1489 matches found
Improper Verification of Cryptographic Signature in aws-encryption-sdk-javascript
This advisory addresses several LOW severity issues with streaming signed messages and restricting processing of certain types of invalid messages. This ESDK supports a streaming mode where callers may stream the plaintext of signed messages before the ECDSA signature is validated...
Improper Verification of Cryptographic Signature in aws-encryption-sdk-java
This advisory addresses several LOW severity issues with streaming signed messages and restricting processing of certain types of invalid messages...
Listing of upload directory contents possible
There's a security issue in prosody-filer version 1.0.1 which leads to unwanted directory listings of download directories. An attacker is able to list previous uploads of a certain user by shortening the URL and accessing a URL subdirectory other than /upload/ or the corresponding user-defined...
RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be
A security-sensitive bug was discovered by Open Source Developer Erik Sundell of Sundell Open Source Consulting AB. The functions RandomAlphaNumeric(int) and CryptoRandomAlphaNumeric(int) are not as random as they should be...
Information Exposure
Actions Http-Client can disclose Authorization headers to an incorrect domain in certain redirect scenarios. The conditions in which this happens are if consumers of the http-client: make an HTTP request with an Authorization header; that request leads to a redirect (302); the redirect URL redirects to...
Incorrect header injection check
amphp/http isn't properly protected against HTTP header injection...
Padding Oracle Vulnerability in RSA Encryption
Padding Oracle Vulnerability in RSA Encryption...
Remote code execution and potential Denial of Service Vulnerability
Activeresource contains a format string flaw in the request function of lib/activeresource/connection.rb. The issue is triggered as format string specifiers (e.g. %s and %x) are not properly sanitized in user-supplied input when passed via the result.code and result.message variables. This may allo...
Crawl4AI: Unauthenticated SSRF on the Docker server streaming crawl path (/crawl/stream)
The Docker API server applied its SSRF destination check validateurldestination on the non-streaming /crawl path but not on the streaming path. handlestreamcrawlrequest passed seed URLs straight to the crawler with no destination validation. A remote, unauthenticated client could call POST...
Sparkle: Binary delta apply intermediate-symlink traversal in malicious .delta
Binary delta apply intermediate-symlink traversal in malicious .delta. Autoupdate/SUBinaryDeltaApply.m enforces [relativePath.pathComponents containsObject:@".."] and rejects writes whose immediate parent directory is itself a symbolic link, but does not detect symlinks deeper in the relative path...
CC-Tweaked has an SSRF Protection Bypass with NAT64
CC-Tweaked's HTTP API (http.request, http.websocket) blocks requests to private network ranges to prevent server-side request forgery (SSRF). This protection can be bypassed on IPv6-capable servers using NAT64 well-known prefix addresses (64:ff9b::/96). An attacker who can execute Lua code can reach an...
apko doesn't verify downloaded apk packages against APKINDEX checksum (package substitution possible)
apko verifies the signature on APKINDEX.tar.gz but never compares individually downloaded .apk packages against the checksum recorded in the signed index. The checksum is parsed and available via ChecksumString, and the downloaded package control hash is computed, but the two values are never...
Vikunja has Path Traversal in CLI Restore
Path Traversal (Zip Slip) and Denial of Service (DoS) vulnerability discovered in the Vikunja CLI's restore functionality...
Duplicate
This advisory duplicates another...
DragonFly vulnerable to panics due to nil pointer dereference when using variables created alongside an error
We found two instances in the DragonFly codebase where the first return value of a function is dereferenced even when the function returns an error (figures 9.1 and 9.2). This can result in a nil dereference and cause code to panic. The codebase may contain additional instances of the bug. golang...
melange's world-writable permissions expose SBOM files to potential image tampering
It was discovered that the SBOM files generated by melange in apks had file system permissions mode 666: $ apkrane ls https://packages.wolfi.dev/os/x86_64/APKINDEX.tar.gz -P hello-wolfi --full --latest | xargs wget -q -O - | tar tzv 2>/dev/null var/lib/db/sbom drwxr-xr-x root/root 0 2025-06-23 14:1...
Apache ActiveMQ NMS OpenWire Client Deserialization of Untrusted Data vulnerability
Deserialization of Untrusted Data vulnerability in Apache ActiveMQ NMS OpenWire Client. This issue affects Apache ActiveMQ NMS OpenWire Client before 2.1.1 when performing connections to untrusted servers. Such servers could abuse the unbounded deserialization in the client to provide malicious...
H2O Vulnerable to Denial of Service (DoS) via `HEAD` Request
A vulnerability in the typeahead endpoint of h2oai/h2o-3 version 3.46.0 allows for a denial of service. The endpoint performs a HEAD request to verify the existence of a specified resource without setting a timeout. An attacker can exploit this by sending multiple requests to an attacker-controll...
H2O Vulnerable to Denial of Service (DoS) and File Write
In h2oai/h2o-3 version 3.46.0.1, the runtool command exposes classes in the water.tools package through the ast parser. This includes the XGBoostLibExtractTool class, which can be exploited to shut down the server and write large files to arbitrary directories, leading to a denial of service...
Flask-AppBuilder Observable Response Discrepancy
User enumeration in database authentication in Flask-AppBuilder <= 3.0.0. Allows a non-authenticated user to enumerate existing usernames by timing the response time from the server when brute-forcing login requests...
JWK Set's HTTP client only overwrites and appends JWK to local cache during refresh
The project's provided HTTP client's local JWK Set cache should do a full replacement when the goroutine refreshes the remote JWK Set. The current behavior is to overwrite or append. This is a security issue for use cases that utilize the provided auto-caching HTTP client and where key removal fr...
wasm3 uncontrolled memory allocation vulnerability
wasm3 at commit 139076a contains a memory leak in the Read_utf8 function...
Aimeos denial of service vulnerability in SaaS and marketplace setups
All SaaS and marketplace setups using Aimeos versions from 2022, 2023 or 2024 are affected by a potential denial of service attack...
ADOdb SQL injection vulnerability
The ADOdb Library for PHP prior to version 5.20.11 is prone to SQL Injection vulnerability in multiple drivers...
easyadmin-extension-bundle action case insensitivity
In alterphp/easyadmin-extension-bundle, role-based access rules do not handle action name case sensitivity, which may lead to unauthorized access...
Path traversal in ZIPFoundation
An issue in ZIPFoundation v0.9.16 allows attackers to execute a path traversal via extracting a crafted zip file...
Cross site scripting in ameos_tarteaucitron
The ameos_tarteaucitron (aka AMEOS - TarteAuCitron GDPR cookie banner and tracking management / French RGPD compatible) extension before 1.2.23 for TYPO3 allows XSS...
Gitea XSS Vulnerability in Repository Description
Gitea 1.7.2, 1.7.3 is affected by: Cross Site Scripting (XSS). The impact is: execute JavaScript in the victim's browser when the vulnerable repo page is loaded. The component is: repository's description. The attack vector is: victim must navigate to the public and affected repo page...
cnlh nps vulnerable to file overwrite by local user
lib/install/install.go in cnlh nps prior to 0.23.2 uses 0777 permissions for /usr/local/bin/nps and/or /usr/bin/nps, leading to a file overwrite by a local user...
SwiftNIO SSL arbitrary code execution vulnerability
A SwiftNIO application using TLS may be able to execute arbitrary code. The issue was addressed by signaling that an executable stack is not required. This issue is fixed in SwiftNIO SSL 2.4.1...
Django Arbitrary Code Execution
bin/compile-messages.py in Django 0.95 does not quote argument strings before invoking the msgfmt program through the os.system function, which allows attackers to execute arbitrary commands via shell metacharacters in a (1) .po or (2) .mo file...
Execution with Unnecessary Privileges in arc-electron
When the end-user clicks on a response header that contains a link, the target is opened in a new ARC window. This window has the default preload script loaded, which allows the scripts embedded in the link target to execute any logic that ARC has access to from the renderer process, whic...
Duplicate advisory: swift-nio-http2 vulnerable to denial of service via mishandled HPACK variable length integer encoding
Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-w3f6-pc54-gfw7. This link is maintained to preserve external references. Original Description: A program using swift-nio-http2 is vulnerable to a denial of service attack, caused by a network peer sending a...
Argo Server TLS requests could be forged by attacker with network access
Impact: We are not aware of any exploits. This is a pro-active fix. Impacted: You are running Argo Server >= v3.0 with --secure unspecified (note - running in secure mode is recommended regardless). The attacker is within your network. If you expose Argo Server to the Internet then "your network" is...
RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be
A security-sensitive bug was discovered by Open Source Developer Erik Sundell of Sundell Open Source Consulting AB. The functions RandomAlphaNumeric(int) and CryptoRandomAlphaNumeric(int) are not as random as they should be. Small values of int in the functions above will return a smaller subset of...
Path Traversal
626 includes a path traversal vulnerability. It allows reading arbitrary files from the remote server...
Directory Traversal
360class.jansenhm is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL...
Directory Traversal
11xiaoli is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the URL...
Cookie leakage to wrong origins and non-restricted cookie acceptance
Cookie leakage to wrong origins and non-restricted cookie acceptance...
Incomplete List of Disallowed Inputs
A flaw in the iptype function is triggered when handling octal encoding. This may allow a remote attacker to bypass the IP exclusion feature...
@acastellon/auth: Authentication bypass via spoofable headers in validateToken()
@acastellon/auth v2.2.0 appears to allow an unauthenticated authentication bypass in validateToken through spoofable auth-user and Host request headers. The validateToken middleware contains a service-to-service bypass for auth-user: service-brother when req.get('host').startsWith(getHostName()). Both...
Crawl4AI: Arbitrary file write (path traversal) in crawler downloads can lead to RCE
When the crawler saves a downloaded file, the destination filename was taken from attacker-influenced input and joined to the downloads directory with no confinement. A filename containing an absolute path (e.g. /etc/cron.d/evil) or ../ traversal escaped the downloads directory, giving an arbitrary...
HAPI FHIR: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint
All implementations of FHIRPathEngine accept arbitrary FHIRPath expressions and evaluate them without input validation. The FHIRPath functions matches, matchesFull, and replaceMatches pass user-controlled regular expressions directly to Java's Pattern.compile and String.replaceAll without...
Nginx-UI: Unauthenticated first-boot instance claim via POST /api/install allows remote bootstrap takeover
An unauthenticated bootstrap takeover exists in nginx-ui during the initial installation window exposed by POST /api/install. When the instance is still uninitialized, POST /api/install is reachable without authentication and accepts attacker-controlled bootstrap data. The handler sets the...
Nginx-UI has Server-Side Request Forgery (SSRF) via Cluster Proxy Middleware that Allows Access to Internal Services
An authenticated user can perform Server-Side Request Forgery (SSRF) by creating a cluster node pointing to an arbitrary internal URL and then sending API requests with the X-Node-ID header. The Proxy middleware forwards these requests to the attacker-specified internal address, bypassing network...
Nginx Configuration Directory Vulnerable to Recursive Deletion via Improper Path Validation
The nginx-ui configuration improperly handles URL-encoded traversal sequences. When specially crafted paths are supplied, the backend resolves them to the base Nginx configuration directory and executes the operation on the base directory (/etc/nginx). In particular, this allows an authenticated us...