Advisories

Sep 2025

Codex has sandbox bypass due to bug in path configuration logic

Due to a bug in the sandbox configuration logic, Codex CLI could treat a model-generated cwd as the sandbox’s writable root, including paths outside of the folder where the user started their session. This logic bypassed the intended workspace boundary and enables arbitrary file writes and command execution where the Codex process has permissions - this did not impact the network-disabled sandbox restriction. Remediation We released a patch in Codex …

Codex has sandbox bypass due to bug in path configuration logic

Due to a bug in the sandbox configuration logic, Codex CLI could treat a model-generated cwd as the sandbox’s writable root, including paths outside of the folder where the user started their session. This logic bypassed the intended workspace boundary and enables arbitrary file writes and command execution where the Codex process has permissions - this did not impact the network-disabled sandbox restriction. Remediation We released a patch in Codex …

Lobe Chat Desktop vulnerable to Remote Code Execution via XSS in Chat Messages

We identified a cross-site scripting (XSS) vulnerability when handling chat message in lobe-chat that can be escalated to remote code execution on the user’s machine. Any party capable of injecting content into chat messages, such as hosting a malicious page for prompt injection, operating a compromised MCP server, or leveraging tool integrations, can exploit this vulnerability.

InvokeAI has External Control of File Name or Path

Path Traversal Vulnerability in InvokeAI A path traversal vulnerability in InvokeAI (versions < 6.7.0) allows an unauthenticated remote attacker to read files outside the intended media directory via the bulk downloads API. The endpoint accepts a user-controlled file/item name and concatenates it into a filesystem path without proper canonicalization or allow-listing. By supplying sequences such as ../ (or absolute paths), an attacker can cause the server to traverse directories and …

Pingora update for MadeYouReset HTTP/2 vulnerability

Pingora deployments that include HTTP/2 server support may be affected by the vulnerability described in CVE-2025-8671. Under certain conditions, Pingora applications may allocate buffers before the HTTP/2 reset and resulting stream cancellation is processed by the server. Repeated resets can force excessive memory consumption and lead to denial-of-service. Impact: On affected versions, malicious clients could trigger unusually high memory consumption, which may result in service instability or process termination. Credits: …

Kubernetes C# client accepts certificates from any CA without properly verifying the trust chain

A vulnerability exists in the Kubernetes C# client where the certificate validation logic accepts properly constructed certificates from any Certificate Authority (CA) without properly verifying the trust chain. This flaw allows a malicious actor to present a forged certificate and potentially intercept or manipulate communication with the Kubernetes API server, leading to possible man-in-the-middle attacks and API impersonation.

Keycloak SMTP Inject Vulnerability

Special characters used during e-mail registration may perform SMTP Injection and unexpectedly send short unwanted e-mails. The email is limited to 64 characters (limited local part of the email), so the attack is limited to very shorts emails (subject and little data, the example is 60 chars). This flaw's only direct consequence is an unsolicited email being sent from the Keycloak server. However, this action could be a precursor for …

jinjava has Sandbox Bypass via JavaType-Based Deserialization

jinjava’s current sandbox restrictions prevent direct access to dangerous methods such as getClass(), and block instantiation of Class objects. However, these protections can be bypassed. By using mapper.getTypeFactory().constructFromCanonical(), it is possible to instruct the underlying ObjectMapper to deserialize attacker-controlled input into arbitrary classes. This enables the creation of semi-arbitrary class instances without directly invoking restricted methods or class literals. As a result, an attacker can escape the sandbox and instantiate …

Jenkins is missing a permission check in the authenticated users' profile menu

Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check for the authenticated user profile dropdown menu. This allows attackers without Overall/Read permission to obtain limited information about the Jenkins configuration by listing available options in this menu (e.g., whether Credentials Plugin is installed). Jenkins 2.528, LTS 2.516.3 requires Overall/Read permission to list various items in authenticated user profile dropdown menus.

Jenkins has a missing permission check, allowing users to obtain agent names

Jenkins 2.527 and earlier, LTS 2.516.2 and earlier does not perform a permission check in the sidepanel of a page intentionally accessible to users lacking Overall/Read permission. This allows attackers without Overall/Read permission to list agent names through its sidepanel executors widget. Jenkins 2.528, LTS 2.516.3 removes the sidepanel from the affected view.

Jenkins has a log message injection vulnerability

In Jenkins 2.527 and earlier, LTS 2.516.2 and earlier, the log formatter that prepares log messages for console output (including jenkins.log and equivalent) does not restrict or transform the characters that can be inserted from user-specified content in log messages. This allows attackers able to control log message contents to insert line break characters, followed by forged log messages that may mislead administrators reviewing log output. Jenkins 2.528, LTS 2.516.3 …

esm.sh has File Inclusion issue

A Local File Inclusion (LFI) issue was identified in the esm.sh service URL handling. An attacker could craft a request that causes the server to read and return files from the host filesystem (or other unintended file sources). Severity: High — LFI can expose secrets, configuration files, credentials, or enable further compromise. Impact: reading configuration files, private keys, environment files, or other sensitive files; disclosure of secrets or credentials; information …

esm.sh has arbitrary file write via path traversal in `X-Zone-Id` header

A path-traversal flaw in the handling of the X-Zone-Id HTTP header allows an attacker to cause the application to write files outside the intended storage location. The header value is used to build a filesystem path but is not properly canonicalized or restricted to the application’s storage base directory. As a result, supplying ../ sequences in X-Zone-Id causes files to be written to arbitrary directories (example observed: ~/.esmd/modules/transform/<id>/ instead of …

Duplicate Advisory: Picklescan: ZIP archive scan bypass is possible through non-exhaustive Cyclic Redundancy Check

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-m4j5-5x4r-2xp9. This link is maintained to preserve external references. Original Description An Improper Handling of Exceptional Conditions vulnerability in the ZIP archive scanning component of mmaitre314 picklescan allows a remote attacker to bypass security scans. This is achieved by crafting a ZIP archive containing a file with a bad Cyclic Redundancy Check (CRC), which causes the scanner …

Duplicate Advisory: Picklescan is Vulnerable to Unsafe Globals Check Bypass through Subclass Imports

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-f7qq-56ww-84cr. This link is maintained to preserve external references. Original Description A Protection Mechanism Failure vulnerability in mmaitre314 picklescan versions up to and including 0.0.30 allows a remote attacker to bypass the unsafe globals check. This is possible because the scanner performs an exact match for module names, allowing malicious payloads to be loaded via submodules of …

Duplicate Advisory: Picklescan Bypass is Possible via File Extension Mismatch

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-jgw4-cr84-mqxg. This link is maintained to preserve external references. Original Description An Improper Input Validation vulnerability in the scanning logic of mmaitre314 picklescan versions up to and including 0.0.30 allows a remote attacker to bypass pickle files security checks by supplying a standard pickle file with a PyTorch-related file extension. When the pickle file incorrectly considered safe …

DragonFly's tiny file download uses hard coded HTTP protocol

The code in the scheduler for downloading a tiny file is hard coded to use the HTTP protocol, rather than HTTPS. This means that an attacker could perform a Man-in-the-Middle attack, changing the network request so that a different piece of data gets downloaded. Due to the use of weak integrity checks (TOB-DF2-15), this modification of the data may go unnoticed. // DownloadTinyFile downloads tiny file from peer without range. …

DragonFly's tiny file download uses hard coded HTTP protocol

The code in the scheduler for downloading a tiny file is hard coded to use the HTTP protocol, rather than HTTPS. This means that an attacker could perform a Man-in-the-Middle attack, changing the network request so that a different piece of data gets downloaded. Due to the use of weak integrity checks (TOB-DF2-15), this modification of the data may go unnoticed. // DownloadTinyFile downloads tiny file from peer without range. …

Dragonfly's manager makes requests to external endpoints with disabled TLS authentication

The Manager disables TLS certificate verification in two HTTP clients (figures 3.1 and 3.2). The clients are not configurable, so users have no way to re-enable the verification. func getAuthToken(ctx context.Context, header http.Header) (string, error) { [skipped] client := &http.Client{ Timeout: defaultHTTPRequesttimeout, Transport: &http.Transport{ TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, }, } [skipped] } A Manager processes dozens of preheat jobs. An adversary performs a network-level Man-in-the-Middle attack, providing invalid data to the …

Dragonfly's manager makes requests to external endpoints with disabled TLS authentication

The Manager disables TLS certificate verification in two HTTP clients (figures 3.1 and 3.2). The clients are not configurable, so users have no way to re-enable the verification. func getAuthToken(ctx context.Context, header http.Header) (string, error) { [skipped] client := &http.Client{ Timeout: defaultHTTPRequesttimeout, Transport: &http.Transport{ TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, }, } [skipped] } A Manager processes dozens of preheat jobs. An adversary performs a network-level Man-in-the-Middle attack, providing invalid data to the …

DragonFly's manager generates mTLS certificates for arbitrary IP addresses

A peer can obtain a valid TLS certificate for arbitrary IP addresses, effectively rendering the mTLS authentication useless. The issue is that the Manager’s Certificate gRPC service does not validate if the requested IP addresses “belong to” the peer requesting the certificate—that is, if the peer connects from the same IP address as the one provided in the certificate request. if addr, ok := p.Addr.(*net.TCPAddr); ok { ip = addr.IP.String() …

DragonFly's manager generates mTLS certificates for arbitrary IP addresses

A peer can obtain a valid TLS certificate for arbitrary IP addresses, effectively rendering the mTLS authentication useless. The issue is that the Manager’s Certificate gRPC service does not validate if the requested IP addresses “belong to” the peer requesting the certificate—that is, if the peer connects from the same IP address as the one provided in the certificate request. if addr, ok := p.Addr.(*net.TCPAddr); ok { ip = addr.IP.String() …

Dragonfly's directories created via os.MkdirAll are not checked for permissions

DragonFly2 uses the os.MkdirAll function to create certain directory paths with specific access permissions. This function does not perform any permission checks when a given directory path already exists. This allows a local attacker to create a directory to be used later by DragonFly2 with broad permissions before DragonFly2 does so, potentially allowing the attacker to tamper with the files. Eve has unprivileged access to the machine where Alice uses …

Dragonfly's directories created via os.MkdirAll are not checked for permissions

DragonFly2 uses the os.MkdirAll function to create certain directory paths with specific access permissions. This function does not perform any permission checks when a given directory path already exists. This allows a local attacker to create a directory to be used later by DragonFly2 with broad permissions before DragonFly2 does so, potentially allowing the attacker to tamper with the files. Eve has unprivileged access to the machine where Alice uses …

Dragonfly vulnerable to timing attacks against Proxy’s basic authentication

The access control mechanism for the Proxy feature uses simple string comparisons and is therefore vulnerable to timing attacks. An attacker may try to guess the password one character at a time by sending all possible characters to a vulnerable mechanism and measuring the comparison instruction’s execution times. The vulnerability is shown in figure 8.1, where both the username and password are compared with a short-circuiting equality operation. if user …

Dragonfly vulnerable to timing attacks against Proxy’s basic authentication

The access control mechanism for the Proxy feature uses simple string comparisons and is therefore vulnerable to timing attacks. An attacker may try to guess the password one character at a time by sending all possible characters to a vulnerable mechanism and measuring the comparison instruction’s execution times. The vulnerability is shown in figure 8.1, where both the username and password are compared with a short-circuiting equality operation. if user …

Dragonfly vulnerable to server-side request forgery

There are multiple server-side request forgery (SSRF) vulnerabilities in the DragonFly2 system. The vulnerabilities enable users to force DragonFly2’s components to make requests to internal services, which otherwise are not accessible to the users. One SSRF attack vector is exposed by the Manager’s API. The API allows users to create jobs. When creating a Preheat type of a job, users provide a URL that the Manager connects to (see figures …

Dragonfly vulnerable to server-side request forgery

There are multiple server-side request forgery (SSRF) vulnerabilities in the DragonFly2 system. The vulnerabilities enable users to force DragonFly2’s components to make requests to internal services, which otherwise are not accessible to the users. One SSRF attack vector is exposed by the Manager’s API. The API allows users to create jobs. When creating a Preheat type of a job, users provide a URL that the Manager connects to (see figures …

DragonFly vulnerable to panics due to nil pointer dereference when using variables created alongside an error

We found two instances in the DragonFly codebase where the first return value of a function is dereferenced even when the function returns an error (figures 9.1 and 9.2). This can result in a nil dereference, and cause code to panic. The codebase may contain additional instances of the bug. request, err := source.NewRequestWithContext(ctx, parentReq.Url, parentReq.UrlMeta.Header) if err != nil { log.Errorf("generate url [%v] request error: %v", request.URL, err) span.RecordError(err) …

DragonFly vulnerable to panics due to nil pointer dereference when using variables created alongside an error

We found two instances in the DragonFly codebase where the first return value of a function is dereferenced even when the function returns an error (figures 9.1 and 9.2). This can result in a nil dereference, and cause code to panic. The codebase may contain additional instances of the bug. request, err := source.NewRequestWithContext(ctx, parentReq.Url, parentReq.UrlMeta.Header) if err != nil { log.Errorf("generate url [%v] request error: %v", request.URL, err) span.RecordError(err) …

DragonFly vulnerable to arbitrary file read and write on a peer machine

A peer exposes the gRPC API and HTTP API for consumption by other peers. These APIs allow peers to send requests that force the recipient peer to create files in arbitrary file system locations, and to read arbitrary files. This allows peers to steal other peers’ secret data and to gain remote code execution (RCE) capabilities on the peer’s machine. file, err := os.OpenFile(t.DataFilePath, os.O_RDWR, defaultFileMode) if err != nil …

DragonFly vulnerable to arbitrary file read and write on a peer machine

A peer exposes the gRPC API and HTTP API for consumption by other peers. These APIs allow peers to send requests that force the recipient peer to create files in arbitrary file system locations, and to read arbitrary files. This allows peers to steal other peers’ secret data and to gain remote code execution (RCE) capabilities on the peer’s machine. file, err := os.OpenFile(t.DataFilePath, os.O_RDWR, defaultFileMode) if err != nil …

Dragonfly incorrectly handles a task structure’s usedTrac field

The processPieceFromSource method (figure 4.1) is part of a task processing mechanism. The method writes pieces of data to storage, updating a Task structure along the way. The method does not update the structure’s usedTraffic field, because an uninitialized variable n is used as a guard to the AddTraffic method call, instead of the result.Size variable. var n int64 result.Size, err = pt.GetStorage().WritePiece([skipped]) result.FinishTime = time.Now().UnixNano() if n > 0 …

Dragonfly incorrectly handles a task structure’s usedTrac field

The processPieceFromSource method (figure 4.1) is part of a task processing mechanism. The method writes pieces of data to storage, updating a Task structure along the way. The method does not update the structure’s usedTraffic field, because an uninitialized variable n is used as a guard to the AddTraffic method call, instead of the result.Size variable. var n int64 result.Size, err = pt.GetStorage().WritePiece([skipped]) result.FinishTime = time.Now().UnixNano() if n > 0 …

DragonFly has weak integrity checks for downloaded files

The DragonFly2 uses a variety of hash functions, including the MD5 hash. This algorithm does not provide collision resistance; it is secure only against preimage attacks. While these security guarantees may be enough for the DragonFly2 system, it is not completely clear if there are any scenarios where lack of the collision resistance would compromise the system. There are no clear benefits to keeping the MD5 hash function in the …

DragonFly has weak integrity checks for downloaded files

The DragonFly2 uses a variety of hash functions, including the MD5 hash. This algorithm does not provide collision resistance; it is secure only against preimage attacks. While these security guarantees may be enough for the DragonFly2 system, it is not completely clear if there are any scenarios where lack of the collision resistance would compromise the system. There are no clear benefits to keeping the MD5 hash function in the …

Dragonfly doesn't have authentication enabled for some Manager’s endpoints

The /api/v1/jobs and /preheats endpoints in Manager web UI are accessible without authentication. Any user with network access to the Manager can create, delete, and modify jobs, and create preheat jobs. An unauthenticated adversary with network access to a Manager web UI uses /api/v1/jobs endpoint to create hundreds of useless jobs. The Manager is in a denial-of-service state, and stops accepting requests from valid administrators.

Dragonfly doesn't have authentication enabled for some Manager’s endpoints

The /api/v1/jobs and /preheats endpoints in Manager web UI are accessible without authentication. Any user with network access to the Manager can create, delete, and modify jobs, and create preheat jobs. An unauthenticated adversary with network access to a Manager web UI uses /api/v1/jobs endpoint to create hundreds of useless jobs. The Manager is in a denial-of-service state, and stops accepting requests from valid administrators.

@sequa-ai/sequa-mcp has Command Injection vulnerability

A vulnerability was detected in sequa-ai sequa-mcp up to 1.0.13. This affects the function redirectToAuthorization of the file src/helpers/node-oauth-client-provider.ts of the component OAuth Server Discovery. Performing manipulation results in os command injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. Upgrading to version 1.0.14 is able to mitigate this issue. The patch is named e569815854166db5f71c2e722408f8957fb9e804. It is recommended to upgrade the affected …

Timing Attack Vulnerability in SCRAM Authentication

A timing attack vulnerability exists in the SCRAM Java implementation. The issue arises because Arrays.equals was used to compare secret values such as client proofs and server signatures. Since Arrays.equals performs a short-circuit comparison, the execution time varies depending on how many leading bytes match. This behavior could allow an attacker to perform a timing side-channel attack and potentially infer sensitive authentication material. All users relying on SCRAM authentication are …

Timing Attack Vulnerability in SCRAM Authentication

A timing attack vulnerability exists in the SCRAM Java implementation. The issue arises because Arrays.equals was used to compare secret values such as client proofs and server signatures. Since Arrays.equals performs a short-circuit comparison, the execution time varies depending on how many leading bytes match. This behavior could allow an attacker to perform a timing side-channel attack and potentially infer sensitive authentication material. All users relying on SCRAM authentication are …

Spring Security annotation detection mechanism has authorization bypass

The Spring Security annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue when using @PreAuthorize and other method security annotations, resulting in an authorization bypass. Your application may be affected by this if you are using Spring Security's @EnableMethodSecurity feature. You are not affected by this if you are not using @EnableMethodSecurity or …

Spring Framework annotation detection mechanism may result in improper authorization

The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are used for authorization decisions. Your application may be affected by this if you are using Spring Security's @EnableMethodSecurity feature. You are not affected by this if you are not using @EnableMethodSecurity or if you do not use …

Spring Expression language property modification using Spring Cloud Gateway Server WebFlux

Spring Cloud Gateway Server Webflux may be vulnerable to Spring Environment property modification. An application should be considered vulnerable when all the following are true: The application is using Spring Cloud Gateway Server Webflux (Spring Cloud Gateway Server WebMVC is not vulnerable). Spring Boot actuator is a dependency. The Spring Cloud Gateway Server Webflux actuator web endpoint is enabled via management.endpoints.web.exposure.include=gateway. The actuator endpoints are available to attackers. The actuator …

Malicious code in ngx-ws (npm)

This package was compromised by the Shai-Hulud NPM worm. The malicious payload steals tokens and credentials and publishes them to GitHub before propogating itself to NPM packages the user owns.

Malicious code in db-evo (npm)

This package was compromised by the Shai-Hulud NPM worm. The malicious payload steals tokens and credentials and publishes them to GitHub before propogating itself to NPM packages the user owns.

Liferay Portal has unchecked input for loop condition vulnerability in XML-RPC

Unchecked input for loop condition vulnerability in XML-RPC in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote attackers to perform a denial-of-service (DoS) attacks via a crafted XML-RPC request.

Liferay has Insecure Default Initialization of Resource issue

In Liferay Portal 7.1.0 through 7.4.3.111, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions, the default membership type of a newly created site is “Open” which allows any registered users to become a member of the site. A remote attacker with site membership can potentially view, add or edit content on the site.

@executeautomation/database-server does not properly restrict access, bypassing a "read-only" mode

The MCP Server provided by ExecuteAutomation at https://github.com/executeautomation/mcp-database-server provides an MCP interface for agentic workflows to interact with different kinds of database servers such as PostgreSQL database. However, the mcp-database-server MCP Server distributed via the npm package @executeautomation/database-server fails to implement proper security control that properly enforce a "read-only" mode and as such it is vulnerable to abuse and attacks on the affected database servers such as PostgreSQL (and potentially …

Temporal OSS Server Vulnerable to Allocation of Resources Without Limits or Throttling

Insufficiently specific bounds checking on authorization header could lead to denial of service in the Temporal server on all platforms due to excessive memory allocation. This issue affects all platforms and versions of OSS Server prior to 1.26.3, 1.27.3, and 1.28.1 (i.e., fixed in 1.26.3, 1.27.3, and 1.28.1 and later). Temporal Cloud services are not impacted.

Stored XSS in n8n LangChain Chat Trigger Node via initialMessages Parameter

A stored Cross-Site Scripting (XSS) vulnerability was identified in the @n8n/n8n-nodes-langchain.chatTrigger node in n8n. If an authorized user configures the node with malicious JavaScript in the initialMessages field and enables public access, the script will be executed in the browser of anyone who visits the resulting public chat URL. This vulnerability could be exploited for phishing or to steal cookies or other sensitive data from users who access the public …

simple-swizzle@0.2.3 contains malware after npm account takeover

On 8 September 2025, the npm publishing account for simple-swizzle was taken over after a phishing attack. Version 0.2.3 was published, functionally identical to the previous patch version, but with a malware payload added attempting to redirect cryptocurrency transactions to the attacker's own addresses from within browser environments. Local environments, server environments, command line applications, etc. are not affected. If the package was used in a browser context (e.g. a …

serde_yml crate is unsound and unmaintained

Using serde_yml::ser::Serializer.emitter can cause a segmentation fault, which is unsound. The GitHub project for serde_yml was archived after unsoundness issues were raised. If you rely on this crate, it is highly recommended switching to a maintained alternative.

MetaMask SDK indirectly exposed via malicious debug@4.4.2 dependency

Who is affected? This advisory only applies to developers who use MetaMask SDK in the browser and who, on Sept 8th 2025 between 13:00–15:30 UTC, performed one of the following actions and then deployed their application: Installed MetaMask SDK into a project with a lockfile for the first time Installed MetaMask SDK in a project without a lockfile Updated a lockfile to pull in debug@4.4.2 (e.g., via npm update or …

MetaMask SDK indirectly exposed via malicious debug@4.4.2 dependency

Who is affected? This advisory only applies to developers who use MetaMask SDK in the browser and who, on Sept 8th 2025 between 13:00–15:30 UTC, performed one of the following actions and then deployed their application: Installed MetaMask SDK into a project with a lockfile for the first time Installed MetaMask SDK in a project without a lockfile Updated a lockfile to pull in debug@4.4.2 (e.g., via npm update or …

MetaMask SDK indirectly exposed via malicious debug@4.4.2 dependency

Who is affected? This advisory only applies to developers who use MetaMask SDK in the browser and who, on Sept 8th 2025 between 13:00–15:30 UTC, performed one of the following actions and then deployed their application: Installed MetaMask SDK into a project with a lockfile for the first time Installed MetaMask SDK in a project without a lockfile Updated a lockfile to pull in debug@4.4.2 (e.g., via npm update or …

mcp-kubernetes-server has an OS Command Injection vulnerability

feiskyer/mcp-kubernetes-server through 0.1.11 allows OS command injection via the /mcp/kubectl endpoint. The handler constructs a shell command with user-supplied arguments and executes it with subprocess using shell=True, enabling injection through shell metacharacters (e.g., ;, &&, $()), even when the server is running in read-only mode. A remote, unauthenticated attacker can execute arbitrary OS commands on the host, resulting in full compromise of confidentiality, integrity, and availability. This issue is distinct …

mcp-kubernetes-server has a Command Injection vulnerability

mcp-kubernetes-server does not correctly enforce the –disable-write / –disable-delete protections when commands are chained. The server only inspects the first token to decide whether an operation is write/delete, which allows a read-like command to be followed by a write action using shell metacharacters (e.g., kubectl version; kubectl delete pod <name>). A remote attacker who can invoke the server may therefore bypass the intended write/delete restrictions and perform state-changing operations against …

Liferay Portal vulnerable to Cross-site Scripting

Multiple cross-site scripting (XSS) vulnerabilities in Liferay Portal 7.3.0 through 7.4.3.111, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA through update 36 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a "Rich Text" type field to (1) a web content structure, (2) a Documents and Media Document Type , or (3) custom assets that uses …

Liferay Portal Uses Default Password

Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA through update 35, and older unsupported versions does not limit access to APIs before a user has changed their initial password, which allows remote users to access and edit content via the API.

Liferay Portal has stored cross-site scripting (XSS) vulnerability

Stored cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote authenticated attackers with the instance administrator role to inject arbitrary web script or HTML into all pages via a crafted payload injected into the Instance Configuration's (1) CDN Host HTTP text field …

Liferay Portal has Improper Validation of Specified Quantity in Input

Liferay Portal 7.4.0 through 7.4.3.105, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions may incorrectly identify the subdomain of a domain name and create a supercookie, which allows remote attackers who control a website that share the same TLD to read cookies set by the application.

Liferay Portal has Improper Validation of Specified Quantity in Input

Liferay Portal 7.4.0 through 7.4.3.105, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions may incorrectly identify the subdomain of a domain name and create a supercookie, which allows remote attackers who control a website that share the same TLD to read cookies set by the application.

Liferay Portal has External Control of System or Configuration Settings

Remote staging in Liferay Portal 7.4.0 through 7.4.3.105, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions does not properly obtain the remote address of the live site from the database which, which allows remote authenticated users to exfiltrate data to an attacker controlled server (i.e., a fake “live site”) via the _com_liferay_exportimport_web_portlet_ExportImportPortlet_remoteAddress and …

is-arrayish@0.3.3 contains malware after npm account takeover

On 8 September 2025, an npm publishing account for is-arrayish was taken over after a phishing attack. Version 0.3.3 was published, functionally identical to the previous patch version, but with a malware payload added attempting to redirect cryptocurrency transactions to the attacker's own addresses from within browser environments. Local environments, server environments, command line applications, etc. are not affected. If the package was used in a browser context (e.g. a …

HackMD MCP Server has Server-Side Request Forgery (SSRF) vulnerability

A Server-Side Request Forgery (SSRF) vulnerability that affects all users running the HackMD MCP server in HTTP mode. Attackers could exploit this vulnerability by passing arbitrary hackmdApiUrl values through HTTP headers (Hackmd-Api-Url) or base64-encoded JSON query parameters. This allows malicious users to: Redirect API calls to internal network services Potentially access sensitive internal endpoints Perform network reconnaissance through the server Bypass network access controls The vulnerability affects the HTTP transport …

FlowiseAI/Flowise has Server-Side Request Forgery (SSRF) vulnerability

A Server-Side Request Forgery (SSRF) vulnerability was discovered in the /api/v1/fetch-links endpoint of the Flowise application. This vulnerability allows an attacker to use the Flowise server as a proxy to access internal network web services and explore their link structures. The impact includes the potential exposure of sensitive internal administrative endpoints.

FlowiseAI/Flowise has Server-Side Request Forgery (SSRF) vulnerability

A Server-Side Request Forgery (SSRF) vulnerability was discovered in the /api/v1/fetch-links endpoint of the Flowise application. This vulnerability allows an attacker to use the Flowise server as a proxy to access internal network web services and explore their link structures. The impact includes the potential exposure of sensitive internal administrative endpoints.

FlowiseAI Pre-Auth Arbitrary Code Execution

An authenticated admin user of FlowiseAI can exploit the Supabase RPC Filter component to execute arbitrary server-side code without restriction. By injecting a malicious payload into the filter expression field, the attacker can directly trigger JavaScript's execSync() to launch reverse shells, access environment secrets, or perform any OS-level command execution. This results in full server compromise and severe breach of trust boundaries between frontend input and backend execution logic.

FlowiseAI Pre-Auth Arbitrary Code Execution

An authenticated admin user of FlowiseAI can exploit the Supabase RPC Filter component to execute arbitrary server-side code without restriction. By injecting a malicious payload into the filter expression field, the attacker can directly trigger JavaScript's execSync() to launch reverse shells, access environment secrets, or perform any OS-level command execution. This results in full server compromise and severe breach of trust boundaries between frontend input and backend execution logic.

Flowise has unsandboxed remote code execution via Custom MCP

The Custom MCPs feature is designed to execute OS commands, for instance, using tools like npx to spin up local MCP Servers. However, Flowise's inherent authentication and authorization model is minimal and lacks role-based access controls (RBAC). Furthermore, the default installation of Flowise operates without authentication unless explicitly configured using the FLOWISE_USERNAME and FLOWISE_PASSWORD environment variables. This combination presents a significant security risk, potentially allowing users on the platform to …

Flowise has Remote Code Execution vulnerability

The CustomMCP node allows users to input configuration settings for connecting to an external MCP (Model Context Protocol) server. This node parses the user-provided mcpServerConfig string to build the MCP server configuration. However, during this process, it executes JavaScript code without any security validation Specifically, inside the convertToValidJSONString function, user input is directly passed to the Function() constructor, which evaluates and executes the input as JavaScript code. Since this runs …

Flowise has Remote Code Execution vulnerability

The CustomMCP node allows users to input configuration settings for connecting to an external MCP (Model Context Protocol) server. This node parses the user-provided mcpServerConfig string to build the MCP server configuration. However, during this process, it executes JavaScript code without any security validation. Specifically, inside the convertToValidJSONString function, user input is directly passed to the Function() constructor, which evaluates and executes the input as JavaScript code. Since this runs …

Flowise has an Arbitrary File Read

An arbitrary file read vulnerability in the chatId parameter supplied to both the /api/v1/get-upload-file and /api/v1/openai-assistants-file/download endpoints allows unauthenticated users to read unintended files on the local filesystem. In the default Flowise configuration this allows reading of the local sqlite db and subsequent compromise of all database content.

error-ex@1.3.3 contains malware after npm account takeover

On 8 September 2025, an npm publishing account for error-ex was taken over after a phishing attack. Version 1.3.3 was published, functionally identical to the previous patch version, but with a malware payload added attempting to redirect cryptocurrency transactions to the attacker's own addresses from within browser environments. Local environments, server environments, command line applications, etc. are not affected. If the package was used in a browser context (e.g. a …

Duplicate Advisory: express-xss-sanitizer has an unbounded recursion depth

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-hvq2-wf92-j4f3. This link is maintained to preserve external references. Original Descripton The express-xss-sanitizer package for Node.js has an unbounded recursion in the sanitize function (lib/sanitize.js) when processing JSON request bodies. A remote attacker can send a deeply nested payload to any endpoint that applies this sanitizer, driving excessive recursion and resource consumption (CPU) until the process becomes …

debug@4.4.2 contains malware after npm account takeover

On 8 September 2025, the npm publishing account for debug was taken over after a phishing attack. Version 4.4.2 was published, functionally identical to the previous patch version, but with a malware payload added attempting to redirect cryptocurrency transactions to the attacker's own addresses from within browser environments. Local environments, server environments, command line applications, etc. are not affected. If the package was used in a browser context (e.g. a …

color@5.0.1 contains malware after npm account takeover

On 8 September 2025, the npm publishing account for color was taken over after a phishing attack. Version 5.0.1 was published, functionally identical to the previous patch version, but with a malware payload added attempting to redirect cryptocurrency transactions to the attacker's own addresses from within browser environments. Local environments, server environments, command line applications, etc. are not affected. If the package was used in a browser context (e.g. a …

color-string@2.1.1 contains malware after npm account takeover

On 8 September 2025, the npm publishing account for color-string was taken over after a phishing attack. Version 2.1.1 was published, functionally identical to the previous patch version, but with a malware payload added attempting to redirect cryptocurrency transactions to the attacker's own addresses from within browser environments. Local environments, server environments, command line applications, etc. are not affected. If the package was used in a browser context (e.g. a …

color-name@2.0.1 contains malware after npm account takeover

On 8 September 2025, an npm publishing account for color-name was taken over after a phishing attack. Version 2.0.1 was published, functionally identical to the previous patch version, but with a malware payload added attempting to redirect cryptocurrency transactions to the attacker's own addresses from within browser environments. Local environments, server environments, command line applications, etc. are not affected. If the package was used in a browser context (e.g. a …

color-convert@3.1.1 contains malware after npm account takeover

On 8 September 2025, the npm publishing account for color-convert was taken over after a phishing attack. Version 3.1.1 was published, functionally identical to the previous patch version, but with a malware payload added attempting to redirect cryptocurrency transactions to the attacker's own addresses from within browser environments. Local environments, server environments, command line applications, etc. are not affected. If the package was used in a browser context (e.g. a …

backslash@0.2.1 contains malware after npm account takeover

On 8 September 2025, the npm publishing account for backslash was taken over after a phishing attack. Version 0.2.1 was published, functionally identical to the previous patch version, but with a malware payload added attempting to redirect cryptocurrency transactions to the attacker's own addresses from within browser environments. Local environments, server environments, command line applications, etc. are not affected. If the package was used in a browser context (e.g. a …

Apache Fory Deserialization of Untrusted Data vulnerability

A vulnerability in Apache Fory allows a remote attacker to cause a Denial of Service (DoS). The issue stems from the insecure deserialization of untrusted data. An attacker can supply a large, specially crafted data payload that, when processed, consumes an excessive amount of CPU resources during the deserialization process. This leads to CPU exhaustion, rendering the application or system using the Apache Fory library unresponsive and unavailable to legitimate …

Hugging Face Transformers library has Regular Expression Denial of Service

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the normalize_numbers() method of the EnglishNormalizer class. This vulnerability affects versions up to 4.52.4 and is fixed in version 4.53.0. The issue arises from the method's handling of numeric strings, which can be exploited using crafted input strings containing long sequences of digits, leading to excessive CPU consumption. This vulnerability impacts text-to-speech …

Liferay Portal's System, Instance and Site Settings are vulnerable to Open Redirect

Open redirect vulnerability in the System Settings in Liferay Portal 7.1.0 through 7.4.3.101, and Liferay DXP 2023.Q3.1 through 2023.Q3.4 , 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote attackers to redirect users to arbitrary external URLs via the _com_liferay_configuration_admin_web_portlet_SystemSettingsPortlet_redirect parameter. Open redirect vulnerability in the Instance Settings in Liferay Portal 7.1.0 through 7.4.3.101, and Liferay DXP 2023.Q3.1 through 2023.Q3.4 , 7.4 GA …

Liferay Portal's System, Instance and Site Settings are vulnerable to Open Redirect

Open redirect vulnerability in the System Settings in Liferay Portal 7.1.0 through 7.4.3.101, and Liferay DXP 2023.Q3.1 through 2023.Q3.4 , 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote attackers to redirect users to arbitrary external URLs via the _com_liferay_configuration_admin_web_portlet_SystemSettingsPortlet_redirect parameter. Open redirect vulnerability in the Instance Settings in Liferay Portal 7.1.0 through 7.4.3.101, and Liferay DXP 2023.Q3.1 through 2023.Q3.4 , 7.4 GA …

Liferay Portal's selection modal is vulnerable to XSS

A Stored cross-site scripting vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q3.0, 2025.Q2.0 through 2025.Q2.12, 2025.Q1.0 through 2025.Q1.17, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1.20 allows an remote authenticated attacker to inject JavaScript through the organization site names. The malicious payload is stored and executed without proper sanitization or escaping.

Liferay Portal: Missing Rate Limiting in GraphQL Endpoint Enables Resource Exhaustion Attack

Liferay Portal 7.4.0 through 7.4.3.101, and Liferay DXP 2023.Q3.0 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA though update 35 does not limit the number of objects returned from a GraphQL queries, which allows remote attackers to perform denial-of-service (DoS) attacks on the application by executing queries that return a large number of objects.

Liferay Portal: Missing Rate Limiting in GraphQL Endpoint Enables Resource Exhaustion Attack

Liferay Portal 7.4.0 through 7.4.3.101, and Liferay DXP 2023.Q3.0 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA though update 35 does not limit the number of objects returned from a GraphQL queries, which allows remote attackers to perform denial-of-service (DoS) attacks on the application by executing queries that return a large number of objects.

Hugging Face Transformers is vulnerable to ReDoS through its MarianTokenizer

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically affecting the MarianTokenizer's remove_language_code() method. This vulnerability is present in version 4.52.4 and has been fixed in version 4.53.0. The issue arises from inefficient regex processing, which can be exploited by crafted input strings containing malformed language code patterns, leading to excessive CPU consumption and potential denial of service.

Flowise Cloud and Local Deployments have Unauthenticated Password Reset Token Disclosure that Leads to Account Takeover

The forgot-password endpoint in Flowise returns sensitive information including a valid password reset tempToken without authentication or verification. This enables any attacker to generate a reset token for arbitrary users and directly reset their password, leading to a complete account takeover (ATO). This vulnerability applies to both the cloud service (cloud.flowiseai.com) and self-hosted/local Flowise deployments that expose the same API. CVSS v3.1 Base Score: 9.8 (Critical) Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SurrealDB is Vulnerable to Unauthorized Data Exposure via LIVE Query Subscriptions

LIVE SELECT statements are used to capture changes to data within a table in real time. Documents included in WHERE conditions and DELETE notifications were not properly reduced to respect the querying user's security context. Instead the leaked documents reflect the context of the user triggering the notification. This allows a record or guest user with permissions to run live query subscriptions on a table to observe unauthorised records within …

SurrealDB is Vulnerable to Unauthorized Data Exposure via LIVE Query Subscriptions

LIVE SELECT statements are used to capture changes to data within a table in real time. Documents included in WHERE conditions and DELETE notifications were not properly reduced to respect the querying user's security context. Instead the leaked documents reflect the context of the user triggering the notification. This allows a record or guest user with permissions to run live query subscriptions on a table to observe unauthorised records within …

Liferay Portal is vulnerable to Insecure Direct Object Reference (IDOR) attack through Authentication Bypass

Insecure Direct Object Reference (IDOR) vulnerability in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q2.0 through 2024.Q2.6, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allows remote authenticated users to from one virtual instance to access, create, edit, relate data/object entries/definitions to an object in a different virtual instance.

jsondiffpatch is vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin

Vulnerability in jsondiffpatch Versions of jsondiffpatch prior to 0.7.2 are vulnerable to Cross-site Scripting (XSS) in the HtmlFormatter (HtmlFormatter::nodeBegin). When diffs are rendered to HTML using the built-in formatter, untrusted payloads can inject scripts and execute in the context of a consuming web page. Affected versions: >= 0, < 0.7.2 Patched version: 0.7.2 Remediation Upgrade to jsondiffpatch 0.7.2 or later. The fix hardens the HTML formatter to avoid script injection. …

Flask App Builder has an Authentication Bypass vulnerability when using non AUTH_DB methods

When Flask-AppBuilder is configured to use OAuth, LDAP, or other non-database authentication methods, the password reset endpoint remains registered and accessible, despite not being displayed in the user interface. This allows an enabled user to reset their password and be able to create JWT tokens even after the user is disabled on the authentication provider.

Axios is vulnerable to DoS attack through lack of data size check

When Axios runs on Node.js and is given a URL with the data: scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire payload into memory (Buffer/Blob) and returns a synthetic 200 response. This path ignores maxContentLength / maxBodyLength (which only protect HTTP responses), so an attacker can supply a very large data: URI and cause the process to allocate unbounded memory and crash (DoS), even …

Neo4j Cypher MCP server is vulnerable to DNS rebinding

DNS rebinding vulnerability in Neo4j Cypher MCP server allows malicious websites to bypass Same-Origin Policy protections and execute unauthorised tool invocations against locally running Neo4j MCP instances. The attack relies on the user being enticed to visit a malicious website and spend sufficient time there for DNS rebinding to succeed.

WebSocket endpoint `/api/v2/ws/logs` reachable without authentication even when --auth is enabled

Hoverfly’s admin WebSocket endpoint /api/v2/ws/logs is not protected by the same authentication middleware that guards the REST admin API. Consequently, an unauthenticated remote attacker can: Stream real-time application logs (information disclosure). Gain insight into internal file paths, request/response bodies, and other potentially sensitive data emitted in logs.

Webrecorder packages are vulnerable to XSS through 404 error handling logic

A Reflected Cross-Site Scripting (XSS) vulnerability exists in the 404 error handling logic of wabac.js v2.23.10 and below. The parameter requestURL (derived from the original request target) is directly embedded into an inline <script> block without sanitization or escaping. This allows an attacker to craft a malicious URL that executes arbitrary JavaScript in the victim’s browser. The scope may be limited by CORS policies, depending on the situation in which …

Webrecorder packages are vulnerable to XSS through 404 error handling logic

A Reflected Cross-Site Scripting (XSS) vulnerability exists in the 404 error handling logic of wabac.js v2.23.10 and below. The parameter requestURL (derived from the original request target) is directly embedded into an inline <script> block without sanitization or escaping. This allows an attacker to craft a malicious URL that executes arbitrary JavaScript in the victim’s browser. The scope may be limited by CORS policies, depending on the situation in which …

Webrecorder packages are vulnerable to XSS through 404 error handling logic

A Reflected Cross-Site Scripting (XSS) vulnerability exists in the 404 error handling logic of wabac.js v2.23.10 and below. The parameter requestURL (derived from the original request target) is directly embedded into an inline <script> block without sanitization or escaping. This allows an attacker to craft a malicious URL that executes arbitrary JavaScript in the victim’s browser. The scope may be limited by CORS policies, depending on the situation in which …

Shopware: Reflective Cross Site-Scripting (XSS) in CMS components

When an application uses input fields, it is important that user input is adequately filtered for malicious HTML and JavaScript characters. When adequate input validation is not applied, Cross-Site Scripting (XSS) vulnerabilities may arise. These allow malicious actors to inject malicious code into application pages. When a user visits the page, the code is executed in the user's web browser. This allows malicious actors to perform malicious actions in the …

Shopware: Reflective Cross Site-Scripting (XSS) in CMS components

When an application uses input fields, it is important that user input is adequately filtered for malicious HTML and JavaScript characters. When adequate input validation is not applied, Cross-Site Scripting (XSS) vulnerabilities may arise. These allow malicious actors to inject malicious code into application pages. When a user visits the page, the code is executed in the user's web browser. This allows malicious actors to perform malicious actions in the …

PyInstaller has local privilege escalation vulnerability

Due to a special entry being appended to sys.path during the bootstrap process of a PyInstaller-frozen application, and due to the bootstrap script attempting to load an optional module for bytecode decryption while this entry is still present in sys.path, an application built with PyInstaller < 6.0.0 may be tricked by an unprivileged attacker into executing arbitrary python code when all of the following conditions are met: Application is built …

Picklescan: ZIP archive scan bypass is possible through non-exhaustive Cyclic Redundancy Check

Picklescan's ability to scan ZIP archives for malicious pickle files is compromised when the archive contains a file with a bad Cyclic Redundancy Check (CRC). Instead of attempting to scan the files within the archive, whatever the CRC is, Picklescan fails in error and returns no results. This allows attackers to potentially hide malicious pickle payloads within ZIP archives that PyTorch might still be able to load (as PyTorch often …

Picklescan: ZIP archive scan bypass is possible through non-exhaustive Cyclic Redundancy Check

Picklescan's ability to scan ZIP archives for malicious pickle files is compromised when the archive contains a file with a bad Cyclic Redundancy Check (CRC). Instead of attempting to scan the files within the archive, whatever the CRC is, Picklescan fails in error and returns no results. This allows attackers to potentially hide malicious pickle payloads within ZIP archives that PyTorch might still be able to load (as PyTorch often …

Picklescan is Vulnerable to Unsafe Globals Check Bypass through Subclass Imports

The vulnerability allows malicious actors to bypass PickleScan's unsafe globals check, leading to potential arbitrary code execution. The issue stems from PickleScan's strict check for full module names against its list of unsafe globals. By using subclasses of dangerous imports instead of the exact module names, attackers can circumvent the check and inject malicious payloads.

Picklescan is Vulnerable to Unsafe Globals Check Bypass through Subclass Imports

The vulnerability allows malicious actors to bypass PickleScan's unsafe globals check, leading to potential arbitrary code execution. The issue stems from PickleScan's strict check for full module names against its list of unsafe globals. By using subclasses of dangerous imports instead of the exact module names, attackers can circumvent the check and inject malicious payloads.

Picklescan Bypass is Possible via File Extension Mismatch

Picklescan can be bypassed, allowing the detection of malicious pickle files to fail, when a standard pickle file is given a PyTorch-related file extension (e.g., .bin). This occurs because the scanner prioritizes PyTorch file extension checks and errors out when parsing a standard pickle file with such an extension instead of falling back to standard pickle analysis. This vulnerability allows attackers to disguise malicious pickle payloads within files that would …

Picklescan Bypass is Possible via File Extension Mismatch

Picklescan can be bypassed, allowing the detection of malicious pickle files to fail, when a standard pickle file is given a PyTorch-related file extension (e.g., .bin). This occurs because the scanner prioritizes PyTorch file extension checks and errors out when parsing a standard pickle file with such an extension instead of falling back to standard pickle analysis. This vulnerability allows attackers to disguise malicious pickle payloads within files that would …

Liferay Portal is vulnerable to Reflected XSS attack through get_editor path

Reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.3.73 through 7.4.3.128, and Liferay DXP 2024.Q3.0 through 2024.Q3.1, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 7.4 update 73 through update 92 allows remote attackers to inject arbitrary web script or HTML via the /c/portal/comment/discussion/get_editor path.

Decap CMS Cross Site Scripting (XSS) vulnerability

Decap CMS through 3.8.3 is vulnerable to stored Cross-Site Scripting (XSS) in the admin preview pane. User-controlled fields (e.g., title, description, tags, and body) are rendered in the preview without sufficient sanitization/escaping. An attacker with low-privilege author/contributor access can persist a JavaScript payload in content; when a maintainer or reviewer opens the preview, the payload executes in the CMS admin origin, enabling token/session theft or the execution of privileged actions …

Claude Code vulnerable to arbitrary code execution caused by maliciously configured git email

At startup, Claude Code constructed a shell command that interpolated the value of git config user.email from the current workspace. If an attacker controlled the repository’s Git config (e.g., via a malicious .git/config) and set user.email to a crafted payload, the unescaped interpolation could trigger arbitrary command execution before the user accepted the workspace-trust dialog. The issue affects versions prior to 1.0.105. The fix in 1.0.105 avoids executing commands built …

Claude Code rg vulnerability does not protect against approval prompt bypass

Due to an error in command parsing, it was possible to bypass the Claude Code confirmation prompt to trigger execution of an untrusted command. Reliably exploiting this requires the ability to add untrusted content into a Claude Code context window. Users on standard Claude Code auto-update will have received this fix automatically. Users performing manual updates are advised to update to the latest version. Thank you to the NVIDIA AI …

Angular SSR: Global Platform Injector Race Condition Leads to Cross-Request Data Leakage

Angular uses a DI container (the "platform injector") to hold request-specific state during server-side rendering. For historical reasons, the container was stored as a JavaScript module-scoped global variable. When multiple requests are processed concurrently, they could inadvertently share or overwrite the global injector state. In practical terms, this can lead to one request responding with data meant for a completely different request, leaking data or tokens included on the rendered …

Angular SSR: Global Platform Injector Race Condition Leads to Cross-Request Data Leakage

Angular uses a DI container (the "platform injector") to hold request-specific state during server-side rendering. For historical reasons, the container was stored as a JavaScript module-scoped global variable. When multiple requests are processed concurrently, they could inadvertently share or overwrite the global injector state. In practical terms, this can lead to one request responding with data meant for a completely different request, leaking data or tokens included on the rendered …

Angular SSR: Global Platform Injector Race Condition Leads to Cross-Request Data Leakage

Angular uses a DI container (the "platform injector") to hold request-specific state during server-side rendering. For historical reasons, the container was stored as a JavaScript module-scoped global variable. When multiple requests are processed concurrently, they could inadvertently share or overwrite the global injector state. In practical terms, this can lead to one request responding with data meant for a completely different request, leaking data or tokens included on the rendered …

TYPO3 Workspaces Module Information Disclosure

Missing authorization checks in the Workspace Module of TYPO3 CMS versions 9.0.0‑9.5.54, 10.0.0‑10.4.53, 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17 allow backend users to directly invoke the corresponding AJAX backend route to disclose sensitive information without having access.

TYPO3 CMS has an open‑redirect vulnerability

An open‑redirect vulnerability in GeneralUtility::sanitizeLocalUrl of TYPO3 CMS 9.0.0–9.5.54, 10.0.0–10.4.53, 11.0.0–11.5.47, 12.0.0–12.4.36, and 13.0.0–13.4.17 allows an attacker to redirect users to arbitrary external sites, enabling phishing attacks by supplying a manipulated, sanitized URL.

toodee is vulnerable to Heap Buffer Overflow through its DrainCol Destructor

An off-by-one error in the DrainCol::drop destructor could cause an unsafe memory copy operation to exceed the bounds of the associated vector. The error was related to the size of the data being copied in one of the ptr::copy invocations inside the destructor. When removing the first column from a TooDee object, the DrainCol return object could cause a heap buffer overflow vulnerability when it is dropped. The issue was …

SGLang Remote Code Execution Vulnerability via Unsafe Deserialization in update_weights_from_tensor

A security flaw has been discovered in lmsys sglang 0.4.6. Affected by this vulnerability is the function main of the file /update_weights_from_tensor. The manipulation of the argument serialized_named_tensors results in deserialization. The attack can be launched remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

OctoPrint is Vulnerable to RCE Attacks via Unsanitized Filename in File Upload

OctoPrint versions up until and including 1.11.2 contain a vulnerability that allows an authenticated attacker to upload a file under a specially crafted filename that will allow arbitrary command execution if said filename becomes included in a command defined in a system event handler and said event gets triggered. If no event handlers executing system commands with uploaded filenames as parameters have been configured, this vulnerability does not have an …

Monai: Unsafe use of Pickle deserialization may lead to RCE

The pickle_operations function in monai/data/utils.py automatically handles dictionary key-value pairs ending with a specific suffix and deserializes them using pickle.loads() . This function also lacks any security measures. When verified using the following proof-of-concept, arbitrary code execution can occur.

MONAI: Unsafe torch usage may lead to arbitrary code execution

In model_dict = torch.load(full_path, map_location=torch.device(device), weights_only=True) in monai/bundle/scripts.py , weights_only=True is loaded securely. However, insecure loading methods still exist elsewhere in the project, such as when loading checkpoints. This is a common practice when users want to reduce training time and costs by loading pre-trained models downloaded from platforms like huggingface. Loading a checkpoint containing malicious content can trigger a deserialization vulnerability, leading to code execution. The following proof-of-concept demonstrates …

MONAI does not prevent path traversal, potentially leading to arbitrary file writes

The extractall function zip_file.extractall(output_dir) is used directly to process compressed files. It is used in many places in the project. When the Zip file containing malicious content is decompressed, it will overwrite the system files. In addition, the project allows the download of the zip content through the link, which increases the scope of exploitation of this vulnerability. When reproducing locally, follow the process below to create a malicious zip …

Magento Community Edition Improper Input Validation vulnerability

Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact to high. Exploitation of this issue does not require user interaction.

Magento Community Edition Improper Input Validation vulnerability

Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact to high. Exploitation of this issue does not require user interaction.

listmonk: CSRF to XSS Chain can Lead to Admin Account Takeover

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing. If the victim is a normal user, a successful CSRF attack can …

Liferay Portal is vulnerable to XSS attack through fieldset name in Kaleo Forms Admin

A Stored cross-site scripting vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.11, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1.20 allows an remote authenticated attacker to inject JavaScript through the name of a fieldset in Kaleo Forms Admin. The malicious payload is stored and executed without proper sanitization or escaping.

Liferay Portal is vulnerable to SSRF through custom object attachment fields

A server-side request forgery (SSRF) vulnerability exist in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1.20 that affects custom object attachment fields. This flaw allows an attacker to manipulate the application into making unauthorized requests to other instances, creating new object entries that link to external resources.

Liferay Portal exposes 500 status when attempting login with a deleted client secret

Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1.19 exposes "Internal Server Error" in the response body when a login attempt is made with a deleted Client Secret.

Liferay Portal and Liferay DXP vulnerable to store Cross-site Scripting

A stored cross-site scripting vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19 and 7.4 GA through update 92 allows an remote authenticated attacker to inject JavaScript through Custom Object field label. The malicious payload is stored and executed through Process Builder's Configuration tab without proper escaping.

Liferay Portal and Liferay DXP vulnerable to store Cross-site Scripting

A stored cross-site scripting vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19 and 7.4 GA through update 92 allows an remote authenticated attacker to inject JavaScript through Custom Object field label. The malicious payload is stored and executed through Process Builder's Configuration tab without proper escaping.

Liferay Portal and Liferay DXP vulnerable to store Cross-site Scripting

A stored cross-site scripting vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19 and 7.4 GA through update 92 allows an remote authenticated attacker to inject JavaScript through Custom Object field label. The malicious payload is stored and executed through Process Builder's Configuration tab without proper escaping.

Element Plus Link component (el-link) implements insufficient input validation for the href attribute

Element Plus Link component (el-link) prior to 2.11.0 implements insufficient input validation for the href attribute, creating a security abstraction gap that obscures URL-based attack vectors. The component passes user-controlled href values directly to underlying anchor elements without protocol validation, URL sanitization, or security headers. This allows attackers to inject malicious URLs using dangerous protocols (javascript:, data:, file:) or redirect users to external malicious sites. While native HTML anchor elements …

DuckDB NPM packages 1.3.3 and 1.29.2 briefly compromised with malware

The DuckDB distribution for Node.js on npm was compromised with malware (along with several other packages). An attacker published new versions of four of duckdb’s packages that included malicious code to interfere with cryptocoin transactions. The following packages and versions are affected: @duckdb/node-api@1.3.3 @duckdb/node-bindings@1.3.3 duckdb@1.3.3 @duckdb/duckdb-wasm@1.29.2 Note: The current release version of DuckDB is 1.3.2, with 1.4.0 expected to be released on Sept 10th, 2025 (tomorrow as of this writing). …

DuckDB NPM packages 1.3.3 and 1.29.2 briefly compromised with malware

The DuckDB distribution for Node.js on npm was compromised with malware (along with several other packages). An attacker published new versions of four of duckdb’s packages that included malicious code to interfere with cryptocoin transactions. The following packages and versions are affected: @duckdb/node-api@1.3.3 @duckdb/node-bindings@1.3.3 duckdb@1.3.3 @duckdb/duckdb-wasm@1.29.2 Note: The current release version of DuckDB is 1.3.2, with 1.4.0 expected to be released on Sept 10th, 2025 (tomorrow as of this writing). …

DuckDB NPM packages 1.3.3 and 1.29.2 briefly compromised with malware

The DuckDB distribution for Node.js on npm was compromised with malware (along with several other packages). An attacker published new versions of four of duckdb’s packages that included malicious code to interfere with cryptocoin transactions. The following packages and versions are affected: @duckdb/node-api@1.3.3 @duckdb/node-bindings@1.3.3 duckdb@1.3.3 @duckdb/duckdb-wasm@1.29.2 Note: The current release version of DuckDB is 1.3.2, with 1.4.0 expected to be released on Sept 10th, 2025 (tomorrow as of this writing). …

DuckDB NPM packages 1.3.3 and 1.29.2 briefly compromised with malware

The DuckDB distribution for Node.js on npm was compromised with malware (along with several other packages). An attacker published new versions of four of duckdb’s packages that included malicious code to interfere with cryptocoin transactions. The following packages and versions are affected: @duckdb/node-api@1.3.3 @duckdb/node-bindings@1.3.3 duckdb@1.3.3 @duckdb/duckdb-wasm@1.29.2 Note: The current release version of DuckDB is 1.3.2, with 1.4.0 expected to be released on Sept 10th, 2025 (tomorrow as of this writing). …

DuckDB NPM packages 1.3.3 and 1.29.2 briefly compromised with malware

The DuckDB distribution for Node.js on npm was compromised with malware (along with several other packages). An attacker published new versions of four of duckdb’s packages that included malicious code to interfere with cryptocoin transactions. The following packages and versions are affected: @duckdb/node-api@1.3.3 @duckdb/node-bindings@1.3.3 duckdb@1.3.3 @duckdb/duckdb-wasm@1.29.2 Note: The current release version of DuckDB is 1.3.2, with 1.4.0 expected to be released on Sept 10th, 2025 (tomorrow as of this writing). …

DuckDB NPM packages 1.3.3 and 1.29.2 briefly compromised with malware

The DuckDB distribution for Node.js on npm was compromised with malware (along with several other packages). An attacker published new versions of four of duckdb’s packages that included malicious code to interfere with cryptocoin transactions. The following packages and versions are affected: @duckdb/node-api@1.3.3 @duckdb/node-bindings@1.3.3 duckdb@1.3.3 @duckdb/duckdb-wasm@1.29.2 Note: The current release version of DuckDB is 1.3.2, with 1.4.0 expected to be released on Sept 10th, 2025 (tomorrow as of this writing). …

DuckDB NPM packages 1.3.3 and 1.29.2 briefly compromised with malware

The DuckDB distribution for Node.js on npm was compromised with malware (along with several other packages). An attacker published new versions of four of duckdb’s packages that included malicious code to interfere with cryptocoin transactions. The following packages and versions are affected: @duckdb/node-api@1.3.3 @duckdb/node-bindings@1.3.3 duckdb@1.3.3 @duckdb/duckdb-wasm@1.29.2 Note: The current release version of DuckDB is 1.3.2, with 1.4.0 expected to be released on Sept 10th, 2025 (tomorrow as of this writing). …

DuckDB NPM packages 1.3.3 and 1.29.2 briefly compromised with malware

The DuckDB distribution for Node.js on npm was compromised with malware (along with several other packages). An attacker published new versions of four of duckdb’s packages that included malicious code to interfere with cryptocoin transactions. The following packages and versions are affected: @duckdb/node-api@1.3.3 @duckdb/node-bindings@1.3.3 duckdb@1.3.3 @duckdb/duckdb-wasm@1.29.2 Note: The current release version of DuckDB is 1.3.2, with 1.4.0 expected to be released on Sept 10th, 2025 (tomorrow as of this writing). …

copyparty: Sharing a single file does not fully restrict access to other files in source folder

There was a missing permission-check in the shares feature (the shr global-option). When a share is created for just one file inside a folder, it was possible to access the other files inside that folder by guessing the filenames. It was not possible to descend into subdirectories in this manner; only the sibling files were accessible. This issue did not affect filekeys or dirkeys.

XWiki Blog Application: Privilege Escalation (PR) from account through blog content

The blog application in XWiki allowed remote code execution for any user who has edit right on any page. Normally, these are all logged-in users as they can edit their own user profile. To exploit, it is sufficient to add an object of type Blog.BlogPostClass to any page and to add some script macro with the exploit code to the "Content" field of that object.

pREST has a Systemic SQL Injection Vulnerability

pREST provides a simple way for users to expose access their database via a REST-full API. The project is implemented using the Go programming language and is designed to expose access to Postgres database tables. During an independent review of the project, Doyensec engineers found that SQL injection is a systemic problem in the current implementation (version v2.0.0-rc2). Even though there are several instances of attempts to sanitize user input …

MCP Inspector is Vulnerable to Potential Command Execution via XSS When Connecting to an Untrusted MCP Server

An XSS flaw exists in the MCP Inspector local development tool when it renders a redirect URL returned by a remote MCP server. If the Inspector connects to an untrusted server, a crafted redirect can inject script into the Inspector context and, via the built-in proxy, be leveraged to trigger arbitrary command execution on the developer machine. Version 0.16.6 hardens URL handling/validation and prevents script execution. Thank you to the …

Malware in wrap-ansi

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Malware in supports-hyperlinks

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Malware in supports-color

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Malware in strip-ansi

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Malware in slice-ansi

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Malware in simple-swizzle

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Malware in proto-tinker-wc

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Malware in is-arrayish

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Malware in has-ansi

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Malware in error-ex

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Malware in debug

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Malware in color-string

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Malware in color-name

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Malware in color-convert

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Malware in color

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Malware in chalk-template

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Malware in chalk

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Malware in backslash

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Malware in ansi-styles

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Malware in ansi-regex

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Fides' Admin UI User Password Change Does Not Invalidate Current Session

Admin UI user password changes in Fides do not invalidate active user sessions, creating a vulnerability chaining opportunity where attackers who have obtained session tokens through other attack vectors (such as XSS) can maintain access even after password reset. This issue is not directly exploitable on its own and requires a prerequisite vulnerability to obtain valid session tokens in the first place.

Fides Webserver API Rate Limiting Vulnerability in Proxied Environments

The Fides Webserver API's built-in IP-based rate limiting is ineffective in environments with CDNs, proxies or load balancers. The system incorrectly applies rate limits based on directly connected infrastructure IPs rather than client IPs, and stores counters in-memory rather than in a shared store. This allows attackers to bypass intended rate limits and potentially cause denial of service. This vulnerability only affects deployments relying on Fides's built-in rate limiting for …

Fides has a Lack of Brute-Force Protections on Authentication Endpoints

The Fides Admin UI login endpoint relies on a general IP-based rate limit for all API traffic and lacks specific anti-automation controls designed to protect against brute-force attacks. This could allow attackers to conduct credential testing attacks, such as credential stuffing or password spraying, which poses a risk to accounts with weak or previously compromised passwords.

Apache Jackrabbit: Core and JCR Commons are vulnerable to Deserialization of Untrusted Data

There is a serialization of Untrusted Data vulnerability in Apache Jackrabbit Core and Apache Jackrabbit JCR Commons. This issue affects Apache Jackrabbit Core: from 1.0.0 through 2.22.1; Apache Jackrabbit JCR Commons: from 1.0.0 through 2.22.1. Deployments that accept JNDI URIs for JCR lookup from untrusted users allows them to inject malicious JNDI references, potentially leading to arbitrary code execution through deserialization of untrusted data. Users are recommended to upgrade to …

Apache Jackrabbit: Core and JCR Commons are vulnerable to Deserialization of Untrusted Data

There is a serialization of Untrusted Data vulnerability in Apache Jackrabbit Core and Apache Jackrabbit JCR Commons. This issue affects Apache Jackrabbit Core: from 1.0.0 through 2.22.1; Apache Jackrabbit JCR Commons: from 1.0.0 through 2.22.1. Deployments that accept JNDI URIs for JCR lookup from untrusted users allows them to inject malicious JNDI references, potentially leading to arbitrary code execution through deserialization of untrusted data. Users are recommended to upgrade to …

TkEasyGUI Vulnerable to OS Command Injection

Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in TkEasyGUI versions prior to v1.0.22. If this vulnerability is exploited, an arbitrary OS command may be executed by a remote unauthenticated attacker if the settings are configured to construct messages from external sources.

secrets-store-sync-controller discloses service account tokens in logs

Hello Kubernetes Community, A security issue was discovered in secrets-store-sync-controller where an actor with access to the controller logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions. Tokens are only logged when there is a specific error marshaling the parameters sent to the providers.

internetarchive Vulnerable to Directory Traversal in File.download()

What kind of vulnerability is it? This is a Critical severity directory traversal (path traversal) vulnerability in the File.download() method of the internetarchive library. Who is impacted? All users of the internetarchive library versions < 5.5.1 are impacted. The vulnerability is particularly critical for users on Windows systems, but all operating systems are affected. Description of the vulnerability: The vulnerability existed because the file.download() method did not properly sanitize user-supplied …

ImageMagick BlobStream Forward-Seek Under-Allocation

For memory-backed blobs (BlobStream), SeekBlob() permits advancing the stream offset beyond the current end without increasing capacity. The subsequent WriteBlob() then expands by quantum + length (amortized) instead of offset + length, and copies to data + offset. When offset ≫ extent, the copy targets memory beyond the allocation, producing a deterministic heap write on 64-bit builds. No 2⁶⁴ arithmetic wrap, external delegates, or policy settings are required.

ImageMagick BlobStream Forward-Seek Under-Allocation

For memory-backed blobs (BlobStream), SeekBlob() permits advancing the stream offset beyond the current end without increasing capacity. The subsequent WriteBlob() then expands by quantum + length (amortized) instead of offset + length, and copies to data + offset. When offset ≫ extent, the copy targets memory beyond the allocation, producing a deterministic heap write on 64-bit builds. No 2⁶⁴ arithmetic wrap, external delegates, or policy settings are required.

ImageMagick BlobStream Forward-Seek Under-Allocation

For memory-backed blobs (BlobStream), SeekBlob() permits advancing the stream offset beyond the current end without increasing capacity. The subsequent WriteBlob() then expands by quantum + length (amortized) instead of offset + length, and copies to data + offset. When offset ≫ extent, the copy targets memory beyond the allocation, producing a deterministic heap write on 64-bit builds. No 2⁶⁴ arithmetic wrap, external delegates, or policy settings are required.

ImageMagick BlobStream Forward-Seek Under-Allocation

For memory-backed blobs (BlobStream), SeekBlob() permits advancing the stream offset beyond the current end without increasing capacity. The subsequent WriteBlob() then expands by quantum + length (amortized) instead of offset + length, and copies to data + offset. When offset ≫ extent, the copy targets memory beyond the allocation, producing a deterministic heap write on 64-bit builds. No 2⁶⁴ arithmetic wrap, external delegates, or policy settings are required.

ImageMagick BlobStream Forward-Seek Under-Allocation

For memory-backed blobs (BlobStream), SeekBlob() permits advancing the stream offset beyond the current end without increasing capacity. The subsequent WriteBlob() then expands by quantum + length (amortized) instead of offset + length, and copies to data + offset. When offset ≫ extent, the copy targets memory beyond the allocation, producing a deterministic heap write on 64-bit builds. No 2⁶⁴ arithmetic wrap, external delegates, or policy settings are required.

ImageMagick BlobStream Forward-Seek Under-Allocation

For memory-backed blobs (BlobStream), SeekBlob() permits advancing the stream offset beyond the current end without increasing capacity. The subsequent WriteBlob() then expands by quantum + length (amortized) instead of offset + length, and copies to data + offset. When offset ≫ extent, the copy targets memory beyond the allocation, producing a deterministic heap write on 64-bit builds. No 2⁶⁴ arithmetic wrap, external delegates, or policy settings are required.

ImageMagick BlobStream Forward-Seek Under-Allocation

For memory-backed blobs (BlobStream), SeekBlob() permits advancing the stream offset beyond the current end without increasing capacity. The subsequent WriteBlob() then expands by quantum + length (amortized) instead of offset + length, and copies to data + offset. When offset ≫ extent, the copy targets memory beyond the allocation, producing a deterministic heap write on 64-bit builds. No 2⁶⁴ arithmetic wrap, external delegates, or policy settings are required.

ImageMagick BlobStream Forward-Seek Under-Allocation

For memory-backed blobs (BlobStream), SeekBlob() permits advancing the stream offset beyond the current end without increasing capacity. The subsequent WriteBlob() then expands by quantum + length (amortized) instead of offset + length, and copies to data + offset. When offset ≫ extent, the copy targets memory beyond the allocation, producing a deterministic heap write on 64-bit builds. No 2⁶⁴ arithmetic wrap, external delegates, or policy settings are required.

ImageMagick BlobStream Forward-Seek Under-Allocation

For memory-backed blobs (BlobStream), SeekBlob() permits advancing the stream offset beyond the current end without increasing capacity. The subsequent WriteBlob() then expands by quantum + length (amortized) instead of offset + length, and copies to data + offset. When offset ≫ extent, the copy targets memory beyond the allocation, producing a deterministic heap write on 64-bit builds. No 2⁶⁴ arithmetic wrap, external delegates, or policy settings are required.

ImageMagick BlobStream Forward-Seek Under-Allocation

For memory-backed blobs (BlobStream), SeekBlob() permits advancing the stream offset beyond the current end without increasing capacity. The subsequent WriteBlob() then expands by quantum + length (amortized) instead of offset + length, and copies to data + offset. When offset ≫ extent, the copy targets memory beyond the allocation, producing a deterministic heap write on 64-bit builds. No 2⁶⁴ arithmetic wrap, external delegates, or policy settings are required.

ImageMagick BlobStream Forward-Seek Under-Allocation

For memory-backed blobs (BlobStream), SeekBlob() permits advancing the stream offset beyond the current end without increasing capacity. The subsequent WriteBlob() then expands by quantum + length (amortized) instead of offset + length, and copies to data + offset. When offset ≫ extent, the copy targets memory beyond the allocation, producing a deterministic heap write on 64-bit builds. No 2⁶⁴ arithmetic wrap, external delegates, or policy settings are required.

ImageMagick BlobStream Forward-Seek Under-Allocation

For memory-backed blobs (BlobStream), SeekBlob() permits advancing the stream offset beyond the current end without increasing capacity. The subsequent WriteBlob() then expands by quantum + length (amortized) instead of offset + length, and copies to data + offset. When offset ≫ extent, the copy targets memory beyond the allocation, producing a deterministic heap write on 64-bit builds. No 2⁶⁴ arithmetic wrap, external delegates, or policy settings are required.

FS2 half-shutdown of socket during TLS handshake may result in spin loop on opposite side

When establishing a TLS session using fs2-io on the JVM using the fs2.io.net.tls package, if one side of the connection shuts down write while the peer side is awaiting more data to progress the TLS handshake, the peer side will spin loop on the socket read, fully utilizing a CPU. This CPU is consumed until the overall connection is closed. This could be used as a denial of service attack …

FS2 half-shutdown of socket during TLS handshake may result in spin loop on opposite side

When establishing a TLS session using fs2-io on the JVM using the fs2.io.net.tls package, if one side of the connection shuts down write while the peer side is awaiting more data to progress the TLS handshake, the peer side will spin loop on the socket read, fully utilizing a CPU. This CPU is consumed until the overall connection is closed. This could be used as a denial of service attack …

FS2 half-shutdown of socket during TLS handshake may result in spin loop on opposite side

When establishing a TLS session using fs2-io on the JVM using the fs2.io.net.tls package, if one side of the connection shuts down write while the peer side is awaiting more data to progress the TLS handshake, the peer side will spin loop on the socket read, fully utilizing a CPU. This CPU is consumed until the overall connection is closed. This could be used as a denial of service attack …

FS2 half-shutdown of socket during TLS handshake may result in spin loop on opposite side

When establishing a TLS session using fs2-io on the JVM using the fs2.io.net.tls package, if one side of the connection shuts down write while the peer side is awaiting more data to progress the TLS handshake, the peer side will spin loop on the socket read, fully utilizing a CPU. This CPU is consumed until the overall connection is closed. This could be used as a denial of service attack …

FS2 half-shutdown of socket during TLS handshake may result in spin loop on opposite side

When establishing a TLS session using fs2-io on the JVM using the fs2.io.net.tls package, if one side of the connection shuts down write while the peer side is awaiting more data to progress the TLS handshake, the peer side will spin loop on the socket read, fully utilizing a CPU. This CPU is consumed until the overall connection is closed. This could be used as a denial of service attack …

FS2 half-shutdown of socket during TLS handshake may result in spin loop on opposite side

When establishing a TLS session using fs2-io on the JVM using the fs2.io.net.tls package, if one side of the connection shuts down write while the peer side is awaiting more data to progress the TLS handshake, the peer side will spin loop on the socket read, fully utilizing a CPU. This CPU is consumed until the overall connection is closed. This could be used as a denial of service attack …

FS2 half-shutdown of socket during TLS handshake may result in spin loop on opposite side

When establishing a TLS session using fs2-io on the JVM using the fs2.io.net.tls package, if one side of the connection shuts down write while the peer side is awaiting more data to progress the TLS handshake, the peer side will spin loop on the socket read, fully utilizing a CPU. This CPU is consumed until the overall connection is closed. This could be used as a denial of service attack …

FS2 half-shutdown of socket during TLS handshake may result in spin loop on opposite side

When establishing a TLS session using fs2-io on the JVM using the fs2.io.net.tls package, if one side of the connection shuts down write while the peer side is awaiting more data to progress the TLS handshake, the peer side will spin loop on the socket read, fully utilizing a CPU. This CPU is consumed until the overall connection is closed. This could be used as a denial of service attack …

FS2 half-shutdown of socket during TLS handshake may result in spin loop on opposite side

When establishing a TLS session using fs2-io on the JVM using the fs2.io.net.tls package, if one side of the connection shuts down write while the peer side is awaiting more data to progress the TLS handshake, the peer side will spin loop on the socket read, fully utilizing a CPU. This CPU is consumed until the overall connection is closed. This could be used as a denial of service attack …

FS2 half-shutdown of socket during TLS handshake may result in spin loop on opposite side

When establishing a TLS session using fs2-io on the JVM using the fs2.io.net.tls package, if one side of the connection shuts down write while the peer side is awaiting more data to progress the TLS handshake, the peer side will spin loop on the socket read, fully utilizing a CPU. This CPU is consumed until the overall connection is closed. This could be used as a denial of service attack …

FS2 half-shutdown of socket during TLS handshake may result in spin loop on opposite side

When establishing a TLS session using fs2-io on the JVM using the fs2.io.net.tls package, if one side of the connection shuts down write while the peer side is awaiting more data to progress the TLS handshake, the peer side will spin loop on the socket read, fully utilizing a CPU. This CPU is consumed until the overall connection is closed. This could be used as a denial of service attack …

Duplicate Advisory: Keycloak error_description injection on error pages that can trigger phishing attacks

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-27gc-wj6x-9w55. This link is maintained to preserve external references. Original Description A flaw was found in Keycloak. Keycloak’s account console and other pages accept arbitrary text in the error_description query parameter. This text is directly rendered in error pages without validation or sanitization. While HTML encoding prevents XSS, an attacker can craft URLs with misleading messages (e.g., …

Duplicate Advisory: Keycloak error_description injection on error pages that can trigger phishing attacks

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-27gc-wj6x-9w55. This link is maintained to preserve external references. Original Description A flaw was found in Keycloak. Keycloak’s account console and other pages accept arbitrary text in the error_description query parameter. This text is directly rendered in error pages without validation or sanitization. While HTML encoding prevents XSS, an attacker can craft URLs with misleading messages (e.g., …