Basecamp: DOM XSS in `fizzy.do` import filename preview enables one-click victim account takeover
A DOM XSS vulnerability was discovered in the file import functionality of the Fizzy application. The vulnerability allowed an attacker to craft a malicious filename that, when previewed by the victim user, would inject a second form submission into the import page. This enabled the attacker to...
LinkedIn: Access to Deactivated LinkedIn Company Pages via Competitor Analytics API
A vulnerability was discovered in LinkedIn's Competitor Analytics API that permitted authenticated users to access analytics data for deactivated company pages...
curl: SMB READ_ANDX DataOffset not validated
Summary: in smb_request_state() case SMB_DOWNLOAD, curl reads two server-controlled fields from a READ_ANDX response and uses them to decide where in the receive buffer file data starts. (lib/smb.c) len = Curl_read16_le((const unsigned char *)msg + sizeof(struct smb_header) + 11); off = Curl_read16_le((const...
Ruby on Rails: Rails::HTML::Sanitizer.allowed_uri? returns true for entity-encoded control-character-split javascript: URLs
A vulnerability was discovered in the Rails::HTML::Sanitizer.allowed_uri? method of the rails-html-sanitizer library. The method incorrectly returned true for entity-encoded control-character-split javascript: URLs, which could lead to potential security issues if the application relied on the...
Lovable VDP: Bypass of Open Redirect Fix on lovable.dev via /..// Path Traversal in redirect parameter
A bypass was discovered for a previously patched open redirect vulnerability on a web application. The original fix blocked certain payloads, but failed to account for path traversal sequences combined with double slashes. By supplying a specific redirect value, an attacker could still redirect...
curl: Curl_compareheader() fails to match multi-value HTTP headers
Summary: Curl_compareheader() in lib/http.c fails to scan the full value of HTTP headers for substring matches. Due to an incorrect loop condition, only the first byte position of the header value is checked. This causes curl to miss connection options like close when they appear as non-first tokens ...
curl: urlapi: off-by-one in custom scheme validation skips last character
Summary: In lib/urlapi.c, the seturlscheme function has an off-by-one error when validating custom scheme names. The validation loop checks scheme[0] twice (once by ISALPHA, once in the loop) and never checks the last character. This allows schemes ending with any arbitrary byte (e.g., foo!, bar, bad/) ...
curl: NULL Pointer Dereference (DoS) in libcurl SFTP QUOTE command parsing due to missing return statement
Summary: A logic flaw in lib/vssh/libssh2.c causes a NULL pointer dereference when parsing SFTP QUOTE commands with trailing garbage. The function returnquoteerror is called to handle errors and free memory, but the return keyword is missing in several blocks (e.g., lines 840, 857, 870). This allow...
curl: CURLOPT_UNRESTRICTED_AUTH Dangerous Default Documentation Gap
Summary: CURLOPT_UNRESTRICTED_AUTH=1 instructs libcurl to send credentials to ALL hosts during redirect chains, 'possibly again and again as the following hosts can keep redirecting to new hosts.' The documentation explicitly warns this is dangerous, but the default behavior is also risky: curl onl...
curl: Connection Reuse Ignores OAuth Bearer Token Mismatch
Summary: The connection pool reuse function url_match_conn in lib/url.c checks oauth_bearer in its credential match block — but only for protocols marked as requiring per-connection credentials. For HTTP, OAuth bearer is passed as a header, not a protocol-level credential. If a libcurl application...
Nextcloud: Stored XSS in attachment-display exploitable through SameSite
A stored XSS vulnerability was discovered in the attachment-display feature of Roundcube. By uploading an HTML file and opening it through the display-attachment endpoint, the embedded script could execute under the Roundcube origin. The issue was caused by the lack of a restrictive Content...
IBM: Potential Subdomain Takeover on IBM.com domain.
A potential subdomain takeover on an IBM.com domain was reported to IBM, analyzed, and remediated...
curl: Use-After-Free in SMB connection reuse (req->path dangling pointer after needle destruction)
Summary: A heap-use-after-free occurs in smb_send_open at lib/smb.c when curl processes two SMB URLs targeting the same host. The function smb_parse_url_path sets req->path as a non-owning pointer into smbc->share (connection-owned memory). During connection reuse, the needle connection is freed via...
curl: CVE-2026-3805: use after free in SMB connection reuse
Summary: A heap-use-after-free occurs in smb_send_open at lib/smb.c when curl processes two SMB URLs targeting the same host. The function smb_parse_url_path sets req->path as a non-owning pointer into smbc->share (connection-owned memory). During connection reuse, the needle connection is freed via...
Lovable VDP: Business Logic Bypass Allows Setting “Read Access” Role Without Pro Plan Subscription
A business logic vulnerability was identified that allowed users on a free plan to generate an invitation link that assigned the "Read Access" role, which was intended to be restricted to users with a Pro Plan subscription. The vulnerability was triggered by manipulating the invitation creation...
AWS VDP: SQL Injection Detection Bypass in AWS WAF Managed Rules (AWSManagedRulesSQLiRuleSet)
Researchers: this vulnerability was discovered through collaborative security research. Researchers: █████, █████████, █████████. Summary: AWS WAF fails to detect certain SQL injection payload variants. These payloads bypass the AWS WAF SQL injection detection rules and reach the backend...
Nextcloud: position: fixed !important bypasses CSS sanitizer's fixed-position mitigation, enabling full-viewport phishing overlays.
A vulnerability was discovered in the CSS sanitization process of the Roundcube webmail application. The sanitizer failed to properly handle the "position: fixed !important" CSS declaration, allowing an attacker to bypass the mitigation for fixed-position overlays. This could enable the creation ...
Nextcloud: Unquoted body background attribute enables CSS injection that bypasses remote image blocking
A vulnerability was discovered in Roundcube's HTML sanitizer that enabled CSS injection when the allow_remote option was set to false. The sanitizer failed to quote the value of the background attribute from the email's body element, allowing a crafted data: URI to terminate the url() function and inject...
Nextcloud: SMIL values and by attributes bypass remote image blocking via unvalidated resource-loading animations, enabling email tracking without consent
A vulnerability was discovered in the HTML sanitizer of the Roundcube webmail client. The vulnerability allowed attackers to bypass the "Block remote images" security feature by using SMIL animation attributes to load arbitrary external resources without validation. This could have enabled email...
Rocket.Chat: RBAC bypass on App log endpoints via `permissionRequired` typo — any authenticated user reads admin-only Enterprise App logs
Vulnerability description not provided...
Enjin: Unauthenticated File Upload to CDN
An unauthenticated file upload vulnerability was discovered in the NFT.io platform. The vulnerability allowed an unauthenticated user to upload files to the platform's content delivery network. The issue was reported and promptly fixed by the Enjin team, despite the low-impact nature of the...
AWS VDP: QuickSight Authorization Bypass: Chat Agents Accessible Despite Custom Permissions Denial
A vulnerability was discovered in Amazon Quick Suite (formerly QuickSight) that allowed users to access and interact with AI chat agents, despite administrative restrictions being in place to disable this functionality. The vulnerability was caused by the lack of proper server-side authorization...
curl: CVE-2026-3784: wrong proxy connection reuse with credentials
Summary: libcurl may reuse an existing HTTP proxy CONNECT tunnel without matching proxy credentials when selecting a reusable connection. In lib/url.c, url_match_proxy_use calls proxy_info_matches (lib/url.c:930-935 → lib/url.c:589-595), and that matcher compares proxy type, host, and port but does not...
curl: In curl's SASL OAUTHBEARER authentication, including the SOH character (0x01) in the username corrupts the message structure.
Summary: This vulnerability arises because curl fails to validate the contents of the username when constructing OAuth2 authentication messages. Depending on the server-side implementation, this could lead to log tampering or credential spoofing. Affected version curl 8.18.0...
curl: LM Challenge-Response Hash Always Sent in SMB Authentication
Summary: The curl SMB client unconditionally computes and sends both the legacy LAN Manager (LM) and NT challenge-response hashes during SMB session setup. The LM hash is cryptographically broken — it splits the password into two 7-charact...
curl: SSTI leads to Command injection
Summary: Hi team, I am a new researcher searching for pleasure; excuse me for poor technical details. The parameter os is vulnerable to SSTI leading to command injection. Affected version: curl/7.55.1. Steps To Reproduce: I tried to inject the os parameter curl -ospopen'sleep 10'.read --url...
curl: CVE-2026-3783: token leak with redirect and netrc
Summary: When --oauth2-bearer is used with --netrc and curl follows a redirect, the bearer token leaks to the redirect target. The netrc bypass at http.c:822 skips Curl_auth_allowed_to_host, allowing the token through. This is an incomplete fix for CVE-2025-14524 — the Dec 2025 SASL fix patched...
Node.js: HTTP Response Queue Poisoning via TOCTOU Race Condition in `http.Agent`
Vulnerability description not provided...
Lovable VDP: Open Redirect on lovable.dev via redirect parameter leads to phishing attacks
An open redirect vulnerability was discovered on the website lovable.dev. After logging in, a request was sent to a URL with a 'redirect' parameter. By supplying a backslash-prefixed value for the 'redirect' parameter, the user could be redirected to an external domain. This vulnerability could...
Ruby on Rails: ActiveStorage Disk Service Path Traversal via Custom Blob Key Injection
A vulnerability was discovered in the ActiveStorage Disk Service component of Ruby on Rails. The vulnerability allowed an attacker to achieve arbitrary file write, read, and delete on the server's filesystem by injecting a malicious blob key. The vulnerability was due to insufficient validation o...
curl: Use after free in hyperfifo example
Summary: THIS ONLY IS AN ISSUE IN EXAMPLE CODE, NOT CURL ITSELF! In the hyperfifo example the event base is freed before curl_multi_cleanup is called. This leads to a use after free in the addsocket callback, when libevent tries to lock a mutex in the base event during the curl shutdown. Link t...
IBM: SQL Injection vulnerability found on ibm.com endpoint
A SQL injection vulnerability was found on an ibm.com endpoint. The vulnerability was reported to IBM, analyzed, and remediated...
curl: Curl Telnet Handler Buffer Overflow
Summary: I found a buffer overflow in curl's telnet protocol handler that allows remote memory corruption without authentication. The bug is in the CURL_SB_ACCUM macro in lib/telnet.c line 69, where the bounds check lets you write one byte past the end of a 512-byte buffer. When curl receives 512+...
curl: RTSP RTP Interleaved Parser Assertion Failure (Zero-Length RTP Payload)
Summary: I am submitting this as a security issue primarily due to how it was discovered and that it's my first Curl submission, but I suspect I might be overly cautious here. This issue was discovered as part of the AIXCC competition, and I am assisting on reporting true positive findings to...
curl: Integer Overflow in curl_multi_get_handles() Leading to Heap Buffer Overflow
Summary: The curl_multi_get_handles function in lib/multi.c contains an integer overflow vulnerability when the number of easy handles in a multi handle approaches UINT_MAX (4,294,967,295). When count == UINT_MAX, the expression coun...
curl: Able to bypass HSTS using trailing dot
Summary: curl allows users to load an HSTS cache, which causes curl to use HTTPS instead of HTTP for an HTTP URL to a site listed in the HSTS cache. Affected version: the curl version used for reproducing this issue is 8.16.0. curl --version: curl 8.16.0 Windows libcurl/8.16.0 Schannel...
Nextcloud: Group restriction bypass via bearer token in user_oidc (SETTING_RESTRICT_LOGIN_TO_GROUPS not enforced in Backend::getCurrentUserId)
A security inconsistency was identified in the user_oidc app where group-based login restrictions were enforced in the browser OIDC flow but not in bearer token validation. This could have allowed users outside whitelisted groups to access the Nextcloud API with a valid bearer token...
Rocket.Chat: Complete authentication bypass to admin permissions
Vulnerability description not provided...
Node.js: Denial of Service via `__proto__` header name in `req.headersDistinct` (Uncaught `TypeError` crashes Node.js process)
Vulnerability description not provided...
GitHub: Cross-repository IDOR in `/settings/security_analysis/bypass_reviewers` allows unauthorized delegated bypass reviewer modification
A vulnerability was identified in GitHub Enterprise Server that allowed an attacker with admin access on one repository to modify the secret scanning push protection delegated bypass reviewer list on another repository. Authorization was verified against the repository in the URL, but the action...
Node.js: Node.js Permission Model bypass: UDS server bind/listen works without `--allow-net`
Vulnerability description not provided...
Nintendo: Splatoon 3 In-Match Integrity Bypass via Consensus Reflection Attack on Unordered Peer Submission
A consensus reflection attack on unordered peer submission was discovered in Splatoon 3, allowing an in-match integrity bypass...
AWS VDP: Command Injection via Unsanitized Bundling Options in `aws-cdk-lib/aws-lambda-nodejs`
Asset: aws-cdk-lib npm package (source: https://github.com/aws/aws-cdk). Severity: High. CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'). Summary: The NodejsFunction construct in aws-cdk-lib/aws-lambda-nodejs constructs a shell command string...
Python Cryptographic Authority: Fail-Open in set_tlsext_servername_callback on pyopenssl via unhandled exceptions leads to security bypass
A vulnerability was discovered in the pyopenssl library's handling of the Server Name Indication (SNI) callback set_tlsext_servername_callback. The internal wrapper for this callback catches all Python exceptions raised by user code but returns 0 (Success/SSL_TLSEXT_ERR_OK) to the underlying OpenSSL engine...
AWS VDP: Arbitrary Code Execution via Scanner Bypass in **aws-diagram-mcp-server** `exec()` Namespace
Description: The aws-diagram-mcp-server contains an arbitrary code execution vulnerability in diagrams_tools.py. User-supplied Python code is executed via exec(code, namespace) at line 305 with a namespace containing the full os module, urlretrieve, and Python builtins. A security scanner, scanner.py...
PortSwigger Web Security: HTML Injection in DAST Trial Request Form Confirmation Email – PortSwigger
A vulnerability was discovered in the DAST trial request form on the website, where user input in the "First Name" field was not properly sanitized before being included in confirmation emails. This allowed the injection of arbitrary HTML content, which would be rendered in the recipient's email...
Node.js: Incomplete fix for CVE-2026-21637: loadSNI() in _tls_wrap.js lacks try/catch leading to Remote DoS
A flaw was discovered in the Node.js TLS error handling that left SNICallback invocations unprotected against synchronous exceptions. This represented an incomplete fix of the prior CVE-2026-21637 vulnerability, where the equivalent ALPN and PSK callbacks were already addressed. The issue could...
Monero: Inverted ternary in peerlist_manager::filter() allows unlimited whitelist entries per host via different ports
The peerlist_manager::filter function in the Monero project's p2p/net_peerlist.h file contained an incorrect ternary operator that operated on the wrong peer list. When called with 'white=true', it filtered the gray list instead of the white list. As a result, a single host could accumulate unlimit...
Node.js: Assertion error in node_url.cc via malformed URL format leads to Node.js crash
An assertion error in node_url.cc via malformed URL format leads to a Node.js crash. A flaw in the URL processing caused an assertion failure in the native code when url.format was called with a malformed internationalized domain name containing invalid characters, crashing the Node.js process. Th...
Basecamp: Improper Access Control in `fizzy.do` import flow allows cross-tenant ActionText reference resolution and data disclosure
The vulnerability allowed for cross-tenant ActionText reference resolution and data disclosure during the account import flow. The import process did not properly verify the ownership of the referenced records before minting signed global IDs, enabling an attacker to access and disclose data from...