Lucene search
K
GithubRecent

33225 matches found

Github Security Blog
Github Security Blog
added 2026/04/22 5:34 p.m.19 views

DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix)

There is an inconsistency between FORBIDTAGS and FORBIDATTR handling when function-based ADDTAGS is used. Commit c361baa added an early exit for FORBIDATTR at line 1214: / FORBIDATTR must always win, even if ADDATTR predicate would allow it / if FORBIDATTRlcName return false; The same fix was not...

6.1CVSS5.7AI score0.00263EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 5:32 p.m.13 views

DOMPurify has a SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode

Summary | Field | Value | |:------|:------| | Severity | Medium | | Affected | DOMPurify main at 883ac15, introduced in v1.0.10 7fc196db | SAFEFORTEMPLATES strips ... expressions from untrusted HTML. This works in string mode but not with RETURNDOM or RETURNDOMFRAGMENT, allowing XSS via...

6.8CVSS5.8AI score0.00217EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 5:31 p.m.10 views

DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallback

Summary DOMPurify versions 3.0.1 through 3.3.3 latest are vulnerable to a prototype pollution-based XSS bypass. When an application uses DOMPurify.sanitize with the default configuration no CUSTOMELEMENTHANDLING option, a prior prototype pollution gadget can inject permissive tagNameCheck and...

6.9CVSS7.4AI score0.00225EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 5:29 p.m.6 views

CI4MS Theme::upload is vulnerable to Zip Slip leading to RCE

Summary ci4ms Theme::upload extracts user uploaded ZIP archives without validating entry names, allowing an authenticated backend user with the theme create permission to write files to arbitrary filesystem locations Zip Slip and achieve remote code execution by dropping a PHP file under the publ...

9.4CVSS6.5AI score0.00484EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 5:28 p.m.34 views

CI4MS Backup::restore is vulnerable to Zip Slip leading to RCE

Summary ci4ms Backup::restore extracts user uploaded ZIP archives without validating entry names, allowing an authenticated backend user with the backup create permission to write files to arbitrary filesystem locations Zip Slip and achieve remote code execution by dropping a PHP file under the...

9.4CVSS6.4AI score0.00528EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 5:27 p.m.12 views

CI4MS: Backup Management Full Account Takeover for All Roles & Privilege Escalation via Stored DOM Blind XSS

An attacker can achieve Full Account Takeover and Privilege Escalation via Stored DOM XSS in the backup module's filename field, which is manipulated through an SQL file that tampers with the filename field to contain a hidden XSS payload...

9.1CVSS5.5AI score0.00331EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 3:31 p.m.6 views

InstructLab Includes Functionality from Untrusted Control Sphere

A flaw was found in InstructLab. The linuxtrain.py script hardcodes trustremotecode=True when loading models from HuggingFace. This allows a remote attacker to achieve arbitrary Python code execution by convincing a user to run ilab train/download/generate with a specially crafted malicious model...

8.8CVSS6.2AI score0.00417EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 3:31 p.m.10 views

camel-infinispan Vulnerable to Deserialization of Untrusted Data

A flaw was found in camel-infinispan. This vulnerability involves unsafe deserialization in the ProtoStream remote aggregation repository. A remote attacker with low privileges could exploit this by sending specially crafted data, leading to arbitrary code execution. This allows the attacker to...

7.5CVSS6.2AI score0.00667EPSS
Exploits1References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 3:31 p.m.10 views

InstructLab vulnerable to Path Traversal

A flaw was found in InstructLab. A local attacker could exploit a path traversal vulnerability in the chat session handler by manipulating the logsdir parameter. This allows the attacker to create new directories and write files to arbitrary locations on the system, potentially leading to...

7.1CVSS5.5AI score0.00164EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 2:56 p.m.7 views

PHPUnit: Argument injection via newline in PHP INI values forwarded to child processes

Impact PHPUnit forwards PHP INI settings to child processes used for isolated/PHPT test execution as -d name=value command-line arguments without neutralizing INI metacharacters. Because PHP's INI parser interprets " as a string delimiter, ; as the start of a comment, and most importantly a newli...

7.8CVSS6.2AI score0.00343EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 2:52 p.m.8 views

engram: HTTP server CORS wildcard + auth-off-by-default enables CSRF graph exfiltration and persistent indirect prompt injection

Summary The local HTTP server started by engram server binding 127.0.0.1:7337 by default was exposed to any browser origin with no authentication unless ENGRAMAPITOKEN was explicitly set. Combined with Access-Control-Allow-Origin: on every response and a body parser that did not require...

5.8AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 2:45 p.m.10 views

RClone: Unauthenticated operations/fsinfo allows attacker-controlled backend instantiation and local command execution

Summary The RC endpoint operations/fsinfo is exposed without AuthRequired: true and accepts attacker-controlled fs input. Because rc.GetFs... supports inline backend definitions, an unauthenticated attacker can instantiate an attacker-controlled backend on demand. For the WebDAV backend,...

9.8CVSS6.1AI score0.09199EPSS
Exploits2References9Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 2:44 p.m.8 views

Rclone: Unauthenticated options/set allows runtime auth bypass, leading to sensitive operations and command execution

Summary The RC endpoint options/set is exposed without AuthRequired: true, but it can mutate global runtime configuration, including the RC option block itself. An unauthenticated attacker can set rc.NoAuth=true, which disables the authorization gate for many RC methods registered with...

9.8CVSS6.2AI score0.34734EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 2:38 p.m.8 views

OpenRemote has Improper Access Control via updateUserRealmRoles function

Summary A user who has write:admin in one Keycloak realm can call the Manager API to update Keycloak realm roles for users in another realm, including master. The handler uses the realm path segment when talking to the identity provider but does not check that the caller may administer that realm...

7CVSS5.7AI score0.00285EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 2:37 p.m.6 views

actix-http has HTTP/1.1 CL.TE Request Smuggling

A vulnerability in actix-http's HTTP/1.1 request parser allows an unauthenticated remote client to smuggle requests in deployments where a front-end HTTP intermediary and the Actix backend disagree about whether Content-Length or Transfer-Encoding: chunked defines the request body length. Severit...

5.8AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 2:35 p.m.11 views

Poetry has Path Traversal in tar extraction on Python 3.10.0 - 3.10.12 and 3.11.0 - 3.11.4

Summary The extractall function in src/poetry/utils/helpers.py:410-426 extracts sdist tarballs without path traversal protection on Python versions where tarfile.datafilter is unavailable. Considering only Python versions which are still supported by Poetry, these are 3.10.0 - 3.10.12 and 3.11.0 ...

8.7CVSS5.9AI score0.00294EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 2:31 p.m.13 views

@saltcorn/data: Tenant user role is used for tenant creation role check

Summary When a tenant admin is logged out of the root domain e.g., saltcorn.com but logged in to their own tenant space as admin, they can simply append /tenant/create to their tenant URL. The system reads the role from the tenant context admin, and a new tenant is created on the root domain in...

5.8AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 2:28 p.m.10 views

openvpn-auth-oauth2 returns FUNC_SUCCESS on client-deny, allowing unauthenticated VPN access

Summary When openvpn-auth-oauth2 is deployed in the experimental plugin mode shared library loaded by OpenVPN via the plugin directive, clients that do not support WebAuth/SSO e.g., the openvpn CLI on Linux are incorrectly admitted to the VPN despite being denied by the authentication logic. The...

10CVSS5.8AI score0.00438EPSS
Exploits0References8Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 9:31 a.m.11 views

Apache HttpClient accepts SCRAM-SHA-256 authentication without proper mutual authentication verification

Missing critical step in authentication in Apache HttpClient 5.6 allows an attacker to cause the client to accept SCRAM-SHA-256 authentication without proper mutual authentication verification. Users are recommended to upgrade to version 5.6.1, which fixes this issue...

7.3CVSS5.2AI score0.00456EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 6:30 a.m.6 views

Spring Security Doesn't Correctly Include Servlet Path in Path Matching of HttpSecurity#securityMatchers

Vulnerability in Spring Spring Security. If an application is using securityMatchersString and a PathPatternRequestMatcher.Builder bean to prepend a servlet path, matching requests to that filter chain may fail and its related security components will not be exercised as intended by the...

7.5CVSS5.2AI score0.00248EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 6:30 a.m.12 views

Spring Security has Potential Security Misconfiguration when Using withIssuerLocation

Vulnerability in Spring Spring Security. When an application configures JWT decoding with NimbusJwtDecoder or NimbusReactiveJwtDecoder, it must configure an OAuth2TokenValidator separately, for example by calling setJwtValidator. This issue affects Spring Security: from 6.3.0 through 6.3.14, from...

6.5CVSS5.1AI score0.00203EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 6:30 a.m.8 views

Spring Security Doesn't Correctly Include Servlet Path in Path Matching of XML Authorization Rules

Vulnerability in Spring Spring Security. If an application uses to define the servlet path for computing a path matcher, then the servlet path is not included and the related authorization rules are not exercised. This can lead to an authorization bypass. This issue affects Spring Security: from...

7.5CVSS5.2AI score0.00266EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 6:30 a.m.6 views

Spring Security Vulnerable to User Attribute Enumeration when Using DaoAuthenticationProvider

Vulnerability in Spring Spring Security. If an application is using the UserDetailsisEnabled, isAccountNonExpired, or isAccountNonLocked user attributes, to enable, expire, or lock users, then DaoAuthenticationProvider's timing attack defense can be bypassed for users who are disabled, expired, o...

3.7CVSS5.1AI score0.00215EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/22 6:30 a.m.10 views

Spring Security Vulnerable to Unauthorized User Impersonation when Using X.509 Client Certificates

Vulnerability in Spring Spring Security. SubjectX500PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong value for the username. In a carefully crafted certificate, this can lead to an attacker impersonating another user...

8.1CVSS5.2AI score0.00296EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/21 9:31 p.m.10 views

Bagisto affected by Cross-site Scripting

A vulnerability was determined in Bagisto up to 2.3.15. Affected by this vulnerability is an unknown functionality of the component Custom Scripts Handler. This manipulation causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may...

5.1CVSS4.4AI score0.00191EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/21 9:31 p.m.13 views

Bagisto affected by Server-Side Request Forgery

A vulnerability was found in Bagisto up to 2.3.15. Affected is the function copy of the component Downloadable Link Handler. The manipulation results in server-side request forgery. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted...

6.5CVSS6.2AI score0.00201EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/21 9:31 p.m.5 views

Spring Security Core has a TOCTOU race condition when One-Time Token login with JdbcOneTimeTokenService is configured

Vulnerability in Spring Spring Security. Applications that explicitly configure One-Time Token login with JdbcOneTimeTokenService are vulnerable to a Time-of-check Time-of-use TOCTOU race condition. This issue affects Spring Security: from 6.4.0 through 6.4.15, from 6.5.0 through 6.5.9, from 7.0....

4.8CVSS5.2AI score0.00124EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/21 8:39 p.m.13 views

Astro: XSS in define:vars via incomplete </script> tag sanitization

Summary The defineScriptVars function in Astro's server-side rendering pipeline uses a case-sensitive regex //g to sanitize values injected into inline tags via the define:vars directive. HTML parsers close elements case-insensitively and also accept whitespace or / before the closing , allowing ...

6.1CVSS6AI score0.00189EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/21 8:38 p.m.51 views

lxml: Default configuration of iterparse() and ETCompatXMLParser() allows XXE to local files

Impact Using either of the two parsers in the default configuration with resolveentities=True allows untrusted XML input to read local files. Patches lxml 6.1.0 changes the default to resolveentities='internal', thus disallowing local file access by default. Workarounds Setting the resolveentitie...

7.5CVSS5.8AI score0.00324EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/21 8:28 p.m.14 views

Tekton Pipeline: Git Resolver Unsanitized Revision Parameter Enables git Argument Injection Leading to RCE

Summary The git resolver's revision parameter is passed directly as a positional argument to git fetch without any validation that it does not begin with a - character. Because git parses flags from mixed positional arguments, an attacker can inject arbitrary git fetch flags such as --upload-pack...

8.5CVSS6.5AI score0.00788EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/21 8:27 p.m.10 views

Tekton Pipelines: HTTP Resolver Unbounded Response Body Read Enables Denial of Service via Memory Exhaustion

Summary The HTTP resolver's FetchHttpResource function calls io.ReadAllresp.Body with no response body size limit. Any tenant with permission to create TaskRuns or PipelineRuns that reference the HTTP resolver can point it at an attacker-controlled HTTP server that returns a very large response...

6.5CVSS5.8AI score0.00318EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/21 8:26 p.m.10 views

Tekton Pipelines: VolumeMount path restriction bypass via missing filepath.Clean in /tekton/ check

Summary A validation bypass in the VolumeMount path restriction allows mounting volumes under restricted /tekton/ internal paths by using .. path traversal components. The restriction check uses strings.HasPrefix without filepath.Clean, so a path like /tekton/home/../results passes validation but...

5.4CVSS5.8AI score0.0022EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/21 8:19 p.m.59 views

Flowise: CSV Agent Prompt Injection Remote Code Execution Vulnerability

Abstract Trend Micro's Zero Day Initiative has identified a vulnerability affecting FlowiseAI Flowise. Vulnerability Details - Version tested: 3.0.13 - Installer file: https://github.com/FlowiseAI/Flowise - Platform tested: Ubuntu 25.10 Analysis This vulnerability allows remote attackers to execu...

9.8CVSS6.2AI score0.01028EPSS
Exploits3References3Affected Software2
Github Security Blog
Github Security Blog
added 2026/04/21 8:16 p.m.12 views

Brillig: Heap corruption in foreign call results with nested tuple arrays

Description Noir programs can invoke external functions through foreign calls. When compiling to Brillig bytecode, the SSA instructions are processed block-by-block in BrilligBlock::compileblock. When the compiler encounters an Instruction::Call with a Value::ForeignFunction target, it invokes...

9.3CVSS5.8AI score0.00395EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/21 7:5 p.m.14 views

free5GC UDR: Fail-open handling in PolicyDataSubsToNotifyPost allows unintended subscription creation

Summary A fail-open request handling flaw in the UDR service causes the /nudr-dr/v2/policy-data/subs-to-notify POST handler to continue processing requests even after request body retrieval or deserialization errors. This may allow unintended creation of Policy Data notification subscriptions wit...

6.9CVSS6AI score0.09955EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/21 6:53 p.m.14 views

OpenMage LTS: Customer File Upload Extension Blocklist Bypass → Remote Code Execution

The product custom option file upload in OpenMage LTS uses an incomplete blocklist forbiddenextensions = php,exe to prevent dangerous file uploads. This blocklist can be trivially bypassed by using alternative PHP-executable extensions such as .phtml, .phar, .php3, .php4, .php5, .php7, and .pht...

8.8CVSS6.1AI score0.00691EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/21 6:52 p.m.11 views

Tekton Pipelines: Git resolver API mode leaks system-configured API token to user-controlled serverURL

Summary The Tekton Pipelines git resolver in API mode sends the system-configured Git API token to a user-controlled serverURL when the user omits the token parameter. A tenant with TaskRun or PipelineRun create permission can exfiltrate the shared API token GitHub PAT, GitLab token, etc. by...

7.7CVSS5.8AI score0.0026EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/21 6:51 p.m.11 views

Claude Code: Sandbox Escape via Symlink Following Allows Arbitrary File Write Outside Workspace

Claude Code's sandbox did not prevent sandboxed processes from creating symlinks pointing to locations outside the workspace. When Claude Code subsequently wrote to a path within such a symlink, its unsandboxed process followed the symlink and wrote to the target location outside the workspace...

10CVSS6.3AI score0.00518EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/21 6:27 p.m.12 views

OpenBao's Token Store Allows Cross-Namespace Renewal, Revocation

Impact OpenBao's namespaces provide multi-tenant separation. A tenant who leaks token accessors can have their token revoked or renewed by a privileged administrator in another tenant. Patches This was addressed in v2.5.3...

2.7CVSS5.8AI score0.00301EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/21 6:26 p.m.9 views

OpenBao's SQL Injection in PostgreSQL database secrets engine

Impact When OpenBao revoked privileges on a role in the PostgreSQL database secrets engine, OpenBao failed to use proper database quoting on schema names provided by PostgreSQL. This could lead to role revocation failures, or more rarely, SQL injection as the management user. This vulnerability w...

4.9CVSS5.8AI score0.00235EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/21 6:24 p.m.9 views

OpenBao: Decompression Bomb via Unbounded Copy in OCI Plugin Extraction (DoS)

Summary ExtractPluginFromImage in OpenBao's OCI plugin downloader extracts a plugin binary from a container image by streaming decompressed tar data via io.Copy with no upper bound on the number of bytes written. An attacker who controls or compromises the OCI registry referenced in the victim's...

6.5CVSS5.8AI score0.00218EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/21 5:26 p.m.10 views

OpenBao's Certificate Authentication Allows Token Renewal With Different Certificate

Background OpenBao's Certificate authentication method, when a token renewal is requested and disablebinding=true is set, attempts to verify the current request's presented mTLS certificate matches the original. Token renewals for other authentication methods do not require any supplied login...

3.1CVSS5.6AI score0.00101EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/21 5:24 p.m.10 views

Neko has a Self-service Privilege Escalation for Authenticated Users

Impact Any authenticated user can immediately obtain full administrative control of the entire Neko instance member management, room settings, broadcast control, session termination, etc.. This results in a complete compromise of the instance. Patches The vulnerability has been patched in the...

8.8CVSS5.7AI score0.00437EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/21 5:18 p.m.10 views

nbconvert has an Arbitrary File Read via Path Traversal in HTMLExporter Image Embedding

Summary When HTMLExporter.embedimages=True, nbconvert's markdown renderer allows arbitrary file read via path traversal in image references. A malicious notebook can exfiltrate sensitive files from the conversion host by embedding them as base64 data URIs in the output HTML. Patches Upgrade to...

6.5CVSS5.9AI score0.00306EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/21 5:18 p.m.10 views

nbconvert has an Arbitrary File Write via Path Traversal in Cell Attachment Filenames

Arbitrary File Write via Path Traversal in Cell Attachment Filenames Summary nbconvert allows arbitrary file writes to locations outside the intended output directory when processing notebooks containing crafted cell attachment filenames. The ExtractAttachmentsPreprocessor passes attachment...

6.5CVSS5.9AI score0.00266EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/21 5:17 p.m.10 views

Signal K Server has an Unauthenticated Regular Expression Denial of Service (ReDoS) via WebSocket Subscription Paths

Summary The SignalK server is vulnerable to an unauthenticated Regular Expression Denial of Service ReDoS attack within its WebSocket subscription handling logic. By injecting unescaped regex metacharacters into the context parameter of a stream subscription, an attacker can force the server's...

7.5CVSS5.8AI score0.00427EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/21 5:15 p.m.10 views

October CMS: Editor Sub-Permission Bypass for Asset and Blueprint File Operations

Fine-grained sub-permission checks for asset and blueprint file operations were not enforced in the CMS and Tailor editor extensions. This only affects backend users who were explicitly granted editor access but had editor.cmsassets or editor.tailorblueprints specifically withheld, an uncommon...

3.3CVSS5.7AI score0.00144EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/21 5:15 p.m.12 views

October CMS: Reflected XSS via DataTable Form Widget

A reflected Cross-Site Scripting XSS vulnerability was identified in the backend DataTable widget where a query parameter was rendered without proper output escaping. Impact - Reflected XSS only, no stored/persistent component - The backend URL prefix is customizable and must be known or guessed ...

3.1CVSS5.7AI score0.00144EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/21 4:44 p.m.17 views

October CMS has Safe Mode Bypass via Twig Database Write Operations

A vulnerability was identified in the Twig sandbox security policy that allowed database write operations when cms.safemode is enabled. Backend users with Developer permissions could use Twig template markup to execute insert, update, and delete operations on any database table through the query...

6.6CVSS5.8AI score0.00229EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/21 4:43 p.m.10 views

October CMS has Safe Mode Bypass via CSS Preprocessor Compilers

A server-side information disclosure vulnerability was identified in the handling of CSS preprocessor files. Backend users with Editor permissions could craft .less, .sass, or .scss files that leverage the compiler's import functionality to read arbitrary files from the server. This worked even...

4.9CVSS5.8AI score0.00246EPSS
Exploits0References3Affected Software1
Total number of security vulnerabilities33225