Lucene search
K
GithubRecent

33227 matches found

Github Security Blog
Github Security Blog
added 2026/05/29 10:13 p.m.20 views

stigmem-node: Auth-disabled deployments may grant broad anonymous access outside loopback

Impact Stigmem nodes configured with authentication disabled could grant the anonymous identity broad read/write/federation capabilities if exposed outside a loopback-only local development environment. Impacted users are operators who intentionally disabled authentication while binding the node ...

5.8AI score
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 10:10 p.m.23 views

Nezha's authenticated DDNS webhook configuration allows blind SSRF from the dashboard host

Summary An authenticated Nezha dashboard user can create or update a DDNS profile with provider webhook and configure an arbitrary webhookurl, HTTP method, request body, and headers. When DDNS is triggered for a server that uses that profile, the dashboard process sends the configured request wit...

6.4CVSS6AI score0.00182EPSS
Exploits0References3Affected Software2
Github Security Blog
Github Security Blog
added 2026/05/29 10:9 p.m.24 views

Admidio: Any logged-in user can delete inventory fields via `mode=field_delete` — incomplete fix of #2024

Summary Commit d37ca6b27b9674238e58491cf7ba292e66898f15 "Delete item not check admin rights 2024", 2026-04-12 added a missing isAdministratorInventory gate to case 'itemdelete': in modules/inventory.php. The same fix was not applied to the sibling case 'fielddelete': handler, which destroys an...

5.8AI score0.00029EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 10:7 p.m.22 views

Admidio writes session IDs and auto-login cookie values to application logs

Summary When debug logging is enabled, Session::setCookie logs full cookie values and Session::start logs the current session ID. In a real Admidio deployment this includes both the active session cookie and the persistent auto-login cookie. Anyone with access to the log sink can recover live...

5.8AI score0.00015EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 10:7 p.m.22 views

Admidio PKCS#12 private key export action lacks CSRF protection

Summary The sensitive mode=export action in modules/sso/keys.php exports a PKCS12 bundle containing the configured private key and certificate, but the CSRF validation line is commented out. A forged cross-site POST from an administrator session can therefore trigger private key export without a...

5.8AI score0.00009EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 10:6 p.m.23 views

Admidio has IDOR in `documents-files.php` `mode=move_save` that lets any folder-uploader exfiltrate files from private folders

Summary modules/documents-files.php gates state-changing modes by checking that the actor has hasUploadRight on the URL parameter folderuuid. The movesave handler then operates on a separate URL parameter fileuuid and calls File::moveToFolder$destFolderUUID. File::moveToFolder checks the upload...

5.7AI score0.00032EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 10:5 p.m.23 views

Admidio: IDOR in documents-files.php allows cross-folder file rename and description changes by unauthorized uploaders

Summary modules/documents-files.php mode filerenamesave shares the same root-cause shape as the cross-folder move bug 05-documents-cross-folder-move-idor.md: the top-level rights check at lines 79-89 validates hasUploadRight on the URL parameter folderuuid, but the rename operation acts on fileuu...

5.8AI score0.00029EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 10:1 p.m.21 views

Admidio: CSRF in SSO client `enable` action toggles SAML/OIDC clients without token validation

Summary modules/sso/clients.php validates an admcsrftoken on every state-changing branch except enable. The enable case loads the SAML or OIDC client by UUID, calls $client-enable$enabled, and persists the new state with no token check. Because the action is reachable via plain GET parameters, a...

5.8AI score0.00016EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 9:58 p.m.25 views

Admidio's CSRF in registration `send_login` mode resets arbitrary user passwords

Summary modules/registration.php mode sendlogin regenerates a random password for useruuidassigned, stores its bcrypt hash in admusers.usrpassword, and emails the cleartext to that user. Every other state-changing mode in the same file assignmember, assignuser, deleteuser, createuser calls...

5.7AI score0.00015EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 9:57 p.m.23 views

Admidio module-administrator can delete or reorder categories owned by other modules via dead authorization check in `modules/categories.php`

Summary modules/categories.php checks that the supplied type parameter ANN, EVT, ROL, USF, … corresponds to a module the actor administers. The follow-up "is this specific category editable by me" check at lines 56-61 is dead code because it compares $getType a category-type code against mode nam...

5.9AI score0.00029EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 9:54 p.m.19 views

Admidio: Authorization bypass in file_delete enables cross-folder file removal by authenticated users without delete privileges

Summary An authenticated Admidio member with upload rights on any one folder can permanently delete files from folders where they have only view access. The authorization check at the top of modules/documents-files.php evaluates upload rights against the attacker-supplied folderuuid URL parameter...

5.6AI score0.00025EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 9:45 p.m.22 views

BoxLite has a Timeout Bypass Vulnerability

Summary BoxLite is a sandbox service that allows users to create lightweight virtual machines Boxes and run OCI containers within them. BoxLite allows users to configure a timeout for services running inside the virtual machine. When the timeout is triggered, BoxLite sends a signal to kill the...

6.5CVSS5.8AI score0.00268EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 9:32 p.m.29 views

Symfony: Twilio SMS Notifier allows unauthenticated webhook injection due to missing X-Twilio-Signature verification

Description The Twilio SMS notifier bridge ships a webhook request parser used to authenticate and decode the status callbacks Twilio POSTs to an application's webhook endpoint. Its doParseRequest $request, \SensitiveParameter string $secret method receives the configured webhook secret but never...

5.8AI score0.00026EPSS
Exploits0References6Affected Software2
Github Security Blog
Github Security Blog
added 2026/05/29 9:31 p.m.6 views

Spatie Laravel Media Library contains a file upload restriction bypass

Spatie Laravel Media Library before version 11.23.0 contains a file upload restriction bypass in FileAdder::defaultSanitizer. The sanitizer checks only the final filename suffix, allowing double-extension filenames such as shell.php.jpg to bypass the blocklist, with pathinfo preserving inner .php...

8.8CVSS5.8AI score0.0044EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 9:31 p.m.4 views

Spatie Laravel Media Library contains a server-side request forgery vulnerability

Spatie Laravel Media Library before version 11.23.0 contains a server-side request forgery vulnerability that allows remote attackers to cause the server to issue arbitrary outbound HTTP requests by passing user-controlled URLs to the addMediaFromUrl method in InteractsWithMedia.php...

7.4CVSS6AI score0.00248EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 9:22 p.m.21 views

ouroboros-ai Vulnerable to Remote Code Execution via Untrusted Project-Directory .env

Impact A Remote Code Execution RCE vulnerability was discovered in Ouroboros. If a user clones a malicious repository and runs Ouroboros commands within that directory, it can lead to arbitrary code execution and potential system takeover. The vulnerability CWE-426: Untrusted Search Path & CWE-15...

6.4AI score0.00557EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 9:21 p.m.23 views

Authelia Missing Username Canonicalization in Basic Auth (LDAP)

Impact CVSSv4 Baseline Score: Moderate 6.3 CVSSv4 Weighted Score: Low 2.9 The full CVSSv4 Vector for this vulnerability is:...

6.3CVSS5.9AI score0.00308EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 8:25 p.m.22 views

authentik's XML Signature Wrapping in SAML Source ACS allows authentication as arbitrary federated user

Summary authentik's SAML Source ACS endpoint is vulnerable to XML Signature Wrapping when validating upstream SAML responses. An attacker with any account at the upstream IdP can reuse a valid signed assertion to authenticate as another federated user. Patches authentik 2026.5.1, 2026.2.4 and...

8.5CVSS5.8AI score0.00162EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 8:21 p.m.26 views

CC-Tweaked has an SSRF Protection Bypass with NAT64

Summary CC-Tweaked's HTTP API http.request, http.websocket blocks requests to private network ranges to prevent server-side request forgery SSRF. This protection can be bypassed on IPv6-capable servers using NAT64 well-known prefix addresses 64:ff9b::/96. An attacker who can execute Lua code can...

6AI score0.00054EPSS
Exploits0References2Affected Software8
Github Security Blog
Github Security Blog
added 2026/05/29 8:18 p.m.22 views

zeroconf has unbounded DNS record cache that allows LAN-local memory exhaustion via multicast flood

Impact DNSCache.asyncadd inserted every response record into cache, expirations, expireheap, and servicecache with no cap on entry count. The only pre-existing protection was a PTR TTL floor DNSPTRMINTTL = 1125 s, RFC 6762 §10, which actually prolonged attacker-injected records, and a periodic...

5.8AI score0.00023EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 8:13 p.m.20 views

zeroconf: Unbounded exception-dedup state retains packet buffers via traceback frame locals, enabling LAN-local memory exhaustion

Impact DNSIncoming.logexceptiondebug and the four QuietLogger exception-dedup methods stored an unbounded seenlogs dict keyed by strsys.excinfo1. The seven IncomingDecodeError messages raised from readname / decodelabelsatoffset RFC 6762 §18 name-decoding error paths all embed self.source — the...

5.8AI score0.0002EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 8:9 p.m.18 views

zeroconf has unbounded recursion in DNS compression-pointer decoder that allows LAN-local denial of service

Impact DNSIncoming.decodelabelsatoffset recurses once per DNS-name compression pointer RFC 1035 §4.1.4. Pointer cycles and label counts were capped, but the chain length of unique forward pointers was not. A single 3 kB mDNS packet carrying 1500 chained pointers drives the recursion past CPython'...

5.8AI score0.0002EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 8:2 p.m.22 views

Nerdbank.MessagePack has Inefficient CPU Computation

Impact Applications that call OptionalConverters.WithExpandoObjectConverter and deserialize untrusted data are open to a vulnerability by which an attacker can exploit a On² algorithm to burn an inordinate amount of CPU effort by adding a great many properties to an ExpandoObject, whose Add metho...

5.8AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 7:56 p.m.22 views

Koel Vulnerable to SSRF via Podcast Episode Enclosure URLs

Summary Koel validates the podcast feed URL via the SafeUrl rule DNS resolution + public IP check, but the individual episode values extracted from the RSS XML are stored directly into the database without any SSRF validation. When a user plays an episode, the server downloads the full HTTP...

7.7CVSS5.8AI score0.00263EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 7:55 p.m.39 views

Nerdbank.MessagePack has a memory amplification DoS in collection deserialization

Nerdbank.MessagePack deserializers for many collection-shaped types trusted the element count declared in MessagePack array and map headers when allocating destination storage. A crafted payload could therefore force large arrays, pooled buffers, dictionaries, or collection instances to be...

5.7AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 7:47 p.m.30 views

Sparkle's AppInstaller post-stage-1 XPC listener accepts unvalidated connections, allowing spoofed appcast item data injection

Summary AppInstaller post-stage-1 XPC listener accepts unvalidated connections, allowing spoofed appcast item data injection. Details Autoupdate/AppInstaller.m's shouldAcceptNewConnection: only enforces SUCodeSigningVerifier validateConnection: before stage 1 completes. After...

5.8AI score0.00014EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 7:45 p.m.17 views

Sparkle: Binary delta apply intermediate-symlink traversal in malicious .delta

Summary Binary delta apply intermediate-symlink traversal in malicious .delta Autoupdate/SUBinaryDeltaApply.m enforces relativePath.pathComponents containsObject:@".." and rejects writes whose immediate parent directory IS itself a symbolic link, but does not detect symlinks deeper in the relativ...

5.8AI score0.00029EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 7:43 p.m.47 views

go-git: Malformed Git object data may cause panics or resource exhaustion

Impact Several denial-of-service issues were identified in go-git when parsing maliciously crafted Git repository data. An attacker may craft a malicious .pack, .idx or loose objects that causes an application using an affected version of go-git to panic or consume excessive resources. This can...

5.7AI score
Exploits0References2Affected Software2
Github Security Blog
Github Security Blog
added 2026/05/29 7:39 p.m.18 views

russh server userauth state is not reset when authentication principal changes

Summary The russh server authentication path keeps internal userauth state across SSHMSGUSERAUTHREQUEST messages without separating that state when the request principal changes. RFC 4252 allows the user name and service name fields to change between authentication requests. The issue is not that...

5.3CVSS5.8AI score0.00218EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 7:37 p.m.16 views

russh: Post-decompression SSH packet size was not bounded, allowing remote oversized compressed packets

Summary When SSH compression is enabled, russh accepted compressed packets whose on-wire size passed the normal transport packet-length checks but whose decompressed size was much larger. This allowed a remote peer to send oversized post-decompression packets that should have been rejected. In...

7.5CVSS6.1AI score0.00268EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 7:32 p.m.18 views

amazon-redshift-python-driver vulnerable to Remote Code Execution via eval() Injection

Summary amazon-redshift-python-driver is the official Python connector for Amazon Redshift. In versions 2.1.13 and earlier, the driver insufficiently validates data received from the server during query result processing. A rogue server or man-in-the-middle could leverage this to execute arbitrar...

9.8CVSS6.5AI score0.00808EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 7:26 p.m.41 views

uv is vulnerable to arbitrary file write through entry point names

Impact In versions of uv prior to 0.11.15, when installing a distribution containing an entry point specification under consolescripts or guiscripts, uv would place the generated entry point according to the given name even if doing so resulted in a path outside of the environment's scripts...

6.2AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 7:23 p.m.16 views

AgenticMail API/storage and outbound relay hardening fixes

The current upstream main branch at commit 7e0206d was reviewed, and the fix-first patch set was rebased on 2026-05-18. The patches cover: validated and bound inactive-agent hour filtering; storage SQL identifier validation; metadata-backed ownership checks for raw storage SQL; blocking direct...

5.8AI score0.00014EPSS
Exploits0References8Affected Software2
Github Security Blog
Github Security Blog
added 2026/05/29 7:18 p.m.20 views

Parse Server's GraphQL "Did you mean ...?" validation suggestions disclose schema to unauthenticated callers

Impact Parse Server's GraphQL endpoint discloses schema metadata to unauthenticated callers through Did you mean ...? suggestions embedded in GraphQL validation-error messages. An unauthenticated caller who knows only the public application id can iteratively send malformed queries to reconstruct...

6.9CVSS5.9AI score0.00291EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 7:16 p.m.11 views

tar has a PAX header desynchronization issue

Summary When a tar stream contains multiple "header" entries prior to a file entry, tar-rs applies the PAX header x to the next entry in the stream, regardless of type. For example, a stream of x - L - file PAX, GNU longname, file would result in x's extensions being applied to L rather than to...

5.8AI score
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 7:8 p.m.66 views

astral-tokio-tar has a PAX Header Desynchronization issue

Impact Versions of astral-tokio-tar prior to 0.6.2 contain a PAX header interpretation bug that allows manipulated entries to be made selectively visible or invisible during extraction with astral-tokio-tar versus other tar implementations. An attacker could use this differential to smuggle...

5.8AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 7:7 p.m.16 views

ezsystems/ezpublish-legacy has a SQL injection in dfscleanup

NB: All tags and branches in this repository are past their end of life, so the vulnerability will not be fixed. The advisory is posted on the request of the researcher, for the information of anyone who might still use this software. Impact There is a security vulnerability in eZ Publish Legacy,...

5.8AI score0.00017EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 7:5 p.m.15 views

unbounded-spsc: Sender::send pointer-as-value transmute causes OOB read and fake-Arc drop under TX/RX race

Summary Sender::send in src/lib.rs contains an unsafe block in the DISCONNECTED arm that transmutes a raw pointer mut Producer into the bytes of a value-level Consumer. The author's intent, visible in the surrounding comment at lines 386-390, was a value transmute. The shipped code is one level o...

5.8CVSS5.8AI score0.0013EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 7:1 p.m.17 views

CAPM3 vulnerable to Cross-Namespace resource access

Summary CAPM3 is Metal3's Cluster API CAPI provider for baremetal provisioning in Kubernetes. Multiple cross-namespace access control vulnerabilities in Cluster API Provider Metal3 allow users with permissions to create or modify CAPM3 resources in one namespace to reference, read, or claim...

6AI score
Exploits0References12Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 6:31 p.m.4 views

xiaomusic contains an unauthenticated path traversal vulnerability

xiaomusic v0.5.7 contains an unauthenticated path traversal vulnerability in the GET /music/filepath:path endpoint that allows unauthenticated attackers to read arbitrary files outside the intended music directory by exploiting an incomplete path prefix check. Attackers can request files from...

8.7CVSS5.9AI score0.00513EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 6:31 p.m.5 views

agno contains a SQL injection vulnerability

agno 2.6.5 contains a SQL injection vulnerability in the ClickHouse vector database backend that allows attackers to inject arbitrary SQL expressions by supplying malicious metadata keys and values to the deletebymetadata method. Attackers can exploit the unsafe f-string interpolation in...

8.7CVSS6AI score0.00319EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 6:31 p.m.7 views

Duplicate Advisory: OpenClaw: QQBot native approval buttons did not enforce configured approver identity

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-mgq6-vr84-7m2j. This link is maintained to preserve external references. Original Description OpenClaw before 2026.5.18 contains an authorization bypass vulnerability in QQBot native approval buttons that fails ...

8CVSS5.7AI score0.00199EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 6:24 p.m.21 views

IPAM controller service account granted unnecessary full access to Secrets

Impact IPAM is the IP address Manager for Cluster API Provider Metal3. The IPAM controller's ClusterRole granted full CRUD permissions create, delete, get, list, patch, update, watch on core/v1 Secrets. The controller never accesses Secrets during normal operation. If the controller pod were...

4.4CVSS5.8AI score0.00333EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 6:23 p.m.18 views

Ironic Standalone Operator's controller modifies user-owned resources without consent

Impact The Ironic Standalone Operator IRSO is the operator to maintain an Ironic deployment for Metal3. IRSO controller automatically adds its environment label to user-provided Secrets and ConfigMaps without the resource owner's consent. A high-privilege controller modifying user-owned resources...

5.8AI score
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 6:22 p.m.18 views

Ironic Standalone Operator's prometheus metrics exporter bound to all interfaces

Impact The Ironic Standalone Operator IRSO is the operator to maintain an Ironic deployment for Metal3. The Prometheus metrics exporter binds to 0.0.0.0 all network interfaces by default with no authentication. The default config is disabled. If enabled, this exposes operational metrics to any ho...

5.8AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 6:20 p.m.19 views

NodeVM observability builtins leak host process and HTTP request data

Summary NodeVM exposes some process-wide observability builtins when they are allowed through require.builtin. The following builtins are not blocked by the dangerous builtin denylist: text diagnosticschannel asynchooks perfhooks These modules are process-wide, not sandbox-local. Sandboxed code c...

6.9CVSS5.8AI score0.00308EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 6:8 p.m.10 views

NodeVM network builtin exclusions bypass via internal _http_client and _http_server

Summary NodeVM supports excluding public network builtins from the wildcard builtin option. With this configuration direct access to http, https, http2, net, dgram, tls, dns, and dns/promises is blocked. However, Node.js also exposes underscored internal HTTP builtins such as httpclient and...

8.6CVSS5.8AI score0.00282EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 5:59 p.m.14 views

NodeVM builtin denylist bypass via process and inspector/promises allows host code execution

Summary NodeVM blocks several dangerous Node.js builtins such as module, workerthreads, cluster, vm, repl, and inspector. However, the denylist misses process and inspector/promises. Both can be used from sandboxed code to reach host-side execution primitives. This allows sandboxed code to bypass...

10CVSS6.3AI score0.00536EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 5:58 p.m.13 views

ExifReader is vulnerable to denial of service via crafted ICC `mluc` tag

Impact When parsing an image with an embedded ICC profile that contains a crafted multiLocalizedUnicodeType mluc tag, ExifReader can be made to allocate memory proportional to attacker-controlled fields in the tag rather than to the actual size of the input. Processing such an image causes...

8.7CVSS5.9AI score0.00528EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 5:52 p.m.13 views

ExifReader is vulnerable to denial of service via unbounded decompression of image metadata

Impact Versions of ExifReader from 4.20.0 through 4.38.1 do not bound the size of decompressed metadata blocks. When a caller invokes the asynchronous API e.g. ExifReader.loadfile or ExifReader.loadbuffer, async: true on an attacker-supplied image, a small compressed chunk in the file can expand ...

6.9CVSS5.8AI score0.00464EPSS
Exploits0References6Affected Software1
Total number of security vulnerabilities33227