Lucene search
K
GithubRecent

33227 matches found

Github Security Blog
Github Security Blog
added 2026/05/18 8:11 p.m.17 views

OpenTelemetry eBPF Instrumentation: CPU-mismatch fallback uses 256-byte buffer with 8KB size

Summary The per-CPU message-buffer fallback path uses a 256-byte backup buffer but preserves the original payload size, which can be up to 8KB. If a CPU mismatch occurs, OBI can read beyond the fallback buffer and leak adjacent memory into telemetry. Details...

5.9CVSS5.9AI score0.00287EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/18 8:11 p.m.17 views

OpenTelemetry eBPF Instrumentation: Unbounded BPF internal metrics replay can exhaust CPU

Summary OBI replays BPF probe hits into histogram observations by looping once per recorded run count. On busy systems, the run-count delta can become very large, causing the metrics exporter to spend excessive CPU time in a tight loop every collection interval. Details The vulnerable loop is in...

7.5CVSS5.8AI score0.00319EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/18 7:20 p.m.32 views

Microsoft Security Advisory CVE-2026-35433 – .NET Elevation of Privilege Vulnerability

Executive Summary: Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0, .NET 9.0, and .NET 10.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. Improper input validation i...

7.3CVSS5.7AI score0.00662EPSS
Exploits0References8Affected Software3
Github Security Blog
Github Security Blog
added 2026/05/18 7:10 p.m.16 views

Microsoft Security Advisory CVE-2026-42899 – ASP.NET Core Denial of Service Vulnerability

Executive Summary: Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0, .NET 9.0, and .NET 10.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. Loop with unreachable exit...

7.5CVSS5.7AI score0.0243EPSS
Exploits0References5Affected Software12
Github Security Blog
Github Security Blog
added 2026/05/18 7:8 p.m.20 views

Microsoft Security Advisory CVE-2026-32175 – .NET Core Tampering Vulnerability

Executive Summary: Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0, .NET 9.0, and .NET 10.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. A tampering vulnerability...

4.3CVSS5.8AI score0.00711EPSS
Exploits0References5Affected Software4
Github Security Blog
Github Security Blog
added 2026/05/18 7:2 p.m.36 views

ws: Uninitialized memory disclosure

Impact The websocket.close implementation is vulnerable to uninitialized memory disclosure when a TypedArray is passed as the reason argument. Proof of concept js import deepStrictEqual from 'node:assert'; import WebSocket, WebSocketServer from 'ws'; const wss = new WebSocketServer port: 0,...

7.5CVSS5.8AI score0.00745EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/18 7:1 p.m.13 views

AVideo: Authenticated Arbitrary File Read in view/update.php

Summary view/update.php reads $POST'updateFile' as a relative path under updatedb/ and passes it to PHP's file for line-by-line execution as part of a database migration. An authenticated administrator can abuse this to read arbitrary text files reachable from the web-server process — especially...

6.9CVSS6.1AI score0.00469EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/18 6:31 p.m.26 views

ChromaDB Python project has a pre-authentication code injection vulnerability

A pre-authentication, code injection vulnerability in version 1.0.0 or later of the ChromaDB Python project allows an unauthenticated attacker to run arbitrary code on the server by sending a malicious model repository and trustremotecode set to true in...

10CVSS6.1AI score0.12387EPSS
Exploits2References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/18 6:31 p.m.9 views

ngrok is Vulnerable to Command Injection

ngrok v4.3.3 and 5.0.0-beta.2 are vulnerable to Command Injection...

8.8CVSS5.8AI score0.00981EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/18 5:56 p.m.21 views

OpenTelemetry eBPF Instrumentation: Postgres BIND parsing can panic on malformed payloads

Summary The Postgres protocol parser assumes BIND message payloads contain a valid NUL-terminated portal name. A crafted empty or unterminated payload can make OBI slice beyond the end of the captured buffer and panic. Details The vulnerable logic is in pkg/ebpf/common/sqldetectpostgres.go. In th...

7.5CVSS6AI score0.00342EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/18 5:56 p.m.32 views

OpenTelemetry eBPF Instrumentation: Redis error text is exported in span status messages

Summary OBI exports raw Redis error text as the span status message. Because Redis error replies can contain attacker-controlled or sensitive values, this behavior can exfiltrate tokens, PII, or other confidential input into telemetry backends and inject untrusted text into downstream analysis...

6.5CVSS5.9AI score0.00212EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/18 5:56 p.m.23 views

OpenTelemetry eBPF Instrumentation: Unsafe fastelf parsing allows malformed ELF to crash agent

Summary OBI's replacement ELF parser trusts section offsets, counts, and string offsets from the executable file. A crafted local ELF can make OBI dereference invalid section pointers or slice past string tables, causing the agent to panic while determining the process language. Details...

5.5CVSS5.9AI score0.00162EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/18 5:55 p.m.17 views

Broken dropper in @mistralai/mistralai, @mistralai/mistralai-azure, @mistralai/mistralai-gcp

Mistral npm @mistralai/mistralai, @mistralai/mistralai-azure, @mistralai/mistralai-gcp were compromised by a supply chain attack related to the TanStack security incident. An automated worm associated with the attack led to compromised npm package versions being published. Current investigation...

5.8AI score
Exploits0References2Affected Software3
Github Security Blog
Github Security Blog
added 2026/05/18 5:55 p.m.101 views

Malicious dropper in mistralai 2.4.6 PyPI package

The mistralai PyPI package version 2.4.6 contains a malicious dropper that executes on import on Linux. No v2.4.6 tag, commit, or release workflow run exists in this repository, the legitimate latest version before the upload was 2.4.5, and the upload bypassed this repository's normal release...

6AI score
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/18 5:53 p.m.16 views

ImageMagick: Policy Bypass in PSD decoder

Due to a missing check in the PSD decoder it would be possible to bypass the list-length resource policy when decoding a PSD image. Other security limits would still apply...

7.5CVSS5.8AI score0.00495EPSS
Exploits0References3Affected Software18
Github Security Blog
Github Security Blog
added 2026/05/18 5:53 p.m.31 views

Postgrex: Channel-name SQL injection in `Postgrex.Notifications.listen/3`

Summary SQL injection in Postgrex.Notifications.listen/3: the channel argument is interpolated straight into LISTEN "..." / UNLISTEN "..." without escaping the " character. Any caller that lets a user influence the channel name e.g. a pub/sub bridge that uses a tenant id or topic slug as the...

7.8CVSS6.1AI score0.00198EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/18 5:53 p.m.22 views

Docker: Race condition in docker cp allows bind mount redirection to host path

Summary A race condition during docker cp mount setup allows a malicious container to redirect a bind mount target to an arbitrary host path, potentially overwriting host files or causing denial of service. Details When copying files into a container, the daemon sets up a temporary filesystem vie...

7.2CVSS6AI score0.00104EPSS
Exploits0References3Affected Software3
Github Security Blog
Github Security Blog
added 2026/05/18 5:52 p.m.24 views

Docker: Race condition in docker cp allows creation of arbitrary empty files on the host via symlink swap

Summary A race condition during docker cp mount setup allows a malicious container to create empty files or directories at arbitrary absolute paths on the host filesystem. This advisory covers the race during mountpoint creation. The related race during the subsequent mount syscall is tracked in...

6.1CVSS5.9AI score0.00108EPSS
Exploits0References3Affected Software3
Github Security Blog
Github Security Blog
added 2026/05/18 5:50 p.m.16 views

CloakBrowser: Unauthenticated path traversal via fingerprint parameter in cloakserve leads to arbitrary directory deletion

The cloakserve CDP multiplexer uses the user-supplied fingerprint query parameter directly as a filesystem path component when creating Chrome profile directories. An unauthenticated attacker who can reach the cloakserve port can supply a crafted fingerprint value containing path traversal...

8.8CVSS5.9AI score0.00475EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/18 5:48 p.m.18 views

ImageMagick: Out-of-Bounds Read of a single byte in meta encoder

An of by one in the meta encoder could result in an out of bounds read of a single byte in the meta encoder...

5.3CVSS5.8AI score0.0024EPSS
Exploits0References3Affected Software18
Github Security Blog
Github Security Blog
added 2026/05/18 5:48 p.m.33 views

ImageMagick: Out-of-Bounds Read in connected components when the user supplies an invalid keep-top define

An invalid connected-components:keep-top value could result in a heap buffer over-read when performing the connected components operation...

7.1CVSS5.9AI score0.00122EPSS
Exploits0References3Affected Software18
Github Security Blog
Github Security Blog
added 2026/05/18 5:47 p.m.19 views

Budibase: CouchDB Reduce Injection via Unsanitized Calculation Parameter in V1 Views API

Security Advisory: CouchDB Reduce Injection via Unsanitized Calculation Parameter in V1 Views API Affected Software: Budibase Affected Component: packages/server/src/api/controllers/view/viewBuilder.ts, packages/server/src/api/routes/view.ts CWE: CWE-94 Improper Control of Generation of Code...

6.5CVSS6AI score0.00263EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/18 5:47 p.m.24 views

Docker: `PUT /containers/{id}/archive` executes container binary on the host

Summary When a user uploads a compressed archive into a container, a malicious image can execute arbitrary code with daemon host root privileges. Details When handling PUT /containers/id/archive requests with compressed archives, the daemon decompresses them using external system binaries. Due to...

7.5CVSS6.4AI score0.00153EPSS
Exploits0References3Affected Software3
Github Security Blog
Github Security Blog
added 2026/05/18 5:44 p.m.19 views

Budibase: Row Action Trigger Bypasses View Row Filter Security Boundary Allowing Action on Out-of-Scope Rows

Summary The row action trigger endpoint POST /api/tables/:sourceId/actions/:actionId/trigger fails to validate that the user-supplied rowId is within the scope of the view's row filters. A user with access to a filtered view can trigger row actions on any row in the underlying table, including ro...

5.4CVSS5.9AI score0.00146EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/18 5:42 p.m.30 views

Budibase: Builder-to-Admin Privilege Escalation via onboardUsers Endpoint Without SMTP Configuration

Summary The POST /api/global/users/onboard endpoint is protected by workspaceBuilderOrAdmin middleware, allowing any user with builder permissions to access it. When SMTP email is not configured the default for self-hosted Budibase instances, this endpoint bypasses the admin-restricted invite flo...

8.8CVSS6AI score0.00261EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/18 5:41 p.m.16 views

n8n-MCP: Multi-tenant MCP requests fall back to process-level n8n credentials when tenant headers are absent or incomplete

Summary When ENABLEMULTITENANT=true, the HTTP transport documents that the target n8n instance is selected per-request from x-n8n-url / x-n8n-key headers. Requests that omitted those headers — or supplied only one of them — silently fell back to the process-level N8NAPIURL / N8NAPIKEY credentials...

8.1CVSS6.6AI score0.00235EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/18 5:40 p.m.20 views

multiparty vulnerable to ReDoS via filename parsing

Impact [email protected] and lower versions are vulnerable to denial of service via regular expression backtracking in the Content-Disposition filename parameter parser. A multipart upload with a long header value containing !filename="1 repeated can cause regex matching to take seconds, blocking...

7.5CVSS5.8AI score0.00335EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/18 5:35 p.m.35 views

multiparty vulnerable to Denial of Service via Uncaught Exception in filename* parameter parsing

Impact [email protected] and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a Content-Disposition: filename=utf-8'' header containing a malformed percent-encoding e.g., %FF, %GG, the parser invokes decodeURI on the value...

7.5CVSS5.8AI score0.00279EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/18 5:35 p.m.15 views

multiparty: Denial of Service via Prototype Pollution leads to Uncaught Exception

Impact [email protected] and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a field name that collides with an inherited Object.prototype property e.g., proto, constructor, toString, the parser invokes .push on the inherited...

7.5CVSS5.8AI score0.00473EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/18 5:34 p.m.18 views

Sulu: Used API Keys may be available via Admin API

Impact The users endpoint controller exposes a project's apiKey field to the logged-in user, provided they have permission for that endpoint. This only has impact if a project itself uses that specific field, Sulu itself does nothing with it and has no authentication per apiKey in its core. Patch...

5.8AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/18 5:27 p.m.18 views

Sulu: Weak Cryptographical usage for API Key generation and Reset Tokens

Impact The password reset tokenand API key generation uses a weak cryptographical hash algorithm. Patches Fixed in 2.6.23 and 3.0.6 version. Workarounds Patch the related User.php and ResettingController.php file in the SecurityBundle...

6.9CVSS5.8AI score0.00193EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/18 5:24 p.m.48 views

ruby-jwt: Empty-key HMAC bypass; cross-language sibling of CVE-2026-44351

JWT.decodetoken, '', true, algorithm: 'HS256' accepts an attacker-forged token. OpenSSL::HMAC.digest'SHA256', '', payload returns a valid digest under an empty key, and no raise InvalidKeyError if key.empty? precondition exists in the HMAC algorithm. JWT.decodetoken, "", true, algorithm: 'HS256' ...

9.1CVSS5.7AI score0.00236EPSS
Exploits0References8Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/18 5:23 p.m.15 views

Formie: Pre-authenticated server-side template injection in Hidden fields

Impact - Unauthenticated users could submit crafted values into Hidden fields with Default value → Custom that were evaluated as Twig during submission handling, which could lead to serious compromise of the Craft site depending on template/sandbox behavior. - Sites with public Formie forms that...

9.8CVSS5.7AI score0.00475EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/18 5:20 p.m.18 views

TinyIce: Missing authentication on WebRTC ingest endpoint allows unauthorized stream injection

Title Missing authentication on WebRTC ingest endpoint allows unauthenticated stream injection in TinyIce Ecosystem / Package - Ecosystem: Go or "Other" — TinyIce is shipped as a Go binary, not a Go module published to a registry - Package name: github.com/DatanoiseTV/tinyice Affected versions =...

8.2CVSS5.9AI score0.00357EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/18 5:7 p.m.13 views

@tmlmobilidade/utils has prototype pollution in its setValueAtPath

Impact Prototype pollution vulnerability in @tmlmobilidade/utils for setValueAtPath. Patches A fix is available in versions 20260509.0340.15 and up...

5.8AI score0.00055EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/18 5:0 p.m.20 views

LibreNMS: Cross-Site Scripting in ShowConfigController

Summary A Stored Cross-Site Scripting XSS vulnerability exists in the ShowConfig page of devices affected by the RANCID Integration settings. The application fails to properly sanitise the rancidrepourl configuration value. When a user navigates to a device's configuration page, this unsanitised...

4.8CVSS6.2AI score0.00225EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/18 5:0 p.m.13 views

dynoxide: DNS rebinding and cross-origin CSRF via MCP HTTP transport

Summary dynoxide's MCP HTTP transport was vulnerable to DNS rebinding via its transitive rmcp dependency, plus a related cross-origin CSRF gap. A malicious web page could make the user's browser send requests to a local dynoxide mcp --http or dynoxide serve --mcp server with a non-loopback Host...

8.8CVSS5.8AI score0.00213EPSS
Exploits0References4Affected Software2
Github Security Blog
Github Security Blog
added 2026/05/18 4:43 p.m.13 views

parse-nested-form-data has Prototype Pollution via `__proto__` in FormData field names

Summary parseFormData walks bracket and dot-notation FormData field names into nested objects without filtering reserved property keys. A single FormData field whose name begins with proto, or contains .proto. mid-path, causes the parser to traverse onto Object.prototype and assign properties...

8.2CVSS5.9AI score0.00315EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/18 4:42 p.m.19 views

async-http-client: Cookie header not stripped on cross-origin redirect

Summary async-http-client leaks Cookie headers to cross-origin redirect targets. When following a redirect across a security boundary different origin, or HTTPS→HTTP downgrade, the propagatedHeaders method in Redirect30xInterceptor.java strips Authorization and Proxy-Authorization headers but doe...

7.4CVSS5.8AI score0.00322EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/18 4:41 p.m.21 views

Dozzle: Pre-auth SSRF with response-body reflection via POST /api/notifications/test-webhook (default no-auth deploy)

Summary In a default dozzle deploy the documented quickstart, no DOZZLEAUTHPROVIDER set, POST /api/notifications/test-webhook is reachable without authentication and forwards an attacker-controlled URL into a WebhookDispatcher that: - Sends an HTTP POST to the supplied URL with attacker-controlle...

8.6CVSS5.8AI score0.01491EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/18 4:37 p.m.24 views

shopper/framework: Race condition on Discount.usage_limit allows silent over-redemption

Impact CreateOrderFromCartAction::execute previously created the Order row before checking and incrementing the discount's totaluse counter. Under concurrent checkout pressure Black Friday, flash sale, viral coupon, the global usagelimit was silently exceeded: orders were committed with the...

5.9CVSS5.8AI score0.00239EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/18 4:34 p.m.24 views

shopper/framework: Authorization bypass in multiple Livewire admin components

Impact Multiple Livewire components in the admin panel allowed an authenticated low-privilege user to mutate data without the required permission: - Order detail Filament actions cancel, mark paid, mark complete, capture payment, archive, start processing were callable with readorders only and di...

8.1CVSS5.8AI score0.00258EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/18 4:33 p.m.16 views

iskorotkov/avro: CPU Exhaustion in Decoder

CPU Exhaustion in Avro Decoder via Unbounded Block-Count Iteration Summary The Avro array and map decoders looped over an attacker-controlled block-count value without checking the underlying reader's error state inside the loop body. Reader.ReadBlockHeader returns the count as a Go int, which is...

8.7CVSS7.2AI score0.00378EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/18 4:23 p.m.16 views

CI4MS: Stored XSS in Pages Module Content via Broken html_purify Validation Rule

Summary The Pages backend module registers the htmlpurify validation rule on language-keyed page content but persists the raw, un-purified POST value into the database. The public renderer for pages Home::index → app/Views/templates/default/pages.php emits $pageInfo-content without esc, yielding...

6.1AI score0.00062EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/18 4:22 p.m.20 views

iskorotkov/avro: Integer Overflow in Decoder

Integer Overflow in Avro Decoder Summary Several Avro decoder paths read attacker-controlled 64-bit values from the wire format and either narrowed them to platform-sized int before bounds-checking, or summed them with overflow-prone signed-int arithmetic. On 32-bit targets GOARCH=386, arm, mips,...

8.7CVSS7.2AI score0.00397EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/18 4:22 p.m.25 views

brace-expansion: Large numeric range defeats documented `max` DoS protection

The max option was being applied too late: When expanding a single large numeric range like 1..10000000, the sequence generation loop generates all 10 million intermediate elements before the max limit is applied With max=10, the output is correctly limited to 10 items, but the process still...

7.5CVSS5.8AI score0.00278EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/18 4:21 p.m.16 views

CI4MS Fileeditor allows deletion and rename of critical application files due to missing extension allowlist on destructive operations

Summary The Fileeditor module enforces an extension allowlist 'css','js','html','txt','json','sql','md' on content-write operations saveFile, createFile, but two destructive endpoints — deleteFileOrFolder and renameFile — never validate the extension of the source path. A backend user with...

6AI score0.00037EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/18 3:39 p.m.16 views

CI4MS: Stored XSS in Blog Content via Broken `html_purify` Validation Rule

Summary The custom htmlpurify validation rule used to sanitize blog post bodies relies on by-reference mutation ?string &$str, but CodeIgniter 4's validator passes a local copy of the value, so the sanitized text is silently discarded. The Blog controller writes $lanData'content' directly into...

5.7AI score0.00029EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/18 3:38 p.m.16 views

Microsoft DirectX12: .spritefont multiply overflow only in 32-bit builds

Impact The spritefont reader can be induced to perform a 32-bit overflow multiply that could in theory result in a RCE. This impacts the use of the DirectX Tool Kit SpriteFont class file loading ctor if given untrusted data files. Note this only applies to x86/ARM builds of the library. ARM64 and...

5.8AI score
Exploits0References4Affected Software2
Github Security Blog
Github Security Blog
added 2026/05/18 3:38 p.m.27 views

Microsoft DirectX: .spritefont multiply overflow only in 32-bit builds

Impact The spritefont reader can be induced to perform a 32-bit overflow multiply that could in theory result in a RCE. This impacts the use of the DirectX Tool Kit SpriteFont class file loading ctor if given untrusted data files. Note this only applies to x86/ARM builds of the library. ARM64 and...

5.8AI score
Exploits0References4Affected Software2
Total number of security vulnerabilities33227