Lucene search
K
GithubRecent

33225 matches found

Github Security Blog
Github Security Blog
added 2026/04/23 6:30 a.m.8 views

Duplicate Advisory: uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-w5hq-g745-h8pq. This link is maintained to preserve external references. Original Advisory uuid before 14.0.0 can make unexpected writes when external output buffers are used, and the UUID version is 3, 5, or 6...

3.2CVSS5.7AI score0.00181EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/23 12:31 a.m.9 views

copilot-api has Reliance on Reverse DNS Resolution for a Security-Critical Action

A vulnerability was determined in ericc-ch copilot-api up to 0.7.0. This impacts an unknown function of the file /token of the component Header Handler. Executing a manipulation of the argument Host can lead to reliance on reverse dns resolution. The attack may be performed from remote. The explo...

5.3CVSS4.7AI score0.00257EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/23 12:31 a.m.9 views

verl's math_equal() Vulnerable to Arbitrary Code Execution via Unsafe eval()

A vulnerability was identified in ByteDance verl up to 0.7.1. Affected is the function mathequal of the file primemath/grader.py. The manipulation leads to a sandbox issue. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be...

6.3CVSS5.1AI score0.00333EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 10:22 p.m.14 views

OpenC3 COSMOS is Vulnerable to Self-XSS Through the Command Sender

Summary The Command Sender UI uses an unsafe eval function on array-like command parameters, which allows a user-supplied payload to execute in the browser when sending a command. This creates a self-XSS risk because an attacker can trigger their own script execution in the victim’s session, if...

4.6CVSS6.1AI score0.002EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 10:22 p.m.12 views

OpenC3 COSMOS allows arbitrary writes to plugins directory via path-traversed config filenames

Summary OpenC3 COSMOS contains a design flaw in the savetoolconfig function that allows saving tool configuration files at arbitrary locations inside the shared /plugins directory tree by supplying crafted configuration filenames. Although the implementation sufficiently mitigates standard path...

4.3CVSS5.9AI score0.00313EPSS
Exploits1References8Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 10:13 p.m.10 views

OpenC3 COSMOS: Hijacked session token can be used to reset password for persistence

Summary The OpenC3 password change functionality allows a user to change their password without providing the old password, by accepting a valid session token instead. In assumed breach scenarios, this behaviour can be exploited by an attacker who has already obtained a valid session token, to ga...

8.1CVSS5.8AI score0.00305EPSS
Exploits1References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 10:9 p.m.26 views

OpenMcdf has an Infinite loop DoS via crafted CFB directory cycle

Summary OpenMcdf does not detect cycles in the directory entry red-black tree of a Compound File Binary CFB document. A crafted CFB file with a cycle in the LeftSiblingID / RightSiblingID chain causes Storage.EnumerateEntries and Storage.OpenStream to loop indefinitely, consuming the calling thre...

6.2CVSS5.8AI score0.00187EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 10:6 p.m.15 views

Evolver: Path Traversal via `--out` flag in `fetch` command allows Arbitrary File Write

Summary A path traversal vulnerability in the skill download fetch command allows attackers to write files to arbitrary locations on the filesystem. The --out= flag accepts user-provided paths without validation, enabling directory traversal attacks that can overwrite critical system files or...

8.1CVSS6AI score0.00567EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 10:6 p.m.12 views

Evolver: Command Injection via `execSync` in `_extractLLM()` function allows Remote Code Execution

Summary A command injection vulnerability in the extractLLM function allows attackers to execute arbitrary shell commands on the server. The function constructs a curl command using string concatenation and passes it to execSync without proper sanitization, enabling remote code execution when the...

9.8CVSS6.8AI score0.01305EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 10:5 p.m.10 views

Evolver has Prototype Pollution via `Object.assign()` in its mailbox store operations

Summary A prototype pollution vulnerability in the mailbox store module allows attackers to modify the behavior of all JavaScript objects by injecting malicious properties into Object.prototype. The vulnerability exists in the applyUpdate and updateRecord functions which use Object.assign to merg...

5.2CVSS6.5AI score0.00109EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 10:3 p.m.16 views

NornicDB has Improper Network Binding in its Bolt Server, allowing unauthorized remote access

Summary The --address CLI flag and NORNICDBADDRESS / server.host config key is plumbed through to the HTTP server correctly but never reaches the Bolt server config. The Bolt listener therefore always binds to the wildcard address all interfaces, regardless of what the user configures. On a LAN,...

9.8CVSS5.9AI score0.0044EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 9:25 p.m.8 views

justhtml has sanitization bypass in custom policies and programmatic DOM

Summary justhtml 1.17.0 fixes multiple security issues in sanitization, serialization, and programmatic DOM handling. Most of these issues affected advanced or custom configurations rather than the default safe path. Affected versions - justhtml , MathML , SVG / , and MathML text integration poin...

5.8AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 9:22 p.m.17 views

rust-openssl: Deriver::derive and PkeyCtxRef::derive can overflow short buffers on OpenSSL 1.1.1

Deriver::derive and PkeyCtxRef::derive sets len = buf.len and passes it as the in/out length to EVPPKEYderive, relying on OpenSSL to honor it. On OpenSSL 1.1.x, X25519, X448, DH and HKDF-extract ignore the incoming keylen, unconditionally writing the full shared secret 32/56/prime-size bytes. A...

9.8CVSS5.8AI score0.00298EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 9:20 p.m.16 views

rust-opennssl has an Out-of-bounds read in PEM password callback when returning an oversized length

The frompemcallback APIs did not validate the length returned by the user's callback. A password callback that returns a value larger than the buffer it was given can cause some versions of OpenSSL to over-read this buffer. OpenSSL 3.x is not affected by this...

9.1CVSS5.9AI score0.00294EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 9:17 p.m.19 views

rust-openssl has incorrect bounds assertion in aes key wrap

Summary aes::unwrapkey has an incorrect bounds assertion on the out buffer size, which can lead to out-of-bounds write. Details aes::unwrapkey contains an incorrect assertion: it checks that out.len + 8 = in.len - 8, ensuring the output buffer is large enough. Because of the inverted check, the...

9.8CVSS6AI score0.00294EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 9:5 p.m.13 views

rust-openssl: rustMdCtxRef::digest_final() writes past caller buffer with no length check

EVPDigestFinal always writes EVPMDCTXsizectx to the out buffer. If out is smaller than that, MdCtxRef::digestfinal writes past its end, usually corrupting the stack. This is reachable from safe Rust...

9.8CVSS5.8AI score0.00373EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 9:0 p.m.13 views

rust-openssl: Unchecked callback length in PSK/cookie trampolines leaks adjacent memory to peer

The FFI trampolines behind SslContextBuilder::setpskclientcallback, setpskservercallback, setcookiegeneratecb, and setstatelesscookiegeneratecb forwarded the user closure's returned usize directly to OpenSSL without checking it against the &mut u8 that was handed to the closure. This can lead to...

9.8CVSS6AI score0.00412EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 8:53 p.m.1068 views

uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided

Summary The v3, v5, and v6 API methods not uuid release versions accept external output buffers but do not reject out-of-range writes small buf or large offset. By contrast, v4, v1, and v7 API methods explicitly throw RangeError on invalid bounds. This inconsistency allows silent partial writes...

9.3CVSS5.9AI score0.00337EPSS
Exploits1References11Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 8:51 p.m.7 views

SiYuan: Path Traversal via Double URL Encoding in `/export/` Endpoint (Incomplete Fix Bypass for CVE-2026-30869)

Summary The fix for CVE-2026-30869 in SiYuan v3.5.10 only added a denylist check IsSensitivePath but did not address the root cause — a redundant url.PathUnescape call in serveExport. An authenticated attacker can use double URL encoding %252e%252e to traverse directories and read arbitrary...

9.8CVSS5.8AI score0.01028EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 8:50 p.m.9 views

MCPHub has Path Traversal via Malicious MCPB Manifest Name

MCPB File Upload Handler extracts a ZIP file and reads manifest.json from it. The name field in the manifest is directly concatenated into a file path line 107 without any sanitization or path traversal character validation. An attacker can craft a malicious MCPB file where manifest.name is set t...

5.9AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 8:46 p.m.108 views

pgx: SQL Injection via placeholder confusion with dollar quoted string literals

Impact SQL Injection can occur when: 1. The non-default simple protocol is used. 2. A dollar quoted string literal is used in the SQL query. 3. That string literal contains text that would be would be interpreted as a placeholder outside of a string literal. 4. The value of that placeholder is...

9.8CVSS5.9AI score0.00356EPSS
Exploits0References5Affected Software3
Github Security Blog
Github Security Blog
added 2026/04/22 8:37 p.m.15 views

Gitea has insecure default SSH settings

Summary The built-in SSH server currently advertises a number of key exchange, MAC, and host key algorithms that are considered weak or broken. The defaults should be tightened so a fresh installation passes a baseline SSH security audit out of the box. Details Running ssh-audit against a default...

5.8AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 8:34 p.m.15 views

Flarum: Path traversal in LESS parser via theme color settings (incomplete fix for CVE-2023-27577)

Summary Flarum's patch for CVE-2023-27577 restricted the @import and data-uri LESS features in the customless setting, but the same restriction was never applied to other settings registered as LESS config variables for example themeprimarycolor and themesecondarycolor, as well as any key...

6.6CVSS5.9AI score0.00851EPSS
Exploits0References8Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 8:32 p.m.17 views

locize Client SDK: Cross-origin DOM XSS & Handler Hijack Through Missing e.origin Validation in InContext Editor

Summary Versions of the locize client SDK the browser module that wires up the locize InContext translation editor prior to 4.0.21 register a window.addEventListener"message", … handler that dispatches to registered internal handlers editKey, commitKey, commitKeys, isLocizeEnabled,...

7.5CVSS5.7AI score0.00101EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 8:28 p.m.10 views

i18next-locize-backend has URL Injection via Unsanitized Path Parameters

Summary Versions of i18next-locize-backend prior to 9.0.2 interpolate lng, ns, projectId, and version directly into the configured loadPath / privatePath / addPath / updatePath / getLanguagesPath URL templates with no path-component validation and no encoding. When an application exposes any of...

6.5CVSS5.7AI score0.00224EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 8:25 p.m.15 views

i18next-http-middleware: HTTP response splitting and DoS via unsanitised Content-Language header

Summary Versions of i18next-http-middleware prior to 3.9.3 wrote user-controlled language values into the Content-Language response header after passing them through utils.escape, which is an HTML-entity encoder that does not strip carriage return, line feed, or other control characters. When the...

8.6CVSS5.9AI score0.00327EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 8:23 p.m.44 views

xmldom: Uncontrolled recursion in XML serialization leads to DoS

Summary Seven recursive traversals in lib/dom.js operate without a depth limit. A sufficiently deeply nested DOM tree causes a RangeError: Maximum call stack size exceeded, crashing the application. Reported operations: - Node.prototype.normalize — reported by @praveen-kv email 2026-04-05 and...

8.7CVSS6.1AI score0.00643EPSS
Exploits0References14Affected Software2
Github Security Blog
Github Security Blog
added 2026/04/22 8:19 p.m.21 views

xmldom has XML injection through unvalidated DocumentType serialization

Summary The package serializes DocumentType node fields internalSubset, publicId, systemId verbatim without any escaping or validation. When these fields are set programmatically to attacker-controlled strings, XMLSerializer.serializeToString can produce output where the DOCTYPE declaration is...

8.7CVSS6AI score0.00457EPSS
Exploits0References6Affected Software2
Github Security Blog
Github Security Blog
added 2026/04/22 8:17 p.m.10 views

xmldom has XML node injection through unvalidated processing instruction serialization

Summary The package allows attacker-controlled processing instruction data to be serialized into XML without validating or neutralizing the PI-closing sequence ?. As a result, an attacker can terminate the processing instruction early and inject arbitrary XML nodes into the serialized output. ---...

8.7CVSS5.9AI score0.00408EPSS
Exploits0References6Affected Software2
Github Security Blog
Github Security Blog
added 2026/04/22 8:16 p.m.17 views

xmldom has XML node injection through unvalidated comment serialization

Summary The package allows attacker-controlled comment content to be serialized into XML without validating or neutralizing comment breaking sequences. As a result, an attacker can terminate the comment early and inject arbitrary XML nodes into the serialized output. --- Details The issue is in t...

8.7CVSS5.8AI score0.00365EPSS
Exploits0References8Affected Software2
Github Security Blog
Github Security Blog
added 2026/04/22 8:9 p.m.16 views

@nocobase/database has SQL Injection via String Concatenation through Recursive Eager Loading

Summary The queryParentSQL function in the core database package constructs a recursive CTE query by joining nodeIds with string concatenation instead of using parameterized queries. The nodeIds array contains primary key values read from database rows. An attacker who can create a record with a...

8.8CVSS5.9AI score0.01875EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 8:7 p.m.12 views

@nocobase/plugin-collection-sql: SQL Validation Bypass Through Missing `checkSQL` Call

Summary The checkSQL validation function that blocks dangerous SQL keywords e.g., pgreadfile, LOADFILE, dblink is applied on the collections:create and sqlCollection:execute endpoints but is entirely missing on the sqlCollection:update endpoint. An attacker with collection management permissions...

7.2CVSS6.1AI score0.01833EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 8:4 p.m.34 views

fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters

fast-xml-parser XMLBuilder: Comment and CDATA Injection via Unescaped Delimiters Summary fast-xml-parser XMLBuilder does not escape the -- sequence in comment content or the sequence in CDATA sections when building XML from JavaScript objects. This allows XML injection when user-controlled data...

6.1CVSS5.9AI score0.00238EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 7:59 p.m.8 views

Nuclei: Environment variable disclosure via Response-Derived DSL Expressions

A vulnerability in Nuclei's expression evaluation engine makes it possible for a malicious target server to inject and execute supported DSL expressions. This happens when HTTP response data containing helper/function syntax gets reused by multi-step templates. If the -env-vars / -ev option is...

5.3CVSS5.9AI score0.00344EPSS
Exploits0References8Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 7:58 p.m.25 views

Nuclei: Local File Read via require() Module Loader Bypass

A vulnerability in Nuclei's JavaScript protocol runtime allows JavaScript templates to read local .js and .json files through the require function, bypassing the default local file access restriction. Affected Component The issue is in the JavaScript runtime's module loading system. The goja...

5.5CVSS6AI score0.00114EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 7:57 p.m.11 views

monetr: Server-side request forgery in Lunch Flow link creation and refresh

Impact A server-side request forgery SSRF vulnerability in monetr's Lunch Flow integration allowed any authenticated user on a self-hosted instance to cause the monetr server to issue HTTP GET requests to arbitrary URLs supplied by the caller, with the response body from non-200 upstream response...

8.3CVSS6.1AI score0.00331EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 7:55 p.m.15 views

Marko: XSS via case-insensitive script/style closing tag bypass in runtime HTML escaping

Summary When dynamic text is interpolated into a or tag the Marko runtime failed to prevent tag breakout when the closing tag used non-lowercase casing. An attacker able to place input inside a or block could break out of the tag with , , etc. and inject arbitrary HTML/JavaScript, resulting in...

6.4CVSS5.8AI score0.00195EPSS
Exploits0References3Affected Software2
Github Security Blog
Github Security Blog
added 2026/04/22 7:54 p.m.8 views

free5GC AMF: Missing default case in Content-Type switch in HTTPUEContextTransfer

Summary The HTTPUEContextTransfer handler in internal/sbi/apicommunication.go does not include a default case in the Content-Type switch statement. When a request arrives with an unsupported Content-Type, the deserialization step is silently skipped, err remains nil, and the processor is invoked...

6.9CVSS5.8AI score0.00282EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 7:49 p.m.9 views

free5GC PCF: Memory Leak via CORS Middleware Registration in HTTP Handler Leads to Denial of Service

Summary A memory leak vulnerability in the free5GC PCF Policy Control Function allows any unauthenticated attacker with network access to the PCF SBI interface to cause uncontrolled memory growth by sending repeated HTTP requests to the OAM endpoint. The root cause is a router.Use call inside an...

7.5CVSS5.8AI score0.00515EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 7:43 p.m.7 views

OpenFGA has Improper Policy Enforcement

Description In OpenFGA, in specific scenarios, models using conditions with caching enabled can result in two different check requests producing the same cache key. This could result in OpenFGA reusing an earlier cached result for a subsequent request. Am I Affected? Users are affected if their...

5CVSS5.8AI score0.00145EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 7:24 p.m.6 views

RustFS: Missing admin authorization on notification target endpoints allows unauthenticated configuration of event webhooks

Missing Admin Auth on Notification Target Endpoints in RustFS Finding Summary All four notification target admin API endpoints in rustfs/src/admin/handlers/event.rs use a checkpermissions helper that validates authentication only access key + session token, without performing any admin-action...

8.3CVSS5.7AI score0.00293EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 7:23 p.m.8 views

nimiq-blockchain: Peer-triggerable panic during history sync

Impact HistoryStore::puthistorictxns uses an assert! to enforce invariants about HistoricTransaction.blocknumber must be within the macro block being pushed and within the same epoch. During history sync, a peer can influence the history: &HistoricTransaction input passed into...

5.3CVSS5.7AI score0.00242EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 7:22 p.m.6 views

nimiq-transaction: UpdateValidator transactions allows voting key change without proof-of-knowledge

Impact The staking contract accepts UpdateValidator transactions that set newvotingkey=Some... while omitting newproofofknowledge. this skips the proof-of-knowledge requirement that is needed to prevent BLS rogue-key attacks when public keys are aggregated. Because tendermint macro block...

6.8CVSS5.8AI score0.00201EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 7:20 p.m.11 views

nimiq-transaction: Panic via `HistoryTreeProof` length mismatch

Impact HistoryTreeProof::verify panics on a malformed proof where history.len != positions.len due to asserteq!history.len, positions.len. The proof object is derived from untrusted p2p responses ResponseTransactionsProof.proof and is therefore attacker-controlled at the network boundary until...

6.5CVSS5.8AI score0.00318EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 7:19 p.m.11 views

nimiq-primitives: Node crash due to missing interlink validation in election macro block proposals

Impact An untrusted p2p peer can cause a node to panic by announcing an election macro block whose validators set contains an invalid compressed BLS voting key. Hashing an election macro header hashes validators and reaches Validators::votingkeys, which calls validator.votingkey.uncompress.unwrap...

7.5CVSS5.8AI score0.00372EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 7:18 p.m.10 views

nimiq-account: Vesting insufficient funds error can panic

Impact VestingContract::canchangebalance returns AccountError::InsufficientFunds when newbalance balance, the node crashes while trying to return an error. The mincap balance precondition is attacker-reachable because the vesting contract creation data 32-byte format allows encoding totalamount...

8.2CVSS5.8AI score0.00275EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 7:13 p.m.9 views

nimiq-block has skip block quorum bypass via out-of-range BitSet indices & u16 truncation

Impact SkipBlockProof::verify computes its quorum check using BitSet.len, then iterates BitSet indices and casts each usize index to u16 slot as u16 for slot lookup. If an attacker can get a SkipBlockProof verified where MultiSignature.signers contains out-of-range indices spaced by 65536, these...

9.6CVSS5.8AI score0.00217EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 7:6 p.m.8 views

DDEV has ZipSlip path traversal in tar and zip archive extraction

Summary The DDEV local dev tool has unsanitized extraction in both Untar and Unzip functions in pkg/archive/archive.go. This flaw allows users to download and extract archives from remote sources without path validation. Vulnerable Code pkg/archive/archive.go:235 Untar: go fullPath :=...

9.1CVSS5.9AI score0.00418EPSS
Exploits3References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 6:50 p.m.15 views

Inspektor Gadget uses unsanitized ANSI Escape Sequences In `columns` Output Mode

Description String fields from eBPF events in columns output mode are rendered to the terminal without any sanitization of control characters or ANSI escape sequences. Therefore, a maliciously forged – partially or completely – event payload, coming from an observed container, might inject the...

9.8CVSS5.9AI score0.0056EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 6:31 p.m.10 views

uutils coreutils has an Incorrect Short Circuit Evaluation Issue

A logic error in the expr utility of uutils coreutils causes the program to evaluate parenthesized subexpressions during the parsing phase rather than at the execution phase. This implementation flaw prevents the utility from performing proper short-circuiting for logical OR | and AND & operation...

3.3CVSS5.5AI score0.00156EPSS
Exploits1References5Affected Software1
Total number of security vulnerabilities33225