curl: SMTP Command Injection Vulnerability in libcurl 8.16.0 via RFC 3461 Suffix
Executive Summary: libcurl version 8.16.0 contains a critical SMTP command injection vulnerability (CVE-quality) in the implementation of RFC 3461 Delivery Status Notification (DSN) parameter support. The vulnerability allows an attacker to inject arbitrary SMTP commands by including CRLF (\r\n)...
Nextcloud: Predictable proposal participant tokens enable unauthorized access and vote submission
A vulnerability was discovered in predictable proposal participant tokens, which enabled unauthorized access and vote submission...
arkadiyt-projects: Arbitrary File Write
A path traversal vulnerability was discovered in the protodump tool. The vulnerability allowed for arbitrary file writes outside the intended output directory due to insufficient validation of the go_package option extracted from embedded protobuf descriptors. The Filename function extracted the...
arkadiyt-projects: DNS Rebinding Attack
Hi, there is a DNS rebinding vulnerability in your SSRF filter. You validate the hostname's IP address, but then pass the hostname to Net::HTTP.start, which does its own DNS lookup. An attacker can control a DNS server that returns a safe public IP during validation, then returns 127.0.0...
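The fix pattern for the rebinding report above, as an added example in Python (not the project's own code): resolve once, validate every returned address, and hand the HTTP layer the validated IP rather than the name, keeping the hostname only for the Host header. The resolver and the HTTP "open" are stand-ins injected as functions so the block runs offline; the attacker's DNS answers (93.184.216.34 first, 127.0.0.1 afterwards) and the hostname attacker.example are constructed for the example.

```python
import ipaddress
from typing import Callable, Dict, Iterable, List
from urllib.parse import urlsplit

# Added example, not the project's code. The defect in the report (validate the
# name's address, then hand the *name* to an HTTP library that resolves it again)
# is shown next to the pinned version (resolve once, validate every answer,
# connect to that address, keep the hostname only for Host / SNI).

Resolver = Callable[[str], Iterable[str]]


def is_public_address(text: str) -> bool:
    """True only for addresses an SSRF filter should let a fetch reach."""
    ip = ipaddress.ip_address(text)
    # ::ffff:127.0.0.1 must be judged as 127.0.0.1, not as a public IPv6 address.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global already excludes loopback, RFC 1918, link-local (169.254/16, hence
    # the cloud metadata endpoint), 100.64/10 and the other IANA special ranges.
    return ip.is_global and not ip.is_multicast


class RebindingResolver:
    """Constructed attacker-controlled DNS: a public answer first, loopback after."""

    def __init__(self) -> None:
        self.calls = 0

    def __call__(self, hostname: str) -> List[str]:
        self.calls += 1
        return ["93.184.216.34"] if self.calls == 1 else ["127.0.0.1"]


def library_open(target: str, port: int, host_header: str, resolver: Resolver) -> Dict[str, object]:
    """Stand-in for Net::HTTP.start: given a *name*, it performs its own lookup."""
    try:
        ipaddress.ip_address(target)
        ip = target
    except ValueError:
        ip = list(resolver(target))[0]
    return {"connected_to": ip, "port": port, "host_header": host_header}


def fetch_unpinned(url: str, resolver: Resolver) -> Dict[str, object]:
    """The vulnerable shape from the report: check, then let the library resolve again."""
    parts = urlsplit(url)
    host, port = parts.hostname, parts.port or 80
    for addr in resolver(host):
        if not is_public_address(addr):
            raise ValueError(f"{host} -> {addr} is not public")
    return library_open(host, port, host, resolver)  # second lookup happens in here


def fetch_pinned(url: str, resolver: Resolver) -> Dict[str, object]:
    """Resolve once, validate every answer, connect to the validated address."""
    parts = urlsplit(url)
    host, port = parts.hostname, parts.port or 80
    answers = list(resolver(host))
    if not answers:
        raise ValueError(f"{host} did not resolve")
    for addr in answers:
        if not is_public_address(addr):
            raise ValueError(f"{host} -> {addr} is not public")
    # Connect to the IP we checked; the hostname only goes into Host (and SNI for TLS).
    return library_open(answers[0], port, host, resolver)


if __name__ == "__main__":
    print(fetch_unpinned("http://attacker.example/", RebindingResolver()))  # lands on 127.0.0.1
    print(fetch_pinned("http://attacker.example/", RebindingResolver()))    # stays on 93.184.216.34
```

The same check has to run again after every redirect, and for HTTPS the connection to the pinned IP still needs SNI and certificate verification against the original hostname.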
AWS VDP: Responsible disclosure - public S3 bucket exposing JSON/config files
A publicly listable S3 bucket was discovered, exposing various JSON and configuration files. The bucket listing and file metadata were retrievable without authentication...
Nextcloud: BOLA/IDOR in Out-of-Office API allows any authenticated user to read other users' absence data
Summary: The Out-of-Office (OOO) API endpoints at /ocs/v2.php/apps/dav/api/v1/outOfOffice/{userId} and /ocs/v2.php/apps/dav/api/v1/outOfOffice/{userId}/now suffer from a Broken Object Level Authorization (BOLA) vulnerability. Any authenticated user can retrieve the out-of-office data of any other user by...
curl: Missing enforcement of SFTP quote syntax can lead to operation on wrong object
Summary: curl supports -Q or --quote (and libcurl CURLOPT_QUOTE) to specify "commands" to execute for FTP and SFTP connections. SFTP supports commands that perform operations on filesystem objects. When the object path has a filename, the caller is supposed to quote the parameter (example: -Q...
lemlist: Unauthorized Password Reset Allows Account Takeover Across Tenant Boundaries
An authorization issue was discovered in the application that allowed a tenant admin to change the password of another user within the same tenant, including invited agency accounts. The victim had to first accept the invitation before the attacker could proceed. The issue could allow unintended...
HackerOne: Lack of Validation in Reward Redemption Allows Unlimited Burp Suite License Abuse
A vulnerability was discovered in the reward redemption process of a points and rewards system. The vulnerability allowed an attacker to obtain multiple valid Burp Suite Pro licenses by using different email addresses, without any validation or verification tied to the user's account. The email...
Mars: Sensitive information exposed at [redacted] via /export_panelists_to_xlsx endpoint
A vulnerability was identified that allowed unauthorized access to personally identifiable information through an unprotected API endpoint. The vulnerability exposed user email addresses and telephone numbers. The issue was classified under CWE-312 with a CVSS score of 6.1. The vulnerability was...
curl: Apple SecTrust legacy path accepts untrusted certificates on pre-10.14 macOS/iOS when built with USE_APPLE_SECTRUST
Summary: When libcurl is built with USE_APPLE_SECTRUST and runs on Apple OS versions that lack SecTrustEvaluateWithError (before macOS 10.14 / iOS 12), the legacy verification path miscompares OSStatus to SecTrustResultType and never checks the SecTrust result. This can cause untrusted certificates to be...
curl: OpenSSL backend: X509 peer certificate not freed in ossl_get_channel_binding causes per-request memory leak (DoS risk for long-lived clients)
Summary: In curl's OpenSSL backend, ossl_get_channel_binding retains a new reference to the server's X509 certificate via SSL_get1_peer_certificate and never releases it. When Negotiate (SPNEGO) over TLS is in use, this path is invoked and leaks one X509 object per trigger. Over many requests in a...
Tucows (VDP): Information Disclosure via Accessible debug.log on ExactHosting
Vulnerability description not provided...
Lovable VDP: Improper Authorization Leads to Editor can toggle admin-only workspace features (Lovable AI)
The API endpoint /workspaces//tool-preferences/aigateway/enable did not enforce proper authorization checks. As a result, an account with the Editor role was able to disable the workspace-wide admin-only Lovable AI feature, which powers key AI functionalities across the workspace...
Lovable VDP: Improper Authorization Leads to Editor can toggle admin-only workspace features (Lovable Cloud)
A vulnerability was discovered where an account with the Editor role could call an API endpoint that disabled workspace-wide admin-only features. This was due to a lack of server-side role checks, allowing a vertical privilege escalation...
Tucows (VDP): Unauthenticated Access Control Bypass - Private WordPress Post Disclosure (Outdated WordPress 4.9.40)
Vulnerability description not provided...
Lovable VDP: Users can change project visibility which requires high subscription by just changing request body
A Broken Access Control vulnerability was discovered that allowed users to change project visibility to higher subscription tiers by modifying the request body. The visibility was changed from the default setting to Personal or Workspace, bypassing subscription checks and enabling unauthorized...
Lovable VDP: Low-privileged user can enable or disable Lovable AI for new projects in workspace
A vulnerability was discovered that allowed low-privileged users to enable or disable Lovable AI for new projects in a workspace. The vulnerability was caused by improper authorization, which enabled low-privileged users to modify the Lovable AI settings by replaying certain API endpoints...
Nextcloud: tabnabbing in roundcube webmail
A tab nabbing vulnerability was discovered in Roundcube webmail. This vulnerability allowed a malicious website opened in a new tab to access the initial tab and change its location. This could be exploited to perform phishing attacks...
Tucows (VDP): CSRF allowing unauthorized modification of user Notes on [redacted]
A CSRF vulnerability was discovered that allowed unauthorized modification of user notes. The vulnerability was present in the endpoint that handled saving the notes. The endpoint did not implement proper CSRF protection, allowing an attacker to craft a malicious link that could be used to modify...
curl: Unsanitized IPFS CID Allows SSRF Against Configured Gateway
Summary: ipfs_url_rewrite in src/tool_ipfs.c decodes the host component (CID) of ipfs:// / ipns:// URLs using CURLU_URLDECODE and then concatenates that decoded value directly into the gateway path (aprintf("%s%s/%s%s", ...)) without normalization or validation. A crafted host value (for example...
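An added example in Python (not curl's code) of the validation the report above says is missing: the host part of an ipfs:// URL is checked as a CID before any percent-decoding and only then spliced into the gateway path, with the naive decode-and-concatenate shape beside it for comparison. The gateway URL, the example CIDs and the traversal input are constructed for the example; ipns:// names (which may be DNS names) are deliberately not handled here.

```python
import re
from urllib.parse import unquote, urlsplit

# Added example, not curl's code. The unsafe shape (decode the host, then
# concatenate) next to a version that accepts only a syntactically valid CID,
# taken from the URL *before* any percent-decoding.

GATEWAY = "https://ipfs.io"  # assumed gateway for the example

# CIDv0: "Qm" followed by 44 base58btc characters (no 0, O, I, l).
CIDV0 = re.compile(r"Qm[1-9A-HJ-NP-Za-km-z]{44}")
# CIDv1 in the usual multibase 'b' form: lowercase base32 (RFC 4648, no padding).
# The length bounds are generous but keep out obvious junk.
CIDV1_BASE32 = re.compile(r"b[a-z2-7]{50,120}")


def is_cid(value: str) -> bool:
    """Accept only the two CID spellings above; '%', '.', '/' can never appear."""
    return bool(CIDV0.fullmatch(value) or CIDV1_BASE32.fullmatch(value))


def rewrite_naive(url: str, gateway: str = GATEWAY) -> str:
    """Decode the host, then concatenate: attacker-controlled '..' reaches the gateway path."""
    parts = urlsplit(url)
    cid = unquote(parts.netloc)  # "..%2F..%2Fadmin" becomes "../../admin"
    return f"{gateway}/ipfs/{cid}{parts.path}"


def rewrite_ipfs_url(url: str, gateway: str = GATEWAY) -> str:
    """Validate the raw host as a CID and refuse dot segments in the path."""
    parts = urlsplit(url)
    if parts.scheme != "ipfs":
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    cid = parts.netloc  # raw, pre-decoding
    if not is_cid(cid):
        raise ValueError(f"host is not a CID: {cid!r}")
    for segment in parts.path.split("/"):
        if unquote(segment) in (".", ".."):
            raise ValueError(f"dot segment in path: {parts.path!r}")
    return f"{gateway}/ipfs/{cid}{parts.path}"


def is_rejected(url: str) -> bool:
    """True if the hardened rewrite refuses this URL."""
    try:
        rewrite_ipfs_url(url)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed traversal input: the "host" is percent-encoded "../../admin".
    evil = "ipfs://..%2F..%2Fadmin/x"
    print(rewrite_naive(evil))          # .../ipfs/../../admin/x -> normalizes to /admin/x
    print(is_rejected(evil))            # True
    good = "ipfs://QmYwAPJzv5CZsnA625s3Xf2nemtYgPpHdWEz79ojWnPbdG/readme"
    print(rewrite_ipfs_url(good))
```

Checking the raw host is the important part: once the value has been decoded, "%2e%2e" and ".." are indistinguishable, so the check must run on the bytes the URL actually carried.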
curl: AWS SigV4 Signature Disclosure via Verbose Logging in libcurl
Summary: When libcurl is built with AWS SigV4 support, enabling verbose logging (CURLOPT_VERBOSE or --verbose) causes the library to print both the string-to-sign and the final HMAC signature into logs. Because signatures remain valid for several minutes and are derived directly from AWS credentials,...
Nextcloud: WebAuthn app was updated based on public key
Vulnerability description not provided...
Mars: Publicly accessible `[redacted]` endpoint exposing internal user identifiers and email addresses
A publicly accessible JSON API endpoint was found to expose sensitive user information, including internal identifiers and email addresses. The vulnerability was classified as an information disclosure issue with a medium severity rating. The problem was remediated by implementing proper...
curl: SMTP Command Injection Vulnerabilities in curl
Summary: Successfully reproduced SMTP command injection vulnerabilities in curl that allow attackers to inject arbitrary SMTP commands by using carriage return and line feed characters (\r\n) in email addresses. Vulnerabilities Confirmed: 1. MAIL FROM Injection. Description: Injection via --mail-from...
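Both SMTP injection reports on this page (the RFC 3461 DSN suffix one and the --mail-from one above) come down to a caller-supplied string being spliced into a MAIL FROM line with CR/LF intact. As an added example in Python, not libcurl's code, the block below shows the naive builder next to one that rejects control bytes in the reverse-path and accepts only well-formed RFC 3461 parameters. The address grammar is deliberately simplified (no quoted local parts), the xtext class for ENVID is approximated, and the attacker input is constructed.

```python
import re
from typing import Iterable, Optional

# Added example, not libcurl's code: building an SMTP MAIL FROM line from a
# caller-supplied reverse-path plus optional RFC 3461 DSN parameters without
# letting the caller terminate the command early.

# A bare CR, LF or any other control byte inside a command line ends it; the
# rest of the string is then read by the server as a new SMTP command.
CONTROL_BYTES = re.compile(r"[\x00-\x1f\x7f]")

# Deliberately simplified reverse-path grammar: one local part, one domain, no
# quoted strings, no angle brackets, no blanks. "" stands for the null path "<>".
SIMPLE_ADDRESS = re.compile(r"[^\s<>@\x00-\x1f\x7f]+@[^\s<>@\x00-\x1f\x7f]+")

# RFC 3461 MAIL FROM parameters: RET=FULL|HDRS and ENVID=xtext. The xtext class
# is approximated as printable ASCII without blanks, at most 38 characters.
DSN_PARAM = re.compile(r"RET=(?:FULL|HDRS)|ENVID=[!-~]{1,38}")


def naive_mail_from(address: str, dsn_suffix: str = "") -> str:
    """The unsafe shape: the address and the DSN suffix are trusted verbatim."""
    suffix = f" {dsn_suffix}" if dsn_suffix else ""
    return f"MAIL FROM:<{address}>{suffix}\r\n"


def build_mail_from(address: str, dsn_params: Optional[Iterable[str]] = None) -> str:
    """Hardened builder: raises ValueError instead of emitting a second command."""
    if CONTROL_BYTES.search(address):
        raise ValueError(f"control byte in reverse-path: {address!r}")
    if address and not SIMPLE_ADDRESS.fullmatch(address):
        raise ValueError(f"malformed reverse-path: {address!r}")
    accepted = []
    for param in dsn_params or ():
        if CONTROL_BYTES.search(param) or not DSN_PARAM.fullmatch(param):
            raise ValueError(f"rejected DSN parameter: {param!r}")
        accepted.append(param)
    suffix = "".join(f" {p}" for p in accepted)
    return f"MAIL FROM:<{address}>{suffix}\r\n"


def count_commands(wire: str) -> int:
    """Number of command lines an SMTP server reads from `wire`."""
    return wire.count("\r\n")


def is_rejected(address: str, dsn_params: Optional[Iterable[str]] = None) -> bool:
    """True if the hardened builder refuses this input."""
    try:
        build_mail_from(address, dsn_params)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed attacker input: closes the bracket, ends the line, adds RCPT TO.
    evil = "alice@example.com>\r\nRCPT TO:<victim@example.net"
    print("naive builder emits", count_commands(naive_mail_from(evil)), "commands")
    print("hardened builder rejects it:", is_rejected(evil))
    print(build_mail_from("alice@example.com", ["RET=HDRS", "ENVID=batch-42"]), end="")
```

The DSN parameters are checked against a whitelist of keywords rather than merely scrubbed of CR/LF, so a stray blank or an unknown keyword cannot smuggle a second ESMTP parameter either.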
Nextcloud: Stored XSS Vulnerability via SVG File
A stored XSS vulnerability was discovered in Nextcloud related to the handling of SVG files. The vulnerability allowed the execution of arbitrary JavaScript code...
Node.js: Memory leak that enables remote Denial of Service against applications processing TLS client certificates
A memory leak was discovered in Node.js's OpenSSL integration when converting X.509 certificate fields to UTF-8 without freeing the allocated buffer. The vulnerability was triggered when applications called socket.getPeerCertificate(true), causing steady memory growth through repeated TLS connectio...
Nextcloud: Mail stored HTML injection in subject text
A stored HTML injection vulnerability was discovered in the Mail app's handling of subject text. The vulnerability allowed arbitrary HTML to be injected into the subject line of emails stored in the system...
Omise: 2FA requirement bypass when inviting team members
The application's requirement for users to enable 2FA before sending team invitations was bypassed by modifying client-side responses. This allowed invitations to be sent without enabling 2FA, defeating the security requirement...
curl: Race condition on global `gss_context` during SOCKS5 GSS-API negotiation in libcurl
Summary: Concurrent SOCKS5 GSS-API authentications share a file-scope global gss_context without synchronization, causing data races and undefined behavior. - Global context defined at lib/socks_gssapi.c:52-54: static gss_ctx_id_t gss_context = GSS_C_NO_CONTEXT; - Passed by address into the GSS init...
Sony: DLL side-loading vulnerability in Sony Music Center for PC Ver. 2.7.2 (Latest version)
A DLL side-loading vulnerability was discovered in Sony Music Center for PC Ver. 2.7.2. The application insecurely searched for a missing DLL file in the system PATH environment, allowing an attacker with access to the victim's local machine to achieve arbitrary code execution by placing a...
curl: CVE-2025-10966: missing SFTP host verification with wolfSSH
Summary: When curl is built with the wolfSSH backend, the SSH/SFTP implementation in lib/vssh/wolfssh.c performs no server host key verification and exposes no host identity options in the curl tool. I verified this locally by building curl with wolfSSH (binary reports wolfssh/1.4.20), observing th...
curl: Use-after-free when POST body buffer is freed before transfer
Summary: I locally reproduced a heap use-after-free in libcurl by setting CURLOPT_POSTFIELDSIZE and CURLOPT_POSTFIELDS to a heap buffer and then freeing that buffer before curl_easy_perform. AddressSanitizer (ASan) reports a heap-use-after-free read during the request send path. This demonstrates the...
U.S. Dept Of Defense: Cross-Site Scripting via URL on [redacted]
A Cross-Site Scripting XSS vulnerability was discovered on an official domain from the Department of Defense. The vulnerability could be exploited through the GET method, allowing an attacker to inject malicious scripts that could potentially be executed. No further details were provided...
U.S. Dept Of Defense: Cross-Site Scripting via URL on [redacted]
A Cross-Site Scripting XSS vulnerability was discovered on a website from the U.S. Department of Defense. The vulnerability was found in the GET method via the URL. Exploitation of this vulnerability could have led to the execution of malicious scripts. No further details about the vulnerability ...
U.S. Dept Of Defense: Publicly Accessible CDN Endpoint Exposing XML Metadata (including ETag)
A publicly accessible CDN endpoint was found that returned raw XML listing of stored objects, including metadata such as Key, LastModified, Size, StorageClass, and ETag. The ETag values, which can contain object hashes, were exposed publicly. This configuration allowed reconnaissance of the...
curl: Timing Attack Vulnerability in curl Digest Authentication via Non-Constant-Time String Comparison
Summary: A timing attack vulnerability exists in curl's Digest Authentication implementation due to the use of non-constant-time string comparison (strcmp) when comparing authentication algorithms in digest.c, line 360. This allows attackers to determine the supported authentication algorithm throug...
curl: Security Analysis Report: CURL Integer Overflow Vulnerability
Vulnerability Overview. Vulnerability Type: Integer Overflow in HTTP chunked encoding. Location in Source: lib/http_chunks.c line 173; lib/curlx/strparse.c lines 185-186. Impact: Integer overflow leads to memory corruption; can cause buffer overflow; results in Denial of Service (DoS) for curl. Potential...
curl: int overflow in krb5_read_data() leads to (possible) massive `recv()` write
Summary: Note: AI created the PoC, not the report. In the krb5_read_data function here, there are two issues, one of which I am very surprised hasn't been caught before. Issue 1 is that this block can result in an int overflow, where the following check becomes invalid if the value is wrapped to a...
IBM: IBM Aspera HTTP Gateway stores sensitive information in clear text in easily obtainable files which can be read by an unauthenticated user.
The IBM Aspera HTTP Gateway stored sensitive information in clear text in easily obtainable files, which could be read by an unauthenticated user. The issue was submitted to IBM, analyzed, and remediated...
curl: Stack Buffer Overflow in cURL Cookie Parsing Leads to RCE
Summary I discovered a critical stack-based buffer overflow vulnerability in cURL's cookie parsing mechanism that can lead to remote code execution. The vulnerability occurs when processing maliciously crafted HTTP cookies, affecting all applications that use libcurl for HTTP requests. Descriptio...
Nextcloud: Approval app allows users to request approval for other users file
A security vulnerability was discovered in the Approval app that allowed users to request approval for other users' files. The vulnerability was addressed in a security advisory...
curl: Multiple Unsafe strcpy() Function Calls Leading to Potential Buffer Overflow Vulnerabilities in cURL 8.16.1-DEV
Summary: During a comprehensive security audit of the cURL codebase, multiple instances of unsafe strcpy function usage were identified in critical code paths. These implementations violate secure coding practices and represent latent security risks that could lead to buffer overflow...
Django: SQL Injection in Django ORM via Unvalidated `_connector` in Q Objects
A critical SQL injection vulnerability was discovered in the Django ORM's handling of Q objects. The internal WhereNode.as_sql method used unsafe string formatting to inject the query connector, which could be controlled by an attacker through the _connector key when creating a Q object. This allow...
curl: TOCTOU Race Condition in HTTP/2 Connection Reuse Leads to Certificate Validation Bypass
I've discovered a Time-of-Check to Time-of-Use TOCTOU vulnerability in how libcurl handles persistent HTTP/2 connections. During the initial handshake, libcurl correctly validates the server's certificate against the user-provided CA bundle. However, it then assumes this trust is permanent for th...
Nextcloud: Nextcloud Tables v1 Share Enumeration Without Authorization (Regression of CVE-2024-52507)
A vulnerability was discovered in Nextcloud Tables v1 that allowed unauthorized users to enumerate shares. The vulnerability was a regression of a previously addressed issue, CVE-2024-52507...
curl: Confirmed Security Misconfigurations on curl.se (BREACH, Missing Security Headers, ETag Info Disclosure)
Summary: During a security assessment of curl.se, multiple misconfigurations were identified that led to information disclosure or weakened the security posture of the website. Affected version: Website: https://curl.se; Tested on: 09-09-2025; curl version: curl/8.8.0 x86_64-pc-linux-gnu. Steps To...
curl: CVE-2025-10148: predictable WebSocket mask
No AI was involved. Summary: The curl WebSocket implementation generates a fixed masking key at the beginning of a connection and re-uses it for every frame: Generation of masking key (enc.mask) in Curl_ws_accept: https://github.com/curl/curl/blob/455afa1de5182b95a5dcc988f18cdff584b95239/lib/ws.c#L1340...
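To show what a predictable masking key hands an attacker, an added example in Python (not curl's code): RFC 6455 masking with a client that reuses one key per connection, as the report describes, next to one that draws a fresh key per frame. Because the mask is a byte-wise XOR, anyone who knows the key can choose a payload whose masked form spells arbitrary bytes on the wire, which is the intermediary-confusion attack the RFC's masking requirement (section 10.3) exists to prevent. The frame layout is the minimal short-length form; the target bytes and the fixed key are constructed.

```python
import os
from typing import Callable, Tuple

# Added example, not curl's code. RFC 6455 section 5.3 masking, a client that
# reuses one key per connection (the reported behaviour) and a client that
# draws a new key for every frame.


def mask(payload: bytes, key: bytes) -> bytes:
    """RFC 6455 section 5.3 transform: XOR byte i with key[i mod 4]. Self-inverse."""
    if len(key) != 4:
        raise ValueError("masking key must be 4 bytes")
    return bytes(b ^ key[i % 4] for i, b in enumerate(payload))


def payload_that_emits(wire: bytes, key: bytes) -> bytes:
    """Attacker's trick: with the key known, pre-XOR so that mask() yields `wire`."""
    return mask(wire, key)


def build_frame(payload: bytes, key: bytes) -> bytes:
    """Minimal masked client frame: FIN + binary opcode, 7-bit length (< 126), key, body."""
    if len(payload) >= 126:
        raise ValueError("example supports payloads under 126 bytes")
    return bytes([0x82, 0x80 | len(payload)]) + key + mask(payload, key)


def parse_frame(frame: bytes) -> Tuple[bytes, bytes]:
    """Return (key, unmasked payload) for a frame produced by build_frame."""
    if frame[1] & 0x80 == 0:
        raise ValueError("client frames must be masked")
    length = frame[1] & 0x7F
    key, body = frame[2:6], frame[6:6 + length]
    return key, mask(body, key)


class FixedKeyClient:
    """Draws the key once at connect time and reuses it for every frame."""

    def __init__(self, rng: Callable[[int], bytes] = os.urandom) -> None:
        self.key = rng(4)

    def send(self, payload: bytes) -> bytes:
        return build_frame(payload, self.key)


class FreshKeyClient:
    """Draws a new unpredictable key for every frame, as the RFC requires."""

    def __init__(self, rng: Callable[[int], bytes] = os.urandom) -> None:
        self.rng = rng

    def send(self, payload: bytes) -> bytes:
        return build_frame(payload, self.rng(4))


# Constructed: the bytes an attacker wants an intermediary to see on the wire.
WIRE_TARGET = b"GET /poison HTTP/1.1\r\n"


def attacker_controls_wire(client, key_guess: bytes) -> bool:
    """Does the masked body of the next frame equal WIRE_TARGET under the attacker's key guess?"""
    frame = client.send(payload_that_emits(WIRE_TARGET, key_guess))
    return frame[6:] == WIRE_TARGET


if __name__ == "__main__":
    fixed = FixedKeyClient(rng=lambda n: b"\x13\x37\xca\xfe"[:n])  # constructed fixed key
    leaked = fixed.send(b"hello")[2:6]  # the key travels in clear in every frame header
    print("fixed key, attacker wins:", attacker_controls_wire(fixed, leaked))
    fresh = FreshKeyClient()
    observed = fresh.send(b"hello")[2:6]
    print("fresh key, attacker wins:", attacker_controls_wire(fresh, observed))  # almost surely False
```

With a per-connection key the attacker needs to see (or guess) it once; every later frame is then fully controllable on the wire. With a per-frame key drawn from a CSPRNG, a payload crafted against an observed key only lands if the next key happens to equal it, a 2^-32 chance per frame.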
SingleStore: 2FA bypass possible on https://authsvc.singlestore.com
A vulnerability was discovered that allowed the 2FA authentication mechanism to be bypassed completely. An attacker could access the victim's account by only knowing the email address and password, without requiring the 2FA code...
Basecamp: Improper bot-authentication allows to impersonate any user when sending messages in a room
A vulnerability was discovered in the bot authentication mechanism. The issue allowed an unauthenticated user to impersonate any user and post messages in rooms the impersonated user had access to. The bot authentication function failed to properly validate the bot key, allowing a partial key to...