Lucene search: HackeroneRecent

15267 matches found

Hacker One, added 2025/09/05 2:16 p.m., 4 views

U.S. Dept Of Defense: Exposed wp-config.php file in ███ National Guard website

A WordPress configuration file containing sensitive information, such as the MySQL database password, was found exposed on a website of the National Guard. The file was accessible at a public endpoint...

AI score 6.6, Exploits 0

Hacker One, added 2025/09/05 1:21 p.m., 8 views

Django: Path traversal via archive.extract - CVE 2021-3281 incomplete patch

A vulnerability was discovered in the "extract" function of the ZipArchive and TarArchive classes in the Django framework. The vulnerability was caused by the use of the "abspath" function, which removes terminating path separators. This made the guard logic protection insufficient to protect...

CVSS 5.3, AI score 8.2, EPSS 0.41482, Exploits 1

Hacker One, added 2025/09/05 12:54 p.m., 6 views

Bykea: Lack of minimum value bid wheel verification on customer_bid in Rental Trips

A missing validation on the customer_bid field when creating rental trips allowed passengers to submit arbitrary bid amounts, including very low fares. Proper validation was added to prevent unrealistic values...

AI score 7, Exploits 0

Hacker One, added 2025/09/05 11:23 a.m., 8 views

AWS VDP: Existence of completed pods allows for bypass of Kubernetes NetworkPolicy

The Amazon VPC CNI controller, when configured to manage NetworkPolicy rules, will incorrectly apply firewall rules for Completed pods as if the pods are still running, causing these rules to be applied to other unrelated pods that happen to receive the same IP address as a Completed...

AI score 6.8, Exploits 0

Hacker One, added 2025/09/03 9:06 p.m., 4 views

Mozilla: User Can Delete Other Users' Personal Access Tokens at /delete-token/{token_id}/ on Mozilla Pontoon

A vulnerability was discovered in the Mozilla Pontoon application that allowed users to delete other users' personal access tokens at the /delete-token/{token_id}/ endpoint without proper permission checks. The vulnerability was caused by the absence of user permission verification in the deletetoke...

AI score 5.9, Exploits 0

Hacker One, added 2025/09/03 1:05 p.m., 16 views

curl: libcurl: Host-Only Cookies Leak to Alternate IPv4 Forms

libcurl canonicalizes numeric IPv4 hostnames during URL parsing and redirect handling (example: 127.000.000.001 to 127.0.0.1). When a host-only cookie (no Domain= attribute) is set, it is stored in the cookie jar with the host string 127.0.0.1. On redirect, even if the Location: contains an alias hos...

AI score 7.2, Exploits 0

Hacker One, added 2025/09/03 11:36 a.m., 6 views

U.S. Dept Of Defense: Account Takeover via Unverified Email Change and Improper Session Handling

A vulnerability was discovered in the email change functionality of the system. When the email was changed to an unregistered email address, the system accepted the change without proper verification. If the victim later registered using the same email, the attacker's existing session was not...

AI score 6.9, Exploits 0

Hacker One, added 2025/09/02 7:07 p.m., 17 views

curl: Heap-buffer-overflow (Out-of-Bounds Read) in DoH hostname encoding

Summary: I found a heap-buffer-overflow in the doh_req_encode function in lib/doh.c. The bug happens when curl processes a DNS-over-HTTPS request for a hostname that is an empty string. The code gets the string length as 0, then tries to access host[len - 1], which becomes host[-1]. This is an...

AI score 7.7, Exploits 0

Hacker One, added 2025/08/31 5:16 a.m., 4 views

Cloudflare Public Bug Bounty: [Variation of #1554049] 1-Click Chaining of Self-XSS, Cookie Tossing and AntiCSRF Token Prediction leads to auto approval in Access Temp Auth

A vulnerability was discovered in Cloudflare Access that could allow for unauthorized approvals within the Temporary Auth workflow. The issue was resolved after the researcher reported it to Cloudflare...

AI score 5.8, Exploits 0

Hacker One, added 2025/08/30 2:49 a.m., 3 views

PlayStation: Double fdrop on a socket through sys_netcontrol

The netcontrol syscall in the kernel had a vulnerability where the socket file descriptor was not properly validated when removing a socket from a netevent structure. This allowed an attacker to cause a double fdrop on a socket, potentially leading to a use-after-free condition...

AI score 5.4, Exploits 0

Hacker One, added 2025/08/29 9:52 a.m., 21 views

curl: Incorrect Parsing of IPv6 Zone ID in curl

I'm Zehui Miao from NISL@THU. During recent research, our team identified a parsing inconsistency in curl. 0x01 Affected components. 1.1 Affected components: C Curl; Versions: tested in 8.4.0; CLAIMS TO FOLLOW: RFC-3986. 1.2 Attack scenario: The threat model illustrated in Figure 1 explains t...

AI score 6.8, Exploits 0

Hacker One, added 2025/08/28 2:35 p.m., 6 views

U.S. Dept Of Defense: Information Disclosure via Publicly Accessible Debug Log

A publicly accessible WordPress debug log file was discovered on the target system. The log file contained PHP warnings and deprecated notices that disclosed sensitive server paths and plugin details. This exposure may have assisted an attacker in fingerprinting the environment or exploiting know...

AI score 7.1, Exploits 0

Hacker One, added 2025/08/27 1:26 p.m., 8 views

Cloudflare Public Bug Bounty: Second-Order XSS via javascript protocol in MCP Server Portal Apps leads to ATO

The vulnerability in the MCP Server Portal Apps was caused by missing sanitization of the redirect_uri parameter, leading to a second-order XSS vulnerability. An attacker could craft a malicious redirect_uri containing JavaScript code, obtain a client_id for this URI, and reuse it when a victim had ...

AI score 6.7, Exploits 0

Hacker One, added 2025/08/25 4:00 p.m., 10 views

Dynatrace: OneAgent Unprivileged NTLM User Coercion

Vulnerability description not provided...

AI score 6.8, Exploits 0

Hacker One, added 2025/08/22 4:18 p.m., 21 views

curl: Missing Security Headers

Missing Security Headers (Low). Target: https://curl.se/. OWASP Mapping: A05 Misconfiguration / A02 Crypto. Vulnerability ID: sec-headers-0f70ef5bcb. Description: A Missing Security Headers issue was discovered. This may allow an attacker to exploit the application. Proof of Concept (using cURL): curl...

AI score 6.9, Exploits 0

Hacker One, added 2025/08/21 12:32 p.m., 5 views

Monero: Critical Deadlock Vulnerability in Monero RPC Leading to Complete Node Paralysis

A deadlock vulnerability was discovered in the Monero JSON-RPC interface that allowed a remote, unauthenticated attacker to completely paralyze any Monero node with a single HTTP request containing specific batch methods, leading to permanent denial of service. The vulnerability affected all...

AI score 5.8, Exploits 0

Hacker One, added 2025/08/20 8:18 a.m., 58 views

curl: curl leaks destination IP via glibc getaddrinfo() UDP connect, bypassing SOCKS5/Tor

Summary: When using curl with a SOCKS5 proxy (e.g. Tor on 127.0.0.1:9050), glibc getaddrinfo performs direct UDP connect probes to the target’s IP:443. These syscalls bypass the proxy and expose the user’s route to the destination, breaking anonymity expectations. The IPs I got in my case:...

AI score 6.8, Exploits 0

Hacker One, added 2025/08/20 7:46 a.m., 20 views

curl: Curl parse_connect_to_string Heap-Overread Leading to Denial of Service via CURLOPT_CONNECT_TO

Summary: A heap-buffer-overread occurs in Curl's parse_connect_to_string function when using the CURLOPT_CONNECT_TO option with crafted input. This can lead to a segmentation fault and crash of the application, resulting in a denial-of-service. The issue is triggered by malformed host strings containi...

AI score 7.5, Exploits 0

Hacker One, added 2025/08/19 11:17 a.m., 4 views

Nextcloud: Files drop share links for end-to-end encrypted folders allowed to drop files into other folders of the share owner

Files drop share links for end-to-end encrypted folders allowed to drop files into other folders of the share owner...

CVSS 3.5, AI score 5.8, EPSS 0.00025, Exploits 0

Hacker One, added 2025/08/19 8:26 a.m., 19 views

WakaTime: Invalid

Summary: While testing the OAuth implementation on your platform, I discovered a critical vulnerability that allows a malicious attacker to take over any victim’s account and maintain persistent access even if the victim later verifies their email or changes their password. This issue arises...

AI score 6.7, Exploits 0

Hacker One, added 2025/08/18 4:07 p.m., 19 views

curl: WebSocket Fragmentation DoS on Curl Client

Summary: A malicious WebSocket server can send a fragmented message (FIN=0) followed by a flood of continuation frames, causing the client (curl) to continuously allocate memory while waiting for message completion. This can result in high memory usage and a potential crash (OOM), representing a...

AI score 7, Exploits 0

Hacker One, added 2025/08/18 8:31 a.m., 7 views

Omise: Pending invites remain valid even after the inviter is removed.

The pending invites created by a removed admin remained valid, and members already added by the removed admin remained in the team with admin privileges, even after the inviter was removed...

AI score 6.9, Exploits 0

Hacker One, added 2025/08/18 6:42 a.m., 16 views

Node.js: CWE-195 in ExternalMemoryAccounter::Increase()

Summary: V8's ExternalMemoryAccounter::Increase expects an unsigned size_t argument, but is passed a signed ssize_t, which in some cases results in garbage collection happening during garbage collection. Here's a simplified version of what happens (full backtrace has been attached in the issue):...

AI score 6.7, Exploits 0

Hacker One, added 2025/08/17 12:55 p.m., 17 views

curl: Heap Use-After-Free Vulnerability in `curl` Leading to Potential Code Execution

Summary: A Use-After-Free (UAF) vulnerability was discovered in curl at curl_trc.c:195. When processing specially crafted input, the code accesses memory after it has already been freed. This can result in undefined behavior, leading to a denial of service (crash) and potentially enabling information...

AI score 7.6, Exploits 0

Hacker One, added 2025/08/12 10:36 a.m., 25 views

curl: Account/Repository Takeover via Abandoned GitHub Username in curl's href_extractor.c

Summary: The href_extractor.c example in the curl repository (https://github.com/curl/curl/blob/master/docs/examples/href_extractor.c) references an external HTML parser library hosted at https://github.com/arjunc77/htmlstreamparser. The referenced GitHub username arjunc77 or repository...

AI score 7.2, Exploits 0

Hacker One, added 2025/08/12 8:35 a.m., 19 views

curl: Unsafe Global IFS Modification in OS400 Shell Script Enables Command Injection and Parsing Flaws (CWE-78/CWE-20)

In the curl source repository, the OS400 initialization script packages/OS400/make-incs.sh modifies the global shell variable IFS (Internal Field Separator) without local scoping or restoration. This pattern exposes users and CI/CD systems to unintended parsing, command injection, and logic errors ...

AI score 7.3, Exploits 0

Hacker One, added 2025/08/12 8:31 a.m., 21 views

curl: Insecure WebSocket Usage in curl Documentation and Examples (CWE-319: Cleartext Transmission of Sensitive Information)

The curl source repository contains official documentation and example code that demonstrate WebSocket connections using the insecure ws:// protocol instead of the secure wss://. This misleading guidance may encourage developers to implement cleartext WebSocket endpoints, exposing users and...

AI score 6.9, Exploits 0

Hacker One, added 2025/08/12 8:28 a.m., 23 views

curl: Exposure of Hard-coded Private Keys and Credentials in curl Source Repository (CWE-321)

Multiple private/test RSA keys and example credentials were discovered embedded in the public curl source repository and associated documentation. These sensitive secrets were detected using automated tools (gitleaks) and manual review. Their presence could allow attackers to impersonate trusted cu...

AI score 6.9, Exploits 0

Hacker One, added 2025/08/12 4:32 a.m., 6 views

Bykea: Customer can cancel an individual booking in a batch, causing locking of partner.

The vulnerability allowed users to update the status of individual trips inside a batch, even though only batch-level status changes were intended. By cancelling the single trip inside a one-parcel batch, the batch was placed into an inconsistent state, causing the assigned partner to become stuc...

AI score 6.8, Exploits 0

Hacker One, added 2025/08/11 4:28 p.m., 8 views

curl: CVE-2025-9086: Out of bounds read for cookie path

We are tracking this issue with the public ID BIGSLEEP-437903454. Please use this identifier for reference in any future communication. Vulnerability Details In the cookie support found in cookie.c, there's an out-of-bounds string comparison that results from a crafted sequence of cookie...

CVSS 7.5, AI score 6.9, EPSS 0.00275, Exploits 1

Hacker One, added 2025/08/10 8:24 p.m., 26 views

curl: Vulnerability Report: Local File Disclosure via file:// Protocol in cURL

Summary: A security vulnerability has been identified that allows unauthorized local file system access via the file:// protocol in cURL, particularly when executed with elevated privileges (e.g., sudo). This could lead to sensitive data exposure, including password hashes stored in /etc/shadow. Ste...

AI score 6.6, Exploits 0

Hacker One, added 2025/08/10 6:28 p.m., 5 views

Mars: SQLi At `███████` via `theme_name`

A SQL injection vulnerability was discovered in a web application's theme selection endpoint through the "theme_name" parameter. Using SQLMap, the vulnerability was demonstrated to be exploitable through both error-based and time-based blind injection attacks against a MySQL database version 5.1 o...

AI score 5.8, Exploits 0

Hacker One, added 2025/08/10 6:26 p.m., 20 views

curl: Remote Code Execution (RCE) via Arbitrary Library Loading in `--engine` option

Summary: The curl command-line tool is vulnerable to Arbitrary Code Execution on POSIX-like systems (Linux, macOS, etc.). The --engine option allows loading an OpenSSL crypto engine from a shared library (.so) file. Crucially, this option accepts an absolute or relative path to the library file,...

AI score 8.5, Exploits 0

Hacker One, added 2025/08/10 1:17 a.m., 6 views

Nextcloud: Stored XSS in contacts app via organisation and title field

A stored XSS vulnerability was discovered in the contacts app of the software. The vulnerability could be triggered by inputting malicious code in the organization or title field...

CVSS 5.4, AI score 6.2, EPSS 0.00016, Exploits 0

Hacker One, added 2025/08/09 8:00 p.m., 19 views

curl: Path Traversal in SFTP QUOTE command leads to Arbitrary File Write and potential RCE

Summary: libcurl is vulnerable to a path traversal attack when processing SFTP QUOTE commands. The internal function Curl_get_pathname in lib/vssh/curl_path.c fails to sanitize user-provided paths for traversal sequences (../). An attacker who can control the SFTP QUOTE commands can leverag...

AI score 7.9, Exploits 0

Hacker One, added 2025/08/09 2:32 a.m., 11 views

curl: Heap Buffer Overflow in Curl_memdup0() via CURLOPT_COPYPOSTFIELDS/CURLOPT_POSTFIELDSIZE Mismatch

Summary: A heap buffer overflow vulnerability exists in libcurl's Curl_memdup0 function when handling CURLOPT_COPYPOSTFIELDS operations. The vulnerability occurs when libcurl internally processes POST data where the specified CURLOPT_POSTFIELDSIZE exceeds the actual buffer size of data set via...

AI score 8.1, Exploits 0

Hacker One, added 2025/08/09 12:54 a.m., 6 views

Django: SQL Injection when using FilteredRelation

A SQL injection vulnerability was discovered in the Django framework when using the FilteredRelation feature. The vulnerability was located in the tests/filteredrelation/tests.py file. The vulnerability allowed an attacker to inject malicious SQL code through the userdata parameter used in the...

AI score 8.2, Exploits 0

Hacker One, added 2025/08/07 8:43 p.m., 6 views

U.S. Dept Of Defense: exposed FOUO documents, including Passport information

A set of FOUO documents, including a person's passport information, was found posted online. The documents were hosted on various government websites and did not appear to contain highly sensitive information, aside from the passport details. The Distributed Denial of Secrets website was also...

AI score 6.8, Exploits 0

Hacker One, added 2025/08/07 4:31 p.m., 14 views

GitHub: Sample report: Denial of service

The denial of service vulnerability was identified in the system. The vulnerability could have allowed an attacker to disrupt the availability of the system by exhausting its resources...

AI score 6.9, Exploits 0

Hacker One, added 2025/08/05 6:23 p.m., 9 views

AWS VDP: AWS | Self Registration Internal LibreChat : Access to internal/proprietary LLMs

Issue Summary: A LibreChat endpoint/UI is found to be accessible to the public Internet, with self registration for any non AWS/Amazon Corporate domains enabled, allowing an attacker to use a ChatGPT-like UI to access multiple public models (example: Claude) with the API access it has enabled, as...

AI score 7.3, Exploits 0

Hacker One, added 2025/08/05 4:15 p.m., 6 views

HackerOne: DOS via Mutation Aliasing in GraphQL Account Recovery Phone Number Verification API

The GraphQL API's 'verifyAccountRecoveryPhoneNumber' mutation was found to be vulnerable to denial-of-service attacks through mutation aliasing. The vulnerability allowed multiple aliases of the same mutation to be included in a single request, causing the server to process each mutation...

AI score 5.8, Exploits 0

Hacker One, added 2025/08/05 2:08 p.m., 16 views

WakaTime: Double Clickjacking Attack on WakaTime OAuth Authorization Flow at https://wakatime.com/oauth/authorize

The WakaTime OAuth authorization flow was vulnerable to a double-clickjacking attack. The attack allowed an attacker to trick users into unknowingly clicking the "Connect my WakaTime account" button in the consent dialog, enabling the attacker to register an OAuth application, capture the...

AI score 6.9, Exploits 0

Hacker One, added 2025/08/05 1:15 p.m., 6 views

U.S. Dept Of Defense: CVE-2025-4123 — Grafana Open Redirect → Stored XSS → SSRF (Full Read) at ██████

A vulnerability, identified as CVE-2025-4123, was discovered in Grafana OSS and Enterprise versions 8.x through 12.x. The vulnerability allowed unauthenticated attackers to chain multiple flaws, including an open redirect through path traversal in the public redirect handler, stored cross-site...

CVSS 7.6, AI score 6.2, EPSS 0.06888, Exploits 6

Hacker One, added 2025/08/03 10:10 p.m., 5 views

U.S. Dept Of Defense: Reflected Cross-Site Scripting (XSS)

A reflected cross-site scripting (XSS) vulnerability was discovered. An attacker could have crafted a URL that, when visited, would have triggered a JavaScript alert function, confirming the vulnerability. The vulnerability was present in the affected system. No further details about the affected...

AI score 5.8, Exploits 0

Hacker One, added 2025/08/03 6:17 p.m., 3 views

U.S. Dept Of Defense: Cross-Site Scripting via 'RAISED_FUNDS_DESC' parameter

A Cross-Site Scripting (XSS) vulnerability was discovered in the parameter 'RAISED_FUNDS_DESC' through the POST method on the target website. Exploitation of this vulnerability could have led to consequences such as cookie theft and session hijacking. The vendor was notified, and appropriate...

AI score 5.9, Exploits 0

Hacker One, added 2025/08/03 6:04 p.m., 5 views

U.S. Dept Of Defense: Cross-Site Scripting via 'EVENT_DESCRIPTION' parameter

A Cross-Site Scripting (XSS) vulnerability was discovered in the POST method on the website, specifically through the EVENT_DESCRIPTION parameter. Exploitation of this vulnerability could have led to severe consequences, including session hijacking. The vulnerability was caused by insufficient...

AI score 5.9, Exploits 0

Hacker One, added 2025/08/02 4:30 p.m., 13 views

curl: Use After Free (that leads to arbitrary Write for some versions)

Summary: Use-After-Free vulnerability that leads to arbitrary write/read. YES, I used AI along with the mermaid online editor to generate this graph that shows these paths for allocation, free and use after free (F4637660: bug.svg.png). Affected version: curl 8.13.0 x86_64-pc-linux-gnu libcurl/8.13....

AI score 7.9, Exploits 0

Hacker One, added 2025/08/02 4:22 a.m., 13 views

curl: Integer Overflow in schannel.c TLS Data Transmission

Summary: This vulnerability allows an integer overflow when adding TLS buffer sizes during an encrypted data transmission, which can lead to incorrect data sizes being sent and TLS security issues while in testing. Within testing on a Windows 10 environment, Windows' Schannel rejected the malformed TLS...

AI score 8, Exploits 0

Hacker One, added 2025/07/31 2:56 p.m., 14 views

curl: Stack use-after-scope in HTTP/3 POST request processing via CURLOPT_POSTFIELDS

Summary: A stack use-after-scope vulnerability exists in libcurl's HTTP/3 request processing when using CURLOPT_POSTFIELDS with stack-allocated buffers. libcurl retains a pointer to user-provided POST data but accesses it after the original stack frame has been destroyed, leading to memory corrupti...

AI score 7.3, Exploits 0

Hacker One, added 2025/07/31 2:04 p.m., 11 views

WakaTime: Unauthorized Disclosure of Private Emails via WakaTime Private Leaderboards

The vulnerability allowed unauthorized disclosure of private email addresses of WakaTime users through the private leaderboards feature. The email addresses were exposed to leaderboard creators and members, even when the users had not chosen to make their emails public...

AI score 6.9, Exploits 0

Total number of security vulnerabilities: 15267