Lucene search
K
GitlabRecent

1518 matches found

GitLab Advisory Database
GitLab Advisory Database
added 2026/06/04 12:0 a.m.11 views

AdGuard Home: DoQ-to-UDP State Reduction and Source-Port Oracle

This report covers the client-triggered DoQ forwarding path in: - dnsproxy v0.81.2 adguard/dnsproxy:v0.81.2 - AdGuard Home v0.107.74 adguard/adguardhome:latest, image version label v0.107.74 The issue was reproduced on 2026-04-25 with the products configured through their documented DoQ listener...

5.8AI score0.00047EPSS
Exploits0References4Affected Software1
GitLab Advisory Database
GitLab Advisory Database
added 2026/06/01 12:0 a.m.5 views

Logback vulnerable to Object Injection through HardenedObjectInputStream modules

Deserialization of untrusted data vulnerability in QOS.CH Sarl logback logback-core HardenedObjectInputStream logback-core modules allows Object Injection, albeit heavily restricted. More precisely, an attacker able to influence serialized data sent to SimpleSocketServer or SimpleSSLSocketServer...

6.3CVSS6.6AI score0.00342EPSS
Exploits0References4
GitLab Advisory Database
GitLab Advisory Database
added 2026/05/29 12:0 a.m.15 views

CC-Tweaked has an SSRF Protection Bypass with NAT64

CC-Tweaked's HTTP API http.request, http.websocket blocks requests to private network ranges to prevent server-side request forgery SSRF. This protection can be bypassed on IPv6-capable servers using NAT64 well-known prefix addresses 64:ff9b::/96. An attacker who can execute Lua code can reach an...

5.9AI score0.00054EPSS
Exploits0References3
GitLab Advisory Database
GitLab Advisory Database
added 2026/05/29 12:0 a.m.27 views

CC-Tweaked has an SSRF Protection Bypass with NAT64

CC-Tweaked's HTTP API http.request, http.websocket blocks requests to private network ranges to prevent server-side request forgery SSRF. This protection can be bypassed on IPv6-capable servers using NAT64 well-known prefix addresses 64:ff9b::/96. An attacker who can execute Lua code can reach an...

5.9AI score0.00054EPSS
Exploits0References3
GitLab Advisory Database
GitLab Advisory Database
added 2026/05/29 12:0 a.m.13 views

CC-Tweaked has an SSRF Protection Bypass with NAT64

CC-Tweaked's HTTP API http.request, http.websocket blocks requests to private network ranges to prevent server-side request forgery SSRF. This protection can be bypassed on IPv6-capable servers using NAT64 well-known prefix addresses 64:ff9b::/96. An attacker who can execute Lua code can reach an...

5.9AI score0.00054EPSS
Exploits0References3
GitLab Advisory Database
GitLab Advisory Database
added 2026/05/29 12:0 a.m.11 views

CC-Tweaked has an SSRF Protection Bypass with NAT64

CC-Tweaked's HTTP API http.request, http.websocket blocks requests to private network ranges to prevent server-side request forgery SSRF. This protection can be bypassed on IPv6-capable servers using NAT64 well-known prefix addresses 64:ff9b::/96. An attacker who can execute Lua code can reach an...

5.9AI score0.00054EPSS
Exploits0References3
GitLab Advisory Database
GitLab Advisory Database
added 2026/05/29 12:0 a.m.40 views

CC-Tweaked has an SSRF Protection Bypass with NAT64

CC-Tweaked's HTTP API http.request, http.websocket blocks requests to private network ranges to prevent server-side request forgery SSRF. This protection can be bypassed on IPv6-capable servers using NAT64 well-known prefix addresses 64:ff9b::/96. An attacker who can execute Lua code can reach an...

5.9AI score0.00054EPSS
Exploits0References3
GitLab Advisory Database
GitLab Advisory Database
added 2026/05/29 12:0 a.m.28 views

CC-Tweaked has an SSRF Protection Bypass with NAT64

CC-Tweaked's HTTP API http.request, http.websocket blocks requests to private network ranges to prevent server-side request forgery SSRF. This protection can be bypassed on IPv6-capable servers using NAT64 well-known prefix addresses 64:ff9b::/96. An attacker who can execute Lua code can reach an...

5.9AI score0.00054EPSS
Exploits0References3
GitLab Advisory Database
GitLab Advisory Database
added 2026/05/29 12:0 a.m.51 views

CC-Tweaked has an SSRF Protection Bypass with NAT64

CC-Tweaked's HTTP API http.request, http.websocket blocks requests to private network ranges to prevent server-side request forgery SSRF. This protection can be bypassed on IPv6-capable servers using NAT64 well-known prefix addresses 64:ff9b::/96. An attacker who can execute Lua code can reach an...

5.9AI score0.00054EPSS
Exploits0References3
GitLab Advisory Database
GitLab Advisory Database
added 2026/05/29 12:0 a.m.14 views

Sparkle: Binary delta apply intermediate-symlink traversal in malicious .delta

Binary delta apply intermediate-symlink traversal in malicious .delta Autoupdate/SUBinaryDeltaApply.m enforces relativePath.pathComponents containsObject:@".." and rejects writes whose immediate parent directory IS itself a symbolic link, but does not detect symlinks deeper in the relative path...

5.9AI score0.00029EPSS
Exploits0References3Affected Software1
GitLab Advisory Database
GitLab Advisory Database
added 2026/05/29 12:0 a.m.19 views

Sparkle's AppInstaller post-stage-1 XPC listener accepts unvalidated connections, allowing spoofed appcast item data injection

AppInstaller post-stage-1 XPC listener accepts unvalidated connections, allowing spoofed appcast item data injection...

5.8AI score0.00014EPSS
Exploits0References3Affected Software1
GitLab Advisory Database
GitLab Advisory Database
added 2026/05/29 12:0 a.m.18 views

CC-Tweaked has an SSRF Protection Bypass with NAT64

CC-Tweaked's HTTP API http.request, http.websocket blocks requests to private network ranges to prevent server-side request forgery SSRF. This protection can be bypassed on IPv6-capable servers using NAT64 well-known prefix addresses 64:ff9b::/96. An attacker who can execute Lua code can reach an...

5.9AI score0.00054EPSS
Exploits0References3
GitLab Advisory Database
GitLab Advisory Database
added 2026/05/28 12:0 a.m.8 views

QOS.CH Sarl logback logback-core has a deserialization of untrusted data vulnerability

Deserialization of untrusted data vulnerability in QOS.CH Sarl logback logback-core HardenedObjectInputStream logback-core modules allows Object Injection albeit heavily restricted. More precisely, an attacker able to influence serialized data sent to SimpleSocketServer or SimpleSSLSocketServer c...

6.3CVSS6.4AI score0.0037EPSS
Exploits0References3
GitLab Advisory Database
GitLab Advisory Database
added 2026/05/22 12:0 a.m.10 views

Flask-Security-Too OAuth reauthentication freshness bypass via cross- user OAuth identity acceptance

Flask-Security-Too 5.8.0's OAuth reauthentication flow can mark a session as fresh after verifying an OAuth account that belongs to a different user. If an attacker can operate an already-authenticated but stale victim session, they can complete OAuth verification using their own OAuth identity...

5.8AI score0.00035EPSS
Exploits0References3Affected Software1
GitLab Advisory Database
GitLab Advisory Database
added 2026/05/19 12:0 a.m.11 views

9router: Unauthenticated Remote Code Execution via unprotected MCP custom plugin routes

9router exposes two unauthenticated API endpoints that, when chained together, allow any network-adjacent attacker to execute arbitrary OS commands as the user running the 9router process — with zero prerequisites and no credentials required. The vulnerability exists because the Next.js middlewar...

6.1AI score0.00147EPSS
Exploits0References3Affected Software1
GitLab Advisory Database
GitLab Advisory Database
added 2026/05/18 12:0 a.m.10 views

HAPI FHIR: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint

All implementations of FHIRPathEngine accept arbitrary FHIRPath expressions and evaluate them without input validation. The FHIRPath functions matches, matchesFull, and replaceMatches pass user-controlled regular expressions directly to Java's Pattern.compile and String.replaceAll without...

5.9AI score0.00086EPSS
Exploits0References3
GitLab Advisory Database
GitLab Advisory Database
added 2026/05/18 12:0 a.m.11 views

HAPI FHIR: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint

All implementations of FHIRPathEngine accept arbitrary FHIRPath expressions and evaluate them without input validation. The FHIRPath functions matches, matchesFull, and replaceMatches pass user-controlled regular expressions directly to Java's Pattern.compile and String.replaceAll without...

5.9AI score0.00086EPSS
Exploits0References3
GitLab Advisory Database
GitLab Advisory Database
added 2026/05/18 12:0 a.m.16 views

HAPI FHIR: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint

All implementations of FHIRPathEngine accept arbitrary FHIRPath expressions and evaluate them without input validation. The FHIRPath functions matches, matchesFull, and replaceMatches pass user-controlled regular expressions directly to Java's Pattern.compile and String.replaceAll without...

5.9AI score0.00086EPSS
Exploits0References3
GitLab Advisory Database
GitLab Advisory Database
added 2026/05/18 12:0 a.m.9 views

HAPI FHIR: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint

All implementations of FHIRPathEngine accept arbitrary FHIRPath expressions and evaluate them without input validation. The FHIRPath functions matches, matchesFull, and replaceMatches pass user-controlled regular expressions directly to Java's Pattern.compile and String.replaceAll without...

5.9AI score0.00086EPSS
Exploits0References3
GitLab Advisory Database
GitLab Advisory Database
added 2026/05/18 12:0 a.m.11 views

HAPI FHIR: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint

All implementations of FHIRPathEngine accept arbitrary FHIRPath expressions and evaluate them without input validation. The FHIRPath functions matches, matchesFull, and replaceMatches pass user-controlled regular expressions directly to Java's Pattern.compile and String.replaceAll without...

5.9AI score0.00086EPSS
Exploits0References3
GitLab Advisory Database
GitLab Advisory Database
added 2026/05/18 12:0 a.m.12 views

HAPI FHIR: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint

All implementations of FHIRPathEngine accept arbitrary FHIRPath expressions and evaluate them without input validation. The FHIRPath functions matches, matchesFull, and replaceMatches pass user-controlled regular expressions directly to Java's Pattern.compile and String.replaceAll without...

5.9AI score0.00086EPSS
Exploits0References3
GitLab Advisory Database
GitLab Advisory Database
added 2026/05/18 12:0 a.m.13 views

HAPI FHIR: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint

All implementations of FHIRPathEngine accept arbitrary FHIRPath expressions and evaluate them without input validation. The FHIRPath functions matches, matchesFull, and replaceMatches pass user-controlled regular expressions directly to Java's Pattern.compile and String.replaceAll without...

5.9AI score0.00086EPSS
Exploits0References3
GitLab Advisory Database
GitLab Advisory Database
added 2026/05/18 12:0 a.m.11 views

HAPI FHIR: ReDoS via FHIRPath matches()/replaceMatches() in FHIR Validator HTTP Endpoint

All implementations of FHIRPathEngine accept arbitrary FHIRPath expressions and evaluate them without input validation. The FHIRPath functions matches, matchesFull, and replaceMatches pass user-controlled regular expressions directly to Java's Pattern.compile and String.replaceAll without...

5.9AI score0.00086EPSS
Exploits0References3
GitLab Advisory Database
GitLab Advisory Database
added 2026/05/18 12:0 a.m.13 views

TinyIce: Missing authentication on WebRTC ingest endpoint allows unauthorized stream injection

TinyIce's WebRTC source-ingest HTTP endpoint, POST /webrtc/source-offer?mount=, accepted any inbound WebRTC SDP offer with no authentication check. The handler routed the offer to WebRTCManager.HandleSourceOffer, which then accepted whatever audio/video tracks the peer published and broadcast the...

8.2CVSS5.8AI score0.00357EPSS
Exploits0References5Affected Software1
GitLab Advisory Database
GitLab Advisory Database
added 2026/05/13 12:0 a.m.12 views

uniget is Vulnerable to Command Injection in tool.Check Leading to Arbitrary Code Execution

A command injection vulnerability exists in uniget due to unsafe execution of the check field from metadata files using /bin/bash -c. Because the check field is loaded directly from untrusted JSON metadata without validation or sanitization, an attacker can craft malicious metadata that executes...

7.8CVSS6.3AI score0.00715EPSS
Exploits0References4Affected Software1
GitLab Advisory Database
GitLab Advisory Database
added 2026/05/07 12:0 a.m.11 views

container: pf Rule Injection via Domain Name Argument in `container system dns create --localhost` Command

The container system dns create --localhost command accepts a domainName argument and passes it unsanitized into the pf anchor file /etc/pf.anchors/com.apple.container as a comment in a rule line. A domain name containing a newline character breaks out of the comment context and injects an...

6AI score
Exploits0References2Affected Software1
GitLab Advisory Database
GitLab Advisory Database
added 2026/05/06 12:0 a.m.13 views

Nginx-UI: Unauthenticated First-Run Installer Allows Remote Initial Admin Claim

An unauthenticated network attacker can claim the initial administrator account on a fresh nginx-ui instance during the first-run setup window. The public /api/install endpoint is reachable without authentication, and the request-encryption flow only protects payload confidentiality in transit; i...

9.8CVSS5.8AI score0.00346EPSS
Exploits1References4Affected Software1
GitLab Advisory Database
GitLab Advisory Database
added 2026/05/06 12:0 a.m.12 views

Nginx-UI: Unauthenticated first-boot instance claim via POST /api/install allows remote bootstrap takeover

An unauthenticated bootstrap takeover exists in nginx-ui during the initial installation window exposed by POST /api/install. When the instance is still uninitialized, POST /api/install is reachable without authentication and accepts attacker-controlled bootstrap data. The handler sets the...

9.8CVSS5.8AI score0.00339EPSS
Exploits1References3Affected Software1
GitLab Advisory Database
GitLab Advisory Database
added 2026/05/06 12:0 a.m.21 views

Nginx-UI Settings API Exposes Protected Secrets

The GetSettings API handler api/settings/settings.go:24-65 serializes all settings structs to JSON and returns them to authenticated users. Many sensitive fields are tagged with protected:"true" - however, this tag is only enforced during writes via ProtectedFill in SaveSettings and is completely...

6.5CVSS5.8AI score0.00295EPSS
Exploits1References4Affected Software1
GitLab Advisory Database
GitLab Advisory Database
added 2026/05/06 12:0 a.m.10 views

Nginx-UI is Vulnerable to Unauthenticated Remote Code Execution via Backup Restore

nginx-ui exposes a backup restore endpoint POST /api/restore that is completely unauthenticated during the first 10 minutes after process startup on any fresh installation. An unauthenticated remote attacker can upload a crafted backup archive that overwrites the application's configuration file...

9.8CVSS6AI score0.00764EPSS
Exploits1References4Affected Software1
GitLab Advisory Database
GitLab Advisory Database
added 2026/05/05 12:0 a.m.17 views

Nginx-UI: Authenticated settings disclosure exposes node.secret and enables trusted-node authentication abuse, backup exfiltration, and restore-based nginx-ui state rollback

An authenticated user can call GET /api/settings and retrieve sensitive configuration values, including node.secret. The same node.secret is accepted by AuthRequired through the X-Node-Secret header or nodesecret query parameter, causing the request to be treated as authenticated via the...

6.5CVSS5.8AI score0.00299EPSS
Exploits1References4Affected Software1
GitLab Advisory Database
GitLab Advisory Database
added 2026/05/04 12:0 a.m.28 views

apko doesn't verify downloaded apk packages against APKINDEX checksum (package substitution possible)

apko verifies the signature on APKINDEX.tar.gz but never compares individually downloaded .apk packages against the checksum recorded in the signed index. The checksum is parsed and available via ChecksumString, and the downloaded package control hash is computed, but the two values are never...

7.5CVSS5.9AI score0.00159EPSS
Exploits0References5Affected Software1
GitLab Advisory Database
GitLab Advisory Database
added 2026/05/04 12:0 a.m.222 views

apko dirFS has a symlink-following path traversal that allows multiple entry points to escape the build root

A crafted .apk could install a TypeSymlink tar entry whose target pointed outside the build root, and a subsequent directory-creation or file-write entry in the same or later archive could traverse that symlink to reach host paths the build user could write to. The root cause was the sanitizePath...

7.5CVSS5.8AI score0.00352EPSS
Exploits0References6Affected Software1
GitLab Advisory Database
GitLab Advisory Database
added 2026/05/04 12:0 a.m.38 views

apko `DiscoverKeys` has a panic on non-rsa jwks key that causes crash during key discovery

DiscoverKeys in pkg/apk/apk/implementation.go unconditionally type-asserts JWKS keys as rsa.PublicKey without checking the key type. If a repository JWKS endpoint returns a non-RSA key e.g. EC, the unchecked assertion panics and crashes apko. This affects any workflow that initializes the APK...

6.5CVSS5.8AI score0.00252EPSS
Exploits0References5Affected Software1
GitLab Advisory Database
GitLab Advisory Database
added 2026/04/29 12:0 a.m.13 views

Nginx-UI has Server-Side Request Forgery (SSRF) via Cluster Proxy Middleware that Allows Access to Internal Services

An authenticated user can perform Server-Side Request Forgery SSRF by creating a cluster node pointing to an arbitrary internal URL and then sending API requests with the X-Node-ID header. The Proxy middleware forwards these requests to the attacker-specified internal address, bypassing network...

9.9CVSS5.9AI score0.00318EPSS
Exploits1References3Affected Software1
GitLab Advisory Database
GitLab Advisory Database
added 2026/04/29 12:0 a.m.16 views

Nginx-UI has Server-Side Request Forgery (SSRF) via Cluster Proxy Middleware that Allows Access to Internal Services

An authenticated user can perform Server-Side Request Forgery SSRF by creating a cluster node pointing to an arbitrary internal URL and then sending API requests with the X-Node-ID header. The Proxy middleware forwards these requests to the attacker-specified internal address, bypassing network...

5.9AI score
Exploits0References3Affected Software1
GitLab Advisory Database
GitLab Advisory Database
added 2026/04/24 12:0 a.m.29 views

nova-toggle-5: Improper authorization on toggle endpoint allowed non-Nova users to modify boolean fields

In versions middleware. Any user authenticated on the configured guard could call the endpoint and flip boolean attributes on any Nova resource — including users who do not have access to Nova itself for example, frontend customers sharing the web guard with the Nova admin area. The endpoint also...

6.5CVSS6AI score0.00201EPSS
Exploits0References5Affected Software1
GitLab Advisory Database
GitLab Advisory Database
added 2026/04/24 12:0 a.m.11 views

nova-toggle-5: Improper authorization on toggle endpoint allowed non-Nova users to modify boolean fields

In versions middleware. Any user authenticated on the configured guard could call the endpoint and flip boolean attributes on any Nova resource — including users who do not have access to Nova itself for example, frontend customers sharing the web guard with the Nova admin area. The endpoint also...

5.6AI score
Exploits0References5Affected Software1
GitLab Advisory Database
GitLab Advisory Database
added 2026/04/23 12:0 a.m.11 views

Actual has Privilege Escalation via 'change-password' Endpoint on OpenID-Migrated Servers

Any authenticated user including BASIC role can escalate to ADMIN on servers migrated from password authentication to OpenID Connect. Three weaknesses combine: POST /account/change-password has no authorization check, allowing any session to overwrite the password hash; the inactive password auth...

8.8CVSS5.7AI score0.00472EPSS
Exploits1References4Affected Software1
GitLab Advisory Database
GitLab Advisory Database
added 2026/04/23 12:0 a.m.10 views

go-ntlmssp NTLM challenges can panic on malformed payloads

go-ntlmssp is a Go package that provides NTLM/Negotiate authentication over HTTP. Prior to version 0.1.1, a malicious NTLM challenge message can causes an slice out of bounds panic, which can crash any Go process using ntlmssp.Negotiator as an HTTP transport. Version 0.1.1 patches the issue...

7.5CVSS5.8AI score0.01027EPSS
Exploits0References4Affected Software1
GitLab Advisory Database
GitLab Advisory Database
added 2026/04/23 12:0 a.m.10 views

H2O-3 is Vulnerable to Code Injection

A critical remote code execution vulnerability exists in the unauthenticated REST API endpoint /99/ImportSQLTable in H2O-3 version 3.46.0.9 and prior. The vulnerability arises due to insufficient security controls in the parameter blacklist mechanism, which only targets MySQL JDBC driver-specific...

9.8CVSS7.5AI score0.00938EPSS
Exploits1References4
GitLab Advisory Database
GitLab Advisory Database
added 2026/04/23 12:0 a.m.59 views

melange has Path Traversal via .PKGINFO in --persist-lint-results

melange lint --persist-lint-results opt-in flag, also usable via melange build --persist-lint-results constructs output file paths by joining --out-dir with the arch and pkgname values read from the .PKGINFO control file of the APK being linted. In affected versions these values were not validate...

4.4CVSS5.9AI score0.00172EPSS
Exploits0References4Affected Software1
GitLab Advisory Database
GitLab Advisory Database
added 2026/04/23 12:0 a.m.13 views

melange has Path Traversal When Resolving External Pipelines via Unvalidated pipeline[].uses

An attacker who can influence a melange configuration file — for example through pull-request-driven CI or build-as-a-service scenarios — could set pipeline.uses to a value containing ../ sequences or an absolute path. The Compiled.compilePipeline function in pkg/build/compile.go passed uses...

6.1CVSS5.9AI score0.0014EPSS
Exploits0References4Affected Software1
GitLab Advisory Database
GitLab Advisory Database
added 2026/04/22 12:0 a.m.12 views

actix-http has HTTP/1.1 CL.TE Request Smuggling

A vulnerability in actix-http's HTTP/1.1 request parser allows an unauthenticated remote client to smuggle requests in deployments where a front-end HTTP intermediary and the Actix backend disagree about whether Content-Length or Transfer-Encoding: chunked defines the request body length...

5.8AI score
Exploits0References4Affected Software1
GitLab Advisory Database
GitLab Advisory Database
added 2026/04/21 12:0 a.m.41 views

Nginx-UI: Disabled users retain full API access through previously issued bearer tokens

A user who was disabled by an administrator can use previously issued API tokens for up to the token lifetime. In practice, disabling a compromised account does not actually terminate that user’s access, so an attacker who already stole a JWT can continue reading and modifying protected resources...

8.6CVSS5.7AI score0.00274EPSS
Exploits1References5Affected Software1
GitLab Advisory Database
GitLab Advisory Database
added 2026/04/21 12:0 a.m.31 views

Nginx-UI: Cross-Site WebSocket Hijacking (CSWSH) via missing origin validation on all WebSocket endpoints

All WebSocket endpoints in nginx-ui use a gorilla/websocket Upgrader with CheckOrigin unconditionally returning true, allowing Cross-Site WebSocket Hijacking CSWSH. Combined with the fact that authentication tokens are stored in browser cookies set via JavaScript without HttpOnly or explicit...

8.1CVSS5.8AI score0.00176EPSS
Exploits1References4Affected Software1
GitLab Advisory Database
GitLab Advisory Database
added 2026/04/18 12:0 a.m.34 views

Wish has SCP Path Traversal that allows arbitrary file read/write

The SCP middleware in charm.land/wish/v2 is vulnerable to path traversal attacks. A malicious SCP client can read arbitrary files from the server, write arbitrary files to the server, and create directories outside the configured root directory by sending crafted filenames containing ../ sequence...

9.6CVSS5.9AI score0.00393EPSS
Exploits1References4Affected Software1
GitLab Advisory Database
GitLab Advisory Database
added 2026/04/18 12:0 a.m.22 views

Wish has SCP Path Traversal that allows arbitrary file read/write

The SCP middleware in charm.land/wish/v2 is vulnerable to path traversal attacks. A malicious SCP client can read arbitrary files from the server, write arbitrary files to the server, and create directories outside the configured root directory by sending crafted filenames containing ../ sequence...

5.9AI score
Exploits0References3Affected Software1
GitLab Advisory Database
GitLab Advisory Database
added 2026/04/09 12:0 a.m.20 views

decolua 9router vulnerable to authorization bypass

A security vulnerability has been detected in decolua 9router up to 0.3.47. The impacted element is an unknown function of the file /api of the component Administrative API Endpoint. The manipulation leads to authorization bypass. The attack is possible to be carried out remotely. The exploit has...

7.5CVSS6.5AI score0.00313EPSS
Exploits0References10Affected Software1
GitLab Advisory Database
GitLab Advisory Database
added 2026/04/08 12:0 a.m.11 views

WWBN AVideo's GIF poster fetch bypasses traversal scrubbing and exposes local files through public media URLs

objects/aVideoEncoderReceiveImage.json.php allowed an authenticated uploader to fetch attacker-controlled same-origin /videos/... URLs, bypass traversal scrubbing, and expose server-local files through the GIF poster storage path. The vulnerable GIF branch could be abused to read local files such...

7.6CVSS5.9AI score0.00412EPSS
Exploits0References4Affected Software1
Total number of security vulnerabilities1518