33100 matches found
Steeltoe vulnerable to management-port isolation bypass via spoofed Host header
Summary When Steeltoe management endpoints are configured to listen on an alternate port Management:Endpoints:Port is configured, the middleware responsible for restricting access to the endpoints uses the Host HTTP header rather than the actual network socket port. Impact An unauthenticated remo...
SimpleSAMLphp has Possible DoS via XPath Transform
Summary This library turned out to be vulnerable to Denial-of-Service attacks using XPath transforms. A mitigation has been put in place to restrict the number of transforms and to restrict transforms to only the transform-algorithms mentioned in the SAML 2.0 Core Specifications and specifically...
Zebra Address Book Aborted by IPv4-Mapped Mempool Misbehavior Update
Am I affected You are affected if: 1. You run zebrad up to and including v4.4.1. 2. Your node listens on the default :: address on a Linux host the standard deployment configuration — net.ipv6.bindv6only=0 is the default on all common Linux distributions. 3. Your node is synced near the chain tip...
SimpleSAMLphp HTTP-Artifact TLS validator confusion allows cross-IdP authentication bypass
Summary SimpleSAMLphp's HTTP-Artifact receive path can treat an unsigned embedded SAML Response as cryptographically valid for the wrong IdP. In the HTTPArtifact::receive flow, the SOAP ArtifactResponse receives a TLS-based validator from SOAPClient::addSSLValidator. The embedded SAML Response th...
Linuxfabrik Monitoring Plugins: Sudoers may be able to obtain privilege escalation via /usr/bin/apt-get arguments
Summary In the Debian.sudoers file, apt-get is allowed for the nagios user. The full command including the arguments are not enforced and can therefore be choosen arbitrarily. This allows to easily get a root shell as the nagios user: PoC By choosing a particular argument, you can get as a nagios...
@asymmetric-effort/nogginlessdom vulnerable to ReDoS via user-controlled regex in HTMLInputElement pattern validation
Summary The HTMLInputElement.checkValidity method constructed a RegExp directly from the user-controlled pattern property without any sanitization or timeout protection. This allowed an attacker to inject a regex with catastrophic backtracking, freezing the event loop. Fix Fixed in commit...
@asymmetric-effort/nogginlessdom's Path Traversal in matchFileSnapshot allows arbitrary file write
Summary The matchFileSnapshot function in src/assertions/snapshots.ts accepted a filePath parameter with zero validation. When snapshot update mode was active UPDATESNAPSHOTS=1 or setUpdateMode'all', an attacker who controls test input could write arbitrary content to any filesystem path the...
9router: Missing Authorization and OS Command Injection
Unauthenticated RCE via /api/tunnel/tailscale-install Affected: 9router npm package — current master v0.4.39. Summary POST /api/tunnel/tailscale-install accepts a JSON body with a sudoPassword field and pipes it, followed by the body of https://tailscale.com/install.sh, into a child process spawn...
@nuxt/ui: UAuthForm / UForm SSR markup omits `method`, leaking credentials via GET if submitted before hydration
Summary UForm and UAuthForm render a server-side element with no method and no action attribute, relying on a hydrated @submit.prevent handler to intercept submission. If a user submits the form before Vue hydration has attached the handler autofill plus Enter on a slow network, JS bundle blocked...
jsonata: Malicious inputs to "$toMillis" function can cause resource exhaustion
Impact In JSONata = 2.2.0 via fixes that include https://github.com/jsonata-js/jsonata/pull/782 and https://github.com/jsonata-js/jsonata/pull/793. Applications that evaluate user-provided expressions should update ASAP to prevent exploitation. References...
zebrad has unbounded memory leak in mempool download pipeline via timeout path cancel_handles retention
Am I affected You are affected if: 1. You run zebrad up to and including v4.4.1. 2. Your node accepts inbound P2P connections network.listenaddr is set, which is the default. 3. Your node's mempool is active node is synced near the chain tip. All default configurations are affected. Summary The...
zebrad has persistent on-disk corruption of Sapling/Orchard subtree roots after chain fork via pop_tip
Am I affected You are affected if: 1. You run zebrad up to and including v4.4.1. 2. Your node participates in a network where chain forks occur mainnet, testnet, or any network with multiple miners. All default configurations are affected. The corruption persists across restarts because it is...
Craft CMS Vulnerable to Unauthorized Deletion of Destination Folders During Forced Moves
We have identified an authorization issue in Craft CMS where a forced folder move can delete a conflicting destination folder without destination delete permission. Description Craft CMS’s craft\controllers\AssetsController::actionMoveFolder supports moving an asset folder into a destination...
Craft CMS's mass assignment via id in newAttributes during bulk duplicate overwrites existing elements
Summary There is a mass-assignment flaw in the bulk-duplicate element action. Alice, holding only the permission to duplicate an entry she owns, submits an arbitrary id through the newAttributes request parameter. The duplication routine overrides its own id = null reset with that value and write...
Mautic has Stored Cross-Site Scripting (XSS) in Project Option Selector
Summary A stored Cross-Site Scripting XSS vulnerability exists in the project selector component of Mautic 7. When rendering selection menus for associating projects with system entities, the application fails to sanitize project names returned via AJAX before injecting them into the DOM as optio...
Mautic has Stored Cross-Site Scripting (XSS) in Projects Component
Summary A stored Cross-Site Scripting XSS vulnerability exists in the Projects component of Mautic 7. When displaying project tags and popovers on administrative detail views such as campaigns, emails, or forms, user-supplied project names are rendered without proper sanitization. An authenticate...
Mautic has an Authorization Bypass in API v2 Endpoints
Summary An authorization bypass vulnerability exists in the Mautic 7 API v2 endpoints utilizing API Platform. Under certain conditions, roles configured with owner-scope restrictions such as viewown or editown are not properly enforced. This allows low-privilege authenticated API users to bypass...
Mautic vulnerable to Path Traversal via Campaign Import
Summary A path traversal vulnerability exists in the campaign import feature of Mautic 7. When extracting uploaded ZIP files during campaign imports, a flaw in the validation logic allows file paths to escape the intended temporary directories. Impact An authenticated user with campaign import...
Mautic has Server-Side Template Injection (SSTI) in Theme Templates
Summary A Server-Side Template Injection SSTI vulnerability exists in Mautic's theme engine. The platform renders uploaded Twig templates without a sandbox or strict function restrictions. Authenticated users with permissions to create or upload themes can abuse this to execute arbitrary code...
Mautic Focus component Vulnerable to SSRF
Summary A Server-Side Request Forgery SSRF vulnerability exists in the Mautic Focus component MauticFocusBundle. Under certain conditions, insufficiency in validating user-supplied URLs allows authenticated users to trigger outbound HTTP requests from the hosting server. Impact An authenticated...
Zebra: Repeated Non-Finalized Shielded Transaction Aborts Zebra Before Duplicate-Nullifier Rejection
Am I affected You are affected if: 1. You run zebrad up to and including v4.4.1. 2. Your node processes blocks past the checkpoint height non-finalized state is active. 3. The network has NU5 or later activated. All default configurations are affected. Summary Chain::push in the non-finalized sta...
Zebra: Finalized address balance credit-first overflow on consensus-valid blocks
Am I affected You are affected if: 1. You run zebrad up to and including v4.4.1. 2. Your node processes blocks on any Zcash network. Summary The finalized transparent address balance writer processes all newly-created outputs credits before processing spent outputs debits within the same block. A...
Zebra has sync restart poisoning from single unauthenticated peer via above-lookahead block
Am I affected You are affected if: 1. You run zebrad up to and including v4.4.1. 2. Your node accepts inbound P2P connections and is syncing or catching up to the chain tip. Summary A malicious peer can answer Zebra's outbound getblocks/FindBlocks request with a small two-hash inventory, then ser...
zebrad has consensus divergence via P2SH sigop undercount in pure-Rust disabled-opcode parser
Am I affected You are affected if: 1. You run any version of zebrad up to and including v4.4.1. 2. Your node validates blocks on mainnet, testnet, or any network where both Zebra and zcashd nodes participate. All default configurations are affected. No feature flags, non-default settings, or...
Zebra has block suppression via NU5 same-header body poisoning of sent-hash cache
Description Am I affected You are affected if: 1. You run any version of zebrad up to and including v4.4.1. 2. Your node accepts inbound P2P connections network.listenaddr is set, which is the default. 3. Your node processes blocks past the checkpoint height non-finalized state is active. All...
Zebra has pre-handshake buffer capacity reservation based on attacker-claimed body length
Am I affected You are affected if: 1. You run zebrad up to and including v4.4.1. 2. Your node accepts inbound P2P connections network.listenaddr is set, which is the default. Summary The P2P codec's Codec::decode method calls src.reservebodylen + HEADERLEN after parsing a 24-byte protocol header,...
zebrad has mempool transaction admission denial via single-peer inbound queue saturation
Am I affected You are affected if: 1. You run zebrad up to and including v4.4.1. 2. Your node accepts inbound P2P connections network.listenaddr is set, which is the default. 3. Your node's mempool is active node is synced near the chain tip. All default configurations are affected. Summary A...
zebrad vulnerable to full node denial of service via crafted Sapling receiver in z_listunifiedreceivers
Am I affected You are affected if: 1. You run zebrad up to and including v4.4.1. 2. Your zebrad.toml sets rpc.listenaddr to a TCP address RPC server is enabled. 3. An attacker can authenticate to the RPC endpoint. With the default enablecookieauth = true, this requires the attacker to read the...
Grackle: Fail-open authorization in the MCP tool layer lets scoped agents perform cross-task and cross-session mutations (IDOR)
Summary Authorization for scoped agent MCP callers is enforced inline, per tool, and is applied inconsistently — several mutating tools silently omit the ancestry/workspace check that their siblings perform. Because the MCP server authenticates all outbound gRPC with the full server API key and t...
zebrad vulnerable to getblocks/getheaders locator CPU amplification via uncapped vector length
Am I affected You are affected if: 1. You run zebrad up to and including v4.4.1. 2. Your node accepts inbound P2P connections. Summary The readgetblocks and readgetheaders codec paths accepted block locator vectors up to approximately 65,535 entries the generic TrustedPreallocate ceiling derived...
zebrad has full node denial of service via non-ASCII LongPollId in getblocktemplate
Am I affected You are affected if: 1. You run zebrad up to and including v4.4.1. 2. Your zebrad.toml sets rpc.listenaddr to a TCP address RPC server is enabled. 3. An attacker can authenticate to the RPC endpoint. With the default enablecookieauth = true, this requires the attacker to read the...
Mautic has SQL Injection in API Contact Filtering
Summary An SQL injection vulnerability exists in Mautic's API contact filtering mechanism. Due to insufficient recursive sanitization of nested query parameters, an authenticated API user can bypass input filtering and inject arbitrary SQL commands. Impact An authenticated user with API access ca...
Froxlor customer can create MySQL databases on disallowed servers via Mysqls.add API
Summary The Mysqls.add API command lib/Froxlor/Api/Commands/Mysqls.php accepts a customer-controlled mysqlserver parameter and only validates that the value is numeric and that the server index exists in userdata.inc.php. It never checks the value against the calling customer's allowedmysqlserver...
Froxlor: Authenticated customers can read other customers' allowed sender aliases
Summary An authenticated customer can read other customers' allowed sender aliases from Froxlor's sender-delete confirmation page when mail.enableallowsender is enabled. customeremail.php loads allowedsender by global auto-increment senderid alone, so a customer can enumerate foreign sender alias...
electerm has Command Injection in File System Operations (rmrf, mv, cp)
Impact A command injection vulnerability exists in electerm's file system operations rmrf, mv, cp in src/app/lib/fs.js. These functions construct shell commands by interpolating file paths directly into command strings without escaping shell metacharacters. Vulnerable functions: - rmrf - Uses rm...
Dragonfly Manager OAuth provider client_secret disclosure via unauthenticated GET /api/v1/oauth
Summary The Dragonfly Manager exposes GET /api/v1/oauth and GET /api/v1/oauth/:id to unauthenticated clients. The response body deserializes the entire manager/models.Oauth struct, which includes the clientsecret field. Any network-reachable attacker can read the OAuth client secrets configured f...
electerm has Path Traversal in Zmodem and Trzsz Download Filename Handling
Impact A path traversal vulnerability exists in the Zmodem and Trzsz file download handlers in electerm. When receiving files via Zmodem or Trzsz protocols, electerm uses the remote-supplied filename directly in path.join with the user-selected download directory without sanitization. A malicious...
@conform-to/dom parseSubmission vulnerable to CPU exhaustion when parsing many unique form fields
A CPU exhaustion vulnerability exists in Conform's parseSubmission future API when parsing FormData or URLSearchParams submissions with many unique field names. The parser previously looked up values by field name, which could require repeated scans of the submitted entries and cause excessive...
Grackle has command/argument injection in the git worktree executor that enables RCE on provisioned hosts via an unsanitized task branch name (shell:true)
Summary The default git executor used for all worktree operations spawns git through a shell, and the untrusted task branch name flows into the command unsanitized. A caller able to reach the PowerLine SpawnSession RPC a malicious or compromised agent acting through the orchestration layer, or an...
joserfc: HS256/HS384/HS512 verify accepts empty/nil HMAC key (cross-language sibling of CVE-2026-45363)
Summary joserfc.jwt.decode accepts attacker-forged HMAC-signed tokens when the caller-supplied verification key is the empty string or None. HMACAlgorithm.sign and HMACAlgorithm.verify in src/joserfc/rfc7518/jwsalgs.py:62-70 feed whatever OctKey.getopkey... produced into hmac.new..., and...
SFTPGo has stored XSS via inline parameter on public shares and user file download
Summary The inline query parameter on the browsable-share file download and on the authenticated user file download suppressed Content-Disposition: attachment, so an HTML file stored in a share or home directory could be served as text/html and execute in SFTPGo's web origin stored XSS. Impact Lo...
SFTPGo has path confinement bypass in public browsable share partial ZIP download
Summary The public web-client endpoint for partial ZIP downloads of a browsable share did not correctly confine the client-supplied files entries to the shared directory. A requester able to reach a public share could read files located outside the shared directory, as long as the target's...
@asymmetric-effort/specifyjs: CSS expression sanitization is bypassable in renderToString
Finding Location: core/src/server/render-to-string.ts:307-311 CSS value sanitization stripped expression and urljavascript: using simple regex, but could be bypassed with CSS unicode escapes \65xpression, null bytes, or CSS comments exp//ression. Mitigating Factor: These CSS injection vectors onl...
@asymmetric-effort/specifyjs: No redirect target validation in secureFetch
Finding Location: core/src/shared/secure-fetch.ts assertSecureUrl validated only the initial request URL. The fetch API follows redirects by default up to 20 hops. A request to a valid https:// URL could redirect to http://internal-service/ or other unvalidated destinations. Status Fixed in...
@asymmetric-effort/specifyjs: `data:` URI allowed without size restriction
Finding Location: core/src/shared/secure-fetch.ts:33-35 data: URIs were allowed without any restriction. While data: URIs don't make network requests, they can be used for memory exhaustion via very large data URIs. Status Fixed in v0.2.136 — data: URIs are now limited to 1MB. URIs exceeding this...
@asymmetric-effort/specifyjs: Localhost bypass incomplete (IPv6, 0.0.0.0, 127.x range)
Finding Location: core/src/shared/secure-fetch.ts:52-54 The localhost exception allowed localhost and 127.0.0.1 but did not cover 0.0.0.0, ::1 IPv6 localhost, or the full 127.0.0.0/8 loopback range. Status Fixed in v0.2.136 — Localhost detection now covers localhost, 127.0.0.1, ::1, 0.0.0.0, and...
@asymmetric-effort/specifyjs: Production console warnings may leak internal framework state
Finding Location: core/src/core/scheduler.ts:23, core/src/hooks/dispatcher.ts:100, core/src/client/graphql.ts:71 Several console.warn calls are not gated behind DEV and will fire in production builds, potentially exposing internal framework state such as queue sizes, component names, and query...
@asymmetric-effort/specifyjs: GraphQL gql tag allows metacharacter injection
Finding Location: core/src/client/graphql.ts:66-80 The gql template tag function warned about interpolated values containing GraphQL metacharacters : but still concatenated them into the query string, enabling potential GraphQL injection. Status Fixed in v0.2.136 — The gql function now throws an...
@asymmetric-effort/specifyjs: URL parse failure silently allows request
Finding Location: core/src/shared/secure-fetch.ts:42-45 When new URL throws a parse error, the assertSecureUrl function returned without throwing, silently allowing the request to proceed without HTTPS validation. Status Fixed in v0.2.136 — The catch block now throws an error instead of silently...
Craft CMS: Missing peer-permission check in `AssetsController::actionDeleteFolder` allows deletion of other users' assets
Summary AssetsController::actionDeleteFolder only requires the deleteAssets: permission for the target folder. It never enforces deletePeerAssets:, even though Assets::deleteFoldersByIds cascades deletion to every descendant folder and every asset inside, regardless of who uploaded them. A...