33225 matches found
n8n: Git Node Clone and Push Operations Bypass File Sandbox
Impact An authenticated user with permission to create or modify workflows could supply a local filesystem path as the source repository in the Git node's Clone operation, or as the target repository in the Push operation, bypassing the N8NRESTRICTFILEACCESSTO file sandbox. This allowed the...
n8n: Python sandbox escape
Impact An authenticated user with permission to create or modify workflows containing a Python Code Node could escape the sandbox and achieve arbitrary code execution on the task runner container. This issue only affects instances where the Python Task Runner is enabled. Patches The issue has bee...
vLLM: OpenAI auth bypass
Summary A vulnerability in ASGI web servers and starlette's trust on those web servers enables an authentication bypass of the OpenAI API AuthenticationMiddleware, which was discovered during @x41sec's source code audit. It allows to use the API without providing the configured VLLMAPIKEY or...
Langflow: Unauthenticated Shareable Playground arbitrary local or S3 file read
Summary The "Shareable Playground" or "Public Flows" in code contains a potential arbitrary file-read vulnerability, depending on the exact flow configuration used. By making a flow public, public execution of the flow is allowed. The execution request can contain a list of files that gets read b...
Langflow: Unauthenticated RCE in Shareable Playgrounds
Summary The "Shareable Playground" or "Public Flows" in code contains a critical RCE vulnerability. Simply sharing a flow exposes the deployment to RCE risk by authenticated users. Tested on commit 2d67402b1dbaefcbce85a244d4a6cd5e4bda1cfe Details Shareable Playground feature works by enabling the...
Langflow: Path Traversal in Knowledge Bases API via Creation Endpoint
Summary Langflow is vulnerable to Path Traversal in the Knowledge Bases API POST /api/v1/knowledgebases. This occurs because user-supplied knowledge base names are used directly to create file paths without proper sanitization or containment checks. An authenticated attacker can exploit this flaw...
vLLM: Security Check Bypass via assert Statement in Activation Function Loading Allows Arbitrary Code Execution
Summary An assert-based security check in vLLM's activation function loading allows any unauthenticated attacker to achieve arbitrary code execution on the server by publishing a malicious HuggingFace model, when vLLM runs in Python optimized mode python -O or PYTHONOPTIMIZE=1. Details vLLM uses ...
Langflow: IDOR/BOLA in Monitor API — Missing Ownership Enforcement on 7 Endpoints
Summary Langflow's /api/v1/monitor router exposes 7 endpoints that perform read, write, and delete operations on user-owned resources — messages, sessions, build artifacts, and LLM transaction logs — without verifying that the authenticated requester owns the targeted resource. Any authenticated...
Galaxy NG: command injection vulnerability
A command injection vulnerability was found in galaxyng. The dogitcheckout function in the legacy role import API v1 interpolates unsanitized git ref names branch/tag names into shell commands executed via subprocess.run with shell=True. An authenticated user who controls a git repository can...
phpseclib: X.509 certificate validation sends attacker-controlled outbound requests (server-side request forgery) via Authority Information Access
Summary When an application validates an untrusted X.509 certificate with phpseclib, X509::validateSignature reads a URL out of that certificate's Authority Information Access AIA extension and connects to it. Attacker who supplies certificate fully controls host, port, and path of that connectio...
LangChain: Path traversal and sandbox escape in LangChain file-search middleware and loaders
Summary Several LangChain components that resolve filesystem paths or expand search patterns do not consistently confine the resolved path to the intended root directory. Affected behaviors include: a file-search agent middleware that validates a starting directory but not the search pattern or t...
Astro: XSS via Unescaped Attribute Names in Spread Props
Summary The spreadAttributes function in Astro's server-side rendering pipeline iterates over object keys and passes them directly to addAttribute, which interpolates the key into the HTML output without escaping. When a developer uses the spread syntax ...props on an HTML element and the object...
Astro: Host header SSRF in prerendered error page fetch
Summary Astro SSR apps with prerendered error pages /404 or /500 using export const prerender = true fetch those pages over HTTP at runtime when an error occurs. The URL for this fetch is derived from request.url, which in turn gets its origin from the incoming Host header. When the Host header i...
@astrojs/netlify broadens Astro image.remotePatterns in Netlify Image CDN config
Summary @astrojs/netlify converts Astro image.remotePatterns into Netlify Image CDN images.remoteimages regular expressions with broader semantics than Astro's canonical matcher. A single wildcard hostname such as .example.com is converted to an optional subdomain regex, so the apex host matches....
Natural Language Toolkit (NLTK): URL-Encoded Path Traversal in nltk.data.load() Allows Arbitrary Local File Read
Summary nltk.data.load in NLTK is vulnerable to path traversal via URL-encoded path separators and traversal segments when using the nltk: URL scheme. The unsafe-path regex check is performed before url2pathname decodes the %xx sequences a classic decode-after-check / TOCTOU-style flaw, allowing ...
Microsoft Security Advisory CVE-2026-45491 – .NET Tampering Vulnerability
Executive Summary Microsoft is releasing this security advisory to provide information about a vulnerability in System.Formats.Tar. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. A tampering vulnerability exists in the...
hono: Body Limit Middleware can be bypassed on AWS Lambda by understating `Content-Length`
Summary The Body Limit Middleware trusts the request's Content-Length header to decide whether a body is within the limit. On AWS Lambda API Gateway v1/v2, ALB, VPC Lattice, and Lambda@Edge the body is delivered fully buffered and the adapter builds the request with the client-declared...
hono: Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest
Summary On AWS Lambda@Edge, CloudFront delivers a request header that appears more than once as several separate entries. The adapter writes each value with Headers.set instead of Headers.append, so every value overwrites the previous one and only the last reaches the application. Repeated reques...
hono: CORS Middleware reflects any Origin with credentials when `origin` defaults to the wildcard
Summary With credentials: true and no explicit origin the default wildcard, the CORS Middleware reflects the request's Origin and sends Access-Control-Allow-Credentials: true. Any site can then make credentialed cross-origin requests and read the responses, exposing cookie-authenticated endpoints...
hono: Path traversal in `serve-static` on Windows via encoded backslash (`%5C`)
Summary On Windows hosts, an encoded backslash %5C in the request path decodes to , which the Windows path resolver treats as a separator. serve-static then resolves a single URL segment such as admin\secret.txt into a nested file under the root and serves it, letting an attacker read static file...
hono: AWS Lambda adapter merges multiple `Set-Cookie` headers into one value, dropping cookies on ALB single-header and Lattice
Summary On AWS Lambda, the ALB single-header response and the VPC Lattice v2 response join multiple Set-Cookie headers into one comma-separated value. Because commas also appear inside cookie attributes for example Expires dates, clients cannot split the value back into individual cookies and...
Bleach clean() / Cleaner() fails to sanitize dangerous URI schemes in allowed formaction attributes
Summary Bleach clean / Cleaner fails to sanitize dangerous URI schemes in allowed formaction attributes. Bleach applies URI protocol sanitization only to attributes listed in attrvalisuri. While URI-bearing attributes such as action, href, src, and poster are included in that set, formaction is...
Bleach linkify(parse_email=True) CPU exhaustion via unbounded email regex scanning
Summary Bleach 6.3.0 exposes a documented email-linkification path through bleach.linkify..., parseemail=True. The implementation scans attacker-controlled text with EMAILRE.finditer over the full character token and has no length, timeout, or linear prefilter before applying the dot-atom email...
Bleach: URI sanitization allows disallowed URI schemes with Unicode > U+00A0 in output
Impact A possible XSS bypass affects users calling bleach.clean with all of: a in the allowed tags href in allowed attributes The bleach.clean sanitizer outputs URIs containing disallowed scheme patterns that it should be stripping. However, because the inserted Unicode characters make the scheme...
pypdf: Possible infinite loop when processing outlines/bookmarks in writer
Impact An attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires merging a file with outlines into a writer. Patches This has been fixed in pypdf==6.13.0. Workarounds If you cannot upgrade yet, consider applying the changes from PR 3830...
pypdf: Possible infinite loop when retrieving fonts for layout-mode text extraction
Impact An attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires extracting the text in layout mode. Patches This has been fixed in pypdf==6.13.0. Workarounds If you cannot upgrade yet, consider applying the changes from PR 3830...
Astro: Reflected XSS via unescaped slot name
Summary When a component uses a client: directive, Astro inserts named slot content into a data-astro-template attribute without HTML escaping the slot name allowing an attacker to break out of the attribute context and inject arbitrary HTML, resulting in reflected XSS during SSR. This is similar...
Nuxt: Reflected XSS in `<NuxtLink>` via unsanitised `javascript:` or `data:` URL
Summary did not validate the URL scheme of values bound to its to or href props before rendering them into the href attribute of the underlying element. When an application binds attacker-controlled input a query parameter, a CMS field, a user-supplied profile URL to or :href, the attacker can...
Nuxt dev server vite-node IPC socket is world-connectable on Linux
Impact When running nuxt dev on Linux Node.js 20+, outside Docker / StackBlitz, Nuxt's internal vite-node IPC server binds to a Linux abstract-namespace Unix socket \0nuxt-vite-node--.sock. Abstract sockets have no filesystem inode and therefore no permission bits: any local UID on the host that...
Nuxt: Route-rule middleware bypass via case-sensitivity mismatch between vue-router and the routeRules matcher
Impact Nuxt looks up routeRules for the current navigation by calling getRouteRules path: to.path from the page-router plugin and the no-pages router plugin. The compiled routeRules matcher built on rou3 performs case-sensitive matching, while vue-router is configured with its default sensitive:...
Nuxt: URL-handling weaknesses in `navigateTo` and `reloadNuxtApp`: SSR open redirect, client-side script execution via the `open` option, and protocol-relative bypass in `reloadNuxtApp`
Summary Three weaknesses in Nuxt's client-navigation URL handling, all reachable from documented public APIs navigateTo and reloadNuxtApp: 1. SSR open redirect in navigateTo via path-normalisation bypass. navigateTo decided whether a target was external by inspecting the raw input with...
pypdf: Possible large memory usage for form XObjects during text extraction
Impact An attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires extracting the text of a page which contains a form XObject with self-references. Patches This has been fixed in pypdf==6.12.2. Workarounds If you cannot upgrade yet, consider applying...
pypdf: Inefficient decoding of FlateDecode PNG predictor streams
Impact An attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires accessing a stream which uses the /FlateDecode filter with a PNG predictor. Patches This has been fixed in pypdf==6.12.2. Workarounds If you cannot upgrade yet, consider applying the changes...
pypdf: Manipulated XMP metadata streams can exhaust RAM
Impact An attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing large XMP metadata, possibly with lots of unnecessary elements. Patches This has been fixed in pypdf==6.12.1. Workarounds If you cannot upgrade yet, consider applying the change...
Remotion: arbitrary file write vulnerability
remotion-dev remotion v4.0.409 was discovered to contain an arbitrary file write vulnerability...
Remotion: remote code execution (RCE) vulnerability
remotion-dev remotion v4.0.409 was discovered to contain a remote code execution RCE vulnerability...
Nuxt: Dev server discloses project absolute path and persistent workspace UUID via `/.well-known/appspecific/com.chrome.devtools.json`
Summary When running nuxt dev, Nuxt registers an unauthenticated route at /.well-known/appspecific/com.chrome.devtools.json that returns the absolute filesystem path of the project root and a per-project UUID persisted to nodemodules/.cache/nuxt/chrome-workspace.json. The route is enabled by...
aws-cdk-lib: OS Command Injection in NodejsFunction Bundling
Summary AWS CDK aws-cdk-lib is an open-source framework for defining cloud infrastructure in code and provisioning it through AWS CloudFormation. OS command injection in the NodejsFunction local bundling pipeline in aws-cdk-lib before 2.245.0 2.246.0 on Windows might allow a threat actor who...
Netty susceptible to HTTP/2 Reset Attack with different on-the-wire signature
Summary Netty HTTP/2 max header size handling produces attack similar to HTTP/2 Rapid Reset. Details There is a setting in the http2 specification called SETTINGSMAXHEADERLISTSIZE. According to the RFC: “This advisory setting informs a peer of the maximum field section size that the sender is...
Netty: HttpObjectDecoder skips arbitrary initial control characters when only initial CRLF characters are permitted
Summary Before reading the first request-line, HttpObjectDecoder skips every byte for which Character.isISOControlb is true 0x00–0x1F and 0x7F as well as all whitespace. RFC 9112 §2.2 only asks servers to ignore empty CRLF lines preceding the request-line — a carefully scoped robustness allowance...
Netty: Unbounded pre-allocation in RedisArrayAggregator from RESP array length
Summary RedisArrayAggregator pre-allocates ArrayList with initial capacity equal to the RESP array element count declared in an array header. That count is taken from the wire before the corresponding child messages exist. A small malicious header can claim a huge initial capacity. Details The...
Netty: Wrapping plain trust manager silently disables hostname verification
SimpleTrustManagerFactory.engineGetTrustManagers and related paths wrap any user-supplied plain X509TrustManager in X509TrustManagerWrapper, which extends X509ExtendedTrustManager but implements the 3-arg checkServerTrustedchain, authType, SSLEngine by discarding the SSLEngine and calling the 2-a...
Netty: QUIC stateless reset token material exposed through header-visible connection IDs
Summary Netty QUIC exposes the stateless reset token on the network path when using the default HMAC-based connection-ID and stateless-reset-token generators. The reset token for the server's current source connection ID can be derived from bytes that appear as the connection ID in QUIC headers...
Netty HTTP/3 QPACK Blocked Streams Memory Exhaustion
Summary A memory exhaustion vulnerability in the Netty HTTP/3 codec allows the creation of an infinite number of blocked streams, which can cause OOM error. Details The vulnerability exists in io.netty.handler.codec.http3.QpackDecodershouldWaitForDynamicTableUpdates: If a client sends a header...
markdown-it: Quadratic complexity DoS in smartquotes rule via replaceAt string operations
Summary A quadratic time complexity vulnerability exists in markdown-it's smartquotes rule enabled via the typographer: true option. An attacker can craft a markdown input consisting of consecutive quotation marks that causes the parser to consume excessive CPU time, leading to denial of service...
Starlette: request.form() limits silently ignored for application/x-www-form-urlencoded enable DoS
Summary request.form accepts maxfields and maxpartsize to bound resource consumption while parsing form data. These limits are enforced for multipart/form-data, but silently ignored for application/x-www-form-urlencoded. An unauthenticated attacker can therefore send a urlencoded body with an...
OpenTelemetry Core: Unbounded memory allocation in W3C Baggage propagation
Overview W3CBaggagePropagator.extract in @opentelemetry/core does not enforce size limits when parsing inbound baggage HTTP headers. The W3C Baggage specification recommends a maximum of 8,192 bytes and 180 entries; these limits were only enforced on the outbound inject path, not on the inbound...
Starlette: Unvalidated request path concatenated into authority poisons request.url.hostname
Summary In affected versions, the HTTP request path is not validated before being used to reconstruct request.url. Because request.url is rebuilt by concatenating scheme://hostpath and re-parsing the result, a path that does not begin with / for example @google.com moves the authority boundary...
Tornado: CurlAsyncHTTPClient leaks per-request credentials on handle reuse
CurlAsyncHTTPClient leaks per-request credentials on handle reuse Summary CurlAsyncHTTPClient pools and reuses pycurl handles across requests but does not reset them between requests, and several per-request options are applied with no clearing branch. As a result, sensitive state set by one...
Nest: Middleware Bypass on Fastify via Trailing Slash
Impact An authentication bypass vulnerability exists in @nestjs/platform-fastify confirmed on version 11.1.24, the latest available release at time of report. When middleware is registered through NestJS's MiddlewareConsumer.forRoutes API on the Fastify adapter, an unauthenticated client can bypa...