Lucene search
K
GithubRecent

33100 matches found

Github Security Blog
Github Security Blog
added 3 days ago8 views

Linuxfabrik Monitoring Plugins allow insecure creation of SQLite databases

Summary The SQLite databases are created at predictable static paths in /tmp. Any user can therefore create a symlink at these paths in /tmp pointing to arbitrary files. The monitoring scripts then follows these symlinks and then creates their database at the symlink target. This becomes really...

6.2AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 3 days ago7 views

Craft CMS: Authenticated "assets/preview-thumb" discloses signed fallback transform preview link to CP users without asset-view permission

Summary A user with Control Panel access but without permission to view a target private asset can call assets/preview-thumb and receive preview HTML that contains a signed fallback transform link for that private asset. Details Root-cause analysis: 1. The endpoint accepts an attacker-controlled...

6AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 3 days ago10 views

Decompress: Archive extraction can create files and links outside of the target directory

Impact When extracting an archive to a directory, a crafted archive can read or write files outside that directory. The flaw is in the code that writes the parsed entries, so it affects every format decompress handles: tar, tar.gz, tar.bz2, and zip by default, plus any others added through the...

9.8CVSS6AI score0.02147EPSS
Exploits1References5Affected Software2
Github Security Blog
Github Security Blog
added 3 days ago8 views

printenv: environment variables with invalid UTF-8 are silently skipped (evades inspection)

The printenv utility in uutils coreutils fails to display environment variables containing invalid UTF-8 byte sequences. While POSIX permits arbitrary bytes in environment strings, the uutils implementation silently skips these entries rather than printing the raw bytes. This vulnerability allows...

4.4CVSS6AI score0.0017EPSS
Exploits1References7Affected Software1
Github Security Blog
Github Security Blog
added 3 days ago9 views

uucore: safe_traversal TOCTOU protection only enabled on Linux

The safetraversal module in uutils coreutils, which provides protection against Time-of-Check to Time-of-Use TOCTOU symlink races using file-descriptor-relative syscalls, is incorrectly limited to Linux targets. On other Unix-like systems such as macOS and FreeBSD, the utility fails to utilize...

3.6CVSS6AI score0.0018EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 3 days ago8 views

mv: symlinks expanded during cross-device move (resource exhaustion / data duplication)

When moving directories across filesystems, uutils mv dereferences symlinks inside the tree, copying their targets as real files/dirs instead of preserving the symlinks. GNU preserves symlinks by default. E.g. a etclink - /etc inside the source becomes a full copy of /etc at the destination...

6.6CVSS5.9AI score0.00161EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 3 days ago8 views

cp: -R reads device nodes as streams, destroying device semantics

The cp utility in uutils coreutils, when performing recursive copies -R, incorrectly treats character and block device nodes as stream sources rather than preserving them. Because the implementation reads bytes into regular files at the destination instead of using mknod, device semantics are...

5.5CVSS6AI score0.00177EPSS
Exploits1References7Affected Software1
Github Security Blog
Github Security Blog
added 3 days ago9 views

rm: 'rm -rf ./' (and ./// variants) silently deletes current directory contents, bypassing dot protection

rm -rf . is correctly refused, but cleantrailingslashes normalizes ./// to ./ while pathiscurrentorparentdirectory only matches ./.. and /.//.., not ./ or ../. So rm -rf ./ recursively deletes the directory's contents and then prints a misleading cannot remove './': Invalid input. Impact: all...

5.6CVSS5.9AI score0.00166EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 3 days ago8 views

comm: FIFO/pipe inputs are drained before comparison (data loss / hang)

The comm utility in uutils coreutils incorrectly consumes data from non-regular file inputs before performing comparison operations. The arefilesidentical function opens and reads from both input paths to compare content without first verifying if the paths refer to regular files. If an input pat...

4.4CVSS5.9AI score0.00135EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 3 days ago7 views

id: groups= computed from real GID instead of effective GID

The id utility in uutils coreutils miscalculates the groups= section of its output. The implementation uses a user's real GID instead of their effective GID to compute the group list, leading to potentially divergent output compared to GNU coreutils. Because many scripts and automated processes...

4.4CVSS6AI score0.00108EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 3 days ago4 views

mkdir: -m exposes directory with umask perms before chmod (race window)

The mkdir utility in uutils coreutils incorrectly applies permissions when using the -m flag by creating a directory with umask-derived permissions typically 0755 before subsequently changing them to the requested mode via a separate chmod system call. In multi-user environments, this introduces ...

3.3CVSS6AI score0.00102EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 3 days ago6 views

rm: --preserve-root bypassed via a symlink to / (string check instead of dev/inode)

The --preserve-root check uses a path-string test path.hasroot && path.parent.isnone rather than comparing device/inode. A symlink to / e.g. /tmp/rootlink - / has a parent component, so it passes the check. GNU caches /'s dev/inode at startup and compares every traversed directory against it...

7.7CVSS6AI score0.00184EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 3 days ago5 views

id: pretty-print uses effective GID instead of effective UID for name lookup

The id utility in uutils coreutils exhibits incorrect behavior in its "pretty print" output when the real UID and effective UID differ. The implementation incorrectly uses the effective GID instead of the effective UID when performing a name lookup for the effective user. This results in misleadi...

3.3CVSS6AI score0.00123EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 3 days ago6 views

kill: 'kill -1' parsed as PID -1, sending SIGTERM to all processes (system crash / DoS)

kill -1 is incorrectly parsed as a positional pid = -1; combined with the default SIGTERM this calls kill-1, SIGTERM, signaling nearly every process the caller can see. GNU kill recognizes -1/-9 as signals and reports "not enough arguments". $ kill -1 uutils: kill-1, SIGTERM - mass termination /...

5.5CVSS6AI score0.00128EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 3 days ago5 views

install -D: symlink race in directory creation allows arbitrary file overwrite

The -D path runs fs::createdirall on a pathname then later opens the destination via path-based File::create/fs::copy, neither anchored to a directory fd. Between the two, an attacker can replace a path component with a symlink, redirecting the write. Impact: an attacker with concurrent write...

6.3CVSS6.1AI score0.00108EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 3 days ago5 views

cut: -s (only-delimited) ignored when delimiter is a newline

The cut utility in uutils coreutils incorrectly handles the -s only-delimited option when a newline character is specified as the delimiter. The implementation fails to verify the onlydelimited flag in the cutfieldsnewlinechardelim function, causing the utility to print non-delimited lines that...

3.3CVSS6AI score0.00135EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 3 days ago5 views

install: TOCTOU symlink race (unlink-then-create without O_EXCL) allows arbitrary file overwrite

copyfile in install/src/install.rs removes the destination then recreates it by pathname via File::create / fs::copy without OEXCL/createnew. Between the unlink and the recreate, a local attacker with write access to the destination directory can drop in a symlink and redirect the write. Impact:...

6.3CVSS6AI score0.00118EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 3 days ago5 views

ln: rejects non-UTF-8 source filenames in target-directory mode

In target-directory forms ln SOURCE... DIRECTORY, ln rejects source paths with non-UTF-8 filename bytes, while GNU accepts them. Breaks GNU compatibility for byte-oriented filenames on Unix filesystems. PoC: name=$printf 'bad\377'; mkdir dst; : "$name"; ln "$name" dst GNU: exit 0, creates...

5.5CVSS5.9AI score0.00121EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 3 days ago7 views

comm: lossy UTF-8 conversion silently corrupts non-UTF-8 output

The comm utility in uutils coreutils silently corrupts data by performing lossy UTF-8 conversion on all output lines. The implementation uses String::fromutf8lossy, which replaces invalid UTF-8 byte sequences with the Unicode replacement character U+FFFD. This behavior differs from GNU comm, whic...

3.3CVSS6AI score0.00176EPSS
Exploits1References7Affected Software1
Github Security Blog
Github Security Blog
added 3 days ago6 views

mktemp: empty TMPDIR creates temp files in CWD instead of /tmp

The mktemp utility in uutils coreutils fails to properly handle an empty TMPDIR environment variable. Unlike GNU mktemp, which falls back to /tmp when TMPDIR is an empty string, the uutils implementation treats the empty string as a valid path. This causes temporary files to be created in the...

3.3CVSS5.9AI score0.00133EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 3 days ago7 views

chmod: recursive mode returns exit code 0 even when some files fail (last-file-wins)

In Chmoder::chmod the recursive branch overwrites the running result instead of accumulating it, so the exit code reflects only the last file processed: if self.recursive r = self.walkdirwithcontextfile, true; // overwrites r else r = self.chmodfilefile.andr; PoC: GNU returns 1 when a file fails;...

5.5CVSS6AI score0.00143EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 3 days ago9 views

chmod: --preserve-root bypassed by any path that resolves to root (e.g. /../)

Chmoder::chmod only compares the literal argument against Path::new"/", so the --preserve-root guard is bypassed by any path that resolves to root — a symlink to / or simply /../. if self.recursive && self.preserveroot && file == Path::new"/" return ErrChmodError::PreserveRoot"/".tostring.into; P...

7.3CVSS6AI score0.00175EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 3 days ago14 views

flyto-core has Unauthenticated Command Execution via HTTP MCP `execute_module`

Unauthenticated Command Execution via HTTP MCP executemodule Summary The HTTP MCP endpoint POST /mcp in flyto-core accepts unauthenticated JSON-RPC tools/call requests and dispatches them to arbitrary registered modules, including sandbox.executeshell, which passes attacker-controlled input...

6.4AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 3 days ago9 views

flyto-core has SSRF guard bypass via IPv6 transition addresses (IPv4-mapped / 6to4 / NAT64) in validate_url_ssrf

Summary flyto-core's SSRF protection validateurlssrf / isprivateip in src/core/utils.py blocks private and metadata destinations by resolving the host and testing the resulting IP for membership in a hardcoded PRIVATEIPRANGES list. That list contains only the native RFC 1918 / loopback / link-loc...

7.5CVSS6.9AI score0.01034EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 3 days ago7 views

Scriban: Template Writes to Arbitrary CLR Properties via `TypedObjectAccessor` (Mass Assignment + `private` / `init` / `internal` Setter Bypass)

Description When a host pushes a CLR object into a Scriban TemplateContext via the standard, documented pattern — var so = new ScriptObject; so"user" = currentUser; // direct CLR reference context.PushGlobalso; — TypedObjectAccessor exposes every public-getter property for both reading and writin...

6AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 3 days ago9 views

WeasyPrint has CSS Injection via Presentational Hints

Summary A CSS injection issue exists in WeasyPrint when HTML presentational hints are enabled. Unescaped attribute values are embedded into CSS, allowing injection of arbitrary CSS declarations. This affects applications processing untrusted HTML input. Details File: weasyprint/css/init.py The...

6AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 3 days ago9 views

Cilium vulnerable to sensitive information disclosure and cluster disruption via local Envoy admin socket access

Impact When Cilium L7 functionality is enabled on a cluster, the Envoy instance supporting this functionality creates a world-accessible socket on cluster nodes. A local attacker would be able to access Envoy admin endpoints. Depending on deployment configuration, this can expose sensitive...

5.9AI score0.00017EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 3 days ago8 views

OpenRemote read-only asset users can write predicted datapoints

Summary The predicted datapoint write endpoint allows users with only read:assets privileges to write predicted datapoints. The endpoint: text PUT /api/realm/asset/predicted/assetId/attributeName accepts write requests from users lacking write:assets. The implementation appears to check READASSET...

5.9AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 3 days ago9 views

Formie Hidden field defaults vulnerable to Server-Side Template Injection

Summary Formie Hidden fields could evaluate request-derived values as Twig during front-end form rendering. When a Hidden field used a dynamic default value such as HTTP User Agent, Referer URL, Current URL, Query Parameter, or Cookie Value, the value was copied from the incoming request and late...

6.5AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 3 days ago10 views

Open Babel has out-of-bounds write in MOPAC translationVectors[] (UNIT CELL TRANSLATION)

Summary A memory-safety vulnerability in Open Babel's MOPAC output parser allowed an out-of-bounds write into the translationVectors array when reading the "UNIT CELL TRANSLATION" block of a crafted input file. Details The MOPAC output reader stored translation vectors from the UNIT CELL...

9.8CVSS6.6AI score0.00816EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added last week9 views

Recce server has unauthenticated SQL execution that allows local file read/write through DuckDB

Impact Recce OSS server deployments that expose the server to an untrusted network without authentication are vulnerable to unauthenticated SQL execution through the query run API. When Recce is configured with a DuckDB-backed project, an attacker can use DuckDB filesystem primitives to read and...

5.9AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added last week12 views

9router has an Incomplete Fix: Local-Only Access Gate Bypass in 9router via Host Header SpoofING

Summary The fix for CVE-2026-46339 unauthenticated RCE via unprotected MCP plugin routes introduced a local-only access gate in src/dashboardGuard.js that restricts spawn-capable routes /api/mcp/, /api/tunnel/, /api/cli-tools/ to loopback requests. The gate determines "local" by inspecting the Ho...

6.6AI score0.00147EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added last week10 views

golang.org/x/image/tiff has excessive resource consumption in PackBits decompression

The TIFF decoder does not place a limit on the size of PackBits-compressed data. A maliciously-crafted image can exploit this to cause a small image both in terms of pixel width/height and encoded size to make the decoder decode large amounts of compressed data...

7.5CVSS5.8AI score0.00353EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added last week12 views

9router's Hardcoded Default fallback JWT Secret Allows Authentication Bypass

Summary 9router uses a publicly known hardcoded string "9router-default-secret-change-me" as the fallback of JWT secret for all Dashboard session JWTs when the JWTSECRET environment variable is not set. Because this secret is committed in the public repository and unchanged across all releases, a...

5.8AI score0.0019EPSS
Exploits1References2Affected Software1
Github Security Blog
Github Security Blog
added last week10 views

Kiwi TCMS's /init-db/ page renders and responds to requests after first use

Kiwi TCMS provides the /init-db/ page as part of its setup mechanism for administrators who prefer a browser instead of the command line. In previous versions of Kiwi TCMS this page still renders and responds to requests even after first use. Impact The /init-db/ page does not require any user...

5.8AI score0.00048EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added last week10 views

LaunchServer FileServerHandler has an unauthenticated path traversal issue

Summary An unauthenticated path traversal in the LaunchServer HTTP file server FileServerHandler lets any remote actor read any file readable by the LaunchServer process e.g. ../../../../etc/passwd. This is a generic arbitrary-file-read primitive, so the fix must address the traversal itself, not...

6AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added last week10 views

SimpleSAMLphp SP accepts a response from an unexpected IdP when unsigned `Response/InResponseTo` is combined with a signed assertion lacking `SubjectConfirmationData/InResponseTo`

Summary SimpleSAMLphp's SAML SP ACS path does not enforce the IdP selected for an SP-initiated login. If a saved SP state contains ExpectedIssuer = IdP A, but the ACS receives a valid response from IdP B, the code logs a warning and continues processing instead of rejecting the response. That...

5.8AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added last week10 views

Algernon vulnerable to server-side script source disclosure on Windows via NTFS filename

Summary Algernon selects its file handler from filepath.Ext engine/handlers.go:134, which does not treat the NTFS-equivalent names x.lua::$DATA, x.lua., or x.lua as .lua. On Windows, an unauthenticated client appends one of these suffixes to any server-side script on a public path and receives it...

5.9AI score0.00077EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added last week10 views

jxl-grid on 32-bit platforms has an out-of-bounds writes due to integer overflow

Summary On 32-bit platforms, decoding a crafted image may lead to out-of-bounds writes due to integer overflow in length calculation. Details & PoC The test listed below fail under miri with command cargo +nightly miri test --release -p jxl-grid Or you can use Address Sanitizer, which ignores...

6.3AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added last week8 views

jxl-oxide: `FrameBuffer::new` creates out-of-bounds slices on overflow

Summary jxl-oxide exposes a public safe API that can construct an undersized FrameBuffer due to unchecked usize multiplication, which immediately trigger panic while initializing the buffer in normal decoding path. Additionally, calling the safe grouped buffer accessors afterward can create inval...

6AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added last week10 views

jxl-oxide: integer subtraction overflow panic in cluster_from_table via crafted JXL input (DoS)

Summary Logic bug in decodesimpletableslow may cause integer arithmetic overflow when decoding Modular image with certain kind of MA tree, which may panic with overflow-checks enabled. Impact Denial of service: any application passing untrusted JXL data to JxlImage::renderframe or equivalent can ...

5.9AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added last week8 views

Kimai Favorite Timesheet Add and Remove Endpoints Allows Cross-User Bookmark Manipulation

Summary Kimai 2.56.0 contains an authenticated improper authorization / IDOR vulnerability in the favorite timesheet add and remove endpoints. A low-privileged user who knows another user's timesheet.id can add that record to, or remove it from, the victim's favorite/recent bookmark list. This...

5.8AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added last week12 views

Keycloak: Unauthorized access via improper validation of encrypted SAML assertions

Keycloak's SAML broker endpoint does not properly validate encrypted assertions when the overall SAML response is not signed. An attacker with a valid signed SAML assertion can exploit this by crafting a malicious SAML response, injecting an encrypted assertion for an arbitrary principal, leading...

7.7CVSS5.9AI score0.00241EPSS
Exploits0References12Affected Software1
Github Security Blog
Github Security Blog
added last week14 views

fast-mcp-telegram: Bearer token path traversal bypasses reserved Telegram session protection

Summary fast-mcp-telegram validates HTTP Bearer tokens by joining the raw token string into a session-file path. The verifier rejects the exact reserved token telegram, but it does not reject path separators or normalize the path before checking whether the session file exists. A remote HTTP clie...

9.4CVSS6.1AI score0.00423EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added last week12 views

Steeltoe: OAEP setting silently selects PKCS#1 v1.5 padding

Summary Configuring encrypt:rsa:algorithm=OAEP does not enable OAEP encryption. Due to an incorrect BouncyCastle transformation string, the OAEP setting selects PKCS1 v1.5, which is the same algorithm as the DEFAULT setting. Impact Operators who configure encrypt:rsa:algorithm=OAEP to obtain...

1.9CVSS5.8AI score0.00046EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added last week9 views

Steeltoe: TLS private keys written to /tmp with default permissions, never deleted

Summary When MySQL or PostgreSQL service bindings from VCAPSERVICES include TLS client credentials, the Connectors library writes those credentials to temporary files in Path.GetTempPath using File.CreateText. On Linux, File.CreateText creates files with mode 0644 world-readable under the process...

4.7CVSS5.8AI score0.00065EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added last week8 views

Steeltoe's static JWKS cache shared across schemes and never invalidated

Summary The JWT signing key cache in TokenKeyResolver uses kid as the sole cache key without namespacing by authority. In applications with multiple JwtBearer schemes pointing to different identity providers, a key fetched for one scheme can satisfy token validation for another. Additionally,...

5.9CVSS5.8AI score0.0029EPSS
Exploits0References5Affected Software3
Github Security Blog
Github Security Blog
added last week8 views

Steeltoe's sensitive actuators (heapdump/env) only require Restricted permission

Summary All Steeltoe actuator endpoints default to EndpointPermissions.Restricted, which is mapped to Cloud Foundry's readbasicdata permission granted to Space Auditors and similar low-trust roles. Sensitive actuators including heap dump, environment, and thread dump do not raise this to...

6.5CVSS5.8AI score0.00231EPSS
Exploits0References5Affected Software2
Github Security Blog
Github Security Blog
added last week11 views

Steeltoe's env sanitizer misses connection strings — leaks embedded DB passwords

Summary The Sanitizer component in the Environment actuator redacts configuration values by matching the configuration key name against a suffix list. The default list password, secret, key, token, .credentials., vcapservices does not cover the standard .NET pattern ConnectionStrings: or Steeltoe...

7.5CVSS5.8AI score0.00185EPSS
Exploits0References5Affected Software2
Github Security Blog
Github Security Blog
added last week10 views

Steeltoe.Discovery.Eureka: Unrecognized DataCenterInfo.Name poisons entire registry fetch

Summary DataCenterInfo.FromJson throws ArgumentException for any name value other than "MyOwn" or "Amazon", despite the Java Eureka specification defining a third valid value: "Netflix". The exception propagates through the entire registry deserialization chain and is swallowed by the periodic...

7.5CVSS5.8AI score0.00339EPSS
Exploits0References5Affected Software1
Total number of security vulnerabilities33100