Lucene search
K
GithubRecent

33181 matches found

Github Security Blog
Github Security Blog
added 2026/04/04 6:16 a.m.7 views

AVideo: Unauthenticated Information Disclosure via Disabled CLI Guard in install/test.php

Summary The install/test.php diagnostic script has its CLI-only access guard disabled by commenting out the die statement. The script remains accessible via HTTP after installation, exposing video viewer statistics including IP addresses, session IDs, and user agents to unauthenticated visitors...

5.3CVSS5.9AI score0.00332EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/04 6:15 a.m.8 views

AVideo: Unauthenticated Access to Payment Order Data via BlockonomicsYPT check.php

Summary The BlockonomicsYPT plugin's check.php endpoint returns payment order data for any Bitcoin address without requiring authentication. The endpoint was designed as an AJAX polling helper for the authenticated invoice.php page, but it performs no access control checks of its own. Since Bitco...

3.7CVSS5.9AI score0.00318EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/04 6:14 a.m.7 views

LightRAG: Hardcoded JWT Signing Secret Allows Authentication Bypass

Subject: Security Vulnerability Report Hardcoded JWT Secret CVE-2026-30762 Hi HKUDS team, I'm writing to report a security vulnerability I discovered in LightRAG v1.4.10. This has been assigned CVE-2026-30762 by MITRE. Vulnerability: Hardcoded JWT signing secret Type: Improper Authentication...

5.8AI score0.0012EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/04 6:13 a.m.10 views

Directus: Authenticated Users Can Extract Concealed Fields via Aggregate Queries

Summary Aggregate functions min, max applied to fields with the conceal special type incorrectly return raw database values instead of the masked placeholder. When combined with groupBy, any authenticated user with read access to the affected collection can extract concealed field values, includi...

8.1CVSS5.9AI score0.00337EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/04 6:13 a.m.12 views

Directus: Unauthenticated Denial of Service via GraphQL Alias Amplification of Expensive Health Check Resolver

Summary The GraphQL specification permits a single query to repeat the same field multiple times using aliases, with each alias resolved independently by default. Directus did not deduplicate resolver invocations within a single request, meaning each alias triggered a full, independent execution ...

6AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/04 6:12 a.m.9 views

Directus: GraphQL Alias Amplification Denial of Service Due to Missing Query Cost/Complexity Limits

Summary Directus' GraphQL endpoints /graphql and /graphql/system did not deduplicate resolver invocations within a single request. An authenticated user could exploit GraphQL aliasing to repeat an expensive relational query many times in a single request, forcing the server to execute a large...

6.5CVSS6AI score0.00361EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/04 6:12 a.m.21 views

Directus: Sensitive fields exposed in revision history

Summary Directus stores revision records in directusrevisions whenever items are created or updated. Due to the revision snapshot code not consistently calling the prepareDelta sanitization pipeline, sensitive fields including user tokens, two-factor authentication secrets, external auth...

6.5CVSS5.9AI score0.0017EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/04 6:11 a.m.10 views

Directus: TUS Upload Authorization Bypass Allows Arbitrary File Overwrite

Summary Directus' TUS resumable upload endpoint /files/tus allows any authenticated user with basic file upload permissions to overwrite arbitrary existing files by UUID. The TUS controller performs only collection-level authorization checks, verifying the user has some permission on directusfile...

8.1CVSS6.1AI score0.00302EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/04 6:10 a.m.8 views

Directus: SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in File Import

Summary A Server-Side Request Forgery SSRF protection bypass has been identified and fixed in Directus. The IP address validation mechanism used to block requests to local and private networks could be circumvented using IPv4-Mapped IPv6 address notation. Details Directus implements an IP deny-li...

7.7CVSS5.8AI score0.00336EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/04 6:10 a.m.7 views

Directus: GraphQL Schema SDL Disclosure Setting

Summary When GRAPHQLINTROSPECTION=false is configured, Directus correctly blocks standard GraphQL introspection queries schema, type. However, the serverspecsgraphql resolver on the /graphql/system endpoint returns an equivalent SDL representation of the schema and was not subject to the same...

5.3CVSS5.9AI score0.00314EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/04 6:9 a.m.7 views

Directus: Open Redirect via Parser Bypass in OAuth2/SAML Authentication Flow

Summary An open redirect vulnerability exists in the login redirection logic. The isLoginRedirectAllowed function fails to correctly identify certain malformed URLs as external, allowing attackers to bypass redirect allow-list validation and redirect users to arbitrary external domains upon...

6.1CVSS5.9AI score0.00256EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/04 6:8 a.m.5 views

Directus: Open Redirect in Admin 2FA Setup Page

Summary Directus is vulnerable to an Open Redirect via the redirect query parameter on the /admin/tfa-setup page. When an administrator who has not yet configured Two-Factor Authentication 2FA visits a crafted URL, they are presented with the legitimate Directus 2FA setup page. After completing t...

4.3CVSS5.9AI score0.00256EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/04 6:6 a.m.12 views

Directus: Path Traversal and Broken Access Control in File Management API

Summary A broken access control vulnerability was identified in the Directus file management API that allows authenticated users to overwrite files belonging to other users by manipulating the filenamedisk parameter. Details The PATCH /files/id endpoint accepts a user-controlled filenamedisk...

8.8CVSS6.3AI score0.00204EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/04 6:6 a.m.7 views

Directus: Missing Cross-Origin Opener Policy

Summary Directus's Single Sign-On SSO login pages lacked a Cross-Origin-Opener-Policy COOP HTTP response header. Without this header, a malicious cross-origin window that opens the Directus login page retains the ability to access and manipulate the window object of that page. An attacker can...

9.3CVSS5.8AI score0.00169EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/04 6:4 a.m.14 views

Budibase: Unauthenticated Remote Code Execution via Webhook Trigger and Bash Automation Step

Summary An unauthenticated attacker can achieve Remote Code Execution RCE on the Budibase server by triggering an automation that contains a Bash step via the public webhook endpoint. No authentication is required to trigger the exploit. The process executes as root inside the container. Details...

9CVSS6.2AI score0.11982EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/04 6:4 a.m.11 views

Budibase: Path traversal in plugin file upload enables arbitrary directory deletion and file write

Summary The plugin file upload endpoint POST /api/plugin/upload passes the user-supplied filename directly to createTempFolder without sanitizing path traversal sequences. An attacker with Global Builder privileges can craft a multipart upload with a filename containing ../ to delete arbitrary...

8.7CVSS6.7AI score0.00554EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/04 6:3 a.m.12 views

actions-mkdocs: Command Injection via issue title in internal GitHub Actions workflow

Summary External input from github.event.issue.title is used unsafely in a shell command in .github/workflows/release-candidate.yaml, allowing command injection during workflow execution. Details In .github/workflows/release-candidate.yaml, the issue title is interpolated directly into a shell...

6.2AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/04 5:55 a.m.12 views

DynFuture Drop Can Construct a Dangling Reference

DynFuture is unsound because its Drop implementation transmutes a trait-object reference into unrelated reference types, which constructs an invalid reference from trait object metadata. This issue was reproduced against dyn-future 3.0.4 under Miri. The crate is unmaintained...

5.9AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/04 5:45 a.m.11 views

scaly: Multiple soundness issues in Rust safe APIs

Affected versions contain multiple safe APIs that can trigger undefined behavior: - Array::index can perform an out-of-bounds read. - String::getlength can perform an out-of-bounds read. - String::appendcharacter can perform an invalid write. - String::tocstring can perform an out-of-bounds write...

5.9AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/04 5:37 a.m.8 views

@mobilenext/mobile-mcp: Arbitrary Android Intent Execution via mobile_open_url

Summary The mobileopenurl tool in mobile-mcp passes user-supplied URLs directly to Android's intent system without any scheme validation, allowing execution of arbitrary Android intents, including USSD codes, phone calls, SMS messages, and content provider access. Details The vulnerable code pass...

8.8CVSS6.3AI score0.00387EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/04 5:33 a.m.12 views

@stablelib/cbor: Stack exhaustion Denial of Service via deeply nested CBOR arrays, maps, or tags

Summary @stablelib/cbor decodes nested CBOR structures recursively and does not enforce a maximum nesting depth. A sufficiently deep attacker-controlled CBOR payload can therefore crash decoding with RangeError: Maximum call stack size exceeded. Details The decoder processes arrays, maps, and...

5.9AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/04 4:24 a.m.7 views

@stablelib/cbor: Prototype poisoning via `__proto__` map keys in CBOR decoding

Summary @stablelib/cbor decodes CBOR maps into ordinary JavaScript objects and assigns attacker-controlled keys directly onto those objects. A CBOR map key named proto therefore changes the prototype of the decoded object instead of becoming an ordinary data property. Details The decoder builds m...

6AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/04 4:23 a.m.9 views

@hapi/content: Regular Expression Denial of Service (ReDoS) in HTTP header parsing

All versions of @hapi/content through 6.0.0 are vulnerable to Regular Expression Denial of Service ReDoS via crafted HTTP header values. Three regular expressions used to parse Content-Type and Content-Disposition headers contain patterns susceptible to catastrophic backtracking. This has been...

8.7CVSS5.4AI score0.00413EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/04 4:22 a.m.28 views

Parse Server: File upload Content-Type override via extension mismatch

Impact A file can be uploaded with a filename extension that passes the file extension allowlist e.g., .txt but with a Content-Type header that differs from the extension e.g., text/html. The Content-Type is passed to the storage adapter without consistency validation. Storage adapters that store...

5.4CVSS5.9AI score0.00162EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/04 4:18 a.m.7 views

pyLoad: SSRF in parse_urls API endpoint via unvalidated URL parameter

Vulnerability Details CWE-918: Server-Side Request Forgery SSRF The parseurls API function in src/pyload/core/api/init.py line 556 fetches arbitrary URLs server-side via geturlurl pycurl without any URL validation, protocol restriction, or IP blacklist. An authenticated user with ADD permission...

7.7CVSS6AI score0.00269EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/04 4:17 a.m.306 views

Jackson Core: Document length constraint bypass in blocking, async, and DataInput parsers

Summary Jackson Core 3.x does not consistently enforce StreamReadConstraints.maxDocumentLength. Oversized JSON documents can be accepted without a StreamConstraintsException in multiple parser entry points, which allows configured size limits to be bypassed and weakens denial-of-service...

6.1AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 11:43 p.m.5 views

AVideo: CSRF on Player Skin Configuration via admin/playerUpdate.json.php

Severity: Medium CWE: CWE-352 Cross-Site Request Forgery Summary The player skin configuration endpoint at admin/playerUpdate.json.php does not validate CSRF tokens. The plugins table is explicitly excluded from the ORM's domain-based security check via ignoreTableSecurityCheck, removing the only...

4.3CVSS6AI score0.00134EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 11:38 p.m.11 views

Hugo: Certain markdown links are not properly escaped

Impact Links and image links in the default markdown to HTML renderer are not properly escaped. Hugo users who trust their Markdown content or have custom render hooks for links and images are not affected. Patches Patched in v0.159.2 Workarounds Create custom render hooks for links and images in...

5.4CVSS5.9AI score0.00185EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 11:33 p.m.13 views

AVideo: Unauthenticated Instagram Graph API Proxy via publishInstagram.json.php

Summary The SocialMediaPublisher plugin exposes a publishInstagram.json.php endpoint that acts as an unauthenticated proxy to the Facebook/Instagram Graph API. The endpoint accepts user-controlled parameters including an access token, container ID, and Instagram account ID, and passes them direct...

5.3CVSS6AI score0.00215EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 11:14 p.m.7 views

BentoML: SSTI via Unsandboxed Jinja2 in Dockerfile Generation

Summary The Dockerfile generation function generatecontainerfile in src/bentoml/internal/container/generate.py uses an unsandboxed jinja2.Environment with the jinja2.ext.do extension to render user-provided dockerfiletemplate files. When a victim imports a malicious bento archive and runs bentoml...

9.6CVSS6.5AI score0.00392EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 10:3 p.m.14 views

BentoML: Command Injection in cloud deployment setup script

Commit ce53491 March 24 fixed command injection via systempackages in Dockerfile templates and images.py by adding shlex.quote. However, the cloud deployment path in src/bentoml/internal/cloud/deployment.py was not included in the fix. Line 1648 interpolates systempackages directly into a shell...

7.8CVSS6.4AI score0.00315EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 10:1 p.m.14 views

fast-jwt accepts unknown `crit` header extensions (RFC 7515 violation)

Summary fast-jwt does not validate the crit Critical Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that fast-jwt does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC. ---...

7.5CVSS5.9AI score0.00155EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 9:59 p.m.16 views

LiteLLM: Authentication bypass via OIDC userinfo cache key collision

Impact When JWT authentication is enabled enablejwtauth: true, the OIDC userinfo cache uses token:20 as the cache key. JWT headers produced by the same signing algorithm generate identical first 20 characters. This configuration option is not enabled by default. Most instances are not affected. A...

9.4CVSS5.9AI score0.0049EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 9:59 p.m.14 views

LiteLLM: Privilege escalation via unrestricted proxy configuration endpoint

Impact The /config/update endpoint does not enforce admin role authorization. A user who is already authenticated into the platform can then use this endpoint to do the following: - Modify proxy configuration and environment variables - Register custom pass-through endpoint handlers pointing to...

8.8CVSS6.3AI score0.26409EPSS
Exploits2References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 9:58 p.m.7 views

goshs: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)

Summary deleteFile missing return after path traversal check | httpserver/handler.go:645-671 The finding affects the default configuration, no flags or authentication required. Details File: httpserver/handler.go:645-671 Trigger: GET /?delete handler.go:157-160 dispatches to deleteFile The functi...

9.8CVSS6.1AI score0.00683EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 9:57 p.m.14 views

OpenSTAManager has a SQL Injection via righe Parameter in confronta_righe Modals

Description Six confrontarighe.php files across different modules in OpenSTAManager fetchArray 'SELECT mgarticolilang.title, mgarticoli.codice, inrigheinterventi. FROM inrigheinterventi INNER JOIN...

8.8CVSS6.2AI score0.00416EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 9:54 p.m.10 views

Mesop: Unbounded Thread Creation in WebSocket Handler Leads to Denial of Service

Summary An uncontrolled resource consumption vulnerability exists in the WebSocket implementation of the Mesop framework. An unauthenticated attacker can send a rapid succession of WebSocket messages, forcing the server to spawn an unbounded number of operating system threads. This leads to threa...

7.5CVSS6AI score0.00721EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 9:53 p.m.9 views

Budibase: Command Injection in Bash Automation Step

Location: packages/server/src/automations/steps/bash.ts Description The bash automation step executes user-provided commands using execSync without proper sanitization or validation. User input is processed through processStringSync which allows template interpolation, potentially allowing...

8.8CVSS6.5AI score0.00466EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 9:52 p.m.8 views

Electron: Use-after-free in offscreen shared texture release() callback

Impact Apps that use offscreen rendering with GPU shared textures may be vulnerable to a use-after-free. Under certain conditions, the release callback provided on a paint event texture can outlive its backing native state, and invoking it after that point dereferences freed memory in the main...

5.5CVSS5.8AI score0.001EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 9:51 p.m.7 views

vLLM: Denial of Service via Unbounded Frame Count in video/jpeg Base64 Processing

Summary The VideoMediaIO.loadbase64 method at vllm/multimodal/media/video.py:51-62 splits video/jpeg data URLs by comma to extract individual JPEG frames, but does not enforce a frame count limit. The numframes parameter default: 32, which is enforced by the loadbytes code path at line 47-48, is...

6.5CVSS6AI score0.00378EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 9:51 p.m.6 views

vLLM: Server-Side Request Forgery (SSRF) in `download_bytes_from_url `

Summary A Server Side Request Forgery SSRF vulnerability in downloadbytesfromurl allows any actor who can control batch input JSON to make the vLLM batch runner issue arbitrary HTTP/HTTPS requests from the server, without any URL validation or domain restrictions. This can be used to target...

5.4CVSS6.1AI score0.00246EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 9:50 p.m.16 views

OpenEXR: Heap information disclosure in PXR24 decompression via unchecked decompressed size (undo_pxr24_impl)

Summary The PXR24 decompression function undopxr24impl in OpenEXR internalpxr24.c ignores the actual decompressed size outSize returned by exruncompressbuffer and instead reads from the scratch buffer based solely on the expected size uncompressedsize derived from the header metadata. Additionall...

8.7CVSS6AI score0.00482EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 9:47 p.m.8 views

OpenEXR: integer overflow to OOB write in uncompress_b44_impl()

Summary The B44/B44A decoder in OpenEXR reconstructs row pointers into a scratch buffer using int. When the channel width nx is large enough, the product y nx overflows int, causing the row pointer to wrap before the start of the scratch buffer. Subsequent memcpy calls then write decoded pixel...

8.4CVSS6AI score0.00244EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 9:45 p.m.20 views

SandboxJS: Sandbox Escape via Prop Object Leak in New Handler

Description A scope modification vulnerability exists in @nyariv/sandboxjs version 0.8.35 and below. The vulnerability allows untrusted sandboxed code to leak internal interpreter objects through the new operator, exposing sandbox scope objects in the scope hierarchy to untrusted code; an...

7.2CVSS6.1AI score0.00292EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 9:45 p.m.6 views

SandboxJS: Stack overflow DoS via deeply nested expressions in recursive descent parser

Summary The @nyariv/sandboxjs parser contains unbounded recursion in the restOfExp function and the lispify/lispifyExpr call chain. An attacker can crash any Node.js process that parses untrusted input by supplying deeply nested expressions e.g., 2000 nested parentheses, causing a RangeError:...

7.5CVSS6.1AI score0.00395EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 9:44 p.m.37 views

SandboxJS: Sandbox integrity escape

Summary SandboxJS blocks direct assignment to global objects for example Math.random = ..., but this protection can be bypassed through an exposed callable constructor path: this.constructor.calltarget, attackerObject. Because this.constructor resolves to the internal SandboxGlobal function and...

10CVSS6.2AI score0.00561EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 9:43 p.m.7 views

Signal K Server: OAuth Authorization Code Theft via Unvalidated Host Header in OIDC Flow

Summary SignalK Server contains a code-level vulnerability in its OIDC login and logout handlers where the unvalidated HTTP Host header is used to construct the OAuth2 redirecturi. Because the redirectUri configuration is silently unset by default, an attacker spoof the Host header to steal OAuth...

6.1CVSS6AI score0.00112EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 9:42 p.m.6 views

LTI JupyterHub Authenticator: Unbounded Memory Growth via Nonce Storage (Denial of Service)

Summary The LTI 1.1 validator stores OAuth nonces in a class-level dictionary that grows without bounds. Nonces are added before signature validation, so an attacker with knowledge of a valid consumer key can send repeated requests with unique nonces to gradually exhaust server memory, causing a...

5.9CVSS5.9AI score0.00329EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 9:42 p.m.13 views

Signal K Server: Unauthenticated Source Priorities Manipulation

Summary The SignalK Server exposes an unauthenticated HTTP endpoint that allows remote attackers to modify navigation data source priorities. This endpoint, accessible via PUT /signalk/v1/api/sourcePriorities, does not enforce authentication or authorization checks and directly assigns...

7.5CVSS5.9AI score0.0031EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 9:37 p.m.6 views

Signal K Server: Privilege Escalation by Admin Role Injection via /enableSecurity

Summary According to SignalK's security documentation, when a server is first initialized without security enabled, the /skServer/enableSecurity endpoint is intentionally exposed to allow the owner to set up the initial admin account. This initial open access is by design. However, the critical...

9.4CVSS6AI score0.00418EPSS
Exploits1References4Affected Software1
Total number of security vulnerabilities33181