1518 matches found
1Panel IP Access Control Bypass via Untrusted X-Forwarded-For Headers
The server trusts all reverse-proxy headers by default, so any remote client can spoof X-Forwarded-For to bypass IP-based protections AllowIPs, API IP whitelist, “localhost-only” checks. All IP-based access control becomes ineffective...
yawkat LZ4 Java has a possible information leak in Java safe decompressor
Insufficient clearing of the output buffer in Java-based decompressor implementations in lz4-java 1.10.0 and earlier allows remote attackers to read previous buffer contents via crafted compressed input. In applications where the output buffer is reused without being cleared, this may lead to...
Aimeos GrapesJS CMS extension has possible stored XSS that's exploitable by authenticated editors
Javascript code can be injected by malicious editors for a stored XSS attack if the standard Content Security Policy is disabled...
@accordproject/concerto-linter contains malware after npm account takeover
On November 24th 2025, a new supply chain attack called Shai-Hulud 2.0 was launched. This package contains the malicious code that attempts to harvest credentials and infect GitHub and npm repositories. The malicious software executes during the pre-install phase and attempts to harvest credentia...
@actbase/react-native-actionsheet contains malware after npm account takeover
On November 24th 2025, a new supply chain attack called Shai-Hulud 2.0 was launched. This package contains the malicious code that attempts to harvest credentials and infect GitHub and npm repositories. The malicious software executes during the pre-install phase and attempts to harvest credentia...
ExecuTorch integer overflow vulnerability
An integer overflow vulnerability in the loading of ExecuTorch models can cause objects to be placed outside their allocated memory area, potentially resulting in code execution or other undesirable effects. This issue affects ExecuTorch prior to commit 0830af8207240df8d7f35b984cdf8bc35d74fa73...
ExecuTorch vulnerable to Heap-based Buffer Overflow
A group of related buffer overflow vulnerabilities in the loading of ExecuTorch models can cause the runtime to crash and potentially result in code execution or other undesirable effects. This issue affects ExecuTorch prior to commit cea9b23aa8ff78aff92829a466da97461cc7930c...
Alchemy Non-SMA and Webauthn Account Security Advisory
A potential security issue has been mitigated on old account deployment functions from the factory. Smart wallets in use on all existing supported networks are not impacted...
ExecuTorch vulnerable to Heap-based Buffer Overflow attack
A heap-buffer-overflow vulnerability in the loading of ExecuTorch methods can cause the runtime to crash and potentially result in code execution or other undesirable effects. This issue affects ExecuTorch prior to commit 93b1a0c15f7eda49b2bc46b5b4c49557b4e9810f...
ExecuTorch vulnerable to Heap-based Buffer Overflow attack
A heap-buffer-overflow vulnerability in the loading of ExecuTorch methods can cause the runtime to crash and potentially result in code execution or other undesirable effects. This issue affects ExecuTorch prior to commit 93b1a0c15f7eda49b2bc46b5b4c49557b4e9810f...
shared_preferences_android vulnerability
Due to some data types not being natively representable for the available storage options, sharedpreferencesandroid serializes and deserializes special string prefixes to store these unrepresentable data types. This allows arbitrary classes to be deserialized leading to arbitrary code execution. ...
Duplicate Advisory: NVIDIA Container Toolkit allows specially crafted container image to create empty files on the host file system
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-f748-7hpg-88ch. This link is maintained to preserve external references. Original Description NVIDIA Container Toolkit 1.16.1 or earlier contains a vulnerability in the default mode of operation allowing a...
Leak in Aliyun KeySecret
Users of this library will be affected when using this library, the incoming secret will be disclosed unintentionally...
Duplicate Advisory: Improper Neutralization of CRLF Sequences in dio
Duplicate advisory This advisory has been withdrawn because it is a duplicate of GHSA-9324-jv53-9cc8. This link is maintained to preserve external references. Original Description The dio package prior to 5.0.0 for Dart allows CRLF injection if the attacker controls the HTTP method string, a...
Use of Uninitialized Resource in acc_reader.
An issue was discovered in the accreader crate through 2020-12-27 for Rust. fillbuf may read from uninitialized memory locations...
Double free in algorithmica
An issue was discovered in the algorithmica crate through 2021-03-07 for Rust. In the affected versions of this crate, mergesort::merge wildly duplicates and drops ownership of T without guarding against double-free. Due to such implementation, simply invoking mergesort::merge on Vec can cause...
melange: Incomplete package integrity verification allows data section substitution
Previously, Apko verified the control section hash .PKGINFO etc. against the signed APKINDEX, but never verified the data section hash the actual package files that get installed. An attacker who could compromise a mirror, poison a cache, or MITM a package fetch could substitute arbitrary file...
org.hl7.fhir.core: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint
All implementations of FHIRPathEngine accept arbitrary FHIRPath expressions and evaluate them without input validation. The utility intended to secure this evaluation did so incorrectly, and did not fully cover all places in which evaluation was being done. An attacker can send a resource...
org.hl7.fhir.core: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint
All implementations of FHIRPathEngine accept arbitrary FHIRPath expressions and evaluate them without input validation. The utility intended to secure this evaluation did so incorrectly, and did not fully cover all places in which evaluation was being done. An attacker can send a resource...
org.hl7.fhir.core: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint
All implementations of FHIRPathEngine accept arbitrary FHIRPath expressions and evaluate them without input validation. The utility intended to secure this evaluation did so incorrectly, and did not fully cover all places in which evaluation was being done. An attacker can send a resource...
@aborruso/ckan-mcp-server: SSRF via base_url allows access to internal networks (Potential fix bypass of CVE-2026-33060)
A known vulnerability CVE-2026-33060 indicated tools including ckanpackagesearch and sparqlquery that accept a baseurl parameter had the risk of making HTTP requests to arbitrary endpoints without restriction. A fix was applied to filter out ip addresses. However, a method to bypass exists...
9router: Login brute-force protection bypass via spoofed X-Forwarded-For header
The 9router dashboard login rate limiter derives the client identity from the attacker-controlled X-Forwarded-For HTTP header. When 9router is directly exposed, or deployed behind a reverse proxy that does not overwrite untrusted forwarding headers, a remote attacker can rotate the X-Forwarded-Fo...
Aimeos Pagible CMS vulnerable to Server Side Request Forgery (SSRF) via DNS rebinding in admin proxy
The administrative proxy route cmsproxy in Aimeos Pagible CMS is vulnerable to a Server-Side Request Forgery SSRF attack via DNS Rebinding. A Time-of-Check to Time-of-Use TOCTOU race condition exists between the URL validation phase and the actual HTTP request phase, allowing attackers to access...
Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect
When a user account is disabled or locked, the status check is only enforced on the local login and JWT token refresh paths. Three other authentication paths — API tokens, CalDAV basic auth, and OpenID Connect — do not verify user status, allowing disabled or locked users to continue accessing th...
Admidio has a Second-Order SQL Injection via List Configuration (lsc_special_field, lsc_sort, lsc_filter)
The MyList configuration feature in Admidio allows authenticated users to define custom list column layouts. User-supplied column names, sort directions, and filter conditions are stored in the admlistcolumns table via prepared statements safe storage, but are later read back and interpolated...
Leaf-kit html escaping does not work on characters that are part of extended grapheme cluster
htmlEscaped in leaf-kit will only escape html special characters if the extended grapheme clusters match, which allows bypassing escaping by using an extended grapheme cluster containing both the special html character and some additional characters. In the case of html attributes, this can lead ...
AWS SDK for Swift adopted defense in depth enhancement for region parameter value
CVSSv3.1 Rating: 3.7 LOW Summary This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. A defense-in-depth enhancement h...
@actbase/react-native-devtools contains malware after npm account takeover
On November 24th 2025, a new supply chain attack called Shai-Hulud 2.0 was launched. This package contains the malicious code that attempts to harvest credentials and infect GitHub and npm repositories. The malicious software executes during the pre-install phase and attempts to harvest credentia...
ExecuTorch out-of-bounds access vulnerability
An out-of-bounds access vulnerability in the loading of ExecuTorch models can cause the runtime to crash and potentially result in code execution or other undesirable effects. This issue affects ExecuTorch prior to commit fb03b6f85596a8f954d97929075335255b6a58d4...
Duplicate
This advisory duplicates another...
Duplicate Advisory: Consensys gnark-crypto allows Signature Malleability
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-fr8m-434r-g3xp. This link is maintained to preserve external references. Original Description Consensys gnark-crypto through 0.11.2 allows Signature Malleability. This occurs because deserialisation of EdDSA and...
http before 0.13.3 vulnerable to header injection
An issue was discovered in the http package before 0.13.3 for Dart. If the attacker controls the HTTP method and the app is using Request directly, it's possible to achieve CRLF injection in an HTTP request via HTTP header injection. This issue has been addressed in commit abb2bb182 by validating...
Active Record component in Ruby on Rails has a data-type injection vulnerability
The Active Record component in Ruby on Rails 2.3.x, 3.0.x, 3.1.x, and 3.2.x does not ensure that the declared data type of a database column is used during comparisons of input values to stored values in that column, which makes it easier for remote attackers to conduct data-type injection attack...
Insecure Temporary File in SWHKD
SWHKD is a display protocol-independent hotkey daemon made in Rust. In SWHKD versions 1.1.5 and prior, SWHKD uses the /tmp/swhkd.pid pathname. As /tmp is accessible to all users, there can be an information leak or denial of service. No known workarounds exist. A patch is available on the 1.1.0...
Data Loss/Denial of Service in SWHKD
SWHKD 1.1.5 unsafely uses the /tmp/swhks.pid pathname. There can be data loss or a denial of service. A patch is available on the 1.1.0 branch of the repository...
Use after free in actix-utils
An issue was discovered in the actix-utils crate before 2.0.0 for Rust. The Cell implementation allows obtaining more than one mutable reference to the same data...
DIRAC: SQL injection and lack of access control in PilotManager service
Details A number of the functions in PilotManager pass parameters directly through to the database layer, which then does not do any escaping on the parameters. For example setPilotStatus:...
DIRAC is vulnerable to RCE in RequestManager due to eval on untrusted input
An remote code execution vulnerability exists in RequestManager due to the use of eval on untrusted input that allows any authenticated user to run code/commands on the DIRAC server as the system user running the DIRAC services...
DIRAC: Pilot code downloaded over unverified HTTPS connection
The second stage pilot pilot.tar is downloaded by the initial wrapper script without any verification of the webservers' SSL certificate and the contained script is subsequently executed. The checksum is tested, but the reference checksum file is downloaded over the same unvalidated channel...
melange: Incomplete package integrity verification allows data section substitution
Previously, Apko verified the control section hash .PKGINFO etc. against the signed APKINDEX, but never verified the data section hash the actual package files that get installed. An attacker who could compromise a mirror, poison a cache, or MITM a package fetch could substitute arbitrary file...
Joro: Unauthenticated Cross-Origin Plugin Upload Leads to RCE
Joro's default proxy mode in versions = 1.1.0 exposes a local API on 127.0.0.1:9090 that performs no authentication and applies a wildcard CORS policy. Because plugin uploads use the CORS-safelisted multipart/form-data content type, cross-origin JavaScript on any page the operator visits can reac...
Logback vulnerable to Object Injection through HardenedObjectInputStream modules
Deserialization of untrusted data vulnerability in QOS.CH Sarl logback logback-core HardenedObjectInputStream logback-core modules allows Object Injection, albeit heavily restricted. More precisely, an attacker able to influence serialized data sent to SimpleSocketServer or SimpleSSLSocketServer...
nginx-ui Vulnerable to DoS via Negative Integer Input in Logrotate Interval
An input validation vulnerability in the logrotate configuration allows an authenticated user to cause a complete Denial of Service DoS. By submitting a negative integer for the rotation interval, the backend enters an infinite loop or an invalid state, rendering the web interface unresponsive...
ExecuTorch integer overflow vulnerability
An integer overflow vulnerability in the loading of ExecuTorch models can cause overlapping allocations, potentially resulting in code execution or other undesirable effects. This issue affects ExecuTorch prior to commit d158236b1dc84539c1b16843bc74054c9dcba006...
ExecuTorch heap buffer overflow vulnerability
A heap buffer overflow vulnerability in the loading of ExecuTorch models can potentially result in code execution or other undesirable effects. This issue affects ExecuTorch prior to commit ede82493dae6d2d43f8c424e7be4721abe5242be...
wasmvm: Malicious smart contract can crash the chain
CWA-2025-001 Severity Medium Moderate + Likely^1 Affected versions: - wasmvm = 2.2.0, = 2.1.0, = 2.0.0, 2.0.6 - wasmvm 1.5.8 Patched versions: - wasmvm 1.5.8, 2.0.6, 2.1.5, 2.2.2 Description of the bug The vulnerability can be used to crash the chain. The underlying bug that causes this is presen...
Missing connection timeout in Aardvark-dns
A flaw was found in Aardvark-dns versions 1.12.0 and 1.12.1. They contain a denial of service vulnerability due to serial processing of TCP DNS queries. This flaw allows a malicious client to keep a TCP connection open indefinitely, causing other DNS queries to time out and resulting in a denial ...
Filename spoofing in archive
An issue in Archive v3.3.7 allows attackers to spoof zip filenames which can lead to inconsistent filename parsing...
Path traversal in Archive
An issue in Archive v3.3.7 allows attackers to execute a path traversal via extracting a crafted zip file...
`Read` on uninitialized buffer in `fill_buf()` and `read_up_to()`
Affected versions of this crate passes an uninitialized buffer to a user-provided Read implementation. Arbitrary Read implementations can read from the uninitialized buffer memory exposure and also can return incorrect number of bytes written to the buffer. Reading from uninitialized memory...