7035 matches found
MobSF has SQL Injection in its SQLite Database Viewer Utils
DescriptionMobSF's readsqlite function in mobsf/MobSF/utils.py lines 542-566 uses Python string formatting % to construct SQL queries with table names read from a SQLite database's sqlitemaster table. When a security analyst uses MobSF to analyze a malicious mobile application containing a crafte...
Open WebUI's process_files_batch() endpoint missing ownership check, allows unauthorized file overwrite
SummaryAny authenticated user can overwrite any file's content by ID through the POST /api/v1/retrieval/process/files/batch endpoint. The endpoint performs no ownership check, so a regular user with read access to a shared knowledge base can obtain file UUIDs via GET /api/v1/knowledge/id/files an...
pypdf: Possible infinite loop during recovery attempts in DictionaryObject.read_from_stream
ImpactAn attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires reading a file in non-strict mode. PatchesThis has been fixed in pypdf==6.9.2. WorkaroundsIf users cannot upgrade yet, consider applying the changes from PR 3693...
NVIDIA NeMo Framework contains a vulnerability leading to Remote Code Execution
NVIDIA NeMo Framework contains a vulnerability where an attacker may cause remote code execution. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure and data tampering...
MindSQL is vulnerable to Code Injection through its ask_db function
A vulnerability was found in Mindinventory MindSQL up to 0.2.1. Impacted is the function askdb of the file mindsql/core/mindsqlcore.py. Performing a manipulation results in code injection. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was...
Stored XSS in PySpector HTML Report Generation leads to Javascript Code Execution
SummaryPySpector versions = 0.1.6 are affected by a stored Cross-Site Scripting XSS vulnerability in the HTML report generator. When PySpector scans a Python file containing JavaScript payloads i.e. inside a string passed to eval , the flagged code snippet is interpolated into the HTML report...
Denial of service via non-terminating SYLT frame parsing loop in tinytag
Summarytinytag 2.2.0 allows an attacker who can supply MP3 files for parsing to trigger a non-terminating loop while the library parses an ID3v2 SYLT synchronized lyrics frame. In server-side deployments that automatically parse attacker-supplied files, a single 498-byte MP3 can cause the parsing...
Improper S3 ownership verification in Bedrock AgentCore Starter Toolkit
SummaryAn issue has been identified in the Bedrock AgentCore Starter Toolkit versions prior to v0.1.13 that may allow a remote actor to inject code during the build process, leading to code execution in the AgentCore Runtime. ImpactA remote actor could inject code during the build process, leadin...
pypdf has inefficient decoding of array-based streams
ImpactAn attacker who uses this vulnerability can craft a PDF which leads to long runtimes and/or large memory usage. This requires accessing an array-based stream with lots of entries. PatchesThis has been fixed in pypdf==6.9.1. WorkaroundsIf you cannot upgrade yet, consider applying the changes...
PySpector has a Plugin Sandbox Bypass leads to Arbitrary Code Execution
SummaryPySpector versions = 0.1.6 are affected by a security validation bypass in the plugin system. The validateplugincode function in pluginsystem.py, performs static AST analysis to block dangerous API calls before a plugin is trusted and executed. However, the internal resolvename helper only...
Arbitrary file write via tar traversal in mlflow
A vulnerability in MLflow's pyfunc extraction process allows for arbitrary file writes due to improper handling of tar archive entries. Specifically, the use of tarfile.extractall without path validation enables crafted tar.gz files containing .. or absolute paths to escape the intended extractio...
DeepDiff has Memory Exhaustion DoS through SAFE_TO_IMPORT
SummaryThe pickle unpickler RestrictedUnpickler validates which classes can be loaded but does not limit their constructor arguments. A few of the types in SAFETOIMPORT have constructors that allocate memory proportional to their input builtins.bytes, builtins.list, builtins.range. A 40-byte pick...
PyMuPDF has a path traversal in _main_.py
A path traversal and arbitrary file write vulnerability exist in the embedded get function in 'main.py' in PyMuPDF version, 1.26.5...
Vanna has a SQL injection in the remove_training_data function
A flaw has been found in vanna-ai vanna up to 2.0.2. This impacts the function removetrainingdata of the file src/vanna/legacy/google/bigqueryvector.py. This manipulation of the argument ID causes sql injection. The attack can be initiated remotely. The exploit has been published and may be used...
Frigte has broken access control viewer user can delete admin and other users account
SummaryUsers with the viewer role can delete admin and other users account. It this leads to denial of service and affects data integrity. DetailsEndpoint DELETE /api/users/admin is enable to anonymous user. PoCI deleted admin user on demo.frigate.video: ImpactIt this leads to denial of service a...
ha-mcp OAuth 2.1 DCR mode enables network reconnaissance via an error oracle
SummaryThe ha-mcp OAuth consent form beta feature accepts a user-supplied haurl and makes a server-side HTTP request to haurl/api/config with no URL validation. An unauthenticated attacker can submit arbitrary URLs to perform internal network reconnaissance via an error oracle. Two additional cod...
multipart vulnerable to ReDoS in `parse_options_header()`
SummaryThe parseoptionsheader function in multipart.py uses a regular expression with an ambiguous alternation, which can cause exponential backtracking ReDoS when parsing maliciously crafted HTTP or multipart segment headers. This can be abused for denial of service DoS attacks against web...
MLflow has a command injection in mlflow/sagemaker/__init__.py
A command injection vulnerability exists in mlflow/mlflow versions before v3.7.0, specifically in the mlflow/sagemaker/init.py file at lines 161-167. The vulnerability arises from the direct interpolation of user-supplied container image names into shell commands without proper sanitization, whic...
django-unicorn affected by component state manipulation via unvalidated attribute access
SummaryComponent state manipulation is possible in django-unicorn due to missing access control checks during property updates and method calls. An attacker can bypass the intended ispublic protection to modify internal attributes such as templatename or trigger protected methods. Vulnerability...
ha-mcp has XSS via Unescaped HTML in OAuth Consent Form
SummaryThe ha-mcp OAuth consent form renders user-controlled parameters via Python f-strings with no HTML escaping. An attacker who can reach the OAuth endpoint and convince the server operator to follow a crafted authorization URL could execute JavaScript in the operator's browser. This affects...
pypdf: manipulated stream length values can exhaust RAM
ImpactAn attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing a content stream with a rather large /Length value, regardless of the actual data length inside the stream. PatchesThis has been fixed in pypdf==6.8.0. WorkaroundsIf you cannot...
SGLangs `replay_request_dump.py` contains an insecure pickle.load() without validation and proper deserialization
SGLangs replayrequestdump.py contains an insecure pickle.load without validation and proper deserialization. An attacker can take advantage of this by providing a malicious .pkl file, which will execute the attackers code on the device running the script...
Graphiti vulnerable to Cypher Injection via unsanitized node_labels in search filters
SummaryGraphiti versions before 0.28.2 contained a Cypher injection vulnerability in shared search-filter construction for non-Kuzu backends. Attacker-controlled label values supplied through SearchFilters.nodelabels were concatenated directly into Cypher label expressions without validation.In M...
Magic Wormhole: "wormhole receive" allows arbitrary local file overwrite
ImpactWhat kind of vulnerability is it? Who is impacted?Receiving a file wormhole receive from a malicious party could result in overwriting critical local files, including /.ssh/authorizedkeys and .bashrc. This could be used to compromise the receiver's computer.Only the sender of the file the...
FastMCP OAuth Proxy token reuse across MCP servers
While testing the OAuth Proxy implementation, it was noticed that the server does not properly respect the resource parameter submitted by the client in the authorization and token request. Instead of issuing the token explicitly for this MCP server, the token is issued for the baseurl passed to...
mcp-memory-service Vulnerable to System Information Disclosure via Health Endpoint
SummaryThe /api/health/detailed endpoint returns detailed system information including OS version, Python version, CPU count, memory totals, disk usage, and the full database filesystem path. When MCPALLOWANONYMOUSACCESS=true is set required for the HTTP server to function without OAuth/API key,...
vLLM has SSRF Protection Bypass
SummaryThe SSRF protection fix for https://github.com/vllm-project/vllm/security/advisories/GHSA-qh4c-xf7m-gxfc can be bypassed in the loadfromurlasync method due to inconsistent URL parsing behavior between the validation layer and the actual HTTP client. Affected Component- File:...
MCP Atlassian has SSRF via unvalidated X-Atlassian-Jira-Url / X-Atlassian-Confluence-Url headers
SummaryAn unauthenticated attacker who can reach the mcp-atlassian HTTP endpoint can force the server process to make outbound HTTP requests to an arbitrary attacker-controlled URL by supplying two custom HTTP headers without an Authorization header. No authentication is required. The vulnerabili...
Apache Airflow Providers Http has Unsafe Pickle Deserializatio leading to RCE via HttpOperator
A user with access to the DB could craft a database entry that would result in executing code on Triggerer - which gives anyone who have access to DB the same permissions as Dag Author. Since direct DB access is not usual and recommended for Airflow, the likelihood of it making any damage is...
Apache Airflow AWS Auth Manager has Host Header Injection Leading to SAML Authentication Bypass
In AWS Auth manager, the origin of the SAML authentication has been used as provided by the client and not verified against the actual instance URL.This allowed to gain access to different instances with potentially different access controls by reusing SAML response from other instances.You shoul...
mcp-memory-service's Wildcard CORS with Credentials Enables Cross-Origin Memory Theft
SummaryWhen the HTTP server is enabled MCPHTTPENABLED=true, the application configures FastAPI's CORSMiddleware with alloworigins='', allowcredentials=True, allowmethods="", and allowheaders="". The wildcard Access-Control-Allow-Origin: header permits any website to read API responses cross-origi...
Azure MCP Server has Server-Side Request Forgery issue that allows authorized attacker to elevate privileges over a network
Server-Side Request Forgery SSRF in Azure MCP Server allows an authorized attacker to elevate privileges over a network...
Django vulnerable to Uncontrolled Resource Consumption
An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29.URLField.topython in Django calls urllib.parse.urlsplit, which performs NFKC normalization on Windows that is disproportionately slow for certain Unicode characters, allowing a remote attacker to cause denial of...
MS-Agent vulnerable to Command Injection
A Command Injection vulnerability in ModelScope's MS-Agent versions v1.6.0rc1 and earlier exists, allowing an attacker to execute arbitrary operating system commands through crafted prompt-derived input...
OpenChatBI has a Path Traversal Vulnerability in save_report Tool
ImpactThe savereport tool in openchatbi/tool/savereport.py suffers from a critical path traversal vulnerability due to insufficient input sanitization of the fileformat parameter. The function only removes leading dots of fileformat using fileformat.lstrip"." but allows path traversal sequences...
RAGAS has an Arbitrary File Read vulnerability
An Arbitrary File Read vulnerability exists in the ImageTextPromptValue class in Exploding Gradients RAGAS v0.2.3 to v0.2.14. The vulnerability stems from improper validation and sanitization of URLs supplied in the retrievedcontexts parameter when handling multimodal inputs...
OpenViking contains a Path Traversal vulnerability
OpenViking versions 0.2.1 and prior, fixed in commit46b3e76, contain a path traversal vulnerability in the .ovpack import handling that allows attackers to write files outside the intended import directory. Attackers can craft malicious ZIP archives with traversal sequences, absolute paths, or...
Django has a Race Condition vulnerability
An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29.Race condition in file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissions via concurrent requests, where one thread's...
dbt-common's commonprefix() doesn't protect against path traversal
ImpactWhat kind of vulnerability is it? Who is impacted?A path traversal vulnerability exists in dbt-common's safeextract function used when extracting tarball archives. The function uses os.path.commonprefix to validate that extracted files remain within the intended destination directory...
pypdf vulnerable to inefficient decoding of ASCIIHexDecode streams
ImpactAn attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires accessing a stream which uses the /ASCIIHexDecode filter. PatchesThis has been fixed in pypdf==6.7.5. WorkaroundsIf you cannot upgrade yet, consider applying the changes from PR 3666...
BentoML Vulnerable to Arbitrary File Write via Symlink Path Traversal in Tar Extraction
Arbitrary File Write via Symlink Path Traversal in Tar Extraction SummaryThe safeextracttarfile function validates that each tar member's path is within the destination directory, but for symlink members it only validates the symlink's own path, not the symlink's target. An attacker can create a...
LangGraph: BaseCache Deserialization of Untrusted Data may lead to Remote Code Execution
ContextA Remote Code Execution vulnerability exists in LangGraph's caching layer when applications enable cache backends that inherit from BaseCache and opt nodes into caching via CachePolicy. Prior to langgraph-checkpoint 4.0.0, BaseCache defaults to JsonPlusSerializerpicklefallback=True. When...
joserfc's PBES2 p2c Unbounded Iteration Count enables Denial of Service (DoS)
Summary A resource exhaustion vulnerability in joserfc allows an unauthenticated attacker to cause a Denial of Service DoS via CPU exhaustion. When the library decrypts a JSON Web Encryption JWE token using Password-Based Encryption PBES2 algorithms, it reads the p2c PBES2 Count parameter directl...
wger: IDOR in nutritional_values endpoints exposes private dietary data via direct ORM lookup
SummaryThree nutritionalvalues action endpoints fetch objects via Model.objects.getpk=pk — a raw ORM call that bypasses the user-scoped queryset. Any authenticated user can read another user's private nutrition plan data, including caloric intake and full macro breakdown, by supplying an arbitrar...
pypdf: Manipulated RunLengthDecode streams can exhaust RAM
ImpactAn attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the content stream using the RunLengthDecode filter. PatchesThis has been fixed in pypdf==6.7.4. WorkaroundsIf you cannot upgrade yet, consider applying the changes from PR 3664...
wger: IDOR via user-unscoped cache keys on routine API actions exposes workout data
SummaryFive routine detail action endpoints check a cache before calling self.getobject. Cache keys are scoped only by pk — no user ID is included. When a victim has previously accessed their routine via the API, an attacker can retrieve the cached response for the same PK without any ownership...
mcp-server-git : Path traversal in git_add allows staging files outside repository boundaries
In mcp-server-git versions prior to 2026.1.14, the gitadd tool did not validate that file paths provided in the files argument were within the repository boundaries. The tool used GitPython's repo.index.add, which did not enforce working-tree boundary checks for relative paths. As a result,...
OpenEXR's CompositeDeepScanLine integer-overflow leads to heap OOB write
SummaryFunction: CompositeDeepScanLine::readPixels, reachable from high-level multipart deep read flows MultiPartInputFile + DeepScanLineInputPart + CompositeDeepScanLine.Vulnerable lines src/lib/OpenEXR/ImfCompositeDeepScanLine.cpp:- totalsizesptr += countsjptr; line 511- overallsamplecount +=...
zae-limiter: DynamoDB hot partition throttling enables per-entity Denial of Service
SummaryAll rate limit buckets for a single entity share the same DynamoDB partition key namespace/ENTITYid. A high-traffic entity can exceed DynamoDB's per-partition throughput limits 1,000 WCU/sec, causing throttling that degrades service for that entity — and potentially co-located entities in...
wger: IDOR in RepetitionsConfig and MaxRepetitionsConfig API leak other users' workout data
SummaryRepetitionsConfigViewSet and MaxRepetitionsConfigViewSet return all users' repetition config data because their getqueryset calls .all instead of filtering by the authenticated user. Any registered user can enumerate every other user's workout structure. Detailswger/manager/api/views.py:49...