Lucene search
K
CharmSoft Serve

7 matches found

CVE
CVE
added 2023/10/04 8:40 p.m.66 views

CVE-2023-43809

CVE-2023-43809 affects Soft Serve (Git server) prior to v0.6.2. The vulnerability stems from insufficient validation of the public-key step during the SSH handshake when keyboard-interactive authentication is enabled, allowing an unauthenticated, remote attacker to bypass public-key authenticatio...

7.5CVSS7.6AI score0.0089EPSS
CVE
CVE
added 2025/01/08 3:43 p.m.66 views

CVE-2025-22130

CVE-2025-22130 affects the Soft Serve Git server. Prior to version 0.8.2, a path traversal vulnerability lets existing non-admin users access and take over other users’ repositories, enabling modification, deletion, and arbitrary admin-like actions on repositories without explicit permissions. Th...

8.8CVSS6.5AI score0.00654EPSS
CVE
CVE
added 2026/03/07 3:57 p.m.30 views

CVE-2026-30832

CVE-2026-30832 — Soft Serve : A authenticated SSH user could force the server to perform HTTP requests to internal/private IPs by importing a crafted --lfs-endpoint URL, enabling access to internal targets. The initial batch request is blind and metadata endpoint parsing may not yield valid LFS J...

9.1CVSS5.7AI score0.00328EPSS
CVE
CVE
added 2026/01/08 6:39 p.m.21 views

CVE-2026-22253

Soft Serve (github.com/charmbracelet/soft-serve) contains an authorization bypass in the LFS lock deletion endpoint (serviceLfsLocksDelete) prior to version 0.11.2. When a request with the force flag is processed, the code deletes a lock before loading the user context, bypassing ownership valida...

5.4CVSS6.5AI score0.00273EPSS
CVE
CVE
added 2026/01/22 10:1 p.m.21 views

CVE-2026-24058

Soft Serve (github.com/charmbracelet/soft-serve) is affected by a critical authentication bypass vulnerability in versions

9.8CVSS5.6AI score0.00532EPSS
CVE
CVE
added 2025/11/10 10:11 p.m.16 views

CVE-2025-64522

CVE-2025-64522 affects Soft Serve, a self-hosted Git server. The SSRF vulnerability arises from unvalidated webhook URLs, enabling repository admins to configure webhooks that target internal services, private networks, and cloud metadata endpoints. Affected components include Webhook Creation (p...

9.1CVSS6.5AI score0.00307EPSS
CVE
CVE
added 2026/03/24 7:39 p.m.14 views

CVE-2026-33353

CVE-2026-33353 affects Soft Serve: from v0.6.0 to before v0.11.6 an authorization flaw in repo import permits any authenticated SSH user to clone a server-local Git repository (even another user’s private repo) into a new repository under their control. The issue is mitigated by upgrading to v0.1...

7.1CVSS5.8AI score0.00364EPSS