Lucene search
K
GithubRecent

33254 matches found

Github Security Blog
Github Security Blog
added 2026/05/11 9:30 a.m.19 views

Apache Airflow Providers OpenSearch: OpenSearch task-log handler leaks credentials embedded in the host URL

The OpenSearch logging provider, when configured with a host URL that embeds credentials for example https://user:[email protected]:9200, wrote the full host URL — including the embedded credentials — into task logs. Any user with task-log read permission could harvest the backend...

6.5CVSS5.8AI score0.0041EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/11 6:31 a.m.19 views

bettercap Has an Integer Coercion Error in modules/mysql_server/mysql_server.go

A flaw has been found in bettercap up to 2.41.5. Affected by this issue is some unknown functionality of the file modules/mysqlserver/mysqlserver.go of the component MySQL Server. Executing a manipulation can lead to integer coercion error. The attack can be launched remotely. The attack requires...

6.3CVSS4.9AI score0.00389EPSS
Exploits0References11Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/11 6:31 a.m.11 views

bettercap Has an Integer Coercion Error in the ippReadChunkedBody Function

A vulnerability was detected in bettercap up to 2.41.5. Affected by this vulnerability is the function ippReadChunkedBody of the file modules/zerogod/zerogodippprimitives.go of the component zerogod IPP Service. Performing a manipulation results in integer coercion error. The attack can be...

6.3CVSS5.1AI score0.00523EPSS
Exploits0References11Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/10 3:31 p.m.9 views

Sentry: Superusers can execute arbitrary commands by injecting malicious pickle-serialized objects through audit log entry data parameter

Sentry 8.2.0 contains a remote code execution vulnerability that allows authenticated superusers to execute arbitrary commands by injecting malicious pickle-serialized objects through the audit log entry data parameter. Attackers can submit crafted POST requests to the admin audit log endpoint wi...

8.8CVSS6.7AI score0.00927EPSS
Exploits1References8Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/10 12:33 a.m.18 views

OSGeo gdal has a heap-based buffer overflow

A flaw has been found in OSGeo gdal up to 3.13.0dev-4. Affected by this vulnerability is the function SWSDfldsrch of the file frmts/hdf4/hdf-eos/SWapi.c. Executing a manipulation can lead to heap-based buffer overflow. The attack requires local access. The exploit has been published and may be...

5.5CVSS5.8AI score0.00205EPSS
Exploits1References11Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/09 3:31 a.m.12 views

Spring AI's MilvusVectorStore#doDelete(List) implementation is vulnerable to filter-expression injection via unsanitized document IDs

Spring AI's MilvusVectorStoredoDeleteList implementation is vulnerable to filter-expression injection via unsanitized document IDs. Spring AI 1.0.x: affected from 1.0.0 through latest 1.0.x; upgrade to 1.0.7 or greater. Spring AI 1.1.x: affected from 1.1.0 through latest 1.1.x; upgrade to 1.1.6 o...

8.6CVSS5.8AI score0.00353EPSS
Exploits0References4Affected Software2
Github Security Blog
Github Security Blog
added 2026/05/09 12:46 a.m.14 views

Hono has CSS Declaration Injection via Style Object Values in JSX SSR

Summary The JSX renderer escapes style attribute object values for HTML but not for CSS. Untrusted input in a style object value or property name can therefore inject additional CSS declarations into the rendered style attribute. The impact is limited to CSS and does not allow JavaScript executio...

4.3CVSS6AI score0.00197EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/09 12:45 a.m.31 views

Hono has improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()

Summary Improper validation of the JWT NumericDate claims exp, nbf, and iat in hono/utils/jwt allows tokens with non-spec-compliant claim values to silently bypass time-based checks. This issue is not exploitable by an anonymous attacker; it only manifests when a malformed claim value reaches...

3.8CVSS5.8AI score0.00216EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/09 12:42 a.m.11 views

@profullstack/mcp-server vulnerable to OS Command Injection in domain_lookup Module

Security Advisory: OS Command Injection in profullstack/mcp-server domainlookup Module Field | Value -- | -- Project | profullstack/mcp-server Repository | https://github.com/profullstack/mcp-server Affected Commit | 2e8ea913573610667ad54e31dba2e8198ebf7cf9 Affected Module | mcpmodules/domainlook...

6.7AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/09 12:40 a.m.9 views

Velocity.js has a Prototype Pollution vulnerability through #set path assignment

Summary A prototype pollution vulnerability was discovered in Velocity.js key = val. Because there is no validation or filtering to block sensitive keys such as \proto\, constructor, or prototype, an attacker can traverse the prototype chain and pollute the global Object.prototype. PoC javascript...

9.8CVSS5.8AI score0.00505EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/09 12:38 a.m.11 views

Vert.x has a DoS via unbounded server-side SNI SslContext cache growth

Potential unbounded server-side SNI SslContext cache growth in Vert.x TLS handling, with = resource-exhaustion / DoS impact. On affected versions, matching server-side SNI names are cached via computeIfAbsentserverName, ... in a serverName-keyed SslContext cache. The implementation differs slight...

6.9CVSS5.8AI score0.00238EPSS
Exploits1References8Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/09 12:28 a.m.15 views

Hono's Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage

Summary Cache Middleware does not skip caching for responses that declare per-user variance via Vary: Authorization or Vary: Cookie. As a result, a response cached for one authenticated user may be served to subsequent requests from different users. Details The Cache Middleware skips caching when...

5.3CVSS5.8AI score0.00197EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/09 12:13 a.m.13 views

Mistune Heading ID Attribute has Injection XSS

Summary HTMLRenderer.heading builds the opening tag by string-concatenating the id attribute value directly into the HTML — with no call to escape, safeentity, or any other sanitisation function. A double-quote character " in the id value terminates the attribute, allowing an attacker to inject...

6.1CVSS6AI score0.00228EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/09 12:10 a.m.13 views

@yoda.digital/gitlab-mcp-server's SSE transport has no authentication and wildcard CORS, exposing all 86 GitLab tools

SSE Transport Has No Authentication and Wildcard CORS, Exposing All 86 GitLab Tools Including Destructive Operations A review of mcp-gitlab-server at commit 80a7b4cf3fba6b55389c0ef491a48190f7c8996a uncovered that the SSE HTTP transport — advertised in the README and comparison table as a...

9.2CVSS6AI score0.00392EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/09 12:2 a.m.29 views

smallbitvec: Integer overflow in safe API leads to heap buffer overflow

Summary An integer overflow in the internal capacity calculation of smallbitvec can lead to an undersized heap allocation, resulting in a heap buffer overflow through safe APIs only. This allows memory corruption without requiring unsafe code from the caller. Details The issue originates from...

7.3CVSS6AI score0.00151EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/08 11:50 p.m.12 views

SharpCompress has directory traversal via directory entries in WriteToDirectory (zip slip variant)

Summary A path traversal vulnerability in IArchive.WriteToDirectory allows a malicious archive to create directories outside the intended extraction root. For TAR archives, this can be escalated to arbitrary file writes by chaining with a symlink entry, giving a full write primitive on the target...

6.5CVSS6AI score0.00313EPSS
Exploits1References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/08 11:47 p.m.12 views

epa4all-client has a VAU Signature bypass

Impact In SignedPublicKeysTrustValidatorImpl.isTrusted, the ECDSA signature verification at line 45 discards the boolean return value of Signature.verify. The method performs certificate chain validation, OCSP check, and signature algorithm setup, but never checks whether the signature actually...

8.1CVSS5.8AI score0.00121EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/08 11:43 p.m.18 views

Mistune has XSS via unescaped figclass/figwidth in Figure directive

In src/mistune/directives/image.py, the renderfigure function concatenates figclass and figwidth options directly into HTML attributes without escaping lines 152-168. This allows attribute injection and XSS even when HTMLRendererescape=True is used, because these values bypass the inline renderer...

6.1CVSS5.8AI score0.00198EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/08 11:40 p.m.19 views

Mistune Math Plugin has an XSS Escape Bypass

Summary The mistune math plugin renders inline math $...$ and block math $$...$$ by concatenating the raw user-supplied content directly into the HTML output without any HTML escaping. This occurs even when the parser is explicitly created with escape=True, which is supposed to guarantee that all...

6.1CVSS5.9AI score0.00228EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/08 11:33 p.m.23 views

view_component: System Test Entry Point Path Check Allows Sibling Directory Escape

Summary The system test entrypoint canonicalizes a user-controlled file path with File.realpath, then checks whether the resolved path starts with the temp directory path. This is not a safe containment check because sibling directories can share the same string prefix. Severity: Medium; test-rou...

7.5CVSS5.8AI score0.00412EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/08 11:33 p.m.10 views

view_component: Preview Route Can Dispatch Inherited Helper Methods

Summary The preview route derives an example name from the URL and calls it with publicsend. The code does not verify that the requested method is one of the preview examples explicitly defined by the preview class. As a result, inherited public methods on ViewComponent::Preview are...

6.5CVSS5.9AI score0.00343EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/08 11:25 p.m.21 views

Snipe-IT has an open redirect vulnerability

Open redirect vulnerability in Snipe-IT allows attackers to redirect users to malicious sites via unvalidated HTTP Referer header stored in session variable. Impact - Phishing: Redirect users to fake login pages to steal credentials - Session Hijacking: Redirect to attacker site that captures...

7.1CVSS5.8AI score0.00163EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/08 11:19 p.m.12 views

GitPython: Newline injection in config_writer() section parameter bypasses CVE-2026-42215 patch, enabling RCE via core.hooksPath

Summary The patch for CVE-2026-42215 GitPython 3.1.49 validates newlines only in the value parameter of setvalue. The section and option parameters are passed to configparser without any newline validation. An attacker who controls the section argument can inject \n to write arbitrary section...

8.8CVSS5.9AI score0.00719EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/08 11:12 p.m.14 views

eml_parser has recursion DoS via nested message/rfc822 attachments

Summary EmlParser.getrawbodytext recurses unconditionally for every nested message/rfc822 attachment without any depth limit. An attacker who can supply a badly crafted EML file with approximately 120 nested message/rfc822 parts triggers an unhandled RecursionError and aborts parsing of the...

6.3CVSS6AI score0.00395EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/08 11:7 p.m.11 views

LangChain vulnerable to unsafe deserialization of attacker-controlled objects through overly broad `load()` allowlists

LangChain contains older runtime code paths that deserialize run inputs, run outputs, or other application-controlled payloads using overly broad object allowlists. These paths may call load with allowedobjects="all". This does not enable arbitrary Python object deserialization, but it does allow...

8.2CVSS6AI score0.00406EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/08 11:6 p.m.11 views

Phpseclib needs guardrails on large binaryfield integers

Impact Anyone loading untrusted ASN1 files eg. X509 certificates, RSA PKCS8 private or public keys, etc Patches https://github.com/phpseclib/phpseclib/commit/964d78101a70305df33f442f5490f0adb3b7e77f Workarounds No. References...

7.5CVSS7.1AI score0.00762EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/08 11:4 p.m.8 views

Snipe-IT has insecure permissions in file uploads

Insecure Permissions vulnerability in grokability snipe-it versions through 8.4.0, fixed after 2026-03-10 commit 676a9958, allow a remote attacker to execute arbitrary code via the app/Http/Controllers/Api/UploadedFilesController.php component Impact Users who can view assets, consumables, etc we...

9.8CVSS6.2AI score0.00475EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/08 11:2 p.m.13 views

free5GC's NEF nnef-pfdmanagement API is unauthenticated; forged bearer tokens can read PFD data and create/delete PFD subscriptions

Summary free5GC's NEF mounts the nnef-pfdmanagement route group without inbound OAuth2/bearer-token authorization. A network attacker who can reach NEF on the SBI can use a forged or arbitrary bearer token e.g. Authorization: Bearer not-a-real-token to read PFD application data via GET...

10CVSS6AI score0.00287EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/08 11:2 p.m.13 views

free5GC's SMF UPI management interface lacks auth middleware; unauthenticated topology read/write requests reach handlers

Summary free5GC's SMF mounts the UPI management route group without OAuth2/bearer-token authorization middleware. A network attacker who can reach SMF on the SBI can hit UPI endpoints with no Authorization header at all, and the requests reach the SMF business handlers. In the running Docker lab...

10CVSS5.8AI score0.00331EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/08 11:1 p.m.9 views

free5GC's SMF UPI DELETE /upi/v1/upNodesLinks/{ref} panics on AN-node deletion via nil UPF dereference; unauthenticated, state-mutating

Summary free5GC's SMF mounts the UPI management route group without inbound OAuth2 middleware same root cause as the broader UPI auth gap reported in free5gc/free5gc887. On top of that, the DELETE /upi/v1/upNodesLinks/upNodeRef handler unconditionally dereferences upNode.UPF after the type-guarde...

8.2CVSS6AI score0.00324EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/08 10:59 p.m.12 views

free5GC's NEF nnef-oam route group is unauthenticated; no-token requests reach the OAM handler

Summary free5GC's NEF mounts the nnef-oam route group without inbound OAuth2/bearer-token authorization. A network attacker who can reach NEF on the SBI can hit the OAM route with no Authorization header at all and the handler returns 200 OK. The current OAM handler is a stub that returns null, b...

10CVSS5.8AI score0.00311EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/08 10:58 p.m.13 views

free5GC's NEF 3gpp-traffic-influence API is unauthenticated; missing or forged bearer tokens can create, read, patch, and delete subscriptions

Summary free5GC's NEF mounts the 3gpp-traffic-influence API without inbound OAuth2/bearer-token authorization. A network attacker who can reach NEF on the SBI can create, read, patch, and delete traffic-influence subscriptions either with no Authorization header at all, or with a forged bearer...

9.4CVSS5.8AI score0.00311EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/08 10:56 p.m.15 views

free5GC NRF: type-confusion panic in POST /oauth2/token structured-form parser via Reflect.Set on incompatible types

Summary free5GC's NRF root SBI endpoint POST /oauth2/token contains a parser-level type-confusion bug family. The handler in NFs/nrf/internal/sbi/apiaccesstoken.go reflects over models.NrfAccessTokenAccessTokenReq, special-cases only plain string and NrfNfManagementNfType fields, and treats every...

7.5CVSS5.8AI score0.00394EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/08 10:52 p.m.19 views

free5GC's UDR nudr-dr DELETE amf-subscriptions panics on missing UE state via nil interface type assertion (single authenticated request)

Summary free5GC's UDR nudr-dr DELETE /subscription-data/ueId/servingPlmnId/ee-subscriptions/subsId/amf-subscriptions handler panics on a single authenticated request against a fresh UDR instance when the supplied ueId does not exist in UESubsCollection. The processor checks value, ok :=...

6.5CVSS5.9AI score0.0042EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/08 10:52 p.m.11 views

free5GC's UDR nudr-dr DELETE amf-subscriptions panics on missing subsId when UE state exists (nil pointer dereference)

Summary free5GC's UDR nudr-dr DELETE /subscription-data/ueId/servingPlmnId/ee-subscriptions/subsId/amf-subscriptions handler contains a nil-pointer dereference reachable from a single authenticated request, after one preparatory authenticated EE-subscription create. The handler checks , ok =...

6.5CVSS5.8AI score0.0035EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/08 10:50 p.m.13 views

free5GC's NEF 3gpp-pfd-management PATCH applications/{appId} panics on UDR access failure due to nil ProblemDetails dereference

Summary free5GC's NEF PATCH /3gpp-pfd-management/v1/afId/transactions/transId/applications/appId handler panics with a nil-pointer dereference when the upstream UDR call fails AND the consumer wrapper returns err != nil together with a nil ProblemDetails. The handler's errPfdData != nil branch...

7.5CVSS5.8AI score0.0039EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/08 10:47 p.m.16 views

free5GC's SMF UPI POST /upi/v1/upNodesLinks exits the SMF process on overlapping UE pools (unauthenticated, reachable Fatalf)

Summary free5GC's SMF mounts the UPI management route group without inbound OAuth2 middleware same root cause as free5gc/free5gc887. The POST /upi/v1/upNodesLinks create-or-update handler accepts attacker-controlled JSON and passes it directly into UpNodesFromConfiguration, which calls...

7.5CVSS5.9AI score0.00364EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/08 10:46 p.m.10 views

free5GC's NEF nnef-callback route group is unauthenticated; forged callback requests are accepted into the processing path

Summary free5GC's NEF mounts the nnef-callback route group without inbound OAuth2/bearer-token authorization. A forged or arbitrary bearer token e.g. Authorization: Bearer not-a-real-token is enough to reach the SMF-callback handler -- the callback body is parsed and dispatched into NEF business...

7.3CVSS5.9AI score0.00241EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/08 10:44 p.m.10 views

free5GC's NEF crashes via logger.Fatal on PFD notification delivery failure (attacker-controlled notifyUri)

Summary free5GC's NEF terminates the entire process when a stored PFD-subscription notifyUri cannot be reached. In PfdChangeNotifier.FlushNotifications, the notifier calls NnefPFDmanagementNotify... and on any delivery error invokes logger.PFDManageLog.Fatalerr, which is os.Exit1-equivalent in Go...

7.5CVSS5.8AI score0.00404EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/08 10:41 p.m.12 views

free5GC's BSF concurrent PUT /nbsf-management/v1/subscriptions/{subId} crashes the BSF process via concurrent map read/write on Subscriptions

Summary free5GC's BSF PUT /nbsf-management/v1/subscriptions/subId handler has an unsynchronized write on the global Subscriptions map. The handler first reads the map under RLock via BSFContext.GetSubscriptionsubId, but if the subscription does not exist, ReplaceIndividualSubcription writes back ...

6.5CVSS5.9AI score0.00268EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/08 10:40 p.m.19 views

free5GC's PCF npcf-policyauthorization POST /app-sessions panics on suppFeat=1 with missing AfRoutReq via nil pointer dereference

Summary free5GC's PCF POST /npcf-policyauthorization/v1/app-sessions handler panics on a single authenticated request whose ascReqData.suppFeat == "1" enabling traffic-routing feature negotiation and whose medComponents entries supply an afAppId but NO AfRoutReq. The create path then calls...

6.5CVSS5.8AI score0.0035EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/08 10:39 p.m.14 views

free5GC's PCF npcf-smpolicycontrol POST /sm-policies panics on downstream UDR/OpenAPI 404 via nil pointer dereference

Summary free5GC's PCF POST /npcf-smpolicycontrol/v1/sm-policies handler HandleCreateSmPolicyRequest panics with a nil-pointer dereference when a downstream OpenAPI consumer call UDR lookup returns 404 Not Found and the consumer wrapper returns err != nil together with a nil response struct. The...

7.5CVSS5.8AI score0.00404EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/08 10:39 p.m.10 views

free5GC's NEF 3gpp-pfd-management API is unauthenticated; forged bearer tokens can create, read, and delete PFD transactions

Summary free5GC's NEF mounts the 3gpp-pfd-management API without inbound OAuth2/bearer-token authorization. A network attacker who can reach NEF on the SBI can create, read, and delete PFD-management transaction state with a forged or arbitrary bearer token e.g. Authorization: Bearer...

9.4CVSS6AI score0.00314EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/08 10:38 p.m.11 views

gitsign verify accepts signatures over go-git-normalized bytes, enabling trust confusion on malformed commits

Summary gitsign verify and gitsign verify-tag re-encode commit/tag objects through go-git's EncodeWithoutSignature before checking the signature, instead of verifying against the raw git object bytes. For malformed objects with duplicate tree headers, git-core and go-git parse different trees:...

5.3CVSS5.8AI score0.00119EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/08 10:38 p.m.11 views

Open WebUI Vulnerable to Arbitrary File Upload and Path Traversal

CONFIDENTIAL KL-CAN-2024-002 Vulnerability Details | | Field | Value | |---|-------|-------| | 1 | Discoverer | Jaggar Henry & Sean Segreti of KoreLogic, Inc. | | 2 | Date Submitted | 2024.03.12 | | 3 | Title | Open WebUI Arbitrary File Upload + Path Traversal | | 5 | Affected Vendor | Open WebUI...

9.8CVSS6.2AI score0.00336EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/08 10:34 p.m.9 views

Open WebUI has Improper Authorization Control

CONFIDENTIAL Vulnerability Disclosure Analysis Documentation --- Vulnerability Details | | Field | Value | |---|-------|-------| | 1 | Discoverer | Taylor Pennington of KoreLogic, Inc. | | 2 | Date Submitted | June 11, 2024 | | 3 | Title | Open WebUI Improper Authorization Control | | 5 | Affecte...

7.3CVSS5.9AI score0.0023EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/08 10:26 p.m.12 views

Open WebUI has stored XSS in Excel file preview

Summary Excel file attachments are previewed in an unsafe way. A crafted XLSX file payload can be used to cause the sheetjs function sheettohtml to embed an XSS payload into the generated HTML. This is subsequently added to the DOM unsanitized via @html causing the payload to trigger. Details The...

8.7CVSS5.8AI score0.00318EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/08 10:24 p.m.19 views

Snipe-IT has Privilege Escalation via API Permissions Assignment

Impact An authenticated user with only users.edit permission can escalate their own privileges to admin by sending a PATCH request to /api/v1/users/id with permissionsadmin=1. The API controller only strips the superuser key from the permissions array, allowing admin and all other permission keys...

8.8CVSS5.8AI score0.00314EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/08 10:24 p.m.11 views

in-toto-golang and in-toto-python have inconsistent negation behavior

Impact What kind of vulnerability is it? Who is impacted? in-toto-golang and in-toto-python both support glob patterns in artifact rules to indicate the artifacts that a rule applies to. Both support negations in character classes to indicate what should not be matched, but they used different...

5.8AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/08 10:23 p.m.12 views

Snipe-IT has Stored XSS via Component Checkout Notes (v8.4.0)

Impact Users with component view access could be impacted by an unescaped notes column. Patches This was patched in https://github.com/grokability/snipe-it/commit/28f493d84d057895fbb93b6570e7393a2c2fa438, and is fixed in v8.4.1 or greater. Workarounds None...

5.4CVSS5.8AI score0.00218EPSS
Exploits0References4Affected Software1
Total number of security vulnerabilities33254