Lucene search
K
GithubRecent

33312 matches found

Github Security Blog
Github Security Blog
added yesterday4 views

FacturaScripts: Path traversal in UploadedFile::move() via getClientOriginalName() — arbitrary file write outside MyFiles/ leading to RCE

Summary FacturaScripts\Core\UploadedFile::move$destiny, $destinyName concatenates $destiny and $destinyName without normalizing the resulting path. Every caller in the codebase passes UploadedFile::getClientOriginalName — the unsanitized client-supplied filename — as $destinyName, so an...

6.5AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added yesterday5 views

NetLicensing-MCP: Unauthenticated Use of Server-Side NetLicensing API Key in HTTP Mode

Unauthenticated Use of Server-Side NetLicensing API Key in HTTP Mode Summary When netlicensing-mcp is run in HTTP transport mode, the ApiKeyMiddleware fails to enforce authentication: requests that carry no client API key are unconditionally forwarded to the next handler server.py:1427. The...

6.1AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

Woodpecker: Privilege escalation via unrestricted serviceAccountName in the Kubernetes backend

Impact A privilege escalation vulnerability affects Woodpecker instances using the Kubernetes backend. The pipeline option backendoptions.kubernetes.serviceAccountName was passed directly to the pod spec without any admin gating. Who is impacted: any operator running the Kubernetes backend. Any...

6.2AI score
Exploits0References3Affected Software3
Github Security Blog
Github Security Blog
added yesterday5 views

Nebula-mesh allows non-admin operators to disable webhook SSRF protection via `allow_private`

Summary Non-admin operators role user can set allowprivate: true on their own managed webhook subscription POST/PATCH /api/v1/webhook-subscriptions. No admin check exists on this field. At delivery time, allowprivate switches the dispatcher to an unguarded HTTP client, bypassing the...

6.2AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

nebula-mesh: Certificate revocation is never enforced at the mesh

Summary nebula-mesh revokes a host by adding its certificate fingerprint to a per-CA blocklist and shipping that list to every other agent on each poll. Slack's Nebula enforces certificate revocation ONLY through the pki.blocklist list in config.yml no CRL/OCSP. The project's own code states this...

6.1AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added yesterday3 views

n8n-MCP: Incorrect authorization can expose default-scope workflow version backups in multi-tenant HTTP mode

Summary In multi-tenant HTTP mode ENABLEMULTITENANT=true, an authenticated tenant could, under certain conditions, reach n8n-mcp's local default-scope workflowversions backups instead of being confined to its own tenant scope. This affects n8n-mcp's own local workflow-version storage, not a norma...

6.1AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added yesterday3 views

nebula-mesh: Web UI host creation ignores configured enrollment token TTL and mints 24-hour bearer enrollment tokens

Summary The nebula-mgmt Web UI host-creation path ignores both the server-wide enrollmenttokenttl security setting and per-network networkconfig.enrollmenttokenttl overrides. API host creation and token-regeneration paths use the configured TTL resolver, but POST /ui/hosts hardcodes now.Add24...

6AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

nebula-mesh: Unauthenticated OIDC login endpoint allocates unbounded in-memory state entries without rate limiting

Summary When OIDC is enabled, GET /ui/oidc/login is reachable without authentication and is registered outside the Web UI rate-limited auth routes. Every request creates a fresh random OIDC state value and stores it in an in-memory map for 10m. Expired states are swept lazily, but there is no rat...

6.2AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

Anyquery: Local File Read (LFR) via Unrestricted SQLite Virtual Table Modules in Server Mode

Summary Anyquery's server mode lacks input sanitization and access control over its built-in SQLite virtual table modules e.g., csvreader, logreader. Unauthenticated attackers connecting to the MySQL-compatible server port can create virtual tables pointing to local files on the system e.g.,...

6.2AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

nebula-mesh: Operator session tokens stored in plaintext in the database

Impact Operator session tokens are stored in plaintext in the operatorsessions table the token column is the PRIMARY KEY. The session token is a 32-byte random hex value sent directly in a cookie and valid for 24 hours. - internal/models/operator.go:61 — OperatorSession.Token holds the plaintext...

6.1AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added yesterday5 views

Netty: Denial of Service via Unbounded Headers in StompSubframeDecoder

Summary The StompSubframeDecoder fails to limit the total number of headers or their cumulative size per frame, allowing an attacker to cause an OutOfMemoryError, leading to a Denial of Service. Details io.netty.handler.codec.stomp.StompSubframeDecoder implements the STOMP protocol. The...

6.1AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

nebula-mesh: CA private key not zeroized on web mobile-bundle error paths

Impact The web handler renderMobileBundle internal/web/handlers.go:1325 passes the real pki.CAResolver directly into mobilebundle.Build. Inside Build internal/mobilebundle/builder.go:54, resolver.LoadByID decrypts the CA's ed25519 private key into a pki.CAManager, but Build never calls...

6.2AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

Anyquery: Server-Side Request Forgery (SSRF) via Unrestricted SQLite Virtual Table Modules in Server Mode

Summary Anyquery's server mode does not restrict outbound HTTP requests initiated by its built-in SQLite virtual table modules e.g., jsonreader, logreader. Unauthenticated attackers connecting to the MySQL-compatible server port can create virtual tables pointing to internal network endpoints or...

6.2AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

Umbraco.AI discloses sensitive application configuration values

Impact Under certain configurations, a user with elevated privileges may be able to cause sensitive application configuration values, potentially including secret material such as credentials, to be disclosed. Successful exploitation could expose confidential information and, depending on what th...

6.1AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

Ech0: ParseAcceptLanguage `_` separator bypass enables ~70x CPU amplification via Accept-Language header in i18n.Middleware

Summary Ech0's i18n middleware runs on every HTTP request and constructs a fresh goi18n.Localizer from the raw Accept-Language header without imposing any size or shape filter. goi18n.NewLocalizer calls golang.org/x/text/language.ParseAcceptLanguage on the value internally. The underlying parser...

7.5CVSS6.9AI score0.01428EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

TidGi Desktop Remote Code Execution via Malicious TiddlyWiki Repository Import — Tiddler Startup Module Auto-Execution

Description TidGi Desktop through 0.13.0 contains a critical remote code execution vulnerability exploitable via a single Git repository import. The vulnerability leverages TiddlyWiki's module system, which automatically discovers and executes JavaScript code embedded in .tid files placed in the...

6.7AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

Trivy: Helm chart tar bomb causes OOM via unbounded io.ReadAll in parser

Summary When Trivy scans a Helm chart archive .tgz, its custom tar unpacker reads each entry with io.ReadAlltr and no size limit. An attacker who can place a malicious .tgz file in the scanned path can craft a small compressed archive that decompresses to gigabytes, causing the Trivy process to b...

6.9CVSS6.1AI score0.0025EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

EasyAdmin: Stored Cross-Site Scripting (XSS) via uploaded files served inline in FileField and ImageField

EasyAdmin's FileField and ImageField accept browser-executable file types by default FileField applies no MIME/extension restrictions; ImageField's default Image constraint accepts SVG. When the upload directory is configured inside the public web root — as shown in the documentation — EasyAdmin...

6.2AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

TsDProxy: X-Forwarded-For header injection allows IP spoofing in proxied requests to backend services

Description The HTTP reverse proxy handler in tsdproxy does not strip the X-Forwarded-For or X-Real-IP header from incoming requests before calling r.SetXForwarded. This allows an authenticated Tailscale user to inject arbitrary X-Forwarded-For values that are forwarded verbatim to backend...

6.2AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

Prototype pollution in @feathersjs/commons _.merge via JSON-parsed __proto__

Impact The .mergetarget, source utility exported by @feathersjs/commons recursively merges source into target by iterating Object.keyssource. When source was produced by JSON.parse and contains a proto or constructor / prototype key, that key is returned as an own-enumerable property. The recursi...

6.1AI score
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

yutu: Arbitrary File Write via MCP `caption-download` Tool

Arbitrary File Write via MCP caption-download Tool Summary The caption-download MCP tool in yutu passes the caller-supplied file parameter directly to os.Create at pkg/caption/caption.go:272 without any path validation, canonicalization, or confinement to the pkg.Root boundary YUTUROOT. A local...

6.2AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

Auth0 Symfony SDK Accepted Bearer Tokens via URL Query Parameter

Description Applications built with the Auth0 Symphony SDK, using the Authorizer security authenticator to protect HTTP routes may accept OAuth 2.0 bearer access tokens provided through a URL query parameter, in addition to the standard Authorization header, which may increase the risk of access...

6.1AI score
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

n8n-MCP: Cross-tenant access to workflow version backups in multi-tenant HTTP deployments

Impact In multi-tenant HTTP deployments — where a single n8n-mcp server serves several tenants — the locally stored workflow version history the automatic backups taken before workflow updates was not isolated per tenant. An authenticated tenant could read workflow version snapshots belonging to...

6.1AI score0.00043EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

Woodpecker gRPC agent_id metadata can be spoofed- cross-tenant agent impersonation

Impact A vulnerability in Woodpecker CI's gRPC layer allowed any authenticated agent to impersonate any other agent on the same server by injecting a forged agentid value into outgoing gRPC metadata. The server correctly verified the JWT token but then discarded the verified agent identity in fav...

7.1CVSS6.1AI score0.00246EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

Anyquery: Arbitrary File Write (AFW) which could lead to Remote Code Execution (RCE) via Unrestricted ATTACH DATABASE in Server Mode

Summary Anyquery's server mode does not disable or restrict native SQLite disk manipulation commands. Unauthenticated attackers connecting to the MySQL-compatible server port can use the ATTACH DATABASE command to write arbitrary SQLite databases to any path on the victim's filesystem where the...

6.3AI score0.00416EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

Fedify has an incomplete SSRF mitigation after GHSA-p9cg-vqcc-grcx: validatePublicUrl allows special-use IPv4 ranges

Summary Fedify previously addressed SSRF/internal network access in GHSA-p9cg-vqcc-grcx by adding public URL validation before runtime document and media fetching. However, the current IPv4 validation logic appears incomplete. The validatePublicUrl protection relies on isValidPublicIPv4Address to...

8.6CVSS6.1AI score0.00269EPSS
Exploits1References3Affected Software2
Github Security Blog
Github Security Blog
added yesterday4 views

MKP: Unbounded Pod Log Read via Attacker-Controlled `limitBytes`/`tailLines` Causes Memory Exhaustion

Unbounded Pod Log Read via Attacker-Controlled limitBytes/tailLines Causes Memory Exhaustion Summary The MKP Model Context Protocol for Kubernetes server exposes a getresource MCP tool that proxies Kubernetes pod log requests. User-supplied limitBytes and tailLines parameters are parsed as...

6.2AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

Hoverfly: Denial of Service via Goroutine Leak in Remote Post-Serve Actions

Summary: Remote post-serve actions use http.DefaultClient without any timeout configuration. When the remote endpoint is unreachable or intentionally slow accepts TCP connection but never responds, each triggered proxy request spawns a goroutine that blocks indefinitely on http.DefaultClient.Do. ...

6.2AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

Hoverfly: Process Crash via Concurrent Map Write Race Condition in Diff Mode

Summary: When Hoverfly is running in Diff mode, the AddDiff function writes to the shared responsesDiff map without any synchronization no mutex. When multiple proxy requests are processed concurrently the normal case for any proxy, the concurrent map writes trigger Go's built-in race detector...

6.1AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

K3s: ZIP Archive Path Traversal Vulnerability in etcd Snapshot Decompression

Summary A path traversal vulnerability exists in K3s's etcd snapshot decompression functionality. Zip files containing archive members with maliciously crafted names e.g., ../../../../etc/password can be written to arbitrary locations on the filesystem when an administrator restores the archive a...

5.8CVSS6.2AI score0.00122EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

Wasmtime: Memory leak in C API with `externref` and `anyref` types

Impact Wasmtime 37.0.0 and 37.0.1 have memory leaks in the C/C++ API when using bindings for the anyref or externref WebAssembly values. This is caused by a regression introduced during the development of 37.0.0 and all prior versions of Wasmtime are unaffected. If anyref or externref is not used...

3.3CVSS6AI score0.00178EPSS
Exploits0References6Affected Software2
Github Security Blog
Github Security Blog
added yesterday7 views

FacturaScripts: Stored XSS in WidgetVariante and WidgetSubcuenta modal lists via HTML-attribute decoding of `Tools::noHtml`-escaped quotes inside `onclick=`

Summary WidgetVariante::renderVariantList Core/Lib/Widget/WidgetVariante.php:298-330 and WidgetSubcuenta::renderSubaccountList Core/Lib/Widget/WidgetSubcuenta.php:290-321 build the row for each modal hit by concatenating the user-controlled referencia / codsubcuenta field directly into a...

6.3AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added yesterday8 views

FacturaScripts: CSV formula injection in CSVExport allows authenticated low-priv users to plant payloads that execute when an admin opens the export

Summary Live PoC verified 2026-04-30 against a stock FacturaScripts master at 127.0.0.1:8081. A low-privilege user lowpriv created a customer with nombre = "=SUM1+1cmd|/c calc!A1". An admin then exported ListCliente to CSV via ?action=export&option=CSV. The downloaded file contains the raw payloa...

6.3AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

FacturaScripts: Unauthenticated Path Traversal in Static File Controllers Reads Private MyFiles Documents

Summary The static file controllers in FacturaScripts decide whether a request is authorized by looking at the URL string instead of the canonical filesystem path. A request that starts with an allow-listed folder name but contains a ../ segment in the middle ends up serving a file from a differe...

6.2AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

FacturaScripts: Authenticated SQL injection in the FacturaScripts REST API filter parameter via parenthesis bypass in `Where::sqlColumn`

Summary Live PoC verified 2026-04-30 against a stock FacturaScripts master at 127.0.0.1:8081. A scoped ApiKey with fullaccess=0 and an ApiAccess row granting allowget=1 on the clientes resource only no other rights, no UI session, no admin issued one GET /api/3/clientes?filter0UNION%20SELECT%20.....

6.4AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

OpenCost ServiceKey Endpoint Unauthorized Credential Overwrite/Injection

Summary OpenCost contains an unauthenticated file write vulnerability in the /serviceKey endpoint that allows remote attackers to overwrite the GCP service account key file without authentication. This can lead to service disruption, credential theft, and potential privilege escalation within...

6.2AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added yesterday7 views

Kimai: ExportTemplate CRUD Missing Authorization Check Allows Unauthorized TEAMLEAD Access

Summary The ExportController web routes for creating and editing export templates are gated only by the class-level createexport permission, which is granted to ROLETEAMLEAD by default. The corresponding API routes and UI button visibility correctly require the stricter createexporttemplate...

6.1AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added yesterday5 views

Kimai: Pre-2FA KIMAI_SESSION cookie grants full authenticated REST API access, bypassing TOTP

Summary Two-factor authentication TOTP can be fully bypassed for the REST API. The KIMAISESSION cookie returned in the response to the login request; issued after only the password is verified, before the TOTP step; is already accepted as authenticated by every /api/ endpoint. So after submitting...

6.1AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added yesterday5 views

Kimai: Improper Authorization in Project, Customer, and Activity Rate Edit Endpoints Allows Cross-Scope Rate Manipulation

Summary Kimai 2.56.0 contains an authenticated improper authorization vulnerability in the Web rate editing flows for projects, customers, and activities. A user who can edit one authorized parent object can combine that authorized parent ID with the rate ID of a different, unauthorized parent...

6.1AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added yesterday5 views

Kimai has Improper Authorization in Team Member and Team Activity Assignment APIs Which Allows Expansion of Team Scope Beyond Authorized Visibility

Summary Kimai contains an authenticated improper authorization vulnerability in Team-related assignment APIs. A Teamlead who can edit their own team can use backend API endpoints to add users or activities that fall outside their intended visible or manageable scope, even when the frontend...

6.1AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added yesterday6 views

Kimai: Default APP_SECRET in Docker Image Enables Cookie Forgery and Account Takeover

Summary The official Kimai Docker image ships with APPSECRET=changethistosomethingunique as the default environment variable. The Docker entrypoint does not override or validate this value. Any Kimai instance deployed using the Docker image without explicitly setting APPSECRET runs with a...

6.1AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added yesterday6 views

Kimai: Login CSRF in the Timesheet Stop and Restart API Endpoints Allows Unauthorized State Changes

Summary Kimai 2.56.0 contains authenticated cross-site request forgery issues in its timesheet state-changing API endpoints. The application reuses the browser's existing session for /api/ requests, and both the stop and restart operations are exposed through GET and PATCH routes that directly...

6.1AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added yesterday6 views

Improper Authorization in Kimai Timesheet Restart and Duplicate Allows New Timesheets After Project Access Revocation

Summary Kimai 2.56.0 contains an authenticated authorization bypass in the timesheet restart and duplicate workflows. After a user loses access to a project, the user can still derive a new timesheet from one of their historical entries and create a new record under that now-unauthorized project...

6.1AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added yesterday6 views

Kimai: Improper Authorization Through Activity Creation with Preset Project Allows Creation Under Unauthorized Projects

Summary Kimai 2.56.0 contains an authenticated improper authorization vulnerability in the preset-project activity creation flow. A user with the generic createactivity permission, but without access to a target project, can still create a new Activity under that unauthorized project by visiting...

6.1AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2 days ago7 views

Kimai: Timesheet PATCH/POST allows assigning to project outside user's team via query_builder OR-bypass

Summary The Timesheet API PATCH /api/timesheets/id and POST /api/timesheets endpoints accept a user-supplied project ID and resolve it through a Symfony EntityType whose querybuilder allows the submitted ID to satisfy the access predicate via an unconditional OR branch. As a result, any...

6.1AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2 days ago6 views

Kimai: Teamlead authorization bypass in GET /api/timesheets allows reading other users' timesheet records without being teamlead of the target

Summary GET /api/timesheets?user= and users= returns the targeted user's timesheet records to any caller that has the viewothertimesheet permission, without verifying that the caller is teamlead of any team containing the target user. The per-record endpoint GET /api/timesheets/id correctly...

6.1AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2 days ago7 views

Kimai: Login CSRF in Default Team Creation Endpoints Allows Unauthorized Team and Permission Structure Changes

Summary Kimai 2.56.0 contains authenticated cross-site request forgery issues in its default team creation shortcuts for projects, customers, and activities. These endpoints are exposed through GET routes and directly create or reuse a Team, add the current user as teamlead, and bind the target...

6.1AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2 days ago7 views

Apple App Store Server Python Library: SignedDataVerifier accepts stale OCSP GOOD responses and can bypass certificate revocation checks

Summary SignedDataVerifier attempts to perform online revocation checking when enableonlinechecks=True, but its OCSP validation logic accepts stale GOOD responses as valid indefinitely. In appstoreserverlibrary/signeddataverifier.py, ChainVerifier.checkocspstatus verifies the OCSP response...

6.1AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2 days ago6 views

json_repair: Circular JSON Schema `$ref` causes unbounded CPU DoS

Circular JSON Schema $ref causes unbounded CPU DoS in jsonrepair Summary SchemaRepairer.resolveschema in jsonrepair follows JSON Schema $ref pointers in an unbounded while loop without any cycle detection. An attacker who can supply a schema containing a self-referencing $ref e.g., via the demo...

6.2AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2 days ago10 views

FacturaScripts: Account takeover of any 2FA-enabled user

Authentication bypass in FacturaScripts: /login?action=two-factor-validation accepts brute-forceable TOTP without password or CSRF protection Summary Core/Controller/Login.php::twoFactorValidationAction accepts an unauthenticated POST containing only fsNick and fsTwoFactorCode. If the TOTP value...

6.2AI score
Exploits0References3Affected Software1
Total number of security vulnerabilities33312