PlayStation: Blu-ray Disc Java Sandbox Escape via two vulnerabilities
Two vulnerabilities in Blu-ray Disc Java (BD-J) related to the Inter-Xlet Communication (IXC) implementation were discovered. The first vulnerability allowed invoking methods in privileged context by registering a remote object that implements an interface extending java.rmi.Remote. The second...
Dust: Race Condition in Folder Creation Allows Bypassing Folder Limit
The application enforced a hard limit of 10 folders per user under a specific space. However, due to a race condition, it was possible to bypass this limit by sending multiple folder creation requests simultaneously after deleting one folder. This allowed creating more than 10 folders, breaking t...
Dust: Privilege Escalation leads to Unauthorized Access to Private Conversations By any Regular user [Read, Edit and Delete]
Summary: A normal authenticated user on dust.tt can escalate their privileges by accessing, modifying, and deleting any chat threads belonging to other users — including administrators — through a vulnerable API endpoint without having the appropriate permissions. Vulnerability Details: Reading...
Dust: Privilege Escalation in Edit and Create Secret Endpoints Leads to Unauthorized Secret Modification
The vulnerability allows a user with the Builder role to list all existing secret names, create new secrets, and overwrite existing secrets by using the same name. This behavior violates permission boundaries and leads to privilege escalation and unauthorized access to sensitive data...
Dust: User Limit Bypass via Pending Invitations in Workspace System
The platform's workspace user limit was found to be vulnerable to bypass through the use of pending invitations. Users were able to join a workspace by signing up with an invited email, even after the workspace had reached its user limit for the current subscription tier. This allowed an unlimite...
Dust: UI flaw allows unauthorized users to add documents to restricted folders
The UI flaw allowed unauthorized users to add documents to restricted folders. The vulnerability constituted an Insecure Direct Object Reference (IDOR) issue, where users could manipulate the client-side behavior to perform actions they were not supposed to have access to, such as uploading documen...
Dust: Unauthorized Table Creation by Member
A member user was able to create tables inside restricted company data spaces, despite the UI indicating that only workspace builders admins should be allowed. The "Add Data" button appeared disabled in the UI, but it was still interactable and functional, allowing the member to successfully crea...
Dust: Improper Session Invalidation – Auto Sign-In Without Credentials After Logout (Affects Chrome & Firefox)
The session was not invalidated properly when the user logged out. Revisiting the login page allowed automatic re-authentication without user input, as the session remained active or was improperly restored across multiple browsers...
curl: Buffer Overflow in curl MQTT Test Server (tests/server/mqttd.c) via Malicious CONNECT Packet
Title: Buffer Overflow in curl MQTT Test Server (mqttd.c) via Malicious CONNECT Packet. Description: The MQTT test server (mqttd.c) in the curl project contains a buffer overflow vulnerability due to improper validation of password length fields in MQTT CONNECT packets. An attacker can craft a maliciou...
pixiv: Bypassing Inbox Privacy Settings and Enabling Spam on Pixiv.net
A vulnerability was discovered in the messaging system of Pixiv.net. The vulnerability allowed any user to bypass the inbox privacy settings and send messages to another user who had disabled their inbox. The vulnerability was triggered by manipulating the id parameter in the message-sending POST...
curl: Path Traversal Vulnerability in curl via Unsanitized IPFS_PATH Environment Variable
A path traversal vulnerability exists in curl versions with IPFS support (7.81.0+). The IPFS_PATH environment variable is not properly sanitized, allowing attackers to read arbitrary files by manipulating directory traversal sequences (e.g., ../../../../etc). This flaw enables leakage of sensitive dat...
Khan Academy: Leaked reused password for a few Khan Academy users
A large number of Khan Academy user credentials, including emails and passwords, were exposed through a Telegram bot. The exact source of the leaked data is unknown, but the volume of exposed information was substantial...
Lichess: Open Redirect Vulnerability in OAuth Flow Leading to Potential Phishing Attack
Summary: An open redirect vulnerability exists in the OAuth flow on lichess4545.com. By manipulating the redirect_uri parameter during the OAuth authorization process with Lichess, an attacker can redirect users to an arbitrary external domain (e.g., example.com) after login. This could be exploited...
WakaTime: user api key leaked
The user's API key was found exposed in an older URL while testing the WakaTime tool. The API key successfully authenticated requests to a restricted endpoint, indicating that it was valid and granted access to protected resources...
RubyGems: `/names.nsf` and all `/names*` files route to public API on rubygems.org
During the security assessment of the application hosted at https://rubygems.org/names.nsf, it was discovered that a sensitive file "names.nsf", is publicly accessible without proper authentication and it is supposed to be protected by authentication mechanisms to ensure that unauthorized users d...
Informatica: [███] Cross-Site Scripting (XSS) via /ssl-vpn/getconfig.esp at GlobalProtect VPN Portal
A Cross-Site Scripting (XSS) vulnerability was discovered in the GlobalProtect VPN portal's getconfig.esp endpoint. The vulnerability existed because the application reflected user input from the user parameter in an XML response without proper sanitization. This allowed an attacker to inject SVG...
curl: Heap-based buffer overflow in curl -K <config_file> allows arbitrary write
Summary: A heap-based buffer overflow in curl's config-file parser (parseconfig -- getparameter) allows an attacker supplying a crafted config file to overwrite internal pointers via cleanarg, leading to a write-what-where primitive and potential remote code execution. Affected version: curl 8.13.0...
AWS VDP: Non-Production API Endpoints for the Route 53 Service Fail to Log to CloudTrail Resulting in Silent Permission Enumeration
The non-production API endpoints for the Route 53 service failed to log to CloudTrail, resulting in silent permission enumeration. Two non-production endpoints were found that could be used with standard IAM credentials without logging to CloudTrail. This allowed an adversary to perform permissio...
WakaTime: Leaked credentials (emails and passwords, etc...)
The security researcher reported the discovery of a large number of leaked credentials, including emails and passwords, on a Telegram bot. The source of the leaked data is unknown, but the volume of exposed information is substantial. The researcher did not attempt to verify the validity of the...
Revive Adserver: Reflected Cross-Site Scripting (XSS) in Revive Adserver 5.5.2
A reflected Cross-Site Scripting (XSS) vulnerability has been identified in Revive Adserver version 5.5.2. This vulnerability allows an attacker to inject malicious JavaScript code into the application, which is then executed in the context of the victim's browser. The vulnerability is present in t...
WakaTime: Login Information and Credentials Have Been Leaked on wakatime.com
A security vulnerability was identified on wakatime.com, where user login information, including usernames and passwords, was leaked to the public. The issue appears to have been caused by insufficient protection of sensitive data, potentially due to inadequate encryption or improper handling of...
Mars: insecure deserialize object leads to RCE On Sitecore (CVE-██████████-27218)
This critical vulnerability involved an insecure deserialization issue in Sitecore implementation, which was assigned CVE-2025-27218. The vulnerability allowed remote code execution through unsanitized user input in the ThumbnailsAccessToken header. The vulnerability was remediated by removing...
curl: Memory leak from doh_write_cb
Summary: (summary of the vulnerability) A memory leak found by curl_fuzzer_http. Affected version: (Which curl/libcurl version are you using to reproduce? On which platform? curl -V typically generates good output to include) curl 8.13.0-DEV x86_64-apple-darwin23.6.0 libcurl/8.13.0-DEV OpenSSL/1.0.2n...
IBM: Middleware Authentication Bypass on IBM Portal
The vulnerability of middleware authentication bypass on the IBM Portal endpoint was reported, analyzed, and remediated. The discovery was reported by an external researcher...
Brave Software: Prompt Injection via GitHub Patch in Brave AI Chat (Leo)
Component: Brave AI Chat (brave-core/components/ai_chat/). Severity: High. Confirmed ability to override AI instructions and persona via fetched content. Vulnerability Summary: The Brave AI Chat feature allows fetching .patch files from GitHub pull request pages to use as context. A combination of...
Lichess: Weak Rate Limiting Controls in the (LOGIN) page Expose System to Brute Force and DoS Attacks
Summary: The login page lacks proper rate limiting, allowing an attacker to easily perform a brute-force attack. This vulnerability enables the attacker to systematically try different username and password combinations until they successfully compromise any account, which poses a significant...
Bykea: IDOR on in-app hardcoded zombie endpoint
The researcher discovered an Insecure Direct Object Reference (IDOR) vulnerability in a hardcoded legacy zombie endpoint that was no longer actively used but remained accessible. By reverse engineering the Android app and reviewing the code for unused endpoints, the sensitive details related to...
IBM: Information disclosure on IBM training service endpoint
The IBM training service endpoint had an information disclosure vulnerability that was reported to IBM, analyzed, and remediated. The vulnerability was discovered and reported by an external researcher...
Node.js: Corrupted pointer in node::fs::ReadFileUtf8(const FunctionCallbackInfo<Value>& args) when args[0] is a string.
In Node.js, the ReadFileUtf8 internal binding was found to have a memory leak due to a corrupted pointer in uv_fs_s.file. A UTF-16 path buffer was allocated and subsequently overwritten when the file descriptor was set, leading to an unrecoverable memory leak on every call...
AWS VDP: Private AWS AMIs are temporarily being exposed publicly
Temporary public exposure of private AWS AMIs was discovered. Multiple AMIs with internal AWS-related content were found in the public AMI community catalog, but were quickly removed. An EC2 instance was successfully created using one of the exposed AMIs, revealing the presence of undocumented...
Internet Bug Bounty: Possible Sensitive Session Information Leak in Active Storage
There was a possible sensitive session information leak in Active Storage. Active Storage incorrectly sent the user's session cookie along with a Cache-Control: public header when serving files (blobs). This allowed certain caching proxies to cache the response, including the Set-Cookie header,...
hostinger: 1 Click Account Takeover via Auth Token Theft on marketing.hostinger.com
The vulnerability discovered in the marketing.hostinger.com subdomain allowed for one-click account takeover through the theft of authentication tokens. An attacker could exploit the whitelisted redirect functionality of the subdomain to steal a victim's authentication token, which could then be...
Khan Academy: Unauthorized Account Access via Leaked Credentials in URL Format (Account Takeover )
The vulnerability allowed attackers to access user accounts on khanAcademy.com using leaked credentials that were publicly available. The credentials were found in clear text format on a third-party website. By entering the email and password, the attacker could perform an account takeover withou...
LinkedIn: HTML Injection in LinkedIn Premium Support Chat
The vulnerability exists in the LinkedIn Premium support chat interface where unsanitized HTML input was rendered directly in the chat window. An attacker could have exploited this by injecting malicious HTML such as clickable links, potentially leading to phishing or redirection attacks on...
RubyGems: Memory leak in gem decode logic can allow attacker to take down Rubygems.org application
A memory leak vulnerability was discovered in the gem decode logic of the Rubygems.org application. The vulnerability allowed an attacker with a valid API key to set arbitrary instance variables during the decoding of gem metadata, which would cause the server to exhaust its memory. The issue was...
Basecamp: Two click Account Takeover
A vulnerability was discovered in the HEY Email Android application that allowed for a two-click account takeover. Improper handling of incoming deeplinks led to the application's authorization bearer token being sent to an attacker-controlled server if the user could be tricked into clicking a...
Internet Bug Bounty: Apache Airflow Sql injection by authenticated user
Apache Airflow versions 2.10.5 were affected by a vulnerability that allowed an attacker to manipulate query construction, leading to an SQL Injection vulnerability. The vulnerability was present in the SQLColumnCheckOperator, which could result in remote code execution...
U.S. Dept Of Defense: [Critical Data Breach] Exposure of PII Data Leak via API Response
A critical information disclosure vulnerability was discovered, exposing sensitive user data via an API response. The leaked data included personal information such as full name, email, and phone number...
Internet Bug Bounty: Apache Airflow Fab Provider: Application does not invalidate session after password change via Airflow cli
The Apache Airflow Fab Provider before version 1.5.2 was affected by an insufficient session expiration vulnerability. When a user's password was changed using the admin CLI, the existing user sessions were not cleared, allowing logged-in users to continue accessing the system even after the...
AWS VDP: Amazon Pinpoint SMS and Voice, version 2 Service Reporting "AWS Internal" for CloudTrail Events Generated from FIPS Endpoints
The Amazon Pinpoint SMS and Voice, version 2 service was found to incorrectly report the user-agent and network information as "AWS Internal" for five specific API endpoints that are FIPS endpoints. This issue was discovered to be similar to a previous bug reported for the Comprehend Medical and...
Lichess: Direct IP Access to Website
Summary: The website is accessible directly via its IP address 37.187.205.99, which may bypass domain-based security policies and expose potential misconfigurations. Steps To Reproduce: 1. Open a web browser and enter the IP address: http://37.187.205.99 2. Observe that it loads the main website...
AWS VDP: Non-Production API Endpoints for the Neptune Graph Service Fail to Log to CloudTrail Resulting in Silent Permission Enumeration
The non-production API endpoints for the Neptune Graph Service were found to fail logging to CloudTrail, resulting in silent permission enumeration. Specifically, seven non-production endpoints were identified that could be used with standard IAM credentials without generating CloudTrail logs. Th...
Nintendo: [Xenoblade Chronicles X: Definitive Edition] Unrestricted RPCs allow DoS and writing arbitrary flags remotely
The Xenoblade Chronicles X: Definitive Edition vulnerability allowed attackers to perform Denial-of-Service (DoS) attacks and write arbitrary flags remotely due to unrestricted Remote Procedure Calls (RPCs)...
U.S. Dept Of Defense: Debug Info Disclosure
A debug information disclosure vulnerability was discovered. The vulnerability allowed the disclosure of debug output information through a specific request parameter. The vulnerability has been reported but no further details are provided...
Mars: ███████ - Publicly Accessible public_html Directory Exposing WordPress Configuration
A publicly accessible directory containing sensitive WordPress configuration files, including database credentials, authentication keys, and API secrets, was discovered. The vulnerability allowed unauthorized access to critical system information through a downloadable zip file. The security team...
Mars: debug.log leaked [█████████]
The report identified a security vulnerability in the visitor management system that exposed a debug log file containing personally identifiable information. The log file was publicly accessible without authentication, allowing unauthorized access to sensitive user data. The vulnerability was...
Hiro: Logout Bypass Vulnerability in Hiro.so
Summary A logout bypass vulnerability has been identified on platform.hiro.so, allowing users to regain access to their session after logging out simply by pressing the back button on the browser. This issue arises due to improper session invalidation and potential caching misconfigurations. If...
IBM: Path Traversal Vulnerability found on IBM Cloud
The path traversal vulnerability on IBM Cloud was reported by an external researcher, analyzed, and remediated. The vulnerability has been addressed...
Discourse: Application Level DoS - Large Markdown Payload in Reply Section Leading to Resource Exhaustion
A Denial of Service (DoS) vulnerability was identified in the reply section of the web application. Submitting an excessively large markup payload (approximately 800,000 characters) resulted in the server taking 30 seconds to respond before returning an HTTP/2 502 Bad Gateway error, indicating...
AWS VDP: Bedrock Guardrails Evasion with Prompt Formatting
Description Greetings, my name is ██████ and I am a Director here at NR Labs. We recently completed disclosure of this vulnerability by working with ████ and the AWS Security team. We are submitting this issue to the AWS VDP to create an official record of the issue with AWS in preparation for a...