is possible through non-exhaustive Cyclic Redundancy Check
Summary Picklescan's ability to scan ZIP archives for malicious pickle files is compromised when the archive contains a file with a bad Cyclic Redundancy Check CRC. Instead of attempting to scan the files within the archive, whatever the CRC is, Picklescan fails in error and returns no results...
Hoverfly is vulnerable to Remote Code Execution through an insecure middleware implementation
Summary It has been discovered that the middleware functionality in Hoverfly is vulnerable to command injection through its /api/v2/hoverfly/middleware endpoint due to insufficient validation and sanitization in user input. Details The vulnerability exists in the middleware management API endpoin...
Liferay Portal and Liferay DXP vulnerable to Stored Cross-site Scripting
A stored cross-site scripting XSS vulnerability in Liferay Portal 7.4.3.45 through 7.4.3.128, and Liferay DXP 2024 Q2.0 through 2024.Q2.9, 2024.Q1.1 through 2024.Q1.12, and 7.4 update 45 through update 92 allows remote attackers to execute an arbitrary web script or HTML in the My Workflow Tasks...
Decap CMS Cross Site Scripting (XSS) vulnerability
Decap CMS through 3.8.3 is vulnerable to stored Cross-Site Scripting XSS in the admin preview pane. User-controlled fields e.g., title, description, tags, and body are rendered in the preview without sufficient sanitization/escaping. An attacker with low-privilege author/contributor access can...
Picklescan is Vulnerable to Unsafe Globals Check Bypass through Subclass Imports
Summary The vulnerability allows malicious actors to bypass PickleScan's unsafe globals check, leading to potential arbitrary code execution. The issue stems from PickleScan's strict check for full module names against its list of unsafe globals. By using subclasses of dangerous imports instead o...
Webrecorder packages are vulnerable to XSS through 404 error handling logic
A Reflected Cross-Site Scripting XSS vulnerability exists in the 404 error handling logic of wabac.js v2.23.10 and below. The parameter requestURL derived from the original request target is directly embedded into an inline block without sanitization or escaping. This allows an attacker to craft ...
Claude Code rg vulnerability does not protect against approval prompt bypass
Due to an error in command parsing, it was possible to bypass the Claude Code confirmation prompt to trigger execution of an untrusted command. Reliably exploiting this requires the ability to add untrusted content into a Claude Code context window. Users on standard Claude Code auto-update will...
Liferay Portal exposes ERC which can lead to exploit the time response attack
Enumeration of ERC from object entry in Liferay Portal 7.4.0 through 7.4.3.128, and Liferay DXP 2024.Q3.0 through 2024.Q3.1, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 and 7.4 GA through update 92 allow attackers to determine existent ERC in the application by exploit t...
Liferay Portal is vulnerable to XSS attacks via its remote app title field
A stored cross-site scripting XSS vulnerability in Liferay Portal 7.4.0 through 7.4.3.128, and Liferay DXP 2024.Q3.0 through 2024.Q3.5, 2024.Q2.0 through 2024.Q2.12, 2024.Q1.1 through 2024.Q1.12, and 7.4 GA through update 92 allows remote attackers to inject arbitrary web script or HTML via remot...
SGLang Remote Code Execution Vulnerability via Unsafe Deserialization in update_weights_from_tensor
A security flaw has been discovered in lmsys sglang 0.4.6. Affected by this vulnerability is the function main of the file /updateweightsfromtensor. The manipulation of the argument serializednamedtensors results in deserialization. The attack can be launched remotely. The exploit has been releas...
Liferay Portal is vulnerable to XSS attack through its search bar portlet
A reflected cross-site scripting XSS vulnerability in Liferay Portal 7.4.3.110 through 7.4.3.128, and Liferay DXP 2024.Q3.1 through 2024.Q3.8, 2024.Q2.0 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1.12 allows remote attackers to inject arbitrary web script or HTML via the URL in search bar...
Monai: Unsafe use of Pickle deserialization may lead to RCE
To prevent this report from being deemed inapplicable or out of scope, due to the project's unique nature for medical applications and widespread popularity 6k+ stars, it's important to pay attention to some of the project's inherent security issues. This is because medical professionals may not...