Lucene search
K
GithubRecent

33225 matches found

Github Security Blog
Github Security Blog
added 2026/06/04 7:23 p.m.16 views

Shopware: Privilege Escalation via Sync API Integration Admin Flag Bypass

Summary A non-admin API user with integration:create ACL privilege can escalate to full administrator by creating an integration with admin: true through the Sync API POST /api/action/sync. The regular integration endpoint POST /api/integration correctly blocks this, but the Sync API bypasses the...

5.9AI score0.00034EPSS
Exploits0References4Affected Software2
Github Security Blog
Github Security Blog
added 2026/06/04 6:57 p.m.14 views

WWBN AVideo: Unauthenticated Stored DOM Cross-Site Scripting via Per-Client Metadata Broadcast in YPTSocket Plugin

Unauthenticated Stored DOM XSS via pagetitle Broadcast in AVideo YPTSocket Plugin Summary A stored DOM Cross-Site Scripting vulnerability CWE-79 in the AVideo YPTSocket plugin lets any unauthenticated remote attacker execute arbitrary JavaScript in the authenticated origin of every administrator...

6.2AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/04 6:56 p.m.12 views

WWBN AVideo: Stored XSS via Hostile YouTube Video Title in AVideo YouTubeAPI Gallery Section

Stored XSS via Hostile YouTube Video Title in AVideo YouTubeAPI Gallery Section Summary A stored Cross-Site Scripting vulnerability CWE-79; chained CWE-829, Inclusion of Functionality from Untrusted Control Sphere in the AVideo YouTubeAPI plugin renders the snippet.title field returned by the...

5.9AI score0.00031EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/04 6:55 p.m.13 views

WWBN AVideo: Unauthenticated Reflected XSS via $_GET['search'] in AVideo YouTubeAPI Gallery Pagination

Unauthenticated Reflected XSS via $GET'search' in AVideo YouTubeAPI Gallery Pagination Summary A reflected Cross-Site Scripting vulnerability CWE-79 in the AVideo YouTubeAPI plugin allows any unauthenticated attacker to execute arbitrary JavaScript in a victim's browser session when the victim...

6.2AI score0.00094EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/04 6:55 p.m.13 views

WWBN AVideo: Stored XSS via autoEvalCodeOnHTML Bypass in MessageSQLite WebSocket Handler (CVE-2026-43874 Bypass)

AVideo: Stored XSS via autoEvalCodeOnHTML in MessageSQLite WebSocket Handler Summary AVideo has a stored XSS vulnerability in the WebSocket messaging system. The MessageSQLite.php handler only strips autoEvalCodeOnHTML from $json'msg', but msgToResourceId reads from $msg'json' with higher priorit...

7.2CVSS6AI score0.00238EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/04 6:47 p.m.14 views

WWBN AVideo: Authenticated wallet credit bypass in AuthorizeNet processPayment endpoint

Summary plugin/AuthorizeNet/processPayment.json.php credits the logged-in user's wallet based only on the attacker-controlled amount POST parameter. The endpoint contains a TODO for real Authorize.Net charging, hardcodes $paymentSuccess = true, and then calls YPTWallet::addBalance without...

7.1CVSS5.9AI score0.0012EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/04 6:46 p.m.19 views

WWBN AVideo: Stored XSS via unescaped Gallery category description

Summary AVideo stores category descriptions from user input and later renders categorydescription as raw HTML in the Gallery view. A user who can create or edit categories can store JavaScript in a category description, which executes when another user views the affected Gallery/category page. Th...

5.4CVSS5.9AI score0.00162EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/04 6:46 p.m.26 views

Spree: CSV Formula Injection in Customer Export

Summary CSV formula injection also known as formula injection or CSV injection affects customer export. User-controlled values customer names, email addresses, and shipping addresses. When an administrator opens a crafted Export in Microsoft Excel or LibreOffice Calc, formulas embedded in user da...

6AI score
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/04 6:39 p.m.12 views

OpenMeter: SQL injection through meter creation

Summary An authenticated tenant can inject arbitrary SQL through the valueProperty or groupBy fields of POST /api/v1/meters. The injection passes the application's JSONPath validation check and executes against the shared ClickHouse database, which contains event data for all tenants with no...

6.1AI score0.00036EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/04 6:1 p.m.16 views

Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths

Summary app.mount strips the mount prefix from the incoming request path using the raw URL pathname, while route matching is performed against the percent-decoded path. This inconsistency causes the prefix to be stripped at the wrong position when the path contains percent-encoded multi-byte...

5.3CVSS5.8AI score0.0026EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/04 6:0 p.m.12 views

Hono: IP Restriction bypasses static deny rules for non-canonical IPv6

Summary The ip-restriction middleware hono/ip-restriction compares incoming IP addresses against configured deny and allow rules using string equality after partial normalization. Non-canonical IPv6 representations of an address already listed in a static rule — such as compressed forms,...

5.3CVSS5.8AI score0.00244EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/04 5:59 p.m.14 views

Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection

Summary The serialize function in hono/cookie validates domain and path options against characters that corrupt Set-Cookie header syntax ;, \r, \n, but does not apply the same validation to sameSite and priority. An application that passes user-controlled input into either option may produce a...

5.3CVSS5.8AI score0.00216EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/04 5:52 p.m.18 views

Hono: JWT middleware accepts any Authorization scheme, not only Bearer

Summary The jwt and jwk middlewares do not verify that the Authorization header value uses theBearer scheme. Any two-part header value — regardless of the scheme name in the first position — proceeds to JWT verification. A request presenting a valid JWT under a non-Bearer scheme identifier such a...

6.5CVSS5.7AI score0.00199EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/04 5:49 p.m.17 views

epa4all-client: Unauthenticated REST API for Patient Record Writes

Impact Any network-reachable caller can write arbitrary documents to any patient's electronic health record accessible by the institution's SMC-B card. In a misconfigured deployment e.g., following the production Docker example in the README, this is exploitable from the local network without...

6.5CVSS5.9AI score0.00162EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/04 5:43 p.m.22 views

Nhost CLI local configserver allows cross-origin unauthenticated read/write access to local development configuration and secrets

Summary The hidden nhost configserver used by nhost dev exposes the Mimir GraphQL API with dummy authorization directives and permissive CORS. When a developer is running the local development environment, any process that can reach the developer's localhost service, including a web page loaded...

5.9AI score0.00033EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/04 5:40 p.m.13 views

Klever-Go P2P MultiDataInterceptor leaks global throttler slots on malformed compressed batches (DoS)

Publisher note Fixed in v1.7.17. Operators running v1.7.17 should upgrade. The decompression-error path in MultiDataInterceptor.ProcessReceivedMessage now releases the global throttler slot before returning guarded defer after StartProcessing, disabled when the asynchronous goroutine takes...

5.8AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/04 5:38 p.m.16 views

Singluarity: Incorrect path matching for 'limit container paths' directive

Impact The limit container paths directive in singularity.conf is intended to allow a system administrator limit the paths from which containers can be run, under setuid mode. Due to incorrect matching of a path string, sibling directories with similar names may incorrectly be allowed. For exampl...

5.8AI score0.0001EPSS
Exploits0References5Affected Software2
Github Security Blog
Github Security Blog
added 2026/06/04 5:36 p.m.15 views

kas's late signature validation may allow unnoticed repository manipulations

Impact So far, kas checks out and processes repositories regarding configuration includes prior to validating signatures of those repositories. This may allow to replace on original repository with one under the control of an attacker under very specific conditions. First of all, the attacker mus...

5.8AI score0.00021EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/04 3:23 p.m.17 views

React Router vulnerable to Denial of Service via reflected user input in single-fetch

A DoS vulnerability exists in the React Router v7 Framework Mode, as well as Remix v2.9.0+ with Single Fetch enabled. In some scenarios the underlying serialization algorithm can become a bottleneck when encoding specific types of data into server responses. Please upgrade to React Router v7.14.0...

7.5CVSS5.8AI score0.00294EPSS
Exploits0References6Affected Software2
Github Security Blog
Github Security Blog
added 2026/06/04 3:5 p.m.18 views

Nuclio: Missing authorization on project write paths allows any authenticated user to modify or delete any project

This vulnerability exists in Nuclio Dashboard's project management API, allowing any authenticated user without membership in the target project to bypass OPA authorization checks on write paths PUT /api/projects/id, DELETE /api/projects and modify or delete any project along with all its...

6AI score0.00047EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/04 2:55 p.m.11 views

Better Auth: Device authorization approve and deny accept any authenticated session while the user code is pending

Am I affected? You are affected if all of the following are true: - You use better-auth at a version = 1.6.0, 1.6.11. - The deviceAuthorization plugin is enabled in your auth config deviceAuthorization in your plugins array. - A third party can observe a pending user code before the legitimate us...

5.7AI score0.00017EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/04 2:50 p.m.16 views

matrix-sdk-ui: Incomplete edit validation

Impact The message edit validation logic in the matrix-sdk-ui crate before 0.16.1 is missing a check: when replacing an encrypted event, the replacement event itself is not required to be encrypted. This enables a malicious homeserver administrator or an actor with equivalent power to impersonate...

5.9AI score0.00019EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/04 2:47 p.m.16 views

Matrix Rust SDK: Sender-binding gaps in to-device and room-key attribution

Impact The matrix-sdk-crypto crate before 0.16.1 is missing a check for the sender's user ID when decrypting an Olm-encrypted to-device message containing the senderdevicekeys property. This could be exploited to spoof the sender of an encrypted to-device message, but only if the attacker collude...

5.8AI score0.0005EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/04 2:39 p.m.24 views

Strawberry GraphQL's Bypass of MaxAliasesLimiter via Fragment Spreads leading to GraphQL Alias Amplification

Summary The MaxAliasesLimiter extension in Strawberry fails to account for the multiplicative/amplification effect of FragmentSpreadNode. While it correctly counts static aliases within the AST it does not consider how many times a fragments internal aliases are expanded during execution. this...

5.3CVSS6AI score0.00417EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/04 2:38 p.m.19 views

Strawberry GraphQL has a Circular Fragment Reference DOS

Summary The QueryDepthLimiter extension is vulnerable to an Application-level DOS due to a lack of cycle detection in fragment spreads. When a query contains circular fragment references the determinedepth function enters an infinite recursion, leading to a RecursionError and crashing the...

5.3CVSS5.8AI score0.00296EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/04 2:37 p.m.20 views

Doorkeeper Openid Connect: Dynamic Client Registration feature creates public clients with client_secret

Impact The DynamicClientRegistrationControllerregister action hard-codes confidential: false when creating applications dynamicclientregistrationcontroller.rb:18-25, yet the response includes a clientsecret and advertises tokenendpointauthmethodssupported: "clientsecretbasic", "clientsecretpost"...

5.8AI score0.00058EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/04 2:33 p.m.35 views

WebOb: Location header normalization during redirect leads to open redirect - again

Impact When WebOb normalizes the HTTP Location header to include the request hostname, it does so by parsing the URL that the user is to be redirected to with Python's urllib.parse, and joining it to the base URL. urlsplit called internally by urljoin however treats a // at the start of a string ...

6.1CVSS5.7AI score0.00497EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/04 2:24 p.m.85 views

Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection

Summary Axios versions before 0.32.0 on the 0.x line and before 1.16.0 on the 1.x line build a regular expression from the configured XSRF cookie name without escaping regex metacharacters. In standard browser environments, an attacker who can influence the cookie name passed to axios can cause...

7.5CVSS6AI score0.00645EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/04 2:21 p.m.187 views

Allocation of Resources Without Limits or Throttling in Axios

Summary Axios versions 1.7.0 through 1.15.x did not enforce configured request and response size limits when requests were sent with the fetch adapter. Applications that selected adapter: 'fetch', or ran in environments where axios resolved to the fetch adapter, could receive or send bodies large...

7.5CVSS5.8AI score0.0063EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/04 2:19 p.m.229 views

Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter

Summary Axios’s Node.js HTTP adapter may forward a Proxy-Authorization header to a redirected origin during specific proxy-to-direct redirect flows. This affects Node.js usage, where an initial HTTP request is sent through an authenticated HTTP proxy, redirects are followed, and the redirected UR...

8.2CVSS5.8AI score0.00689EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/04 2:15 p.m.314 views

Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection

Summary Axios’ Node.js HTTP adapter can leak proxy credentials to a redirect target in affected versions. When a request is sent through an authenticated proxy, Axios may add a Proxy-Authorization header. If Axios then follows a redirect and the redirected request is no longer sent through that...

7.5CVSS5.9AI score0.00552EPSS
Exploits1References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/04 1:15 p.m.16 views

Starlette has missing Host header validation that poisons request.url.path, bypassing path-based security checks

Summary In affected versions, the HTTP Host request header was not validated before being used to reconstruct request.url. Because the routing algorithm relies on the raw HTTP path while request.url is rebuilt from the Host header, a malformed header could make request.url.path differ from the pa...

6.5CVSS5.9AI score0.01438EPSS
Exploits2References24Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/03 9:41 p.m.24 views

Froxlor's API Authentication bypasses 2FA Authentication

Summary Froxlor's API authentication FroxlorRPC::validateAuth does not enforce Two-Factor Authentication. When a user admin or customer enables 2FA on their account, the web UI correctly requires a TOTP code after password verification. However, the API accepts requests authenticated with only an...

9.8CVSS7.3AI score0.01119EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/03 9:39 p.m.14 views

browserstack-runner vulnerable to Remote Code Execution via vm sandbox escape in _log HTTP handler

Summary The HTTP handler /log in lib/server.js lines 491–515 of browserstack-runner passes unauthenticated user-supplied data to vm.runInNewContext combined with eval, enabling a sandbox escape and arbitrary code execution on the host system. Details When browserstack-runner starts, it creates an...

8.8CVSS6.5AI score0.00392EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/03 9:38 p.m.12 views

browserstack-runner has an unauthenticated arbitrary file read via path traversal in HTTP server

Summary The HTTP server in browserstack-runner serves files from the project directory via the default handler. This handler uses path.joinprocess.cwd, uri to resolve file paths but does not validate that the resulting path stays within the project root. Combined with the server binding on 0.0.0....

7.1CVSS6AI score0.00208EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/03 9:37 p.m.12 views

Jupyter Enterprise Gateway: Kubernetes Manifest Injection in Jinja2 Template Rendering

Summary The environment variables used during the rendering of the Kubernetes manifest allow YAML injection, enabling attackers to overwrite existing keys like securityContext and inject multi-document YAML to create additional unintended Kubernetes resources. Details The server interpolates...

6.2AI score0.00062EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/03 9:36 p.m.11 views

Jupyter Enterprise Gateway: Jinja2 Template Server Side Template Injection resulting in Remote Code Execution

Summary The environment variables KERNELXXX used during the rendering of the Kubernetes manifest are vulnerable to Server Side Template Injection SSTI. By including Jinja2 template expressions it is possible to execution Python code and OS Commands in the Enterprise Gateway service. The code can...

6.4AI score0.0086EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/03 9:34 p.m.18 views

AIOHTTP is vulnerable to cross-origin redirect with per-request cookies

Summary Cookies set with the cookies parameter on requests are sent after following a cross-origin redirect. Impact If a developer uses the cookies parameter on a per-request basis then sensitive data might be leaked to an attacker if they manage to control a redirect. Workaround If unable to...

8.7CVSS5.8AI score0.0015EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/03 9:30 p.m.11 views

Jupyter Enterprise Gateway: ContainerProcessProxy._enforce_prohibited_ids Bypass

Summary Jupyter Enterprise Gateway has a prohibited UID and GID feature that by default prevents launching kernels with UID or GID 0 root. This can be bypassed. It is possible to launch kernels with a prohibited UID and/or GID by using a specially crafted KERNELUID or KERNELGID value. The feature...

6.1AI score0.00106EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/03 9:16 p.m.14 views

Docling Core: Unsafe remote filename resolution

Impact In versions = 1.5.0, = 2.74.1 Workarounds If upgrading is not immediately possible, avoid passing untrusted URLs into remote fetch functionality. References - Fix release: v2.74.1...

5.8AI score0.00055EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/03 9:15 p.m.13 views

Docling Core: Insufficient validation of image reference URIs

Impact In versions = 2.5.0, = 2.74.1 Workarounds If upgrading is not immediately possible: - reject file: and data: image references from untrusted input - allow only approved local or remote image sources - apply input size and memory limits to processing workers References - Fix release: v2.74....

5.8AI score0.0004EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/03 9:15 p.m.13 views

Docling: Unsafe URI and Path Handling in HTML Backend

Impact The HTML backend did not perform sufficient validation during resource handling: - Accepted file:// URIs enabling local file system access when enablelocalfetch=True - Path resolution allowed traversal outside intended directories via ../ sequences and absolute paths - Did not block intern...

7.1CVSS5.8AI score0.00217EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/03 9:14 p.m.13 views

Docling: Potential Path Traversal via LaTeX \includegraphics and \input Commands

Impact The LaTeX backend's handling of \includegraphics, \input, and \include commands lacked path containment validation. Attackers could craft malicious LaTeX documents with path traversal sequences e.g., ../../../etc/passwd to: - Read arbitrary files from the file system accessible to the...

5.5CVSS5.9AI score0.00163EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/03 9:14 p.m.19 views

Docling: Unsafe XML Entity Expansion in USPTO Patent Backend

Impact The USPTO patent XML parser used the standard xml.sax.parseString without protection against XML External Entity XXE attacks. An attacker could craft malicious USPTO patent XML files with external entity references that could: - Read arbitrary files from the server filesystem - Perform...

9.4CVSS6AI score0.00334EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/03 9:13 p.m.14 views

Docling: Unsafe Archive Extraction and XML Parsing in METS-GBS Backend

Impact The METS-GBS backend's XML parsing and the input document format detection lacked security controls, enabling: - XML External Entity XXE attacks to read local files or cause denial of service - Decompression bombs zip bombs to exhaust memory and disk space - Unbounded archive extraction...

7.1CVSS5.8AI score0.00113EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/03 9:9 p.m.17 views

Docling: Unsafe Playwright-based HTML Rendering

Impact In versions = 2.82.0, 2.91.0, if the HTML backend was explicitly configured for rendering rendering option by default deactivated, then the Playwright-based rendering feature could allow JavaScript execution and unrestricted network access when processing untrusted HTML documents. An...

8.2CVSS6.5AI score0.00384EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/03 9:6 p.m.14 views

malla: Stored XSS via Meshtastic node names in multiple frontend pages

Node names longname, shortname received via MQTT are stored in SQLite without sanitization and rendered into the DOM without escaping. Any participant on a public Meshtastic MQTT broker can set a malicious node name that executes JavaScript in the browser of every Malla dashboard visitor. Affecte...

6.1AI score0.00174EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/03 9:5 p.m.13 views

React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint

There exists a potential DOS attack vector in React Router Framework Mode applications as well as Remix v2.10.0 - 2.17.4. Certain requests can be crafted to consume disproportionate resources on the server, resulting in response time degredation and/or service unavailability for end users. !NOTE...

7.5CVSS5.8AI score0.00299EPSS
Exploits0References3Affected Software2
Github Security Blog
Github Security Blog
added 2026/06/03 9:3 p.m.15 views

React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE

When using React Router v7 in Framework Mode, there exists a combination of steps that could potentially allow unauthorized RCE through external requests. This first requires the application code to have an existing prototype pollution vulnerability. This can be leveraged into a 2-step attack in...

8.1CVSS5.9AI score0.00416EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/03 9:2 p.m.13 views

Froxlor: BIND Zone File Injection via TXT Record Content

Summary The DomainZones.add API endpoint does not sanitize newline characters in TXT record content. An authenticated customer with DNS editing enabled can inject newlines into TXT record values, which break out of the record line in the generated BIND zone file. This enables injection of arbitra...

8.8CVSS6AI score0.00544EPSS
Exploits1References5Affected Software1
Total number of security vulnerabilities33225