33100 matches found
Open WebUI allows limited stored XSS vila uploaded html file
Summary Low privileged users can upload HTML files which contain JavaScript code via the /api/v1/files/ backend endpoint. This endpoint returns a file id, which can be used to open the file in the browser and trigger the JavaScript code in the user's browser. Under the default settings, files...
EGroupware Vulnerable to Local File Inclusion via file:// URI in Mail Compose
Summary The function processes image URLs embedded in an HTML email body without validating or restricting URI schemes. The check !strstartswith$myUrl, 'http' evaluates to true for file:// URIs, causing filegetcontents$basedir . urldecode$myUrl to read arbitrary files from the server filesystem a...
ONNX has Null Pointer Dereference in Upsample Version Converter Adapter (Zero Inputs)
Summary Null pointer dereference SIGSEGV in Upsample67::adaptupsample67 onnx/versionconverter/adapters/upsample67.h:31 when convertversion processes a model with an Upsample node that has zero inputs. The adapter accesses node-inputs0-sizes without checking input count. 107-byte PoC crashes on...
New API is vulnerable to CSRF through user email binding
Summary The email and WeChat account binding endpoints used GET requests for state-changing account operations. In deployments where session cookies could be sent on cross-site navigations, an attacker could trigger a logged-in user's browser to bind an attacker-controlled email address or OAuth...
EGroupware has Authenticated RCE via Malicious eTemplate Upload
Summary An authenticated administrator can achieve OS-level Remote Code Execution RCE by uploading a malicious eTemplate XML file .xet to the VFS /etemplates mount. The Widget::expandname method passes template widget attribute values directly into a PHP eval call with only double-quote escaping...
XWiki Platform Old Core: Resource path traversal via /skin/ action endpoint in Jetty 12+
Impact With Jetty 12+ a user can craft a URL to access any resource the Jetty instance is allowed to access. For example http://host/xwiki/bin/skin/..%252f/..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc/passwd allows downloading the content of the /etc/passwd file, provided Jetty is allowed...
New API: SSRF Protection Bypass via Unresolved Hostname in Notification URLs
Summary The default SSRF protection configuration did not apply IP filtering to hostnames. With ApplyIPFilterForDomain disabled by default, URL validation checked domain allow/block rules but did not resolve a hostname and validate the resolved IP address. Authenticated users could configure...
EGroupware has a Remote Code Execution Vulnerability
Summary A critical vulnerability has been identified in EGroupware that may lead to Remote Code Execution RCE. The issue allows an authenticated attacker to execute arbitrary commands on the server. If user self-registration is enabled, the vulnerability may be exploitable without prior...
cut: -s ignored in -z -d '' newline-delimiter mode
cut routes -z -d '' through a special newline-delimiter path that ignores the -s only-delimited flag, emitting whole undelimited records plus NUL that should be suppressed. Pipelines relying on cut -s to drop undelimited records process data that should be filtered. printf 'abc' | cut -z -d '' -s...
mknod: Device nodes created mislabeled on SELinux, with broken cleanup (remove_dir on a node)
uutils calls mknod before setting the SELinux context GNU uses setfscreatecon first, labeling atomically. If setselinuxsecuritycontext fails, cleanup uses std::fs::removedir, which cannot remove device nodes or FIFOs, leaving the mislabeled node behind. Impact: on SELinux-enforcing systems the no...
mkfifo: permissions of an existing file are changed after FIFO creation fails
When mkfifo fails e.g. target already exists, the code shows an error but is missing a continue;, so it falls through to fs::setpermissions and changes the permissions of the pre-existing file to the default FIFO mode 0o666 & umask - 0644. $ touch secret; chmod 000 secret $ coreutils mkfifo secre...
Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write
Summary agentConn.apiClient used the default redirect behavior of http.Client while its custom transport dialed the host from the request URL as long as the port was the workspace agent HTTP API port 4. Agent tailnet IPs are deterministic from agent UUIDs, so a malicious workspace agent could...
OpenRemote has Authenticated SQL Injection via Datapoint Crosstab Export
Summary The datapoint export API builds a PostgreSQL crosstab export query by concatenating asset display names into raw SQL. An authenticated user who can create or rename an asset and then request a crosstab datapoint export can inject SQL through the asset name. The injected query output is...
Kiwi TCMS vulnerable to stored XSS via JavaScript: URI in extra_link field (TestPlan & TestCase)
Summary In Kiwi TCMS the fields TestCase.extralink and TestPlan.extralink were meant to represent URLs to external resources however in versions prior to 16.1 user input was not being sanitized and values were rendered verbatim which represents an opportunity for cross-site scripting exploitation...
9router: Login brute-force protection bypass via spoofed X-Forwarded-For header
Summary The 9router dashboard login rate limiter derives the client identity from the attacker-controlled X-Forwarded-For HTTP header. When 9router is directly exposed, or deployed behind a reverse proxy that does not overwrite untrusted forwarding headers, a remote attacker can rotate the...
9routers has Exposure of Sensitive Information and Unprotected Database Import/Export, Allowing Complete Credential Theft and Database Takeover
Summary The /api/settings/database endpoint allows full database export containing all credentials, API keys, OAuth tokens, and settings and full database import complete overwrite without any authentication requirement beyond the ALWAYSPROTECTED middleware check, which only validates JWT or CLI...
Craft CMS: Potential authenticated Remote Code Execution via referrer redirect
Requirements: Control panel access Permissions to edit an entry Details Control panel users with the ability to edit entries can execute unsandboxed Twig code via the HTTP Referrer header. The issue happens when a user is saving entries. Strings for a signed redirect URL are being compiled as a...
Craft CMS: Stored XSS via Structure entry title in table view
Stored XSS via Structure entry title in table view Summary An Author-level control panel user can store a JavaScript payload in an entry title. When an admin, or any control panel user with saveEntries for the same Structure section, drags another entry under the poisoned entry in table view, the...
Craft CMS: Sensitive File Disclosure / Server-Side File Read
The dataUrl Twig function is included in Craft’s Twig sandbox allowlist, allowing any control panel user granted the utility:system-messages permission to embed a file-reading payload into system email templates. When those emails are sent, the server reads the target file and returns its content...
Craft CMS: DOM XSS via GitHub issue title in CraftSupport widget
Summary An attacker with only a GitHub account can plant a JavaScript payload in a craftcms/cms issue title. When a Craft admin uses the CraftSupport widget’s "Give feedback" screen and types a search term that returns the poisoned issue, the payload executes in the admin’s control panel session...
Kiwi TCMS has an Open Redirect via unvalidated next parameter in account confirmation endpoint
Summary An open redirect vulnerability in the account confirmation endpoint allows an unauthenticated attacker to craft a URL hosted on a legitimate Kiwi TCMS instance that redirects victims to an arbitrary external domain. The attack surface is particularly relevant for phishing campaigns...
Zebra: Missing copy constraint in halo2_gadgets variable-base scalar multiplication allows under-constrained base, breaking Orchard Action circuit soundness
Summary A soundness vulnerability in the variable-base scalar multiplication gadget of halo2gadgets allowed a malicious prover to produce a valid proof for an Orchard Action with an under-constrained base point. Because this gadget enforces the diversified-address-integrity condition of the Orcha...
Langroid: Neo4jChatAgent executes LLM-generated Cypher without validation (prompt-to-Cypher injection; config-conditional RCE), mirroring the SQLChatAgent bug fixed in CVE-2026-25879
Neo4jChatAgent passes LLM-generated Cypher queries straight to the Neo4j driver with no validation, no statement-type allowlist, and no opt-out gate. The query text is influenceable by prompt injection direct user input or indirect content the agent reads back via RAG, so an attacker who can...
9router has unauthenticated CRUD on /api/providers and Full API Key Leak via /api/usage/stats
--- title: Unauthenticated CRUD on /api/providers and Full API Key Leak via /api/usage/stats product: 9Router version: = 0.4.41 severity: critical cverequest: true --- Summary Multiple critical API security vulnerabilities were discovered in 9Router's Next.js dashboard. The /api/providers endpoin...
Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing
Summary Coder's subdomain-based workspace app proxy allowed the same-owner CORS check to be bypassed. When a workspace-name subdomain segment parsed as a UUID, the workspace was resolved by ID without confirming the URL's username matched the real owner, while the CORS middleware trusted the...
Linuxfabrik Monitoring Plugins have local privilege escalation using embedded command
Summary When a check plugin places user provided input inside a command which is passed to shellexec, an attacker can abuse this to run arbitrary commands. This is mainly dangerous for plugins which are listed in the sudoers file, because this allows an attacker controlling the nagios user to get...
Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component
Summary The AgentLogLine dashboard component instantiated ansi-to-html without escapeXML: true and inserted the result via dangerouslySetInnerHTML so HTML embedded in workspace agent log lines was rendered as live markup. Server-side sanitization did not neutralize HTML metacharacters. Note:...
Coder's AI Bridge Proxy skips TLS certificate verification in default configuration
Summary The AI Bridge Proxy aibridgeproxyd created a goproxy server whose default transport set InsecureSkipVerify: true and only assigned a secure transport when an upstream proxy was configured. In the default configuration no upstream proxy, outbound HTTPS to the Coder access URL accepted any...
Suspended Coder users retain access to AI Bridge LLM proxy endpoints
Summary AI Bridge proxy endpoints authenticate via Server.IsAuthorized in coderd/aibridgedserver, which validates key format, expiry, secret and deleted or system users but does not check whether the account is suspended. Because suspension does not revoke existing API keys, a suspended user's...
Coder vulnerable to denial of service via unbounded request body in AI Bridge provider endpoints
Summary AI Bridge provider handlers read request bodies with io.ReadAll without a maximum size so an authenticated user with AI Bridge access could send an arbitrarily large body and exhaust memory. Note: Exploitation requires authenticated access to the AI Bridge endpoints and the impact is...
Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers
Summary The devcontainer recreate endpoint relied on route middleware that checked only ActionRead on the workspace and, unlike the sibling delete endpoint, performed no ActionUpdate check before triggering the destructive rebuild. Note: Exploitation requires an existing low-privilege role with...
Coder's sub-agent app registration bypasses template port-sharing policy enforcement
Summary The CreateSubAgent RPC did not validate a requested app sharing level against the template's MaxPortSharingLevel before persisting workspace apps, letting a workspace owner exceed the administrator's configured maximum. Note: Exploitation requires the ability to register sub-agent apps in...
Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps
Summary coder open app opens external workspace-app URLs without validating the scheme or host. When an external app URL contains the $SESSIONTOKEN placeholder the CLI replaces it with the user's real session token before handing the URL to the OS open handler. Note: Practical exploitation requir...
Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service
Summary POST /api/v2/files converts zip uploads to tar in memory via CreateTarFromZip, which enforced a per-entry size limit but no aggregate limit on total decompressed output, writing to an unbounded in-memory buffer. Note: Exploitation requires authenticated file-upload access and the impact i...
Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access
Summary The workspace app proxy resolves the target app from httpapi.RequestHost which prefers the X-Forwarded-Host header over the real Host header. No middleware strips X-Forwarded-Host before routing and the header is not browser-forbidden so client-side JavaScript can set it on fetch calls...
Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator
Summary The tailnet coordinator validates that an agent's Addresses derive from its authenticated UUID but applies no equivalent check to AllowedIPs. The coordinator forwards agent-supplied AllowedIPs verbatim to tunnel peers which install them into the WireGuard peer configuration. Impact A...
Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID
Summary UpsertWorkspaceApp overwrites an existing app's agentid on a primary-key conflict and insertAgentApp accepts the app ID from the provisioner's CompleteJob payload without verifying it belongs to the workspace being built. CompleteJob runs under dbauthz.AsProvisionerd so the authorization...
Coder's unbounded memory allocation in provisioner file upload allows authenticated denial of service
Summary NewDataBuilder in provisionersdk/proto/dataupload.go allocated a byte slice using the client-supplied FileSize from a DataUpload message without an upper-bound check. Although the DRPC wire limit is 4 MiB, the FileSize value itself was unconstrained Impact An authenticated user able to...
Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh`
Summary coder config-ssh wrote server-supplied SSH settings HostnameSuffix, SSHConfigOptions into the user's /.ssh/config without sanitizing embedded newlines or restricting directives so a malicious or compromised Coder server could inject arbitrary SSH configuration. Note: Practical exploitatio...
Coder: User-admin role can reset owner account password
Summary The PUT /api/v2/users/user/password endpoint authorized only ActionUpdatePersonal and did not prevent a user-admin from resetting an owner account's password. It also did not require the current password when an admin reset another user's password. Note: Exploitation requires the privileg...
Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass
Summary Two flaws in Coder's OIDC login chained into account takeover: email-based user matching fell back to linking by email without checking for an existing link to a different IdP subject and the emailverified claim was only enforced when present as a boolean false so an absent or non-boolean...
Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking
Summary Coder's OIDC callback checked emailverified with a direct Go bool type assertion. When an IdP returned the claim as a non-boolean for example the string "false" or omitted it, the assertion failed open and the email was treated as verified. Combined with an unconditional email-based accou...
OpenRemote has an incomplete fix for CVE-2026-40882: XXE in KNXProtocol.startAssetImport() allows arbitrary file read via unprotected XMLInputFactory
Summary The fix for CVE-2026-40882 addressed only the Velbus asset import handler. The KNX asset import handler KNXProtocol processes user-uploaded ETS project ZIP files through Saxon XSLT and XMLInputFactory.newInstance with no XXE protection, allowing any authenticated user to read arbitrary...
OpenRemote has Cross-Realm User Information Disclosure in UserResourceImpl
Summary A realm admin of tenant B can read the profile, client roles, and realm roles of any user in any other realm including the master realm by supplying the target user's UUID in the REST API path. Three read endpoints in UserResourceImpl check whether the caller holds the read:admin role but...
CiliumLocalRedirectPolicy addressMatcher allows cross-namespace service traffic hijacking and can break service translation
Impact Users with the ability to create CiliumLocalRedirectPolicies can specify arbitrary ClusterIPs via addressMatcher, which enables hijacking traffic to Services in any namespace, bypassing the namespace-scoping guarantees enforced by serviceMatcher. In addition, deleting such a policy can...
GoFiber never set HSTS header in helmet middleware due to incorrect protocol check
Summary The helmet middleware in gofiber/fiber never sets the Strict-Transport-Security HSTS response header, even when HSTSMaxAge is explicitly configured, because the condition check at helmet.go:67 uses c.Protocol — which returns the HTTP protocol version string e.g., "HTTP/1.1", "HTTP/2.0" —...
Langroid: handle_message() executes user-supplied tool JSON without sender verification
Summary A Langroid application exposing a chat interface to untrusted users may allow direct tool invocation via raw JSON payloads, even when tools are registered with use=False, handle=True. Details enablemessage..., use=False, handle=True only prevents the LLM from being instructed to generate...
Langroid: Sandbox Escape to Remote Code Execution via Incomplete `eval()` Mitigation in TableChatAgent
Advisory Details Title: Sandbox Escape to Remote Code Execution via Incomplete eval Mitigation in TableChatAgent Description: Summary Langroid is vulnerable to a critical Sandbox Escape leading to Remote Code Execution RCE in its TableChatAgent and VectorStore capabilities. When these agents...
Langroid: SQLChatAgent dangerous-function blocklist can be bypassed with quoted or schema-qualified pg_read_file calls
SQLChatAgent validatequery dangerous-pattern regex is bypassable via quoted/commented/qualified function names Summary The SQLChatAgent SQL-injection mitigation, with default allowdangerousoperations=False, combines a raw-text regex blocklist DANGEROUSSQLPATTERNS with a sqlglot SELECT-only...
Dragonfly scheduler v1 and v2 gRPC unauthenticated SSRF via attacker-controlled PeerHost in DownloadTinyFile
Summary The Dragonfly scheduler's v1 gRPC service contains an unauthenticated Server-Side Request Forgery SSRF. When a peer reports a successful download of a TINY task, the scheduler calls Peer.DownloadTinyFile and issues an HTTP GET to a host and port taken verbatim from the attacker-controlled...