33227 matches found
Snappier has an infinite loop during SnappyStream decompression with malformed framed input
Summary Snappier.SnappyStream enters an uncatchable infinite loop when decompressing a malformed framed-format Snappy stream as small as 15 bytes. Details The hang manifests as a userspace busy loop with SnappyStreamDecompressor.Decompress repeatedly calling Crc32CAlgorithm.Append. The exact...
phpMyFAQ has unauthenticated SQL injection via User-Agent header in BuiltinCaptcha
Summary BuiltinCaptcha::garbageCollector and BuiltinCaptcha::saveCaptcha at phpmyfaq/src/phpMyFAQ/Captcha/BuiltinCaptcha.php:298 and :330 interpolate the User-Agent header and client IP address into DELETE and INSERT queries with sprintf and no escaping. Both methods run on every hit to the publi...
phpMyFAQ: Path Traversal in Client::deleteClientFolder enables arbitrary directory deletion by non-super-admin admins
Summary Client::deleteClientFolder in phpmyfaq/src/phpMyFAQ/Instance/Client.php:583 takes a URL from the caller, strips the https:// prefix, and passes the remainder to Filesystem::deleteDirectory relative to the multisite clientFolder. No path-traversal validation runs. An admin with the...
phpMyFAQ has unauthenticated FAQ permission bypass via getFaqBySolutionId fallback query
Summary The public /solutionidid.html route calls Faq::getIdFromSolutionId in phpmyfaq/src/phpMyFAQ/Faq.php:1312. That query joins faqdata with faqcategoryrelations solely by solutionid and returns the matching FAQ's id, lang, thema title, and categoryid with no permission filter. An...
phpMyFAQ has SQL Injection in CurrentUser::setTokenData through unescaped OAuth token fields
Summary CurrentUser::setTokenData in phpmyfaq/src/phpMyFAQ/User/CurrentUser.php at lines 515-534 builds a SQL UPDATE statement with sprintf and interpolates OAuth token fields refreshtoken, accesstoken, codeverifier, and jsonencode$token'jwt' without calling $db-escape. Sibling methods...
phpMyFAQ enables unauthenticated 2FA brute-force attack via /admin/check acceptance of arbitrary user-id
Summary The /admin/check endpoint in AuthenticationController implements SkipsAuthenticationCheck, making it reachable without any prior authentication. An anonymous attacker Bob can POST arbitrary user-id and token values to brute-force any user's 6-digit TOTP code. No rate limiting exists. The...
Magic Wormhole: receive, with --output pointing at an existing directory can be path-traversed
Impact A receiver who specifies "--output " where that output directory currently exists as a directory. Patches 0.24.0 will contain the patch Workarounds Ensure local target directories specified by "--output" do not already exist Resources Private email and Signal communications from a user...
phpMyFAQ: Ordinary Authenticated User Can Access Admin-Only API Endpoints Due to Insufficient Authorization Check in phpMyFAQ
Summary A review of phpMyFAQ-main uncovered an authorization issue in the admin-api routes. Several backend endpoints only check whether the caller is logged in. They do not verify that the caller actually has backend or administrative privileges. As a result, a normal frontend user can access AP...
phpMyFAQ has stored XSS via | raw Filter in search.twig — html_entity_decode(strip_tags()) Bypass in Search Result Rendering
Summary The search result rendering template search.twig outputs FAQ content fields result.question and result.answerPreview using Twig's | raw filter, which completely disables the template engine's built-in auto-escaping. A user with FAQ editor/contributor privileges can store a payload encoded...
phpMyFAQ's Missing CONFIGURATION_EDIT Permission Check on 12 Admin API Configuration Tab Endpoints Allows Information Disclosure by Any Authenticated User
Summary 12 endpoints in ConfigurationTabController.php use userIsAuthenticated login-only check instead of userHasPermissionPermissionType::CONFIGURATIONEDIT. This allows any authenticated user — including ones with zero admin permissions — to enumerate system configuration metadata including the...
phpMyFAQ has a SVG Sanitizer Entity Decoding Depth Limit Bypass Leading to Stored XSS
Summary The SvgSanitizer::decodeAllEntities method limits recursive entity decoding to 5 iterations. By wrapping each character of javascript in an href attribute value with 5 levels of & encoding around numeric HTML entities e.g., amp;amp;amp;106; for j, an attacker can bypass both isSafe...
phpMyFAQ has Stored XSS in FAQ Question/Answer via Encode-Decode Bypass of removeAttributes() Sanitization
Summary The FAQ creation and update endpoints in phpMyFAQ apply FILTERSANITIZESPECIALCHARS which HTML-encodes input, then immediately call htmlentitydecode which reverses the encoding, followed by Filter::removeAttributes which only strips HTML attributes — not tags. This allows , , , and tags to...
Harvester's SUSE Virtualization Registration Client Vulnerable to MITM and DOS
Impact A vulnerability has been identified in the SUSE Virtualization Harvester Rancher integration mechanism where by default the registration client uses an insecure TLS option that fails to verify the remote server’s certificate. This security gap could allow the execution of a man-in-the-midd...
phpMyFAQ's Missing Authorization on Tag Deletion Allows Any Authenticated User to Delete Tags
Summary The TagController::delete endpoint at DELETE /admin/api/content/tags/tagId only verifies that the user is logged in userIsAuthenticated, but does not check any permission. Any authenticated user — including regular non-admin frontend users — can delete any tag by ID. This contrasts with...
phpMyFAQ has an Authorization Bypass in All Admin Pages Due to Non-Terminating Permission Check
Summary AbstractAdministrationController::userHasPermission catches the ForbiddenException thrown when a user lacks a specific permission, sends a "forbidden" HTML page via $response-send, but does not terminate execution. The calling controller method continues to execute, fetches protected data...
phpMyFAQ has stored XSS via Utils::parseUrl() in comment rendering
Summary A stored XSS vulnerability in the comment rendering pipeline allows an authenticated user to inject JavaScript that executes for every visitor of an affected FAQ or News page. An attacker with a registered account can steal admin session cookies and take over the application. Details...
Micronaut has unbounded `formattersCache` in `TimeConverterRegistrar` that Allows Memory Exhaustion via `Accept-Language` Header
Summary TimeConverterRegistrar caches DateTimeFormatter instances in an unbounded ConcurrentHashMap whose key is derived from the @Format annotation pattern concatenated with the locale from the HTTP Accept-Language header. Because Locale.forLanguageTag accepts arbitrary BCP 47 private-use...
Micronaut has Unbounded `bundleCache` in `ResourceBundleMessageSource` that Allows Memory Exhaustion via `Accept-Language` Header
Summary ResourceBundleMessageSource maintains two caches: messageCache bounded at 100 entries via ConcurrentLinkedHashMap and bundleCache unbounded ConcurrentHashMap. The bundleCache is keyed by Locale, baseName where the locale originates from the HTTP Accept-Language header. In applications tha...
Mezo: ERC-20 bridgeOut burn can be erased by a stale StateDB overwrite leading to full L1 bridge drain
Note: the fixed version of the validator client has been deployed for some time. Impact Potential full drain of L1 bridge without changing bridged balance on Mezo. Brief/Intro A malicious user can steal all ERC-20 tokens locked in the L1 bridge by repeatedly calling the bridgeOut precompile from ...
Scramble vulnerable to remote code execution via evaluation of user-controlled input in validation rules
Impact A remote code execution RCE vulnerability affects versions 0.13.2 through 0.13.21. When documentation endpoints are publicly accessible and validation rules reference user-controlled input, request supplied data may be evaluated during documentation generation, leading to execution of...
wger: trainer_login open redirect - ?next= parameter not validated against host
Summary The trainerlogin view in wger redirects to request.GET'next' directly via HttpResponseRedirect without calling urlhasallowedhostandscheme. After the trainer successfully enters impersonation mode, their browser is redirected to any attacker-controlled URL supplied in the ?next= parameter,...
wger: cross-tenant password reset and plaintext disclosure via gym=None bypass
Summary The resetuserpassword and gympermissionsuseredit views in wger perform a gym-scope authorization check using Python object comparison != that evaluates None != None as False, silently bypassing the guard when both the attacker and victim have no gym assignment gym=None. A user with...
wger: CSV/TSV formula injection in gym member export (first_name/last_name)
Summary The gym member TSV export endpoint in wger writes firstname and lastname profile fields verbatim to TSV cells with no formula-prefix sanitization. Any gym member including newly self-registered users can pre-load a spreadsheet formula into their own profile. When a gym admin later exports...
GitPython reference APIs has a path traversal vulnerability that allows arbitrary file write and delete outside the repository
🧾 Summary A vulnerability in GitPython allows attackers who can supply a crafted reference path to an application using GitPython to write, overwrite, move, or delete files outside the repository’s .git directory via insufficient validation of reference paths in reference creation, rename, and...
basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering
Summary basic-ftp is vulnerable to client-side denial of service when parsing FTP control-channel multiline responses. A malicious or compromised FTP server can send an unterminated multiline response during the initial FTP banner phase, before authentication. The client keeps appending...
Lemur: LDAP Filter Injection enables post-authentication privilege escalation
Description Overview Lemur's LDAP authentication module lemur/auth/ldap.py constructs LDAP search filters using unsanitized user input via Python string interpolation. An authenticated LDAP user can inject LDAP filter metacharacters through the username field to manipulate group membership querie...
Lemur: LDAP Authentication Globally Disables TLS Certificate Verification When LDAP_USE_TLS Is Enabled
Description Overview When LDAP TLS is enabled LDAPUSETLS = True, Lemur's LDAP authentication module unconditionally disables TLS certificate verification at the global ldap module level. This allows a man-in-the-middle attacker positioned between Lemur and the LDAP server to intercept all...
Kimai's Twig function config() leaks server-wide secrets (LDAP bind password, SAML SP private key) via invoice/export templates
Summary Kimai's Twig sandbox StrictPolicy, used for admin-uploaded invoice and export templates allow-lists the config Twig function with no key filtering. configname delegates to App\Configuration\SystemConfiguration::find$name, which returns arbitrary entries from the flattened kimai.config...
Velocidex Velociraptor has an Incorrect Authorization issue
Velociraptor versions prior to 0.76.4 contain a cross organization authorization bypass in the HTTP API. A user with only the reader role in the root organization the lowest authenticated role, holding only READRESULTS permission can issue a single authenticated HTTP GET that can read any files...
Kimai has Missing Voter Check that Allows Cross-Team Timesheet Manipulation
Summary Any ROLETEAMLEAD user can enumerate, read, modify, and permanently delete timesheets belonging to any other user in the system — regardless of team membership. This enables data destruction deleted billable hours, data tampering forged timesheet durations, and full authorization bypass on...
Nokogiri XSLT transform has a memory leak
Summary Nokogiri's Nokogiri::XSLT::Stylesheettransform leaks a small heap allocation when passed a Ruby string parameter containing a null byte. For applications that pass attacker-controlled input through XSLT.transform parameters, this may be a vector for a denial of service attack against...
Nokogiri CSS selector tokenizer has regular expression backtracking
Summary Nokogiri's CSS selector tokenizer contains regular expressions whose construction may result in exponential regex backtracking on adversarial selectors. Three ReDoS vectors are addressed in this release: 1. String-literal tokenization on certain unterminated quoted-string input. 2...
dssrf: every IPv6 category bypasses is_url_safe
A vulnerability on dssrf allow, an attacker to use, one of them following ipv6 rust Input Category http://::1/ IPv6 loopback http://fc00::1/ IPv6 ULA http://fe80::1/ IPv6 link-local http://::ffff:127.0.0.1/ IPv4-mapped loopback http://::ffff:169.254.169.254/ IPv4-mapped IMDS...
phpseclib: guardrails needed on isPrime and randomPrime
Impact Anyone trying to generate a prime and testing the primality of a number. Patches https://github.com/phpseclib/phpseclib/commit/ad5dbdf2129f5e0fb644637770b7f33de8ca8575 Workarounds Using the GMP extension would probably help, assuming that one has its own guardrails. Resources...
Craft CMS's Missing Volume Permission Check in AssetsController::actionShowInFolder Allows Information Disclosure
Summary AssetsController::actionShowInFolder fetches an asset by ID and returns its filename and complete folder hierarchy including volume handle, volume UID, folder names, folder UIDs, and folder URI paths without checking whether the requesting user has viewAssets or viewPeerAssets permission ...
PyLoad vulnerable to unauthenticated traceback disclosure via global exception handler in WebUI
Summary pyload-ng WebUI returns full Python traceback details to clients on unhandled exceptions. Because /web/ is reachable without authentication and renders attacker-controlled template names, an unauthenticated user can reliably trigger a server exception for example by requesting a...
Craft CMS has Potential Authenticated Remote Code Execution via Malicious Attached Behavior
We identified a vulnerability in the latest version of Craft CMS which contains an input-handling flaw in a Yii object creation path that let any authenticated user inject malicious configuration and execute arbitrary commands on the server. Yii’s dynamic object configuration, as implemented in...
Craft CMS's Missing Authorization in GraphQL Address Resolver Allows Cross-Scope PII Disclosure
Summary The GraphQL Address element resolver src/gql/resolvers/elements/Address.php performs no schema scope filtering on top-level queries. A GraphQL API token scoped to a single low-privilege user group can read every address in the system, including addresses belonging to users in groups the...
next-intl has prototype pollution with `experimental.messages.precompile` via attacker-controlled translation catalog keys
Summary setNestedProperty in packages/next-intl/src/extractor/utils.tsx walks a dotted key path and assigns the final value without blocking the reserved keys proto, constructor, or prototype. When the next-intl Next.js plugin is configured with experimental.messages and messages.precompile: true...
mcp-data-vis vulnerable to denial of service via unsanitized `select` key lookup on `Object.prototype` with `precompile: true`
Summary icu-minify's runtime formatter resolves select branches by looking up the runtime value as a plain property on a prototype-bearing object. When the value coerces to a key that exists on Object.prototype e.g. toString, proto, constructor, hasOwnProperty, valueOf, the lookup returns a truth...
astral-tokio-tar: `unpack_in` can chmod arbitrary directories by following symlinks
Impact In versions 0.6.0 and earlier of astral-tokio-tar, the unpackin API could inadvertently modify the permissions of external i.e. non-archive directories outside of the archive. An attacker could use this to contrite a tar archive that maliciously changes directory permissions outside of its...
astral-tokio-tar is Vulnerable to PAX Header Desynchronization
Impact Versions of astral-tokio-tar prior to 0.6.1 contain a PAX header interpretation bug that allows manipulated entries to be made selectively visible or invisible during extraction with astral-tokio-tar versus other tar implementations. An attacker could use this differential to smuggle...
QuantumNous/new-api has an SSRF Filter Bypass via 0.0.0.0
SSRF Filter Bypass via 0.0.0.0 Summary The SSRF protection introduced in v0.9.0.5 CVE-2025-59146 and hardened in v0.9.6 CVE-2025-62155 does not block the unspecified address 0.0.0.0. A regular non-admin user holding any valid API token can send a multimodal request to /v1/chat/completions,...
DevSpace UI Server WebSocket CheckOrigin does not validate source
Description DevSpace's UI server WebSocket accepts connections from all origins by default, and therefore several endpoints are exposed via this WebSocket. When a developer runs the DevSpace UI and at the same time uses a browser to access the internet, a malicious website they visit can use thei...
Auth.js SDK has Improper Permission Checking
Description Under specific preconditions, the Auth0.js SDK may improperly return user profile information using a valid access token when a specifically crafted invalid ID token is provided. Am I Affected? Users are affected if they meet each of the following preconditions: - Applications built...
Nginx-UI is Vulnerable to Unauthenticated Remote Code Execution via Backup Restore
Product: nginx-ui Repository: 0xJacky/nginx-ui branch: dev Vulnerability Class: Authentication Bypass → Arbitrary File Write → OS Command Injection Affected Component: POST /api/restore --- 1. Vulnerability Summary nginx-ui exposes a backup restore endpoint POST /api/restore that is completely...
Nginx-UI Settings API Exposes Protected Secrets
Summary The GetSettings API handler api/settings/settings.go:24-65 serializes all settings structs to JSON and returns them to authenticated users. Many sensitive fields are tagged with protected:"true" - however, this tag is only enforced during writes via ProtectedFill in SaveSettings and is...
Nginx-UI: Unauthenticated first-boot instance claim via POST /api/install allows remote bootstrap takeover
Summary An unauthenticated bootstrap takeover exists in nginx-ui during the initial installation window exposed by POST /api/install. When the instance is still uninitialized, POST /api/install is reachable without authentication and accepts attacker-controlled bootstrap data. The handler sets th...
Nginx-UI: Unauthenticated First-Run Installer Allows Remote Initial Admin Claim
Summary An unauthenticated network attacker can claim the initial administrator account on a fresh nginx-ui instance during the first-run setup window. The public /api/install endpoint is reachable without authentication, and the request-encryption flow only protects payload confidentiality in...
Tauri has an Origin Confusion Issue that Allows Remote Pages to Invoke Local-Only IPC Commands
Summary A flaw in Tauri's islocalurl function causes it to incorrectly classify remote URLs as trusted local origins on Windows and Android. On these systems, Tauri maps custom URI scheme protocols to http://.localhost/ because those platforms' WebView implementations cannot serve custom URI...