Mozilla: Bypass of Restricted Keyword "Mozilla" in Display Name Field via Unicode Homoglyphs on addons.allizom.org
A restricted keyword bypass vulnerability was discovered on the Firefox Add-ons platform that allowed an attacker to register a display name visually identical to "Mozilla" by using a Unicode homoglyph character. This circumvented the intended restriction and could have been used to impersonate...
Mars: SQLi at █████ parameter
A SQL injection vulnerability was discovered in an items endpoint that accepted unauthenticated POST requests without CSRF validation. The vulnerability allowed execution of arbitrary SQL commands and extraction of database metadata. Additional security issues included stored XSS through the...
Nextcloud: Calendar app allowed booking appointments without the generated token
The calendar app was found to allow booking appointments without the necessary generated token, which could have led to unauthorized access...
curl: Vulnerability Report: Public Exposure of Security Audit File
Summary: A sensitive internal security audit report file for cURL/libcurl—specifically cure53-curl-report-2016.pdf—was found to be publicly accessible via search engine dorking. This file includes detailed vulnerability findings, exploit vectors, code review observations, and remediation advice...
U.S. Dept Of Defense: Cross-Site Scripting via 'fname' parameter in ███
A Cross-Site Scripting (XSS) vulnerability was discovered in the 'fname' parameter of the target application. The vulnerability allowed an attacker to inject malicious scripts that could be executed. Exploitation of this vulnerability could have led to consequences such as cookie theft and session...
Malwarebytes: Replayable Password Change Request Across Sessions.
Vulnerability description not provided...
curl: Security check up
Summary: summary of the vulnerability Statement clarifying if an AI was used to find the issue or generate the report Affected version Which curl/libcurl version are you using to reproduce? On which platform? curl -V typically generates good output to include Steps To Reproduce: add details for h...
curl: Exposure of Private RSA Private Key in curl GitHub Repository
Description: I discovered that a private RSA key along with its certificate is publicly accessible inside the curl GitHub repository under the file tests/data/stunnel.pem. This file contains a PEM-formatted RSA private key, which should be kept strictly confidential. Steps to Reproduce: Navigate ...
curl: Use after free (or assert triggered) with failed allocations in openssl
Summary: summary of the vulnerability. A heap use-after-free or assertion can be triggered if some allocations fail. I am not sure you consider allocation failures to be part of security issues, and I am not sure the issue lies in curl or in openssl, but I still think you want something to be fixe...
curl: on the implications of permitting procedural culling
Good day. My name is Lorentso Youriévitch Bogdanov. It has come to my attention that you are in need of higher-quality code review. Rest assured that you are not alone in noticing a certain degree of brain-drain in this field. As you can perhaps imagine, the recent shortage of qualified hackers a...
curl: OpenSSL HTTP/3 bogus CURLINFO_TLS_SSL_PTR
Summary: curl_easy_getinfo(CURLINFO_TLS_SSL_PTR) appears to return an invalid SSL connection pointer for OpenSSL HTTP/3 connections. Using this SSL connection results in a crash, and potential other impacts. This issue does not happen with libcurl 8.14.1, suggesting that the bug is in libcurl itself or...
curl: GnuTLS CURLINFO_TLS_SESSION / CURLINFO_TLS_SSL_PTR type confusion
Summary: curl_easy_getinfo for CURLINFO_TLS_SESSION and CURLINFO_TLS_SSL_PTR incorrectly returns CURLSSLBACKEND_OPENSSL in the backend field of struct curl_tlssessioninfo for GnuTLS. struct curl_tlssessioninfo { curl_sslbackend backend; void *internals; }; The bug is at...
U.S. Dept Of Defense: Unauthenticated Users Can Access Other Users’ Bug Report Attachments via Broken Access Control
A vulnerability was discovered where unauthenticated users could access other users' bug report attachments due to a lack of proper access control. The /BugReport/Admin/Attachment/id endpoint exposed attachments linked to private bug reports, and the numeric ID in the URL could be manipulated to...
curl: curl ASSERTs when accessing an LDAP URL
Summary: curl can crash when accessing an LDAP URL. `curl ldap://localhost:1388` gives: curl: result.c:930: try_read1msg: Assertion `!BER_BVISEMPTY(&resoid)' failed. Aborted (core dumped). No AI was used in the production of this report. This was enabled by oss-fuzz, but initiated by me adding LDAP support to...
U.S. Dept Of Defense: SQL Injection - JSON 'name' parameter
A SQL injection vulnerability was discovered in the 'name' parameter of the website. The vulnerability allowed manipulation of SQL queries executed by the backend database. The original request containing the vulnerable parameter was provided...
Tucows (VDP): Vulnerability: XML-RPC Interface Enabled and Accessible
Summary: The website ███ has the XML-RPC interface enabled, which exposes several methods including pingback.ping and system.multicall. These methods can be abused by attackers to perform high-volume denial of service (DDoS) attacks and brute-force amplification attacks, which can severely impact the...
Node.js: Windows Device Names Still Allow Path Traversal in UNC Paths After CVE-2025-27210 Fix
Summary: I found that Windows device names CON, PRN, AUX, etc. can still be used for path traversal attacks when working with UNC network paths, even after the CVE-2025-27210 patch. So basically, the fix only covered regular paths but missed the UNC path scenario when using path.join Description:...
Tucows (VDP): Business Logic Error – Bypass of OTP Verification During Signup on hover.com
The Business Logic Error – Bypass of OTP Verification During Signup on hover.com was a vulnerability that allowed an attacker to register an account on www.hover.com using any email address without passing the required OTP verification. The vulnerability was caused by the ability to omit the code...
Brave Software: SameSite restrictions are lifted, and SameSite:Strict cookie are being sent.
A vulnerability was discovered where SameSite=Strict cookies were being sent during cross-site navigations, even though they should have been restricted under the SameSite policy. This was caused by the absence of the Sec-Fetch-Site: cross-site header, which is normally used to prevent such...
U.S. Dept Of Defense: Exposed wp-config.php file
A copy of the WordPress configuration file wp-config.php was found at an endpoint. The file contained sensitive information, such as MySQL and AWS credentials, and various keys...
Khan Academy: 337k users and 1 employee leaked credentials
The Khan Academy website experienced a data breach, resulting in the leakage of 337.7k user accounts and one employee account. The leaked credentials, including email addresses and passwords, were discovered on a website called "leakradar.io"...
curl: Disk Space Exhaustion leading to a Denial of Service (DoS)
Description: The tool_debug_cb function can write large amounts of debug data to a log file if the --trace or --trace-ascii options are used with a large volume of data. If an attacker can cause cURL to download or upload a very large amount of data (e.g., via a very large HTTP response or an unlimit...
8x8: █.8x8.vc/index.js: Exposed Google Maps API Key Allowing Potential Abuse of Paid Services
The Google Maps API key was inadvertently exposed in client-side code, allowing potential unauthorized access to some Google Maps services. The issue was promptly addressed by implementing appropriate API key restrictions where feasible...
curl: Uncontrolled File Write/Arbitrary File Creation
Description: The dumpeasysrc function in the provided code snippet allows an attacker to specify an arbitrary file path for outputting the generated libcurl source code via the global->libcurl variable. If the global->libcurl value is not properly sanitized or restricted, a malicious user could...
curl: HTTP Request Smuggling Vulnerability Analysis - cURL Security Report
HTTP Request Smuggling Vulnerability Report - cURL. Summary: cURL does not explicitly reject HTTP requests that contain both Transfer-Encoding and Content-Length headers, which can lead to HTTP request smuggling vulnerabilities (CWE-444) when the request passes through intermediary systems (proxies,...
ExpressionEngine: SQL injection in structure plugin
An SQL injection flaw was discovered in ExpressionEngine's Structure plugin. User input from the channelids parameter was passed directly into SQL queries without proper sanitization. The vulnerability required admin panel access...
Nextcloud: Path Traversal Vulnerability in Nextcloud Tables Enables Arbitrary File Exfiltration of Any Files Supported by PhpSpreadsheet Library
A path traversal vulnerability was discovered in Nextcloud Tables. This vulnerability allowed the exfiltration of any files supported by the PhpSpreadsheet library...
Bykea: MongoDB Query Logs & Schema Leak via Unauthenticated Endpoint
MongoDB Query Logs & Schema Leak via Unauthenticated Endpoint. An unauthenticated health check endpoint was discovered that exposed basic system and infrastructure details...
WakaTime: Not a Vuln: Race Condition Allows Creation of Multiple Organizations with the Same Name
Summary: A race condition vulnerability exists in the organization creation logic that allows an attacker to create multiple organizations with the same name, violating the expected uniqueness constraint enforced by the UI. This could lead to confusion, broken business logic, or potential misuse...
Nextcloud: Deck app allowed user with "Can share" permission to modify permissions of other non-owners
The Deck app in Nextcloud allowed users with "Can share" permission to modify the permissions of other non-owners...
Nextcloud: Participants were able to blindly delete poll drafts of other users by ID
Participants were able to blindly delete poll drafts of other users by ID...
curl: Default Minimum TLS Version Set to TLS v1.0 (Cryptographic Weakness)
Summary: Curl sets TLS v1.0 as the default minimum version, which is outdated and vulnerable to attacks like BEAST, posing a risk to data integrity and confidentiality. This was found through manual code review. No AI was used in identifying the issue or generating this report. Affected Version:...
Mozilla: Microsoft `x-apikey` Exposed in Mozilla CI Public Logs
A Microsoft telemetry API key x-apikey was found exposed in publicly accessible Mozilla CI logs. The key appeared in HTTP POST requests sent to Microsoft's telemetry endpoint during automated Firefox testing and was captured via mitmproxy logs. The security impact was considered minimal as the...
U.S. Dept Of Defense: Critical PII Data Exposure in ORDER_ERROR_LOG
A critical security vulnerability was identified in the application's error logging system. The ORDER_ERROR_LOG file contained complete database insertion statements that exposed personally identifiable information of customers in plain text format. The error handling mechanism was logging full SQL...
curl: Arbitrary File Read via file:// Protocol in cURL
cURL’s file:// protocol handler is enabled by default, allowing access to local files on the system. This behavior enables an attacker with the ability to run cURL commands to read arbitrary files on the host by specifying file paths or using directory traversal techniques. Steps to reproduce: 1...
curl: Use-After-Free in OpenSSL Keylog Callback via SSL_get_ex_data() in libcurl
Summary: A Use-After-Free (UAF) vulnerability exists in libcurl when the OpenSSL SSL_CTX_set_keylog_callback is set. The callback may be invoked after the associated SSL object has been freed via SSL_free, leading to access to a dangling pointer and potential crash or information leak via SSL_get_ex_data...
curl: Disclosure of email addresses
https://github.com/curl/curl/blob/master/.mailmap Impact Summary: Disclosure of email addresses...
curl: access notes without permission
https://web.archive.org/web//https://github.com/curl/curl Impact Summary: access notes without permission...
Monero: Reported Denial of Service
A vulnerability was reported in the Monero RPC server that could cause a denial of service. The issue was found in the "calc_pow" RPC endpoint, where specially crafted input could cause the server to crash with the message "Cryptonight variant 1 needs at least 43 bytes of data". The problem was th...
Monero: Reported RPC Overflow
A stack buffer overflow was reported in the Monero RPC server. Specifically, on line 1291 of the core_rpc_server.cpp file, an overflow could occur if the size of b.data did not match the size of crypto::key_image. Additionally, a missing return statement was found following line 1289. The...
U.S. Dept Of Defense: Reflected XSS Vulnerability in SSL VPN Endpoint — CVE-2025-0133
A reflected Cross-Site Scripting (XSS) vulnerability was discovered in an SSL VPN endpoint. The vulnerability was assigned the CVE number CVE-2025-0133. The vulnerability allowed an unauthenticated attacker to inject and execute arbitrary JavaScript in the browser of a victim who clicked on a...
curl: Integer Overflow Risk in HTTP/2 Proxy Window Size Calculations
Summary: The HTTP/2 proxy implementation in curl contains potential integer overflow vulnerabilities in buffer size calculations that could lead to memory corruption or denial of service. AI Usage Statement: This report was prepared by a human security researcher after manual code review. No AI w...
LinkedIn: Improper Access Control - Access to "Active Hiring" (Premium feature) filter results
An access control vulnerability was identified in LinkedIn's people search functionality that allowed unauthorized access to premium "Active Hiring" filter results. The vulnerability was found in the GraphQL API endpoint where premium feature restrictions were not properly enforced, allowing user...
curl: CRLF injection in libcurl's SMTP client via --mail-from and --mail-rcpt allows SMTP command smuggling
Summary: libcurl's SMTP client is vulnerable to CRLF injection via the --mail-from and --mail-rcpt parameters. An attacker can inject newline characters to smuggle SMTP commands like VRFY, potentially enabling user enumeration or protocol abuse. While curl may fail after injection, the injected...
U.S. Dept Of Defense: SQL Injection in URI Path Leading to Full Database Disclosure on ████████
A time-based blind SQL injection vulnerability was discovered in the URI path of the /home/server-ocsp/ endpoint on a U.S. Government Public Key Infrastructure website. The vulnerability allowed an unauthenticated attacker to interact with the backend MySQL database and extract sensitive...
curl: HTTP Proxy Bypass via `CURLOPT_CUSTOMREQUEST` Verb Tunneling
Summary: A logic flaw in libcurl version 8.14.1 allows an attacker to bypass restrictive HTTP proxy firewalls by "tunneling" an arbitrary HTTP verb within a CONNECT request. By setting CURLOPT_CUSTOMREQUEST to CONNECT for a standard http:// URL, an attacker can trick libcurl into creating a hybrid...
Lichess: CSRF at Network feature
A CSRF vulnerability was found in the network feature, where an attacker could change the Network Routing settings by sending a CSRF script to the victim...
curl: Stack-based Buffer Overflow in TELNET NEW_ENV Option Handling
Title: Stack-based Buffer Overflow in TELNET NEW_ENV Option Handling. Vulnerability Description: Summary: A stack-based buffer overflow vulnerability exists in the libcurl TELNET handler. When libcurl connects to a malicious TELNET server, the server can trigger an overflow by sending a NEW_ENVIRON...
curl: Heap Buffer Overflow in libcurl curl_slist_append via Unterminated String
Summary: A heap buffer overflow vulnerability exists in libcurl's curl_slist_append function in lib/slist.c:94. When the function is called with a non-null-terminated string, the internal strdup call triggers strlen to read beyond allocated buffer boundaries, leading to a heap buffer overflow. This...
Mars: Account Takeover in Password Reset Function
A critical authentication bypass vulnerability was present in the password reset functionality of the website. The vulnerability allowed attackers to take over any user account without requiring access to the victim's phone number or one-time password. The security flaw existed in the...