Vikunja Affected by DoS via Image Preview Generation

Vulnerability: Unbounded image decoding and resizing during preview generation lets an attacker exhaust CPU and memory with highly compressed but extremely large-dimension images. - Affected code: - Decoding without bounds: taskattachment.go:GetPreview - Resizing path: resizeImage - Endpoint...

Vikunja’s Improper Access Control Enables Bypass of Administrator-Imposed Account Disablement

A flaw in Vikunja’s password reset logic allows disabled users to regain access to their accounts. The ResetPassword function sets the user’s status to StatusActive after a successful password reset without verifying whether the account was previously disabled. By requesting a reset token through...

Vikunja has a Rate-Limit Bypass for Unauthenticated Users via Spoofed Headers

Unauthenticated users are able to bypass the application's built-in rate-limits by spoofing the X-Forwarded-For or X-Real-IP headers due to the rate-limit relying on the value of echo.Context.RealIP...

Vikunja read-only users can delete project background images via broken object-level authorization

The DELETE /api/v1/projects/:project/background endpoint checks CanRead permission instead of CanUpdate, allowing any user with read-only access to a project to permanently delete its background image...

Vikunja has an IDOR in Task Comments Allows Reading Arbitrary Comments

An authenticated user can read any task comment by ID, regardless of whether they have access to the task the comment belongs to, by substituting the task ID in the API URL with a task they do have access to...

Vikunja has a 2FA Bypass via Caldav Basic Auth

The Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be protected behind 2FA if enabled, such as project name, description, etc...

HAPI FHIR HTTP authentication leak in redirects

When setting headers in HTTP requests, the internal HTTP client sends headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the Location: response header value. Sending the same set of headers ...

HAPI FHIR HTTP authentication leak in redirects

When setting headers in HTTP requests, the internal HTTP client sends headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the Location: response header value. Sending the same set of headers ...

HAPI FHIR HTTP authentication leak in redirects

When setting headers in HTTP requests, the internal HTTP client sends headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the Location: response header value. Sending the same set of headers ...

SSRF in @aborruso/ckan-mcp-server via base_url allows access to internal networks

The @aborruso/ckan-mcp-server MCP server provides tools including ckanpackagesearch and sparqlquery that accept a baseurl parameter, making HTTP requests to arbitrary endpoints without restriction. A CKAN portal client has no legitimate reason to contact cloud metadata or internal network service...

HAPI FHIR HTTP authentication leak in redirects

When setting headers in HTTP requests, the internal HTTP client sends headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the Location: response header value. Sending the same set of headers ...

HAPI FHIR HTTP authentication leak in redirects

When setting headers in HTTP requests, the internal HTTP client sends headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the Location: response header value. Sending the same set of headers ...

HAPI FHIR HTTP authentication leak in redirects

When setting headers in HTTP requests, the internal HTTP client sends headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the Location: response header value. Sending the same set of headers ...

HAPI FHIR HTTP authentication leak in redirects

When setting headers in HTTP requests, the internal HTTP client sends headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the Location: response header value. Sending the same set of headers ...

HAPI FHIR HTTP authentication leak in redirects

When setting headers in HTTP requests, the internal HTTP client sends headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the Location: response header value. Sending the same set of headers ...

HAPI FHIR HTTP authentication leak in redirects

When setting headers in HTTP requests, the internal HTTP client sends headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the Location: response header value. Sending the same set of headers ...

HAPI FHIR HTTP authentication leak in redirects

When setting headers in HTTP requests, the internal HTTP client sends headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the Location: response header value. Sending the same set of headers ...

HAPI FHIR HTTP authentication leak in redirects

When setting headers in HTTP requests, the internal HTTP client sends headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the Location: response header value. Sending the same set of headers ...

HAPI FHIR HTTP authentication leak in redirects

When setting headers in HTTP requests, the internal HTTP client sends headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the Location: response header value. Sending the same set of headers ...

Admidio has a Second-Order SQL Injection via List Configuration (lsc_special_field, lsc_sort, lsc_filter)

The MyList configuration feature in Admidio allows authenticated users to define custom list column layouts. User-supplied column names, sort directions, and filter conditions are stored in the admlistcolumns table via prepared statements safe storage, but are later read back and interpolated...

Admidio is Missing CSRF Protection on Role Membership Date Changes

The savemembership action in modules/profile/profilefunction.php saves changes to a member's role membership start and end dates but does not validate the CSRF token. The handler checks stopmembership and removeformermembership against the CSRF token but omits savemembership from that check...

LeafKit's HTML escaping may be skipped for Collection values, enabling XSS

LeafKit HTML-escaping is not working correctly when a template prints a collection Array / Dictionary via value. This can result in XSS, allowing potentially untrusted input to be rendered unescaped...

LeafKit's HTML escaping may be skipped for Collection values, enabling XSS

LeafKit HTML-escaping is not working correctly when a template prints a collection Array / Dictionary via value. This can result in XSS, allowing potentially untrusted input to be rendered unescaped...

Admidio has a Second-Order SQL Injection via List Configuration (lsc_special_field, lsc_sort, lsc_filter)

The MyList configuration feature in Admidio allows authenticated users to define custom list column layouts. User-supplied column names, sort directions, and filter conditions are stored in the admlistcolumns table via prepared statements safe storage, but are later read back and interpolated...

File Upload(RCE) Vulnerability in admidio

A critical unrestricted file upload vulnerability exists in the Documents & Files module of Admidio. Due to a design flaw in how CSRF token validation and file extension verification interact within UploadHandlerFile.php, an authenticated user with upload permissions can bypass file extension...

Admidio Vulnerable to SSRF and Local File Read via Unrestricted URL Fetch in SSO Metadata Endpoint

The SSO metadata fetch endpoint at modules/sso/fetchmetadata.php accepts an arbitrary URL via $GET'url', validates it only with PHP's FILTERVALIDATEURL, and passes it directly to filegetcontents. FILTERVALIDATEURL accepts file://, http://, ftp://, data://, and php:// scheme URIs. An authenticated...

Admidio has an HTMLPurifier Bypass in eCard Message Allows HTML Email Injection

The eCard send handler in Admidio uses the raw $POST'ecardmessage' value instead of the HTMLPurifier-sanitized $formValues'ecardmessage' when constructing the greeting card HTML. This allows an authenticated attacker to inject arbitrary HTML and JavaScript into greeting card emails sent to other...

AutoMapper Vulnerable to Denial of Service (DoS) via Uncontrolled Recursion

AutoMapper is vulnerable to a Denial of Service DoS attack. When mapping deeply nested object graphs, the library uses recursive method calls without enforcing a default maximum depth limit. This allows an attacker to provide a specially crafted object graph that exhausts the thread's stack memor...

AutoMapper Vulnerable to Denial of Service (DoS) via Uncontrolled Recursion

AutoMapper is vulnerable to a Denial of Service DoS attack. When mapping deeply nested object graphs, the library uses recursive method calls without enforcing a default maximum depth limit. This allows an attacker to provide a specially crafted object graph that exhausts the thread's stack memor...

CairoSVG vulnerable to Exponential DoS via recursive <use> element amplification

Kozea/CairoSVG 300K downloads/week has exponential denial of service via recursive element amplification in cairosvg/defs.py line 335. This causes CPU exhaustion from a small input...

Trix has a Stored XSS vulnerability through serialized attributes

The Trix editor, in versions prior to 2.1.17, is vulnerable to XSS attacks when a data-trix-serialized-attributes attribute bypasses the DOMPurify sanitizer. An attacker could craft HTML containing a data-trix-serialized-attributes attribute with a malicious payload that, when the content is...

AdGuard Home: HTTP/2 Cleartext (h2c) Upgrade Authentication Bypass

An unauthenticated remote attacker can bypass all authentication in AdGuardHome by sending an HTTP/1.1 request that requests an upgrade to HTTP/2 cleartext h2c. Once the upgrade is accepted, the resulting HTTP/2 connection is handled by the inner mux, which has no authentication middleware...

actix-web-lab has host header poisoning in redirect middleware can generate attacker-controlled absolute redirects

actix-web-lab redirect middleware uses request-derived host information to construct absolute redirect URLs for example, https://hostnamepath. In deployments without strict host allowlisting, an attacker can supply a malicious Host header and poison the Location response header, causing open...

Azure MCP Server has Server-Side Request Forgery issue that allows authorized attacker to elevate privileges over a network

Server-Side Request Forgery SSRF in Azure MCP Server allows an authorized attacker to elevate privileges over a network...

Actual Sync Server has an Authenticated Path Traversal

Actual Sync Server allows authenticated users to upload files through POST /sync/upload-user-file. In versions prior to 26.3.0, improper validation of the user-controlled x-actual-file-id header means that traversal segments ../ can escape the intended directory and write files outside userFiles...

Admidio: Event participation IDOR - non-leaders can register other users for events via user_uuid parameter

Register unwilling users for events potential harassment/spam - Cancel other users' event participation - Manipulate event participant counts and comments - If events have participation limits, fill slots with unwanted registrations...

Nginx-UI Vulnerable to Unauthenticated Backup Download with Encryption Key Disclosure

The /api/backup endpoint is accessible without authentication and discloses the encryption keys required to decrypt the backup in the X-Backup-Security response header. This allows an unauthenticated attacker to download a full system backup containing sensitive data user credentials, session...

`melange update-cache` has unbounded HTTP download that can exhaust disk in CI

melange update-cache downloads URIs from build configs via io.Copy without any size limit or HTTP client timeout pkg/renovate/cache/cache.go. An attacker-controlled URI in a melange config can cause unbounded disk writes, exhausting disk on the build runner. Affected versions = 0.40.5. Fix: Merge...

Vikunja Vulnerable to Account Takeover via Password Reset Token Reuse

Summary A critical business logic vulnerability exists in the password reset mechanism of vikunja/api that allows password reset tokens to be reused indefinitely. Due to a failure to invalidate tokens upon use and a critical logic bug in the token cleanup cron job, reset tokens remain valid...

@actual-app/sync-server: Missing authorization in sync endpoints allows cross-user budget file access in multi-user mode

In multi-user mode OpenID, the sync API endpoints /sync/ don't verify that the authenticated user owns or has access to the file being operated on. Any authenticated user can read, modify, and overwrite any other user's budget files by providing their file ID...

Vikunja has Path Traversal in CLI Restore

Path Traversal Zip Slip and Denial of Service DoS vulnerability discovered in the Vikunja CLI's restore functionality...

Vijkunja has Weak Password Policy Combined with Persistent Sessions After Password Change

Summary The application allows users to set weak passwords e.g., 1234, password without enforcing minimum strength requirements. Additionally, active sessions remain valid after a user changes their password. An attacker who compromises an account via brute-force or credential stuffing can mainta...

Vikunja: Stored XSS via Unsanitized SVG Attachment Upload Leads to Token Exposure

Details The application allows users to upload SVG files as task attachments. SVG is an XML-based format that supports JavaScript execution through elements such as tags or event handlers like onload. The application does not sanitize SVG content before storing it. When the uploaded SVG file is...

Vikunja has Reflected HTML Injection via filter Parameter in its Projects Module

Vikunja is an open-source self-hosted task management platform with 3,300+ GitHub stars. A reflected HTML injection vulnerability exists in the Projects module where the filter URL parameter is rendered into the DOM without output encoding when the user clicks "Filter." While and are blocked, , ,...

ActualBudget server is Missing Authentication for SimpleFIN and Pluggy AI bank sync endpoints

Missing authentication middleware in the ActualBudget server component allows any unauthenticated user to query the SimpleFIN and Pluggy.ai integration endpoints and read sensitive bank account balance and transaction information...

Leaf-kit html escaping does not work on characters that are part of extended grapheme cluster

htmlEscaped in leaf-kit will only escape html special characters if the extended grapheme clusters match, which allows bypassing escaping by using an extended grapheme cluster containing both the special html character and some additional characters. In the case of html attributes, this can lead ...

Leaf-kit html escaping does not work on characters that are part of extended grapheme cluster

htmlEscaped in leaf-kit will only escape html special characters if the extended grapheme clusters match, which allows bypassing escaping by using an extended grapheme cluster containing both the special html character and some additional characters. In the case of html attributes, this can lead ...

filippo.io/edwards25519 MultiScalarMult produces invalid results or undefined behavior if receiver is not the identity

Point.MultiScalarMult failed to initialize its receiver. If the method was called on an initialized point that is not the identity point, MultiScalarMult produced an incorrect result. If the method was called on an uninitialized point, the behavior was undefined. In particular, if the receiver wa...

Vikunja Vulnerable to XSS Via Task Preview

The task preview component creates a unparented div. The div's innerHtml is set to the unescaped description of the task...

amphp/http-server affected by HTTP/2 DDoS vulnerability

Versions of amphp/http-server prior to 3.4.4 for the 3.x release branch and prior to 2.1.10 for the 2.x release branch are vulnerable to the HTTP/2 "MadeYouReset" DoS attack described by CVE-2025-8671 and https://kb.cert.org/vuls/id/767506. In versions 3.4.4 and 2.1.10, stream reset protection ha...