Lucene search
K
GithubRecent

33255 matches found

Github Security Blog
Github Security Blog
added yesterday6 views

FacturaScripts: Account takeover of any 2FA-enabled user

Authentication bypass in FacturaScripts: /login?action=two-factor-validation accepts brute-forceable TOTP without password or CSRF protection Summary Core/Controller/Login.php::twoFactorValidationAction accepts an unauthenticated POST containing only fsNick and fsTwoFactorCode. If the TOTP value...

6.2AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added yesterday3 views

DIRAC: SQL injection and lack of access control in PilotManager service

Details A number of the functions in PilotManager pass parameters directly through to the database layer, which then does not do any escaping on the parameters. For example setPilotStatus:...

6.1AI score
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

DIRAC: Pilot code downloaded over unverified HTTPS connection

Summary The second stage pilot pilot.tar is downloaded by the initial wrapper script without any verification of the webservers' SSL certificate and the contained script is subsequently executed. The checksum is tested, but the reference checksum file is downloaded over the same unvalidated...

6.4AI score
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

DIRAC is vulnerable to RCE in FileCatalog DatasetManager via SQL injection + eval

Summary The FileCatalog DatasetManager runs a query on the database and passes the result to eval. The SQL query contains an injection vulnerability which allows an authenticated user to control the parameter returned to the eval resulting in remote code execution. Details The FileCatalog...

6.2AI score
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added yesterday3 views

Apollo ConfigService access key authentication bypass via raw config file appId parsing

Summary Apollo ConfigService may allow unauthorized access to raw configuration data when AccessKey / management key authentication is enabled because authentication parsed the appId incorrectly for the raw config file endpoint. Details Requests under /configfiles/raw/appId/clusterName/namespace...

6.1AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added yesterday5 views

Apollo ConfigService access key authentication bypass via appId parsing and non-canonical matching

Summary Apollo ConfigService may allow unauthorized access to configuration data when AccessKey / management key authentication is enabled and ConfigService accepts a non-canonical appId variant during authentication while downstream request handling resolves it to the protected app. Details...

6.1AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

NukeViet: Pre-authentication SSRF via X-Forwarded-Host

Summary An unauthenticated attacker can coerce the server into issuing HTTP requests to an attacker-chosen host by spoofing the X Forwarded-Host and X-Forwarded-Proto request headers. The forwarded host is used, without validation, to build the URL that serverinfoupdate fetches with cURL, resulti...

6.2AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

NukeViet: Path Traversal to Arbitrary File Deletion in Edit Comment Function

Summary Path Traversal to Arbitrary File Deletion in the Edit Comment admin function. An authenticated administrator can delete arbitrary files within the application root e.g., config.php by injecting a crafted attach parameter, rendering the application inoperable. Affected Component...

6.2AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added yesterday3 views

NukeViet: Multiple Anti-XSS Filter Bypasses Leading to Stored XSS in News Module

Summary Two filter-bypass techniques in NukeViet\Core\Request::filterAttr and NukeViet\Core\Request::unhtmlentities allow a low-privileged user any account with news post permission to store and serve arbitrary JavaScript to any visitor of the affected page. Affected Component...

6.3AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

NukeViet: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Summary A stored cross-site scripting XSS vulnerability exists in NukeViet CMS versions 4.x through 4.5.08. A low-privileged authenticated user can store a JavaScript payload in their profile's display name fields. The payload executes in the browser of any visitor — including administrators — wh...

6.2AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added yesterday5 views

NukeViet: Unauthenticated Reflected XSS in Comment Module

Summary Reflected XSS in the Comment module via the statuscomment URL parameter. The parameter accepts attacker-controlled base64-encoded HTML/JavaScript that is decoded server-side and rendered unescaped into the page. Compounded by a second flaw: the checkss anti-forgery token was derived from ...

6AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added yesterday3 views

DIRAC is vulnerable to RCE in RequestManager due to eval on untrusted input

Summary An remote code execution vulnerability exists in RequestManager due to the use of eval on untrusted input that allows any authenticated user to run code/commands on the DIRAC server as the system user running the DIRAC services. Details The exportgetRequestCountersWeb function is callable...

6.5AI score
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added yesterday2 views

Decidim: Push subscriptions can be abused for server-side requests

Description The push-subscription endpoint stores an attacker-controlled delivery URL, and the notification send path becomes an outbound-request sink when VAPID delivery is enabled. The practical result is an authenticated, stored, mostly blind SSRF primitive to arbitrary HTTPS endpoints reachab...

6.2AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added yesterday5 views

Decidim: HTML content blocks allow stored script execution

Description A privileged admin user who can edit an affected landing page can store arbitrary HTML/JavaScript in an HTML block, and the public page renders it with htmlsafe and no output escaping. Technical description This issue lets any admin who can edit an affected landing page store arbitrar...

6.2AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added yesterday5 views

Decidim: CSV census record endpoints improper authorization

Description A participant manager can access and modify the CSV census record admin forms. Technical description The CSV census admin record-management surface under /admin/csvcensus/censuslogs does not enforce admin-only authorization before rendering or mutating Decidim::Verifications::CsvDatum...

6.2AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added yesterday3 views

Decidim: JWT-backed authentication can be replayed across organizations

Description A JWT issued to an Org 1 account is accepted on the Org 2 API and can read the admin-only GraphQL participantDetails field for an Org 2 participant. The same trust-boundary problem also affects API-user authentication: an Org 1 API user can use a JWT on the Org 1 host and replay that...

6.1AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added yesterday3 views

Decidim: Verification documents can be downloaded through reusable links

Description Scanned identity-document images provided by participants and shown in the verification admin workflow are exposed through signed /rails/activestorage/disk/ URLs that can be fetched without any authenticated session. Anyone who obtains one of those URLs can retrieve the document until...

6.1AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added yesterday2 views

Decidim: Private exports can be downloaded through reusable links

Description The normal downloadyourdata flow requires the requester to be logged in as the export owner, but the resulting Active Storage blob redirect URL can be replayed without authentication by anyone who obtains it. Technical description This private export flow turns an authenticated,...

6.1AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added yesterday2 views

Decidim: Admin user search allows SQL injection through similarity-based sorting

The admin organization user search uses the untrusted term value inside raw SQL ORDER BY expressions. Because the value is interpolated before Rails sanitization is applied, a crafted search string is executed by PostgreSQL as part of the sort expression. Technical description The vulnerable...

6.3AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added yesterday3 views

Decidim: Verification admins can access supplied IDs from other organizations

Description The verification admin mutation flow allows accessing, verifying, and rejecting participants records from another tenant. Technical description The verification admin controllers loads pendingauthorizationid with a raw Authorization.find... and then authorizes the record without...

6AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added yesterday2 views

Decidim: Forms admin question editor lacks authorization

Description A participant can load the demographics questionnaire admin editor and make changes. Technical description The demographics questionnaire editor should require admin access, but the route under /admin/demographics/questions renders the editor interface without checking whether the...

6.1AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added yesterday2 views

Apollo Portal: There is a risk of unauthorized access to the Apollo configuration center

Summary Apollo Portal versions before 2.5.0 do not verify application and namespace permissions when an authenticated user requests a release by ID through GET /envs/env/releases/releaseId. When configView.memberOnly.envs is enabled for the requested environment, a low-privileged Portal user can...

6.1AI score
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added yesterday3 views

GeoNode: Stored XSS to full account takeover

An issue exists within GEONODE where the current rich text editor is vulnerable to Stored XSS. The applications cookies are set securely, but it is possible to retrieve a victims CSRF token and issue a request to change another user's email address to perform a full account takeover. Due to the...

6.1CVSS6.1AI score0.00376EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 4 days ago8 views

TSDProxy: Internal proxy auth token forwarded to backend services enables management API escalation

Description A vulnerability was discovered in TSDProxy where it forwards its internal per-process authentication token to all proxied backend services. When identityHeaders is enabled the default, tsdproxy injects x-tsdproxy-auth-token into every upstream HTTP request alongside user identity...

6.4AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 4 days ago9 views

melange: Incomplete package integrity verification allows data section substitution

Previously, Apko verified the control section hash .PKGINFO etc. against the signed APKINDEX, but never verified the data section hash the actual package files that get installed. An attacker who could compromise a mirror, poison a cache, or MITM a package fetch could substitute arbitrary file...

6.2AI score0.00036EPSS
Exploits0References2Affected Software2
Github Security Blog
Github Security Blog
added 4 days ago7 views

Excon does not redact additional sensitive/risky headers when following redirects

Impact The redirect follower middleware previously failed to strip a number of headers that are known to be sensitive and did not provide a way to provide a custom list of headers to strip. What kind of vulnerability is it? Who is impacted? This could cause inadvertent leakage of sensitive data f...

6.1AI score
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 4 days ago6 views

Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enabled is unset

Summary A Clauster instance bound to a non-loopback address e.g. 0.0.0.0 or a LAN IP can serve the entire dashboard and its API without any authentication — even when the operator has configured a password — if auth.enabled is left at its default false. The operator believes the instance is...

6.5AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 4 days ago7 views

Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when given untrusted input

Summary secureheaders builds the Content-Security-Policy value by stitching every configured directive together with ; separators. Three directive builders buildsandboxlistdirective, buildmediatypelistdirective, buildreporttodirective interpolate caller-supplied strings into that value without...

6.2AI score0.00031EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 4 days ago7 views

SiYuan: Stored XSS to RCE via Unsanitized Attribute View Asset Cell Content

SiYuan v3.6.5 and earlier versions contain a stored cross-site scripting XSS vulnerability in the Attribute View database asset cell renderer that escalates to remote code execution RCE in the Electron desktop client. This is a neighbor-bug of CVE-2026-44588: the fix for -44588 used escapeAriaLab...

9.9CVSS6.5AI score0.0044EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 4 days ago10 views

prestashop/ps_facetedsearch: PHP Object Injection in faceted search cache allows unauthenticated RCE

Impact A PHP Object Injection vulnerability affects the PrestaShop module psfacetedsearch. The module rebuilds the selected search filters from the request URL. The value of a slider filter price or weight is taken from the URL without sufficient validation, then stored in an internal filter-bloc...

6.2AI score0.00092EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 4 days ago10 views

SiYuan: Stored XSS to RCE via attribute-view cell rendering in genAVValueHTML()

Summary The attribute-view database cell renderer genAVValueHTML interpolates cell content raw in four of its branches: text, url, phone, and mAsset. A cell value like or " breaks out of its surrounding tag and runs arbitrary JavaScript in the renderer when the victim opens the block-attribute...

9.9CVSS6.2AI score0.00289EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 4 days ago8 views

mcp-atlassian: Arbitrary file read via missing path validation in confluence_upload_attachment

Summary confluenceuploadattachment passes filepath directly to openfilepath, "rb" with no path validation. Any authenticated MCP client — or an AI agent manipulated via prompt injection — can read any file the server process can access and exfiltrate it to Confluence as an attachment. Details Roo...

6.1AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 4 days ago9 views

mcp-atlassian: Arbitrary server-side file read via attachment upload

Summary A client that can invoke MCP tools can read arbitrary files from the server host and exfiltrate them as Atlassian attachments. The attachment-upload tools take a client-supplied filepath and open it on the server's filesystem. The upload tools are meant to attach a file from the caller's...

6.1AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 4 days ago11 views

SafeInstall agent guard shell parsing can miss raw package execution

Summary SafeInstall CLI through 0.10.1 can fail to recognize some package-manager and registry-runner commands in its agent guard. Case-variant launcher names, leading file-descriptor redirections, and supported shell wrappers with options can cause a raw install command to receive no guard...

6.3AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 4 days ago10 views

NotrinosERP: Authenticated arbitrary file upload leads to remote code execution via HRM employee "Documents" (doc_file)

Summary An authenticated user with the HR "Manage Employees" permission SAEMPLOYEE can upload a file with an arbitrary extension through the employee Documents tab. The handler writes the raw client-supplied filename — extension intact — into a web served directory with no extension, MIME, or...

6.5AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 4 days ago10 views

BabelDOC: Arbitrary Code Execution via CMap Pickle Deserialization in babeldoc/pdfminer/cmapdb.py

Arbitrary Code Execution via CMap Pickle Deserialization in babeldoc/pdfminer/cmapdb.py Summary BabelDOC's vendored PDF parser babeldoc/pdfminer/cmapdb.py deserializes untrusted pickle data when loading CMap files. The loaddata method strips only NUL bytes from a PDF-controlled CMap name, then...

6.6AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 4 days ago10 views

File Browser: Command Injection via Authentication Hook Shell Substitution (Pre-Authentication RCE)

Overview The Hook Authentication feature in File Browser allows administrators to delegate login verification to an external shell command. User-supplied credentials username and password are interpolated into this command string using os.Expand without sanitization. An unauthenticated remote...

9.3CVSS6.5AI score0.00533EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 4 days ago11 views

`exploration` was removed from crates.io for malicious code

A method within the exploration crate attempted to download and execute a payload from a remote site. The malicious crate had 1 version published on 2026-06-02, approximately 1 hour before removal, and had no evidence of actual usage. This crate had no dependencies on crates.io. Rustsec to Kirill...

6.2AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 4 days ago10 views

Windmill: Resource-scoped API tokens can read script contents outside their allowed path via scripts/list_search

Summary A resource-scoped API token can read script contents outside its allowed path scope via GET /api/w/workspace/scripts/listsearch. This appears to be a remaining variant of the scoped-token authorization class previously addressed for other endpoints. The route-level scope middleware...

6.1AI score0.00022EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 4 days ago10 views

SiYuan: Stored XSS in Bazaar marketplace via package README event handlers

Summary renderPackageREADME in kernel/bazaar/readme.go renders a Bazaar package README from Markdown to HTML with the lute engine and SetSanitizetrue. The lute sanitizer is an event-handler blocklist: allowAttr rejects only attribute names present in a fixed eventAttrs map copied from the w3schoo...

7.1CVSS6.3AI score0.0018EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 4 days ago11 views

File Browser: Authentication Bypass via Proxy Auth Header Forgery

Summary When FileBrowser is configured with proxy authentication auth.method=proxy, any unauthenticated attacker who can reach the server directly can impersonate any user - including admin - by sending a single forged HTTP header. No credentials are required. Additionally, specifying a...

9.1CVSS6.2AI score0.00337EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 4 days ago9 views

SiYuan: Unauthenticated Admin API Access via Blanket chrome-extension:// Origin Allowlist

Summary SiYuan Note's kernel HTTP server unconditionally trusts all chrome-extension:// origins, granting RoleAdministrator access to every installed browser extension without any authentication. Combined with the default empty AccessAuthCode on desktop installs, any Chrome/Chromium extension --...

9.2CVSS6.1AI score0.00607EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 4 days ago10 views

SiYuan: Unauthenticated SQLite Data Exfiltration via Template Injection in /api/icon/getDynamicIcon

Summary The /api/icon/getDynamicIcon endpoint is explicitly excluded from authentication in SiYuan's kernel router router.go, "不需要鉴权" -- no auth needed. When called with type=8 and a valid block id parameter, this endpoint invokes RenderDynamicIconContentTemplate, which executes a Go template tha...

5.9CVSS6.3AI score0.00239EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 4 days ago9 views

CredSweeper: Recursive archive size-limit bypass in deep scanner allows crafted compressed inputs to exhaust resources

Summary CredSweeper's deep scanner does not enforce recursivelimitsize as a hard limit. Several recursive scanners fully decompress or fully read attacker-controlled content before the remaining budget is validated, and AbstractScanner.recursivescan continues processing even when the residual...

6.1AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 4 days ago8 views

Excelize: Unbounded Row Index Allocation in Worksheet Parser (checkSheet OOM/Panic DoS)

Unbounded Row Index Allocation in Worksheet Parser checkSheet OOM/Panic DoS Summary The checkSheet function in github.com/xuri/excelize/v2 uses an attacker-controlled XML attribute value directly as the length argument to makexlsxRow, row without validating it against the Excel row limit TotalRow...

7.5CVSS6.2AI score0.00575EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 4 days ago10 views

Authorizer: Unvalidated redirect_uri in /authorize leaks OAuth2 tokens to attacker-controlled URL

Summary The /authorize endpoint accepts any redirecturi without validating it against AllowedOrigins. When responsetype=token or responsetype=idtoken, the server appends accesstoken, idtoken, and refreshtoken as query parameters and issues a 302 redirect to the attacker-supplied URL. An...

6.1AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 4 days ago10 views

SiYuan: Stored XSS to RCE via CSS-snippet <style> breakout in renderSnippet()

Summary A CSS snippet body containing breaks out of its surrounding tag when renderSnippet interpolates it via insertAdjacentHTML. A payload like runs arbitrary JavaScript in the renderer. On Electron desktop builds the renderer runs with nodeIntegration:true, so require'childprocess' is reachabl...

9.9CVSS6.2AI score0.00307EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 4 days ago11 views

SiYuan: Path Traversal via Double URL Encoding in /assets/*path (publish mode arbitrary file─read), Incomplete fix of CVE-2026-41894

Summary The patch for CVE-2026-41894 "Path Traversal via Double URL Encoding" sanitized the /export/ route but the identical root cause remains in the /assets/path route. In publish mode anonymous read-only HTTP endpoint, default port 6808, an unauthenticated remote attacker can read arbitrary...

7.5CVSS6.2AI score0.01892EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 4 days ago10 views

MCP Atlassian: DNS-rebinding TOCTOU bypass of the SSRF fix (CVE-2026-27826)

Summary GHSA-7r34-79r5-rcc9's fix added validateurlforssrf, which resolves the attacker-controlled X-Atlassian-Jira,Confluence-Url header host once at middleware time and trusts the result. But the outbound request is later built with the raw hostname and re-resolves at connect time with no IP...

8.2CVSS6.2AI score0.14958EPSS
Exploits1References2Affected Software1
Github Security Blog
Github Security Blog
added 4 days ago9 views

tarteaucitron: data-cookie attribute can be used to delete arbitrary cookies

Summary tarteaucitron provides a list of cookies and buttons to delete them. If an attacker can write HTML with data attributes, they could create an element that silently deletes a cookie when clicked and trick a user to delete this cookie. Details tarteaucitron.cookie.purge is called on any...

6.1AI score
Exploits0References2Affected Software1
Total number of security vulnerabilities33255