Lucene search
K
GithubRecent

33227 matches found

Github Security Blog
Github Security Blog
added 2026/05/19 2:44 p.m.14 views

HAX CMS: Stored XSS via '<video-player>' component allows arbitrary JavaScript execution and token theft

Summary A stored cross-site scripting XSS vulnerability exists in HAX CMS due to improper sanitization of the component. The component allows javascript: URIs in the source attribute, which are executed when the page is viewed. This enables attackers to execute arbitrary JavaScript in the context...

9.3CVSS6AI score0.0023EPSS
Exploits0References3Affected Software2
Github Security Blog
Github Security Blog
added 2026/05/19 2:44 p.m.14 views

HAXcms createSite SSRF Enables Arbitrary File Read

Summary An authenticated Server-Side Request Forgery SSRF vulnerability in HAXcms allows users to fetch arbitrary internal or local resources and write the responses to a web-accessible directory, enabling arbitrary file read and internal network access. Details The createSite endpoint in HAXcms...

7.1CVSS5.9AI score0.00238EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/19 2:36 p.m.13 views

Algernon: Auto-refresh SSE event server binds to all interfaces with Access-Control-Allow-Origin: * and no authentication

Summary When auto-refresh is enabled, Algernon spins up an SSE handler that streams a data: line for every filesystem event under the watched directory. The handler performs no authentication of any kind — no shared token, no cookie check against the permissions2 userstate, no IP allow-list, no...

5.8AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/19 2:36 p.m.14 views

Algernon: handler.lua discovery walks parent directories above the server root

Summary When Algernon is asked for any URL path that resolves to a directory without an index file, DirPage walks upward through parent directories — past the configured server root — looking for a file named handler.lua to execute as the request handler. The loop terminates only after 100 ancest...

9CVSS6.5AI score0.00437EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/19 2:35 p.m.32 views

Algernon: Single-file mode unconditionally enables debug mode

Summary When Algernon is invoked with a single file path instead of a directory — the documented "quick demo" workflow algernon foo.lua, algernon page.po2, algernon index.html, algernon mywebsite.alg — singleFileMode is set to true and debugMode is forcibly enabled with no opt-out: go //...

7.5CVSS5.8AI score0.00303EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/19 2:35 p.m.26 views

Scriban: array.insert_at index parameter DoS bypasses LoopLimit and LimitToString

Summary ArrayFunctions.InsertAt in Scriban allocates index - list.Count null entries in a tight C for loop with no bound on index. The function is exposed to template authors as array.insertat, and the fill loop ignores every existing safety control: LoopLimit, LimitToString, ObjectRecursionLimit...

5.8AI score
Exploits0References2Affected Software2
Github Security Blog
Github Security Blog
added 2026/05/19 2:35 p.m.57 views

Malware in @opensearch-project/opensearch

Overview The OpenSearch Project has sustained a security incident involving an external actor gaining force-push permissions within the project's CI infrastructure to embed malicious packages into four release versions of @opensearch-project/opensearch. Users are instructed to immediately take...

5.8AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/19 2:34 p.m.15 views

Internationalized Domain Names in Applications (IDNA): Specially crafted inputs to idna.encode() can bypass CVE-2024-3651 fix

This is the same issue as CVE-2024-3651, however the original remediation in 2024 was not a complete fix. Payloads such as "\u0660" N or "\u30fb" N + "\u6f22" utilize the validcontexto function prior to length rejection, and for high values of N will take a long time to process. Impact A speciall...

6.9CVSS6.7AI score0.00408EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/19 12:31 p.m.10 views

Vaadin Build Plugins is Affected by a Possible Information Disclosure Vulnerability

A possible information disclosure vulnerability exists in the Vaadin Maven plugin and Vaadin Gradle plugin that exposes the full set of environment variables in build logs whenever the frontend build process exits with a non-zero status. Because the build environment may contain credentials...

5.8CVSS5.8AI score0.00117EPSS
Exploits0References4Affected Software3
Github Security Blog
Github Security Blog
added 2026/05/19 12:31 p.m.61 views

Keycloak: Session fixation in OIDC login flow that can lead to account takeover

A session fixation vulnerability was found in Keycloak's login-actions endpoints. An unauthenticated attacker could exploit this flaw by pre-creating an authentication session and tricking a victim into visiting a maliciously crafted link. By leveraging the /login-actions/restart endpoint—which...

7.5CVSS5.8AI score0.00418EPSS
Exploits0References11Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/19 12:31 p.m.9 views

Keycloak: Access token disclosure and implicit flow bypass via forged client data

A flaw was found in Keycloak. A low-privilege user, with knowledge of user credentials and client ID, can bypass a security control intended to disable the implicit flow in OpenID Connect OIDC clients. By manipulating client data during a session restart, an attacker can obtain an access token th...

7.1CVSS5.7AI score0.00344EPSS
Exploits0References10Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/19 12:31 p.m.21 views

Keycloak: Open redirect when using wildcard valid redirect URIs in Keycloak

A flaw was found in Keycloak's URL validation logic during redirect operations. By crafting a malicious request, an attacker could bypass validation to redirect users to unauthorized URLs, potentially leading to the exposure of sensitive information within the domain or facilitating further...

8.1CVSS5.7AI score0.005EPSS
Exploits0References11Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/19 12:31 p.m.13 views

Keycloak: Denial of Service via specially crafted SAML input

A flaw was found in Keycloak. A remote, unauthenticated attacker can send a specially crafted XML input to the Security Assertion Markup Language SAML endpoint. This malicious input can cause high CPU usage and worker thread starvation, leading to a Denial of Service DoS where the server becomes...

7.5CVSS5.8AI score0.00743EPSS
Exploits0References11Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/19 12:31 p.m.4 views

Keycloak Protection API allows authenticated clients to access and modify resources owned by other Resource Servers

Keycloak's Authorization Services feature exposes a User-Managed Access Protection API that include an Insecure Direct Object Reference IDOR vulnerability in the Authorization Services Protection API endpoint. By knowing or obtaining a resource's unique identifier UUID belonging to another Resour...

6.8CVSS5.8AI score0.00303EPSS
Exploits0References11Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/19 12:31 p.m.11 views

Keycloak: Unauthorized account takeover via WebAuthn token replay

A flaw was found in Keycloak. This authentication vulnerability allows a remote attacker to replay ExecuteActionsActionToken tokens within Keycloak's WebAuthn Web Authentication flow. By intercepting an execute-actions email link, an attacker can register their own authenticator to a victim's...

6.8CVSS5.8AI score0.0044EPSS
Exploits0References9Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/19 12:31 p.m.5 views

Keycloak Account Resources user lookup contains broken access control

Keycloak's Account Resources user lookup endpoint allows a remote authenticated user, who owns at least one User-Managed Access UMA resource, to enumerate and harvest personally identifiable information PII for all realm users. By sending crafted requests with arbitrary usernames or email values,...

4.3CVSS5.9AI score0.0037EPSS
Exploits0References10Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/19 12:31 p.m.10 views

Keycloak: Information disclosure via OIDC token introspection endpoint audience bypass

A flaw was found in Keycloak. This access control vulnerability in Keycloak's OpenID Connect OIDC token introspection endpoint allows a confidential client to bypass audience restrictions. An attacker-controlled client with valid credentials can retrieve sensitive token claims intended for other...

6.5CVSS5.7AI score0.00366EPSS
Exploits0References8Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/19 12:31 p.m.4 views

TYPO3 sf_register extension allows unauthorized assignment of frontend user groups

The create and edit flows in the TYPO3 extension sfregister do not restrict which user properties may be submitted, and do not enforce access control on the frontend user group assignment. As a result, an attacker can assign an arbitrary frontend user group to a newly registered or edited account...

6.9CVSS5.9AI score0.00352EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/19 12:31 p.m.6 views

TYPO3 Remote Code Execution in extension "Content Element Selector" (ceselector)

The TYPO3 "Content Element Selector" ceselector extension passes an attacker-controlled cookie directly to PHP's unserialize without safely processing the input. A remote, unauthenticated attacker can supply a crafted serialized payload to trigger PHP Object Injection, leading to Remote Code...

9.2CVSS5.9AI score0.02306EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/19 12:31 p.m.7 views

TYPO3 ke_search path traversal from arbitrary table configuration input

In TYPO3 faceted fulltext search kesearch, theadditionaltables configuration of the page and ttcontent indexers accept arbitrary table and field names. A backend user with permission to edit indexer configurations can copy sensitive data from internal TYPO3 tables into the search index. This has...

5.9CVSS5.9AI score0.00318EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/19 12:31 p.m.6 views

TYPO3 Remote Code Execution in extension "Site Crawler" (crawler)

The TYPO3 Crawler extension passes the X-T3Crawler-Meta response header from crawled URLs directly to PHP's unserialize. An attacker controlling a crawled endpoint can inject arbitrary serialized PHP objects, leading to Remote Code Execution on the TYPO3 server. Exploitation requires administrati...

7.1CVSS6.1AI score0.00389EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/19 12:31 p.m.11 views

georgringer/news has SQL Injection in extension "News system" (news)

The extension fails to properly sanitize user input before using it in a database query. As a result, an unauthenticated attacker can inject arbitrary SQL through a URL parameter on pages using the "Date Menu of news articles" plugin. Exploitation requires the "Date Menu of news articles" plugin ...

8.2CVSS5.7AI score0.00386EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/19 12:31 p.m.4 views

TYPO3 SQL Injection in extension "Address List" (tt_address)

In the TYPO3 extension ttaddress, the AddressRepository::getSqlQuery method constructs a database query without properly sanitizing user input, leading to SQL Injection. The method is not invoked anywhere within the extension itself and therefore poses no direct risk in a default installation...

8.2CVSS5.7AI score0.00327EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/19 12:31 p.m.14 views

Keycloak: Information Disclosure via evaluate-scopes Admin API

A flaw was found in Keycloak. A low-privilege administrator with the 'view-clients' role can exploit this by invoking the 'evaluate-scopes' Admin API endpoints with an arbitrary user ID userId parameter. This vulnerability allows for cross-role personally identifiable information PII leakage,...

4.9CVSS5.9AI score0.00398EPSS
Exploits0References8Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/19 12:31 p.m.6 views

TYPO3 ke_search path traversal due to lack of normalization on config directory from file indexer

In TYPO3 faceted fulltext search kesearch, the file indexer does not normalize the configured directory path. A backend user with permission to edit indexer configurations can index documents from arbitrary locations on the server file system through path traversal sequences. This has been patche...

5.9CVSS5.9AI score0.00404EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/19 12:31 p.m.6 views

TYPO3 ke_search XML External Entity Injection

In TYPO3 faceted fulltext search kesearch, the OOXML parsing of the file indexer does not disable external entity resolution. A crafted xlsx or pptx document placed in an indexed directory can cause local files to be read or outbound HTTP requests to be performed, with the retrieved content being...

5.9CVSS5.7AI score0.00301EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/19 12:31 p.m.15 views

MLflow: Improper Origin Validation in MLflow Assistant /ajax-api Endpoints Enables Browser-Mediated Local Command Execution

In MLflow version 3.9.0, the MLflow Assistant feature introduced improper origin validation in its /ajax-api endpoints. This vulnerability allows a remote attacker to exploit cross-origin requests from a malicious webpage to interact with the MLflow Assistant running on a victim's local machine. ...

9.6CVSS6.1AI score0.00371EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/19 9:31 a.m.10 views

Keycloak: Revoked Tokens Can Remain Active When Both Realm-Level and Client-Level `notBefore` Revocation Policies are Configured

A flaw was found in Keycloak. When both realm-level and client-level notBefore revocation policies are configured, Keycloak's OpenID Connect OIDC Introspection feature fails to properly honor the realm-level policy. This allows tokens that should have been revoked to remain active, potentially...

5.4CVSS5.8AI score0.00281EPSS
Exploits0References12Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/19 9:31 a.m.11 views

Keycloak: Policy bypass during WebAuthn credential registration via client-side JavaScript manipulation

A flaw was found in Keycloak. An authenticated user can bypass configured WebAuthn policies during credential registration by manipulating client-side JavaScript. This occurs because the server-side processAction fails to validate that the newly created credential's parameters, such as public key...

4.3CVSS5.7AI score0.00392EPSS
Exploits0References12Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/18 9:31 p.m.14 views

MLFlow Creates a Temporary File With Insecure Permissions

In mlflow/mlflow versions prior to 3.11.0, the getorcreatenfstmpdir function in mlflow/utils/fileutils.py creates temporary directories with world-writable permissions 0o777, and the createmodeldownloadingtmpdir function in mlflow/pyfunc/init.py creates directories with group-writable permissions...

7.8CVSS7.6AI score0.00193EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/18 9:31 p.m.11 views

Summarize's hover summary feature allows malicious pages to dispatch synthetic mouseover events over attacker-controlled links

Summarize prior to 0.15.0 contains a vulnerability in the hover summary feature that allows malicious pages to dispatch synthetic mouseover events over attacker-controlled links, causing the extension to make authenticated daemon requests using stored tokens without verifying event trustworthines...

7.4CVSS5.8AI score0.0033EPSS
Exploits1References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/18 9:31 p.m.11 views

Summarize contains a missing authorization vulnerability

Summarize prior to 0.15.0 contains a missing authorization vulnerability that allows attackers to execute browser automation actions without per-call user approval when the extension automation feature is enabled. Attackers can influence the agent through malicious page or summary content to invo...

5.4CVSS5.9AI score0.00227EPSS
Exploits1References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/18 9:31 p.m.10 views

Summarize contains a missing authorization vulnerability

Summarize prior to 0.15.0 contains a missing authorization vulnerability in the content script window.postMessage bridge that allows malicious pages to perform unauthorized operations on automation artifacts. Attackers can simulate runtime messages with spoofed sender identifiers to list, read,...

6.1CVSS5.8AI score0.00195EPSS
Exploits1References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/18 9:31 p.m.11 views

Summarize contains a path traversal vulnerability

Summarize prior to 0.15.0 contains a path traversal vulnerability in the /v1/summarize daemon endpoint that allows authenticated callers to write files to arbitrary directories by supplying an absolute path or directory traversal sequence in the slidesDir request parameter. Attackers can exploit...

7.1CVSS5.9AI score0.00396EPSS
Exploits1References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/18 8:37 p.m.17 views

ImageMagick: Heap Buffer Over-Write of a single byte in the JP2 encoder.

An incorrect check in the JP2 will result in an heap buffer over-write of a single byte when specifying certain options...

4CVSS5.9AI score0.00116EPSS
Exploits0References3Affected Software18
Github Security Blog
Github Security Blog
added 2026/05/18 8:37 p.m.29 views

ImageMagick: Stack overflow in fx operation

Due to a missing depth check a stack overflow can occur in the fx operation by passing a crafted argument...

6.2CVSS5.9AI score0.0012EPSS
Exploits0References3Affected Software18
Github Security Blog
Github Security Blog
added 2026/05/18 8:37 p.m.14 views

ImageMagick: Use-After-Free in MSL decoder.

A crafted MSL image can trigger a heap-use-after-free...

7.5CVSS5.8AI score0.00301EPSS
Exploits0References3Affected Software18
Github Security Blog
Github Security Blog
added 2026/05/18 8:37 p.m.16 views

ImageMagick: Infinite Loop in the MIFF decoder can lead to CPU exhaustion

Due to a missing check in the MIFF decoder a crafted file could cause an infinite loop resulting in CPU exhaustion...

7.5CVSS5.8AI score0.01849EPSS
Exploits4References3Affected Software18
Github Security Blog
Github Security Blog
added 2026/05/18 8:36 p.m.13 views

ImageMagick: Heap Buffer Over-Write in MIFF encoder when using LZMA compression

When using LZMA compression in the MIFF encoder an out of bounds write can occur due to a missing check...

5.5CVSS5.8AI score0.00111EPSS
Exploits0References3Affected Software18
Github Security Blog
Github Security Blog
added 2026/05/18 8:36 p.m.23 views

ImageMagick: Heap Buffer Over-Write in IPL decoder when reading multiple images of different dimensions

When reading multiple images with different dimensions an out of bounds heap write can occur...

7.5CVSS5.8AI score0.00441EPSS
Exploits0References3Affected Software18
Github Security Blog
Github Security Blog
added 2026/05/18 8:33 p.m.28 views

ImageMagick: Policy Bypass in MNG coder could

Because of a missing check in the MNG coder it would be possible to read more images than the list limit policy would allow resulting in excessive resource use...

7.5CVSS5.8AI score0.00441EPSS
Exploits0References3Affected Software18
Github Security Blog
Github Security Blog
added 2026/05/18 8:33 p.m.17 views

ImageMagick: Heap Buffer Over-Read of a 4 bytes in distort operation.

When performing a polynomial distortion an out of bounds over-read of 24 bytes can occur when specifying specific arguments...

5.1CVSS5.8AI score0.0012EPSS
Exploits0References3Affected Software18
Github Security Blog
Github Security Blog
added 2026/05/18 8:23 p.m.21 views

HAPI FHIR: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint

Summary All implementations of FHIRPathEngine accept arbitrary FHIRPath expressions and evaluate them without input validation. The FHIRPath functions matches, matchesFull, and replaceMatches pass user-controlled regular expressions directly to Java's Pattern.compile and String.replaceAll without...

6.1AI score0.00086EPSS
Exploits0References2Affected Software8
Github Security Blog
Github Security Blog
added 2026/05/18 8:22 p.m.13 views

NiceGUI: Unauthenticated log-volume denial of service in dynamic resource routes

Summary Two FastAPI routes that serve per-component static assets in NiceGUI accept a sub-path parameter that may resolve to a directory rather than a file. Requests that resolve to a directory raise an unhandled RuntimeError inside Starlette's FileResponse, which Uvicorn writes to the server log...

5.3CVSS6.1AI score0.00343EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/18 8:21 p.m.16 views

NiceGUI: Local file disclosure via Docutils file insertion in ui.restructured_text()

Summary ui.restructuredtext renders reStructuredText server-side with Docutils without disabling file insertion directives. When a NiceGUI application passes attacker-controlled content to ui.restructuredtext, an attacker can use standard Docutils directives include, csv-table with :file:, raw wi...

7.5CVSS5.9AI score0.00255EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/18 8:21 p.m.18 views

OpenTelemetry eBPF Instrumentation: Memcached payload length overflow can crash OBI

Summary A remotely reachable integer overflow in OBI's memcached text protocol parser can crash the OBI process and cause denial of service. When parsing memcached storage commands such as set, add, replace, append, prepend, or cas, OBI accepts extremely large values and adds the payload delimite...

7.5CVSS6.3AI score0.00354EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/18 8:20 p.m.13 views

OpenTelemetry eBPF Instrumentation: MongoDB parser panics on malformed wire messages

Summary Malformed MongoDB wire messages can trigger uncaught panics in the MongoDB TCP parser, allowing a remote unauthenticated attacker to crash the telemetry agent and cause a denial of service. The parser operates on raw attacker-controlled network payloads before the input is fully validated...

7.5CVSS6AI score0.00463EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/18 8:17 p.m.20 views

OpenTelemetry eBPF Instrumentation: Log enricher writev path can overread and overwrite user buffers

Summary OBI's log enricher mishandles writev buffers by reading only the first iovec entry but using the total ioviter.count as the copy length. When log injection is enabled, a crafted multi-segment writev call can make OBI read and overwrite memory beyond the first segment. Details In...

5.3CVSS5.9AI score0.00172EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/18 8:17 p.m.13 views

OpenTelemetry eBPF Instrumentation: CappedConcurrentHashMap leaks keys after removals

Summary The custom CappedConcurrentHashMap introduced for Java TLS state tracking never removes keys from its insertion-order queue when entries are deleted. In long-running instrumented JVMs, repeated connection churn can therefore grow the queue without bound and exhaust heap memory. Details Th...

5.5CVSS5.8AI score0.00161EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/18 8:12 p.m.16 views

OpenTelemetry eBPF Instrumentation: Java TLS ioctl kprobe allows kernel memory disclosure

Summary The Java TLS ioctl probe reads user-controlled ioctl pointers with bpfproberead instead of bpfprobereaduser. An instrumented local process can therefore point OBI at kernel memory and cause that memory to be copied into telemetry. Details The vulnerable path is in...

3.8CVSS5.8AI score0.00174EPSS
Exploits1References4Affected Software1
Total number of security vulnerabilities33227