33227 matches found
vm2 has a NodeVM require.root bypass via symlink traversal that allows sandbox escape
Summary NodeVM's require.root path restriction can be bypassed using filesystem symlinks, allowing sandboxed code to load modules from outside the allowed root directory in host context. Because path validation uses path.resolve which does not dereference symlinks but module loading uses Node's...
vm2's Transformer Fast-Path Bypass Exposes Internal State Variable
Summary vm2's code transformer has a performance optimization that skips AST analysis when the code does not contain catch, import, or async keywords. This fast-path bypass allows sandboxed code to directly access the internal VM2INTERNALSTATEDONOTUSEORPROGRAMWILLFAIL variable, which exposes...
vm2 is Vulnerable to Host File Path Disclosure via Stack Trace Information Leak
Summary vm2's CallSite wrapper class intended as a safe wrapper for V8's native CallSite blocks getThis and getFunction to prevent host object leakage, but allows getFileName to return unsanitized host absolute paths. Any sandboxed code can extract the full directory structure, library paths, and...
vm2 Host Promise Resolution Preserves Object Identity Across Sandbox Boundary
Summary A sandbox boundary violation in vm2 allows host object identity to cross into the sandbox through host Promise resolution. When a host-side Promise that resolves to a host object is exposed to the sandbox, the value delivered to the sandbox .then callback preserves host identity. This...
vm2 Sandbox Access to Host Buffer.alloc Allows timeout Bypass Resulting in Memory Exhaustion
Summary Sandboxed code can call Buffer.alloc with an arbitrary size to allocate memory directly on the host heap. Because Buffer.alloc is a synchronous C++ native call, vm2's timeout option cannot interrupt it. A single request can exhaust host memory and crash the process with a FATAL ERROR:...
vm2 has a Sandbox Escape via Promise Constructor Unhandled Rejection (Process Crash DoS)
Summary A sandbox escape vulnerability in vm2 v3.10.5 allows any sandboxed code to crash the host Node.js process via a single Promise constructor that triggers an unhandled rejection propagating to the host. The fix for CVE-2026-22709 v3.10.2 only sanitized the onRejected callback in .then and...
vm2 has a NodeVM builtin allowlist bypass via `module` builtin's `Module._load` that allows sandbox escape
Summary NodeVM's builtin allowlist can be bypassed when the module builtin is allowed including via the '' wildcard. The module builtin exposes Node's Module.load, which loads any module by name directly in the host context, completely bypassing vm2's builtin restriction. This allows sandboxed co...
vm2: Mutable Proxies for Host Intrinsic Prototypes Allows Sandbox Escape
Summary vm2's bridge exposes mutable proxies for real host-realm intrinsic prototypes and then forwards sandbox writes into the underlying host objects with otherReflectSet and otherReflectDefineProperty, which lets attacker-controlled JavaScript running in a default VM or inherited NodeVM mutate...
vm2 Access to Host Object Enables Sandbox Escape
Summary It is possible to obtain the host Object, https://github.com/patriksimek/vm2/commit/ebcfe94ad2f864f0bc35e78cff1d921107cfd160 added some protections, but the implementation is incomplete. Details There are various ways to use the host Object, to escape the sandbox, one example would be usi...
vm2 has a Sandbox Escape Vulnerability
Summary It is possible to reach BaseHandler.getPrototypeOf, which can be used to get arbitrary prototypes Details https://github.com/patriksimek/vm2/blob/408fc855f1cc1bbc2985b029465ee0e732ada433/lib/bridge.jsL655-L658 BaseHandler can be reached via util.inspect same as...
Bandit HTTP/2 Frame Size Limit Bypass via Late Buffer Check Enables Memory Exhaustion
Summary Bandit's HTTP/2 parser checks frame size after it has already buffered the full body, instead of when it sees the 9-byte header. A peer can announce a 16 MiB frame on a connection that agreed to 16 KiB frames and the server will silently buffer up to 1024× the agreed budget per connection...
Bandit trusts client-supplied URI scheme on plaintext connections
Summary Bandit reflects the client-supplied URI scheme into conn.scheme without verifying the actual transport. Over a plaintext HTTP/1.1 connection or h2c, an unauthenticated attacker can send an absolute-form request target like GET https://victim/path HTTP/1.1 and the application observes...
Bandit is vulnerable to CL.CL request smuggling via unrejected duplicate `Content-Length` header
Summary Bandit is vulnerable to CL.CL HTTP request smuggling: it silently accepts requests with two Content-Length headers whose values differ, takes the first value, and dispatches the body bytes as a second pipelined request on the same keep-alive connection. RFC 9110 §5.3 prohibits multiple...
Bandit Buffers Unbounded WebSocket Continuation Frames, Allowing Unauthenticated Memory Exhaustion
Summary A single unauthenticated WebSocket client can exhaust server memory in any Bandit-fronted application that accepts WebSocket connections. The fragmented-message reassembly path appends every Continuationfin: false frame's payload to a per-connection iolist with no cumulative size cap, so ...
Bandit's unbounded WebSocket inflate causes BEAM OOM with a single frame
Summary When a Bandit-fronted server has explicitly enabled WebSocket permessage-deflate compress: true, an unauthenticated client can OOM the BEAM with a single 6 MiB WebSocket frame. Bandit's inflate step has no output-size cap, so a small high-ratio compressed frame e.g. zeros, 1024:1 ratio...
gittuf's policy can be rolled back to prior valid versions
Summary An attacker with push access to gittuf's Reference State Log RSL can roll back the current policy to any previous policy trusted by the current set of root keys. Impact gittuf determines the policy to load by inspecting the RSL. Except for the very first policy which is automatically...
FileBrowser Vulnerable to Stored XSS via SVG File in Public Share (Missing CSP Header)
Summary FileBrowser Quantum serves inline SVG files without a Content-Security-Policy header, allowing embedded JavaScript in SVG files to execute when accessed via public share links. Verified on v1.3.0-stable. Affected product - Product: FileBrowser Quantum gtsteffaniak/filebrowser - Verified...
FileBrowser Public Share DELETE API Path Traversal Allows Unauthenticated Arbitrary File Deletion
Summary Attacker-controlled path input is joined with a trusted base path prior to sanitization, allowing traversal sequences e.g., ../ to escape the intended shared directory. As a result, an unauthenticated attacker possessing a valid public share hash with delete permissions enabled can delete...
etcd RBAC bypass allows unauthorized data access via PrevKv/lease attachment in nested transaction Put requests
Impact What kind of vulnerability is it? Who is impacted? A vulnerability in etcd allows read access via PrevKv, or lease attachment in Put requests within transaction operations, to bypass RBAC authorization checks. An authenticated user without sufficient read or lease-related permissions may b...
docling-graph has SSRF via Missing Internal IP Validation in URLInputHandler
Impact The URLInputHandler class in doclinggraph/core/input/handlers.py makes HTTP requests to user-supplied URLs without validating whether the target resolves to a private, loopback, or link-local IP address. The URLValidator only checks for a valid scheme and non-empty netloc, performing no...
imageproc: integer overflow in kernel size check leads to out-of-bounds read
A bounds verification of a slice storage of a 2-dimensional matrix's coefficients a kernel would compare the total size against the product of individual dimensions. This would erroneously cast after the multiplication and consequently fail to detect possible violations when overflow occurs...
imageproc: Out-of-bounds read via NaN coordinates in bilinear/bicubic sampling
A bounds check was performed in floating points before a cast to the index passed to an unchecked access function. This checked considered NaN cases improperly, causing them to succeed the check instead of failing it. The floating point coordinate is under caller control by passing a selected...
imageproc has fragile bounds check when sampling from image
A read of pixels was coded as modifying coordinates to lie within the image bounds. It would calculate a coordinate by adding a constant to an input and taking the minimum of the resulting coordinate and 'dimension - 1'. This would not protect against malicious inputs that could overflow the...
ShellHub has cross-tenant IDOR in `GET /api/namespaces/:tenant` via API Key bypasses membership check
Summary GET /api/namespaces/:tenant returns the full namespace object — including the members list user IDs, e-mails, roles, settings, and device counts — to any caller authenticated by an API Key, for any tenant, regardless of the API Key's own tenant scope. The handler conditionally skips the...
hickory-proto vulnerable to CPU exhaustion during message encoding due to O(n²) name compression
During message encoding, hickory-proto's BinEncoder stores pointers to labels that are candidates for name compression in a Vec. The name compression logic then searches for matches with a linear scan. A malicious message with many records can both introduce many candidate labels, and invoke this...
hickory-proto: NSEC3 closest-encloser proof validation enters unbounded loop on cross-zone responses
The NSEC3 closest-encloser proof validation in hickory-proto's 0.25.0-alpha.3 ... 0.25.2 and hickory-net's 0.26.0-alpha.1 .. 0.26.0 DnssecDnsHandle walks from the QNAME up to the SOA owner name, building a list of candidate encloser names. The iterator used assumes the QNAME is a descendant of th...
Daptin's Session Management Vulnerability Leads to Insufficient Session Expiration After Password Change
Summary A session invalidation vulnerability exists in daptin's authentication system where JSON Web Tokens JWTs remain fully valid after a user changes their password. The JWT validation middleware CheckJWT only verifies token signature, expiry, issuer, and signing algorithm — it does not check...
Talos Linux has a local privilege escalation from untrusted workloads
Summary A vulnerability in the Linux kernel's algifaead subsystem CVE-2026-31431, "copy.fail" allows an unprivileged container workload to corrupt arbitrary file page-cache pages via the AFALG crypto interface and splice. On Talos Linux, this vulnerability can be chained into a complete node...
Kubetail has a Cross-Site WebSocket Hijacking issue that allows attacker to read Kubernetes logs from authenticated users
Summary Kubetail's dashboard exposes WebSocket endpoints that did not adequately validate the Origin header on connection upgrade. A malicious web page visited by a user with an active Kubetail session could open a WebSocket to the user's dashboard and read their Kubernetes logs in real time. Thi...
Diffusers has a `trust_remote_code` bypass via `custom_pipeline` and local custom components
Background This vulnerability is found in the DiffusionPipeline.frompretrained flow, which is used to load a pipeline from the HuggingFace Hub. This function accepts an optional custompipeline keyword argument: the name of a Python file in the repo that contains a custom class inheriting from...
katalyst-koi: Session cookies can be replayed after user logout
Impact Admin session cookies were not invalidated when an admin user logged out. An attacker with access to a valid admin session cookie could continue to access admin functionality after logout, until the cookie expired or session secrets were rotated. This affects applications using Koi admin...
Free5GC UDM has Improper Input Validation and Generation of Error Messages Containing Sensitive Information
Summary The free5GC UDM component fails to validate the supi path parameter in six GET handlers of the nudm-sdm Subscriber Data Management service. An unauthenticated attacker can inject control characters into the SUPI parameter, causing UDM to forward a malformed request to UDR and return a 500...
go-ipld-prime's DAG-CBOR and DAG-JSON decoders have unbounded recursion depth
The DAG-CBOR and DAG-JSON decoders recurse on each nested map or list without a depth limit. A payload containing deeply nested collections causes the decoder to recurse once per level, growing the goroutine stack until the Go runtime terminates the process with a fatal stack overflow distinct fr...
CSS Parser: Improper Certificate Validation allows MITM injection of remote CSS content
Summary The CSS Parser gem does not validate HTTPS connections, allowing a Man-in-the-Middle MITM attacker to inject or modify CSS content when stylesheets are loaded via HTTPS. The connection is established with OpenSSL::SSL::VERIFYNONE, meaning any HTTPS certificate—even entirely untrusted—will...
Free5GC PCF: Missing authentication middleware in Npcf_SMPolicyControl allows access to SM policy handlers and disclosure of subscriber SUPI
Summary PCF NpcfSMPolicyControl missing authentication middleware allows unauthenticated access to SM policy handlers and disclosure of subscriber SUPI Details In NewServer, the smPolicyGroup route group is created and routes are applied without attaching the router authorization middleware. In...
ArgoCD ServerSideDiff is vulnerable to Kubernetes Secret Extraction
Summary There is a missing authorization and data-masking gap in Argo CD's ServerSideDiff endpoint that allows an attacker with read-only access to extract plaintext Kubernetes Secret data from etcd via the Kubernetes API server's Server-Side Apply dry-run mechanism. Details Argo CD masks Secret...
Free5GC AMF has Missing Concurrent NAS SMC Validation During NGAP Handover
Summary The AMF in Free5GC v4.2.1 does not enforce the concurrent security procedure rules defined in 3GPP TS 33.501 §6.9.5.1. The AMF does not check for ongoing N2 handover procedures before initiating a NAS Security Mode Command, and vice versa. This can lead to mismatches between NAS and AS...
rust-zserio has Unbounded Memory Allocation
Impact When deserializing arrays, strings or bytes blob types zserio first reads the size of the variable, and then allocates sufficient memory to load data. Since the size is always trusted this can be abused by creating a data file with a large size value, causing the zserio runtime to allocate...
Free5GC AMF Bypasses UE Security Capabilities on NGAP PathSwitchRequest
Summary The AMF in Free5GC v4.2.1 does not verify the UE Security Capabilities received in NGAP PathSwitchRequest messages against its locally stored values, as mandated by 3GPP TS 33.501 §6.7.3.1. A malicious gNB can overwrite the AMF's stored UE security capabilities with arbitrary values, whic...
Aegra has cross-user run injection in /threads/{thread_id}/runs (IDOR)
Impact Aegra deployments running 0.9.0 through 0.9.6 with multiple authenticated users on a shared instance are vulnerable to a cross-tenant IDOR. Any authenticated user User A, given another user's threadid User B, can: - Execute graph runs against User B's thread via POST /threads/threadid/runs...
Kiota abstractions RedirectHandler leaks Cookie/Proxy-Authorization headers on cross-host redirect
Summary The RedirectHandler middleware in microsoft/kiota-java com.microsoft.kiota:microsoft-kiota-http-okHttp v1.9.0 and other Kiota libraries fails to strip sensitive HTTP headers when following 3xx redirects to a different host or scheme. This vulnerability is present in the RedirectHandlers...
container: pf Rule Injection via Domain Name Argument in `container system dns create --localhost` Command
Product Name: container Github Link: https://github.com/apple/container Version: = 0.12.2 Summary The container system dns create --localhost command accepts a domainName argument and passes it unsanitized into the pf anchor file /etc/pf.anchors/com.apple.container as a comment in a rule line. A...
Fleet: Helm impersonation bypass of `RESTClientGetter` retains `cluster-admin` during template rendering
Impact Fleet's Helm deployer did not fully apply ServiceAccount impersonation in two code paths, allowing a tenant with git push access to a Fleet-monitored repository to read secrets from any namespace on every downstream cluster targeted by their GitRepo. Helm lookup bypass: The Helm template...
Rancher Extensions have arbitrary file access via path traversal
Impact A vulnerability has been identified in Rancher's Extensions where malicious code can be injected in Rancher through a path traversal in the compressedEndpoint field inside a UIPlugin deployment. A malicious UI extension could abuse that to: - Overwrite Rancher binaries or configuration to...
Amazon ECS Container Agent (Windows) is vulnerable to Information Disclosure
Summary Amazon Elastic Container Service Amazon ECS is a fully managed container orchestration service that enables customers to deploy, manage, and scale containerized applications. An issue exists where, under certain circumstances, improper input validation in the FSx Windows File Server volum...
Gotenberg allows Chromium URL conversion routes to read arbitrary files under /tmp via file:// scheme
Summary The /forms/chromium/convert/url and /forms/chromium/screenshot/url routes accept url=file:///tmp/... from anonymous callers. The default Chromium deny-list intentionally exempts file:///tmp/ so HTML/Markdown routes can load their own request-local assets, and those routes apply a...
Gotenberg vulnerable to unauthenticated SSRF via default deny-list bypass in downloadFrom and webhook
Summary The default deny-lists used by Gotenberg's downloadFrom feature and webhook feature are bypassable. Because the filter is regex-based and case-sensitive, an unauthenticated attacker can supply URLs such as http://::ffff:127.0.0.1:... and reach loopback or private HTTP services that the...
Gotenberg has an unauthenticated denial of service via echo.Context pool reuse in webhook async goroutine
Summary The webhook middleware spawns a goroutine that holds a reference to the request's echo.Context after the synchronous handler returns ErrAsyncProcess and Echo recycles the context back to its sync.Pool. When a concurrent request claims the recycled context, c.Reset clears the store. If the...
Gotenberg has arbitrary PDF read via stampExpression and watermarkExpression in merge, split, and convert routes
Summary Six conversion routes pdfengines/merge, pdfengines/split, libreoffice/convert, chromium/convert/url, chromium/convert/html, chromium/convert/markdown accept stampSource=pdf + stampExpression=/path and watermarkSource=pdf + watermarkExpression=/path from anonymous callers. The dedicated...
Gotenberg's DNS rebinding bypasses SSRF validation on Chromium URL conversion routes
Summary FilterOutboundURL resolves the hostname, checks the resolved IPs against the private-address deny-list, and returns only the error. It discards the resolved addresses. Chromium later performs its own DNS resolution when it navigates to the URL. An attacker who controls DNS for a hostname...