Lucene search
K
GithubRecent

33100 matches found

Github Security Blog
Github Security Blog
added last week14 views

Steeltoe vulnerable to management-port isolation bypass via spoofed Host header

Summary When Steeltoe management endpoints are configured to listen on an alternate port Management:Endpoints:Port is configured, the middleware responsible for restricting access to the endpoints uses the Host HTTP header rather than the actual network socket port. Impact An unauthenticated remo...

8.2CVSS6AI score0.00238EPSS
Exploits0References5Affected Software2
Github Security Blog
Github Security Blog
added last week13 views

SimpleSAMLphp has Possible DoS via XPath Transform

Summary This library turned out to be vulnerable to Denial-of-Service attacks using XPath transforms. A mitigation has been put in place to restrict the number of transforms and to restrict transforms to only the transform-algorithms mentioned in the SAML 2.0 Core Specifications and specifically...

5.7AI score
Exploits0References2Affected Software2
Github Security Blog
Github Security Blog
added last week10 views

Zebra Address Book Aborted by IPv4-Mapped Mempool Misbehavior Update

Am I affected You are affected if: 1. You run zebrad up to and including v4.4.1. 2. Your node listens on the default :: address on a Linux host the standard deployment configuration — net.ipv6.bindv6only=0 is the default on all common Linux distributions. 3. Your node is synced near the chain tip...

5.8AI score
Exploits0References2Affected Software2
Github Security Blog
Github Security Blog
added last week18 views

SimpleSAMLphp HTTP-Artifact TLS validator confusion allows cross-IdP authentication bypass

Summary SimpleSAMLphp's HTTP-Artifact receive path can treat an unsigned embedded SAML Response as cryptographically valid for the wrong IdP. In the HTTPArtifact::receive flow, the SOAP ArtifactResponse receives a TLS-based validator from SOAPClient::addSSLValidator. The embedded SAML Response th...

5.9AI score
Exploits0References2Affected Software2
Github Security Blog
Github Security Blog
added last week11 views

Linuxfabrik Monitoring Plugins: Sudoers may be able to obtain privilege escalation via /usr/bin/apt-get arguments

Summary In the Debian.sudoers file, apt-get is allowed for the nagios user. The full command including the arguments are not enforced and can therefore be choosen arbitrarily. This allows to easily get a root shell as the nagios user: PoC By choosing a particular argument, you can get as a nagios...

5.8AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added last week20 views

@asymmetric-effort/nogginlessdom vulnerable to ReDoS via user-controlled regex in HTMLInputElement pattern validation

Summary The HTMLInputElement.checkValidity method constructed a RegExp directly from the user-controlled pattern property without any sanitization or timeout protection. This allowed an attacker to inject a regex with catastrophic backtracking, freezing the event loop. Fix Fixed in commit...

5.8AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added last week9 views

@asymmetric-effort/nogginlessdom's Path Traversal in matchFileSnapshot allows arbitrary file write

Summary The matchFileSnapshot function in src/assertions/snapshots.ts accepted a filePath parameter with zero validation. When snapshot update mode was active UPDATESNAPSHOTS=1 or setUpdateMode'all', an attacker who controls test input could write arbitrary content to any filesystem path the...

6AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added last week18 views

9router: Missing Authorization and OS Command Injection

Unauthenticated RCE via /api/tunnel/tailscale-install Affected: 9router npm package — current master v0.4.39. Summary POST /api/tunnel/tailscale-install accepts a JSON body with a sudoPassword field and pipes it, followed by the body of https://tailscale.com/install.sh, into a child process spawn...

9.8CVSS5.9AI score0.01372EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added last week8 views

@nuxt/ui: UAuthForm / UForm SSR markup omits `method`, leaking credentials via GET if submitted before hydration

Summary UForm and UAuthForm render a server-side element with no method and no action attribute, relying on a hydrated @submit.prevent handler to intercept submission. If a user submits the form before Vue hydration has attached the handler autofill plus Enter on a slow network, JS bundle blocked...

5.8AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added last week12 views

jsonata: Malicious inputs to "$toMillis" function can cause resource exhaustion

Impact In JSONata = 2.2.0 via fixes that include https://github.com/jsonata-js/jsonata/pull/782 and https://github.com/jsonata-js/jsonata/pull/793. Applications that evaluate user-provided expressions should update ASAP to prevent exploitation. References...

5.7AI score
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added last week11 views

zebrad has unbounded memory leak in mempool download pipeline via timeout path cancel_handles retention

Am I affected You are affected if: 1. You run zebrad up to and including v4.4.1. 2. Your node accepts inbound P2P connections network.listenaddr is set, which is the default. 3. Your node's mempool is active node is synced near the chain tip. All default configurations are affected. Summary The...

5.7AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added last week9 views

zebrad has persistent on-disk corruption of Sapling/Orchard subtree roots after chain fork via pop_tip

Am I affected You are affected if: 1. You run zebrad up to and including v4.4.1. 2. Your node participates in a network where chain forks occur mainnet, testnet, or any network with multiple miners. All default configurations are affected. The corruption persists across restarts because it is...

5.8AI score
Exploits0References2Affected Software2
Github Security Blog
Github Security Blog
added last week10 views

Craft CMS Vulnerable to Unauthorized Deletion of Destination Folders During Forced Moves

We have identified an authorization issue in Craft CMS where a forced folder move can delete a conflicting destination folder without destination delete permission. Description Craft CMS’s craft\controllers\AssetsController::actionMoveFolder supports moving an asset folder into a destination...

7.1CVSS5.9AI score0.00207EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added last week9 views

Craft CMS's mass assignment via id in newAttributes during bulk duplicate overwrites existing elements

Summary There is a mass-assignment flaw in the bulk-duplicate element action. Alice, holding only the permission to duplicate an entry she owns, submits an arbitrary id through the newAttributes request parameter. The duplication routine overrides its own id = null reset with that value and write...

7.1CVSS5.9AI score0.00253EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added last week9 views

Mautic has Stored Cross-Site Scripting (XSS) in Project Option Selector

Summary A stored Cross-Site Scripting XSS vulnerability exists in the project selector component of Mautic 7. When rendering selection menus for associating projects with system entities, the application fails to sanitize project names returned via AJAX before injecting them into the DOM as optio...

5.4CVSS5.7AI score0.00133EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added last week10 views

Mautic has Stored Cross-Site Scripting (XSS) in Projects Component

Summary A stored Cross-Site Scripting XSS vulnerability exists in the Projects component of Mautic 7. When displaying project tags and popovers on administrative detail views such as campaigns, emails, or forms, user-supplied project names are rendered without proper sanitization. An authenticate...

7.6CVSS5.7AI score0.00164EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added last week8 views

Mautic has an Authorization Bypass in API v2 Endpoints

Summary An authorization bypass vulnerability exists in the Mautic 7 API v2 endpoints utilizing API Platform. Under certain conditions, roles configured with owner-scope restrictions such as viewown or editown are not properly enforced. This allows low-privilege authenticated API users to bypass...

7.1CVSS5.8AI score0.00201EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added last week14 views

Mautic vulnerable to Path Traversal via Campaign Import

Summary A path traversal vulnerability exists in the campaign import feature of Mautic 7. When extracting uploaded ZIP files during campaign imports, a flaw in the validation logic allows file paths to escape the intended temporary directories. Impact An authenticated user with campaign import...

9.9CVSS6.1AI score0.00583EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added last week11 views

Mautic has Server-Side Template Injection (SSTI) in Theme Templates

Summary A Server-Side Template Injection SSTI vulnerability exists in Mautic's theme engine. The platform renders uploaded Twig templates without a sandbox or strict function restrictions. Authenticated users with permissions to create or upload themes can abuse this to execute arbitrary code...

9.9CVSS6.1AI score0.00439EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added last week8 views

Mautic Focus component Vulnerable to SSRF

Summary A Server-Side Request Forgery SSRF vulnerability exists in the Mautic Focus component MauticFocusBundle. Under certain conditions, insufficiency in validating user-supplied URLs allows authenticated users to trigger outbound HTTP requests from the hosting server. Impact An authenticated...

6.4CVSS5.9AI score0.00138EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added last week9 views

Zebra: Repeated Non-Finalized Shielded Transaction Aborts Zebra Before Duplicate-Nullifier Rejection

Am I affected You are affected if: 1. You run zebrad up to and including v4.4.1. 2. Your node processes blocks past the checkpoint height non-finalized state is active. 3. The network has NU5 or later activated. All default configurations are affected. Summary Chain::push in the non-finalized sta...

5.7AI score
Exploits0References5Affected Software2
Github Security Blog
Github Security Blog
added last week7 views

Zebra: Finalized address balance credit-first overflow on consensus-valid blocks

Am I affected You are affected if: 1. You run zebrad up to and including v4.4.1. 2. Your node processes blocks on any Zcash network. Summary The finalized transparent address balance writer processes all newly-created outputs credits before processing spent outputs debits within the same block. A...

5.9AI score
Exploits0References2Affected Software2
Github Security Blog
Github Security Blog
added last week9 views

Zebra has sync restart poisoning from single unauthenticated peer via above-lookahead block

Am I affected You are affected if: 1. You run zebrad up to and including v4.4.1. 2. Your node accepts inbound P2P connections and is syncing or catching up to the chain tip. Summary A malicious peer can answer Zebra's outbound getblocks/FindBlocks request with a small two-hash inventory, then ser...

5.8AI score
Exploits0References2Affected Software2
Github Security Blog
Github Security Blog
added last week9 views

zebrad has consensus divergence via P2SH sigop undercount in pure-Rust disabled-opcode parser

Am I affected You are affected if: 1. You run any version of zebrad up to and including v4.4.1. 2. Your node validates blocks on mainnet, testnet, or any network where both Zebra and zcashd nodes participate. All default configurations are affected. No feature flags, non-default settings, or...

6AI score
Exploits0References5Affected Software2
Github Security Blog
Github Security Blog
added last week9 views

Zebra has block suppression via NU5 same-header body poisoning of sent-hash cache

Description Am I affected You are affected if: 1. You run any version of zebrad up to and including v4.4.1. 2. Your node accepts inbound P2P connections network.listenaddr is set, which is the default. 3. Your node processes blocks past the checkpoint height non-finalized state is active. All...

5.8AI score
Exploits0References4Affected Software2
Github Security Blog
Github Security Blog
added last week11 views

Zebra has pre-handshake buffer capacity reservation based on attacker-claimed body length

Am I affected You are affected if: 1. You run zebrad up to and including v4.4.1. 2. Your node accepts inbound P2P connections network.listenaddr is set, which is the default. Summary The P2P codec's Codec::decode method calls src.reservebodylen + HEADERLEN after parsing a 24-byte protocol header,...

6AI score
Exploits0References4Affected Software2
Github Security Blog
Github Security Blog
added last week10 views

zebrad has mempool transaction admission denial via single-peer inbound queue saturation

Am I affected You are affected if: 1. You run zebrad up to and including v4.4.1. 2. Your node accepts inbound P2P connections network.listenaddr is set, which is the default. 3. Your node's mempool is active node is synced near the chain tip. All default configurations are affected. Summary A...

5.7AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added last week7 views

zebrad vulnerable to full node denial of service via crafted Sapling receiver in z_listunifiedreceivers

Am I affected You are affected if: 1. You run zebrad up to and including v4.4.1. 2. Your zebrad.toml sets rpc.listenaddr to a TCP address RPC server is enabled. 3. An attacker can authenticate to the RPC endpoint. With the default enablecookieauth = true, this requires the attacker to read the...

5.8AI score
Exploits0References4Affected Software2
Github Security Blog
Github Security Blog
added last week10 views

Grackle: Fail-open authorization in the MCP tool layer lets scoped agents perform cross-task and cross-session mutations (IDOR)

Summary Authorization for scoped agent MCP callers is enforced inline, per tool, and is applied inconsistently — several mutating tools silently omit the ancestry/workspace check that their siblings perform. Because the MCP server authenticates all outbound gRPC with the full server API key and t...

6AI score
Exploits0References2Affected Software3
Github Security Blog
Github Security Blog
added last week7 views

zebrad vulnerable to getblocks/getheaders locator CPU amplification via uncapped vector length

Am I affected You are affected if: 1. You run zebrad up to and including v4.4.1. 2. Your node accepts inbound P2P connections. Summary The readgetblocks and readgetheaders codec paths accepted block locator vectors up to approximately 65,535 entries the generic TrustedPreallocate ceiling derived...

5.8AI score
Exploits0References4Affected Software2
Github Security Blog
Github Security Blog
added last week6 views

zebrad has full node denial of service via non-ASCII LongPollId in getblocktemplate

Am I affected You are affected if: 1. You run zebrad up to and including v4.4.1. 2. Your zebrad.toml sets rpc.listenaddr to a TCP address RPC server is enabled. 3. An attacker can authenticate to the RPC endpoint. With the default enablecookieauth = true, this requires the attacker to read the...

5.8AI score
Exploits0References3Affected Software2
Github Security Blog
Github Security Blog
added last week7 views

Mautic has SQL Injection in API Contact Filtering

Summary An SQL injection vulnerability exists in Mautic's API contact filtering mechanism. Due to insufficient recursive sanitization of nested query parameters, an authenticated API user can bypass input filtering and inject arbitrary SQL commands. Impact An authenticated user with API access ca...

7.1CVSS6.1AI score0.00224EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added last week9 views

Froxlor customer can create MySQL databases on disallowed servers via Mysqls.add API

Summary The Mysqls.add API command lib/Froxlor/Api/Commands/Mysqls.php accepts a customer-controlled mysqlserver parameter and only validates that the value is numeric and that the server index exists in userdata.inc.php. It never checks the value against the calling customer's allowedmysqlserver...

6.1AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added last week8 views

Froxlor: Authenticated customers can read other customers' allowed sender aliases

Summary An authenticated customer can read other customers' allowed sender aliases from Froxlor's sender-delete confirmation page when mail.enableallowsender is enabled. customeremail.php loads allowedsender by global auto-increment senderid alone, so a customer can enumerate foreign sender alias...

5.8AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added last week13 views

electerm has Command Injection in File System Operations (rmrf, mv, cp)

Impact A command injection vulnerability exists in electerm's file system operations rmrf, mv, cp in src/app/lib/fs.js. These functions construct shell commands by interpolating file paths directly into command strings without escaping shell metacharacters. Vulnerable functions: - rmrf - Uses rm...

6.2AI score0.00072EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added last week8 views

Dragonfly Manager OAuth provider client_secret disclosure via unauthenticated GET /api/v1/oauth

Summary The Dragonfly Manager exposes GET /api/v1/oauth and GET /api/v1/oauth/:id to unauthenticated clients. The response body deserializes the entire manager/models.Oauth struct, which includes the clientsecret field. Any network-reachable attacker can read the OAuth client secrets configured f...

9.8CVSS6AI score0.00713EPSS
Exploits1References2Affected Software1
Github Security Blog
Github Security Blog
added last week8 views

electerm has Path Traversal in Zmodem and Trzsz Download Filename Handling

Impact A path traversal vulnerability exists in the Zmodem and Trzsz file download handlers in electerm. When receiving files via Zmodem or Trzsz protocols, electerm uses the remote-supplied filename directly in path.join with the user-selected download directory without sanitization. A malicious...

6AI score0.00034EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added last week9 views

@conform-to/dom parseSubmission vulnerable to CPU exhaustion when parsing many unique form fields

A CPU exhaustion vulnerability exists in Conform's parseSubmission future API when parsing FormData or URLSearchParams submissions with many unique field names. The parser previously looked up values by field name, which could require repeated scans of the submitted entries and cause excessive...

5.8AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added last week8 views

Grackle has command/argument injection in the git worktree executor that enables RCE on provisioned hosts via an unsanitized task branch name (shell:true)

Summary The default git executor used for all worktree operations spawns git through a shell, and the untrusted task branch name flows into the command unsanitized. A caller able to reach the PowerLine SpawnSession RPC a malicious or compromised agent acting through the orchestration layer, or an...

5.8AI score
Exploits0References2Affected Software2
Github Security Blog
Github Security Blog
added last week9 views

joserfc: HS256/HS384/HS512 verify accepts empty/nil HMAC key (cross-language sibling of CVE-2026-45363)

Summary joserfc.jwt.decode accepts attacker-forged HMAC-signed tokens when the caller-supplied verification key is the empty string or None. HMACAlgorithm.sign and HMACAlgorithm.verify in src/joserfc/rfc7518/jwsalgs.py:62-70 feed whatever OctKey.getopkey... produced into hmac.new..., and...

5.9AI score0.00018EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added last week4 views

SFTPGo has stored XSS via inline parameter on public shares and user file download

Summary The inline query parameter on the browsable-share file download and on the authenticated user file download suppressed Content-Disposition: attachment, so an HTML file stored in a share or home directory could be served as text/html and execute in SFTPGo's web origin stored XSS. Impact Lo...

5.8AI score0.00028EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added last week6 views

SFTPGo has path confinement bypass in public browsable share partial ZIP download

Summary The public web-client endpoint for partial ZIP downloads of a browsable share did not correctly confine the client-supplied files entries to the shared directory. A requester able to reach a public share could read files located outside the shared directory, as long as the target's...

5.8AI score0.00057EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added last week5 views

@asymmetric-effort/specifyjs: CSS expression sanitization is bypassable in renderToString

Finding Location: core/src/server/render-to-string.ts:307-311 CSS value sanitization stripped expression and urljavascript: using simple regex, but could be bypassed with CSS unicode escapes \65xpression, null bytes, or CSS comments exp//ression. Mitigating Factor: These CSS injection vectors onl...

5.8AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added last week14 views

@asymmetric-effort/specifyjs: No redirect target validation in secureFetch

Finding Location: core/src/shared/secure-fetch.ts assertSecureUrl validated only the initial request URL. The fetch API follows redirects by default up to 20 hops. A request to a valid https:// URL could redirect to http://internal-service/ or other unvalidated destinations. Status Fixed in...

5.8AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added last week5 views

@asymmetric-effort/specifyjs: `data:` URI allowed without size restriction

Finding Location: core/src/shared/secure-fetch.ts:33-35 data: URIs were allowed without any restriction. While data: URIs don't make network requests, they can be used for memory exhaustion via very large data URIs. Status Fixed in v0.2.136 — data: URIs are now limited to 1MB. URIs exceeding this...

5.8AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added last week12 views

@asymmetric-effort/specifyjs: Localhost bypass incomplete (IPv6, 0.0.0.0, 127.x range)

Finding Location: core/src/shared/secure-fetch.ts:52-54 The localhost exception allowed localhost and 127.0.0.1 but did not cover 0.0.0.0, ::1 IPv6 localhost, or the full 127.0.0.0/8 loopback range. Status Fixed in v0.2.136 — Localhost detection now covers localhost, 127.0.0.1, ::1, 0.0.0.0, and...

5.8AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added last week4 views

@asymmetric-effort/specifyjs: Production console warnings may leak internal framework state

Finding Location: core/src/core/scheduler.ts:23, core/src/hooks/dispatcher.ts:100, core/src/client/graphql.ts:71 Several console.warn calls are not gated behind DEV and will fire in production builds, potentially exposing internal framework state such as queue sizes, component names, and query...

5.8AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added last week5 views

@asymmetric-effort/specifyjs: GraphQL gql tag allows metacharacter injection

Finding Location: core/src/client/graphql.ts:66-80 The gql template tag function warned about interpolated values containing GraphQL metacharacters : but still concatenated them into the query string, enabling potential GraphQL injection. Status Fixed in v0.2.136 — The gql function now throws an...

5.8AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added last week19 views

@asymmetric-effort/specifyjs: URL parse failure silently allows request

Finding Location: core/src/shared/secure-fetch.ts:42-45 When new URL throws a parse error, the assertSecureUrl function returned without throwing, silently allowing the request to proceed without HTTPS validation. Status Fixed in v0.2.136 — The catch block now throws an error instead of silently...

5.8AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added last week6 views

Craft CMS: Missing peer-permission check in `AssetsController::actionDeleteFolder` allows deletion of other users' assets

Summary AssetsController::actionDeleteFolder only requires the deleteAssets: permission for the target folder. It never enforces deletePeerAssets:, even though Assets::deleteFoldersByIds cascades deletion to every descendant folder and every asset inside, regardless of who uploaded them. A...

7.1CVSS6AI score0.00249EPSS
Exploits0References4Affected Software1
Total number of security vulnerabilities33100