7035 matches found
pypdf: Possible infinite loop when retrieving fonts for layout-mode text extraction
ImpactAn attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires extracting the text in layout mode. PatchesThis has been fixed in pypdf==6.13.0. WorkaroundsIf you cannot upgrade yet, consider applying the changes from PR 3830...
Galaxy NG: command injection vulnerability
A command injection vulnerability was found in galaxyng. The dogitcheckout function in the legacy role import API v1 interpolates unsanitized git ref names branch/tag names into shell commands executed via subprocess.run with shell=True. An authenticated user who controls a git repository can...
Tornado: Authorization header forwarded across cross-origin redirects in SimpleAsyncHTTPClient
SummaryWhen SimpleAsyncHTTPClient follows a 3xx redirect, it shallow-copies the original HTTPRequest, rewrites the URL, decrements maxredirects, and removes only the Host header. It does not clear Authorization, authusername, authpassword, or authmode when the redirect target changes origin.As a...
Tornado has out-of-bounds memory access via C extension
SummaryTornado's optional native extension tornado.speedups implements websocketmask without validating that the mask argument is exactly four bytes long. The C function reads four bytes from mask unconditionally, even when Python passes a shorter byte string. This can read beyond the provided...
tornado AsyncHTTPClient accumulates decompressed chunks without size limit (gzip bomb)
Tornado's gzip decompression routines work in limited-size chunks, but have no overall limit for the total size of decompressed chunks that they will accumulate There has always been a limit for the total compressed size. This allows a malicious server to consume effectively unlimited amounts of...
PDM: Project-Controlled `.pdm-plugins` Content Executes Before CLI Parsing
SummaryPDM automatically loads project-local plugin paths from .pdm-plugins during Core initialization. Because this path is added via site.addsitedir, attacker-controlled .pth files inside the project plugin directory are processed and can execute Python code before normal CLI handling begins.Th...
pypdf: Possible large memory usage for large offsets for layout mode text
ImpactAn attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires extracting text in layout mode with large character offsets. PatchesThis has been fixed in pypdf==6.12.0. WorkaroundsIf developers are unable to immediately upgrade, they should consider...
python-zeroconf: Unbounded TC-deferred queue allows LAN-local memory exhaustion via spoofed-source flood
ImpactAsyncListener.handlequeryordefer retained every truncated TC-bit incoming query in self.deferredaddr and armed a per-addr timer in self.timersaddr that flushed the reassembled query within 500 ms RFC 6762 §18.5. Neither the per-addr list nor the number of distinct addr keys was capped, and...
PDM: Project-Local State and Config Writes Follow Symlinks
SummaryPDM writes several project-local state or configuration files without symlink protection. If a malicious repository places those files as symlinks, local PDM operations can overwrite the symlink targets.This creates an arbitrary file clobber primitive relative to the privileges of the...
Kolibri has Unauthenticated Server-Side Request Forgery (SSRF) in RemoteFacilityUserViewset
SummarySeveral Kolibri API endpoints accept an unvalidated baseurl parameter and fetch attacker-controlled URLs from the Kolibri server, reflecting the response body back to the caller. The original report identified two endpoints on the RemoteFacilityUser viewsets; remediation review found two...
pypdf: Possible long runtimes for zero-only width values in cross-reference streamsuntimes for zero-only width values in cross-reference streams
ImpactAn attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires cross-reference streams with /W 0 0 0 values and large /Size values. PatchesThis has been fixed in pypdf==6.12.0. WorkaroundsIf developers are unable to upgrade their apps immediately, they...
PDM wheel installation leads to Path Traversal via overridden write_to_fs
InstallDestination.writetofs in src/pdm/installers/installers.py overrides the base class to add symlink/hardlink support but replaces the safe pathwithdestdir which validates via Path.resolve + isrelativeto with a bare os.path.join that performs no path validation. A malicious wheel with travers...
WsgiDAV encoded dot segments can escape filesystem share roots
ImpactWsgiDAV 4.3.3 can allow a WebDAV request path containing an encoded parent-directory segment to escape the configured filesystem share root in a specific path layout. PatchesThe issue is fixed with version 4.3.4. PreconditionsThe practical impact depends on the deployment.The deployment use...
Bugsink: Issue bulk actions can affect another project’s issue if its UUID is known
DescriptionBugsink’s issue list supports bulk actions such as resolving or muting selected issues. In affected versions, the issue list view authorizes access through the project in the URL, but applies the requested bulk action to the submitted issue IDs without also requiring those issues to...
Bugsink: Project scoping missing in sourcemap and debug-file lookup
SummaryBugsink before 2.2.0 resolved sourcemaps and debug files by debug ID without scoping that lookup to the project that owned the uploaded metadata. An authenticated user with access to one project could cause event processing in that project to use sourcemap/debug-file metadata uploaded for...
Vantage6: Set admin user and password from environment or configuration
ImpactVantage6 currently provides an initial user with username root and password root. This is not ideal for the following reasons:- Attackers know that almost all vantage6 servers have a user with username root that probably has admin rights- The initial password is very weak and it is possible...
vantage6 node has an Improper Access Control issue
ImpactMalicious algorithms can potentially access other algorithms input and output files. PatchesTodo WorkaroundsVerify and restrict the algorithm containers that are allowed to run on your node. See here on how to do this. Referenceshttps://docs.vantage6.ai/usage/running-the-node/security For...
Litestar has HTML Injection Through its CSRF Token
OverviewLitestar instances which use a template engine in conjunction with CSRF protection are vulnerable to HTML Injection which can be escalated to Cross Site Scripting due to the contents of the CSRF cookie being excluded from automatic escaping by the template engine when configured inline wi...
Litestar: AllowedHostsMiddleware bypasses host validation via client-controlled X-Forwarded-Host header
SummaryAllowedHostsMiddleware trusts the X-Forwarded-Host header as a fallback when the Host header is absent. Since X-Forwarded-Host is a client-controllable header, an attacker can bypass the allowed hosts validation by omitting the Host header and supplying an X-Forwarded-Host header set to a...
Dulwich doesn't sanitize commit subjects in `porcelain.format_patch`
Impactdulwich.porcelain.formatpatchoutdir=... derives each patch filename from the commit's subject line. Prior to this fix, getsummary only replaced spaces with dashes - path separators /, \, parent-directory components .., and other filename-hostile characters e.g. : were preserved verbatim and...
Bugsink: Issue event views can show an event from another project if its UUID is known
DescriptionBugsink issue event pages accept a direct event identifier from the URL and, in affected versions, look up that event without also requiring it to belong to the issue in the URL.This is a project-boundary authorization issue: a logged-in user with access to one project can view another...
Bugsink: DOS using large numbers of event tags
SummaryIn affected versions, Bugsink stores every tag supplied with an incoming event. An event with an unusually large numberof custom i.e. supplied by an attacker tags can therefore make ingestion spend more time than intended writing tag rows.Bugsink uses a single-writer database architecture...
Dulwich has unbounded memory allocation in receive-pack from crafted thin packs
ImpactAn uncontrolled-resource-consumption memory exhaustion denial-of-service vulnerability CWE-400 / CWE-789.A client with push access could push a tiny crafted thin pack 174 bytes whose delta header declares a huge destsize. When dulwich ingested it via addthinpack / applydelta, it would...
praisonai-platform: Agent endpoints accept any agent_id without workspace ownership check, cross-workspace read/update/delete IDOR
SummaryType: Insecure Direct Object Reference. The agent CRUD endpoints GET / PATCH / DELETE /workspaces/workspaceid/agents/agentid gate access on requireworkspacememberworkspaceid only, then resolve agentid through AgentService.getagentid which is a primary-key lookup with no workspace constrain...
malla: Stored XSS via Meshtastic node names in multiple frontend pages
Node names longname, shortname received via MQTT are stored in SQLite without sanitization and rendered into the DOM without escaping.Any participant on a public Meshtastic MQTT broker can set a malicious node name that executes JavaScript in the browser of every Malla dashboard visitor.Affected...
Docling Core: Unsafe remote filename resolution
ImpactIn versions = 1.5.0, = 2.74.1 WorkaroundsIf upgrading is not immediately possible, avoid passing untrusted URLs into remote fetch functionality. References- Fix release: v2.74.1...
Code Index MCP is vulnerable to Uncontrolled Resource Consumption
A weakness has been identified in johnhuang316 code-index-mcp up to 2.14.0. Affected is the function issaferegexpattern of the component searchcodeadvanced. Executing a manipulation of the argument regex can lead to inefficient regular expression complexity. It is possible to launch the attack...
Vantage6: 2FA can be circumvented with hacked email access
ImpactIf an attacker hacks into a vantage6 user's email account, they can 1 reset the password via email and then 2 reset the 2FA token via email. This way they reduce 2FA to 1FA email access. Note that most email providers require 2FA to access email, so this issue is not very likely to cause...
Docling Core: Insufficient validation of image reference URIs
ImpactIn versions = 2.5.0, = 2.74.1 WorkaroundsIf upgrading is not immediately possible:- reject file: and data: image references from untrusted input- allow only approved local or remote image sources- apply input size and memory limits to processing workers References- Fix release: v2.74.1...
OpenMed vulnerable to remote code injection through privacy-filter model loading path
OpenMed before 1.5.2 contains a remote code execution vulnerability in the PII privacy-filter model loading path. The privacy-filter dispatcher used broad substring matching on the user-supplied modelname parameter, allowing a value such as attacker/foo-privacy-filter-bar to route through a path...
Vantage6: No limit on emails sent for password/MFA reset
ImpactUsers can reset their MFA token via API routes that send them an email. Currently the number of emails that is sent is not limited. This gives attackers the option to flood someones mailbox with a lot of emails, and would have adverse effects on the SMTP server which may be seen as spam...
kas's late signature validation may allow unnoticed repository manipulations
ImpactSo far, kas checks out and processes repositories regarding configuration includes prior to validating signatures of those repositories. This may allow to replace on original repository with one under the control of an attacker under very specific conditions.First of all, the attacker must...
Jupyter Server vulnerable to Path Traversal via incorrect root directory boundary check in _get_os_path()
A path traversal vulnerability exists in jupyter-server version 2.17.0 due to an incorrect root directory boundary check in the getospath function within jupyterserver/services/contents/fileio.py. The check uses startswithroot without appending a trailing path separator, allowing sibling...
FoundationAgents MetaGPT: Deserialization through flawed argument mapping via Message.check_instruct_content()
A weakness has been identified in FoundationAgents MetaGPT up to 0.8.2. This affects the function Message.checkinstructcontent of the file metagpt/schema.py. Executing a manipulation of the argument mapping can lead to deserialization. The attack is restricted to local execution. The exploit has...
MLflow: Any authenticated user can enumerate all gateway secrets, endpoints, and model definitions
MLflow 3.9.0 with basic-auth --app-name basic-auth fails to enforce authorization checks for multiple Gateway API 'list' endpoints. Specifically, the BEFOREREQUESTHANDLERS dictionary in mlflow/server/auth/init.py does not include entries for ListGatewaySecretInfos, ListGatewayEndpoints, and...
praisonai-platform: Any workspace member can delete the entire workspace via DELETE /workspaces/{id}
SummaryType: Authorization bypass enabling destructive action. The DELETE /workspaces/workspaceid endpoint is gated only by requireworkspacememberworkspaceid default minrole="member". Any member of the workspace can issue a single DELETE to wipe the entire workspace, including every project, issu...
Apache Airflow has an Authorization Bypass Through User-Controlled Key
The Event Log detail endpoint GET /api/v2/eventLogs/eventlogid in Apache Airflow fetched audit-log rows directly by numeric ID after only the generic Audit Log permission check, while the collection endpoint GET /api/v2/eventLogs applied per-Dag scoping. An authenticated UI/API user with audit-lo...
Apache Airflow: Execution API JWT leaked via KubernetesExecutor worker command-line args
A bug in Apache Airflow's KubernetesExecutor caused JWT tokens used by worker pods to authenticate against the Execution API to be passed to the worker container as command-line arguments visible in the pod spec. An authenticated UI/API user with Kubernetes read-only access to the cluster e.g...
praisonai-platform: Any workspace member can rewrite workspace name, description, and settings via PATCH /workspaces/{id}
SummaryType: Authorization bypass enabling workspace metadata + settings tampering. The PATCH /workspaces/workspaceid endpoint is gated only by requireworkspacememberworkspaceid default minrole="member". Any member can rewrite the workspace's name, description, and the settings JSON blob. The...
praisonai-platform: Comment endpoints accept any issue_id without workspace ownership check, cross-workspace comment read and post IDOR
SummaryType: Insecure Direct Object Reference. The comment endpoints POST /workspaces/workspaceid/issues/issueid/comments and GET .../comments gate access on requireworkspacememberworkspaceid only, then call CommentService.createissueid=issueid, ... and CommentService.listforissueissueid without...
rattler has an entry-point path traversal in noarch:python install (arbitrary file write)
SummaryEntryPoint::FromStr in rattlercondatypes performs only .trim on the command field before the linker joins it onto the install prefix and writes an executable Python script. A malicious noarch:python package can ship an info/link.json with an entry-point name containing .., /, \, or an...
praisonai-platform: Project endpoints accept any project_id without workspace ownership check, cross-workspace read/update/delete IDOR
SummaryType: Insecure Direct Object Reference. The project CRUD endpoints GET / PATCH / DELETE /workspaces/workspaceid/projects/projectid and GET .../projectid/stats gate access on requireworkspacememberworkspaceid only, then resolve projectid through ProjectService.getprojectid / updateprojectid...
SGLang: Reachable Assertion via lora_path in LoRAManager enables remote Denial of Dervice
A security vulnerability has been detected in SGLang 0.5.10.post1. Impacted is an unknown function of the file python/sglang/srt/lora/loramanager.py of the component Inference HTTP Endpoint. Such manipulation of the argument lorapath leads to reachable assertion. The attack can be launched...
praisonai-platform: Issue endpoints accept any issue_id without workspace ownership check, cross-workspace read/update/delete IDOR
SummaryType: Insecure Direct Object Reference. The issue CRUD endpoints GET / PATCH / DELETE /workspaces/workspaceid/issues/issueid gate access on requireworkspacememberworkspaceid only, then resolve issueid through IssueService.getissueid which is a primary-key lookup with no workspace constrain...
kas checks out SHA-like git branches as valid commits
ImpactWhen relying solely on a git commit ID SHA-1 or SHA-256 to qualify if a checkout of a repository is equivalent to the state validated while adding its commit ID to a kas configuration, users may be tricked to check out a branch of the same name from this repository. This implies that the...
praisonai-platform: list_issue_activity returns activity log for any issue regardless of workspace ownership
SummaryType: Insecure Direct Object Reference. The GET /workspaces/workspaceid/issues/issueid/activity endpoint is gated by requireworkspacememberworkspaceid and dispatches to ActivityService.listforissueissueid, which executes SELECT FROM activity WHERE issueid = :issueid with no workspace...
hermes-agent has an Injection issue
A security flaw has been discovered in NousResearch hermes-agent up to 2026.4.30. Affected by this issue is the function sanitizeenvlines of the file hermescli/config.py. The manipulation results in injection. It is possible to launch the attack remotely. The attack requires a high level of...
praisonai-platform: IDOR in dependency endpoints allows cross-workspace issue linking, reading, and deletion due to missing ownership checks
SummaryType: Insecure Direct Object Reference. The dependency endpoints POST/GET /workspaces/workspaceid/issues/issueid/dependencies and DELETE .../dependencies/depid gate access on requireworkspacememberworkspaceid only, then dispatch to DependencyService calls that take URL/body-supplied issue...
PraisonAI has an Arbitrary File Write in Python API
Bug Report: Arbitrary File Write in Python API SummaryHidden metadata in a webpage causes PraisonAI agents to write attacker-controlled content to arbitrary paths. writefile skips path validation when workspace=None always None in production. AffectedPraisonAI = 4.6.37 pip install praisonai Root...
Aider is vulnerable to Code Injection via editor_coder.run function
A security flaw has been discovered in Aider-AI Aider 0.86.3.dev. Affected by this vulnerability is the function editorcoder.run of the file auth.py of the component Architect Mode. Performing a manipulation results in code injection. Remote exploitation of the attack is possible. The exploit has...