7035 matches found
Python Liquid: Infinite loop when parsing malformed `{% case %}` tags
ImpactGiven a malformed % case % tag without associated % when % or % else % block, and no terminating % endcase % tag, Python Liquid hangs in an infinite loop at parse time. This allows malicious template authors to craft templates for a denial of service attack. PatchesThe issue is fixed in...
py7zr: Arbitrary File Write Vulnerability
SummaryThere exists an arbitrary file write vulnerability in py7zr 1.1.0, latest, which allows symbolic links to be recreated outside the destination directory via crafted malicious symbolic link chains. When using extractall to extract an archive, the library restores these symbolic links, linki...
PGHoard: Password written to debug log
ImpactWhen using .pgpass, database connection information including the username and password will be logged at the debug level. PatchesUpgrade to version 2.7.1 or greater. WorkaroundsFilter out debug-level logs. ReferencesThis issue was discovered by BugCrowd user DRAKOKORIAN...
jupyterlab-git excluded_paths Case-Sensitivity Bypass Allows Reading Excluded Directories
Summaryjupyterlab-git 0.53.0 latest, 2026-04-30 uses fnmatch.fnmatchcase in GitHandler.prepare jupyterlabgit/handlers.py:91 to enforce the admin-configured excludedpaths security control. Because fnmatchcase is unconditionally case-sensitive, an authenticated user on a case-insensitive filesystem...
jupyterlab-git extension: Stored XSS leading to RCE
OverviewAmazon Web Services AWS Security has identified a stored cross-site scripting XSS issue in the jupyterlab-git JupyterLab extension that can lead to remote code execution RCE. The issue exists in thePlainTextDiff.ts component, where the createHeader method passes Git filenames directly to...
BBOT: Arbitrary File Write in postman_download Module
The postmandownload module uses the workspace name field from the Postman API to construct the local directory path without sanitization. If a malicious workspace has a name containing path traversal characters, pathlib resolves the path outside the intended output directory, allowing an attacker...
Pipecat: Telephony WebSocket `/ws` Unauthenticated Call-Control Abuse via Attacker-Supplied Call SID
Development Runner Telephony WebSocket /ws Unauthenticated Call-Control Abuse via Attacker-Supplied Call SID SummaryThe pipecat development runner registers a /ws WebSocket endpoint for telephony testing that accepts connections without any authentication. An unauthenticated remote attacker who c...
BBOT: Server-Side Request Forgery (SSRF) in docker_pull module via WWW-Authenticate realm parsing
The dockerpull module uses the realm parameter from a Docker registry's WWW-Authenticate response header as the authentication endpoint without validation. An attacker in a man-in-the-middle position between bbot and a Docker registry could modify this header to redirect the authentication reques...
Hermes Agent creates response_store.db and webhook_subscriptions.json with world-readable permissions (mode 0o644)
Hermes Agent before 0.16.0 creates responsestore.db and webhooksubscriptions.json with world-readable permissions mode 0o644, exposing conversation history and HMAC secrets to local users. Attackers with local filesystem access can read these files directly to obtain sensitive data including...
pdfkit: Path traversal in from_string
In JazzCore python-pdfkit 1.0.0, the fromstring method enables the execution of JavaScript code within the context of the server application and the exfiltration of local files...
Hermes Agent contains a DNS rebinding vulnerability in WebSocket endpoints that allows remote attackers to bypass Host and Origin validation
Hermes Agent before 0.16.0 contains a DNS rebinding vulnerability in WebSocket endpoints that allows remote attackers to bypass Host and Origin validation. FastAPI HTTP middleware does not execute for WebSocket upgrade requests on /api/pty, /api/ws, /api/pub, and /api/events endpoints, enabling...
BBOT: Symlink-Following Arbitrary Write via github_workflows Module
The githubworkflows module constructs local directory paths from user-controlled repository names without validating for symlinks. A local attacker sharing the scan directory can plant a symlink at the predictable output path, causing workflow data to be written to an attacker-chosen location...
marimo contains a reflected cross-site scripting vulnerability in the notebook page
marimo before 0.23.9 contains a reflected cross-site scripting vulnerability in the notebook page that allows unauthenticated attackers to inject arbitrary JavaScript by exploiting improper escaping of single quotes in the file query parameter reflected into an inline JavaScript string literal...
OpenStack Horizon RC file generation does not escape special characters in project names
OpenStack Horizon before 25.7.4 produces scripts for OpenStack RC file downloading that may have a crafted project name with shell metacharacters. NOTE: some parties consider this a security hardening opportunity to address certain types of user error, not a vulnerability...
BBOT: Path traversal (Zip-Slip) in unarchive module - incomplete fix for CVE-2025-10284
The unarchive internal module's archive extraction commands perform no code-level validation on extracted file paths, relying entirely on the behavior of external tools e.g. GNU tar which varies by platform. While CVE-2025-10284 addressed git-specific RCE vectors, the underlying archive extractio...
Open WebUI: Cross-origin postMessage confirmation bypass via action:submit
SummaryThe chat message listener allows non-same-origin input:prompt and action:submit messages, so an external site can set prompt text and trigger submitPrompt in an authenticated victim session. I validated this with a cross-origin attacker page that auto-posted messages and caused unauthorize...
Open WebUI: Cross-user file disclosure via /api/chat/completions image_url field
summaryPOST /api/chat/completions accepts an imageurl.url value that, when it does NOT start with http://, https://, or data:image/, is interpreted as a file id and resolved against the global file table with no ownership check. An authenticated user can therefore set imageurl.url to another user...
Open WebUI: Stored XSS in Mermaid Markdown Preview
SummaryOpen WebUI renders Mermaid blocks from Markdown files in the file preview panel and inserts the generated SVG into the DOM using innerHTML.Because Mermaid is configured with securityLevel: 'loose', attacker-controlled Mermaid content can be rendered unsafely in this flow. A working payload...
Open WebUI: Authenticated users can target arbitrary configured Ollama backends via unguarded url_idx path parameter
SummarySeveral direct, index-addressed Ollama proxy routes accept a caller-supplied urlidxpath parameter and use it as a raw index into the admin-configured OLLAMABASEURLSlist. Access control on these routes validates only whether the user may use therequested model, never which backend the reque...
Open WebUI: Sibling-Prefix Path Traversal via /cache/{path}
SummaryA path traversal vulnerability exists in open-webui's cache file serving endpoint that allows any authenticated user to read files from sibling directories outside the intended cache directory, by exploiting an incomplete startswith containment check that lacks a trailing path separator.Th...
Open WebUI: Stored XSS to Account Takeover via Model Profile Images
Stored XSS to Account Takeover via Model Profile Images in Open WebUIAffected: Open WebUI = 0.9.5Bypass of: GHSA-3wgj-c2hg-vm6q, GHSA-3856-3vxq-m6fc--- TL;DROpen WebUI patched SVG XSS in user profile images and webhook profile images but forgot to apply the same fix to model profile images. The...
Open WebUI Prompt history IDOR: unbound history_id allows cross-prompt read and deletion
SummaryOpen WebUI's prompt version-history endpoints authorize the promptid in the URL but then act on caller-supplied history IDs without verifying that the history row belongs to that prompt historyentry.promptid == prompt.id. Three operations are affected:- GET...
Open WebUI: Path traversal / SSRF in terminal server proxy via encoded path traversal
SummaryThe terminal-server reverse proxy in backend/openwebui/routers/terminals.py does not fully confine the user-controlled path segment before forwarding it to an admin-configured terminal server. An authenticated user who has been granted access to a terminal server can craft path values...
Open WebUI: Forged model meta.knowledge allows cross-user file read and deletion
SummaryOpen WebUI lets a user who can create, update, or import workspace models store arbitrary meta.knowledge entries on their model without checking whether they own or can read the referenced files. Open WebUI then treats meta.knowledge entries of type file as an authorization source in two...
Open WebUI: Redirect-Bypass SSRF in OAuth `_process_picture_url` (incomplete-fix sibling of CVE-2026-45401)
Summarybackend/openwebui/utils/oauth.py::processpictureurl v0.9.5, lines 1435-1470 calls validateurlpictureurl on the initial URL only, then invokes aiohttp.ClientSession.getpictureurl, ... without allowredirects=False. aiohttp's default is allowredirects=True, maxredirects=10; the function does...
Open WebUI: Any authenticated user can read other users' private notes via Socket.IO
SummaryThe ydoc:document:join Socket.IO handler checks note ownership only when the documentid starts with note: colon. However, the YdocManager storage layer normalizes all document IDs by replacing colons with underscores documentid.replace":", "". An attacker can join a document room using not...
Open WebUI: Forged chat-file link allows cross-user file read and deletion
SummaryOpen WebUI v0.9.5 lets an authenticated user attach arbitrary fileid values to their own chat message without checking whether they own or can read those files. If the attacker then shares that chat and grants themselves read access, hasaccesstofile treats the victim file as accessible...
Open WebUI BOLA: `search_knowledge_files` Allows Unauthorized Knowledge Base File Enumeration
SummaryOpen WebUI has a Broken Object Level Authorization BOLA vulnerability in the builtin searchknowledgefiles tool.When native function calling is enabled and the selected model has no attached knowledge bases, an authenticated user can call searchknowledgefiles with an arbitrary knowledgeid...
Open WebUI: SSRF Protection Bypass in Playwright Web Loader via HTTP Redirects
SummaryThe SafePlaywrightURLLoader implements a validateurl function to prevent SSRF attacks by checking the IP address of the user-provided URL. However, this validation is performed only on the initial URL.Since Playwright automatically follows HTTP redirects 301/302 by default, an attacker can...
Open WebUI: RAG ACL Bypass in Milvus Multitenancy Mode
RAG ACL Bypass in Milvus Multitenancy Mode SummaryThis is a bypass of the fix for:- GHSA-h36f-rqpx-j5wx- CVE-2026-44560- "Unauthorized File and Knowledge Base Content Access via RAG Vector Search"Open WebUI added collection-level ACL checks, but the patch can still be bypassed when Milvus...
Open WebUI IDOR: Calendar event re-parenting allows writing events into another user's calendar
SummaryPOST /api/v1/calendars/events/eventid/update validates that the caller has write access to the calendar the event currently belongs to, but does not validate the destination calendarid supplied in the request body. The model layer then persists the new calendarid unconditionally.A regular...
vLLM: image EXIF Rotation & PNG tRNS Transparency Not Normalized, Causing Mismatch Between Model Input and Expectations
SummaryIssue 1: EXIF orientation not normalized → The image orientation processed by the model differs from how humans view it, introducing interpretation bias.Issue 2: PNG tRNS not explicitly flattened before converting to RGB → After conversion, transparent/semi-transparent pixels are rendered...
vLLM: GGUF dequantize kernel int truncation exposes uninitialized GPU memory in multi-tenant serving
SummaryInteger truncation of tensor dimensions in vLLM's GGUF dequantize kernels csrc/quantization/gguf/ggufkernel.cu causes partial tensor processing. The output tensor is allocated at full size via torch::empty uninitialized memory, but the dequantize CUDA kernel processes only a truncated numb...
vLLM: incomplete CVE-2026-22778 fix leaks PIL repr addresses via Anthropic router
vLLM: incomplete CVE-2026-22778 fix leaks PIL repr addresses via the Anthropic API routerResearcher: Kai Aizen — SnailSploit @SnailSploit, Adversarial & Offensive Security ResearchSeverity: CVSS 3.1 5.3 Medium AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NTarget: https://github.com/vllm-project/vllm---...
vLLM: OOM Denial of Service via Audio Decompression Bomb
SummaryvLLM's /v1/audio/transcriptions endpoint limits compressed upload size but not decoded PCM output. A 25MB OPUS file expands to 14.9GB of float32 PCM at decode time. Tested on vLLM v0.19.0. DetailsSpeechToTextProcessor rejects uploads over VLLMMAXAUDIOCLIPFILESIZEMB default 25MB based on...
yt-dlp: File Downloader cookie leak with curl
SummaryIf curl is used an external downloader for yt-dlp, cookies may be leaked to an unintended host upon HTTP redirect or when the host for download fragments differs from their parent manifest's.This is the equivalent to GHSA-v8mc-9377-rwjj for the curl downloader. The vulnerable behavior is...
vLLM: temperature=NaN and temperature=Infinity bypass validation and propagate to GPU kernels
SummaryAll temperature validation gates use comparison operators , which silently evaluate to False for NaN and for positive Infinity in Python's IEEE 754 float semantics. Both values pass every guard and propagate to GPU sampling kernels, where they produce undefined behavior or CUDA errors that...
OpenStack Nova: Nova scheduler hint injection bypasses Placement resource claims and scheduling constraints
Affects- Nova: =18.0.0 =32.0.0 =33.0.0 33.0.2 DescriptionErichen from the Institute of Computing Technology, Chinese Academy of Sciences reported that Nova's server create API does not strip internal scheduler hints. An authenticated user can bypass Placement resource claims and scheduling...
yt-dlp: Arbitrary code execution via manifest downloads with aria2c
SummaryIf aria2c is used as an external downloader for a fragmented manifest format such as an HLS/DASH stream, yt-dlp passes insufficiently sanitized input to aria2c that allows an attacker to perform an arbitrary file write. On Windows platforms, this can lead to immediate arbitrary code...
yt-dlp: Dangerous file type creation via insufficient filename sanitization (Bypass of CVE-2024-38519)
SummaryA vulnerability exists in yt-dlp that allows a remote attacker to write arbitrary OS-shortcut files such as .desktop, .url, .webloc to the user's filesystem, bypassing the remediation for CVE-2024-38519. DetailsThe fix for CVE-2024-38519 enforced an allowlist for file extensions, in order ...
python-multipart: Quadratic-time querystring parsing with semicolon separators causes CPU denial of service
SummaryWhen parsing application/x-www-form-urlencoded bodies, QuerystringParser located the field separator with a two step lookup: it first scanned the entire remaining buffer for &, and only when no & existed anywhere ahead did it fall back to scanning for ;. For a body that uses ; as the...
python-multipart: Content-Disposition parameter smuggling via RFC 2231/5987 extended parameters
Summaryparseoptionsheader parsed Content-Disposition and Content-Type headers with email.message.Message, which transparently applies RFC 2231/5987 decoding. The extended parameter syntax filename=charset'lang'value, name=..., and the filename0/filename1 continuation form is decoded and surfaced...
python-multipart: Negative Content-Length in parse_form buffers the entire body in memory
Summaryparseform did not validate the Content-Length header before using it to bound its chunked read of the request body. A negative Content-Length turned the bounded read into a read-until-EOF, so the entire body was loaded into memory in a single read instead of in fixed-size chunks...
pypdf: Inefficient decoding of FlateDecode PNG predictor streams
ImpactAn attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires accessing a stream which uses the /FlateDecode filter with a PNG predictor. PatchesThis has been fixed in pypdf==6.12.2. WorkaroundsIf you cannot upgrade yet, consider applying the changes fr...
pypdf: Possible infinite loop when processing outlines/bookmarks in writer
ImpactAn attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires merging a file with outlines into a writer. PatchesThis has been fixed in pypdf==6.13.0. WorkaroundsIf you cannot upgrade yet, consider applying the changes from PR 3830...
pypdf: Manipulated XMP metadata streams can exhaust RAM
ImpactAn attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing large XMP metadata, possibly with lots of unnecessary elements. PatchesThis has been fixed in pypdf==6.12.1. WorkaroundsIf you cannot upgrade yet, consider applying the changes...
pypdf: Possible large memory usage for form XObjects during text extraction
ImpactAn attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires extracting the text of a page which contains a form XObject with self-references. PatchesThis has been fixed in pypdf==6.12.2. WorkaroundsIf you cannot upgrade yet, consider applying the...
python-multipart: Semicolon treated as querystring field separator enables parameter smuggling
SummaryQuerystringParser treated ; as a field separator in application/x-www-form-urlencoded bodies, in addition to &. The WHATWG URL standard, modern browsers, and Python's urllib.parse since the CVE-2021-23336 fix treat only & as a separator. This creates a parser differential: the same bytes a...
Langflow: Path Traversal in Knowledge Bases API via Creation Endpoint
SummaryLangflow is vulnerable to Path Traversal in the Knowledge Bases API POST /api/v1/knowledgebases. This occurs because user-supplied knowledge base names are used directly to create file paths without proper sanitization or containment checks. An authenticated attacker can exploit this flaw ...
LangChain: Path traversal and sandbox escape in LangChain file-search middleware and loaders
SummarySeveral LangChain components that resolve filesystem paths or expand search patterns do not consistently confine the resolved path to the intended root directory. Affected behaviors include: a file-search agent middleware that validates a starting directory but not the search pattern or th...