Lucene search
K
GithubRecent

33181 matches found

Github Security Blog
Github Security Blog
added yesterday3 views

GoBGP confederation validation panics on empty AS_PATH attribute

Found through variant analysis based on CVE-2026-41643 Summary GoBGP accepts a zero-length ASPATH during UPDATE decoding and later panics while validating that attribute for a confederation eBGP peer. The vulnerable path is in the BGP UPDATE validator: a malformed UPDATE that should be rejected a...

7.5CVSS6.5AI score0.00503EPSS
Exploits1References2Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

GoBGP: BGP OPEN capability parser may read capability values outside declared CapLen boundaries

Summary GoBGP contains a BGP OPEN capability parsing issue where several concrete capability decoders may parse data from the full remaining capability buffer instead of the slice bounded by the declared capability length, CapLen. A malformed BGP OPEN message can cause bytes from a following...

6.4AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added yesterday2 views

psd-tools vulnerable to arbitrary file write via smart-object filename

psd-tools: arbitrary file write/read via smart-object path traversal Summary In psd-tools all releases exposing the SmartObject API through v1.17.0, SmartObject.save writes an embedded smart object to a path taken verbatim from the PSD file. Because that name is attacker-controlled and unsanitise...

6.6AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added yesterday3 views

sigstore-go has a multi-log threshold bypass via single compromised log

Impact What kind of vulnerability is it? Who is impacted? A verifier configured with WithTransparencyLogN1 or WithSignedCertificateTimestampsN1 expected defense-in-depth against the compromise of a single log instance. However, threshold counting counted verified witnesses per-entry or...

5.9AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added yesterday2 views

Rattler vulnerable to package cache path traversal via conda package build string

rattlercache and py-rattler were vulnerable to package-cache path traversal when handling package metadata from conda channels. During cache materialization, the rattercache code used the package record build string as part of a cache key that was joined into a filesystem path. A malicious or...

6AI score0.00033EPSS
Exploits0References2Affected Software2
Github Security Blog
Github Security Blog
added yesterday3 views

OpenRun: Redirect URL validation bypass using  //host  paths leads to Open Redirect

Summary The restrictions on redirect URLs in openrun can be bypassed by attackers, leading to open redirect attacks. Details In the current project, the referrer header value is used for subsequent redirects, so there is currently a validation for this redirect value. The current validation logic...

5.9AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added yesterday3 views

mint: Unbounded streams map growth via PUSH_PROMISE without follow-up HEADERS

Summary Mint's HTTP/2 client accepts PUSHPROMISE frames from any server it connects to and inserts every promised stream into a per-connection map without consulting maxconcurrentstreams. A malicious or compromised HTTP/2 server can flood the client with PUSHPROMISE frames and withhold the matchi...

8.2CVSS6AI score0.00384EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added yesterday3 views

mint: Unbounded CONTINUATION/HEADERS frame accumulation (CONTINUATION flood)

Summary Mint's HTTP/2 client accumulates CONTINUATION header-block fragments into a per-connection buffer with no cap on size or frame count. A malicious or compromised HTTP/2 server can drive the client's memory to arbitrary size by streaming an endless chain of CONTINUATION frames after a HEADE...

8.2CVSS6.2AI score0.00384EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added yesterday1 views

mint: Content-Length header accepts non-RFC "+" sign prefix

Summary Mint's HTTP/1 client accepts Content-Length header values with a leading + sign e.g. +0, +123, which RFC 7230 forbids Content-Length = 1DIGIT. On a connection shared with a strict fronting proxy or load balancer, this parser disagreement is a response-smuggling primitive: the proxy frames...

6.3CVSS6.1AI score0.00301EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added yesterday2 views

mint has potential CRLF injection in its HTTP request line via unvalidated `method`/`target`

Summary Mint's HTTP/1 request encoder splices the caller-supplied method and target directly into the request line without character validation. An application that forwards attacker-controlled input as the HTTP method or the target to Mint.HTTP.request/5 is exposed to request-line CRLF injection...

2.1CVSS6AI score0.00166EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added yesterday2 views

pypdf: Possible infinite loop when processing threads/articles in writer

Impact An attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires merging a file with threads/articles into a writer. Patches This has been fixed in pypdf==6.13.1. Workarounds If users cannot upgrade yet, consider applying the changes from PR 3839...

6.9CVSS5.8AI score0.00111EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

Sylius: IDOR on Shop Payment Request API endpoints

Impact The GET /api/v2/shop/payment-requests/hash and PUT /api/v2/shop/payment-requests/hash endpoints look up the payment request solely by the hash from the URL. No ownership check is performed against the authenticated customer or the underlying order. An attacker who obtains a payment request...

6AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added yesterday2 views

Sylius: Channel-based payment method restriction bypass on shop account orders API endpoint

Impact An authorization bypass vulnerability exists in the shop account API. The PATCH /api/v2/shop/account/orders/tokenValue/payments/paymentId endpoint, used by an authenticated shop customer to change the payment method of an order that has been placed but not yet paid state STATENEW, does not...

5.9AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added yesterday2 views

Sylius: Cart FormComponent allows modification or deletion of an already-completed order

Impact A user opens the cart page in the browser. In the background, the order gets completed, e.g. an admin changes the status, or the user finalizes payment in another tab. The browser still displays the old cart: the LiveComponent is unaware the underlying order state has changed. If the user...

5.9AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added yesterday3 views

YesWiki has Unsafe eval() in its Formula Calculato, Leading to Remote Code Execution & Denial of Service

Summary An unsafe execution vulnerability exists in the Bazar form field calculator CalcField.php of YesWiki. The application attempts to sanitize user-defined mathematical formulas using a complex recursive regular expression before passing them to the PHP eval function. This implementation is...

9.8CVSS6.3AI score0.00561EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added yesterday3 views

YesWiki Vulnerable to Authenticated PHP Object Injection in BazarImportAction via unserialize

Details Sink tools/bazar/services/CSVManager.php line 372-399: public function importEntryarray $importedEntries, string $formId: ?array if !$this-importdone // ... foreach $importedEntries as $entry $entry = unserializebase64decode$entry; // false argument; arbitrary classes are instantiated. Th...

6.7AI score0.00379EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added yesterday3 views

YesWiki has Authenticated SQL Injection via ReactionManager

Summary YesWiki through the latest development branch contains a SQL injection vulnerability in ReactionManager::deleteUserReaction that allows any authenticated user to inject arbitrary SQL via the idreaction and id URL path parameters. The parameters are concatenated directly into a SQL LIKE...

6.2AI score0.0004EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added yesterday2 views

YesWiki Vulnerable to Reflected XSS via Unescaped `id` Parameter in Bazar Widget HTML Attributes

Summary YesWiki's Bazar widget handler reflects the id GET parameter into HTML attributes using striptags only. Because striptags does not escape double quotes, an attacker can break out of the attribute value, inject an event handler such as onmouseover, and execute arbitrary JavaScript in the...

6AI score0.00039EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added yesterday2 views

YesWiki Vulnerable to Reflected XSS via Unescaped Archived-Revision `time` Parameter in `handlers/page/show.php`

Summary YesWiki's archived-revision view reflects the time GET parameter into a hidden HTML input in handlers/page/show.php without escaping. Because MySQL coerces malformed DATETIME strings, an attacker can append HTML or JavaScript to a valid archived revision timestamp, still load that archive...

6.2AI score0.00031EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added yesterday3 views

YesWiki has stored XSS in Bazar form-field templates via unescaped field.label / field.hint (|raw('html'))

Bazar form-field templates still apply |raw'html' to field.label / field.hint in attribute and label-body contexts — stored XSS in form renders sibling class of commit e6b66aa CWE: CWE-79 Improper Neutralization of Input During Web Page Generation, "Cross-site Scripting" via CWE-116 Improper...

6.2AI score0.00034EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

YesWiki: Second-Order SQL Injection in Page Delete API via Unescaped Page Tag (`ApiController::deletePage`)

Summary ApiController::deletePage interpolates a page tag retrieved from the database into a DELETE FROM …links WHERE totag = '$tag' query without escaping. The page tag is attacker-controlled — the POST /api/pages/tag API accepts arbitrary URL-encoded values, including single quotes, and stores...

6.2AI score0.00033EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added yesterday3 views

YesWiki: SQL Injection possible through public Bazar entry-listing APIs via numeric `query`/`queries` filters

Summary YesWiki’s public Bazar entry-listing APIs are vulnerable to unauthenticated SQL injection in numeric query / queries filters. For Bazar fields whose value structure is numeric, YesWiki escapes the attacker-controlled filter value but inserts it into SQL without quotes or numeric validatio...

6AI score0.00047EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added yesterday2 views

YesWiki has Unauthenticated Server-Side Request Forgery via ActivityPub `Signature.keyId`

Summary The POST /api/forms/formId/actor/inbox route - exposed publicly with acl:"public" - accepts an HTTP Signature header whose keyId parameter is a URL. HttpSignatureService::verifySignature parses the header and immediately makes a server-side HTTP GET to that URL, before any cryptographic...

6.2AI score0.00066EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added yesterday2 views

YesWiki Vulnerable to Unauthenticated ActivityPub Signature-Verification Bypass via `!openssl_verify(...)` accepting `int(-1)`

Summary HttpSignatureService::verifySignature checks the result of PHP's opensslverify with a loose boolean negation - if !opensslverify... throw ... . PHP's opensslverify has four possible return values: | return | meaning | !return | | ------ | ------------------------------------------------ |...

6AI score0.00022EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added yesterday3 views

YesWiki vulnerable to unauthenticated arbitrary page deletion via `{{erasespamedcomments}}` action

Summary The erasespamedcomments wiki action actions/EraseSpamedCommentsAction.php accepts a suppr array from POST and deletes every wiki page whose tag appears in that array, with no authorization check anywhere in the action body or in the page-deletion path it invokes. Combined with YesWiki's...

6AI score0.00052EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added yesterday3 views

YesWiki: SQL injection via the `recentchanges` action `period` argument leads to arbitrary DB read

Summary The recentchanges action actions/recentchanges.php accepts a period argument from two disjoint parameter spaces: the URL query string $GET'period' and the action invocation recentchanges period="...". A whitelist at line 17 validates only the URL form against 'day','week','month'. The...

6.2AI score0.00044EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added yesterday3 views

YesWiki: Authenticated (Admin) Server-Side Template Injection to Remote Code Execution via Bazar Semantic Templates

Summary YesWiki Bazar contains a stored Server-Side Template Injection SSTI vulnerability in the semantic template feature that can be escalated to confirmed Remote Code Execution RCE. An authenticated administrator can place arbitrary Twig expressions into the Semantic template Twig field...

6.5AI score0.00109EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added yesterday2 views

Avo: Direct attachment upload endpoint lacks upload authorization and bypasses field-level upload policy

Summary Avo's direct attachment upload endpoint lacks server-side upload authorization and bypasses the documented field-level upload policy methods such as uploadFIELDID?. An authenticated Avo user who can reach the Avo attachment upload endpoint can replace or add attachment content, including...

6AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

laravel-backup-restore has an OS Command Injection during database restore

Summary A crafted backup archive can trigger OS command injection during database restore. The restore workflow extracts a ZIP archive, enumerates files under db-dumps, converts the dump path to an absolute path, and passes that path into database import commands that are built as shell command...

6.2AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added yesterday2 views

nebula-mesh: Host revocation is not durable - blocked/offboarded hosts can regain a valid certificate

Summary Two related authorization gaps let a host that should no longer be trusted obtain a fresh, valid Nebula certificate, because nebula-mgmt does not re-evaluate revocation/authorization state at certificate issuance time — only at poll time. 1. Blocklist not enforced at sign / re-enroll time...

6AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

How GitHub gave every repository a durable owner

GitHub has over 14,000 repositories across our primary internal GitHub organization. As of early 2025, there were over 11,000 non-archived repositories, the vast majority of which with no clear owner. For repositories attached to production services, we have historically had robust durable...

6AI score
Exploits0
Github Security Blog
Github Security Blog
added yesterday5 views

Gittensory: Missing contributor-scoped access control on profile endpoint and MCP tool leaks miner financial data

Summary GET /v1/contributors/:login/profile and the gittensorygetcontributorprofile MCP tool skip the contributor-scoped access check that every sibling endpoint enforces. Any authenticated session/API/MCP token holder can read any contributor's profile; for confirmed Gittensor miners that expose...

6AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added yesterday5 views

Admidio: CSRF on Plugin Install, Uninstall, and Update via Unprotected GET Requests

Summary The modules/plugins.php endpoint handles plugin installation, uninstallation, and update operations via GET requests without CSRF token validation. Because these are top-level navigations, browsers include SameSite=Lax session cookies. An attacker crafts a malicious page that, when an...

6.2AI score0.00013EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added yesterday3 views

Craft CMS: RCE via missing cleanseConfig in FieldsController::actionRenderCardPreview

The actionRenderCardPreview method in FieldsController passes the fieldLayoutConfig POST parameter directly to Fields::createLayout without calling Component::cleanseConfig. This allows Yii2 event handler injection via on eventName keys in the config array, leading to arbitrary code execution. Th...

6.3AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

Craft CMS has authenticated path traversal in `assets/icon`, allowing local `.svg` file read

Summary An authenticated path traversal in assets/icon allows local SVG file read by passing traversal sequences in the extension parameter. The issue is caused by file existence checks happening before extension validation. Details The endpoint: - src/controllers/AssetsController.php:1115-1123 -...

6AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added yesterday5 views

Ruby CSS Parser: SSRF and Local File Disclosure in `CssParser::Parser#read_remote_file`

Summary CssParser::Parserreadremotefile and therefore loaduri!, and the @import-following branch of addblock! issues HTTP/HTTPS requests against any host, port and URI it is handed, with no scheme allowlist, no host / IP filtering, and no protection against link-local, loopback or RFC‑1918...

6.2AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added yesterday5 views

org.hl7.fhir.core: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint

Summary All implementations of FHIRPathEngine accept arbitrary FHIRPath expressions and evaluate them without input validation. The utility intended to secure this evaluation did so incorrectly, and did not fully cover all places in which evaluation was being done. An attacker can send a resource...

6.3AI score
Exploits0References2Affected Software8
Github Security Blog
Github Security Blog
added yesterday5 views

pymonocypher: Potential heap buffer overflow on nb_blocks in argon2i_32 when provided buffer is too small

Impact The argon2i32 implementation does not check the nbblocks size. If the caller does not provide a sufficiently large buffer based on the API contract, then argon2i32 will write past the end of the buffer and possibly corrupt the heap. Patches Fixed in 4.0.2.8, which now verifies that nbblock...

6.1AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added yesterday5 views

Note Mark: Path traversal via unsanitized book/note slug in migrate export (sibling of GHSA-g49p)

Summary Note Mark validates book and note slug values with the OpenAPI/huma tag pattern:"a-z0-9-+". huma compiles this with regexp.MustCompiles.Pattern and tests it with patternRe.MatchStringstr, an UNANCHORED match. Because the pattern is not anchored ^...$, any string that merely CONTAINS one...

6.5AI score0.00059EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

Note Mark: Unauthenticated disclosure of soft-deleted note metadata via deleted=true on public books

Summary GET /api/books/bookID/notes is an unauthenticated endpoint that accepts a "deleted" query parameter. When the request is ?deleted=true, the service runs the query with Unscoped bypassing GORM's soft-delete scope but keeps the read-authorization clause as "ownerid = ? OR ispublic = ?". As ...

5.9CVSS6AI score0.00409EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added yesterday5 views

Soup Sieve: Regular Expression Denial of Service (ReDoS) via Selector Parser

Summary The CSS selector parser in soupsieve the CSS selector engine for Beautiful Soup 4 contains a regular expression vulnerable to catastrophic backtracking. When processing an attribute selector with an unterminated quoted value, the VALUE regex pattern in cssparser.py enters exponential...

5.9AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

Soup Sieve has Memory Exhaustion via Large Comma-Separated Selector Lists

Summary The CSS selector parser in soupsieve the CSS selector engine for Beautiful Soup 4 allocates unbounded memory when compiling large comma-separated selector lists. An attacker who can supply a crafted CSS selector string to soupsieve.compile or Beautiful Soup's .select / .selectone can caus...

6AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

Phantom: Arbitrary file write and decode-bomb DoS via unconfined MCP tool paths

Impact In Phantom = 1.3.0, when PHANTOMOUTPUTDIR was unset the default, the MCP tools accepted arbitrary absolute output paths with no confinement. Anything able to send tool calls e.g. an AI agent driving the MCP interface could write or overwrite arbitrary files the process user can write —...

8.2CVSS7.6AI score0.00504EPSS
Exploits1References2Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

Micronaut: DefaultHttpClient follows redirects, forwarding Authorization, Cookie, and Proxy-Authorization headers

Impact DefaultHttpClient follows redirects and forwards Authorization, Cookie, and Proxy-Authorization headers to redirect targets across domain boundaries. The blocklist only filters Host/Connection/TE/CT/CL. Additionally, no maximum redirect count exists, enabling infinite loop DoS. Affected:...

5.9AI score
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added yesterday5 views

Micronaut doesn't set a maximum redirect count for its HTTP Client, enabling infinite loop DoS

The Netty-based Micronaut HTTP Client does not impose a limit on HTTP redirections, potentially allowing an infinite redirect loop that could lead to a denial-of-service attack. Patches The following versions are patched: - For Micronaut 5, versions equal or greater than 5.0.1 = - For Micronaut 4...

6AI score
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

pyLoad: Unbounded Memory Growth Leading to DoS and Potential DDoS in EventManager

Description: The EventManager module in pyload manages a list of Client instances for subscribing to events. The addition of each unique uuid from the getevents API causes the creation of a Client instance that gets appended to the clients list. Although there is a clean method available in the...

6AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

pyLoad: SSRF guard bypass via IPv6 6to4/NAT64 transition wrappers of internal IPs

Summary isglobaladdress in src/pyload/core/utils/web/check.py is the central guard against SSRF-style outbound connections in pyload-ng. It tests whether a given IP is "globally routable" via Python's ipaddress.ipaddressvalue.isglobal, and callers treat not isglobal as "deny": python def...

6AI score0.00039EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2 days ago6 views

Serena: Unauthenticated Flask dashboard on fixed port enables DNS rebinding → memory poisoning → RCE

Summary Serena's built-in web dashboard exposes an unauthenticated Flask API on a fixed, predictable port TCP 24282, hardcoded as 0x5EDA in constants.py. The server has no authentication, no CSRF protection, and no Host header validation. A DNS rebinding attack allows a malicious webpage to reach...

8.3CVSS6.7AI score0.00237EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2 days ago6 views

NL Portal: IDOR allows any authenticated user to complete and tamper with another user's taak

Impact In versions from 1.5.0 up to and including 3.0.0, any authenticated portal user could complete and tamper with another user's open task by submitting it on their behalf. The task submission endpoint accepted a task ID and a payload, but it never checked whether the task actually belonged t...

6AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2 days ago7 views

NL Portal: Missing per-user authorization on document and decision GraphQL queries in nl-portal-backend-libraries

Impact In versions up to and including 3.0.0, two parts of the GraphQL API returned data without checking whether the data belonged to the logged-in user: - Document content. A logged-in user could download the raw content of any document by its ID, regardless of who owned it. The resolver has...

5.8AI score
Exploits0References2Affected Software2
Total number of security vulnerabilities33181