33367 matches found
ToolHive: SSRF in remote MCP server authentication discovery (host-side, bypasses container isolation)
Security Advisory: SSRF in remote MCP server authentication discovery Severity: High. CWE: CWE-918. Affected: ToolHive through the latest release v0.29.3 and current main HEAD b672d82f, 2026-06-12; re-verified 2026-06-14. FetchResourceMetadata and the discovery clients remain unguarded; no commit...
adawolfa/isdoc: Uncontrolled resource consumption (decompression bomb) when reading untrusted ISDOCX or PDF files
Impact adawolfa/isdoc reads ISDOC invoices from ISDOCX ZIP archives and from PDF files with embedded ISDOC documents and supplements. Affected versions inflate ZIP entries and read embedded files without validating their uncompressed size, so a small crafted file can amplify into gigabytes: -...
@andrea9293/mcp-documentation-server: Web UI API binds to all interfaces without authentication by default
Summary @andrea9293/mcp-documentation-server v1.13.0 documents that a Web UI starts automatically on port 3080. However, the Web UI/API appears to bind to all network interfaces by default :3080 / 0.0.0.0:3080 instead of localhost-only, and its document-management API endpoints do not require...
systeminformation: OS command injection in networkInterfaces() via interfaces(5) source-directive path on Linux
Summary On Linux, systeminformation's networkInterfaces is vulnerable to OS command injection through the Debian/Ubuntu interfaces5 source directive. While collecting per-interface DHCP state, the library reads /etc/network/interfaces and, for every source line it encounters, extracts the path...
Pomerium Pre-Auth Memory Exhaustion via Unbounded zstd Decompression in HPKE Callback
Summary The HPKE V2 URL decode path in pkg/hpke/url.go decompresses attacker-controlled zstd data without any size limit. On Pomerium deployments using the stateless authentication flow Pomerium Zero / hosted authenticate, the proxy's /.pomerium/callback endpoint is reachable without credentials...
dd-trace-rb: Improper parsing of W3C baggage headers may lead to DoS
Impact Datadog tracing libraries that implement W3C baggage propagation parse incoming baggage HTTP headers without enforcing item-count or byte-size limits on the extract path. The DDTRACEBAGGAGEMAXITEMS default 64 and DDTRACEBAGGAGEMAXBYTES default 8192 limits were applied only to baggage...
dd-trace-go: Improper parsing of W3C baggage headers may lead to DoS
Impact Datadog tracing libraries that implement W3C baggage propagation parse incoming baggage HTTP headers without enforcing item-count or byte-size limits on the extract path. The DDTRACEBAGGAGEMAXITEMS default 64 and DDTRACEBAGGAGEMAXBYTES default 8192 limits were applied only to baggage...
dd-trace-dotnet: Improper parsing of W3C baggage headers may lead to DoS
Impact Datadog tracing libraries that implement W3C baggage propagation parse incoming baggage HTTP headers without enforcing item-count or byte-size limits on the extract path. The DDTRACEBAGGAGEMAXITEMS default 64 and DDTRACEBAGGAGEMAXBYTES default 8192 limits were applied only to baggage...
dd-trace-js: Improper parsing of W3C baggage headers may lead to DoS
Impact Datadog tracing libraries that implement W3C baggage propagation parse incoming baggage HTTP headers without enforcing item-count or byte-size limits on the extract path. The DDTRACEBAGGAGEMAXITEMS default 64 and DDTRACEBAGGAGEMAXBYTES default 8192 limits were applied only to baggage...
dd-trace-py: Improper parsing of W3C baggage headers may lead to DoS
Impact Datadog tracing libraries that implement W3C baggage propagation parse incoming baggage HTTP headers without enforcing item-count or byte-size limits on the extract path. The DDTRACEBAGGAGEMAXITEMS default 64 and DDTRACEBAGGAGEMAXBYTES default 8192 limits were applied only to baggage...
dd-trace-java: Improper parsing of W3C baggage headers may lead to DoS
Impact Datadog tracing libraries that implement W3C baggage propagation parse incoming baggage HTTP headers without enforcing item-count or byte-size limits on the extract path. The DDTRACEBAGGAGEMAXITEMS default 64 and DDTRACEBAGGAGEMAXBYTES default 8192 limits were applied only to baggage...
ViewComponent: Reused Component Instances Retain Stale Render Context
Reused Component Instances Retain Stale Render Context Summary ViewComponent::Base instances retain multiple render-scoped objects across calls to renderin. If the same component, collection, or spacer component instance is reused across requests, users, tenants, or threads, later renders can use...
ViewComponent: around_render HTML-Safety Bypass
Summary ViewComponent::Basearoundrender can return HTML-unsafe strings that bypass the escaping behavior applied to normal call return values. This creates an XSS risk when downstream applications use aroundrender to wrap, replace, instrument, or conditionally return content that includes...
open-feature-operator: Cross-namespace FeatureFlagSource and InProcessConfiguration resolution exposes spec contents on multi-tenant clusters
Summary A namespaced FeatureFlagSource or InProcessConfiguration resource can be referenced cross-namespace via the openfeature.dev/featureflagsource annotation using the documented NAMESPACE/NAME syntax. The operator resolves the referenced resource cluster-wide and materializes its contents env...
django-haystack: Remote Code Execution via `eval()` in Elasticsearch Result Deserialization
Remote Code Execution via eval in Elasticsearch Result Deserialization Summary The Elasticsearch backend in django-haystack calls eval on raw field values returned from Elasticsearch when a SearchField is declared with an indexfieldname alias that differs from the logical field name. During resul...
serde_with: KeyValueMap serialization panics on empty sequence or map entries
Summary The public KeyValueMap serializer assumes that each mapped element has at least one field or item to use as the map key, but it subtracts 1 from the caller-visible length before validating that assumption. An application that serializes attacker-controlled data through serdeasas =...
websocket-driver: Resource limit bypass via message compression
Impact If this library is used in tandem with the permessage-deflate extension, a WebSocket server or client can be made to accept messages that are larger than the configured maximum message size. This is because this limit is checked against the message frames' length headers, which give the si...
websocket-driver: Message corruption via abuse of protocol length headers
Impact The frame format in draft versions of the WebSocket protocol includes a length header that allows an arbitrarily large integer to be encoded as a sequence of bytes with the high bit set. By sending an indefinite sequence of bytes with values 0x80 or above, a client can make the server pars...
websocket-driver: Memory exhaustion in HTTP header parser
Impact If this library is used to implement a WebSocket server on top of a TCP server rather than an HTTP server or framework using the WebSocket::Driver.server method, or, if it is used to complement a WebSocket client, then a peer can make a single connection consume an unbounded amount of memo...
websocket-driver: Resource limit bypass via message compression
Impact If this library is used in tandem with the permessage-deflate extension, a WebSocket server or client can be made to accept messages that are larger than the configured maximum message size. This is because this limit is checked against the message frames' length headers, which give the si...
websocket-driver: Memory exhaustion via abuse of protocol length headers
Impact The frame format in draft versions of the WebSocket protocol includes a length header that allows an arbitrarily large integer to be encoded as a sequence of bytes with the high bit set. By sending an indefinite sequence of bytes with values 0x80 or above, a server or client can make the...
Pixeldrain API key shared with unverified thirdparty sites
Summary When processing Pixeldrain URLs, cyberdrop-dl-patched could send an Authorization header that includes the user's API key to unverified hosts. Details Pixeldrain offers several alternative domains in case the user's ISP blocks the primary domain. To support this, requests made by...
TensorZero Gateway: Arbitrary file read and SSRF in internal object storage endpoint
Impact The /internal/objectstorage endpoint accepts a caller-supplied JSON storagepath parameter that dynamically overrides the TensorZero objectstorage configuration. By abusing the filesystem storage type, a caller can read arbitrary files from the gateway filesystem, including files that may...
safeurl is Missing IPv6 CIDR Ranges in Blocklist
The privateNetworks blocklist was found to be missing newly added CIDR ranges. More specifically, the following CIDR ranges were not being blocked: - 64:ff9b:1::/48: NAT64 local-use prefix RFC 8215 - 5f00::/16: Segment Routing SRv6 SIDs RFC 9602 - 3fff::/20: documentation prefix RFC 9637 -...
FiftyOne App server uses wildcard CORS (Access-Control-Allow-Origin: *), enabling cross-origin reads of local server data
Impact The FiftyOne App/API server fiftyone/server/app.py and the /media route fiftyone/server/routes/media.py unconditionally set a permissive CORS header Access-Control-Allow-Origin: on their responses. Because the embedded App server runs locally and is unauthenticated, this allows any website...
obsidian-local-rest-api: Authenticated path traversal via URL-encoded %2F in /vault/{path} — arbitrary host file read/write/delete
Summary The Local REST API's /vault/path endpoints GET/PUT/PATCH/POST/DELETE percent-decode the request path inside the handler — after Express has already routed and normalized it, then hand it to the Obsidian vault adapter with no confinement check. A literal ../ is resolved/rejected at the...
ToolHive: SSRF guard misses IPv6 NAT64 ranges (64:ff9b::/96, 64:ff9b:1::/48), allowing metadata/internal access behind a NAT64 gateway
Summary ToolHive's hand-rolled private/reserved-IP SSRF guard networking.IsPrivateIP in pkg/networking/utilities.go does not recognize the IPv6 NAT64 address ranges — the well-known prefix 64:ff9b::/96 RFC 6052 and the RFC 8215 local-use prefix 64:ff9b:1::/48. As a result, an address such as...
MantisBT: Stored XSS in print_all_bug_page_word.php
A missing output encoding call in printallbugpageword.php allows any authenticated user to inject arbitrary HTML into an IMG tag's alt attribute via an image attachment with a crafted filename such as probe." onload="alert1. When any user views the HTML export page...
MantisBT: Injection of TIME_TRACKING and REMINDER Notes via REST and SOAP APIs
Unvalidated notetype Parameter in mcissueupdate SOAP Endpoint Allows creation of TIMETRACKING and REMINDER Notes. The SOAP path passes the user-supplied notetype integer directly to bugnoteadd without validating that the user is authorized to create that type of note. If the user's access level i...
MantisBT: REST and SOAP API Issue Update Accepts Unreleased Product Versions From Updaters
Impact Users below reportissuesforunreleasedversionsthreshold can assign unreleased product versions. Patches - https://github.com/mantisbt/mantisbt/commit/17072d4c322c85f7135ebec3417a6d90b525d12f Workarounds None Resources - https://mantisbt.org/bugs/view.php?id=37065 Credits MantisBT thanks...
MantisBT: Reflected XSS in admin/install.php via unescaped printf
MantisBT 2.28.3 and earlier contains six reflected XSS injection points in /admin/install.php. User-supplied parameters are echoed into HTML without escaping via an unescaped printf format string. No authentication is required. A Content Security Policy script-src 'self' prevents inline JavaScrip...
MantisBT: Reflected XSS in admin/install.php
MantisBT 2.28.3 and earlier contains six reflected XSS injection points in /admin/install.php. User-supplied parameters are echoed into HTML without escaping via printtestresult. No authentication is required. A Content Security Policy script-src 'self' prevents inline JavaScript execution, but t...
Koel: Full-read SSRF via podcast enclosure URL: isPublicHost() filter_var guard does not reject NAT64 (64:ff9b::/96) or 6to4 (2002::/16) IPv6-transition wrappers of internal IPv4
Summary Koel's outbound-URL guard App\Helpers\Network::isPublicHost classifies an IP as "public" using PHP's filtervar$ip, FILTERVALIDATEIP, FILTERFLAGNOPRIVRANGE | FILTERFLAGNORESRANGE. That flag set does not recognise IPv6 transition-address forms that embed a private/loopback/link-local IPv4:...
Koel: Server-Side Request Forgery (SSRF) in radio station creation due to missing validation bail
Summary Koel v9.5.0 contains a Server-Side Request Forgery SSRF vulnerability in the radio station creation endpoint POST /api/radio/stations. The url field validation rules are declared without the bail keyword, so the HasAudioContentType rule — which issues HTTP requests to the supplied URL —...
Koel: Incomplete fix for CVE-2026-47260 — systemic SSRF in podcast & radio fetch paths
Summary The fix for CVE-2026-47260 v9.3.5 added an initial isSafeUrl check to several fetchers synchronizeEpisodes, getStreamableUrl, AddRadioStation, EpisodePlayable, but the redirect-target validation — the per-hop Guzzle onredirect callback added in follow-up commit be1e867 — was applied to on...
Protobuf: Unbounded recursion depth in embedded-message decoding
Summary Unbounded recursion depth in Protobuf.Decoder Hex package protobuf, versions = 0.8.0, 0.16.1 lets an unauthenticated attacker crash any service that decodes untrusted protobuf messages whose schema contains a self-referential or cyclic message type. A small request body a few KB to a few ...
LangBot: Authenticated RCE Via MCP Configuration
Summary Any authenticated user can achieve arbitrary command execution on the LangBot servers through changing the MCP Server Configuration by added an "STDIO" MCP with an arbitrary command. Details The repository uses StdioServerParameters which is based on Anthropic's modelcontextprotocol open...
garminconnect Has Insecure Permission Assignment for Garmin OAuth Token Store
Insecure Permission Assignment for Garmin OAuth Token Store Summary garminconnect ≤ 0.3.4 wrote its OAuth token store to disk without restricting file-system permissions. Under the default Linux umask 022 the token file garmintokens.json was created world-readable 0o644. The file contains the DI...
Koel has SSRF through Authenticated Subsonic podcast feed URLs
Summary Koel's Subsonic createPodcastChannel.view endpoint accepts a user supplied podcast feed URL and fetches it server-side before applying the safe URL checks that are used for podcast episode enclosure URLs. An authenticated Subsonic API user can provide a loopback or internal URL as the fee...
Koel: Authenticated Full-Read SSRF via Subsonic Internet Radio Stations
Summary Koel v9.6.0 validates radio station URLs on the regular web API, but the Subsonic-compatible radio endpoints do not apply the same SSRF protections. An authenticated user can create or update a radio station with a private URL and then use Koel's radio streaming feature to make the server...
Koel: Authenticated Blind SSRF via Subsonic Podcast Channel Creation
Summary Koel v9.6.0 protects the regular podcast subscription API with SafeUrl, but the Subsonic-compatible createPodcastChannel.view route does not apply the same protection. An authenticated user can supply a private URL and cause Koel to fetch it server-side during podcast parsing. This was...
MantisBT: REST API unauthorized Issue status change
A MantisBT user having $gupdatebugthreshold UPDATER by default can change an Issue's Status via REST and SOAP API, even if the $gsetstatusthreshold config is set to a higher level DEVELOPER by default. Impact Unauthorized change in Issue workflow. Patches...
MantisBT: Remote Code Execution via eval() Class Hoisting in adm_config_set.php
MantisBT 2.28.3 and earlier contains a remote code execution vulnerability in the admin "Manage Configuration" feature admconfigset.php. When setting a configuration value with a non-string type integer, float, complex, the value is passed through ConfigParser - Tokenizer, which calls eval with a...
MantisBT: SOAP API Authentication Bypass with Privilege Escalation to Administrator
MantisBT 2.28.3 and earlier contains a critical authentication bypass in the SOAP API's mcichecklogin function. Any user knowing any valid cookiestring can authenticate as any other user knowing their username, including the administrator, without knowing the target's password. The vulnerability ...
MantisBT: SQL Injection via history_order Configuration Value
MantisBT 2.28.3 and earlier versions contains a SQL injection vulnerability in core/historyapi.php. The historyorder configuration value is concatenated directly into a SQL ORDER BY clause without any sanitisation, parameterization, or validation against a whitelist. An administrator can set this...
FacturaScripts: Path traversal in UploadedFile::move() via getClientOriginalName() — arbitrary file write outside MyFiles/ leading to RCE
Summary FacturaScripts\Core\UploadedFile::move$destiny, $destinyName concatenates $destiny and $destinyName without normalizing the resulting path. Every caller in the codebase passes UploadedFile::getClientOriginalName — the unsanitized client-supplied filename — as $destinyName, so an...
NetLicensing-MCP: Unauthenticated Use of Server-Side NetLicensing API Key in HTTP Mode
Unauthenticated Use of Server-Side NetLicensing API Key in HTTP Mode Summary When netlicensing-mcp is run in HTTP transport mode, the ApiKeyMiddleware fails to enforce authentication: requests that carry no client API key are unconditionally forwarded to the next handler server.py:1427. The...
Woodpecker: Privilege escalation via unrestricted serviceAccountName in the Kubernetes backend
Impact A privilege escalation vulnerability affects Woodpecker instances using the Kubernetes backend. The pipeline option backendoptions.kubernetes.serviceAccountName was passed directly to the pod spec without any admin gating. Who is impacted: any operator running the Kubernetes backend. Any...
Nebula-mesh allows non-admin operators to disable webhook SSRF protection via `allow_private`
Summary Non-admin operators role user can set allowprivate: true on their own managed webhook subscription POST/PATCH /api/v1/webhook-subscriptions. No admin check exists on this field. At delivery time, allowprivate switches the dispatcher to an unguarded HTTP client, bypassing the...
nebula-mesh: Certificate revocation is never enforced at the mesh
Summary nebula-mesh revokes a host by adding its certificate fingerprint to a per-CA blocklist and shipping that list to every other agent on each poll. Slack's Nebula enforces certificate revocation ONLY through the pki.blocklist list in config.yml no CRL/OCSP. The project's own code states this...