Lucene search
K
GithubRecent

33225 matches found

Github Security Blog
Github Security Blog
added 2026/06/15 5:24 p.m.133 views

@angular/common: Weak 32-Bit Cache Key Hashing in `HttpTransferCache` Leading to Cross-Request Data Leakage and State Poisoning

Angular's HttpTransferCache caches HTTP requests made during Server-Side Rendering SSR so that they can be reused during client-side hydration. This avoids repeating the same HTTP requests on the client. The cached responses are stored in TransferState using a cache key generated by hashing reque...

8.8CVSS5.3AI score0.0009EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/15 5:22 p.m.73 views

@angular/compiler: Two-Way Property Binding Sanitization Bypass (XSS)

An issue in the @angular/compiler package allows bypassing DOM property sanitization through the use of two-way property bindings. Specifically, when a native DOM property that requires sanitization such as innerHTML, srcdoc, src, href, data, or sandbox is bound using the two-way binding syntax...

6.1CVSS5.7AI score0.00195EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/15 5:21 p.m.26 views

Angular: Template and Attribute Namespace Sanitization Bypass (XSS)

An issue in the @angular/compiler and @angular/core packages allows bypassing element and attribute sanitization/validation through specific namespace workarounds. Specifically, namespaced script elements e.g., or were not properly identified as script elements by the Angular template preparser,...

6.1CVSS5.9AI score0.00206EPSS
Exploits0References4Affected Software2
Github Security Blog
Github Security Blog
added 2026/06/15 5:21 p.m.11 views

@angular/platform-server: Missing `<noscript>` Raw-Text Serialization Escaping leads to Cross-Site Scripting (XSS) in Angular SSR

A Cross-Site Scripting XSS vulnerability exists in @angular/platform-server's DOM emulation dependency domino when serializing the content of elements. When rendering dynamic text content inside a element via template bindings such as value or textContent, the template engine expects the browser ...

8.6CVSS5.4AI score0.00239EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/15 5:20 p.m.10 views

@angular/platform-server: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A Cross-Site Scripting XSS vulnerability exists in @angular/platform-server's DOM emulation dependency domino when serializing the content of raw-text elements such as , , and . domino supports escaping raw-text elements during serialization to prevent closing-tag breakout. However, a Unicode ind...

8.6CVSS5.4AI score0.00167EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/15 5:19 p.m.44 views

node-tar applies PAX size override to intermediary GNU long-name/long-link headers, causing tar parser interpretation differential (file smuggling)

Summary tar node-tar applies a PAX extended header's size= record and other PAX overrides to the next header entry of any type, including intermediary metadata headers such as a GNU long-name L or long-link K entry. Per POSIX pax, a PAX extended header x describes the next file entry, not the...

6.9CVSS5.4AI score0.00107EPSS
Exploits1References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/15 5:18 p.m.50 views

launch-editor: NTLMv2 hash disclosure via UNC path handling on Windows

Summary The launch-editor NPM package accesses arbitrary paths including Windows UNC paths. When a UNC path is opened, Windows automatically attempts NTLM authentication to the remote host, causing the user’s NTLMv2 password hash to be leaked to an attacker-controlled SMB server. This can result ...

5.5CVSS5.8AI score0.00322EPSS
Exploits0References2Affected Software3
Github Security Blog
Github Security Blog
added 2026/06/15 5:17 p.m.257 views

vite: `server.fs.deny` bypass on Windows alternate paths

Summary The contents of files that are specified by server.fs.deny can be returned to the browser on Windows. Impact Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network using --host or server.host config option - the sensitive file...

8.2CVSS5.4AI score0.00393EPSS
Exploits2References2Affected Software2
Github Security Blog
Github Security Blog
added 2026/06/15 5:15 p.m.70 views

JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases

Summary A crafted YAML document can trigger algorithmic CPU exhaustion in js-yaml merge-key processing by repeating the same alias many times in a merge sequence. This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event loop for seconds with a relative...

5.3CVSS5.5AI score0.00259EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/15 5:14 p.m.106 views

@babel/core: Arbitrary File Read via sourceMappingURL Comment

Impact Using @babel/core to compile maliciously crafted code can allow ab attacker to read any source map from the system that is running Babel, if these conditions are all true: - the attacker controls the input source code - the attacker can read the output source code - the attacker knows the...

3.6CVSS5.3AI score0.00116EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/15 5:13 p.m.34 views

@angular/service-worker: Request Credential & Cache Policy Stripping

An issue in the @angular/service-worker package compromises the integrity of request-policy enforcement during request reconstruction. When the Angular Service Worker intercepts network requests for matched assets, it reconstructs a new Request object using an internal helper function. During thi...

6.1CVSS5.5AI score0.0015EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/15 4:52 p.m.37 views

@angular/common: Denial of Service (DoS) via OOM in Number Formatting (digitsInfo)

A Denial of Service DoS vulnerability exists in the @angular/common package of Angular. The formatNumber function, which is also utilized by DecimalPipe, PercentPipe, and CurrencyPipe, does not properly validate the upper bounds of the digitsInfo parameter. Specifically, the minimum and maximum...

8.2CVSS5.5AI score0.00161EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/15 4:51 p.m.14 views

@angular/common: Information Leak via Default Caching of Credentialed Requests in HttpTransferCache

A vulnerability was discovered in @angular/common when Server-Side Rendering SSR and hydration are enabled. The HttpTransferCache utility optimizes hydration by caching outgoing HTTP requests performed during SSR and transferring the cached state to the client-side application via TransferState...

8.2CVSS5.4AI score0.00267EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/15 4:51 p.m.39 views

@angular/core: Angular Template and Dynamic Component Namespace Bypass leading to Cross-Site Scripting (XSS)

An issue in the @angular/core package allows bypassing script-execution restrictions during dynamic component creation. Specifically, the dynamic component instantiation mechanism createComponent failed to reject mounting components directly onto a or namespaced script element such as . This...

6.1CVSS6.1AI score0.00238EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/15 4:46 p.m.13 views

Symfony: HtmlSanitizer UrlAttributeSanitizer Misses URL Attributes

Description Symfony\Component\HtmlSanitizer\Visitor\AttributeSanitizer\UrlAttributeSanitizer::getSupportedAttributes enumerates the attribute names whose values are scrubbed through UrlSanitizer::sanitize scheme and host allow-lists, javascript: rejection, BiDi check, etc.. The list is 'src',...

5.3AI score0.00051EPSS
Exploits0References6Affected Software2
Github Security Blog
Github Security Blog
added 2026/06/15 4:44 p.m.26 views

Angular Service Worker Policy-Bypass & Credential-Stripping Vulnerabilities

An issue in the @angular/service-worker package compromises the integrity of request-policy enforcement during request reconstruction. When the Angular Service Worker intercepts network requests for matched assets, it reconstructs a new Request object using an internal helper function. During thi...

6.1CVSS5.5AI score0.00165EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/15 4:39 p.m.31 views

@angular/platform-server: URL Parser Differential leading to SSRF Allowlist Bypass

An issue in the @angular/platform-server package allows remote attackers to bypass host allowlist constraints and direct server-side outgoing requests to arbitrary external endpoints. This occurs due to a parser differential between the strict WHATWG URL parser used for allowlist validation and t...

8.8CVSS5.7AI score0.00193EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/15 4:36 p.m.16 views

tmp: Type-confusion bypass of _assertPath allows path traversal via non-string prefix/postfix/template

Summary The assertPath guard added to [email protected] rejects only string values that contain the substring ... It is bypassed when prefix, postfix, or template is supplied as a non-string value Array, Buffer, or any object whose includes'..' returns falsy but whose stringification still contains ../...

8.2CVSS5.6AI score0.00496EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/15 4:34 p.m.71 views

ws: Memory exhaustion DoS from tiny fragments and data chunks

Impact A high volume of exceptionally small fragments and data chunks can be sent by a peer, with modest network traffic, to force the remote peer into allocating and holding structural wrappers that consume far more memory than the default documented message-size limit, leading to process...

7.5CVSS5.3AI score0.00782EPSS
Exploits1References21Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/15 3:16 p.m.13 views

Angular Client Hydration DOM Clobbering & Response-Cache Poisoning

To optimize client-side bootstrap in Server-Side Rendered SSR environments, Angular supports Hydration via provideClientHydration. During SSR, Angular serializes the application's runtime state such as cached HttpClient responses and outputs it into the HTML stream as a tag with a predictable...

8.6CVSS5.4AI score0.00179EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/13 6:30 a.m.6 views

Duplicate Advisory: Privilege escalation from namespace admin to cluster admin via GrafanaDashboard jsonnetLib fileName

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-fcw4-wwqm-m8cf. This link is maintained to preserve external references. Original Description We have released version 5.24.0 of the Grafana Operator. This patch includes a CRITICAL severity security fix for a...

8.8CVSS5.8AI score0.00361EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/12 10:52 p.m.23 views

File Browser has a Command Execution Allowlist Bypass via Shell Metacharacter Injection

!NOTE This feature has been disabled by default for all installations from v2.33.8 onwards, including for existent installations. To exploit this vulnerability, the instance administrator must turn on a feature and ignore all the warnings about known vulnerabilities. We're publishing this new...

8.7CVSS6AI score0.00323EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/12 9:53 p.m.16 views

File Browser has incorrect access control for public directory shares via rule path rebasing

Summary File Browser's public share handlers rebase the share owner's filesystem root to the shared directory and then evaluate descendant paths against the owner's global and per-user rules using the rebased relative path instead of the original path relative to the owner's scope. As a result, a...

7.5CVSS5.5AI score0.00471EPSS
Exploits0References4Affected Software2
Github Security Blog
Github Security Blog
added 2026/06/12 9:53 p.m.50 views

File Browser: FilePath traversal in download-as-zip/tar via Windows-style backslash separators in stored filenames

Summary filebrowser builds the download-as-zip / download-as-tar archive entry names with filepath.ToSlash, which on a Linux host is a no-op for backslashes \ is only a path separator on Windows. A file whose name contains Windows-style traversal ......\evil.txt is accepted by the resource...

6.8CVSS5.7AI score0.00189EPSS
Exploits0References4Affected Software2
Github Security Blog
Github Security Blog
added 2026/06/12 9:53 p.m.15 views

File Browser: Symlink following lets scoped users read, overwrite, and share files outside their filebrowser scope

Summary File Browser enforces per-user scope with afero.NewBasePathFsafero.NewOsFs, scope, set up in users/users.go. This blocks lexical ../ traversal, but it does not stop the HTTP file handlers from following symbolic links before they open, serve, write, share, or list a file. As a result, a...

7.5CVSS5.1AI score0.0046EPSS
Exploits0References4Affected Software2
Github Security Blog
Github Security Blog
added 2026/06/12 9:51 p.m.15 views

File Browser has a DoS Vulnerability via Public Login API

Summary Unchecked passwords maximums allow for an arbitrarily large password to be passed into the login API. This spikes CPU and memory, and after testing, crashes, heavily lags any container created, and has even made my docker daemon start to send errors with status code 500 even after the...

6.5CVSS5.3AI score0.00484EPSS
Exploits0References4Affected Software2
Github Security Blog
Github Security Blog
added 2026/06/12 9:7 p.m.18 views

File Browser: Improper Access Control Occurs via Pre-Created Public Share for a Non-existent Path

Summary This is similar vulnrability of CVE-2026-0035, which was fixed in Android MediaProvider with high severity. In the original Java issue, MediaStore.createWriteRequest accepted attacker-controlled URIs and created a future grant even when the referenced media item did not exist yet. The...

8.4CVSS5.5AI score0.00175EPSS
Exploits0References4Affected Software2
Github Security Blog
Github Security Blog
added 2026/06/12 9:2 p.m.17 views

ConnectBot SSH Client Library: Excessive allocation and integer overflow in DER private-key parsing

Summary The DER parser used for application-supplied private keys did not safely validate encoded length values before converting them to Int values or allocating arrays. A malformed private-key file could encode a length that overflowed or wrapped around, or request an allocation much larger tha...

5.4AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/12 9:2 p.m.18 views

ConnectBot SSH Client Library: Unbounded SSH field lengths can cause excessive memory allocation

Summary The SSH protocol parser trusted attacker-controlled length and count fields without first checking that the declared values fit within the containing packet. When a client connects to a malicious or compromised SSH server, the server can send a small, malformed packet containing an inner...

5.5AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/12 9:0 p.m.15 views

File Browser: Cross-user unauthorized share-link deletion via unbounded prefix match in DeleteWithPathPrefix

Summary A low-privileged authenticated user of filebrowser with create + delete permissions in their own isolated scope can silently destroy share-link records belonging to any other user — including the administrator — by performing a legitimate DELETE on a file in their own directory whose...

7.2CVSS5.5AI score0.00411EPSS
Exploits0References4Affected Software2
Github Security Blog
Github Security Blog
added 2026/06/12 9:0 p.m.16 views

Fleet: Observer-level enrollment secret extraction via ORDER BY oracle on Apple MDM commands endpoint

Summary A vulnerability in Fleet's Apple MDM commands listing endpoint allowed authenticated users with the lowest-privilege Observer role to extract sensitive values from joined database tables — including host enrollment secrets and Apple Push Notification Service APNS tokens — through a...

5.5AI score0.00019EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/12 9:0 p.m.15 views

Fleet has observer-level enrollment secret extraction via ORDER BY oracle on labels host-listing endpoint

Summary A vulnerability in Fleet's labels host-listing endpoint allowed authenticated users with the lowest-privilege Observer role to extract host enrollment secrets nodekey, orbitnodekey through a cursor-based binary search oracle. The endpoint accepted a user-supplied orderkey parameter that w...

5.4AI score0.00032EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/12 9:0 p.m.17 views

Fabric.js improper escaping in fabric.Gradient colorStops leads to XSS in SVG serialization

Summary A potential Cross-Site Scripting XSS vulnerability exists in Fabric.js due to improper escaping of user-controlled input during SVG serialization via the toSVG method. Specifically, the color field within the colorStops array of a fabric.Gradient object is not properly escaped when...

6.1CVSS5.8AI score0.00194EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/12 8:9 p.m.28 views

PyO3 has a missing `Sync` bound on `PyCFunction::new_closure` closures

PyCFunction::newclosure and the temporary newclosurebound complement in the 0.21–0.22 series required the supplied closure to be Send + 'static but not Sync. The resulting PyCFunction is a Python callable that can be invoked from any Python thread, which means the closure may be called concurrent...

5.6AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/12 8:8 p.m.218 views

Withdrawn Advisory: esbuild: Missing binary integrity verification in Deno module enables remote code execution via NPM_CONFIG_REGISTRY

Withdrawn Advisory This advisory has been withdrawn because the affected package was incorrectly identified and the actual affected package is not in a supported ecosystem. This link is maintained to preserve external references. Original Description Summary The esbuild Deno module lib/deno/mod.t...

6.1AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/12 8:8 p.m.219 views

esbuild allows arbitrary file read when running the development server on Windows

Summary The development server contains a path traversal vulnerability on Windows when serving files from servedir. Due to the use of path.Clean which only normalizes forward-slash / separators instead of a Windows-aware path normalization function, it is possible to craft requests using...

5.6AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/12 8:8 p.m.16 views

Radius Controller May Delete a Container Resource via an Injected Deployment Annotation (Multi-Tenant Installs)

Radius Controller May Delete a Container Resource via an Injected Deployment Annotation Multi-Tenant Installs Summary A configuration-validation issue in the Radius Kubernetes controller can cause it to issue a DELETE for the container resource referenced by a tampered radapp.io/status annotation...

5.7AI score0.00051EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/12 8:8 p.m.17 views

TYPO3 CMS has Broken Access Control in its Form Framework

Problem Backend users with access to the Form Framework were able to use files not ending in .form.yaml as form definitions, which were processed without denying the incorrect file extension. Maliciously crafted form definition files can be used to execute arbitrary SQL statements, allowing...

7.6CVSS6.1AI score0.00238EPSS
Exploits0References7Affected Software2
Github Security Blog
Github Security Blog
added 2026/06/12 8:8 p.m.13 views

TYPO3 CMS has Broken Access Control in the Recycler Module

Problem Backend users with access to the Recycler module were able to restore soft-deleted records on pages or for tables they were not authorized to modify. Solution Update to TYPO3 versions 10.4.57 ELTS, 11.5.51 ELTS, 12.4.46 ELTS, 13.4.31 LTS, 14.3.3 LTS that fix the problem described. Credits...

5.3CVSS5.2AI score0.00238EPSS
Exploits0References7Affected Software2
Github Security Blog
Github Security Blog
added 2026/06/12 8:7 p.m.13 views

TYPO3 CMS has an Open Redirect Vulnerability via Core Utilities

Problem Applications that use GeneralUtility::sanitizeLocalUrl to allow only local URLs are vulnerable to open redirect attacks if the URL is used after it has passed the aforementioned sanitization checks. This enables attackers to redirect users to external content and carry out phishing attack...

5.3CVSS5.2AI score0.00294EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/12 8:7 p.m.14 views

TYPO3 CMS: Destructive Actions on File Mount Folders

Problem Non-privileged backend users with file mount access were able to perform write operations move, delete, rename on folders representing the root of an active file mount due to missing authorization restrictions. Solution Update to TYPO3 versions 10.4.57 ELTS, 11.5.51 ELTS, 12.4.46 ELTS,...

7.2CVSS5.2AI score0.00238EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/12 8:7 p.m.15 views

TYPO3 HTML Sanitizer allows Cross-site Scripting

Namespace attributes are not encoded correctly during HTML serialization. This allows bypassing the cross-site scripting prevention mechanism of typo3/html-sanitizer before version 2.3.2. Credits to Doyensec in collaboration with Claude and Anthropic Research for reporting this vulnerability...

5.1CVSS4.9AI score0.00366EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/12 7:32 p.m.20 views

PyO3 has an Out-of-bounds Read in `nth` / `nth_back` for `PyList` and `PyTuple` iterators

PyO3 0.24.0 added optimized implementations of Iterator::nth and DoubleEndedIterator::nthback for the BoundListIterator and BoundTupleIterator types. These implementations computed the target index using unchecked usize addition index + n before bounds-checking against the sequence length, then...

5.6AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/12 7:32 p.m.17 views

TYPO3 CMS has Privilege Escalation & SQL Injection in its Form Framework

Problem Backend users with write access to the formdefinition database table were able to directly create, update, or delete form definition records via DataHandler, bypassing the Form Framework's persistence validation and permission checks. This allowed injecting arbitrary form configurations,...

8.7CVSS5.8AI score0.00244EPSS
Exploits0References7Affected Software2
Github Security Blog
Github Security Blog
added 2026/06/12 7:32 p.m.13 views

TYPO3 CMS has Broken Access Control in its DataHandler

Problem Backend users were able to move records to a different page without having edit permissions on the source page. Solution Update to TYPO3 versions 13.4.31 LTS, 14.3.3 LTS that fix the problem described. Credits TYPO3 CMS thanks Hyunseo Shin for reporting this issue, and TYPO3 security team...

5.3CVSS5.2AI score0.00238EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/12 7:32 p.m.20 views

TYPO3 CMS has Broken Access Control in its Form Framework

Problem Backend users with file write permissions were able to upload form definition files with mixed-case extensions e.g., .FORM.YAML to bypass the Form Framework's upload restriction. Maliciously crafted form definition files can be used to execute arbitrary SQL statements, allowing attackers ...

7.6CVSS6AI score0.00253EPSS
Exploits0References7Affected Software2
Github Security Blog
Github Security Blog
added 2026/06/12 7:9 p.m.15 views

TYPO3 CMS has Broken Access Control in its Media Module

Problem Backend users with file download permissions were able to download files from the fallback storage of the file abstraction layer FAL via the Media Module. Since the fallback storage resolves paths relative to the server's document root, this could expose sensitive files such as log files...

7.1CVSS5.2AI score0.00313EPSS
Exploits0References7Affected Software2
Github Security Blog
Github Security Blog
added 2026/06/12 7:9 p.m.13 views

TYPO3 CMS has Insecure Deserialization via Core API

Problem TYPO3's cache frontend VariableFrontend and persistent key-value store Registry deserialized PHP payloads without integrity validation or class restrictions. An attacker with write access to the underlying storage backend cache store or sysregistry database table could inject a crafted...

6.3CVSS5.9AI score0.00215EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/12 7:9 p.m.16 views

TYPO3 CMS has Broken Access Control in its File Abstraction Layer

Problem The path allowance check in GeneralUtility::isAllowedAbsPath performed a plain string prefix comparison without requiring a directory separator boundary, causing a path like /var/www/html-other/secret.yaml to be incorrectly accepted as valid when the project root was /var/www/html...

2.1CVSS5.2AI score0.00356EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/12 7:8 p.m.12 views

TYPO3 CMS has Broken Access Control in Backend API

Problem Authenticated backend users were able to retrieve file metadata via several Backend API routes without proper permission checks, allowing access to files outside their permitted file mounts or storages. Solution Update to TYPO3 versions 10.4.57 ELTS, 11.5.51 ELTS, 12.4.46 ELTS, 13.4.31 LT...

5.3CVSS5.2AI score0.00238EPSS
Exploits0References7Affected Software2
Total number of security vulnerabilities33225