Lucene search
K
GithubRecent

33227 matches found

Github Security Blog
Github Security Blog
added 2026/05/29 5:51 p.m.18 views

vm2 sandbox escape via JSPI-backed Promise `.finally()` species bypass

Summary A sandbox escape vulnerability in vm2 allows arbitrary code execution in the host process when untrusted code is executed with async support on runtimes exposing WebAssembly JSPI WebAssembly.promising / WebAssembly.Suspending. In the tested configuration, a JSPI-backed Promise can reach...

9.8CVSS6.4AI score0.00507EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 5:50 p.m.18 views

vm2 has a CVE-2023-37903 patch bypass: nesting:true without explicit require still allows full RCE

Summary The fix for GHSA-8hg8-63c5-gwmx CVE-2023-37903 introduced a check in nodevm.js line 263 that blocks the combination nesting: true + require: false. However, the check uses strict equality options.require === false, which is trivially bypassed by omitting the require option entirely. When...

10CVSS6.3AI score0.0279EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 5:49 p.m.16 views

vm2's Bridge Proxy set trap ignores receiver parameter, enabling host object property injection via prototype chain

Summary The BaseHandler.set trap in bridge.js line 1231 ignores the receiver parameter and unconditionally writes to the host target object. Per the Proxy set trap specification, when receiver !== proxy e.g., when a child object inherits from the proxy via Object.create, the property assignment...

8.6CVSS6AI score0.00287EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 5:44 p.m.12 views

vm2 has a sandbox escape via unblocked cross-realm Symbol.for keys + missing bridge write-trap symbol checks

Summary vm2 3.11.2 Symbol.for override in setup-sandbox.js only intercepts 2 of 9 dangerous Node.js cross-realm symbols. Combined with the bridge's set/defineProperty/deleteProperty traps having no isDangerousCrossRealmSymbol key check, sandbox code can obtain real cross-realm symbols, write them...

8.7CVSS5.9AI score0.00266EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 5:40 p.m.63 views

vm2 is Vulnerable to Sandbox Breakout Through Promise Species

Summary VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. Details The localPromise constructor was changed to call this.thenundefined, eater to ensure a rejected promise i...

10CVSS6.5AI score0.0051EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 5:38 p.m.34 views

vm2 setup-sandbox.js violates Defense Invariant #11 in stack-trace formatter

Summary defaultSandboxPrepareStackTrace in lib/setup-sandbox.js lines 605, 607 appends to a fresh sandbox-realm lines = via lineslines.length = value. This is the exact invariant-violating pattern that GHSA-9qj6-qjgg-37qq commit ca195f0, 2026-05-01 just patched in neutralizeArraySpeciesBatch and...

5.8AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 5:33 p.m.21 views

vm2 has a Sandbox Escape issue

Summary By combining Buffer.call.call.lookupGetter, Buffer, "proto", Buffer.call.call.lookupSetter, Buffer, "proto", and Node.js's ERRINVALIDARGTYPE Error, the host's TypeError constructor can be obtained, which allows the escape from the sandbox. This allows attackers to run arbitrary code. PoC ...

10CVSS5.9AI score0.004EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 5:15 p.m.14 views

Nuxt's route middleware is not enforced when rendering `.server.vue` pages via `/__nuxt_island/page_*`

Summary When experimental.componentIslands is enabled default in Nuxt 4, any .server.vue file under pages/ is automatically registered as a server island under the key page and exposed via the /nuxtisland/:name endpoint. Until this fix, requests through that endpoint rendered the page component...

6.3CVSS5.9AI score0.0023EPSS
Exploits1References5Affected Software2
Github Security Blog
Github Security Blog
added 2026/05/29 4:56 p.m.14 views

Gotenberg has a Race Condition via Multipart `downloadFrom` Handling

Summary Gotenberg is vulnerable to a remote denial of service in multipart downloadFrom handling. A multipart request containing multiple downloadFrom entries causes concurrent goroutines to write to shared maps without synchronization. This can terminate the process with fatal error: concurrent...

5.9AI score0.00138EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 4:50 p.m.12 views

Gotenberg has an SSRF deny-list bypass in IsPublicIP via IPv6 6to4 / NAT64 / site-local prefixes

Summary IsPublicIP in pkg/gotenberg/outbound.go incorrectly classifies IPv6 6to4 / NAT64 / deprecated site-local addresses as public IPs, allowing an unauthenticated attacker to reach internal destinations e.g., cloud metadata services at 169.254.169.254 via a single crafted DNS AAAA record. This...

6.3CVSS5.9AI score0.00285EPSS
Exploits1References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 4:38 p.m.33 views

Gotenberg has path traversal in zip entry name via Windows-style separators in upload filename

Summary filepath.Base on the Linux container does not strip backslashes , because \ is only a path separator on Windows. A multipart filename like ........\Windows\System32\evil.pdf survives Gotenberg's input sanitisation and lands verbatim as the zip entry name when a multi-output route...

5.8AI score0.00032EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 4:7 p.m.14 views

axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge

Summary Axios versions before the fixed releases contain prototype-pollution gadgets in request config processing. If another vulnerability in the same JavaScript process has already polluted Object.prototype.transformResponse, affected Axios versions may treat that inherited value as request...

7CVSS6.1AI score0.00495EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 4:4 p.m.24 views

axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`

Vulnerability Disclosure: Full Man-in-the-Middle via Prototype Pollution Gadget in config.proxy Summary The Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into a full...

8.7CVSS5.8AI score0.01041EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 3:59 p.m.16 views

axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)

Summary shouldBypassProxy, introduced in v1.15.0 to fix CVE-2025-62718, does not normalise IPv4-mapped IPv6 addresses. When NOPROXY lists an IPv4 address such as 127.0.0.1 or 169.254.169.254, a request URL using the IPv4-mapped IPv6 form ::ffff:7f00:1, ::ffff:a9fe:a9fe still routes through the...

8.6CVSS7.3AI score0.00889EPSS
Exploits1References30Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 3:54 p.m.15 views

axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions

Summary axios 1.15.2 exposes two read-side prototype-pollution gadgets. When Object.prototype is polluted by an upstream dependency in the same process e.g. lodash .merge / CVE-2018-16487, axios silently picks up the polluted values: 1. Header injection - lib/utils.js line 406 builds merge's...

8.2CVSS5.8AI score0.00287EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 3:51 p.m.15 views

Axios has a Patch Bypass: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix

Patch Bypass Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix in Axios 1.15.2 Summary The Object.createnull fix introduced in Axios 1.15.2 GHSA-q8qp-cvcw-x6jj protects the top-level config object from prototype pollution. However, nested objects created...

5.3CVSS5.8AI score0.00228EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 3:45 p.m.15 views

Froxlor has an incomplete fix for CVE-2026-30932

Summary The LOC record regex uses \s+ which matches newlines allowing embedded newlines to pass, TLSA matchingType=0 has no upper bound on hex data length, and all validators return raw input without zone-file escaping. Affected Package - Ecosystem: Other - Package: froxlor - Affected versions: a...

8.8CVSS5.9AI score0.00544EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 3:40 p.m.15 views

Froxlor has privilege escalation in SSH key synchronization via symlinked `authorized_keys` path

Summary Froxlor 2.3.6 contains a symlink-following flaw in the root-owned SSH key synchronization path used for customer FTP users. The provisioning code appends public keys to /.ssh/authorizedkeys under a customer-controlled home directory without verifying that the target path is not a symbolic...

8.8CVSS6AI score0.00366EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 3:36 p.m.15 views

Froxlor has an authorization bypass in FTP shell assignment via missing server-side `available_shells` enforcement

Summary Froxlor 2.3.6 lets administrators configure system.availableshells as the approved shell list that customers may assign to FTP users. However, the server-side FTP account handlers do not enforce that whitelist when processing add or edit requests. As a result, an authenticated customer wi...

9.4CVSS5.9AI score0.00227EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 3:30 p.m.20 views

GitHub CLI has an incorrect authorization header in API requests to TUF repository mirrors via `gh attestation`, `gh release verify`, and `gh release verify-asset` commands

Summary GitHub CLI incorrectly includes an authorization header in API requests to TUF repository mirrors via gh attestation, gh release verify, and gh release verify-asset commands. Affected users: - Authenticated github.com users who previously ran gh attestation commands, gh release verify, or...

9.1CVSS5.9AI score0.00289EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 2:7 p.m.13 views

HaxCMS has a stored Cross-Site Scripting (XSS) bypass in its saveNode endpoint

Summary HaxCMS is affected by a stored cross-site scripting XSS vulnerability in the /system/api/saveNode endpoint. An authenticated user with a permission to edit pages can bypass the HTML sanitizer by injecting an event handler attribute without whitespace before the attribute name. For example...

8.7CVSS5.8AI score0.00228EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/29 12:38 a.m.6 views

OpenStack Neutron has an Incorrect Authorization issue

In OpenStack Neutron before 28.0.1, the tagging controller enforces plural policy action names on single-tag write operations while the defined policy rules use singular names. The mismatched names evaluate as allowed under the default policy, permitting a project reader to create and update tags...

5.3CVSS5.8AI score0.00295EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/28 10:46 p.m.15 views

tuf has platform-dependent delegation path matching

DelegatedRole.istargetinpathpattern uses fnmatch.fnmatch to decide whether a given target path is authorized by a delegation's glob pattern. Python's fnmatch.fnmatch calls os.path.normcase on both arguments before matching. On POSIX hosts normcase is the identity function; on Windows hosts os.pat...

5.8AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/28 10:39 p.m.21 views

Arcane Has an Authenticated Arbitrary Host File Read via Docker Compose Include Directives

Summary ProjectService.GetProjectFileContent returns the contents of any Docker Compose include directive declared in a project's compose file before any path-traversal validation runs. Because ProjectService.CreateProject writes attacker-supplied compose content to disk without validating includ...

7.7CVSS6AI score0.00307EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/28 10:29 p.m.14 views

Dulwich Vulnerable to Command Injection via Merge Driver Path

Summary Dulwich's ProcessMergeDriver substitutes the file path from the git tree, controllable by an attacker via a malicious branch into the merge driver command via the %P placeholder and executes it with subprocess.run..., shell=True. An attacker who can cause a victim to merge an untrusted...

7.7CVSS6.3AI score0.00555EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/28 10:28 p.m.27 views

Dulwich has an arbitrary file write via NTFS-hostile tree entries on Windows

Impact Arbitrary file write leading to remote code execution when cloning or checking out a malicious Git repository on Windows. Dulwich's path-element validator accepted tree entries whose filenames contained bytes that Windows interprets as structural path syntax: - \ — the Windows path...

9.8CVSS7.8AI score0.22427EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/28 9:32 p.m.2 views

OpenStack Keystone doesn't verify that the user supplied in the authentication request matches the owner of the application credential

An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone application credential authentication plugin does not verify that the user supplied in the authentication request matches the owner of the application credential. An attacker can authenticate with their own application...

8.8CVSS5.8AI score0.00303EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/28 9:32 p.m.2 views

OpenStack Keystone has an Authorization Bypass

An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone RBAC policy enforcer in enforcecall unconditionally merges the raw JSON request body into the policy enforcement dictionary via policydict.updatejsoninput.copy, overwriting trusted target data that was previously set from...

8.8CVSS5.9AI score0.00329EPSS
Exploits1References8Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/28 9:32 p.m.5 views

OpenStack Keystone has an Incorrect Authorization issue

An issue was discovered in OpenStack Keystone before 29.0.2. When combined with an application credential impersonation vulnerability, an attacker with the member role on a project can escalate to admin by chaining unrestricted application credentials with Keystone trusts. The impersonated token...

8.8CVSS5.8AI score0.00328EPSS
Exploits1References8Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/28 9:32 p.m.4 views

OpenStack Keystone's federated token rescoping mechanism doesn't propagate the original token's expiry to the newly issued token

An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone federated token rescoping mechanism does not propagate the original token's expiry to the newly issued token. When a federated user rescopes a token via POST /v3/auth/tokens, the handlescopedtoken function in the mapped...

8.1CVSS5.8AI score0.00249EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/28 8:47 p.m.12 views

Pimcore Platform - SQL Injection in DataObject composite index handling during class definition import/save

My name is Oscar Uribe, Security Researcher at Fluid Attacks. I am reaching out because we have identified a security vulnerability in Pimcore 12.3.3 that we would like to report to you so we can coordinate a responsible disclosure together. As part of our standard disclosure measures, we follow ...

7CVSS6.3AI score0.00346EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/28 8:33 p.m.16 views

FUXA provides guest and invalid-token access to protected read APIs in secure mode

Summary When secureEnabled=true, FUXA 1.3.0-2773 still allows guest and invalid-token requests to read project, alarms, and scheduler APIs. Details In secure mode, requests with no token or an explicitly invalid token were still able to access protected read endpoints. Confirmed behavior: - guest...

5.9AI score0.00089EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/28 8:2 p.m.10 views

Shamefile has an arbitrary file read via shamefile.yaml in shame next

Impact A path traversal vulnerability in shame next allows an attacker-controlled shamefile.yaml to disclose contents of files outside the repository, one line at a time, to the terminal of a user who runs the command. See patch commit for technical details. Patches Fixed in 0.1.7. Upgrade to...

5.8AI score0.00013EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/28 7:55 p.m.13 views

nono: Sandbox escape on Linux via D-Bus: `systemd-run --user`

Summary The nono Landlock/seccomp policies allow access to local Unix domain sockets concrete and abstract. This allows an easy sandbox escape by talking to the per-user systemd dbus socket. Threat scenario: Running Aider, Claude Code, OpenCode or similar tools with "allow bash" policy so that it...

6AI score0.00012EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/28 7:52 p.m.19 views

symfony/polyfill-intl-idn: xn-- labels with ASCII-only Punycode payloads are treated as equivalent to their decoded form

Description symfony/polyfill-intl-idn provides a userland implementation of idntoutf8 and idntoascii for runtimes that lack the intl extension. Its Idn::process method decodes labels prefixed with xn-- using Punycode but never enforces the validity criterion added in UTS 46 revision 33 Section 4...

5.9AI score0.00137EPSS
Exploits0References6Affected Software2
Github Security Blog
Github Security Blog
added 2026/05/28 7:18 p.m.19 views

local-deep-research has an SSRF bypass in `safe_get`

Summary The URL checking logic in local-deep-research has a logical flaw that could be bypassed by attackers, leading to SSRF attacks. Details The current project uses validateurl to validate the input URL. The main logic is to perform security checks on the host portion of the URL extracted by...

5CVSS5.9AI score0.00247EPSS
Exploits0References8Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/28 7:1 p.m.13 views

compliance-trestle Vulnerable to Remote Code Execution via Recursive Server-Side Template Injection (SSTI)

A High severity Server-Side Template Injection SSTI vulnerability exists in the trestle author jinja command. The command recursively evaluates rendered templates, allowing an attacker to achieve arbitrary command execution with privileges of the running process by injecting malicious payloads in...

6.2AI score0.00022EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/28 6:55 p.m.18 views

OpenBao's Kerberos Auth Method Accumulates Unaccessible Tokens

Impact In OpenBao's Kerberos auth method on the GET handler, or when an Authorization: Negotiate header is supplied, the response is includes a logical.Auth object in addition to an error message. This results in tokens being created with only the default policy, default TTL, and no entity...

5.8AI score0.00083EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/28 6:30 p.m.4 views

Casdoor: GetTokenExchangeToken bypass through lack of cross-organization JWT signature check

Casdoor versions 2.362.0 and earlier contain a vulnerability enabling cross-organization token exchange. The GetTokenExchangeToken function in object/tokenoauth.go validates JWT signatures but does not verify that the token's user belongs to the same organization as the target application. This c...

9.8CVSS6AI score0.0042EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/28 6:30 p.m.4 views

Casdoor doesn't enforce SAML assertion time bounds

Casdoor versions 2.362.0 and earlier do not enforce SAML assertion time bounds. The gosaml2 library reports all time-validation results, including NotOnOrAfter and NotBefore, in the assertionInfo.WarningInfo field. However, ParseSamlResponse never reads this field, meaning that time bounds are...

7.5CVSS5.8AI score0.0033EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/28 6:30 p.m.15 views

Casdoor does not validate the AudienceRestriction element in SAML assertions

In Casdoor versions 2.362.0 and earlier, the SAML service provider implementation does not validate the AudienceRestriction element in SAML assertions. The buildSp function in object/samlsp.go never sets AudienceURI on the gosaml2 SAMLServiceProvider struct and never inspects...

9.8CVSS5.8AI score0.00365EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/28 6:30 p.m.4 views

Casdoor has an authentication bypass

Casdoor versions 2.362.0 and earlier contain a vulnerability that allows an attacker to bypass authentication by supplying an arbitrary signing certificate. The buildSpCertificateStore function extracts the X.509 certificate directly from the incoming SAMLResponse instead of using the trusted...

9.1CVSS5.9AI score0.00201EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/28 6:30 p.m.7 views

Casdoor doesn't verify that a JWT used for token exchange is still active

Casdoor versions 2.362.0 and earlier do not verify that a JWT used for token exchange is still active. The GetTokenExchangeToken function in object/tokenoauth.go validates the JWT signature and parses its claims, but never queries the Token table to verify whether the subject token has been revok...

9.8CVSS5.7AI score0.00405EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/28 6:30 p.m.5 views

Casdoor SAML callback handler accepts any well-formed SAMLResponse sent to /api/acs without verifying that it corresponds to an AuthnRequest

In Casdoor versions 2.362.0 and earlier, the SAML callback handler in controllers/auth.go accepts any well-formed SAMLResponse sent to /api/acs without verifying that it corresponds to an AuthnRequest previously issued by Casdoor. Additionally, if an administrator disables or deletes an IdP...

9.1CVSS5.8AI score0.0023EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/28 6:30 p.m.5 views

Calico Inserts Sensitive Information into Log File

When calicoctl is invoked with --log-level=info or --log-level=debug, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embeds every credential calicoctl uses to talk to the cluster — inline kubeconfig with bearer token,...

7.2CVSS5.8AI score0.00224EPSS
Exploits0References9Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/28 6:30 p.m.4 views

Calico Inserts Sensitive Information into Log File

In Calico, the install-cni init container logs the rendered CNI configuration to standard output. When the configuration template uses the SERVICEACCOUNTTOKEN placeholder Canal/Flannel-Calico deployments, the installer substitutes the live Kubernetes ServiceAccount bearer token before logging,...

6.5CVSS5.8AI score0.00504EPSS
Exploits0References9Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/28 6:30 p.m.6 views

Casdoor allows users to bypass configured MFA requirements

Casdoor versions 2.362.0 and earlier contain a logic flaw in the social‑login binding flow that allows users to bypass configured MFA requirements. The binding‑rule code path in controllers/auth.go calls HandleLoggedIn directly without invoking checkMfaEnable. Any user authenticating via this pat...

5.3CVSS5.8AI score0.00322EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/28 6:30 p.m.5 views

Calico Inserts Sensitive Information into Log File

When Calico is configured with the Azure IPAM plugin, the Calico CNI binary mutates the incoming CNI configuration to attach subnet information before delegating to the IPAM plugin. After mutating, the Azure IPAM helper logs the entire unmarshaled configuration map stdinData at INFO level to...

6.5CVSS5.8AI score0.00323EPSS
Exploits0References9Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/28 6:27 p.m.16 views

compliance-trestle Vulnerable to SSRF in Remote Fetching Subsystem

A source code audit led to the discovery of three significant security vulnerabilities in the trestle/core/remote/cache.py module. Finding 1 Critical: SSRF CWE-918 The HTTPSFetcher.dofetch method passes a user-supplied URL directly to requests.get without validation. This allows an attacker to...

6AI score0.00012EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/28 6:8 p.m.25 views

OpenCTI: Privilege escalation via graphQL API is abusable by organization admins, due to incorrect ACL on userEdit relationAdd

Summary An organization admin can escalate their privileges by adding a user from a different organization with higher privileges, to their own organization. Impact Full platform access, access to sensitive or proprietary information...

7.2CVSS5.8AI score0.00316EPSS
Exploits0References4Affected Software1
Total number of security vulnerabilities33227