33225 matches found
NocoDB: Server-Side Request Forgery via Spreadsheet Fetch URL
Summary The spreadsheet-fetch endpoint axiosRequestMake accepted URLs whose path contained a permitted extension anywhere in the string, and applied a hand-rolled regex blocklist that omitted 127.0.0.0/8 and 169.254.0.0/16, allowing the cloud-metadata endpoint to be reached with a crafted URL...
vLLM: OOM Denial of Service via Audio Decompression Bomb
Summary vLLM's /v1/audio/transcriptions endpoint limits compressed upload size but not decoded PCM output. A 25MB OPUS file expands to 14.9GB of float32 PCM at decode time. Tested on vLLM v0.19.0. Details SpeechToTextProcessor rejects uploads over VLLMMAXAUDIOCLIPFILESIZEMB default 25MB based on...
vLLM: incomplete CVE-2026-22778 fix leaks PIL repr addresses via Anthropic router
vLLM: incomplete CVE-2026-22778 fix leaks PIL repr addresses via the Anthropic API router Researcher: Kai Aizen — SnailSploit @SnailSploit, Adversarial & Offensive Security Research Severity: CVSS 3.1 5.3 Medium AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Target: https://github.com/vllm-project/vllm ---...
vLLM: GGUF dequantize kernel int truncation exposes uninitialized GPU memory in multi-tenant serving
Summary Integer truncation of tensor dimensions in vLLM's GGUF dequantize kernels csrc/quantization/gguf/ggufkernel.cu causes partial tensor processing. The output tensor is allocated at full size via torch::empty uninitialized memory, but the dequantize CUDA kernel processes only a truncated...
vLLM: image EXIF Rotation & PNG tRNS Transparency Not Normalized, Causing Mismatch Between Model Input and Expectations
Summary Issue 1: EXIF orientation not normalized → The image orientation processed by the model differs from how humans view it, introducing interpretation bias. Issue 2: PNG tRNS not explicitly flattened before converting to RGB → After conversion, transparent/semi-transparent pixels are rendere...
vLLM: temperature=NaN and temperature=Infinity bypass validation and propagate to GPU kernels
Summary All temperature validation gates use comparison operators , which silently evaluate to False for NaN and for positive Infinity in Python's IEEE 754 float semantics. Both values pass every guard and propagate to GPU sampling kernels, where they produce undefined behavior or CUDA errors tha...
Traefik: Kubernetes Gateway crossProviderNamespaces bypass allows HTTPRoute outside the allowlist to expose internal Traefik services
Summary There is a high severity vulnerability in Traefik's Kubernetes Gateway provider affecting the crossProviderNamespaces allowlist. For HTTPRoute rules that declare multiple WRR backendRefs, Traefik evaluates the allowlist against the target backendRef.namespace instead of the route's own...
Chrome DevTools for agents: daemon.pid write follows symlinks in /tmp fallback runtime directory
Summary The chrome-devtools-mcp daemon writes its PID file with fs.writeFileSync to a deterministic runtime path. On typical macOS environments, and on Linux sessions where $XDGRUNTIMEDIR is unset, that runtime path falls back to /tmp/chrome-devtools-mcp-/daemon.pid. Because the write does not us...
n8n: Wrong OAuth Scope on Evaluation Test Runs Endpoints
Impact Three mutating endpoints in the evaluation test runs controller authorized state-changing actions using workflow:read instead of the action-appropriate workflow:execute scope. An authenticated user with project:viewer role on a project could start new evaluation test runs, cancel in-flight...
Pi Agent: Pi loads project-local extensions without approval
Pi loads project-local extensions without approval Pi before 0.79.0 loaded project-local configuration and resources from a repository's .pi directory without first asking the user to trust that repository. This included project-local extensions, which are executable TypeScript or JavaScript...
Pi Agent: Predictable temporary extension install paths allow local privilege escalation on shared Linux hosts
Predictable temporary extension install paths allow local privilege escalation on shared Linux hosts Pi versions with temporary npm or git extension package installs used predictable paths under the operating system temporary directory. On Linux-based multi-user systems, a local attacker who can...
Pi Agent: Race condition in Pi auth.json writes could expose stored credentials
Pi auth.json writes could briefly expose stored credentials to local users Pi stored API keys and OAuth credentials in auth.json. A race condition in the file write path could briefly create or rewrite this file with permissions derived from the process umask before tightening the file to...
Laravel Framework: Temporary Signed URL Path Confusion
A vulnerability in Laravel's local filesystem driver allows temporary signed URLs to be parsed ambiguously, potentially misrouting requests and bypassing expiration enforcement. Under certain conditions, a generated temporary signed URL can be interpreted differently by the server than intended a...
Laravel Framework: CRLF injection in default email rule
Summary A CRLF injection vulnerability in Laravel's email validation, in combination with how Symfony Mailer and Symfony Mime handle certain character sequences, may allow an unauthenticated attacker to interfere with outbound email processing in applications that send mail to user-supplied...
Pi Agent: Potential XSS in HTML session exports via Markdown URL sanitization bypass
Potential XSS in HTML session exports via Markdown URL handling Pi HTML exports render session Markdown into a static HTML file. Affected versions did not consistently reject unsafe Markdown link and image URL schemes. In versions with scheme filtering, C0 control characters in the URL scheme cou...
Gitea: Token scope bypass on web archive download endpoint
Summary PR 37698 added checkDownloadTokenScope to /raw/, /media/, and attachment download web endpoints. The /archive/ endpoint repo.Download in routers/web/repo/repo.go:372 was not included in the fix. This endpoint accepts OAuth2 tokens via webAuth.AllowOAuth2 registered at...
Gitea: Missing repository-unit authorization on issue-template API endpoints
Summary Three Gitea API endpoints — GET /repos/owner/repo/issuetemplates, GET /repos/owner/repo/issueconfig and GET /repos/owner/repo/issueconfig/validate — read files from the repository's Code default branch .gitea/ISSUETEMPLATE/ and issueconfig.yaml and return their contents, but are registere...
Gitea: Incomplete CVE-2025-68941 fix: /user/orgs missing checkTokenPublicOnly + switch-case logic flaw
Summary Two related issues in the token public-only scope enforcement introduced by PR 32204 CVE-2025-68941 fix. A public-only scoped API token can access private organization data. Issue 1: /user/orgs missing checkTokenPublicOnly routers/api/v1/api.go line 1599: go m.Get"/user/orgs", reqToken,...
Gitea: Authorization Bypass via "Allow edits from maintainers" allows unauthorized commits to any readable repo
Summary Any authenticated low-privilege user with read access to a repository can push arbitrary commits directly to that repository, bypassing all write-access checks. Vulnerability Gitea's "Allow edits from maintainers" PR option can be abused via reverse-fork PRs: 1. The web UI PR-create...
Gitea: OAuth2 access token scope enforcement bypass via HTTP Basic authentication
Summary Gitea fails to enforce OAuth2 access token scopes when the token is submitted via HTTP Basic authentication instead of a Bearer token. An OAuth2 application granted only read:user can use the same token as Authorization: Basic base64:x-oauth-basic and perform write actions, including...
Gogs: Overwriting critical files results in a denial of service
Vulnerability type: Path Traversal Impact: DoS Exploitation prerequisite: authorized user Description: As an authorized user, an intruder can dictate the value which is passed to the git diff command which, together with bypassing the filtering of the passed value, allows the user to bypass the...
Rclone: Unauthenticated command execution in `rclone rcd --rc-serve` via inline remote instantiation, bypassing CVE-2026-41179 fix
Summary rclone rcd --rc-serve accepts unauthenticated GET and HEAD requests to paths of the form: text /remote:path/object The remote value is parsed from the URL and passed to normal backend initialization. Inline remote configuration can set backend options that execute local commands during...
@nuxt/webpack-builder and @nuxt/rspack-builder dev server same-origin check bypassed when Sec-Fetch-Site, Origin, and Referer are all absent (incomplete fix for GHSA-6m52-m754-pw2g)
Summary This is an incomplete fix for GHSA-6m52-m754-pw2g. Source code may still be stolen during dev when using the webpack / rspack builder if the dev server is bound to a non-loopback address e.g. nuxt dev --host and the developer opens a malicious site on the same network. Details The fix for...
Cross-site scripting via <NoScript> slot content in Nuxt's head components
Impact Nuxt's globally registered component from @unhead/vue head components, re-exported by Nuxt wrote its default-slot content to the innerHTML of the head tag, bypassing the HTML escaping that interpolation normally applies in Vue templates. Applications that placed untrusted,...
LiteLLM: Authentication Bypass via Host Header Injection
Impact A Host-header parsing flaw in the LiteLLM proxy could, under specific conditions, allow unauthenticated access to protected management routes. The auth layer derived the effective route from request.url.path in litellm/proxy/auth/authutils.py::getrequestroute, which Starlette reconstructs...
Gitea: Git Smart HTTP Skips Repository Token Scopes for Bearer Tokens
Summary Gitea v1.26.1 enforces repository-scoped access-token permissions on repository operations. In the Git Smart HTTP path, however, this check runs only when the token is presented via HTTP Basic authentication — CheckRepoScopedToken returns early unless ctx.IsBasicAuth is true — so the same...
n8n: SecurityScorecard Node Leaks API Token to User-Controlled Host
Impact An authenticated user with permission to create or modify workflows and access to a SecurityScorecard credential with limited allowed domains could configure the SecurityScorecard node's report download operation to target an attacker-controlled URL. The node attached the SecurityScorecard...
n8n: MCP Browser HTTP Transport Exposes Unauthenticated Browser-Control Sessions
Impact When @n8n/mcp-browser is run in HTTP transport mode, the MCP endpoint accepts session initialization and tool invocation requests without any authentication. Any network-reachable client, or any website visited by the user, can establish an MCP session and invoke browser-control tools. Whe...
n8n: Cross-Tenant Credential Takeover via Dynamic Credentials EE Endpoints
Impact Three EE endpoints used by the Dynamic Credentials feature accepted any authenticated n8n session without performing per-resource ownership or scope checks on the target workflow or credential. An authenticated user with no project membership or credential sharing relationship could...
n8n: Credential Exfiltration via Permission Bypass
Impact A member-level user with editor access to a shared workflow could reference credentials they do not own via specific public API endpoints. Credential ownership checks were only enforced partially leading to cross-user credential access. This issue affects instances where workflow sharing i...
n8n: Denial of Service via ZIP decompression in webhook workflow
Impact The Compression node's Decompress operation expanded attacker-controlled archives into memory without enforcing limits on decompressed output size. An unauthenticated attacker could send a small compressed archive to a public webhook workflow using this node, causing the n8n process to...
n8n: Public API Execution Retry Authorization Bypass
Impact The Public API endpoint for retrying executions authorized access using workflow:read rather than workflow:execute. An authenticated user with read-only access to a shared workflow could use the Public API to retry executions of that workflow, bypassing the intended permission boundary...
n8n: Python Code Node AST Validator Bypass
Impact An authenticated user with permission to create or modify workflows containing a Python Code node could bypass the AST security validator and access the task executor module namespace. On self-hosted instances where N8NBLOCKRUNNERENVACCESS=false is set, this extended to disclosure of...
n8n: Stored XSS in Chat Trigger Node
Impact An authenticated user with workflow edit access could inject arbitrary JavaScript into the Chat Trigger's generated page by setting a malicious webhookId. When a logged-in user visited the chat URL, the injected code executed in the n8n origin with that user's session privileges. Patches T...
n8n: Reflected XSS via Facebook, WhatsApp, and Microsoft Teams Trigger Webhook Verification Endpoints
Impact An endpoint in the Meta and Microsoft Teams trigger nodes reflects a query parameter into the HTTP response without sanitization or Content-Security-Policy headers, enabling reflected XSS in the n8n origin when a logged-in user visits a crafted URL. Patches The issue has been fixed in n8n...
n8n: Microsoft SQL Node Prototype Pollution
Impact An authenticated user with permission to create or modify workflows could achieve global prototype pollution via the Microsoft SQL node by supplying a crafted value as the table parameter. This pollutes Object.prototype process-wide for the lifetime of the n8n server process, causing...
yt-dlp: Arbitrary command injection possible if --exec option used with yt-dlp
Summary yt-dlp's --exec option is vulnerable to arbitrary command injection when handling untrusted metadata if the argument uses standard string formatting e.g. %titles or other unsafe conversions. An attacker could achieve remote code execution on the user's machine via maliciously crafted...
OpenStack Nova: Nova scheduler hint injection bypasses Placement resource claims and scheduling constraints
Affects - Nova: =18.0.0 =32.0.0 =33.0.0 33.0.2 Description Erichen from the Institute of Computing Technology, Chinese Academy of Sciences reported that Nova's server create API does not strip internal scheduler hints. An authenticated user can bypass Placement resource claims and scheduling...
Duplicate Advisory: Shell inline-command parsing could miss an allowlist check
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-f397-5vjw-v2c2. This link is maintained to preserve external references. Original Description OpenClaw before 2026.5.12 contains an allowlist bypass vulnerability in shell inline-command parsing that allows...
Duplicate Advisory: Bootstrap token replay could widen pending pairing scopes
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-9v8j-9c9g-w66c. This link is maintained to preserve external references. Original Description OpenClaw before 2026.5.12 contains a bootstrap token replay vulnerability allowing callers with pending token access ...
Duplicate Advisory: BlueBubbles sender policy could match mutable conversation identifiers
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-8j37-5w68-wj2g. This link is maintained to preserve external references. Original Description OpenClaw before 2026.5.7 contains a sender policy bypass vulnerability in BlueBubbles that allows participants to mat...
Duplicate Advisory: Workspace-derived service PATH could influence trash command selection
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-rx78-29qr-5hq8. This link is maintained to preserve external references. Original Description OpenClaw before 2026.5.2 contains a path traversal vulnerability in maintenance task execution that allows...
Duplicate Advisory: Host environment sanitizer missed two Node.js control variables
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-ccwh-wwpp-6wg5. This link is maintained to preserve external references. Original Description OpenClaw before 2026.5.26 contains an insufficient sanitization vulnerability in the host environment sanitizer that...
Duplicate Advisory: Tool group policy callers could accept unvalidated group IDs
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-985f-72mj-8gf7. This link is maintained to preserve external references. Original Description OpenClaw before 2026.4.25 contains an input validation vulnerability in tool group policy callers that accept...
Duplicate Advisory: macOS Swift exec allowlist missed combined POSIX inline flags
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-c226-q6fx-6j6c. This link is maintained to preserve external references. Original Description OpenClaw before 2026.5.6 contains an allowlist bypass vulnerability in the macOS Swift exec feature that misses...
Duplicate Advisory: Workspace .env STATE_DIRECTORY could influence bundled runtime dependency roots
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-wc84-j36w-pw4x. This link is maintained to preserve external references. Original Description OpenClaw before 2026.5.2 contains an environment variable injection vulnerability where workspace .env STATEDIRECTORY...
Duplicate Advisory: Empty-scope device re-pairing could confuse caller scope containment
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-8mg9-j9cf-54cj. This link is maintained to preserve external references. Original Description OpenClaw before 2026.4.25 contains a scope containment bypass vulnerability in device re-pairing that allows...
Duplicate Advisory: Internal/webchat command auth could inherit ownerAllowFrom wildcard state
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-4hpg-mp64-x7xq. This link is maintained to preserve external references. Original Description OpenClaw before 2026.4.25 contains a privilege escalation vulnerability in internal and webchat command authenticatio...
Duplicate Advisory: Config recovery could restore openclaw.json with broad file permissions
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-rwp6-7w3q-75fq. This link is maintained to preserve external references. Original Description OpenClaw before 2026.4.24 contains an insecure file permissions vulnerability in config recovery that restores...
Duplicate Advisory: Zalo allowFrom could bind to mutable display names
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-8c59-hr4w-qg69. This link is maintained to preserve external references. Original Description OpenClaw before 2026.5.3 contains a policy enforcement vulnerability where Zalo contacts with mutable display metadat...