Lucene search
K
GithubRecent

33100 matches found

Github Security Blog
Github Security Blog
added 2026/06/30 6:36 p.m.7 views

CefSharp.Common: `FolderSchemeHandlerFactory` path boundary check can expose files outside the configured root folder

Summary FolderSchemeHandlerFactory was intended to restrict served files to a configured rootFolder, but its path validation used a raw string prefix check. A request could escape to a sibling directory whose full path starts with the root folder path, allowing files outside the configured root t...

5.8AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/30 6:34 p.m.9 views

@adonisjs/bodyparser has an incomplete fix for CVE-2026-25754

Summary The fix for GHSA-f5x2-vj4h-vg4c / CVE-2026-25754 introduced in commit 40e1c71 is incomplete and can be bypassed through nested prototype pollution payloads. The original patch replaced the internal FormFields storage object with Object.createnull, preventing direct payloads such as...

7.2CVSS6AI score0.00364EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/30 6:33 p.m.6 views

oban_web missing authorization check on `save-job` event handler

Summary obanweb 2.12.0 through the current unpatched release exposes a save-job LiveView event handler that performs no authorization check, allowing any authenticated user including those with :readonly access to overwrite a queued job's worker field with any other Oban.Worker module present in...

5.3CVSS6AI score0.0041EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/30 6:32 p.m.7 views

oban_web: Unbounded range expansion in cron describe causes memory exhaustion

Summary obanweb 2.12.0 introduced a cron expression parser that expands --separated ranges without validating the endpoints. An attacker with access to schedule cron jobs can submit a malicious expression; when any user with dashboard access views the cron job list, Oban.Web.CronExpr.describe/1 i...

5.9CVSS5.8AI score0.00341EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/30 6:31 p.m.7 views

Probo has an open redirect bypass via path normalization

Impact Probo's saferedirect package validates redirect URLs used across authentication flows OIDC, SAML, session transfer, OAuth connectors, and trust-center magic links. The validator only inspected the second character of relative paths, so a URL like /../\evil.com passed validation because the...

5.8AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/30 6:20 p.m.7 views

Fission: Environment Runtime.Container and Builder.Container SecurityContext bypass allows privileged pod creation

Summary A follow-up bypass of the round-4 PodSpec hardening GHSA-gx55-f84r-v3r7, GHSA-wmgg-3p4h-48x7, GHSA-v455-mv2v-5g92. Those advisories validate and sanitize the PodSpec spec.runtime.podSpec / spec.builder.podSpec / function.spec.podSpec, but the Environment CRD also exposes...

9.9CVSS5.8AI score0.0029EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/30 6:20 p.m.9 views

Fission builder pods auto-mount the fission-builder ServiceAccount token in the user-supplied builder container

Summary Fission builder pods were created with ServiceAccountName: fission-builder and no AutomountServiceAccountToken: false, so the kubelet auto-mounted the service-account token into every container in the pod — including the user-supplied builder image. Details The user controls the builder...

4.9CVSS5.8AI score0.00255EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/30 6:19 p.m.9 views

Fission Environment CRD podspec passthrough enables hostPID/hostNetwork/privileged pods, node escape

Summary Fission's Environment CRD exposes spec.runtime.podSpec and spec.builder.podSpec, which are merged into the Kubernetes pod specs for runtime and builder pods. The merge logic propagated hostNetwork, hostPID, hostIPC, container privileged, and serviceAccountName from the user-supplied podsp...

9.9CVSS5.8AI score0.00274EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/30 6:18 p.m.7 views

Fission Container Executor Function PodSpec Injection Leading to Node Escape

Summary Fission's Container Executor path lets a tenant supply Function.spec.podspec directly; the executor merges it into the executor-built podspec and creates a Deployment whose pods run the user's container image. Details Two flaws compounded: 1...

9.9CVSS5.9AI score0.00274EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/30 6:18 p.m.9 views

Fission Environment CRD PodSpec Injection Leading to Node Escape and Cluster Takeover

Summary A stronger framing of the same root cause as GHSA-gx55-f84r-v3r7: the Environment.spec.runtime.podSpec / spec.builder.podSpec passthrough lacked validation, and MergePodSpec propagated dangerous fields into the generated pods. Details Three independent flaws compounded: 1. Validate gap...

9.9CVSS5.8AI score0.003EPSS
Exploits0References8Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/30 6:17 p.m.8 views

Fission: Cross-namespace Environment reference via unvalidated EnvironmentRef in Function admission webhook

Summary The Fission Function admission webhook pkg/webhook/function.go validated that spec.secrets.namespace and spec.configmaps.namespace equalled the function's own namespace but performed no equivalent check on spec.environment.namespace. Details An attacker with permission to create Functions...

8.5CVSS5.8AI score0.00223EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/30 6:16 p.m.7 views

Fission: Cross-namespace Package read via unvalidated PackageRef in Function admission webhook

Summary A Fission Function spec carries three reference types — Secret, ConfigMap, and Package. The first two were namespace-validated by the admission webhook; PackageRef.Namespace was not. Details A tenant with functions.fission.io/create in their own namespace could set...

7.7CVSS5.8AI score0.00265EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/30 6:16 p.m.6 views

Fission: Cross-namespace event leakage via KubernetesWatchTrigger allows persistent tenant surveillance

Summary A low-privilege developer who could create a KubernetesWatchTrigger KWT in their own namespace was able to establish a persistent surveillance channel over any other namespace. Details Two independent flaws compounded: 1. pkg/kubewatcher/kubewatcher.go::createKubernetesWatch used...

7.7CVSS5.8AI score0.00231EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/30 6:15 p.m.8 views

Fission: Cross-namespace Environment reference in Package allows build-time command execution and SA token exfiltration

Summary Fission's buildermgr controller processed Package CRDs without verifying that Package.spec.environment.namespace matched Package.metadata.namespace. Details An attacker with packages.fission.io/create in their own namespace could set spec.environment.namespace to any other tenant's...

7.7CVSS5.9AI score0.00231EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/30 6:12 p.m.9 views

Fission: MessageQueueTrigger scaler manager materializes Secret values into Deployment envvars and accepts arbitrary user PodSpec

Summary The Fission MessageQueueTrigger MQT scaler controller exposed two privilege-escalation primitives to any subject able to create MQTs in a namespace. Details 1. Secret materialization. getEnvVarlist in pkg/mqtrigger/scalermanager.go read the Secret named in Spec.Secret using the controller...

5.9AI score
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/30 6:10 p.m.9 views

Sigstore Java has a vulnerability with bundle verification of integratedTime

Summary Regression: Verification of integratedTime from Rekor V1 Log Entry against Fuclio Certificate validity was missing Details - PR 1008 erroneously removed verification of the integrated Rekor entry time against the Fulcio certificate. - PR 1185 re-added this verification with enhancements...

5.7AI score
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/30 6:9 p.m.7 views

@cedar-policy/authorization-for-expressjs has an authorization bypass via query string manipulation

Summary @cedar-policy/authorization-for-expressjs is an open-source Express.js middleware that integrates Cedar authorization into Express applications by mapping HTTP requests to Cedar actions and evaluating authorization policies before allowing requests to proceed. An issue exists where, under...

5.9AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/30 6:7 p.m.8 views

Kahi has privilege-drop and socket/log permission issues

Kahi releases up to and including v0.1.0-alpha.8 contain three privilege/permission issues, all fixed in v0.1.0-alpha.9. They were identified in a full-codebase security review on 2026-05-26. Affected versions All releases = v0.1.0-alpha.8. Patched version v0.1.0-alpha.9. Details 1. Per-process...

5.8AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/30 4:44 p.m.11 views

Paymenter has URL parameter injection that bypasses paid plan limits at checkout

Summary The checkout component improperly filters URL-writable properties, allowing authenticated users to inject arbitrary key-value pairs into server provisioning parameters. Because bundled server extensions prioritize these user-supplied properties over administrator-defined configurations, a...

5.9AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/30 4:39 p.m.10 views

RabbitMQ vulnerable to Denial of Service by publishing large messages over the HTTP API

Summary Responsibly disclosed by @NSEcho. HTTP API did not enforce an HTTP request body limit, making it vulnerable for DoS attacks with very large messages. Details An authenticated user with sufficient credentials can publish a very large messages over the HTTP API and cause target node to be...

4.9CVSS6.1AI score0.01077EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/30 4:15 p.m.8 views

RabbitMQ has predictable credential obfuscation seed value used in Shovel and Federation plugins

Impact Shovel and Federation plugins perform URI obfuscation in their worker link state. The encryption key used to encrypt the URI was seeded with a predictable secret. This means that in case of certain exceptions related to Shovel and Federation plugins, reasonably easily deobfuscatable data...

7.5CVSS7.1AI score0.00307EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/30 3:56 p.m.11 views

Microsoft.OpenAPI: Circular schema references may terminate OpenAPI parsing

Impact A small OpenAPI document containing a circular schema reference can cause process termination through stack overflow in Microsoft.OpenApi. The issue affects OpenAPI document parsing through public OpenAPI.NET reader APIs and has been confirmed across both JSON and YAML reader paths. Affect...

7.5CVSS6.2AI score0.00695EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/29 10:53 p.m.12 views

Dgraph Vulnerable to DQL Injection via checkUserPassword GraphQL Query

Summary The checkUserPassword GraphQL query in Dgraph is vulnerable to DQL Dgraph Query Language injection. User-supplied password values are interpolated directly into a DQL checkpwd query via fmt.Sprintf without any escaping or parameterization. An attacker can inject a password containing a...

9.1CVSS6.2AI score0.00424EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/29 5:46 p.m.9 views

OpenAM OAuth Authorization Bypass via PKCE Challenge

Summary Description An Improper Authorization CWE-285 issue in OpenAM's OAuth2 authorization-code grant allows a PKCE-protected authorization code to be redeemed without the required codeverifier. This affects OpenAM Community Edition through version 16.0.6 and was patched in version 16.1.1. The...

5.9AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/29 5:44 p.m.8 views

OpenAM OAuth Client Impersonation via JWKS Resolver Cache

Summary Description An Improper Authentication CWE-287 issue in OpenAM's OAuth2 privatekeyjwt client authentication path allows any registered OAuth2 client to mint tokens in the name of any other client whose key is published via a jwksuri, without knowing the victim's signing key. This affects...

5.8AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/29 5:43 p.m.6 views

OpenAM Authenticated RCE via Groovy Sandbox Escape

Summary Description A Protection Mechanism Failure CWE-693 in OpenAM's server-side scripting sandbox allows an authenticated script author execute operating-system commands from the OpenAM JVM with the default class allow and deny lists. This impacts OpenAM Community Edition through version 16.0....

5.9AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/29 4:10 p.m.21 views

Inside the Advisory Database and what happens when vulnerability volume breaks records

In May 2026, the GitHub Advisory Database published 1,560 reviewed advisories --more than five times our typical monthly output and the highest in its history. And it still wasn't enough to keep up. Over the past few months, the vulnerability ecosystem has shifted in a fundamental way. Input acro...

5.8AI score
Exploits0
Github Security Blog
Github Security Blog
added 2026/06/27 12:13 a.m.8 views

pnpm: Path traversal in configDependencies env lockfile allows symlink creation outside node_modules/.pnpm-config

Summary pnpm accepts package names from the env lockfile configDependencies section and uses those names directly when creating config dependency symlinks under nodemodules/.pnpm-config. A malicious repository can commit a crafted pnpm-lock.yaml whose env-lockfile document contains a...

5.7AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/27 12:12 a.m.11 views

pnpm: `patch-remove` could delete project-selected files outside the patches directory

Summary The patch-remove deletion-scope issue tracked as GHSA-72r4-9c5j-mj57 / CAND-PNPM-030 has been addressed in pnpm. A crafted patch entry could resolve outside the configured patches directory and cause pnpm patch-remove to delete an arbitrary reachable file. This patch validates the...

5.9AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/27 12:2 a.m.15 views

pnpm: Hoisted install imports lockfile alias outside node_modules

Summary The hoisted dependency alias issue tracked as GHSA-fr4h-3cph-29xv / CAND-PNPM-059 has been addressed in both pnpm and pacquet. A crafted lockfile alias could be joined directly under a hoisted nodemodules directory. Traversal aliases could escape that directory, while reserved aliases suc...

5.8AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 11:55 p.m.27 views

Nezha Dashboard: DDNS and Notification credential exposure via unredacted list API

Summary The GET /api/v1/ddns and GET /api/v1/notification endpoints return full resource objects including plaintext third-party API credentials — Cloudflare API tokens, TencentCloud SecretKeys, Slack/Discord/Telegram webhook URLs with embedded bot tokens, and Authorization header values — withou...

5.8AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 11:54 p.m.7 views

pnpm: `stage download` writes outside its destination directory via manifest name/version traversal

Summary The staged-tarball filename traversal reported as GHSA-v23m-ccfg-pq9h / CAND-PNPM-038 is fixed on main by pnpm/pnpm12303, merged as 65443f4bdf1f0db9c8c7dc58fee25252607e9234. Before the fix, pnpm stage download derived a local filename from registry-controlled package name and version...

7.1CVSS5.8AI score0.00267EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 11:46 p.m.9 views

pnpm: Reserved bin name deletes PNPM_HOME during global remove

Maintainer Action Plan Maintainer Action Plan This report is ready to review with the shared patch branch. Start with the PR and the expected fixed behavior, then use the detailed exploit narrative below only if you want to replay the original path. - Advisory: CAND-PNPM-085 / GHSA-4gxm-v5v7-fqc4...

6.5CVSS5.8AI score0.00286EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 11:34 p.m.14 views

pnpm: Project env lockfile can short-circuit package-manager resolution and execute lockfile-selected pnpm bytes

Maintainer Action Plan This report is ready to review with the shared patch branch. Start with the PR and the expected fixed behavior, then use the detailed exploit narrative below only if you want to replay the original path. - Advisory: CAND-PNPM-063 / GHSA-w466-c33r-3gjp - Advisory URL:...

8.8CVSS6.4AI score0.00193EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 11:33 p.m.11 views

Subsonic API: any authenticated user can delete or read any other user's playlist (IDOR)

Summary In gonic, the Subsonic API endpoints /rest/deletePlaylist.view and /rest/getPlaylist.view perform no per-resource authorization. Once authenticated as any user admin or not, an attacker can: 1. Delete any playlist owned by any other user including admin by passing its id. 2. Read the full...

7.1CVSS5.8AI score0.00168EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 11:32 p.m.13 views

gonic: Path Traversal in playlist `id` bypasses ownership check, enabling any user to read/delete other users' playlists

Summary The maintainer's recent fix in 6dd71e6a3c966867ef8c900d359a7df75789f410 fixsubsonic: enforce playlist ownership on getPlaylist/deletePlaylist added an ownership check based on playlist.UserID. However, playlist.UserID is derived from the first path segment of the attacker-controlled...

7.1CVSS5.9AI score0.00262EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 11:21 p.m.10 views

gonic has arbitrary file write in createPlaylist: any authenticated user can write playlist M3U content to attacker-controlled path on the host

Summary A logic error in ServeCreateOrUpdatePlaylist allows any authenticated Subsonic user including non-admin to write playlist M3U content to an attacker-controlled absolute filesystem path on the gonic host, and to create intermediate directories with 0o777 permissions. The bug is independent...

8.1CVSS5.8AI score0.00269EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 11:20 p.m.17 views

pnpm: Repository-controlled configDependencies can select a pacquet native install engine

Maintainer Action Plan This report is ready to review with the shared patch branch. Start with the PR and the expected fixed behavior, then use the detailed exploit narrative below only if you want to replay the original path. - Advisory: CAND-PNPM-097 / GHSA-gj8w-mvpf-x27x - Advisory URL:...

8.8CVSS6.1AI score0.00127EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 11:18 p.m.27 views

pnpm: Manifest identity spoof satisfies allowBuilds and runs attacker lifecycle

Summary Keep build approval for opaque dependency sources byte-exact for GHSA-5wx6-mg75-v57r / CAND-PNPM-123. Merged upstream commit bf1b731ee6 fixed the original name-only approval bypass by making build policy consume the resolved dependency identity. One collision remained: the generic...

8.8CVSS5.8AI score0.00118EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 11:12 p.m.10 views

pnpm: Repository config can expand victim environment secrets into registry requests before scripts run

Maintainer Action Plan This report is ready to review with the shared patch branch. Start with the PR and the expected fixed behavior, then use the detailed exploit narrative below only if you want to replay the original path. - Advisory: CAND-PNPM-122 / GHSA-3qhv-2rgh-x77r - Advisory URL:...

6.5CVSS6.4AI score0.00212EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 11:11 p.m.9 views

ImageMagick has a Heap Buffer Over-Write in SF3 encoder when writing multi-frame image

An crafted multi-frame can result in a heap buffer over-write when encoding it with the SF3 encoder...

6.2CVSS5.9AI score0.00112EPSS
Exploits0References4Affected Software17
Github Security Blog
Github Security Blog
added 2026/06/26 11:11 p.m.10 views

ImageMagick: Memory Leak in wand option parser when providing invalid arguments

When providing invalid options to the wand option parser a small memory leak will occur...

4CVSS5.8AI score0.0011EPSS
Exploits0References4Affected Software17
Github Security Blog
Github Security Blog
added 2026/06/26 11:10 p.m.8 views

Statamic CMS's incorrect authorization lets view-only users submit Live Preview content reserved for editors

Impact The Live Preview endpoint for existing entries and terms only checked view authorization, but it accepts and renders caller-supplied field values. A Control Panel user with view but not edit permission could therefore submit content they were not authorized to author and generate a shareab...

5.7AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 11:5 p.m.11 views

Nezha Monitoring: OAuth2 Redirect URL — Host Header Injection

Description The getRedirectURL function in oauth2.go:22-29 constructs the OAuth2 callback URL by concatenating the request's Host header with a fixed path, with zero validation of the Host header: go func getRedirectURLc gin.Context string scheme := "http://" referer := c.Request.Referer if...

6.8CVSS5.8AI score0.00234EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 11:4 p.m.10 views

Nezha Monitoring: Unbounded WebSocket Streams — Resource Exhaustion DoS

Description The Nezha dashboard exposes two endpoints that create long-lived WebSocket streams to monitored agents: - POST /api/v1/terminal → createTerminal terminal.go:27-67 - POST /api/v1/file → createFM fm.go:28-67 Both call rpc.NezhaHandlerSingleton.CreateStreamstreamId, ... which inserts a...

6.5CVSS6.1AI score0.00289EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 11:3 p.m.10 views

Statamic Vulnerable to CSV formula injection in form submission exports

Impact Form submission values were not neutralized for spreadsheet formula characters when exported to CSV. A submission containing a value beginning with a formula trigger character e.g. = , + , - , @ could be interpreted as a live formula when a Control Panel user opens the export in a...

5.7AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 11:3 p.m.10 views

Statamic Vulnerable to Server-Side Request Forgery via Glide (DNS rebinding)

Impact The Glide image proxy's URL validation could be bypassed using DNS rebinding. The remote hostname was validated as publicly routable, but resolved again when the image was actually fetched, so an attacker controlling the hostname's DNS could rebind it to an internal address after validatio...

5.8AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 11:3 p.m.9 views

Nezha Monitoring: Pre-auth path traversal via /dashboard.. prefix confusion leaks jwt_secret_key

Summary fallbackToFrontend in the dashboard's NoRoute handler treats any URL whose raw string starts with /dashboard as an admin-frontend asset request. The check uses strings.HasPrefix, not a path-segment match, so the input /dashboard../data/config.yaml is accepted; strings.TrimPrefix leaves...

9.1CVSS5.9AI score0.00451EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 11:2 p.m.8 views

Nezha Monitoring: Stored future DDNS profile ID allows unauthorized use of another user's DDNS profile context

Summary PATCH /server/id accepts and persists nonexistent ddnsprofiles IDs for a member-owned server. If another user later creates a DDNS profile with one of those IDs, the DDNS worker resolves the stored ID and dispatches an update using the other user's DDNS profile configuration in the contex...

6.4CVSS5.8AI score0.00227EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 11:0 p.m.8 views

Nezha Monitoring: Authenticated users can claim the dashboard Host through NAT and preempt all dashboard routing

Summary An authenticated non-admin user who owns any server can create or update a NAT profile whose domain is equal to the dashboard's own HTTP Host for example, dashboard.example:8008. The dashboard's top-level HTTP/gRPC multiplexer checks NATShared.GetNATConfigByDomainr.Host before dispatching...

6.5CVSS5.8AI score0.00282EPSS
Exploits0References3Affected Software1
Total number of security vulnerabilities33100