7035 matches found
BabelDOC: Arbitrary Code Execution via CMap Pickle Deserialization in babeldoc/pdfminer/cmapdb.py
Arbitrary Code Execution via CMap Pickle Deserialization in babeldoc/pdfminer/cmapdb.py SummaryBabelDOC's vendored PDF parser babeldoc/pdfminer/cmapdb.py deserializes untrusted pickle data when loading CMap files. The loaddata method strips only NUL bytes from a PDF-controlled CMap name, then...
Mistune: Potential DoS via quadratic-time parsing in parse_link_text
SummaryMistune is vulnerable to a CPU exhaustion DoS due to superlinear approximately On² behavior in parselinktext. A relatively small input consisting of repeated characters causes significant parsing slowdown. Affected componentmistune/inlineparser.py → parselinktext DescriptionWhen parsing...
psd-tools vulnerable to arbitrary file write via smart-object filename
psd-tools: arbitrary file write/read via smart-object path traversal SummaryIn psd-tools all releases exposing the SmartObject API through v1.17.0, SmartObject.save writes an embedded smart object to a path taken verbatim from the PSD file. Because that name is attacker-controlled and unsanitised...
pypdf: Possible infinite loop when processing threads/articles in writer
ImpactAn attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires merging a file with threads/articles into a writer. PatchesThis has been fixed in pypdf==6.13.1. WorkaroundsIf users cannot upgrade yet, consider applying the changes from PR 3839...
Rattler vulnerable to package cache path traversal via conda package build string
rattlercache and py-rattler were vulnerable to package-cache path traversal when handling package metadata from conda channels.During cache materialization, the rattercache code used the package record build string as part of a cache key that was joined into a filesystem path. A malicious or...
pymonocypher: Potential heap buffer overflow on nb_blocks in argon2i_32 when provided buffer is too small
ImpactThe argon2i32 implementation does not check the nbblocks size. If the caller does not provide a sufficiently large buffer based on the API contract, then argon2i32 will write past the end of the buffer and possibly corrupt the heap. PatchesFixed in 4.0.2.8, which now verifies that nbblocks ...
Soup Sieve has Memory Exhaustion via Large Comma-Separated Selector Lists
SummaryThe CSS selector parser in soupsieve the CSS selector engine for Beautiful Soup 4 allocates unbounded memory when compiling large comma-separated selector lists. An attacker who can supply a crafted CSS selector string to soupsieve.compile or Beautiful Soup's .select / .selectone can cause...
Soup Sieve: Regular Expression Denial of Service (ReDoS) via Selector Parser
SummaryThe CSS selector parser in soupsieve the CSS selector engine for Beautiful Soup 4 contains a regular expression vulnerable to catastrophic backtracking. When processing an attribute selector with an unterminated quoted value, the VALUE regex pattern in cssparser.py enters exponential...
Open WebUI has Blind Server Side Request Forgery in its Image Edit Functionality
SummaryThere is a blind server side request forgery in the functionality that allows editing an image via a prompt. The affected function will perform a GET request on the URL provided by the user. There is no restriction on the domain of the provided URL allowing the local address space to be...
Open WebUI vulnerable to Stored XSS via iFrame embeds in response messages
SummaryManually modifying chat history allows setting the embeds property on a response message, the content of which is loaded into an iFrame with a sandbox that has allow-scripts and allow-same-origin set, ignoring the "iframe Sandbox Allow Same Origin" configuration. This enables stored XSS on...
pyLoad: Unbounded Memory Growth Leading to DoS and Potential DDoS in EventManager
Description:The EventManager module in pyload manages a list of Client instances for subscribing to events. The addition of each unique uuid from the getevents API causes the creation of a Client instance that gets appended to the clients list. Although there is a clean method available in the...
aiosmtplib vulnerable to SMTP command injection via CR/LF in sender/recipient address
Summaryaiosmtplib's SMTP.mail, SMTP.rcpt, SMTP.vrfy and SMTP.expn send the caller-supplied email address to the server without rejecting embedded CR/LF \r\n bytes. An address that contains a CR/LF is written verbatim onto the SMTP control connection, so the bytes after the CRLF are framed by the...
ONNX has Null Pointer Dereference in Upsample Version Converter Adapter (Zero Inputs)
SummaryNull pointer dereference SIGSEGV in Upsample67::adaptupsample67 onnx/versionconverter/adapters/upsample67.h:31 when convertversion processes a model with an Upsample node that has zero inputs. The adapter accesses node-inputs0-sizes without checking input count. 107-byte PoC crashes on...
`lxml_html_clean.Cleaner` does not strip `javascript:` URLs from namespaced URL attributes
lxmlhtmlclean.Cleaner does not strip javascript: URLs from namespaced URL attributes xlink:hrefReporter: Guillem Lefait · Date: 2026-05-10Affected: lxml ≤ 6.1.0 and lxmlhtmlclean ≤ 0.4.4 latest stableConfirmed against: lxml 6.1.0 + lxmlhtmlclean 0.4.4 on Python 3.13.5, 3.14.4, and 3.15.0a8 libxml...
Serena: Unauthenticated Flask dashboard on fixed port enables DNS rebinding → memory poisoning → RCE
SummarySerena's built-in web dashboard exposes an unauthenticated Flask API on a fixed, predictable port TCP 24282, hardcoded as 0x5EDA in constants.py. The server has no authentication, no CSRF protection, and no Host header validation. A DNS rebinding attack allows a malicious webpage to reach...
Open WebUI allows limited stored XSS vila uploaded html file
SummaryLow privileged users can upload HTML files which contain JavaScript code via the /api/v1/files/ backend endpoint. This endpoint returns a file id, which can be used to open the file in the browser and trigger the JavaScript code in the user's browser. Under the default settings, files...
Weblate SSRF: outbound URL guard misses some private ranges
ImpactWeblate's VCSRESTRICTPRIVATE did not properly account for some transitional IPv6 ranges, multicast addresses, or some semi-private IPv4 ranges, which allowed some addresses to bypass private range restrictions. Patches https://github.com/WeblateOrg/weblate/pull/19768 ResourcesThe issue was...
Open WebUI vulnerable to Stored XSS via iFrame in citations model
SummaryManually modifying chat history allows setting the html property within document metadata. This causes the frontend to enter a code path that treats document contents as HTML, and render them in an iFrame when the citation is previewed. This allows stored XSS via a weaponised document...
pyLoad: SSRF guard bypass via IPv6 6to4/NAT64 transition wrappers of internal IPs
Summaryisglobaladdress in src/pyload/core/utils/web/check.py is the central guard against SSRF-style outbound connections in pyload-ng. It tests whether a given IP is "globally routable" via Python's ipaddress.ipaddressvalue.isglobal, and callers treat not isglobal as "deny":pythondef...
Open WebUI vulnerable to stored XSS via unescaped markdown token in MarkdownTokens.svelte leading to full account takeover and RCE via functions
SummaryA vulnerability in the way certain html tags in chat messages are rendered allows attackers to inject JavaScript code into a chat transcript. The JavaScript code will be executed in the user's browser every time that chat transcript is opened, allowing attackers to retrieve the user's acce...
Langroid: handle_message() executes user-supplied tool JSON without sender verification
SummaryA Langroid application exposing a chat interface to untrusted users may allow direct tool invocation via raw JSON payloads, even when tools are registered with use=False, handle=True. Detailsenablemessage..., use=False, handle=True only prevents the LLM from being instructed to generate th...
Linuxfabrik Monitoring Plugins have local privilege escalation using embedded command
SummaryWhen a check plugin places user provided input inside a command which is passed to shellexec, an attacker can abuse this to run arbitrary commands. This is mainly dangerous for plugins which are listed in the sudoers file, because this allows an attacker controlling the nagios user to get...
WeasyPrint has CSS Injection via Presentational Hints
SummaryA CSS injection issue exists in WeasyPrint when HTML presentational hints are enabled. Unescaped attribute values are embedded into CSS, allowing injection of arbitrary CSS declarations. This affects applications processing untrusted HTML input. DetailsFile: weasyprint/css/init.pyThe...
Langroid: Neo4jChatAgent executes LLM-generated Cypher without validation (prompt-to-Cypher injection; config-conditional RCE), mirroring the SQLChatAgent bug fixed in CVE-2026-25879
Neo4jChatAgent passes LLM-generated Cypher queries straight to the Neo4j driver with no validation, no statement-type allowlist, and no opt-out gate. The query text is influenceable by prompt injection direct user input or indirect content the agent reads back via RAG, so an attacker who can...
Langroid: Sandbox Escape to Remote Code Execution via Incomplete `eval()` Mitigation in TableChatAgent
Advisory DetailsTitle: Sandbox Escape to Remote Code Execution via Incomplete eval Mitigation in TableChatAgentDescription: SummaryLangroid is vulnerable to a critical Sandbox Escape leading to Remote Code Execution RCE in its TableChatAgent and VectorStore capabilities. When these agents evaluat...
Kiwi TCMS has an Open Redirect via unvalidated next parameter in account confirmation endpoint
SummaryAn open redirect vulnerability in the account confirmation endpoint allows an unauthenticated attacker to craft a URL hosted on a legitimate Kiwi TCMS instance that redirects victims to an arbitrary external domain. The attack surface is particularly relevant for phishing campaigns targeti...
flyto-core has SSRF guard bypass via IPv6 transition addresses (IPv4-mapped / 6to4 / NAT64) in validate_url_ssrf
Summaryflyto-core's SSRF protection validateurlssrf / isprivateip in src/core/utils.py blocks private and metadata destinations by resolving the host and testing the resulting IP for membership in a hardcoded PRIVATEIPRANGES list. That list contains only the native RFC 1918 / loopback / link-loca...
Kiwi TCMS vulnerable to stored XSS via JavaScript: URI in extra_link field (TestPlan & TestCase)
SummaryIn Kiwi TCMS the fields TestCase.extralink and TestPlan.extralink were meant to represent URLs to external resources however in versions prior to 16.1 user input was not being sanitized and values were rendered verbatim which represents an opportunity for cross-site scripting exploitation...
Langroid: SQLChatAgent dangerous-function blocklist can be bypassed with quoted or schema-qualified pg_read_file calls
SQLChatAgent validatequery dangerous-pattern regex is bypassable via quoted/commented/qualified function names SummaryThe SQLChatAgent SQL-injection mitigation, with default allowdangerousoperations=False, combines a raw-text regex blocklist DANGEROUSSQLPATTERNS with a sqlglot SELECT-only stateme...
flyto-core has Unauthenticated Command Execution via HTTP MCP `execute_module`
Unauthenticated Command Execution via HTTP MCP executemodule SummaryThe HTTP MCP endpoint POST /mcp in flyto-core accepts unauthenticated JSON-RPC tools/call requests and dispatches them to arbitrary registered modules, including sandbox.executeshell, which passes attacker-controlled input direct...
Linuxfabrik Monitoring Plugins allow insecure creation of SQLite databases
SummaryThe SQLite databases are created at predictable static paths in /tmp. Any user can therefore create a symlink at these paths in /tmp pointing to arbitrary files. The monitoring scripts then follows these symlinks and then creates their database at the symlink target.This becomes really...
Langroid: Path traversal in the file tools allows read/write outside configured current directory
SummaryLangroid's ReadFileTool and WriteFileTool appear to treat currdir as the intended working-directory boundary for file operations. However, the tools only change the process working directory to currdir and then operate on the user-supplied filepath without resolving and enforcing that the...
joserfc: HS256/HS384/HS512 verify accepts empty/nil HMAC key (cross-language sibling of CVE-2026-45363)
Summaryjoserfc.jwt.decode accepts attacker-forged HMAC-signed tokens when thecaller-supplied verification key is the empty string or None.HMACAlgorithm.sign and HMACAlgorithm.verify insrc/joserfc/rfc7518/jwsalgs.py:62-70 feed whateverOctKey.getopkey... produced into hmac.new..., and...
Kiwi TCMS's /init-db/ page renders and responds to requests after first use
Kiwi TCMS provides the /init-db/ page as part of its setup mechanism for administrators who prefer a browser instead of the command line. In previous versions of Kiwi TCMS this page still renders and responds to requests even after first use. ImpactThe /init-db/ page does not require any user...
Dulwich's submodule path traversal in porcelain.submodule_update / porcelain.clone(recurse_submodules=True) yields RCE via attacker-dropped .git/hooks payload
Summarydulwich.porcelain.submoduleupdate, and by extension porcelain.clone..., recursesubmodules=True, materializes attacker-controlled submodule paths from a crafted upstream repository without path validation. A malicious .gitmodules plus a matching tree gitlink whose path is .git/hooks or any...
Open Babel has out-of-bounds write in MOPAC translationVectors[] (UNIT CELL TRANSLATION)
SummaryA memory-safety vulnerability in Open Babel's MOPAC output parserallowed an out-of-bounds write into the translationVectors arraywhen reading the "UNIT CELL TRANSLATION" block of a crafted inputfile. DetailsThe MOPAC output reader stored translation vectors from the UNIT CELLTRANSLATION...
Recce server has unauthenticated SQL execution that allows local file read/write through DuckDB
ImpactRecce OSS server deployments that expose the server to an untrusted network without authentication are vulnerable to unauthenticated SQL execution through the query run API.When Recce is configured with a DuckDB-backed project, an attacker can use DuckDB filesystem primitives to read and...
Linuxfabrik Monitoring Plugins: Sudoers may be able to obtain privilege escalation via /usr/bin/apt-get arguments
SummaryIn the Debian.sudoers file, apt-get is allowed for the nagios user. The full command including the arguments are not enforced and can therefore be choosen arbitrarily. This allows to easily get a root shell as the nagios user: PoCBy choosing a particular argument, you can get as a nagios...
Langroid: SQLChatAgent _validate_query blocklist misses pg_read_file family enabling arbitrary file read
SummarySQLChatAgent in langroid ships a validatequery defense-in-depth layerwhose DANGEROUSSQLPATTERNS regex blocklist enumerates dangerous SQLprimitives by specific function name. The list misses the canonicalPostgreSQL filesystem-disclosure family pgreadfile, pgstatfile,pglslogdir, pglswaldir,...
fast-mcp-telegram: Bearer token path traversal bypasses reserved Telegram session protection
Summaryfast-mcp-telegram validates HTTP Bearer tokens by joining the raw token string into a session-file path. The verifier rejects the exact reserved token telegram, but it does not reject path separators or normalize the path before checking whether the session file exists. A remote HTTP clien...
Open Babel has uninitialized pointer dereference in PQS pFormat
SummaryA memory-safety vulnerability in Open Babel's PQS parser caused anuninitialized pointer dereference when reading a crafted input file. DetailsThe flaw was in the pFormat handling of the PQS reader. A malformedinput caused the parser to dereference a format pointer that hadnever been...
Open Babel has out-of-bounds write in MOPAC IN translationVectors[] (Tv atom)
SummaryA memory-safety vulnerability in Open Babel's MOPAC input parserallowed an out-of-bounds write into the translationVectors arraywhen reading Tv translation-vector atoms from a crafted inputfile. DetailsThe MOPAC IN reader stored Tv-atom translation vectors into afixed-size translationVecto...
Open Babel has out-of-bounds write in PQS coord_file parser
SummaryA memory-safety vulnerability in Open Babel's PQS parser allowed anout-of-bounds write when reading a crafted input file. DetailsThe flaw was in the coordfile parsing path of the PQS reader. Amalformed coord file specifier caused the parser to write past theend of its destination buffer...
Open Babel has out-of-bounds write in MOPAC translationVectors[] (FINAL POINT)
SummaryA memory-safety vulnerability in Open Babel's MOPAC output parserallowed an out-of-bounds write into the translationVectors arraywhen reading the "FINAL POINT" block of a crafted input file. DetailsThe MOPAC output reader stored translation vectors from the FINALPOINT block into a fixed-si...
Open Babel has out-of-bounds write in ORCA nAtoms parser (second variant)
SummaryA memory-safety vulnerability in Open Babel's ORCA parser allowed anout-of-bounds write when reading a crafted input file. DetailsA second variant of the nAtoms out-of-bounds write in the ORCAreader: a different malformed-input path produced the same class ofwrite past the end of the...
Open Babel has uninitialized pointer dereference in MSI atom parser
SummaryA memory-safety vulnerability in Open Babel's MSI parser caused anuninitialized pointer dereference when reading a crafted input file. DetailsThe flaw was in the atom handling of the MSI reader. A malformedrecord caused the parser to dereference an atom pointer that hadnever been...
Open Babel has out-of-bounds write in ORCA nAtoms parser
SummaryA memory-safety vulnerability in Open Babel's ORCA parser allowed anout-of-bounds write when reading a crafted input file. DetailsThe flaw was in the nAtoms handling of the ORCA reader. A malformedinput caused the parser to write past the end of its destinationbuffer. ImpactOpen Babel is a...
Open Babel has out-of-bounds write in Gaussian translationVectors[]
SummaryA memory-safety vulnerability in Open Babel's Gaussian output parserallowed an out-of-bounds write into the translationVectors arraywhen reading a crafted input file. DetailsThe Gaussian reader stored periodic-cell translation vectors into afixed-size translationVectors array. A malformed...
Open Babel has uninitialized pointer dereference in GRO residue parser
SummaryA memory-safety vulnerability in Open Babel's GRO parser caused anuninitialized pointer dereference when reading a crafted input file. DetailsThe flaw was in the residue handling of the GRO reader. A malformedrecord caused the parser to use a residue pointer that had never beeninitialized...
Open Babel has out-of-bounds write in MOL2 attribute/value parser
SummaryA memory-safety vulnerability in Open Babel's MOL2 parser allowed anout-of-bounds write when reading a crafted input file. DetailsThe flaw was in the attribute/value parsing path of the MOL2 reader.An over-long attribute or value caused the parser to write past theend of a fixed-size...