Lucene search
K
GithubRecent

33367 matches found

Github Security Blog
Github Security Blog
added yesterday3 views

ToolHive: SSRF in remote MCP server authentication discovery (host-side, bypasses container isolation)

Security Advisory: SSRF in remote MCP server authentication discovery Severity: High. CWE: CWE-918. Affected: ToolHive through the latest release v0.29.3 and current main HEAD b672d82f, 2026-06-12; re-verified 2026-06-14. FetchResourceMetadata and the discovery clients remain unguarded; no commit...

6.2AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added yesterday6 views

adawolfa/isdoc: Uncontrolled resource consumption (decompression bomb) when reading untrusted ISDOCX or PDF files

Impact adawolfa/isdoc reads ISDOC invoices from ISDOCX ZIP archives and from PDF files with embedded ISDOC documents and supplements. Affected versions inflate ZIP entries and read embedded files without validating their uncompressed size, so a small crafted file can amplify into gigabytes: -...

6.1AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added yesterday7 views

@andrea9293/mcp-documentation-server: Web UI API binds to all interfaces without authentication by default

Summary @andrea9293/mcp-documentation-server v1.13.0 documents that a Web UI starts automatically on port 3080. However, the Web UI/API appears to bind to all network interfaces by default :3080 / 0.0.0.0:3080 instead of localhost-only, and its document-management API endpoints do not require...

6.3AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added yesterday5 views

systeminformation: OS command injection in networkInterfaces() via interfaces(5) source-directive path on Linux

Summary On Linux, systeminformation's networkInterfaces is vulnerable to OS command injection through the Debian/Ubuntu interfaces5 source directive. While collecting per-interface DHCP state, the library reads /etc/network/interfaces and, for every source line it encounters, extracts the path...

6.3AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added yesterday6 views

Pomerium Pre-Auth Memory Exhaustion via Unbounded zstd Decompression in HPKE Callback

Summary The HPKE V2 URL decode path in pkg/hpke/url.go decompresses attacker-controlled zstd data without any size limit. On Pomerium deployments using the stateless authentication flow Pomerium Zero / hosted authenticate, the proxy's /.pomerium/callback endpoint is reachable without credentials...

6.1AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added yesterday7 views

dd-trace-rb: Improper parsing of W3C baggage headers may lead to DoS

Impact Datadog tracing libraries that implement W3C baggage propagation parse incoming baggage HTTP headers without enforcing item-count or byte-size limits on the extract path. The DDTRACEBAGGAGEMAXITEMS default 64 and DDTRACEBAGGAGEMAXBYTES default 8192 limits were applied only to baggage...

6.1AI score0.00106EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added yesterday6 views

dd-trace-go: Improper parsing of W3C baggage headers may lead to DoS

Impact Datadog tracing libraries that implement W3C baggage propagation parse incoming baggage HTTP headers without enforcing item-count or byte-size limits on the extract path. The DDTRACEBAGGAGEMAXITEMS default 64 and DDTRACEBAGGAGEMAXBYTES default 8192 limits were applied only to baggage...

6.1AI score0.00106EPSS
Exploits0References2Affected Software2
Github Security Blog
Github Security Blog
added yesterday4 views

dd-trace-dotnet: Improper parsing of W3C baggage headers may lead to DoS

Impact Datadog tracing libraries that implement W3C baggage propagation parse incoming baggage HTTP headers without enforcing item-count or byte-size limits on the extract path. The DDTRACEBAGGAGEMAXITEMS default 64 and DDTRACEBAGGAGEMAXBYTES default 8192 limits were applied only to baggage...

6.1AI score0.00106EPSS
Exploits0References2Affected Software2
Github Security Blog
Github Security Blog
added yesterday6 views

dd-trace-js: Improper parsing of W3C baggage headers may lead to DoS

Impact Datadog tracing libraries that implement W3C baggage propagation parse incoming baggage HTTP headers without enforcing item-count or byte-size limits on the extract path. The DDTRACEBAGGAGEMAXITEMS default 64 and DDTRACEBAGGAGEMAXBYTES default 8192 limits were applied only to baggage...

6.1AI score0.00106EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added yesterday6 views

dd-trace-py: Improper parsing of W3C baggage headers may lead to DoS

Impact Datadog tracing libraries that implement W3C baggage propagation parse incoming baggage HTTP headers without enforcing item-count or byte-size limits on the extract path. The DDTRACEBAGGAGEMAXITEMS default 64 and DDTRACEBAGGAGEMAXBYTES default 8192 limits were applied only to baggage...

6.1AI score0.00106EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added yesterday5 views

dd-trace-java: Improper parsing of W3C baggage headers may lead to DoS

Impact Datadog tracing libraries that implement W3C baggage propagation parse incoming baggage HTTP headers without enforcing item-count or byte-size limits on the extract path. The DDTRACEBAGGAGEMAXITEMS default 64 and DDTRACEBAGGAGEMAXBYTES default 8192 limits were applied only to baggage...

6.1AI score0.00106EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

ViewComponent: Reused Component Instances Retain Stale Render Context

Reused Component Instances Retain Stale Render Context Summary ViewComponent::Base instances retain multiple render-scoped objects across calls to renderin. If the same component, collection, or spacer component instance is reused across requests, users, tenants, or threads, later renders can use...

6.1AI score
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

ViewComponent: around_render HTML-Safety Bypass

Summary ViewComponent::Basearoundrender can return HTML-unsafe strings that bypass the escaping behavior applied to normal call return values. This creates an XSS risk when downstream applications use aroundrender to wrap, replace, instrument, or conditionally return content that includes...

6AI score
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added yesterday7 views

open-feature-operator: Cross-namespace FeatureFlagSource and InProcessConfiguration resolution exposes spec contents on multi-tenant clusters

Summary A namespaced FeatureFlagSource or InProcessConfiguration resource can be referenced cross-namespace via the openfeature.dev/featureflagsource annotation using the documented NAMESPACE/NAME syntax. The operator resolves the referenced resource cluster-wide and materializes its contents env...

6.3CVSS6.7AI score0.09274EPSS
Exploits3References3Affected Software1
Github Security Blog
Github Security Blog
added yesterday7 views

django-haystack: Remote Code Execution via `eval()` in Elasticsearch Result Deserialization

Remote Code Execution via eval in Elasticsearch Result Deserialization Summary The Elasticsearch backend in django-haystack calls eval on raw field values returned from Elasticsearch when a SearchField is declared with an indexfieldname alias that differs from the logical field name. During resul...

6.6AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added yesterday8 views

serde_with: KeyValueMap serialization panics on empty sequence or map entries

Summary The public KeyValueMap serializer assumes that each mapped element has at least one field or item to use as the map key, but it subtracts 1 from the caller-visible length before validating that assumption. An application that serializes attacker-controlled data through serdeasas =...

6.1AI score
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added yesterday3 views

websocket-driver: Resource limit bypass via message compression

Impact If this library is used in tandem with the permessage-deflate extension, a WebSocket server or client can be made to accept messages that are larger than the configured maximum message size. This is because this limit is checked against the message frames' length headers, which give the si...

6AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

websocket-driver: Message corruption via abuse of protocol length headers

Impact The frame format in draft versions of the WebSocket protocol includes a length header that allows an arbitrarily large integer to be encoded as a sequence of bytes with the high bit set. By sending an indefinite sequence of bytes with values 0x80 or above, a client can make the server pars...

6AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added yesterday3 views

websocket-driver: Memory exhaustion in HTTP header parser

Impact If this library is used to implement a WebSocket server on top of a TCP server rather than an HTTP server or framework using the WebSocket::Driver.server method, or, if it is used to complement a WebSocket client, then a peer can make a single connection consume an unbounded amount of memo...

6AI score
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added yesterday2 views

websocket-driver: Resource limit bypass via message compression

Impact If this library is used in tandem with the permessage-deflate extension, a WebSocket server or client can be made to accept messages that are larger than the configured maximum message size. This is because this limit is checked against the message frames' length headers, which give the si...

6AI score
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added yesterday2 views

websocket-driver: Memory exhaustion via abuse of protocol length headers

Impact The frame format in draft versions of the WebSocket protocol includes a length header that allows an arbitrarily large integer to be encoded as a sequence of bytes with the high bit set. By sending an indefinite sequence of bytes with values 0x80 or above, a server or client can make the...

6.1AI score
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

Pixeldrain API key shared with unverified thirdparty sites

Summary When processing Pixeldrain URLs, cyberdrop-dl-patched could send an Authorization header that includes the user's API key to unverified hosts. Details Pixeldrain offers several alternative domains in case the user's ISP blocks the primary domain. To support this, requests made by...

6.1AI score
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added yesterday5 views

TensorZero Gateway: Arbitrary file read and SSRF in internal object storage endpoint

Impact The /internal/objectstorage endpoint accepts a caller-supplied JSON storagepath parameter that dynamically overrides the TensorZero objectstorage configuration. By abusing the filesystem storage type, a caller can read arbitrary files from the gateway filesystem, including files that may...

6.1AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

safeurl is Missing IPv6 CIDR Ranges in Blocklist

The privateNetworks blocklist was found to be missing newly added CIDR ranges. More specifically, the following CIDR ranges were not being blocked: - 64:ff9b:1::/48: NAT64 local-use prefix RFC 8215 - 5f00::/16: Segment Routing SRv6 SIDs RFC 9602 - 3fff::/20: documentation prefix RFC 9637 -...

6.1AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

FiftyOne App server uses wildcard CORS (Access-Control-Allow-Origin: *), enabling cross-origin reads of local server data

Impact The FiftyOne App/API server fiftyone/server/app.py and the /media route fiftyone/server/routes/media.py unconditionally set a permissive CORS header Access-Control-Allow-Origin: on their responses. Because the embedded App server runs locally and is unauthenticated, this allows any website...

6.1AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added yesterday3 views

obsidian-local-rest-api: Authenticated path traversal via URL-encoded %2F in /vault/{path} — arbitrary host file read/write/delete

Summary The Local REST API's /vault/path endpoints GET/PUT/PATCH/POST/DELETE percent-decode the request path inside the handler — after Express has already routed and normalized it, then hand it to the Obsidian vault adapter with no confinement check. A literal ../ is resolved/rejected at the...

6.2AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

ToolHive: SSRF guard misses IPv6 NAT64 ranges (64:ff9b::/96, 64:ff9b:1::/48), allowing metadata/internal access behind a NAT64 gateway

Summary ToolHive's hand-rolled private/reserved-IP SSRF guard networking.IsPrivateIP in pkg/networking/utilities.go does not recognize the IPv6 NAT64 address ranges — the well-known prefix 64:ff9b::/96 RFC 6052 and the RFC 8215 local-use prefix 64:ff9b:1::/48. As a result, an address such as...

6.1AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added yesterday3 views

MantisBT: Stored XSS in print_all_bug_page_word.php

A missing output encoding call in printallbugpageword.php allows any authenticated user to inject arbitrary HTML into an IMG tag's alt attribute via an image attachment with a crafted filename such as probe." onload="alert1. When any user views the HTML export page...

6.1AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added yesterday2 views

MantisBT: Injection of TIME_TRACKING and REMINDER Notes via REST and SOAP APIs

Unvalidated notetype Parameter in mcissueupdate SOAP Endpoint Allows creation of TIMETRACKING and REMINDER Notes. The SOAP path passes the user-supplied notetype integer directly to bugnoteadd without validating that the user is authorized to create that type of note. If the user's access level i...

6.2AI score
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added yesterday3 views

MantisBT: REST and SOAP API Issue Update Accepts Unreleased Product Versions From Updaters

Impact Users below reportissuesforunreleasedversionsthreshold can assign unreleased product versions. Patches - https://github.com/mantisbt/mantisbt/commit/17072d4c322c85f7135ebec3417a6d90b525d12f Workarounds None Resources - https://mantisbt.org/bugs/view.php?id=37065 Credits MantisBT thanks...

6.1AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added yesterday3 views

MantisBT: Reflected XSS in admin/install.php via unescaped printf

MantisBT 2.28.3 and earlier contains six reflected XSS injection points in /admin/install.php. User-supplied parameters are echoed into HTML without escaping via an unescaped printf format string. No authentication is required. A Content Security Policy script-src 'self' prevents inline JavaScrip...

6.1AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added yesterday2 views

MantisBT: Reflected XSS in admin/install.php

MantisBT 2.28.3 and earlier contains six reflected XSS injection points in /admin/install.php. User-supplied parameters are echoed into HTML without escaping via printtestresult. No authentication is required. A Content Security Policy script-src 'self' prevents inline JavaScript execution, but t...

6.1AI score
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

Koel: Full-read SSRF via podcast enclosure URL: isPublicHost() filter_var guard does not reject NAT64 (64:ff9b::/96) or 6to4 (2002::/16) IPv6-transition wrappers of internal IPv4

Summary Koel's outbound-URL guard App\Helpers\Network::isPublicHost classifies an IP as "public" using PHP's filtervar$ip, FILTERVALIDATEIP, FILTERFLAGNOPRIVRANGE | FILTERFLAGNORESRANGE. That flag set does not recognise IPv6 transition-address forms that embed a private/loopback/link-local IPv4:...

6.2AI score
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added yesterday3 views

Koel: Server-Side Request Forgery (SSRF) in radio station creation due to missing validation bail

Summary Koel v9.5.0 contains a Server-Side Request Forgery SSRF vulnerability in the radio station creation endpoint POST /api/radio/stations. The url field validation rules are declared without the bail keyword, so the HasAudioContentType rule — which issues HTTP requests to the supplied URL —...

6.3CVSS6.2AI score0.0016EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

Koel: Incomplete fix for CVE-2026-47260 — systemic SSRF in podcast & radio fetch paths

Summary The fix for CVE-2026-47260 v9.3.5 added an initial isSafeUrl check to several fetchers synchronizeEpisodes, getStreamableUrl, AddRadioStation, EpisodePlayable, but the redirect-target validation — the per-hop Guzzle onredirect callback added in follow-up commit be1e867 — was applied to on...

7.7CVSS6.1AI score0.00263EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

Protobuf: Unbounded recursion depth in embedded-message decoding

Summary Unbounded recursion depth in Protobuf.Decoder Hex package protobuf, versions = 0.8.0, 0.16.1 lets an unauthenticated attacker crash any service that decodes untrusted protobuf messages whose schema contains a self-referential or cyclic message type. A small request body a few KB to a few ...

6.1AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added yesterday7 views

LangBot: Authenticated RCE Via MCP Configuration

Summary Any authenticated user can achieve arbitrary command execution on the LangBot servers through changing the MCP Server Configuration by added an "STDIO" MCP with an arbitrary command. Details The repository uses StdioServerParameters which is based on Anthropic's modelcontextprotocol open...

6.6AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added yesterday8 views

garminconnect Has Insecure Permission Assignment for Garmin OAuth Token Store

Insecure Permission Assignment for Garmin OAuth Token Store Summary garminconnect ≤ 0.3.4 wrote its OAuth token store to disk without restricting file-system permissions. Under the default Linux umask 022 the token file garmintokens.json was created world-readable 0o644. The file contains the DI...

6.1AI score
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added yesterday6 views

Koel has SSRF through Authenticated Subsonic podcast feed URLs

Summary Koel's Subsonic createPodcastChannel.view endpoint accepts a user supplied podcast feed URL and fetches it server-side before applying the safe URL checks that are used for podcast episode enclosure URLs. An authenticated Subsonic API user can provide a loopback or internal URL as the fee...

6.1AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added yesterday3 views

Koel: Authenticated Full-Read SSRF via Subsonic Internet Radio Stations

Summary Koel v9.6.0 validates radio station URLs on the regular web API, but the Subsonic-compatible radio endpoints do not apply the same SSRF protections. An authenticated user can create or update a radio station with a private URL and then use Koel's radio streaming feature to make the server...

6.1AI score
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added yesterday2 views

Koel: Authenticated Blind SSRF via Subsonic Podcast Channel Creation

Summary Koel v9.6.0 protects the regular podcast subscription API with SafeUrl, but the Subsonic-compatible createPodcastChannel.view route does not apply the same protection. An authenticated user can supply a private URL and cause Koel to fetch it server-side during podcast parsing. This was...

6.2AI score
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added yesterday5 views

MantisBT: REST API unauthorized Issue status change

A MantisBT user having $gupdatebugthreshold UPDATER by default can change an Issue's Status via REST and SOAP API, even if the $gsetstatusthreshold config is set to a higher level DEVELOPER by default. Impact Unauthorized change in Issue workflow. Patches...

6.1AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added yesterday3 views

MantisBT: Remote Code Execution via eval() Class Hoisting in adm_config_set.php

MantisBT 2.28.3 and earlier contains a remote code execution vulnerability in the admin "Manage Configuration" feature admconfigset.php. When setting a configuration value with a non-string type integer, float, complex, the value is passed through ConfigParser - Tokenizer, which calls eval with a...

6.6AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added yesterday4 views

MantisBT: SOAP API Authentication Bypass with Privilege Escalation to Administrator

MantisBT 2.28.3 and earlier contains a critical authentication bypass in the SOAP API's mcichecklogin function. Any user knowing any valid cookiestring can authenticate as any other user knowing their username, including the administrator, without knowing the target's password. The vulnerability ...

6.1AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added yesterday3 views

MantisBT: SQL Injection via history_order Configuration Value

MantisBT 2.28.3 and earlier versions contains a SQL injection vulnerability in core/historyapi.php. The historyorder configuration value is concatenated directly into a SQL ORDER BY clause without any sanitisation, parameterization, or validation against a whitelist. An administrator can set this...

6.1AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2 days ago6 views

FacturaScripts: Path traversal in UploadedFile::move() via getClientOriginalName() — arbitrary file write outside MyFiles/ leading to RCE

Summary FacturaScripts\Core\UploadedFile::move$destiny, $destinyName concatenates $destiny and $destinyName without normalizing the resulting path. Every caller in the codebase passes UploadedFile::getClientOriginalName — the unsanitized client-supplied filename — as $destinyName, so an...

6.5AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2 days ago7 views

NetLicensing-MCP: Unauthenticated Use of Server-Side NetLicensing API Key in HTTP Mode

Unauthenticated Use of Server-Side NetLicensing API Key in HTTP Mode Summary When netlicensing-mcp is run in HTTP transport mode, the ApiKeyMiddleware fails to enforce authentication: requests that carry no client API key are unconditionally forwarded to the next handler server.py:1427. The...

6.1AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2 days ago6 views

Woodpecker: Privilege escalation via unrestricted serviceAccountName in the Kubernetes backend

Impact A privilege escalation vulnerability affects Woodpecker instances using the Kubernetes backend. The pipeline option backendoptions.kubernetes.serviceAccountName was passed directly to the pod spec without any admin gating. Who is impacted: any operator running the Kubernetes backend. Any...

6.2AI score
Exploits0References3Affected Software3
Github Security Blog
Github Security Blog
added 2 days ago7 views

Nebula-mesh allows non-admin operators to disable webhook SSRF protection via `allow_private`

Summary Non-admin operators role user can set allowprivate: true on their own managed webhook subscription POST/PATCH /api/v1/webhook-subscriptions. No admin check exists on this field. At delivery time, allowprivate switches the dispatcher to an unguarded HTTP client, bypassing the...

6.2AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2 days ago8 views

nebula-mesh: Certificate revocation is never enforced at the mesh

Summary nebula-mesh revokes a host by adding its certificate fingerprint to a per-CA blocklist and shipping that list to every other agent on each poll. Slack's Nebula enforces certificate revocation ONLY through the pki.blocklist list in config.yml no CRL/OCSP. The project's own code states this...

6.1AI score
Exploits0References4Affected Software1
Total number of security vulnerabilities33367