5612 matches found
Open Redirect Vulnerability in Taguette
SummaryAn Open Redirect vulnerability exists in Taguette that allows attackers to craft malicious URLs that redirect users to arbitrary external websites after authentication. This can be exploited for phishing attacks where victims believe they are interacting with a trusted Taguette instance bu...
Weblate has improper validation upon invitation acceptance
ImpactIt was possible to accept an invitation opened by a different Weblate user. Patches https://github.com/WeblateOrg/weblate/pull/16913 WorkaroundsUsers should avoid leaving Weblate sessions with an unattended opened invitation. ReferencesThanks to Nahid0x for responsibly disclosing this...
ComposioHQ has a directory traversal vulnerability
Directory Traversal vulnerability in ComposioHQ v.0.7.20 allows a remote attacker to obtain sensitive information via the downloadfileordir function...
HTTP/HTTPS Traffic Interception Bypass in mad-proxy
A vulnerability in mad-proxy versions = 0.3 allows attackers to bypass HTTP/HTTPS traffic interception rules, potentially exposing sensitive traffic...
Pyrofork has a Path Traversal in download_media Method
SummaryThe downloadmedia method in Pyrofork does not sanitize filenames received from Telegram messages before using them in file path construction. This allows a remote attacker to write files to arbitrary locations on the filesystem by sending a specially crafted document with path traversal...
urllib3 streaming API improperly handles highly compressed data
Impacturllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once.When streaming a compressed response, urllib3 can perform decoding or decompression based on the HTTP...
urllib3 allows an unbounded number of links in the decompression chain
Impacturllib3 supports chained HTTP encoding algorithms for response content according to RFC 9110 e.g., Content-Encoding: gzip, zstd.However, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leadi...
NiceGUI Reflected XSS in ui.add_css, ui.add_scss, and ui.add_sass via Style Injection
SummaryA Cross-Site Scripting XSS vulnerability exists in ui.addcss, ui.addscss, and ui.addsass functions in NiceGUI v3.3.1 and earlier.These functions allow developers to inject styles dynamically. However, they lack proper sanitization or encoding for the JavaScript context they generate. An...
Peppol-py is vulnerable to XXE attacks due to Saxon configuration
Peppol-py before 1.1.1 allows XXE attacks because of the Saxon configuration. When validating XML-based invoices, the XML parser could read files from the filesystem and expose their content to a remote host...
Keras Directory Traversal Vulnerability
SummaryKeras's keras.utils.getfile function is vulnerable to directory traversal attacks despite implementing filtersafepaths. The vulnerability exists because extractarchive uses Python's tarfile.extractall method without the security-critical filter="data" parameter. A PATHMAX symlink resolutio...
Model Context Protocol (MCP) Python SDK does not enable DNS rebinding protection by default
DescriptionThe Model Context Protocol MCP Python SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on localhost without authentication using FastMCP with streamable HTTP or SSE transport, and has not configured...
Spotipy has a XSS vulnerability in its OAuth callback server
SummaryXSS vulnerability in OAuth callback server allows JavaScript injection through unsanitized error parameter. Attackers can execute arbitrary JavaScript in the user's browser during OAuth authentication. DetailsVulnerable Code: spotipy/oauth2.py lines 1238-1274 RequestHandler.doGETThe...
arcade-mcp-server Has Default Hardcoded Worker Secret That Allows Full Unauthorized Access to All HTTP MCP Worker Endpoints
SummaryThe arcade-mcp HTTP server uses a hardcoded default worker secret "dev" that is never validated or overridden during normal server startup. As a result, any unauthenticated attacker who knows this default key can forge valid JWTs and fully bypass the FastAPI authentication layer. This gran...
Calibre-Web Has a Stored Cross-Site Scripting (XSS) Vulnerability via the 'username' Field During User Creation
A Stored Cross-Site Scripting XSS vulnerability in Calibre-Web v0.6.25 allows attackers to inject malicious JavaScript into the 'username' field during user creation. The payload is stored unsanitized and later executed when the /ajax/listusers endpoint is accessed...
vLLM vulnerable to remote code execution via transformers_utils/get_config
Summaryvllm has a critical remote code execution vector in a config class named NemotronNanoVLConfig. When vllm loads a model config that contains an automap entry, the config class resolves that mapping with getclassfromdynamicmodule... and immediately instantiates the returned class. This fetch...
trytond does not enforce access rights for data export
Tryton trytond 6.0 before 7.6.11 does not enforce access rights for data export. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70...
fontTools is Vulnerable to Arbitrary File Write and XML injection in fontTools.varLib
SummaryThe fonttools varLib or python3 -m fontTools.varLib script has an arbitrary file write vulnerability that leads to remote code execution when a malicious .designspace file is processed. The vulnerability affects the main code path of fontTools.varLib, used by the fonttools varLib CLI and a...
trytond allows remote attackers to obtain sensitive trace-back (server setup) information
Tryton trytond before 7.6.11 allows remote attackers to obtain sensitive trace-back server setup information. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.70...
Werkzeug safe_join() allows Windows special device names
Werkzeug's safejoin function allows path segments with Windows device names. On Windows, there are special device names such as CON, AUX, etc that are implicitly present and readable in every directory. sendfromdirectory uses safejoin to safely serve files at user-specified paths under a director...
Bugsink is vulnerable to unauthenticated remote DoS via crafted Brotli input (via CPU)
ImpactIn affected versions, a specially crafted Brotli-compressed envelope can cause Bugsink to spend excessive CPU time in decompression, leading to denial of service.This can be done if the DSN is known, which it is in many common setups JavaScript, Mobile Apps. PatchesPatched in Bugsink 2.0.6...
vLLM vulnerable to DoS via large Chat Completion or Tokenization requests with specially crafted `chat_template_kwargs`
SummaryThe /v1/chat/completions and /tokenize endpoints allow a chattemplatekwargs request parameter that is used in the code before it is properly validated against the chat template. With the right chattemplatekwargs parameters, it is possible to block processing of the API server for long...
Insecure Deserialization (pickle) in pdfminer.six CMap Loader — Local Privesc
🚀 OverviewThis report demonstrates a real-world privilege escalation vulnerability in pdfminer.six due to unsafe usage of Python's pickle module for CMap file loading.It shows how a low-privileged user can gain root access or escalate to any service account by exploiting insecure deserialization ...
vLLM vulnerable to DoS with incorrect shape of multimodal embedding inputs
SummaryUsers can crash the vLLM engine serving multimodal models by passing multimodal embedding inputs with correct ndim but incorrect shape e.g. hidden dimension is wrong, regardless of whether the model is intended to support such inputs as defined in the Supported Models page.The issue has...
Bugsink is vulnerable to unauthenticated remote DoS via crafted Brotli input
ImpactIn affected versions, brotli "bombs" highly compressed brotli streams, such as many zeros can be sent to the server. Since the server will attempt to decompress these streams before applying various maximums, this can lead to exhaustion of the available memory and thus a Denial of...
vLLM deserialization vulnerability leading to DoS and potential RCE
SummaryA memory corruption vulnerability that leading to a crash denial-of-service and potentially remote code execution RCE exists in vLLM versions 0.10.2 and later, in the Completions API endpoint. When processing user-supplied prompt embeddings, the endpoint loads serialized tensors using...
pgAdmin is affected by an LDAP injection vulnerability
pgAdmin = 9.9is affected by an LDAP injection vulnerability in the LDAP authentication flow that allows an attacker to inject special LDAP characters in the username, causing the DC/LDAP server and the client to process an unusual amount of data DOS...
pgAdmin has vulnerability in LDAP authentication mechanism that allows bypassing TLS certificate verification
pgAdmin = 9.9is affected by avulnerability in the LDAP authentication mechanism allows bypassing TLS certificate verification...
Apache Doris-MCP-Server: Improper Access Control results in bypassing a "read-only" mode
An attacker with a valid read-only account can bypass Doris MCP Server’s read-only mode due to improper access control, allowing modifications that should have been prevented by read-only restrictions.Impact:Bypasses read-only mode; attackers with read-only access may perform unauthorized...
LangGraph Checkpoint affected by RCE in "json" mode of JsonPlusSerializer
SummaryPrior to langgraph-checkpoint version 3.0 , LangGraph’s JsonPlusSerializer used as the default serialization protocol for all checkpointing contains a remote code execution RCE vulnerability when deserializing payloads saved in the "json" serialization mode.If an attacker can cause your...
Dosage vulnerable to a Directory Traversal through crafted HTTP responses
ImpactWhen downloadinging comic images, Dosage constructs target file names from different aspects of the remote comic page URL, image URL, page content, etc.. While the basename is properly stripped of directory-traversing characters, the file extension is taken from the HTTP Content-Type header...
Agno session state overwrites between different sessions/users
ImpactUnder certain conditions under high concurrency, when sessionstate is passed to an Agent or Team during run or arun calls, a race condition can occur, causing a sessionstate to be assigned and persisted to the incorrect session. This may result in user data from one session being exposed to...
Apache Airflow `/api/v2/dagReports` executes DAG Python in API
API users via /api/v2/dagReports could perform Dag code execution in the context of the api-server if the api-server was deployed in the environment where Dag files were available...
cryptidy allows code execution via untrusted data due to pickle.loads
cryptidy through 1.2.4 allows code execution via untrusted data because pickle.loads is used. This occurs in aesdecryptmessage in symmetricencryption.py...
AstrBot contains a directory traversal vulnerability
AstrBot Project v3.5.22 contains a directory traversal vulnerability. The handler function installpluginupload of the interface '/plugin/install-upload' parses the filename from the request body provided by the user, and directly uses the filename to assign to filepath without checking the validi...
DSPy does not properly restrict file reads
The overly permissive sandbox configuration in DSPy allows attackers to steal sensitive files in cases when users build an AI agent which consumes user input and uses the “PythonInterpreter” class...
OctoPrint vulnerable to XSS in Action Commands Notification and Prompt
ImpactOctoPrint versions up to and including 1.11.3 are affected by a vulnerability that allows injection of arbitrary HTML and JavaScript into Action Command notification and prompt popups generated by the printer.An attacker who successfully convinces a victim to print a specially crafted file...
CKAN vulnerable to fixed session IDs
ImpactSession ids could be fixed by an attacker if the site is configured with server-side session storage CKAN uses cookie-based session storage by default. The attacker would need to either set a cookie on the victim's browser or steal the victim's currently valid session. Session identifiers a...
aiomysql allows arbitrary access to client files through vulnerability of a malicious MySQL server
SummaryThe client-side settings are not checked before sending local files to MySQL server, which allows obtaining arbitrary files from the client using a rogue server. DetailsIt is possible to create a rogue MySQL server that emulates authorization, ignores client flags and requests arbitrary...
FastMCP vulnerable to reflected XSS in client's callback page
SummaryWhile setting up an oauth client, it was noticed that the callback page hosted by the client during the flow embeds user-controlled content without escaping or sanitizing it. This leads to a reflected Cross-Site-Scripting vulnerability. DetailsThe affected code is located in...
Keras is vulnerable to arbitrary local file loading and Server-Side Request Forgery
The Keras.Model.loadmodel method, including when executed with the intended security mitigation safemode=True, is vulnerable to arbitrary local file loading and Server-Side Request Forgery SSRF.This vulnerability stems from the way the StringLookup layer is handled during model loading from a...
pypdf possibly loops infinitely when reading DCT inline images without EOF marker
ImpactAn attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires parsing the content stream of a page which has an inline image using the DCTDecode filter. PatchesThis has been fixed in pypdf==6.1.3. WorkaroundsIf you cannot upgrade yet, consider applyi...
LangGraph SQLite Checkpoint Filter Key SQL Injection POC for SqliteStore
SummaryLangGraph's SQLite store implementation contains SQL injection vulnerabilities using direct string concatenation without proper parameterization, allowing attackers to inject arbitrary SQL and bypass access controls. Details/langgraph/libs/checkpoint-sqlite/langgraph/store/sqlite/base.pyTh...
BBOT's gitlab.py exposes globally configured "gitlab" API key
Summarybbot's gitlab.py sends the user's "gitlab" API key to on-premise GitLab instances.If a user has configured a gitlab.com API key using this mechanism, it may be leaked to an attacker-controlled server. ImpactA user with a "gitlab" API key configured who uses bbot to scan a malicious webserv...
MLflow Tracking Server Model Creation Directory Traversal Remote Code Execution Vulnerability
MLflow Tracking Server Model Creation Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MLflow Tracking Server. Authentication is not required to exploit this vulnerability.The specific flaw...
MLflow Weak Password Requirements Authentication Bypass Vulnerability
MLflow Weak Password Requirements Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability.The specific flaw exists within the handling of passwords. T...
pg8000 SQL injection vulnerability via a specially crafted Python list input
SQL injection vulnerability in tlocke pg8000 1.31.4 allows remote attackers to execute arbitrary SQL commands via a specially crafted Python list input to function pg8000.native.literal...
Starlette vulnerable to O(n^2) DoS via Range header merging in ``starlette.responses.FileResponse``
SummaryAn unauthenticated attacker can send a crafted HTTP Range header that triggers quadratic-time processing in Starlette's FileResponse Range parsing/merging logic. This enables CPU exhaustion per request, causing denial‑of‑service for endpoints serving files e.g., StaticFiles or any use of...
pypdf can exhaust RAM via manipulated LZWDecode streams
ImpactAn attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the content stream of a page using the LZWDecode filter. PatchesThis has been fixed in pypdf==6.1.3. WorkaroundsIf you cannot upgrade yet, consider applying the changes from PR...
llama-index has Insecure Temporary File
The llamaindex library version 0.12.33 sets the NLTK data directory to a subdirectory of the codebase by default, which is world-writable in multi-user environments. This configuration allows local users to overwrite, delete, or corrupt NLTK data files, leading to potential denial of service, dat...
Synapse's invalid device keys degrade federation functionality
ImpactLack of validation for device keys in Synapse before 1.138.3 and in Synapse 1.139.0 allow an attacker registered on the victim homeserver to degrade federation functionality, unpredictably breaking outbound federation to other homeservers. PatchesPatched in Synapse 1.138.3, 1.138.4, 1.139.1...