Lucene search
K
GithubRecent

33181 matches found

Github Security Blog
Github Security Blog
added 2026/04/03 9:36 p.m.11 views

curl_cffi: Redirect-based SSRF leads to internal network access in curl_cffi (with TLS impersonation bypass)

Summary curlcffi does not restrict requests to internal IP ranges, and follows redirects automatically via the underlying libcurl. Because of this, an attacker-controlled URL can redirect requests to internal services such as cloud metadata endpoints. In addition, curlcffi’s TLS impersonation...

8.6CVSS5.9AI score0.00463EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 9:36 p.m.14 views

JupyterHub has an Open Redirect Vulnerability

Affected Version JupyterHub = 5.4.3 Impact An open redirect vulnerability in JupyterHub =5.4.3 allows attackers to construct links which, when clicked, take users to the JupyterHub login page, after which they are sent to an arbitrary attacker-controlled site outside JupyterHub instead of a...

6.1CVSS6AI score0.00224EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 9:35 p.m.7 views

Auth0OAuthenticator has an Authentication Bypass via Unverified Email Claims

Summary An authentication bypass vulnerability in oauthenticator allows an attacker with an unverified email address on an Auth0 tenant to login to JupyterHub. When email is used as the usrnameclaim, this gives users control over their username and the possibility of account takeover. Impact This...

8.8CVSS5.9AI score0.00438EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 9:34 p.m.5 views

Budibase: Server-Side Request Forgery via REST Connector with Empty Default Blacklist

Summary | Field | Value | |-------|-------| | Title | SSRF via REST Connector with Empty Default Blacklist Leading to Full Internal Data Exfiltration | | Product | Budibase | | Version | 3.30.6 latest stable as of 2026-02-25 | | Component | REST Datasource Integration + Backend-Core Blacklist...

9.9CVSS6.3AI score0.00377EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 9:33 p.m.7 views

CocoaMQTT: Denial of Service via Reachable Assertion in `PUBLISH` Packet Parsing

A vulnerability exists in the packet parsing logic of CocoaMQTT that allows an attacker or a compromised/malicious MQTT broker to remotely crash the host iOS/macOS/tvOS application. The vulnerability is located in Source/FramePublish.swift during the extraction of the Topic string from the incomi...

6.5CVSS5.9AI score0.00318EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 9:31 p.m.7 views

Duplicate Advisory: OpenClaw: Gemini OAuth exposed the PKCE verifier through the OAuth state parameter

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-9jpj-g8vv-j5mf. This link is maintained to preserve external references. Original Description OpenClaw before 2026.4.2 reuses the PKCE verifier as the OAuth state parameter in the Gemini OAuth flow, exposing it...

6CVSS5.9AI score0.00238EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 6:31 p.m.10 views

mlflow: FastAPI job endpoints under `/ajax-api/3.0/jobs/*` are not protected by authentication or authorization

In mlflow/mlflow, the FastAPI job endpoints under /ajax-api/3.0/jobs/ are not protected by authentication or authorization when the basic-auth app is enabled. This vulnerability affects the latest version of the repository. If job execution is enabled MLFLOWSERVERENABLEJOBEXECUTION=true and any j...

9.8CVSS7.8AI score0.04392EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 6:29 p.m.5 views

Juju has a resource poisoning vulnerability

Summary Any authenticated user, machine or controller under a Juju controller can modify the resources of an application within the entire controller. This one is very straightforward to just read in the code: Step 1: The authorisation mechanism for the resource handler is defined here. One is on...

7.1CVSS6.1AI score0.00232EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 6:18 p.m.11 views

Juju: Read All Controller Logs From Compromised Workload

Summary It is possible that a compromised workload machine under a Juju controller can read any log file for any entity in any model at any level. There is a debug log endpoint in the API server that allows streaming of logs off of the controller. To access this endpoint you must be authenticatio...

6.9CVSS5.7AI score0.00362EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 3:35 p.m.10 views

vLLM: Unauthenticated OOM Denial of Service via Unbounded `n` Parameter in OpenAI API Server

Summary A Denial of Service vulnerability exists in the vLLM OpenAI-compatible API server. Due to the lack of an upper bound validation on the n parameter in the ChatCompletionRequest and CompletionRequest Pydantic models, an unauthenticated attacker can send a single HTTP request with an...

6.5CVSS6AI score0.00346EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 3:30 p.m.10 views

Casdoor vulnerable to Stored XSS via Application formCss / formSideHtml

A security flaw has been discovered in Casdoor 2.356.0. This affects the function dangerouslySetInnerHTML. Performing a manipulation of the argument formCss/formCssMobile/formSideHtml results in cross site scripting. The attack can be initiated remotely. The exploit has been released to the publi...

5.4CVSS4.4AI score0.00188EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 3:30 p.m.6 views

Casdoor vulnerable to SSRF via crafted Webhook URL

A weakness has been identified in Casdoor 2.356.0. This vulnerability affects unknown code of the component Webhook URL Handler. Executing a manipulation can lead to server-side request forgery. The attack can be launched remotely. The vendor was contacted early about this disclosure but did not...

7.2CVSS5.6AI score0.00301EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 3:30 p.m.9 views

Focalboard doesn't validate file ownership when serving uploaded files

UNSUPPORTED WHEN ASSIGNED Focalboard version 8.0 fails to validate file ownership when serving uploaded files. This allows an authenticated attacker who knows a victim's fileID to read the content of the file. NOTE: Focalboard as a standalone product is not maintained and no fix will be issued...

4.3CVSS5.9AI score0.00221EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 3:30 p.m.7 views

Focalboard doesn't sanitize category IDs before incorporating them into dynamic SQL statements

UNSUPPORTED WHEN ASSIGNED Focalboard version 8.0 fails to sanitize category IDs before incorporating them into dynamic SQL statements when reordering categories. An attacker can inject a malicious SQL payload into the category id field, which is stored in the database and later executed unsanitiz...

8.1CVSS5.9AI score0.00309EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 12:31 p.m.7 views

Casdoor vulnerable to Open Redirect

A vulnerability was identified in Casdoor 2.356.0. Affected by this issue is some unknown functionality of the component OAuth Authorization Request Handler. Such manipulation of the argument redirecturi leads to open redirect. It is possible to launch the attack remotely. The exploit is publicly...

6.1CVSS5.5AI score0.00324EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 6:31 a.m.6 views

pymetasploit3 vulnerable to command injection in console.run_module_with_output()

Command injection vulnerability in console.runmodulewithoutput in pymetasploit3 through version 1.0.6 allows attackers to inject newline characters into module options such as RHOSTS. This breaks the intended command structure and causes the Metasploit console to execute additional unintended...

9.8CVSS6.2AI score0.01923EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 6:31 a.m.8 views

Roundcube Webmail: Insufficient HTML attachment sanitization in preview mode

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. XSS exists because of insufficient HTML attachment sanitization in preview mode. A victim must preview a text/html attachment...

6.1CVSS5.9AI score0.00251EPSS
Exploits0References9Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 6:31 a.m.10 views

Roundcube Webmail: Unsanitized IMAP SEARCH command arguments

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsanitized IMAP SEARCH command arguments could lead to IMAP injection or CSRF bypass during mail search...

3.1CVSS5.9AI score0.00283EPSS
Exploits0References9Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 6:31 a.m.64 views

Roundcube Webmail: Unsafe deserialization in the redis/memcache session handler

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsafe deserialization in the redis/memcache session handler may lead to arbitrary file write operations by unauthenticated attackers via crafted session data...

7.5CVSS6AI score0.00475EPSS
Exploits0References10Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 6:31 a.m.8 views

Roundcube Webmail: Insufficient CSS sanitization in HTML e-mail messages

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Insufficient Cascading Style Sheets CSS sanitization in HTML e-mail messages may lead to a fixed-position mitigation bypass via the use of !important...

5.3CVSS5.9AI score0.00366EPSS
Exploits0References9Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 6:31 a.m.8 views

Roundcube Webmail: Incorrect password comparison in the password plugin

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Incorrect password comparison in the password plugin could lead to type confusion that allows a password change without knowing the old password...

4.2CVSS5.9AI score0.00243EPSS
Exploits0References9Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 6:31 a.m.6 views

Roundcube Webmail: Bypass of remote image blocking via SVG content (with animate attributes) in an e-mail message

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via SVG content with animate attributes in an e-mail message. This may lead to information disclosure or access-control bypass...

5.3CVSS5.9AI score0.00402EPSS
Exploits0References9Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 6:31 a.m.6 views

Roundcube Webmail: Remote image blocking feature can be bypassed via SVG content in an e-mail message

An issue was discovered in Roundcube Webmail before 1.5.15 and 1.6.15. The remote image blocking feature can be bypassed via SVG content in an e-mail message. This may lead to information disclosure or access-control bypass. This involves the animate element with attributeName=fill/filter/stroke...

8.2CVSS5.9AI score0.00329EPSS
Exploits0References9Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 6:31 a.m.5 views

Roundcube: Bypass of remote image blocking via crafted BODY background attribute

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via a crafted background attribute of a BODY element in an e-mail message. This may lead to information disclosure or access-control bypass...

5.3CVSS5.9AI score0.00402EPSS
Exploits0References9Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 6:31 a.m.7 views

Roundcube Webmail: Insufficient CSS sanitization in HTML e-mail messages

An issue was discovered in Roundcube Webmail 1.6.0 before 1.6.14. Insufficient Cascading Style Sheets CSS sanitization in HTML e-mail messages may lead to SSRF or Information Disclosure, e.g., if stylesheet links point to local network hosts...

6.5CVSS5.9AI score0.0031EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 6:31 a.m.8 views

Tornado has cookie attribute injection via .RequestHandler.set_cookie

In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.setcookie were not checked for crafted characters...

7.2CVSS5.9AI score0.00237EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 4:8 a.m.9 views

goshs: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs POST multipart upload

Summary POST multipart upload directory not sanitized | httpserver/updown.go:71-174 This finding affect the default configuration, no flags or authentication required. Details File: httpserver/updown.go:71-174 Trigger: POST //upload server.go:49-51 checks HasSuffixr.URL.Path, "/upload" The filena...

9.8CVSS6.1AI score0.00683EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 4:7 a.m.7 views

goshs: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in goshs PUT Upload

Summary PUT upload has no path sanitization | httpserver/updown.go:20-69 This finding affects the default configuration, no flags or authentication required. Details File: httpserver/updown.go:20-69 Trigger: PUT / server.go:57-59 routes directly to put The handler uses req.URL.Path raw to build t...

9.8CVSS6.1AI score0.00683EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 4:7 a.m.6 views

fast-jwt: Cache Confusion via cacheKeyBuilder Collisions Can Return Claims From a Different Token (Identity/Authorization Mixup)

NOTE: While the library exposes a mechanism which could introduce the vulnerability, this issue is created by developer-supplied code and not by the library itself. We will add a warning and some education for users around the possible issues however since the defaults work we will not be updatin...

9.1CVSS6AI score0.00212EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 4:4 a.m.7 views

Signal K Server: Arbitrary Prototype Read via `from` Field Bypass

Summary The /signalk/v1/applicationData/... JSON-patch endpoint allows users to modify stored application data. To prevent Prototype Pollution, the developers implemented an isPrototypePollutionPath guard. However, this guard only checks the path property of incoming JSON-patch objects. It...

6.5CVSS6.5AI score0.00308EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 4:2 a.m.8 views

Antrea has Missing Encryption of Sensitive Data

Impact This is a missing encryption vulnerability CWE-311 affecting inter-Node Pod traffic. In Antrea clusters configured for dual-stack networking with IPsec encryption enabled trafficEncryptionMode: ipsec, Antrea fails to apply encryption for IPv6 Pod traffic. While the IPv4 traffic is correctl...

7.5CVSS5.8AI score0.00121EPSS
Exploits0References7Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 4:0 a.m.7 views

CI4MS: Profile & User Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS

Summary Vulnerability 1: Stored DOM XSS via Profile Name Update Persistent Payload Injection - Stored Cross-Site Scripting via Unsanitized User Name in Profile Management Description The application fails to properly sanitize user-controlled input when users update their profile name e.g., full...

9.4CVSS6AI score0.00297EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 3:57 a.m.7 views

Ajenti has an authorization bypass during custom package installation

Impact An authenticated user using the authusers plugin authentication method could install a custom package even if this user is not superuser. Patches This is fixed in the version 2.2.15. Users should upgrade to this version as soon as possible...

7.2CVSS5.9AI score0.00266EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 3:48 a.m.9 views

Kedro has Arbitrary Code Execution via Malicious Logging Configuration

Impact This is a critical remote code execution RCE vulnerability caused by unsafe use of logging.config.dictConfig with user-controlled input. Kedro allows the logging configuration file path to be set via the KEDROLOGGINGCONFIG environment variable and loads it without validation. The logging...

9.8CVSS6.7AI score0.00714EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 3:47 a.m.15 views

OpenSTAManager: SQL Injection via Aggiornamenti Module

Description The Aggiornamenti Updates module in OpenSTAManager query'SET FOREIGNKEYCHECKS=0'; // Line 69: FK checks DISABLED $errors = ; $executed = 0; foreach $queries as $query try $dbo-query$query; // Line 76: DIRECT EXECUTION ++$executed; catch Exception $e $errors = $query.' - '.$e-getMessag...

8.8CVSS6.5AI score0.00668EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 3:46 a.m.7 views

Kedro: Path Traversal in versioned dataset loading via unsanitized version string

Impact The getversionedpath method in kedro/io/core.py constructs filesystem paths by directly interpolating user-supplied version strings without sanitization. Because version strings are used as path components, traversal sequences such as ../ are preserved and can escape the intended versioned...

8.1CVSS5.9AI score0.00327EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 3:46 a.m.36 views

DOMPurify ADD_ATTR predicate skips URI validation

Summary DOMPurify allows ADDATTR to be provided as a predicate function via EXTRAELEMENTHANDLING.attributeCheck. When the predicate returns true, isValidAttribute short-circuits the attribute check before URI-safe validation runs. An attacker who supplies a predicate that accepts specific...

5.9AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 3:45 a.m.51 views

DOMPurify USE_PROFILES prototype pollution allows event handlers

Summary When USEPROFILES is enabled, DOMPurify rebuilds ALLOWEDATTR as a plain array before populating it with the requested allowlists. Because the sanitizer still looks up attributes via ALLOWEDATTRlcName, any Array.prototype property that is polluted also counts as an allowlisted attribute. An...

5.9AI score
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 3:44 a.m.8 views

D-Tale: Remote Code Execution through redis/shelf storage

Impact Users hosting D-Tale publicly while using a redis or shelf storage layer could be vulnerable to remote code execution allowing attackers to run malicious code on the server. Patches Users should upgrade to version 3.22.0. Workarounds There are no workarounds for versions 3.22.0...

9.8CVSS6.5AI score0.00622EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 3:44 a.m.30 views

Auth0 Symfony SDK has Insufficient Entropy in Cookie Encryption

Impact In applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient entropy, which may result in threat actors brute-forcing the encryption key and forging session cookies. Am I Affected? Consumers are affected if their application meets the following preconditions: - It...

5.9AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 3:43 a.m.48 views

Auth0 WordPress Plugin has Insufficient Entropy in Cookie Encryption

Impact In applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient entropy, which may result in threat actors brute-forcing the encryption key and forging session cookies. Am I Affected? Consumers are affected if their application meets the following preconditions: - It ...

5.9AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 3:41 a.m.10 views

Auth0 laravel-auth0 SDK has Insufficient Entropy in Cookie Encryption

Impact In applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient entropy, which may result in threat actors brute-forcing the encryption key and forging session cookies. Am I Affected? You are affected if you meet the following preconditions: - Applications using...

5.9AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 3:40 a.m.4 views

wisp has Allocation of Resources Without Limits or Throttling

Summary A multipart form parsing bug allows any unauthenticated user to bypass configured request size limits and trigger a denial of service by exhausting server memory or disk. Details The issue is in the multipart parsing logic, specifically in multipartbody and multipartheaders. When parsing...

8.7CVSS5.9AI score0.00622EPSS
Exploits0References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 3:39 a.m.7 views

Swift Crypto: X-Wing HPKE Decapsulation Accepts Malformed Ciphertext Length

Summary The X-Wing decapsulation path accepts attacker-controlled encapsulated ciphertext bytes without enforcing the required fixed ciphertext length. The decapsulation call is forwarded into a C API, which expects a compile-time fixed-size ciphertext buffer of 1120 bytes. This creates an FFI...

7.5CVSS6.2AI score0.00472EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 3:33 a.m.5 views

Ech0: Unauthenticated SSRF in GetWebsiteTitle allows access to internal services and cloud metadata

Summary The GET /api/website/title endpoint accepts an arbitrary URL via the websiteurl query parameter and makes a server-side HTTP request to it without any validation of the target host or IP address. The endpoint requires no authentication. An attacker can use this to reach internal network...

7.2CVSS6AI score0.00289EPSS
Exploits2References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 3:30 a.m.5 views

Ech0 has Unauthenticated Server-Side Request Forgery in Website Preview Feature

Summary Ech0 implements link preview editor fetches a page title through GET /api/website/title. That is legitimate product behavior, but the implementation is unsafe: the route is unauthenticated, accepts a fully attacker-controlled URL, performs a server-side GET, reads the entire response body...

7.5CVSS5.8AI score0.00327EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 3:29 a.m.26 views

Better Auth Has Two-Factor Authentication Bypass via Premature Session Caching (session.cookieCache)

Summary Under certain configurations, sessions may be considered valid before two-factor authentication 2FA is fully completed. This can allow access to authenticated routes without verifying the second factor. --- Description When two-factor authentication is enabled, the authentication flow...

5.9AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 3:28 a.m.15 views

Go JOSE Panics in JWE decryption

Impact Decrypting a JSON Web Encryption JWE object will panic if the alg field indicates a key wrapping algorithm one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW and the encryptedkey field is empty. The panic happens when cipher.KeyUnwrap in keywrap.go attempts to...

7.5CVSS6AI score0.00651EPSS
Exploits0References4Affected Software3
Github Security Blog
Github Security Blog
added 2026/04/03 3:27 a.m.6 views

OpenClaw: Discord voice ingress authorization can be bypassed via channel, name, and stale-role validation gaps

Summary Discord voice ingress authorization can be bypassed via channel, name, and stale-role validation gaps Current Maintainer Triage - Status: narrow - Assessment: Real in shipped v2026.3.28 Discord voice ingress, but impact is channel/member allowlist bypass rather than a broader critical aut...

5.4CVSS5.8AI score0.00222EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/03 3:26 a.m.4 views

OpenClaw: Discord Component Interaction Misclassifies Group DM as Direct Message

Summary Discord Component Interaction Misclassifies Group DM as Direct Message Current Maintainer Triage - Status: narrow - Normalized severity: low - Assessment: Real on shipped v2026.3.24 component-interaction routing/auth in extensions/discord/src/monitor/agent-components-helpers.ts, but impac...

5.4CVSS5.9AI score0.00125EPSS
Exploits0References6Affected Software1
Total number of security vulnerabilities33181