7 matches found
CVE-2023-43809
CVE-2023-43809 affects Soft Serve (Git server) prior to v0.6.2. The vulnerability stems from insufficient validation of the public-key step during the SSH handshake when keyboard-interactive authentication is enabled, allowing an unauthenticated, remote attacker to bypass public-key authenticatio...
CVE-2025-22130
CVE-2025-22130 affects the Soft Serve Git server. Prior to version 0.8.2, a path traversal vulnerability lets existing non-admin users access and take over other users’ repositories, enabling modification, deletion, and arbitrary admin-like actions on repositories without explicit permissions. Th...
CVE-2026-30832
CVE-2026-30832 — Soft Serve : A authenticated SSH user could force the server to perform HTTP requests to internal/private IPs by importing a crafted --lfs-endpoint URL, enabling access to internal targets. The initial batch request is blind and metadata endpoint parsing may not yield valid LFS J...
CVE-2026-22253
Soft Serve (github.com/charmbracelet/soft-serve) contains an authorization bypass in the LFS lock deletion endpoint (serviceLfsLocksDelete) prior to version 0.11.2. When a request with the force flag is processed, the code deletes a lock before loading the user context, bypassing ownership valida...
CVE-2026-24058
Soft Serve (github.com/charmbracelet/soft-serve) is affected by a critical authentication bypass vulnerability in versions
CVE-2025-64522
CVE-2025-64522 affects Soft Serve, a self-hosted Git server. The SSRF vulnerability arises from unvalidated webhook URLs, enabling repository admins to configure webhooks that target internal services, private networks, and cloud metadata endpoints. Affected components include Webhook Creation (p...
CVE-2026-33353
CVE-2026-33353 affects Soft Serve: from v0.6.0 to before v0.11.6 an authorization flaw in repo import permits any authenticated SSH user to clone a server-local Git repository (even another user’s private repo) into a new repository under their control. The issue is mitigated by upgrading to v0.1...