Lucene search
K
GithubRecent

33100 matches found

Github Security Blog
Github Security Blog
added 2026/07/01 7:58 p.m.6 views

sigstore's `certificateOIDs` verification constraints are silently dropped and never enforced

Summary The documented certificateOIDs option in sigstore.verify is accepted by the public API but discarded before verification, so required certificate extension OIDs are never checked. Details The public verify options include certificateOIDs and the documentation says those OID/value pairs...

5.8AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/07/01 7:57 p.m.8 views

sigstore-js has Insufficient Verification of Data Authenticity

sigstore-js derives a transparency-log timestamp from tlogEntries.integratedTime and uses it to validate certificate validity windows and satisfy timestampThreshold. For bundle v0.2, a tlog entry can be inclusionProof-only no signed inclusionPromise/set, and the inclusion proof path does not...

5.8AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/07/01 7:55 p.m.5 views

CrateDB's Blob HTTP handler bypasses authorization

Component: io.crate.protocols.http.HttpBlobHandler Affected: verified against CrateDB 6.2.7 latest at time of report; the bug has existed since the blob HTTP handler was introduced Impact: any authenticated user can read or delete any blob whose SHA-1 digest they know, and can plant new blobs...

5.8AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/07/01 7:49 p.m.6 views

Kimai Password Reset Link Remains Valid After Password Change

Summary The LoginLink signature used for password reset URLs covers only the user's id — it does not include the password hash. After a user clicks a reset link and successfully changes their password, the same link remains valid for up to 2 additional uses within a 1-hour window. Anyone who...

5.7AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/07/01 7:1 p.m.13 views

repomix: attach_packed_output can bypass file-read secret scanning for supported local files

attachpackedoutput can register arbitrary .json/.txt/.md/.xml files and bypass the MCP file-read safety check Summary Repomix's MCP server exposes a normal filesystemreadfile tool that reads absolute paths only after running the project's secret check. However, the attachpackedoutput plus...

6.1AI score0.00028EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/07/01 7:1 p.m.6 views

Concourse login flow has an open redirect issue

Impact An attacker is able to craft and send a user a URL that will redirect the user from the Concourse web server to any other site. This could be used in a phishing attack to steal user's credentials. Patches This has been fixed in 8.2.3 Workarounds None. Exploit Vulnerable code was in:...

5.8AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/07/01 7:0 p.m.5 views

repomix Vulnerable to Command Injection (RCE) via `--remote-branch` Argument Injection

Vulnerability Metadata | Field | Detail | | --- | --- | | Affected Component | src/core/git/gitCommand.ts execGitShallowClone | | Impact | Arbitrary Command Execution / Security Control Bypass | Summary The --remote-branch CLI option in repomix is vulnerable to argument injection. User-supplied...

6.2AI score0.00066EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/07/01 6:57 p.m.6 views

pay-rails/pay: non-constant-time HMAC comparison in Paddle Billing webhook signature verifier

Summary Pay::Webhooks::PaddleBillingControllervalidsignature? app/controllers/pay/webhooks/paddlebillingcontroller.rb verifies the Paddle Billing webhook signature by computing OpenSSL::HMAC.hexdigest... and comparing it to the attacker-supplied header value using Ruby's String==. Ruby's == is...

6AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/07/01 6:55 p.m.6 views

Twig: Sandbox filter, tag and function allow-list bypass when sandbox state changes between renders for a cached `Template`

Description The per-template filter, tag and function allow-list check is compiled into the checkSecurity method of each Template subclass and was invoked once from the constructor, gated by SandboxExtension::isSandboxed$source. Template instances are then cached on the Environment in...

5.7AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/07/01 6:47 p.m.4 views

Constrata's coordinator transit engine `ciphertextContainer.UnmarshalJSON` panics on attacker-controlled short ciphertexts

Summary ciphertextContainer.UnmarshalJSON decodes the third :-separated component of a vault:vX:base64... ciphertext and then unconditionally takes a 12-byte prefix slice for the AES-GCM nonce: c.nonce = fullCiphertext:aesGCMNonceSize. If the decoded blob is shorter than 12 bytes, the slice...

5.7AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/07/01 6:43 p.m.4 views

Contrast's Imagepuller registryFor uses unanchored suffix matching, leaking auth credentials and trusted CA configuration to sibling-domain registries

Summary Config.registryFor selected a per-registry credential / CA / mirror block by checking strings.HasSuffixname, fqdn after stripping a single trailing dot. The match has no boundary between the configured FQDN and any preceding characters in the request hostname. A registry configured as...

5.8AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/07/01 6:41 p.m.8 views

Cortex has Untrusted Project Bootstrap Code Execution via `CLAUDE_PROJECT_DIR`

Untrusted Project Bootstrap Code Execution via CLAUDEPROJECTDIR Summary The Cortex MCP server neuro-cortex-memory treats the CLAUDEPROJECTDIR environment variable — automatically set by Claude Code to the currently open project directory — as a trusted Cortex developer checkout. When the...

6.6AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/07/01 6:32 p.m.10 views

Schema.org has cross-site scripting (XSS) via script break-out in toScript() output

Schema.org has a cross-site scripting XSS vulnerability via script break-out in toScript output...

5.6AI score
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/07/01 6:19 p.m.8 views

wetty vulnerable to DOM XSS via file-download filename

Summary The wetty client decodes a base64 filename from the file-download escape sequence and interpolates it raw into a Toastify HTML string escapeMarkup: false. Any output the victim renders - a cat'd file, a tailed log, an SSH MOTD, a curl response - that contains \x1b5i...:...\x1b4i runs scri...

6AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/07/01 6:18 p.m.5 views

EasyAdminBundle has path traversal and reflected XSS in Flag and Icon Twig components

EasyAdminBundle ships two public Twig components — and — that load SVG files from disk using a path built directly from a public component property, and then render the resulting markup with the Twig |raw filter. When an application binds either of those properties to data that is influenced by a...

5.9AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/07/01 6:16 p.m.6 views

auth-fetch-mcp has SSRF Protection Bypass via IPv4-mapped IPv6 Loopback

SSRF Protection Bypass via IPv4-mapped IPv6 Loopback Summary auth-fetch-mcp v3.0.1 implements SSRF protection in assertSafeUrl src/security.ts to block requests to private and loopback addresses. However, the isPrivateV6 function fails to detect IPv4-mapped IPv6 loopback addresses in their...

5.8AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/07/01 6:14 p.m.5 views

@jshookmcp/jshook: ICMP probe and traceroute skip local-network SSRF authorization

Summary The network domain has a central SSRF authorization policy that blocks private, loopback, link-local, and reserved targets unless an explicit authorization object allows private network access. The policy is enforced by raw HTTP/TCP/TLS RTT tools, but the ICMP probe and traceroute tools...

6.3AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/07/01 5:57 p.m.5 views

GeoNetwork has ACL bypass on Elasticsearch search when request body omits query field

Summary GeoNetwork's Elasticsearch-backed search API is responsible for injecting access-control and visibility filters into every request before it reaches the underlying Elasticsearch index. Under certain request conditions, that filtering step does not run, allowing an unauthenticated user to...

5.8AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/07/01 5:56 p.m.6 views

GeoNetwork has reflected XSS through client-side template injection

Summary It is possible to craft a URL that causes GeoNetwork to reflect attacker-controlled content into an error page in a way that gets evaluated as a client-side template expression. Combined with known AngularJS sandbox-escape techniques, this can be used to execute arbitrary JavaScript in th...

6.2AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/07/01 5:54 p.m.4 views

Open Babel has out-of-bounds write in MSI translationVectors[]

Summary A memory-safety vulnerability in Open Babel's MSI parser allowed an out-of-bounds write into the translationVectors array when reading a crafted input file. Details The MSI reader stored cell translation vectors into a fixed-size translationVectors array. A malformed input could push more...

9.8CVSS6.7AI score0.00863EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/07/01 5:54 p.m.5 views

Open Babel has out-of-bounds write in MOPAC IN translationVectors[] (Tv atom)

Summary A memory-safety vulnerability in Open Babel's MOPAC input parser allowed an out-of-bounds write into the translationVectors array when reading Tv translation-vector atoms from a crafted input file. Details The MOPAC IN reader stored Tv-atom translation vectors into a fixed-size...

9.8CVSS7.1AI score0.00863EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/07/01 5:53 p.m.6 views

Open Babel has out-of-bounds write in MOPAC translationVectors[] (FINAL POINT)

Summary A memory-safety vulnerability in Open Babel's MOPAC output parser allowed an out-of-bounds write into the translationVectors array when reading the "FINAL POINT" block of a crafted input file. Details The MOPAC output reader stored translation vectors from the FINAL POINT block into a...

9.8CVSS7.1AI score0.00863EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/07/01 5:51 p.m.15 views

Open Babel has out-of-bounds write in Gaussian translationVectors[]

Summary A memory-safety vulnerability in Open Babel's Gaussian output parser allowed an out-of-bounds write into the translationVectors array when reading a crafted input file. Details The Gaussian reader stored periodic-cell translation vectors into a fixed-size translationVectors array. A...

9.8CVSS6.7AI score0.00816EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/07/01 5:50 p.m.5 views

Open Babel has out-of-bounds write in ORCA nAtoms parser (second variant)

Summary A memory-safety vulnerability in Open Babel's ORCA parser allowed an out-of-bounds write when reading a crafted input file. Details A second variant of the nAtoms out-of-bounds write in the ORCA reader: a different malformed-input path produced the same class of write past the end of the...

9.8CVSS7.1AI score0.00816EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/07/01 5:49 p.m.4 views

Open Babel has out-of-bounds write in ORCA nAtoms parser

Summary A memory-safety vulnerability in Open Babel's ORCA parser allowed an out-of-bounds write when reading a crafted input file. Details The flaw was in the nAtoms handling of the ORCA reader. A malformed input caused the parser to write past the end of its destination buffer. Impact Open Babe...

9.8CVSS7.1AI score0.00816EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/07/01 5:48 p.m.4 views

Open Babel has uninitialized pointer dereference in PQS pFormat

Summary A memory-safety vulnerability in Open Babel's PQS parser caused an uninitialized pointer dereference when reading a crafted input file. Details The flaw was in the pFormat handling of the PQS reader. A malformed input caused the parser to dereference a format pointer that had never been...

9.8CVSS6.6AI score0.00843EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/07/01 5:48 p.m.5 views

Open Babel has uninitialized pointer dereference in MSI atom parser

Summary A memory-safety vulnerability in Open Babel's MSI parser caused an uninitialized pointer dereference when reading a crafted input file. Details The flaw was in the atom handling of the MSI reader. A malformed record caused the parser to dereference an atom pointer that had never been...

9.8CVSS7.1AI score0.00816EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/07/01 5:47 p.m.4 views

Open Babel has out-of-bounds write in MOL2 attribute/value parser

Summary A memory-safety vulnerability in Open Babel's MOL2 parser allowed an out-of-bounds write when reading a crafted input file. Details The flaw was in the attribute/value parsing path of the MOL2 reader. An over-long attribute or value caused the parser to write past the end of a fixed-size...

8.1CVSS7.1AI score0.00796EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/07/01 5:46 p.m.8 views

Open Babel has out-of-bounds write in PQS coord_file parser

Summary A memory-safety vulnerability in Open Babel's PQS parser allowed an out-of-bounds write when reading a crafted input file. Details The flaw was in the coordfile parsing path of the PQS reader. A malformed coord file specifier caused the parser to write past the end of its destination...

9.8CVSS6.8AI score0.00843EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/07/01 5:45 p.m.5 views

Open Babel has uninitialized pointer dereference in GRO residue parser

Summary A memory-safety vulnerability in Open Babel's GRO parser caused an uninitialized pointer dereference when reading a crafted input file. Details The flaw was in the residue handling of the GRO reader. A malformed record caused the parser to use a residue pointer that had never been...

9.8CVSS7.1AI score0.00816EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/07/01 5:45 p.m.7 views

Open Babel has out-of-bounds write in CSR PadString (title field)

Summary A memory-safety vulnerability in Open Babel's CSR parser allowed an out-of-bounds write when reading a crafted input file. Details The flaw was in the PadString helper used to handle the CSR title field. A title longer than the fixed destination buffer caused the parser to write past the...

9.8CVSS7.3AI score0.00816EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/07/01 5:44 p.m.4 views

Open Babel has out-of-bounds write in Gaussian coords_type orientation parser

Summary A memory-safety vulnerability in Open Babel's Gaussian output parser allowed an out-of-bounds write when reading a crafted input file. Details The flaw was in the coordstype orientation parser inside the Gaussian output reader. A malformed orientation block caused the parser to write past...

7.8CVSS6.7AI score0.00704EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/07/01 5:42 p.m.4 views

Open Babel has out-of-bounds read in PQS lowerit (pre-buffer read)

Summary A memory-safety vulnerability in Open Babel's PQS parser caused an out-of-bounds pre-buffer read when reading a crafted input file. Details The flaw was in the lowerit helper used by the PQS parser. A malformed input caused the helper to read one or more bytes before the start of its inpu...

5.5CVSS5.8AI score0.00189EPSS
Exploits1References9Affected Software1
Github Security Blog
Github Security Blog
added 2026/07/01 5:41 p.m.6 views

Open Babel has NULL pointer dereference in CACAO CacaoFormat::SetHilderbrandt

Summary A memory-safety vulnerability in Open Babel's CACAO parser caused a NULL pointer dereference when reading a crafted input file. Details The flaw was in CacaoFormat::SetHilderbrandt. A malformed input caused the parser to dereference a NULL pointer while applying the Hilderbrandt...

5.5CVSS5.8AI score0.00188EPSS
Exploits1References9Affected Software1
Github Security Blog
Github Security Blog
added 2026/07/01 5:40 p.m.5 views

Open Babel has NULL pointer dereference in ChemKinFormat::ReadReactionQualifierLines

Summary A memory-safety vulnerability in Open Babel's ChemKin parser caused a NULL pointer dereference when reading a crafted input file. Details The flaw was in ChemKinFormat::ReadReactionQualifierLines. A malformed reaction qualifier record caused the parser to dereference a NULL pointer. Impac...

5.5CVSS5.8AI score0.00187EPSS
Exploits1References9Affected Software1
Github Security Blog
Github Security Blog
added 2026/07/01 5:39 p.m.8 views

Open Babel has heap buffer overflow in ChemKin ChemKinFormat::CheckSpecies

Summary A memory-safety vulnerability in Open Babel's ChemKin parser caused a heap buffer overflow when reading a crafted input file. Details The flaw was in ChemKinFormat::CheckSpecies. A malformed species record caused the parser to write past the end of a heap-allocated buffer. Impact Open Bab...

7.8CVSS6.5AI score0.00224EPSS
Exploits1References8Affected Software1
Github Security Blog
Github Security Blog
added 2026/07/01 3:59 p.m.11 views

6 security settings every GitHub maintainer should enable this week

At GitHub Security Lab, we spend a lot of our week talking to maintainers. Some find the settings page dense and the docs sprawl. Most maintainers we talk to weren't hired to be security engineers. While this is true, ignoring a project's security settings completely will lead into leaving a lot ...

5.9AI score
Exploits0
Github Security Blog
Github Security Blog
added 2026/06/30 9:27 p.m.7 views

Open Babel has heap buffer overflow in SMILES OBSmilesParser::ParseSmiles

Summary A memory-safety vulnerability in Open Babel's SMILES parser caused a heap buffer overflow when reading a crafted input string. Details The flaw was in OBSmilesParser::ParseSmiles. A malformed SMILES input caused the parser to write past the end of a heap-allocated buffer. Impact Open Babe...

7.8CVSS6.5AI score0.00224EPSS
Exploits1References10Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/30 9:25 p.m.8 views

Open Babel has out-of-bounds write (overlapping memcpy) in zipstream basic_unzip_streambuf::underflow

Summary A memory-safety vulnerability in Open Babel's bundled zipstream decompression code caused an out-of-bounds write via overlapping memcpy when reading a crafted gzip-compressed chemistry file. Details The flaw was in basicunzipstreambuf::underflow. The decompression buffer refill path invok...

7.8CVSS6.4AI score0.00202EPSS
Exploits1References10Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/30 7:11 p.m.8 views

Paymenter has race condition in payWithCredit() that enables credit double-spend

Summary The credit payment implementation in app/Livewire/Invoices/Show.php executes a pessimistic row lock lockForUpdate outside of an active database transaction. Because MySQL/MariaDB requires an enclosing transaction to enforce row-level locks, the guard is ineffective. Concurrent payment...

5.8AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/30 6:48 p.m.10 views

Open Babel has Use-after-free in GAMESS GAMESSOutputFormat::ReadMolecule

Summary A memory-safety vulnerability in Open Babel's GAMESS output parser caused a use-after-free when reading a crafted input file. Details The flaw was in GAMESSOutputFormat::ReadMolecule. A malformed input caused the parser to dereference a stale pointer after the underlying object had been...

7.8CVSS6AI score0.00196EPSS
Exploits1References9Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/30 6:47 p.m.6 views

Open Babel has a NULL pointer dereference in CDXML OBAtom::GetExplicitValence

Summary A memory-safety vulnerability in Open Babel's CDXML file format parser caused a NULL pointer dereference when reading a crafted input file. Details The flaw was in OBAtom::GetExplicitValence as called from the CDXML parser. A malformed fragment caused the parser to invoke the method on a...

6.5CVSS5.7AI score0.00394EPSS
Exploits1References10Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/30 6:47 p.m.9 views

Open Babel has NULL pointer dereference in MOL2 OBAtom::SetFormalCharge

Summary A memory-safety vulnerability in Open Babel's MOL2 file format parser caused a NULL pointer dereference when reading a crafted input file. Details The flaw was in OBAtom::SetFormalCharge as called from the MOL2 parser. A malformed atom record caused the parser to call the method on a NULL...

8.1CVSS5.8AI score0.007EPSS
Exploits1References10Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/30 6:46 p.m.8 views

Open Babel has an out-of-bounds read in CIF transform3d::DescribeAsString

Summary A memory-safety vulnerability in Open Babel's CIF file format parser allowed an out-of-bounds read when reading a crafted input file. Details The flaw was in OpenBabel::transform3d::DescribeAsString. A malformed symmetry-operation string caused the parser to read past the end of its...

8.1CVSS5.9AI score0.00759EPSS
Exploits1References14Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/30 6:43 p.m.8 views

Twig: Sandbox property allowlist bypass via the `column` filter under `SourcePolicyInterface`

Description This is a residual bypass of CVE-2026-46635 / GHSA-vcc8-phrv-43wj that only affects sandboxing enabled through SourcePolicyInterface and not the regular global sandbox mode. CoreExtension::column receives the active sandbox state via the needsissandboxed channel as a boolean...

5.7AI score
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/30 6:43 p.m.8 views

Twig: Sandbox `__toString()` policy bypass via `Traversable` in `join` and `replace` filters

Description This is a residual bypass of CVE-2026-47732 / GHSA-pr2w-4gpj-cpq4 left after the initial fix for unguarded toString calls. It covers two related coercion points that were not caught by the original patch. Traversable in join and replace filters. SandboxExtension::ensureToStringAllowed...

5.8AI score
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/30 6:42 p.m.7 views

Twig: Sandbox `__toString()` policy bypass via dynamic mapping keys

Description This is a residual bypass of CVE-2026-47732 / GHSA-pr2w-4gpj-cpq4 left after the initial fix for unguarded toString calls. In 3.26.0 the sandbox visitor was extended to wrap every child node that its parent will string-coerce at runtime with CheckToStringNode, gated by the new...

5.8AI score
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/30 6:41 p.m.7 views

Twig: Sandbox state regression in deprecated internal wrappers in `src/Resources/core.php`

Description The 3.26.0 source-policy hardening changed the signature of CoreExtension::checkArrow to take a boolean $isSandboxed instead of an Environment, and added the same $isSandboxed argument to CoreExtension::arraySome and CoreExtension::arrayEvery. Compiled templates were updated to pass t...

5.8AI score
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/30 6:40 p.m.7 views

Sigstore Timestamp Authority has OOM due to unbounded metric label cardinality

Impact An unauthenticated remote attacker can trigger unbounded memory growth on the timestamp authority server. This vulnerability exists because the global wrapMetrics middleware records the raw HTTP request path r.URL.Path and raw HTTP request method r.Method as Prometheus labels for latency a...

6AI score
Exploits0References2Affected Software2
Github Security Blog
Github Security Blog
added 2026/06/30 6:38 p.m.7 views

Fulcio has OIDC Discovery Redirect Following Allows SSRF and JWKS Substitution for Meta-Issuer Paths, with Kubernetes Service-Account Token Leakage

Impact Three security vulnerabilities were identified in the OIDC Discovery client: 1. Blind Server-Side Request Forgery SSRF via Cross-Host Redirects: Fulcio uses an HTTP client to fetch OIDC discovery metadata /.well-known/openid-configuration. Prior to this fix, if a configured issuer returned...

5.5AI score
Exploits0References2Affected Software1
Total number of security vulnerabilities33100