33426 matches found
Skipper: Incomplete fix for CVE-2026-50197: an oversized body can bypass OPA deny-on-presence Rego policies
Summary A wrong policy can be an open door. You have to check input.attributes.request.http.truncatedbody in your policy. Description Incomplete fix for CVE-2026-50197: an oversized declared-Content-Length body still hands OPA an empty parsedbody, so deny-on-presence Rego policies fail OPEN while...
Skipper's routesrv-no-auth component: All routesrv API Endpoints Lack Authentication
Description The routesrv component exposes the full cluster route topology Ingress/RouteGroup configurations, backend URLs, filter chains, OAuth/OIDC callback paths and cache-cluster topology Redis/Valkey shard addresses over plain HTTP with zero authentication. Any pod in the Kubernetes cluster...
CloudTAK: Authenticated full-read SSRF in the /api/esri* routes — user-controlled URL fetched with no IP-classification guard
Authenticated full-read SSRF in CloudTAK /api/esri routes — user-controlled URL fetched with no IP-classification guard Summary Every route in the ESRI helper family api/routes/esri.ts takes a fully attacker-controlled URL from the request POST /api/esri body url, and the portal / server / layer...
PocketSphinx: Buffer overflows in language and acoustic model loading code
Impact The trie language model code introduced in PocketSphinx 5prealpha failed to check various boundary conditions when reading the headers of ARPA, DMP, and binary format language model files. In the case of invalid, corrupted or malicious input files, this could lead to stack and heap buffer...
AngleSharp HTML5 Spec Compliance: mXSS via annotation-xml HTML Integration Point Bypass
Summary The HTML specification requires that a MathML element with encoding="text/html" or encoding="application/xhtml+xml" is treated as an HTML integration point. Content inside it must be parsed as HTML, not MathML. AngleSharp does not implement this correctly. As a result, the parser produces...
PRoot-Distro has Path Traversal in proot-distro copy — Arbitrary Read, Write, and Persistent Code Execution Outside Container Rootfs
Path Traversal in proot-distro copy — Arbitrary Read, Write, and Persistent Code Execution Outside Container Rootfs Repository https://github.com/termux/proot-distro Maintainer: @sylirre Affected Component Package: proot-distro Affected command: copy Attack surface: Host-side Termux CLI — this is...
ExifReader HEIC/AVIF ISO-BMFF parser throws uncaught RangeError on truncated boxes
Summary ExifReader 4.40.0 can throw an uncaught RangeError: Offset is outside the bounds of the DataView while parsing crafted HEIC/AVIF files. The file only needs a valid leading ftyp box with a HEIC/AVIF major brand followed by a malformed ISO-BMFF box, such as an empty 8-byte free box or a...
Flask-Reuploaded: Extension-denylist bypass via case-folding asymmetry in name-override path (incomplete-fix variant of CVE-2026-27641)
Header | Field | Value | |---|---| | Title | Extension-denylist bypass via case-folding asymmetry in name-override path incomplete-fix variant of CVE-2026-27641 | | Project | Flask-Reuploaded flaskuploads | | Affected | extension"shell.php" = "php" - extensionallowed"php" - DENY correct...
Prompty: Arbitrary code execution via JavaScript frontmatter in TypeScript loader
Summary The TypeScript Prompty loader used gray-matter without overriding executable frontmatter engines. gray-matter supports JavaScript frontmatter blocks such as ---js and evaluates them while parsing. An attacker-controlled .prompty file could therefore execute arbitrary JavaScript during...
Prompty: Arbitrary file read via file reference expansion
Summary Prompty loaders expanded $file:... references in .prompty frontmatter without enforcing that the resolved path stayed within an authorized directory. An attacker-controlled prompt file could use path traversal or an absolute path to cause the host application to read files accessible to t...
mcp-memory-keeper: Arbitrary local file read in context_import via unvalidated filePath
Impact contextimport passed the caller-supplied filePath directly to fs.readFileSync with no path confinement. A malicious MCP client — or an LLM agent that is prompt-injected into calling the tool — could point filePath at any file readable by the server process, outside any session or export...
Formie: Missing authorization in administrative settings allows low-privileged CP users to modify plugin configuration
Formie contains a missing authorization vulnerability in administrative settings routes. An authenticated, non-admin Craft CMS control panel user with limited Formie access could directly access Formie settings pages and modify global plugin configuration. In affected versions, Formie...
Gitea has insufficient permission checks for Composer package source links
CVE Description Gitea versions up to and including 1.26.1 have insufficient permission checks for Composer package source links, which can expose private or internal package source information. Summary A critical vulnerability has been discovered in Gitea. It was already reported via...
TAK-PS-Stats Web UI: Authenticated full-read SSRF in CloudTAK basemap import (PUT /api/basemap) — no IP-classification guard
Summary PUT /api/basemap the basemap import endpoint fetches an attacker-supplied URL server-side with no SSRF protection whatsoever. Any authenticated user can submit a JSON body "type": "...", "url": "" ; the server calls fetchurl against that URL and then reflects the response body name,...
oapi-codegen: OpenAPI Server Description Escapes Generated Go Comment and Injects Executable Code
Summary The vulnerability in oapi-codegen seems to be similar with CVE-2026-22785, which is a generated-code injection issue where untrusted OpenAPI summary text is embedded into generated TypeScript MCP server source without proper escaping. oapi-codegen has a similar vulnerability in its server...
meta-ads-mcp: X-Pipeboard-Token Header Auth Bypass Reuses Operator Meta Token
X-Pipeboard-Token Header Auth Bypass Reuses Operator Meta Token Summary AuthInjectionMiddleware in meta-ads-mcp rejects HTTP MCP requests only when both authtoken and pipeboardtoken are absent. Because extracttokenfromheaders does not recognise the X-Pipeboard-Token header, an attacker who sends...
meta-ads-mcp: Server-Side Request Forgery (SSRF) in `upload_ad_image` via Unrestricted `image_url` Fetch
Server-Side Request Forgery SSRF in uploadadimage via Unrestricted imageurl Fetch Summary The uploadadimage MCP tool in meta-ads-mcp v1.0.113 passes an attacker-controlled imageurl parameter directly to an HTTP fetch helper httpx.AsyncClientfollowredirects=True.geturl without any scheme, host, or...
sh _uid does not drop supplementary groups (incomplete privilege drop)
Impact The uid option performed an incomplete privilege drop on Linux/Unix-like systems. When sh was run from a process with elevated privileges, such as root, and a command was launched with uid=, the child process changed its UID and primary GID but did not reset its supplementary groups. As a...
AWS-JDBC Wrapper: Privilege Escalation in Aurora PostgreSQL instance
Aurora PostgreSQL is a fully managed relational database engine that's compatible with PostgreSQL. The team has identified CVE-2026-11400, an issue in Aurora PostgreSQL using the AWS Advanced JDBC Wrapper Impact An issue in AWS Wrappers for Amazon Aurora PostgreSQL will allow for privilege...
plone.restapi: Stored XSS by spoofing mime type
Impact A stored XSS affecting RichText fields. RichTextValue.output returns the raw, unsanitized stored value whenever the stored mimeType equals the outputMimeType. Because the safe-HTML output type text/x-html-safe is the type that signifies "already sanitized", any value whose stored mimeType...
plone.app.textfield: Stored XSS by spoofing mime type
Impact A stored XSS affecting RichText fields. RichTextValue.output returns the raw, unsanitized stored value whenever the stored mimeType equals the outputMimeType. Because the safe-HTML output type text/x-html-safe is the type that signifies "already sanitized", any value whose stored mimeType...
Skipper: Unbounded Request Body Read in Admission Webhook Causes Memory Exhaustion DoS
Summary The Kubernetes admission webhook handler reads the entire request body using io.ReadAllr.Body without any size limit. Any client that can reach the webhook port within the cluster can send a multi-GB payload, causing the skipper process to exhaust memory and be OOM-killed. This disrupts a...
vLLM: Speech-to-text upload size limit is enforced after full UploadFile read
Summary Current-head vLLM documents VLLMMAXAUDIOCLIPFILESIZEMB as the maximum audio file size accepted by the speech-to-text APIs. The default is 25 MB. vllm/envs.py also describes files larger than this value as rejected. The /v1/audio/transcriptions and /v1/audio/translations routes call await...
vLLM: ReDoS via structured_outputs.regex compiled without timeout in xgrammar and outlines backends
Summary The structuredoutputs.regex API parameter passes a user-supplied regex string directly to grammar compiler backends with no compilation timeout. In the xgrammar backend, the string reaches compileregex with no guard. In the outlines backend, validateregexisbuildable blocks structural issu...
vLLM has Remote DoS via Invalid Recovered Token Reinjection
Summary A frontend-legal multi-request speculative workload can make vLLM produce an out-of-vocabulary recovered token equal to vocabsize, convert that value to -1 when choosing the next live token for a request, and then feed that -1 back into the next drafter input ids. On Qwen3 GPTQ this reach...
vLLM: Processing differential in multi-channel audio downmixing enables hidden-input/moderation bypass for audio models
Issue Description Librosa defaults to using numpy.mean for mono downmixing tomono, while the international standard ITU-R BS.775-4 specifies a weighted downmixing algorithm. This discrepancy results in: - Inconsistency between audio heard by humans e.g., through headphones/regular speakers and...
ArcadeDB has cross-database IDOR: /ts/*, /batch/*, Prometheus and Grafana handlers bypass authorization
About 14 HTTP handlers resolve the database path param and call getDatabase... WITHOUT user.canAccessToDatabase... and without setting the engine principal, because they extend AbstractServerHttpHandler directly instead of DatabaseAbstractHandler which holds the only per-database gate at...
ArcadeDB: Scripting authorization gate (GHSA-48qw-824m-86pr) bypassed via SQL DEFINE FUNCTION ... LANGUAGE js
The GHSA-48qw-824m-86pr hardening added a checkPermissionsOnDatabaseUPDATESECURITY gate on the polyglot engine PolyglotQueryEngine.java:112-114,126,176,199, but only there. The SQL route to JavaScript never touches it: DefineFunctionStatement.executeSimple DefineFunctionStatement.java:37-100,...
ArcadeDB: Trigger scripts run with java.lang.* allowed, enabling OS command execution (RCE)
ScriptTriggerExecutor sets allowedPackages to java.lang., java.util., java.time., java.math. ScriptTriggerExecutor.java:56; trigger creation is gated only at UPDATESCHEMA LocalSchema.createTrigger:636. Permitting java.lang. host-class lookup lets a trigger script do...
MCP Python SDK: WebSocket server transport does not support Host/Origin validation
Summary In affected versions, the deprecated WebSocket server transport mcp.server.websocket.websocketserver accepted the WebSocket handshake without applying any Host or Origin header validation. The TransportSecuritySettings mechanism that the SSE and Streamable HTTP transports use for this...
ArcadeDB: Privilege escalation via reader role in /api/v1/command JS scripting language — arbitrary host file read
Impact A user holding only reader read-only privileges on a single database could execute arbitrary JVM code by sending a "language": "js" command to the POST /api/v1/command/database HTTP endpoint, and use it to read arbitrary files on the host filesystem e.g. /etc/passwd, configuration files,...
Pheditor: Hardcoded default password 'admin' with no forced change enables full application compromise
Summary Pheditor ships with a hardcoded default password admin SHA-512 hash stored at pheditor.php:11. There is no mechanism to force a password change on first login. Any deployment using the default credentials grants an attacker full access to the file editor, file upload, and terminal feature...
Pheditor: Incomplete command sanitization in terminal feature allows RCE via pipe operator, backtick substitution, and newline injection
Summary The terminal feature in Pheditor uses an incomplete character blocklist to sanitize user-supplied commands before passing them to shellexec. After the fix for GHSA-9643-6xjp-vx57 which added $ to the blocklist, the characters | single pipe, backtick, and the newline byte 0x0A remain...
kuma-dp connects to control plane without verifying TLS certificate when no CA is configured
When kuma-dp is started against an HTTPS control plane and the operator did not pass a CA certificate, the data plane connects with TLS peer verification disabled. The dataplane authentication token is sent over this unverified connection Impact An on-path attacker can intercept the dataplane...
ArcadeDB: Read-only users can mutate database schema (incomplete fix of CVE-2026-44221)
Impact The fix for CVE-2026-44221 GHSA-fxc7-fm93-6q77 added an UPDATESCHEMA authorization check to a single schema-mutating method LocalDocumentType.createProperty. The remaining public schema mutators were left unchecked, so an authenticated identity including a read-only API token that lacks th...
ArcadeDB: IMPORT DATABASE allows SSRF and arbitrary local file read by authenticated users
Impact The SQL IMPORT DATABASE statement did not require administrative privileges and passed its source URL to the importer without validation. Any authenticated user with SQL command access not only root/administrators could therefore: - Server-Side Request Forgery CWE-918: cause the server to...
nimiq-primitives: Out-of-bounds panic in KeyNibbles::Add from oversized child suffix in a deserialized proof
Impact A malicious peer acting as a state-sync source can crash a syncing node with a crafted TrieChunk whose proof contains a TrieNodeChild whose suffix, when concatenated with the parent key via KeyNibbles::Add, exceeds the fixed 63-byte backing array. Add primitives/src/keynibbles.rs:332 / :34...
nimiq-primitives: Panic in TrieProof::verify via child_index unwrap on equal-length keys
Impact A malicious peer acting as a state-sync source can crash a syncing node by sending a crafted TrieChunk whose proof contains two TrieProofNodes with identical keys. TrieProof::verify calls TrieProofNode::childindex primitives/src/trie/trieproofnode.rs:94, which unconditionally unwraps...
Pheditor has an authenticated terminal command whitelist bypass
Summary Pheditor 2.0.4 has an authenticated terminal command whitelist bypass. The terminal feature checks whether the submitted command starts with one of the configured TERMINALCOMMANDS values, then passes the full command string to shellexec. Shell command substitution such as $ is not blocked...
MCP Python SDK: HTTP transports serve session requests without verifying the authenticated principal
Summary In affected versions, the SSE and Streamable HTTP server transports routed incoming requests to an existing session based only on the session identifier, without verifying that the request was authenticated as the same principal that created the session. Anyone who learned or guessed a...
MCP Python SDK: Experimental task handlers allow any client to access and cancel other clients' tasks
Summary In affected versions, the default request handlers installed by the experimental tasks feature server.experimental.enabletasks did not check which session created a task before acting on it. On a server with more than one connected client, any client could observe, read results from, and...
Nuclio: Unauthenticated path traversal in spec.handler allows arbitrary file write in Dashboard container
Summary Nuclio Dashboard exposes POST /api/functions without authentication by default NOP auth mode. The spec.handler field e.g., mymodule:myfunction is parsed by functionconfig.ParseHandler which splits on : only — no path validation is applied to the module portion. During function build,...
Nuclio: Unsanitized runtimeAttributes.repositories injected into Groovy build.gradle leads to build-time RCE
Summary Nuclio's Java runtime generates a build.gradle file during function builds using Go's text/template package. The template renders runtimeAttributes.repositories values with the . action, which performs no escaping. An attacker can embed a closing brace to break out of the repositories blo...
Envoy Gateway: xDS Control Plane Information Disclosure when operating in GatewayNamespaceMode
Impact When Envoy Gateway runs in GatewayNamespaceMode provider.kubernetes.deploy.type=GatewayNamespace, the xDS gRPC server is configured with a StreamInterceptor for JWT authentication but no UnaryInterceptor. The go-control-plane xDS server exposes both streaming and unary Fetch RPC methods fo...
Diesel has possible use after free when deserializing a SQLite database via `SqliteConnection::deserialize_readonly_database`
Diesel allows loading a SQLite database from a byte buffer, represented as &u8, at runtime via the SqliteConnection::deserializereadonlydatabase function. In previous versions of Diesel, this buffer was passed directly to libsqlite3. Since libsqlite3 requires the buffer to remain alive for as lon...
Envoy Gateway: Authentication Bypass via Improper Input Validation in EnvoyExtensionPolicy Lua Allows Secret Disclosure
Impact The toabsolutenormalizedpath function security.lua:28-43 does not collapse redundant path separators // → /. On Linux, //etc/passwd is equivalent to /etc/passwd POSIX path semantics, but iscriticalpath fails to match the double-slash variant because //etc/passwd does not start with /etc/...
Envoy Gateway: Wasm cache ServeHTTP reads mappingPath2Cache without lock
Vulnerability report without repro case. Repro case may be added later after harness is complete. Preconditions 4: - Pod-network reachability to :18002 no auth - Tenant can create EnvoyExtensionPolicy baseline - Attacker pod floods GET while churning EnvoyExtensionPolicy with distinct Wasm URLs -...
Envoy Gateway: OCI layer extraction allocates make([]byte, h.Size) from untrusted tar header
Vulnerability report without repro case. Repro case may be added later after harness is complete. Preconditions 4: - Tenant can create EnvoyExtensionPolicy baseline - Controller has egress to attacker-controlled OCI registry - No registry allowlist none exists in code - Layer presents Docker/OCI...
Envoy Gateway: Nil-dereference when SecurityPolicy targets TCPRoute without spec.authorization
Vulnerability report without repro case. Repro case may be added later after harness is complete. Preconditions 4: - Tenant has SecurityPolicy + TCPRoute RBAC baseline - Tenant namespace permitted to attach TCPRoute to a Gateway listener - spec.authorization omitted the trigger - No admission...
Envoy Gateway: Wasm HTTP fetch decompresses gzip without output-size limit
Vulnerability report without repro case. Repro case may be added later after harness is complete. Preconditions 4: - Tenant can create EnvoyExtensionPolicy baseline - Attacker hosts a gzip-bomb at a reachable URL - sha256 unset optional field; check is post-decompression anyway - No operator...