Lucene search
K
GithubRecent

33100 matches found

Github Security Blog
Github Security Blog
added 2026/06/26 10:59 p.m.13 views

pnpm Vulnerable to Arbitrary File Write/Delete via Malicious Patch File (Path Traversal)

Summary pnpm's patch application pipeline @pnpm/patch-package performs no path validation on file paths extracted from .patch files. An attacker who contributes a malicious patch file via a pull request can write attacker-controlled content to or delete arbitrary files on the filesystem during pn...

7.3CVSS6AI score0.0027EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 10:59 p.m.8 views

pnpm binds unscoped user-level npm auth credentials to a repository-selected registry

Summary pnpm can send user-level unscoped npm authentication credentials to a registry chosen by a repository-local .npmrc file. In the reproduced case, the user's npm config contains a default registry and an unscoped authToken. The repository does not provide a token-bearing auth line. It only...

6.9CVSS6AI score0.00254EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 10:55 p.m.7 views

pnpm: Transitive dependency alias path traversal allows project path override via symlink replacement

Summary pnpm allows a transitive dependency alias from registry package metadata to contain path traversal segments. During install, pnpm later uses that alias as a filesystem path when linking dependency nodes. As a result, a registry package can cause pnpm install - ignore-scripts to replace...

8.8CVSS5.9AI score0.00326EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 10:53 p.m.7 views

pnpm: Git Fetch Argument Injection via Lockfile resolution.commit

Summary pnpm passes the lockfile-controlled git resolution.commit value to git fetch without a -- separator or commit-format validation. For git dependencies fetched through the shallow-fetch path, a malicious lockfile can replace the expected 40-character commit hash with a Git option such as...

7.3CVSS6AI score0.0018EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 10:53 p.m.7 views

pnpm Has an Integrity Check Bypass via Missing Lockfile Integrity Field

Summary pnpm's tarball extraction worker skips integrity verification when the integrity field is absent from the lockfile resolution. If an attacker can both modify pnpm-lock.yaml to remove the integrity: field and cause the referenced registry URL to serve altered package content, pnpm install...

8.1CVSS5.8AI score0.00126EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 10:52 p.m.6 views

pnpm: Unsafe default behavior breaks integrity check

While it is unclear whether this should be classified as a vulnerability, it is being reported through this channel because the current behavior may represent an unsafe default. Summary pnpm install in non-frozen mode can accept new remote package content after detecting that the downloaded tarba...

8.1CVSS5.7AI score0.00113EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 10:50 p.m.7 views

ex_aws_sns: Trusted-attacker `SigningCertURL` permits complete SNS signature bypass

Summary ExAws.SNS.verifymessage/1 fetches the signing certificate from the SigningCertURL field of the incoming SNS message without validating that the URL uses HTTPS or that its host is an AWS-owned SNS certificate domain. An unauthenticated attacker who can POST to any endpoint that calls...

8.7CVSS6AI score0.00226EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 10:49 p.m.7 views

js-toml has silent type confusion via falsy-primitive duplicate-key bypass

Summary js-toml's interpreter checks whether a key already exists in a parser-built container with if objectkey instead of if key in object. When the prior value is a falsy primitive — false, 0, 0n, 0.0, -0, or "" — the duplicate-key branch is skipped and the value is silently overwritten by a...

5.8AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 10:43 p.m.6 views

regclient may leak authentication credentials to external blob stores

Credentials for a registry may be inadvertently leaked to external servers. A prerequisite for this attack is a malicious registry server, a malicious blob store, or a registry that does not restrict the external URLs for foreign blobs. Example attack A malicious registry serves an OCI image...

5.7AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 10:32 p.m.5 views

Authelia has an Edge Case Access Control Rule Mismatch

Impact CVSSv4 Baseline Score: Low 2.4 CVSSv4 Weighted Score: Low 1.3 The full CVSSv4 Vector for this vulnerability is: CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:P/CR:H/IR:L/AR:L/MAV:N/MAC:H/MAT:P/MPR:L/MVC:L/MVI:N/MVA:N/MSC:L/MSI:N/MSA:N/S:N/AU:Y/R:U/V:D/RE:L/U:Amber...

2.3CVSS5.7AI score0.00283EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 10:31 p.m.6 views

Nezha vulnerable to cross-tenant terminal/file-manager session hijack via WebSocket stream UUID without ownership check

Summary In nezha v1.14.13–v1.14.14 and v2.0.0–v2.0.9, the WebSocket endpoints GET /ws/terminal/:id and GET /ws/file/:id authenticate the caller only by the presence of a valid stream UUID, with no ownership check tying that UUID to the user who created the stream. Any authenticated dashboard user...

9.9CVSS6AI score0.00339EPSS
Exploits1References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 10:31 p.m.7 views

Blnk has an API key authorization bypass in owner and scope enforcement

Blnk API key endpoints had an authorization issue that allowed non-master API keys to perform key-management actions outside their intended authorization boundary. In affected versions, API key operations trusted caller-controlled request values for owner and scope decisions. As a result, a...

5.7AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 10:29 p.m.7 views

YARD static cache reads raw traversal paths before router sanitization

Summary YARD's static cache lookup reads a request path before the router's path cleanup runs. When a server is configured with a document root, a traversal path such as /../yard-cache-secret.html is joined against that root and can return a readable sibling .html file outside the intended static...

5.3CVSS6.1AI score0.00273EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 10:23 p.m.9 views

@microsoft/kiota-http-fetchlibrary: Bearer token and Cookie leak across origin on redirect due to case-mismatched scrub in fetchRequestAdapter

Summary @microsoft/kiota-http-fetchlibrary's RedirectHandler is documented as stripping Authorization and Cookie from cross-origin redirect targets, but the default scrubSensitiveHeaders callback in RedirectHandlerOptions uses case-sensitive property deletion delete headers.Authorization, delete...

6.9CVSS5.8AI score0.0065EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 10:21 p.m.6 views

js-toml vulnerable to CPU exhaustion via O(n^2) BigInt construction on radix-prefixed integer literals

Summary js-toml versions up to and including 1.1.0 parse hexadecimal / octal / binary integer literals via a hand-written parseBigInt loop that multiplies a BigInt accumulator by the radix once per input digit. Each iteration performs a BigInt BigInt operation on an accumulator that grows linearl...

7.5CVSS6AI score0.00415EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 10:20 p.m.6 views

SolidInvoice: IDOR in LiveComponent allows same-company cross-user access to API tokens and notification transport settings

Summary Four authorization bypass vulnerabilities in Symfony LiveComponent actions allow any authenticated user within a company to access, modify, or delete other users' API tokens and notification transport settings. The root cause is that LiveComponent actions accept entity IDs without verifyi...

5.8AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 10:15 p.m.5 views

Statamic CMS's unsafe method invocation via collection sorting allows data destruction

Impact The fix for GHSA-4jjr-vmv7-wh4w was incomplete. It addressed the issue in the query builder, but the same protection was not applied to in-memory collection sorting. Manipulating sort parameters could result in the loss of content and assets. This requires a front-end template that passes...

7.4CVSS5.7AI score0.0027EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 10:12 p.m.6 views

Statamic CMS: Missing authorization on Control Panel fieldtype endpoints allows disclosure of restricted resources

Impact An authenticated Control Panel user could view metadata and content for resources they don't have permission to view, including entries, assets, users, roles, groups, and other configured resources. Depending on the resource, this could expose titles, custom field values, entry content,...

4.3CVSS5.8AI score0.00162EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 10:11 p.m.20 views

PhpWeasyPrint vulnerable to SSRF and local file disclosure via the attachment option

Summary pontedilana/php-weasyprint fetches the content of option values server-side via filegetcontents when the value looks like a URL, without restricting the URL scheme. The attachment option of Pdf is the reachable sink: any value that passes isOptionUrl filtervar..., FILTERVALIDATEURL is...

6.5CVSS6AI score0.00242EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 10:10 p.m.9 views

PhpWeasyPrint vulnerable to arbitrary file deletion at shutdown via public $temporaryFiles

Summary AbstractGenerator::$temporaryFiles is a public array, and removeTemporaryFiles — invoked from destruct and from a registered shutdown function — calls unlink on every entry without verifying that the path is contained within the temporary folder. Any code holding a reference to a generato...

3CVSS6AI score0.00112EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 10:10 p.m.7 views

PhpWeasyPrint vulnerable to PHAR deserialization via output filename (CVE-2023-28115 case-insensitive bypass)

Summary pontedilana/php-weasyprint guarded the output filename against the phar:// stream wrapper with a case-sensitive blacklist: php if 0 === \strpos$filename, 'phar://' throw new \InvalidArgumentException'The output file cannot be a phar archive.'; PHP stream wrappers are case-insensitive, so...

9.8CVSS6.5AI score0.0276EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 10:1 p.m.6 views

Hackney vulnerable to atom-table exhaustion via unrecognized URL schemes

Summary CVE-2026-47067 is an atom table exhaustion vulnerability CWE-770 in hackney's URL parser src/hackneyurl.erl. hackneyurl:parseurl/1 converts every URL scheme it encounters into a BEAM atom via binarytoatom/2. Because BEAM atoms are never garbage-collected and the atom table has a hard limi...

8.7CVSS5.9AI score0.00703EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 10:0 p.m.8 views

Hackney has unbounded buffer accumulation in WebSocket

Summary The WebSocket client in src/hackneyws.erl imposes no upper bound on memory consumption across three distinct code paths. In each case, an attacker-controlled WebSocket server can exhaust the connecting process's memory without any authentication or special client configuration. Details 1...

8.7CVSS6AI score0.00825EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 9:59 p.m.7 views

Hackney has CRLF / header injection in WebSocket upgrade request

Summary CRLF injection in hackney's WebSocket upgrade request builder src/hackneyws.erl. init/1 copies the host, path, headers, and protocols options from the caller-supplied opts map verbatim into wsdata, and dohandshake/1 splices them directly into the raw HTTP/1.1 upgrade request by binary...

7.5CVSS5.9AI score0.00506EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 9:58 p.m.6 views

Hackney has CR/LF injection in query parameter

Summary hackneyurl:makeurl/3 passes the URL query component directly into the HTTP/1.1 request target without percent-encoding \r or \n. RFC 3986 §3.4 requires characters outside the query grammar to be percent-encoded, but no validation or escaping occurs. An attacker who controls any portion of...

7.5CVSS6AI score0.00421EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 9:57 p.m.6 views

Hackney: Per-chunk timeout with unbounded body accumulation enables slow-drip OOM

Summary hackneyh3:awaitresponseloop/6 in src/hackneyh3.erl accumulates the HTTP/3 response body in memory without any size cap. The after Timeout clause is a per-message inactivity timer, not a wall-clock deadline: every received streamdata chunk, housekeeping select message, or settings frame...

8.2CVSS5.9AI score0.00703EPSS
Exploits1References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 9:56 p.m.7 views

Hackney: Cross-origin Redirect Leaks Authorization, Cookie, and Request Body

Summary The HTTP/3 redirect handler in src/hackneyh3.erl forwards the original request headers Authorization, Cookie, Proxy-Authorization and, for 307/308 responses, the original request body to the redirect target without checking whether the target host matches the origin. When followredirect i...

6.1CVSS5.8AI score0.00348EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 9:54 p.m.4 views

Hackney has SSRF allowlist bypass in hackney_url:normalize/2 via percent-encoded host

Summary hackneyurl:normalize/2 URL-decodes the host component of a parsed URL, but the caller's SSRF allowlist runs before normalization using OTP's uristring:parse/1 and inet:parseaddress/1, neither of which decodes percent-escapes in hostnames. A URL like http://%31%32%37%2E%30%2E%30%2E%31/...

6.9CVSS5.8AI score0.00201EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 9:54 p.m.7 views

Hackney has CRLF / header injection via unvalidated `domain` and `path` options

Summary CRLF injection in hackneycookie:setcookie/3 src/hackneycookie.erl. The function validates Name and Value against CR/LF and control characters but concatenates the domain and path options verbatim into the output binary. If either option carries attacker-controlled data, a Host header...

5.3CVSS5.9AI score0.00374EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 9:53 p.m.5 views

Hackney: `ssl:connect/2` post-handshake upgrade has no timeout

Summary The SOCKS5 transport in src/hackneysocks5.erl correctly applies the caller-supplied timeout to the SOCKS5 negotiation phase, but then upgrades the tunnel to TLS using ssl:connect/2 the two-argument form, which defaults to infinity. The Timeout value is in scope at that call site but is...

8.2CVSS5.7AI score0.00703EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 9:53 p.m.7 views

Hackney has an infinite loop on non-token byte at start of an Alt-Svc entry

Summary CVE-2026-47066 is an infinite loop CWE-835 in hackney's Alt-Svc response header parser src/hackneyaltsvc.erl. When an HTTP server returns an Alt-Svc header whose value begins with a non-token byte e.g. !, @, =, ;, the parser enters a tight tail-recursive loop that pins an Erlang scheduler...

8.7CVSS5.8AI score0.00703EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 9:50 p.m.5 views

Streamable HTTP mode exposes LINE Desktop read/send tools without MCP authentication

Streamable HTTP mode exposes LINE Desktop read/send tools without MCP authentication Summary line-desktop-mcp supports a --http-mode Streamable HTTP transport for use with clients such as n8n. In this mode the server binds to 0.0.0.0 and exposes the MCP /mcp endpoint without an MCP-layer...

8.8CVSS5.8AI score0.00323EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 9:50 p.m.5 views

Aimeos Pagible CMS vulnerable to Server Side Request Forgery (SSRF) via DNS rebinding in admin proxy

Summary The administrative proxy route cmsproxy in Aimeos Pagible CMS is vulnerable to a Server-Side Request Forgery SSRF attack via DNS Rebinding. A Time-of-Check to Time-of-Use TOCTOU race condition exists between the URL validation phase and the actual HTTP request phase, allowing attackers to...

5.8AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 9:49 p.m.7 views

pnpm: Tarball hash of GitHub git dependencies is not stored in lockfile

Summary A malicious codeload.github.com server can serve whatever tarball it wants and pnpm will install it regardless of the lockfile. Details The lockfile does not store the hash of the dependencies from https://codeload.github.com This means that if this server was compromised or a person's...

7.5CVSS5.8AI score0.00116EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 9:48 p.m.6 views

Cargo crates in third party registries can override the cached source of other crates

The Rust Security Response Team was notified that Cargo incorrectly handled symlinks inside of crate tarballs downloaded from third-party registries, allowing a malicious crate to override the source code of another crate from the same registry. This vulnerability is tracked as CVE-2026-5223. The...

6.5CVSS5.8AI score0.00294EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 9:47 p.m.6 views

Cargo can be coerced to share credentials between registries

The Rust Security Response Team was notified that Cargo incorrectly normalized the URLs of third-party registries using the sparse index protocol1. If a hosting provider allowed multiple registries to be hosted with arbitrary names within the same domain, an attacker able to publish crates in a...

6.5CVSS5.9AI score0.00328EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 9:46 p.m.7 views

php-weasyprint: shell command injection via configurable WeasyPrint binary path due to inverted is_executable() guard (mirror of KnpLabs/snappy GHSA-vpr4-p6fq-85jc)

Summary pontedilana/php-weasyprint builds the shell command for WeasyPrint by passing the binary path through escapeshellarg first and then checking the quoted result with isexecutable. On POSIX escapeshellarg'/usr/local/bin/weasyprint' returns '/usr/local/bin/weasyprint' with the single-quote...

8.2CVSS5.8AI score0.00154EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 9:29 p.m.6 views

Nebula Mesh: Web UI lacks ownership checks, enabling cross-operator access to hosts and networks (read, block, delete)

Summary The web UI /ui/ does not apply the per-operator CA scoping the JSON API received for GHSA-598g-h2vc-h5vg. Any authenticated non-admin operator for example, one created via self-registration or OIDC can access resources belonging to other operators. Impact A non-admin operator can: - Block...

5.8AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 9:23 p.m.27 views

phpMyFAQ has an incomplete fix for GHSA-xvp4-phqj-cjr3 — editUser() and updateUserRights() lack authorization guards

Advisory / Disclosure phpMyFAQ 4.1.3 — incomplete fix for the admin-API IDOR/privilege-escalation class Target: thorsten/phpMyFAQ composer: thorsten/phpmyfaq, phpmyfaq/phpmyfaq Affected: "Only SuperAdmins may change other users' attributes. Self-service is always allowed." and "a non-SuperAdmin...

6AI score
Exploits0References2Affected Software2
Github Security Blog
Github Security Blog
added 2026/06/26 9:8 p.m.5 views

@cardano402/mcp-server missing spending limits, LAN-exposed HTTP transport, and SSRF via catalog.server.url

Summary @cardano402/mcp-server versions = 0.1.1 ship three security gaps that can lead to unauthorized fund movement when the package is used as designed an MCP server exposing Cardano payment tools to an Impact 1. No spending limits on signed payments An LLM or prompt-injected LLM calling tools...

5.8AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 9:5 p.m.5 views

mcp-pinot: Unauthenticated tool invocation via default oauth_enabled=False + host 0.0.0.0 bind

Resolution Fixed in v3.1.0, released 2026-05-25. The fix was merged in PR 95 at commit 1c7d3f9. The fix changes the default HTTP bind host to 127.0.0.1, refuses non-loopback HTTP/HTTPS exposure unless OAuth is enabled, makes Helm exposure opt-in and OAuth-gated, and adds parser-backed...

10CVSS6.1AI score0.00498EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 9:5 p.m.4 views

Relyra SAML SignatureValue not cryptographically verified -> authentication bypass

Summary Relyra 1.0.0 and 1.1.0 accept forged SAML signatures because SignatureValue was not cryptographically verified before the library returned a successful authentication result. Details In 1.0.0 and 1.1.0, the XMLDSig trust boundary was incomplete. :publickey.verify over the exclusive-C14N...

9.1CVSS5.9AI score0.00135EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 9:4 p.m.5 views

mcp-memory-service: OAuth read-only clients can write and delete memories through MCP tools/call

Summary The HTTP MCP JSON-RPC endpoint at /mcp requires only OAuth read scope for all requests, then dispatches tools/call directly to handlers that include mutating tools. A read-only OAuth client can call storememory and deletememory through MCP even though the corresponding REST endpoints...

8.1CVSS5.8AI score0.00264EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 9:3 p.m.4 views

deepstream is vulnerable to prototype pollution

Impact Prototype pollution in deepstream server v =10.0.4. Potential privilege escalation from any authenticated user with write permission to any record. Patches Yes, upgrade to v10.0.5 Workarounds Filter out all messages containing the path proto, constructor, prototype, before they reach the...

9.9CVSS5.8AI score0.0027EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 9:3 p.m.5 views

Dosage Vulnerable to Stored Cross-Site Scripting (XSS) in HTML/RSS Output Handlers

Summary The HTML and RSS output handlers in dosagelib/events.py write user-controlled content comic text and page URLs directly into generated files without proper HTML escaping. When a user scrapes a malicious webcomic and opens the generated HTML/RSS file, attacker-controlled JavaScript can...

5.9AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 9:2 p.m.5 views

Scriban: ExpressionDepthLimit guard is non-enforcing — parser-recursion DoS in 6.6.0–7.2.0 (incomplete fix for GHSA-wgh7-7m3c-fx25 / GHSA-p6q4-fgr8-vx4p)

Summary The ExpressionDepthLimit parser guard in Scriban does not actually stop parsing — it only logs a non-fatal error and lets recursive descent continue. As a result, a template containing a deeply nested expression parentheses, array initializers, object initializers, or unary operators driv...

6.1AI score
Exploits0References2Affected Software2
Github Security Blog
Github Security Blog
added 2026/06/26 9:1 p.m.9 views

Scriban: array * int (ScriptArray<T>.TryEvaluate) bypasses LoopLimit — incomplete fix for GHSA-c875-h985-hvrc, missed sibling of GHSA-24c8-4792-22hx

Summary The array multiplication operator array integer in Scriban allocates a result whose size is the product of the attacker-controlled integer and the array length, with no LoopLimit / LimitToString check and no overflow-safe arithmetic. A 40-byte template forces a multi-gigabyte allocation,...

5.8AI score
Exploits0References2Affected Software2
Github Security Blog
Github Security Blog
added 2026/06/26 9:1 p.m.6 views

nebula-mesh: Signed-poll nonce LRU is in-memory and bounded; replay survives restart + eviction

internal/api/pop/nonce.go:25,40,86 + internal/api/server.go:38 — the signed-poll nonce cache is an in-process LRU sized at 65,536 entries. internal/api/updates.go:31 sets pollClockSkew = 5 time.Minute as the replay window. Affected All released versions through v0.3.0 that have shipped the ADR 00...

5.8AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 9:0 p.m.5 views

WebauthnAuthenticator leaks sensitive HTTP headers through INFO-level logs

Impact Webauthn\Bundle\Security\Http\Authenticator\WebauthnAuthenticator logs the full Symfony\Component\HttpFoundation\Request object inside the log context of both onAuthenticationSuccess and onAuthenticationFailure at INFO level: php $this-logger-info'User has been authenticated successfully...

5.8AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/26 9:0 p.m.5 views

CakePHP: View::element() is missing a path containment check

Impact View::getElementFileName does not check that the resolved element path is within the application/plugin view template paths. When element names are created with specifically crafted user-supplied data this weakness can be leveraged to include other PHP files on the server. Patches Patched...

6.3CVSS5.8AI score0.00258EPSS
Exploits0References3Affected Software1
Total number of security vulnerabilities33100