Lucene search
K

908957 matches found

OSV
OSV
added yesterday3 views

GHSA-PMFC-4WJJ-GMHX cut: -s ignored in -z -d '' newline-delimiter mode

cut routes -z -d '' through a special newline-delimiter path that ignores the -s only-delimited flag, emitting whole undelimited records plus NUL that should be suppressed. Pipelines relying on cut -s to drop undelimited records process data that should be filtered. printf 'abc' | cut -z -d '' -s...

3.3CVSS5.9AI score0.00149EPSS
Exploits1References6
OSV
OSV
added yesterday2 views

GHSA-R9HW-MJ3W-PHCQ mknod: Device nodes created mislabeled on SELinux, with broken cleanup (remove_dir on a node)

uutils calls mknod before setting the SELinux context GNU uses setfscreatecon first, labeling atomically. If setselinuxsecuritycontext fails, cleanup uses std::fs::removedir, which cannot remove device nodes or FIFOs, leaving the mislabeled node behind. Impact: on SELinux-enforcing systems the no...

3.4CVSS5.9AI score0.00142EPSS
Exploits1References6
OSV
OSV
added yesterday2 views

GHSA-PMF6-RCX4-V53V mkfifo: permissions of an existing file are changed after FIFO creation fails

When mkfifo fails e.g. target already exists, the code shows an error but is missing a continue;, so it falls through to fs::setpermissions and changes the permissions of the pre-existing file to the default FIFO mode 0o666 & umask - 0644. $ touch secret; chmod 000 secret $ coreutils mkfifo secre...

7.1CVSS6AI score0.00165EPSS
Exploits1References5
OSV
OSV
added yesterday2 views

GHSA-QRWJ-VH9X-GW5V Coder's workspace agent API insecure redirect handling allowed cross-agent file read and write

Summary agentConn.apiClient used the default redirect behavior of http.Client while its custom transport dialed the host from the request URL as long as the port was the workspace agent HTTP API port 4. Agent tailnet IPs are deterministic from agent UUIDs, so a malicious workspace agent could...

8.3CVSS6.2AI score
Exploits0References3
OSV
OSV
added yesterday2 views

GHSA-CGFV-JRFP-2R7V OpenRemote has Authenticated SQL Injection via Datapoint Crosstab Export

Summary The datapoint export API builds a PostgreSQL crosstab export query by concatenating asset display names into raw SQL. An authenticated user who can create or rename an asset and then request a crosstab datapoint export can inject SQL through the asset name. The injected query output is...

7.2CVSS6.3AI score
Exploits0References3
OSV
OSV
added yesterday2 views

GHSA-473P-56XX-VG67 Kiwi TCMS vulnerable to stored XSS via JavaScript: URI in extra_link field (TestPlan & TestCase)

Summary In Kiwi TCMS the fields TestCase.extralink and TestPlan.extralink were meant to represent URLs to external resources however in versions prior to 16.1 user input was not being sanitized and values were rendered verbatim which represents an opportunity for cross-site scripting exploitation...

5.8AI score
Exploits0References4
OSV
OSV
added yesterday2 views

GHSA-7CFM-PQRJ-XGQ7 9router: Login brute-force protection bypass via spoofed X-Forwarded-For header

Summary The 9router dashboard login rate limiter derives the client identity from the attacker-controlled X-Forwarded-For HTTP header. When 9router is directly exposed, or deployed behind a reverse proxy that does not overwrite untrusted forwarding headers, a remote attacker can rotate the...

7.3CVSS6AI score
Exploits0References2
OSV
OSV
added yesterday2 views

GHSA-QVFM-67H2-2QFX 9routers has Exposure of Sensitive Information and Unprotected Database Import/Export, Allowing Complete Credential Theft and Database Takeover

Summary The /api/settings/database endpoint allows full database export containing all credentials, API keys, OAuth tokens, and settings and full database import complete overwrite without any authentication requirement beyond the ALWAYSPROTECTED middleware check, which only validates JWT or CLI...

9.9CVSS6AI score
Exploits0References2
OSV
OSV
added yesterday2 views

GHSA-F74W-488G-8X5R Craft CMS: Potential authenticated Remote Code Execution via referrer redirect

Requirements: Control panel access Permissions to edit an entry Details Control panel users with the ability to edit entries can execute unsandboxed Twig code via the HTTP Referrer header. The issue happens when a user is saving entries. Strings for a signed redirect URL are being compiled as a...

8.7CVSS6AI score0.00293EPSS
Exploits0References4
OSV
OSV
added yesterday2 views

GHSA-XRQC-P465-2XVG Craft CMS: Stored XSS via Structure entry title in table view

Stored XSS via Structure entry title in table view Summary An Author-level control panel user can store a JavaScript payload in an entry title. When an admin, or any control panel user with saveEntries for the same Structure section, drags another entry under the poisoned entry in table view, the...

5.9CVSS6AI score0.00412EPSS
Exploits0References4
OSV
OSV
added yesterday2 views

GHSA-287W-MXQ6-X2CP Craft CMS: Sensitive File Disclosure / Server-Side File Read

The dataUrl Twig function is included in Craft’s Twig sandbox allowlist, allowing any control panel user granted the utility:system-messages permission to embed a file-reading payload into system email templates. When those emails are sent, the server reads the target file and returns its content...

6CVSS6.1AI score0.00268EPSS
Exploits0References4
OSV
OSV
added yesterday3 views

GHSA-24X4-J6X9-RFW5 Craft CMS: DOM XSS via GitHub issue title in CraftSupport widget

Summary An attacker with only a GitHub account can plant a JavaScript payload in a craftcms/cms issue title. When a Craft admin uses the CraftSupport widget’s "Give feedback" screen and types a search term that returns the poisoned issue, the payload executes in the admin’s control panel session...

7.4CVSS6AI score0.00311EPSS
Exploits0References4
OSV
OSV
added yesterday3 views

GHSA-HMJ5-JM8H-H9FH Kiwi TCMS has an Open Redirect via unvalidated next parameter in account confirmation endpoint

Summary An open redirect vulnerability in the account confirmation endpoint allows an unauthenticated attacker to craft a URL hosted on a legitimate Kiwi TCMS instance that redirects victims to an arbitrary external domain. The attack surface is particularly relevant for phishing campaigns...

6.1CVSS6.1AI score
Exploits0References4
OSV
OSV
added yesterday2 views

GHSA-WW9Q-8R59-XV46 Zebra: Missing copy constraint in halo2_gadgets variable-base scalar multiplication allows under-constrained base, breaking Orchard Action circuit soundness

Summary A soundness vulnerability in the variable-base scalar multiplication gadget of halo2gadgets allowed a malicious prover to produce a valid proof for an Orchard Action with an under-constrained base point. Because this gadget enforces the diversified-address-integrity condition of the Orcha...

9.3CVSS5.9AI score
Exploits0References2
OSV
OSV
added yesterday2 views

GHSA-2PQ5-3Q89-J7CC Langroid: Neo4jChatAgent executes LLM-generated Cypher without validation (prompt-to-Cypher injection; config-conditional RCE), mirroring the SQLChatAgent bug fixed in CVE-2026-25879

Neo4jChatAgent passes LLM-generated Cypher queries straight to the Neo4j driver with no validation, no statement-type allowlist, and no opt-out gate. The query text is influenceable by prompt injection direct user input or indirect content the agent reads back via RAG, so an attacker who can...

9.2CVSS5.9AI score
Exploits0References2
OSV
OSV
added yesterday2 views

GHSA-VJC7-JRH9-9J86 9router has unauthenticated CRUD on /api/providers and Full API Key Leak via /api/usage/stats

--- title: Unauthenticated CRUD on /api/providers and Full API Key Leak via /api/usage/stats product: 9Router version: = 0.4.41 severity: critical cverequest: true --- Summary Multiple critical API security vulnerabilities were discovered in 9Router's Next.js dashboard. The /api/providers endpoin...

10CVSS6.1AI score
Exploits0References2
OSV
OSV
added yesterday2 views

GHSA-5WG6-JMQ2-53PW Coder's workspace app CORS origin check can be bypassed via UUID-based subdomain spoofing

Summary Coder's subdomain-based workspace app proxy allowed the same-owner CORS check to be bypassed. When a workspace-name subdomain segment parsed as a UUID, the workspace was resolved by ID without confirming the URL's username matched the real owner, while the CORS middleware trusted the...

5.8CVSS5.9AI score
Exploits0References4
OSV
OSV
added yesterday2 views

GHSA-798H-HPPH-M24J Linuxfabrik Monitoring Plugins have local privilege escalation using embedded command

Summary When a check plugin places user provided input inside a command which is passed to shellexec, an attacker can abuse this to run arbitrary commands. This is mainly dangerous for plugins which are listed in the sudoers file, because this allows an attacker controlling the nagios user to get...

7.8CVSS6.2AI score
Exploits0References2
OSV
OSV
added yesterday3 views

GHSA-7QW2-F75V-62F7 Coder vulnerable to stored HTML injection via workspace agent logs in AgentLogLine component

Summary The AgentLogLine dashboard component instantiated ansi-to-html without escapeXML: true and inserted the result via dangerouslySetInnerHTML so HTML embedded in workspace agent log lines was rendered as live markup. Server-side sanitization did not neutralize HTML metacharacters. Note:...

5.4CVSS6.1AI score
Exploits0References3
OSV
OSV
added yesterday2 views

GHSA-84RM-42XW-MX52 Coder's AI Bridge Proxy skips TLS certificate verification in default configuration

Summary The AI Bridge Proxy aibridgeproxyd created a goproxy server whose default transport set InsecureSkipVerify: true and only assigned a secure transport when an upstream proxy was configured. In the default configuration no upstream proxy, outbound HTTPS to the Coder access URL accepted any...

7.4CVSS6AI score
Exploits0References3
OSV
OSV
added yesterday3 views

GHSA-WQXV-W64V-5WH6 Suspended Coder users retain access to AI Bridge LLM proxy endpoints

Summary AI Bridge proxy endpoints authenticate via Server.IsAuthorized in coderd/aibridgedserver, which validates key format, expiry, secret and deleted or system users but does not check whether the account is suspended. Because suspension does not revoke existing API keys, a suspended user's...

5.4CVSS5.9AI score
Exploits0References3
OSV
OSV
added yesterday2 views

GHSA-F5VP-W269-392G Coder vulnerable to denial of service via unbounded request body in AI Bridge provider endpoints

Summary AI Bridge provider handlers read request bodies with io.ReadAll without a maximum size so an authenticated user with AI Bridge access could send an arbitrarily large body and exhaust memory. Note: Exploitation requires authenticated access to the AI Bridge endpoints and the impact is...

6.5CVSS6AI score
Exploits0References3
OSV
OSV
added yesterday2 views

GHSA-JQJ2-X4C5-JFXM Coder: Devcontainer recreate endpoint missing write authorization allows read-only roles to destroy containers

Summary The devcontainer recreate endpoint relied on route middleware that checked only ActionRead on the workspace and, unlike the sibling delete endpoint, performed no ActionUpdate check before triggering the destructive rebuild. Note: Exploitation requires an existing low-privilege role with...

5.4CVSS6AI score
Exploits0References3
OSV
OSV
added yesterday2 views

GHSA-X9QQ-2QH5-8RXF Coder's sub-agent app registration bypasses template port-sharing policy enforcement

Summary The CreateSubAgent RPC did not validate a requested app sharing level against the template's MaxPortSharingLevel before persisting workspace apps, letting a workspace owner exceed the administrator's configured maximum. Note: Exploitation requires the ability to register sub-agent apps in...

5.4CVSS6AI score
Exploits0References3
OSV
OSV
added yesterday2 views

GHSA-V54H-CP2W-9X4G Coder's session token leaked to arbitrary hosts via `coder open app` for external workspace apps

Summary coder open app opens external workspace-app URLs without validating the scheme or host. When an external app URL contains the $SESSIONTOKEN placeholder the CLI replaces it with the user's real session token before handing the URL to the OS open handler. Note: Practical exploitation requir...

7.7CVSS6.1AI score
Exploits0References3
OSV
OSV
added yesterday3 views

GHSA-2MG2-P7R7-G27F Coder: Zip upload decompression lacks aggregate size limit, enabling denial of service

Summary POST /api/v2/files converts zip uploads to tar in memory via CreateTarFromZip, which enforced a per-entry size limit but no aggregate limit on total decompressed output, writing to an unbounded in-memory buffer. Note: Exploitation requires authenticated file-upload access and the impact i...

6.5CVSS6AI score
Exploits0References3
OSV
OSV
added yesterday2 views

GHSA-5G4W-3VW9-478W Coder's subdomain workspace app routing trusts unauthenticated X-Forwarded-Host header, enabling cross-app data access

Summary The workspace app proxy resolves the target app from httpapi.RequestHost which prefers the X-Forwarded-Host header over the real Host header. No middleware strips X-Forwarded-Host before routing and the header is not browser-forbidden so client-side JavaScript can set it on fetch calls...

5.8CVSS6AI score
Exploits0References3
OSV
OSV
added yesterday2 views

GHSA-WRQ8-FCV5-8HVP Coder: Route hijacking through lack of validation of agent-supplied AllowedIPs in tailnet coordinator

Summary The tailnet coordinator validates that an agent's Addresses derive from its authenticated UUID but applies no equivalent check to AllowedIPs. The coordinator forwards agent-supplied AllowedIPs verbatim to tunnel peers which install them into the WireGuard peer configuration. Impact A...

8.2CVSS6AI score
Exploits0References3
OSV
OSV
added yesterday2 views

GHSA-9RJW-3GWP-F59V Coder's workspace app upsert allows cross-workspace agent rebinding via user-controlled app ID

Summary UpsertWorkspaceApp overwrites an existing app's agentid on a primary-key conflict and insertAgentApp accepts the app ID from the provisioner's CompleteJob payload without verifying it belongs to the workspace being built. CompleteJob runs under dbauthz.AsProvisionerd so the authorization...

8.7CVSS5.9AI score
Exploits0References3
OSV
OSV
added yesterday2 views

GHSA-F962-QM93-MJ4C Coder's unbounded memory allocation in provisioner file upload allows authenticated denial of service

Summary NewDataBuilder in provisionersdk/proto/dataupload.go allocated a byte slice using the client-supplied FileSize from a DataUpload message without an upper-bound check. Although the DRPC wire limit is 4 MiB, the FileSize value itself was unconstrained Impact An authenticated user able to...

4.9CVSS6AI score
Exploits0References3
OSV
OSV
added yesterday3 views

GHSA-MCQQ-FQGF-RXWM Coder vulnerable to SSH config injection via unsanitized server-supplied values in `coder config-ssh`

Summary coder config-ssh wrote server-supplied SSH settings HostnameSuffix, SSHConfigOptions into the user's /.ssh/config without sanitizing embedded newlines or restricting directives so a malicious or compromised Coder server could inject arbitrary SSH configuration. Note: Practical exploitatio...

8.3CVSS6.6AI score
Exploits0References3
OSV
OSV
added yesterday2 views

GHSA-29XF-69GQ-M9JX Coder: User-admin role can reset owner account password

Summary The PUT /api/v2/users/user/password endpoint authorized only ActionUpdatePersonal and did not prevent a user-admin from resetting an owner account's password. It also did not require the current password when an admin reset another user's password. Note: Exploitation requires the privileg...

7.2CVSS6AI score
Exploits0References3
OSV
OSV
added yesterday3 views

GHSA-9R87-MVCW-X35F Coder vulnerable to OIDC account takeover via email-based user matching and email_verified bypass

Summary Two flaws in Coder's OIDC login chained into account takeover: email-based user matching fell back to linking by email without checking for an existing link to a different IdP subject and the emailverified claim was only enforced when present as a boolean false so an absent or non-boolean...

7.4CVSS6AI score
Exploits0References4
OSV
OSV
added yesterday3 views

GHSA-75VM-6W67-GWVP Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking

Summary Coder's OIDC callback checked emailverified with a direct Go bool type assertion. When an IdP returned the claim as a non-boolean for example the string "false" or omitted it, the assertion failed open and the email was treated as verified. Combined with an unconditional email-based accou...

7.4CVSS5.9AI score
Exploits0References2
OSV
OSV
added yesterday3 views

GHSA-7V6W-C3F4-9WPQ OpenRemote has an incomplete fix for CVE-2026-40882: XXE in KNXProtocol.startAssetImport() allows arbitrary file read via unprotected XMLInputFactory

Summary The fix for CVE-2026-40882 addressed only the Velbus asset import handler. The KNX asset import handler KNXProtocol processes user-uploaded ETS project ZIP files through Saxon XSLT and XMLInputFactory.newInstance with no XXE protection, allowing any authenticated user to read arbitrary...

7.6CVSS6AI score
Exploits0References3
OSV
OSV
added yesterday3 views

DEBIAN-CVE-2026-54060

Bulletin has no description...

7.5CVSS5.9AI score
Exploits0References1
OSV
OSV
added yesterday2 views

DEBIAN-CVE-2026-58203

Bulletin has no description...

5.3CVSS5.9AI score
Exploits0References1
OSV
OSV
added yesterday3 views

DEBIAN-CVE-2026-54291

Bulletin has no description...

8.2CVSS5.9AI score
Exploits0References1
OSV
OSV
added yesterday3 views

DEBIAN-CVE-2026-55380

Bulletin has no description...

7.5CVSS5.9AI score
Exploits0References1
OSV
OSV
added yesterday3 views

DEBIAN-CVE-2026-54059

Bulletin has no description...

7.5CVSS5.9AI score
Exploits0References1
OSV
OSV
added yesterday3 views

DEBIAN-CVE-2026-58380

Bulletin has no description...

7.3CVSS5.9AI score
Exploits0References1
OSV
OSV
added yesterday3 views

DEBIAN-CVE-2026-55379

Bulletin has no description...

7.5CVSS5.9AI score
Exploits0References1
OSV
OSV
added yesterday2 views

GHSA-XQR9-4WVV-GVCH OpenRemote has Cross-Realm User Information Disclosure in UserResourceImpl

Summary A realm admin of tenant B can read the profile, client roles, and realm roles of any user in any other realm including the master realm by supplying the target user's UUID in the REST API path. Three read endpoints in UserResourceImpl check whether the caller holds the read:admin role but...

7.7CVSS6AI score
Exploits0References3
OSV
OSV
added yesterday3 views

GHSA-Q6H5-Q3Q6-F87X CiliumLocalRedirectPolicy addressMatcher allows cross-namespace service traffic hijacking and can break service translation

Impact Users with the ability to create CiliumLocalRedirectPolicies can specify arbitrary ClusterIPs via addressMatcher, which enables hijacking traffic to Services in any namespace, bypassing the namespace-scoping guarantees enforced by serviceMatcher. In addition, deleting such a policy can...

6.9CVSS6AI score
Exploits0References5
OSV
OSV
added yesterday2 views

GHSA-GV83-GQW6-9J2C GoFiber never set HSTS header in helmet middleware due to incorrect protocol check

Summary The helmet middleware in gofiber/fiber never sets the Strict-Transport-Security HSTS response header, even when HSTSMaxAge is explicitly configured, because the condition check at helmet.go:67 uses c.Protocol — which returns the HTTP protocol version string e.g., "HTTP/1.1", "HTTP/2.0" —...

4.8CVSS5.9AI score
Exploits0References2
OSV
OSV
added yesterday2 views

GHSA-GJGQ-W2M6-WR5Q Langroid: handle_message() executes user-supplied tool JSON without sender verification

Summary A Langroid application exposing a chat interface to untrusted users may allow direct tool invocation via raw JSON payloads, even when tools are registered with use=False, handle=True. Details enablemessage..., use=False, handle=True only prevents the LLM from being instructed to generate...

8.1CVSS6AI score
Exploits0References2
OSV
OSV
added yesterday2 views

GHSA-Q9P7-WQXG-MRHC Langroid: Sandbox Escape to Remote Code Execution via Incomplete `eval()` Mitigation in TableChatAgent

Advisory Details Title: Sandbox Escape to Remote Code Execution via Incomplete eval Mitigation in TableChatAgent Description: Summary Langroid is vulnerable to a critical Sandbox Escape leading to Remote Code Execution RCE in its TableChatAgent and VectorStore capabilities. When these agents...

10CVSS6.3AI score
Exploits0References2
OSV
OSV
added yesterday2 views

GHSA-6XC5-4R68-67FC Langroid: SQLChatAgent dangerous-function blocklist can be bypassed with quoted or schema-qualified pg_read_file calls

SQLChatAgent validatequery dangerous-pattern regex is bypassable via quoted/commented/qualified function names Summary The SQLChatAgent SQL-injection mitigation, with default allowdangerousoperations=False, combines a raw-text regex blocklist DANGEROUSSQLPATTERNS with a sqlglot SELECT-only...

9.3CVSS6.2AI score
Exploits0References2
OSV
OSV
added yesterday3 views

GHSA-CHWM-M7G7-685G Dragonfly scheduler v1 and v2 gRPC unauthenticated SSRF via attacker-controlled PeerHost in DownloadTinyFile

Summary The Dragonfly scheduler's v1 gRPC service contains an unauthenticated Server-Side Request Forgery SSRF. When a peer reports a successful download of a TINY task, the scheduler calls Peer.DownloadTinyFile and issues an HTTP GET to a host and port taken verbatim from the attacker-controlled...

6.9CVSS6.3AI score
Exploits0References11
OSV
OSV
added yesterday3 views

GHSA-R35R-FPX2-JGR4 Linuxfabrik Monitoring Plugins allow insecure creation of SQLite databases

Summary The SQLite databases are created at predictable static paths in /tmp. Any user can therefore create a symlink at these paths in /tmp pointing to arbitrary files. The monitoring scripts then follows these symlinks and then creates their database at the symlink target. This becomes really...

5.1CVSS6.2AI score
Exploits0References2
Total number of security vulnerabilities908957