Lucene search
K
GithubRecent

33227 matches found

Github Security Blog
Github Security Blog
added 2026/05/06 4:56 p.m.10 views

Duplicate Advisory: Mistune has a ReDoS in LINK_TITLE_RE that allows denial of service via crafted Markdown input

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-8mp2-v27r-99xp. This link is maintained to preserve external references. Original Description Summary Denial-of-Service DoS vulnerability in the Mistune Markdown parser. The issue occurs when processing speciall...

5.8AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/06 4:52 p.m.8 views

Mistune has a ReDoS in LINK_TITLE_RE that allows denial of service via crafted Markdown input

Summary A ReDoS Regular Expression Denial of Service vulnerability in LINKTITLERE allows an attacker who can supply Markdown for parsing to cause denial of service. A crafted 58-byte Markdown document blocks the parser for approximately 6 seconds measured on Apple M2, Python 3.14.3, with...

8.7CVSS6AI score0.00481EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/06 4:44 p.m.8 views

Rucio has SQL Injection in FilterEngine PostgreSQL Query Builder via DID Search API

Summary A SQL injection vulnerability in FilterEngine.createpostgresquery allows any authenticated Rucio user to execute arbitrary SQL against the configured PostgreSQL metadata database through the DID search endpoint GET /dids//dids/search. When the external metadata plugin postgresmeta is...

9CVSS6.7AI score0.00301EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/06 4:42 p.m.10 views

Rucio has SQL Injection in FilterEngine Oracle JSON Path via DID Search API

Summary A SQL injection vulnerability in the Oracle path of FilterEngine.createsqlaquery allows any authenticated Rucio user to execute arbitrary SQL against the backend database through the DID search endpoint GET /dids//dids/search. Attacker-controlled filter keys and values are interpolated...

9.4CVSS6.5AI score0.00281EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/06 3:32 p.m.11 views

Flowise: Bcrypt Password Hash Exposure

A security flaw has been discovered in FlowiseAI Flowise up to 3.0.12. Affected is the function Login of the file packages/server/src/enterprise/services/account.service.ts of the component API Response Handler. The manipulation results in information disclosure. The attack can be launched...

6.3CVSS5.2AI score0.00259EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/06 12:30 p.m.11 views

Duplicate Advisory: Keylime has a hardcoded attestation challenge nonce that allows replay attacks

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-q8w6-w55c-ccv5. This link is maintained to preserve external references. Original Description A flaw was found in Keylime. An attacker with root access on an enrolled monitored machine, where the Keylime agent...

6.3CVSS5.7AI score0.00121EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/06 12:30 p.m.11 views

Apache Wicket has a Path Traversal issue

FolderUploadsFileManager in Apache Wicket does not validate or sanitize the uploadFieldId parameter or the clientFileName before constructing file paths, allowing an unauthenticated attacker to write arbitrary files outside the intended upload directory or read files from arbitrary locations on t...

6.5CVSS5.9AI score0.00732EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/06 12:30 p.m.11 views

Apache Wicket has an Exposure of Sensitive Information to an Unauthorized Actor vulnerability

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Wicket. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, from 9.0.0 through 9.22.0, from 10.0.0 through 10.8.0. Users are recommended to upgrade to version 10.9.0, which fixes the issue...

7.5CVSS5.8AI score0.00394EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/06 12:30 p.m.12 views

Apache Wicket has a Cross-site Scripting issue

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Apache Wicket. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, 9.0.0, from 10.0.0 through 10.8.0. Users are recommended to upgrade to version 10.9.0, which fixes the issue...

6.1CVSS5.8AI score0.00357EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/06 12:30 p.m.15 views

Apache Wicket has a Session Fixation issue

Missing invocation of Servlet http web request method changeSessionId after session binding can be exploited for a session fixation attack in Apache Wicket. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, 9.0.0, from 10.0.0 through 10.8.0. Users are recommended to upgrade to version...

9.1CVSS5.7AI score0.00379EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/06 3:33 a.m.12 views

Velocidex Velociraptor has an authorization bypass vulnerability

An authorization bypass CWE-639 in the GetUserRoles gRPC API endpoint in Velocidex Velociraptor below version 0.76.5 allows any authenticated low-privilege user to retrieve the complete ACL policy roles and permissions for any user across all organizations by supplying targeted Name and Org...

7.7CVSS5.8AI score0.00255EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/06 3:33 a.m.13 views

Velocidex Velociraptor has an off-by-one error

An off-by-one error CWE-193 in the ConsumeUnit16Array and ConsumeUnit64Array functions in Velocidex Velociraptor before version 0.76.5 on Windows and Linux allows a local attacker to cause a Denial of Service DoS via a process crash by providing a specially crafted .evtx file to the parseevtx VQL...

5.5CVSS5.8AI score0.00142EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/06 12:31 a.m.13 views

Paramiko rsakey.py allows the SHA-1 algorithm

In Paramiko through 4.0.0 before a448945, rsakey.py allows the SHA-1 algorithm...

3.4CVSS5.8AI score0.00114EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/05 10:22 p.m.14 views

ArcadeDB vulnerable to cross-database authorization bypass and unsecured newly-created databases

Impact Authenticated users and API tokens scoped to a specific database could read, write, and mutate schema on any other database on the same server. Two distinct defects contributed: 1 ServerSecurityUser.getDatabaseUser returned a DB user with an uninitialized fileAccessMap, which...

9CVSS5.8AI score0.00344EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/05 10:21 p.m.12 views

vLLM Vulnerable to Remote DoS via Special-Token Placeholders

Summary This report explains a Token Injection vulnerability in vLLM’s multimodal processing. Unauthenticated, text-only prompts that spell special tokens are interpreted as control. Image and video placeholder sequences supplied without matching data cause vLLM to index into empty grids during...

7.5CVSS5.9AI score0.00414EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/05 10:20 p.m.11 views

AVideo Vulnerable to Exposure of Sensitive Information to an Unauthorized Actor and Missing Authorization

Summary An unauthenticated user can read APISecret from objects/plugins.json.php and use it to call protected API endpoints e.g. userslist without logging in. Details objects/plugins.json.php is public and still exposes plugin objectdata containing APISecret. That secret is accepted by...

8.7CVSS5.8AI score0.00257EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/05 10:20 p.m.7 views

ciguard: Web UI is missing HTTP defence-in-depth headers

Summary ciguard's FastAPI Web UI src/ciguard/web/app.py does not set HTTP defence-in-depth headers. OWASP ZAP baseline scan flagged 11 alerts: missing Content-Security-Policy Medium, X-Frame-Options Medium, Sub-Resource-Integrity on /api/docs Medium, COOP / COEP / CORP Low, Permissions-Policy Low...

5.8AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/05 10:19 p.m.11 views

ciguard: discover_pipeline_files follows symlinks out of scan root

Summary The discoverpipelinefiles function in src/ciguard/discovery.py introduced in v0.8.0 and used by the MCP scanrepo tool shipped in v0.8.1 walks a directory tree following symlinks, with cycle protection via tracking visited resolved paths. An attacker who can plant a symlink in a directory...

3.2CVSS5.8AI score0.00158EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/05 10:18 p.m.11 views

ciguard: Container image runs as root (no USER directive)

Summary The published ghcr.io/jo-jo98/ciguard container image inherits the default root user because the Dockerfile lacks a USER directive. ciguard is a static analyser with no need for root privileges; running as root inside a container makes any future container-runtime escape CVE more impactfu...

3CVSS5.8AI score0.00122EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/05 10:17 p.m.7 views

ciguard: SCA HTTP client reads response body without size cap

Summary Both SCA HTTP clients src/ciguard/analyzer/sca/osv.py and src/ciguard/analyzer/sca/endoflife.py call payload = json.loadsresp.read.decode'utf-8' without a maximum-bytes cap. A hostile or compromised endoflife.date / OSV.dev or a successful TLS MITM could return a multi-GB response,...

3.7CVSS5.9AI score0.00301EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/05 10:17 p.m.12 views

sse-channel: SSE Injection via unsanitized event fields

Impact Implementations that allows user-provided values to be passed to event, retry or id fields would be susceptible to event spoofing, where an attacker could inject arbitrary messages into the stream. - Event Spoofing: Attacker can inject arbitrary SSE events into the stream - Client-side...

8.7CVSS5.9AI score0.0041EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/05 10:16 p.m.9 views

AVideo has SSRF Protection Bypass via HTTP Redirect and DNS Rebinding in isSSRFSafeURL()

Summary Two endpoints in AVideo call isSSRFSafeURL to validate user-supplied URLs, then fetch them using bare filegetcontents without disabling PHP's automatic redirect following. An attacker can supply a URL pointing to a server they control that returns a 302 redirect to an...

7.7CVSS6AI score0.00348EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/05 10:16 p.m.15 views

AVideo: IDOR in PayPalYPT Plugin Allows Any Authenticated User to Cancel Arbitrary PayPal Subscription Agreements

Summary plugin/PayPalYPT/agreementCancel.json.php cancels a PayPal billing agreement using an attacker-supplied agreement parameter without verifying that the authenticated user owns the agreement. A low-privilege authenticated user who learns or obtains another user's PayPal billing agreement ID...

4.2CVSS5.8AI score0.00167EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/05 10:15 p.m.5 views

jdbi3-freemarker Vulnerable to Improper Neutralization of Special Elements Used in FreeMarker Template Engine

Summary Description An Improper Neutralization of Special Elements Used in a Template Engine CWE-1336 vulnerability in Jdbi allows arbitrary command execution when an application using jdbi3-freemarker permits attacker-influenced text to reach FreemarkerEngine.parse as template source. This affec...

6.2AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/05 10:14 p.m.12 views

AVideo: Unauthenticated CRLF/ICS Injection in Scheduler downloadICS.php Allows Calendar Event Spoofing

Summary The unauthenticated plugin/Scheduler/downloadICS.php endpoint passes attacker-controlled title, description, and joinURL parameters into Scheduler::downloadICS, which builds an ICS calendar file via the ICS helper class. ICS::escapestring objects/ICS.php:167-169 only escapes , and ; and...

4.3CVSS6AI score0.0018EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/05 10:4 p.m.11 views

authd: Primary group ID is incorrectly set to value of UID

authd 0.6.0 contains a bug which can lead to an incorrect primary group ID. It affects users whose primary group ID i.e. the GID in the user record differs from their UID. There are two ways which can lead to this: 1. The user was created with authd &2 continue fi if "$OLDGID"...

7.3CVSS5.8AI score0.0011EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/05 10:2 p.m.9 views

AVideo: Unauthenticated User Enumeration in objects/users.json.php via isCompany Parameter Allows Bypass of the Admin-Only Listing Restriction

Summary objects/users.json.php exposes two unauthenticated paths that disclose the full set of registered user accounts. The isCompany request parameter causes the handler to set $ignoreAdmin = true for any non-admin caller including unauthenticated visitors, which defeats the admin-only guard...

5.3CVSS5.8AI score0.0027EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/05 9:57 p.m.8 views

OpAMP client reads unbounded HTTP response bodies

Summary When receiving responses from the OpAMP server over HTTP, the OpAMP client allocates an unbounded buffer to read all bytes from the server, with no upper-bound on the number of bytes consumed. This could cause memory exhaustion in the consuming application if the configured OpAMP server i...

7.5CVSS6AI score0.00311EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/05 9:56 p.m.9 views

AVideo: Unauthenticated Arbitrary Email Sending via sendEmail.json.php Enables Phishing from the Site’s Legitimate From Address

Summary objects/sendEmail.json.php exposes two branches depending on whether contactForm=1 is submitted. When the parameter is omitted, the endpoint sets $sendTo to an attacker-supplied email and, for unauthenticated callers, uses the site's own contact email as the message From:/Reply-To:. The...

5.3CVSS5.9AI score0.00229EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/05 9:53 p.m.8 views

Prometheus vulnerable to stored XSS via crafted histogram bucket label values in the old web UI heatmap display

Impact In the Prometheus server's legacy web UI enabled via the command-line flag --enable-feature=old-ui, the histogram heatmap chart view does not escape le label values when inserting them into the HTML for use as axis tick mark labels. An attacker who can inject crafted metrics e.g. via a...

6.1CVSS6AI score0.00182EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/05 9:51 p.m.27 views

GraphQL-Ruby's Ruby lexer does not count comment tokens for the purposes of max_query_string_tokens

GraphQL-Ruby's maxquerystringtokens configuration didn't count comment tokens against the limit, allowing strings to be processed even after the configured maximum had actually been reached. In patched versions, the Ruby lexer does count these tokens. GraphQL-CParser is not affected by this...

5.8AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/05 9:50 p.m.20 views

ip-address has XSS in Address6 HTML-emitting methods

Summary Address6.group and Address6.link do not HTML-escape attacker-controlled content before embedding it in the HTML strings they return, and AddressError.parseMessage emitted by the Address6 constructor for invalid input can contain unescaped attacker-controlled content in one branch. An...

8.1CVSS5.4AI score0.00471EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/05 9:49 p.m.10 views

AVideo has Blind SSRF in YPTWallet Donation Webhook via Missing isSSRFSafeURL() Check and CURLOPT_FOLLOWLOCATION Redirect Bypass

Summary An authenticated user can configure their own donation-notification webhook URL to point at internal/loopback/metadata hosts e.g. http://127.0.0.1:8080/..., http://169.254.169.254/latest/..., RFC1918 addresses. When any other user including a second account owned by the same attacker...

5.4CVSS6AI score0.00165EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/05 9:49 p.m.7 views

Kubewarden vulnerable to RBAC Reconnaissance via unchecked can_i host capability call

Impact Kubewarden is a policy engine for Kubernetes. Kubewarden cluster operators can grant permissions to users to deploy namespaced AdmissionPolicies and AdmissionPolicyGroups in their Namespaces. One of Kubewarden promises is that configured users can deploy namespaced policies in a safe manne...

4.3CVSS5.8AI score0.00171EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/05 9:48 p.m.17 views

Mongoose's Improper Sanitization of $nor in sanitizeFilter May Allow NoSQL Injection

Impact This vulnerability allows bypassing Mongoose’s sanitizeFilter query sanitization mechanism via the $nor operator. When sanitizeFilter is enabled, Mongoose wraps query operators in $eq to neutralize them. However, prior to the fix, $nor was not included in the set of logical operators that...

7.5CVSS5.8AI score0.00274EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/05 9:46 p.m.13 views

rust-openssl has undefined behavior in X509Ref::ocsp_responders for certificates with non-UTF-8 OCSP URLs

X509Ref::ocspresponders returns OCSP responder URLs from a certificate's AIA extension as OpensslString, whose Deref wraps the raw bytes with str::fromutf8unchecked. OpenSSL does not enforce that the underlying IA5String is ASCII, so a certificate with non-UTF-8 bytes in its OCSP accessLocation...

8.7CVSS5.9AI score0.00211EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/05 9:46 p.m.15 views

Plug.Cowboy vulnerable to unauthenticated remote DoS via HTTP/2 `:scheme` atom-table exhaustion

Summary An unauthenticated remote denial-of-service vulnerability in Plug.Cowboy.Conn allows any attacker who can reach an HTTPS Plug.Cowboy listener via HTTP/2 to permanently exhaust the BEAM atom table and crash the entire Erlang VM. Am I Affected? All users running plugcowboy with HTTP/2 may b...

8.7CVSS5.9AI score0.00545EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/05 9:36 p.m.24 views

Grav is Vulnerable to Stored XSS via Tag Injection

Summary A low-privileged with the ability to create a page user can cause XSS with the injection of svg element. The XSS can further be escalated to dump the entire system information available under /admin/config/info whenever a Super Admin visits the page; which can further be chained with the...

8.9CVSS5.8AI score0.003EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/05 9:35 p.m.15 views

Grav is Vulnerable to XXE via SVG Upload

Dear Grav Security Team, A security vulnerability was discovered in Grav CMS that allows authenticated attackers to read arbitrary files from the server through XML External Entity XXE injection. Vulnerability Summary | Field | Details | |-------|---------| | Vulnerability Type | XML External...

6AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/05 9:34 p.m.11 views

Grav has Unauthenticated Path Traversal & Arbitrary File Write in its FormFlash component

Vulnerability Report: Grav CMS Unauthenticated Path Traversal & Arbitrary File Write ZERO-DAY Unauthenticated Path Traversal leading to Arbitrary Directory Creation and Configuration Injection Summary Grav CMS v1.7.49.5 and latest development source is vulnerable to a Zero-Day Path Traversal...

9.3CVSS5.9AI score0.00521EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/05 9:31 p.m.17 views

OpenStack Ironic has an Incorrect Resource Transfer Between Spheres

An issue was discovered in idrac in OpenStack Ironic before 35.0.1. During import, a user invoking molds can request authorization to be sent to a remote endpoint. The credential forwarded is a time-limited Keystone token which provides access to all OpenStack services Ironic is authorized for; o...

7.7CVSS5.8AI score0.0044EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/05 9:29 p.m.9 views

Grav Vulnerable to Administrative Account Disruption and Privilege De-escalation via User Overwrite Logic

Summary A business logic vulnerability in the Grav Admin Panel allows a low-privileged user with only user creation permissions to overwrite existing accounts, including the primary administrator. By creating a new user with a username that already exists, the system updates the existing account'...

8.1CVSS5.8AI score0.00463EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/05 9:29 p.m.7 views

Grav has Insecure Deserialization in File Cache

Insecure Deserialization in File Cache - Severity: High - CWE: CWE-502 - Location: system/src/Grav/Framework/Cache/Adapter/FileCache.php - Sink: unserialize$value, 'allowedclasses' = true Affected versions - Affected: = 1.7.44 and true allows object instantiation and does not constrain classes. P...

5CVSS5.8AI score0.00224EPSS
Exploits0References9Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/05 9:29 p.m.6 views

Grav has multiple RCE vectors: unsafe unserialize (x3), command injection in git clone, SSTI blocklist bypass

Multiple RCE vectors were found in Grav CMS. Three are critical, two are high. 1. Unsafe unserialize in JobQueue — direct RCE gadget Critical system/src/Grav/Common/Scheduler/JobQueue.php:465 calls unserializebase64decode... without restricting allowedclasses. The Job class has...

6AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/05 9:27 p.m.17 views

Grav Vulnerable to Publisher-Level Stored XSS via Unquoted Event Attributes

Summary A stored Cross-Site Scripting XSS vulnerability in getgrav/grav allows publisher-level accounts to execute arbitrary JavaScript. The issue arises from a blacklist bypass in the detectXss function when handling unquoted HTML event attributes. Details The detectXss function relies on a...

8.5CVSS6.1AI score0.00238EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/05 9:26 p.m.11 views

Grav Vulnerable to Sensitive Information Disclosure via Accounts Service Bypass

Summary Information disclosure exists in Grav CMS v1.8.0-beta.29. Despite previous security patches notably in v1.8.0-beta.27/28 aimed at restricting sensitive object access within the Twig environment, the Accounts Service remains exposed. A low-privileged user EX: Content Editor with only...

6.5CVSS5.8AI score0.0029EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/05 9:26 p.m.21 views

Grav Vulnerable to Privilege Escalation via Missing Server-Side Validation of groups/access

Bug Report: Registration Privilege Escalation via Missing Server-Side Validation of groups/access Summary The Login::register method in the Login plugin accepts attacker-controlled groups and access fields from the registration POST data without server-side validation. When registration is enable...

9.4CVSS5.8AI score0.00939EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/05 9:24 p.m.11 views

Grav Vulnerable to XSS via Taxonomy Field Values in Admin Panel

Summary A Stored Cross-Site Scripting XSS vulnerability exists in the Grav CMS Form plugin's select field template. Taxonomy tag and category values are rendered with the Twig |raw filter in the admin panel, bypassing the global autoescape protection. An editor-level user can inject arbitrary...

5.4CVSS6AI score0.0015EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/05 9:24 p.m.13 views

Grav CMS vulnerable to stored XSS via Markdown media attribute() action

Summary An authenticated user with page editing permissions can inject an executable JavaScript event-handler attribute into rendered image HTML through Grav's Markdown media action syntax. The issue is caused by Markdown image query parameters being converted into callable media actions. The...

6.9CVSS5.8AI score0.00397EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/05 9:21 p.m.14 views

Grav Vulnerable to Remote Code Execution (RCE) via Malicious Plugin ZIP Upload in Direct Install Feature

Summary An authenticated user with administrative privileges can achieve Remote Code Execution RCE by uploading a specially crafted ZIP file through the "Direct Install" tool. While the system attempts to block direct .php file uploads, it fails to inspect the contents of uploaded ZIP archives...

9.1CVSS6.2AI score0.03934EPSS
Exploits4References4Affected Software1
Total number of security vulnerabilities33227