Lucene search
K
GithubRecent

33227 matches found

Github Security Blog
Github Security Blog
added 2026/05/05 9:31 a.m.14 views

Apache Thrift vulnerable to Path Traversal, HTTP Request/Response Splitting, Uncontrolled Resource Consumption

Origin Validation Error, Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal', Improper Neutralization of CRLF Sequences in HTTP Headers 'HTTP Request/Response Splitting', Uncontrolled Resource Consumption vulnerability in Apache Thrift. This issue affects Apache Thrift:...

7.3CVSS5.8AI score0.00394EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/05 12:40 a.m.11 views

Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream

Summary The FormDataPart constructor in lib/helpers/formDataToStream.js interpolates value.type directly into the Content-Type header of each multipart part without sanitizing CRLF \r\n sequences. An attacker who controls the .type property of a Blob/File-like object e.g., via a user-uploaded fil...

5.3CVSS6AI score0.0024EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/05 12:40 a.m.12 views

Axios: no_proxy bypass via IP alias allows SSRF

The fix for noproxy hostname normalization bypass 10661 is incomplete.When noproxy=localhost is set, requests to 127.0.0.1 and ::1 still route through the proxy instead of bypassing it. The shouldBypassProxy function does pure string matching — it does not resolve IP aliases or loopback...

7.5CVSS5.8AI score0.00301EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/05 12:34 a.m.11 views

Axios: unbounded recursion in toFormData causes DoS via deeply nested request data

Summary toFormData recursively walks nested objects with no depth limit, so a deeply nested value passed as request data crashes the Node.js process with a RangeError. Details lib/helpers/toFormData.js:210 defines an inner buildvalue, path that recurses into every object/array child line 225:...

7.5CVSS5.9AI score0.00744EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/05 12:33 a.m.12 views

Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0

Summary For stream request bodies, maxBodyLength is bypassed when maxRedirects is set to 0 native http/https transport path. Oversized streamed uploads are sent fully even when the caller sets strict body limits. Details Relevant flow in lib/adapters/http.js: - 556-564: maxBodyLength check applie...

5.3CVSS5.8AI score0.00327EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/05 12:30 a.m.10 views

Hashicorp Boundary workers are vulnerable to a denial-of-service condition during node enrollment TLS handshakes

Boundary Community Edition and Boundary Enterprise "Boundary" workers are vulnerable to a denial-of-service condition during node enrollment TLS handshakes. An attacker with network access to the worker authentication listener may open a connection and delay or withhold the client certificate...

7.5CVSS5.8AI score0.002EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/05 12:26 a.m.12 views

Axios: HTTP adapter streamed responses bypass maxContentLength

Summary When responseType: 'stream' is used, Axios returns the response stream without enforcing maxContentLength. This bypasses configured response-size limits and allows unbounded downstream consumption. Details In lib/adapters/http.js: - 786-789: for responseType === 'stream', Axios immediatel...

5.3CVSS5.8AI score0.00421EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/05 12:26 a.m.12 views

Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking

Summary When Object.prototype has been polluted by any co-dependency with keys that axios reads without a hasOwnProperty guard, an attacker can a silently intercept and modify every JSON response before the application sees it, or b fully hijack the underlying HTTP transport, gaining access to...

7.4CVSS6.9AI score0.00838EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/05 12:25 a.m.9 views

Axios: Header Injection via Prototype Pollution

Summary A prototype pollution gadget exists in the Axios HTTP adapter lib/adapters/http.js that allows an attacker to inject arbitrary HTTP headers into outgoing requests. The vulnerability exploits duck-type checking of the data payload, where if Object.prototype is polluted with getHeaders,...

7.4CVSS5.8AI score0.00394EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/05 12:25 a.m.12 views

Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion

Vulnerability Disclosure: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in withXSRFToken Boolean Coercion Summary The Axios library's XSRF token protection logic uses JavaScript truthy/falsy semantics instead of strict boolean comparison for the withXSRFToken config property. Whe...

5.4CVSS5.8AI score0.00228EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/05 12:21 a.m.14 views

Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy

Vulnerability Disclosure: Authentication Bypass via Prototype Pollution Gadget in validateStatus Merge Strategy Summary The Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution to silently suppress all HTTP error responses 401, 403, 500,...

8.2CVSS5.9AI score0.00611EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/05 12:20 a.m.13 views

Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0

Executive Summary This report documents an incomplete security patch for the previously disclosed vulnerability GHSA-3p68-rc4w-qgx5 CVE-2025-62718, which affects the NOPROXY hostname resolution logic in the Axios HTTP library. Background — The Original Vulnerability The original vulnerability...

10CVSS6.3AI score0.01186EPSS
Exploits2References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/05 12:19 a.m.18 views

Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver`

Vulnerability Disclosure: Invisible JSON Response Tampering via Prototype Pollution Gadget in parseReviver Summary The Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into surgical...

9.1CVSS5.9AI score0.00586EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/05 12:18 a.m.15 views

Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking

Summary Five config properties in the HTTP adapter are read via direct property access without hasOwnProperty guards, making them exploitable as prototype pollution gadgets. When Object.prototype is polluted by another dependency in the same process, axios silently picks up these polluted values ...

9.1CVSS5.9AI score0.00715EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/05 12:18 a.m.15 views

Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams

Vulnerability Disclosure: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams Summary The encode function in lib/helpers/AxiosURLSearchParams.js contains a character mapping charMap at line 21 that reverses the safe percent-encoding of null bytes. After encodeURIComponent'\x00'...

3.7CVSS5.9AI score0.00217EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/05 12:3 a.m.11 views

ogham-mcp had credentials embedded in published PyPI sdists -- Neon postgres URLs and Voyage API key

Summary Between 2026-02 and 2026-04-24 a total of 22 public PyPI sdists of ogham-mcp contained development credentials embedded in source files. All credentials have since been rotated on the respective providers. No known exploitation. Upgrade to v0.11.1 to get a clean release. What was leaked |...

5.8AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/04 10:28 p.m.11 views

sequoia-git has broken hard revocation handling

Before sq-git checks if a commit can be authenticated, it first looks for hard revocations. Because parsing a policy is expensive and a project's policy rarely changes, sq-git has an optimization to only check a policy if it hasn't checked it before. It does this by maintaining a set of policies...

5.8AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/04 10:22 p.m.29 views

webonyx/graphql-php has quadratic validation cost in OverlappingFieldsCanBeMerged via inline fragments

Summary OverlappingFieldsCanBeMerged validation rule has On^2 x m^2 worst case via flattened inline fragments. The CVE-2023-26144 named-fragment cache does not cover inline fragments. A 364 KB query 200 outer x 100 inner inline fragments consumes 117 seconds of CPU per request, with no comparison...

5.3CVSS6.6AI score0.01198EPSS
Exploits1References9Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/04 10:11 p.m.12 views

livewire-markdown-editor has arbitrary file upload that allows stored XSS via attachment handler

Impact All versions of mckenziearts/livewire-markdown-editor prior to v1.3 contain a critical arbitrary file upload vulnerability in the MarkdownEditor::updatedAttachments Livewire handler. The handler calls $file-store with no server-side validation of MIME type, extension, or file content. Any...

6AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/04 10:8 p.m.8 views

pyload-ng: non-admin SETTINGS users can redirect all outbound traffic through an attacker-controlled proxy via unrestricted `proxy.*` config (incomplete fix for CVE-2026-33509 / -35463 / -35464 / -35586)

Summary The setconfigvalue API method @permissionPerms.SETTINGS in src/pyload/core/api/init.py gates security-sensitive options behind a hand-maintained allowlist ADMINONLYCOREOPTIONS. The allowlist contains "proxy", "username" and "proxy", "password" — which protect the proxy credentials — but i...

8.3CVSS6AI score0.00396EPSS
Exploits1References8Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/04 10:7 p.m.8 views

pyload-ng: non-admin SETTINGS users can disable outbound TLS peer verification via unrestricted `ssl_verify` config (incomplete fix for CVE-2026-33509 / -35463 / -35464 / -35586)

Summary The setconfigvalue API method @permissionPerms.SETTINGS in src/pyload/core/api/init.py gates security-sensitive options behind a hand-maintained allowlist ADMINONLYCOREOPTIONS. The option "general", "sslverify" is not on that allowlist. Any authenticated user with the non-admin SETTINGS...

6.8CVSS5.8AI score0.00174EPSS
Exploits1References8Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/04 10:4 p.m.10 views

net-imap vulnerable to command Injection via "raw" arguments to multiple commands

Summary Several Net::IMAP commands accept a raw string argument that is sent to the server without validation or escaping. If this string is derived from user-controlled input, it may contain contain CRLF sequences, which an attacker can use to inject arbitrary IMAP commands. Details Net::IMAP's...

9.8CVSS5.6AI score0.00429EPSS
Exploits0References12Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/04 10:4 p.m.8 views

net-imap vulnerable to command Injection via unvalidated Symbol inputs

Summary Symbol arguments to commands are vulnerable to a CRLF Injection / IMAP Command injection via Symbol arguments passed to IMAP commands. Details Symbol arguments represent IMAP "system flags", which are formatted as "atoms" with no quoting with a "" prefix. Vulnerable versions of Net::IMAP...

7.1CVSS5.9AI score0.00813EPSS
Exploits0References10Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/04 10:3 p.m.6 views

net-imap vulnerable to denial of service via high iteration count for `SCRAM-*` authentication

Summary When authenticating a connection with SCRAM-SHA1 or SCRAM-SHA256, a hostile server can perform a computational denial-of-service attack on the client process by sending a big iteration count value. Details A hostile IMAP server can send an arbitrarily large PBKDF2 iteration count in the...

6.5CVSS5.8AI score0.00299EPSS
Exploits0References11Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/04 10:2 p.m.9 views

net-imap has quadratic complexity when reading response literals

Summary Net::IMAP::ResponseReader has quadratic time complexity when reading large responses containing many string literals. A hostile server can send responses which are crafted to exhaust the client's CPU for a denial of service attack. Details For each literal in a response, ResponseReader...

7.5CVSS5.8AI score0.0041EPSS
Exploits0References10Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/04 10:1 p.m.6 views

net-imap vulnerable to STARTTLS stripping via invalid response timing

Summary A man-in-the-middle attacker can cause Net::IMAPstarttls to return "successfully", without starting TLS. Details When using Net::IMAPstarttls to upgrade a plaintext connection to use TLS, a man-in-the-middle attacker can inject a tagged OK response with an easily predictable tag. By sendi...

7.6CVSS5.9AI score0.00324EPSS
Exploits0References14Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/04 9:43 p.m.14 views

`mysten-metrics` was removed from crates.io for malicious code

mysten-metrics included a build script that attempted to exfiltrate data from the build machine. The malicious crate had 1 version published on 2026-04-20 and had no evidence of actual usage. This crate had no dependencies on crates.io...

5.8AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/04 9:42 p.m.7 views

`sui-execution-cut` was removed from crates.io for malicious code

sui-execution-cut included a build script that attempted to exfiltrate data from the build machine. The malicious crate had 1 version published on 2026-04-20 and had no evidence of actual usage. This crate had no dependencies on crates.io...

5.8AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/04 9:30 p.m.19 views

IKUS Rdiffweb allows an attacker with any valid or stolen access token to act as other users

IKUS Rdiffweb version 2.10.5 and below have an improper authorization flaw that allows an attacker with any valid or stolen access token to act as other users. The API does not enforce binding between the authenticated subject and the targeted user/tenant, so crafted requests can read or modify...

8.1CVSS5.8AI score0.00245EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/04 9:30 p.m.11 views

OpenSTAManager contains an arbitrary file upload vulnerability in its module update functionality

OpenSTAManager versions 2.10 and earlier contain an arbitrary file upload vulnerability in the module update functionality modules/aggiornamenti/uploadmodules.php...

7.2CVSS5.9AI score0.00372EPSS
Exploits5References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/04 9:30 p.m.9 views

ArchiveBox Vulnerable to RCE via unvalidated per-crawl config overrides in AddView

The /add/ endpoint AddView in core/views.py accepts a config JSON field that gets merged into the crawl config without validation. This config is exported as environment variables when archive plugins run, allowing injection of arbitrary tool arguments to achieve RCE. When PUBLICADDVIEW=True comm...

9.8CVSS6.6AI score0.00404EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/04 9:27 p.m.19 views

apko doesn't verify downloaded apk packages against APKINDEX checksum (package substitution possible)

apko verifies the signature on APKINDEX.tar.gz but never compares individually downloaded .apk packages against the checksum recorded in the signed index. The checksum is parsed and available via ChecksumString, and the downloaded package control hash is computed, but the two values are never...

7.5CVSS5.9AI score0.00159EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/04 9:26 p.m.18 views

apko dirFS has a symlink-following path traversal that allows multiple entry points to escape the build root

Impact A crafted .apk could install a TypeSymlink tar entry whose target pointed outside the build root, and a subsequent directory-creation or file-write entry in the same or later archive could traverse that symlink to reach host paths the build user could write to. The root cause was the...

7.5CVSS7.2AI score0.00352EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/04 9:25 p.m.9 views

apko `DiscoverKeys` has a panic on non-rsa jwks key that causes crash during key discovery

DiscoverKeys in pkg/apk/apk/implementation.go unconditionally type-asserts JWKS keys as rsa.PublicKey without checking the key type. If a repository JWKS endpoint returns a non-RSA key e.g. EC, the unchecked assertion panics and crashes apko. This affects any workflow that initializes the APK...

6.5CVSS5.8AI score0.00252EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/04 9:24 p.m.15 views

Pelican Web UI Affected by a Privilege Escalation Attack

Background On April 2nd, 2026, a Claude coding agent alerted Pelican PI Brian Bockelman to a privilege escalation vulnerability affecting Pelican's Web User Interface WebUI for various versions between v7.21 and v7.24. Upon further investigation, the Pelican team discovered this attack allows any...

9CVSS5.7AI score0.0032EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/04 9:20 p.m.16 views

phpVMS has an /importer authorization bypass causing full database wipe

Security Advisory: Unauthenticated Access to Legacy Import Feature Severity: Critical Affected versions: phpVMS 7.x up to 7.0.5 Fixed in: v7.0.6 Component: Legacy importer Summary A critical vulnerability in phpVMS 7.x allowed unauthenticated access to a legacy import feature. Although this featu...

9.4CVSS5.9AI score0.01173EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/04 9:19 p.m.15 views

AzuraCast Vulnerable to Liquidsoap Code Injection via Incomplete cleanUpString-to-toRawString Migration in Remote Relay Password Field

Summary The cleanUpString method in ConfigWriter.php uses an ungreedy regex to strip Liquidsoap string interpolation patterns ... from user input. This regex can be bypassed via nested interpolation syntax EXPR, allowing injection of arbitrary Liquidsoap code. Commit ff49ef4 migrated most...

6.4AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/04 9:19 p.m.11 views

AzuraCast has Missing Permissions Check on Media File Download, Allowing Cross-Station Data Exfiltration

Summary The GET /api/station/stationid/file/id/play endpoint, handled by PlayAction, is missing the Middleware\Permissions check that protects all sibling routes in the same /file/id route group. Any authenticated user can download media files from any station, regardless of whether they have...

5.8AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/04 9:18 p.m.46 views

AzuraCast's Missing RequireInternalConnection on Liquidsoap API Allows Low-Privilege Metadata Injection and Broadcast Disruption

Summary The /api/internal/stationid/liquidsoap/action endpoint is accessible from the public web interface because it lacks the RequireInternalConnection middleware that protects other internal endpoints /sftp-auth, /sftp-event. Combined with a logic flaw where the $asAutoDj flag is set based on...

6AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/04 9:17 p.m.15 views

AzuraCast has Password Reset Poisoning via Untrusted X-Forwarded-Host Header that Leads to Account Takeover and 2FA Bypass

Summary The ApplyXForwarded middleware unconditionally trusts the client-supplied X-Forwarded-Host HTTP header with no trusted proxy allowlist. An unauthenticated attacker can poison the password reset URL sent to any user by injecting this header when triggering the forgot-password flow. When th...

8.8CVSS5.9AI score0.00476EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/04 9:16 p.m.13 views

AzuraCast has Path Traversal in `currentDirectory` Parameter that Enables Remote Code Execution via Media Upload

Summary The currentDirectory request parameter in the Flow.js media upload endpoint POST /api/station/stationid/files/upload is not sanitized for path traversal sequences. When combined with a local filesystem storage backend the default, an authenticated user with media management permissions ca...

8.8CVSS6.7AI score0.00832EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/04 9:15 p.m.15 views

quarkus-openapi-generator has overly broad path-parameter matching that sends authentication headers to unintended operations

Summary The generated authentication filter matches OpenAPI path templates too broadly when deciding whether to attach credentials. A security scheme configured for one operation can therefore be applied to a different same-method operation whose path only partially resembles the protected...

6.3CVSS5.8AI score0.004EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/04 9:15 p.m.10 views

Sandboxed Thymeleaf expressions vulnerable to improper recognition of unauthorized syntax patterns

Impact A security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf up to and including 3.1.4.RELEASE. Although the library provides mechanisms to avoid the execution of potentially dangerous expressions in some specific sandboxed restricted contexts, it fails to...

9CVSS5.8AI score0.00427EPSS
Exploits0References3Affected Software3
Github Security Blog
Github Security Blog
added 2026/05/04 9:14 p.m.19 views

OpenClaw's Gateway Control UI bootstrap config required Gateway auth

Summary Gateway Control UI bootstrap config required Gateway auth. Affected Packages / Versions - Package: openclaw npm - Affected versions: = 2026.4.21 - Fixed version: 2026.4.22 Impact When Gateway authentication was enabled, the Control UI bootstrap config endpoint could still be read without ...

5.8AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/04 9:7 p.m.12 views

OpenClaw: OpenShell FS bridge reads pin and verify the opened file before returning bytes

Summary OpenShell FS bridge reads pin and verify the opened file before returning bytes Affected Packages / Versions - Package: openclaw npm - Affected versions: = 2026.4.21 - Fixed version: 2026.4.22 Impact A time-of-check/time-of-use race around OpenShell sandbox filesystem reads could let a...

8.3CVSS5.8AI score0.00208EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/04 8:57 p.m.12 views

OpenClaw: OpenShell FS bridge writes stay pinned to the sandbox mount root

Summary OpenShell FS bridge writes stay pinned to the sandbox mount root Affected Packages / Versions - Package: openclaw npm - Affected versions: = 2026.4.21 - Fixed version: 2026.4.22 Impact A time-of-check/time-of-use race around OpenShell sandbox filesystem writes could let a symlink swap...

9.6CVSS5.8AI score0.02442EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/04 8:56 p.m.15 views

changedetection.io project has an XXE vulnerability

changedetection.ioXXE01 Vulnerability Report: We discovered a XXE vulnerability in the changedetection.io project While analyzing the code logic, it was determined that an area may lead to unintended behavior under specific conditions. With the project's security in mind, see the analysis results...

8.2CVSS5.8AI score0.00266EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/04 8:52 p.m.13 views

Signal K Server's WebSocket Login Endpoint Lacks Rate Limiting (Credential Brute-Force)

Summary The HTTP login endpoints POST /login and POST /signalk/v1/auth/login are protected by express-rate-limit default: 100 attempts per 10-minute window, configurable via HTTPRATELIMITS. The WebSocket login path — sending login: username, password messages over an established WebSocket...

8.7CVSS5.9AI score0.00327EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/04 8:50 p.m.8 views

CI4MS has a Deactivated User Session Bypass (active=0)

Summary The auth filter has the deactivated/banned user check commented out. Details CodeIgniter Shield's loggedIn re-checks the status field catching status='banned', but does not re-check the active field for existing sessions. When an admin deactivates a user active=0 after they have already...

5.3CVSS5.9AI score0.00269EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/04 8:50 p.m.9 views

CI4MS Vulnerable to Arbitrary Database Table Drop via Theme deleteProcess

Summary The deleteProcess action accepts a POST parameter tables containing arbitrary table names. These are passed directly to $forge-dropTable without validating that the tables belong to the theme being deleted. The deleteConfirm view correctly populates tables from the theme's own migration...

6.9CVSS5.9AI score0.00344EPSS
Exploits0References5Affected Software1
Total number of security vulnerabilities33227