● Live advisory feed
Security Advisory Fusion for CSIRTs, SOCs & Defenders
Security advisories from 24 sources — CISA, CERT-EU, NCSC-UK, BSI, CERT-FR, NCSC-NL, JPCERT/CC, JVN, HKCERT, the Canadian Cyber Centre, NVD, GitHub, Microsoft, Cisco, Fortinet, Palo Alto Networks and more — normalized, translated to English and flagged against the CISA KEV catalog. One global feed for CSIRTs, SOCs and defenders.
Summary
The date filter's strftime implementation parses width specifiers like %9999999d and forwards the captured width unchecked into pad()/padStart() in src/util/underscore.ts. The pad loop performs unbounded string concatenation without consulting the Context's memoryLimit o…
Summary
Pimcore's WebDAV asset endpoint exposes a MOVE operation through /asset/webdav{path} without adding an authentication plugin in the WebDAV controller. The Tree::move() implementation then performs asset mutation and deletion before checking a current Pimcore user or any a…
GitHub Security Advisory Draft — GM-374
Summary
Multiple locations in Pimcore v11 call PHP's unserialize() on data from database columns and filesystem files without the allowed_classes restriction, enabling object injection if an attacker can control the serialized data source.…
GitHub Security Advisory Draft — GM-369
Summary
SQL injection in Pimcore's translation grid date filter — the user-supplied property field from the filter JSON is interpolated directly into a UNIX_TIMESTAMP(DATE(FROM_UNIXTIME(...))) SQL expression without parameterization or all…
Summary
The columnConfigAction endpoint in the CustomReportsBundle is vulnerable to SQL injection. An attacker with the reports_config permission can supply a malicious SQL configuration that is concatenated into a query and executed. Although the application attempts to filter c…
Summary
Context.spawn() in liquidjs creates a child Context for the {% render %} tag but does not propagate the parent context's resolved ownPropertyOnly value. The new context re-derives ownPropertyOnly from opts.ownPropertyOnly (the instance-level option), silently discarding …
Summary
The renderLimit option — documented in docs/source/tutorials/dos.md as the mechanism that "mitigates this by limiting the time consumed by each render() call" — can be fully bypassed by a {% for %} (or {% tablerow %}) tag whose body is empty. The per-iteration time check…
Summary
The strip_html filter in liquidjs is intended to remove HTML tags from a string before rendering, and is widely used as an XSS sanitizer. The implementation uses a regex whose catch-all branch (<.*?>) does not match line terminators, so any HTML tag containing a \n or \r…
Summary
CarrierWave's content_type_denylist check fails to escape regex metacharacters in string entries, causing the denylist to silently not match the content types it is intended to block.
Note: CarrierWave is aware #content_type_denylist is deprecated for the security reason…
Impact
yeoman-environment versions >= 2.9.0 and < 6.0.1 install missing local generator packages from caller-supplied package names without user confirmation. In downstream consumers that pass attacker-controlled project configuration into this path, this can result in arbitrary…
Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login.
In affected versions, insufficient validation of this client-controlled value could allow an attacker to influence the redirect target in applications using the Ja…
HTTP transports expose unauthenticated PowerShell control with wildcard CORS
There is an issue in the SSE and Streamable HTTP transport modes. The default stdio mode is not affected, but the documented HTTP modes expose the MCP control plane without authentication and add wildca…
Impact
In deployments where untrusted users can provide SQL queries to be linted, an untrusted user can submit a malicious long query to any application using the parser to trigger a Denial of Service through resource exhaustion.
Patches
Versions 4.2.0 and up contain a configu…
Impact
In deployments where untrusted users can provide SQL queries to be linted, an untrusted user can submit a malicious query with deliberate excessive nesting to any application using the parser to trigger a Denial of Service through resource exhaustion.
Patches
Versions 4…
Summary
The /__nuxt_island/* endpoint accepts attacker-controlled props query/body parameters and renders any island component without verifying that the URL-resident hash (<Name>_<hashId>.json) was actually issued for those inputs by <NuxtIsland>. The hash is computed and embed…
Java Deserialisation Vulnerability in Jaspersoft Reports Library leads to Remote Code Execution (RCE), potentially allowing code execution on the affected system
Summary
This is an incomplete fix for GHSA-4gf7-ff8x-hq99. Source code may be stolen during dev when using the webpack / rspack builder if the dev server is bound to a non-loopback address (e.g. nuxt dev --host) and the developer opens a malicious site on the same network.
Detai…
Summary
navigateTo() with external: true generates a server-side HTML redirect body containing a <meta http-equiv="refresh"> tag. The destination URL is only sanitized by replacing " with %22, leaving <, >, &, and ' unencoded. An attacker who can influence the URL passed to navig…
This is the same issue as CVE-2024-3651, however the original remediation in 2024 was not a complete fix. Payloads such as "\u0660" * N or "\u30fb" * N + "\u6f22" utilize the valid_contexto function prior to length rejection, and for high values of N will take a long time to proc…
Executive Summary:
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0, .NET 9.0, and .NET 10.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
Improper…
Impact
_Local code execution without UI interaction: any same-user process can send a JSON payload to electerm's single-instance socket/pipe, causing the app to create tabs and potentially spawn attacker-controlled local processes. Affects electerm single-instance installs on the…
Summary
Type: Mass assignment via Object.assign(entity, body) -> client-controlled workspaceId (and on create, id) overwritten on the Evaluation entity -> cross-workspace data takeover and IDOR.
File: packages/server/src/services/evaluations/index.ts
Root cause: The Evaluation c…
Summary
Type: Mass assignment via Object.assign(entity, body) -> client-controlled workspaceId (and on create, id) overwritten on the DatasetRow entity -> cross-workspace data takeover and IDOR.
File: packages/server/src/services/dataset/index.ts
Root cause: The DatasetRow contr…
Summary
Type: Mass assignment via Object.assign(entity, body) -> client-controlled workspaceId (and on create, id) overwritten on the Dataset entity -> cross-workspace data takeover and IDOR.
File: packages/server/src/services/dataset/index.ts
Root cause: The Dataset controller/…
An arbitrary file write vulnerability exists in Casdoor's Local File System storage provider. Due to insufficient path sanitization, an authenticated attacker with administrative privileges can perform a Path Traversal attack to create or overwrite arbitrary files anywhere on the…
In Bouncy Castle LTS for Java, the AES/GCM native implementation used on Intel CPUs with AES PAA instruction sets (AVX / VAES / VAESF variants) can intermittently produce an incorrect authentication tag verification result during decryption when the ciphertext is fed in via a mix…
Impact
A vulnerability has been identified in the SUSE Virtualization (Harvester) Rancher integration mechanism where by default the registration client uses an insecure TLS option that fails to verify the remote server’s certificate. This security gap could allow the execution …
Summary
TimeConverterRegistrar caches DateTimeFormatter instances in an unbounded ConcurrentHashMap<String, DateTimeFormatter> whose key is derived from the @Format annotation pattern concatenated with the locale from the HTTP Accept-Language header. Because Locale.forLanguageTa…
The /add/ endpoint (AddView in core/views.py) accepts a config JSON field that gets merged into the crawl config without validation. This config is exported as environment variables when archive plugins run, allowing injection of arbitrary tool arguments to achieve RCE.
When PUB…
An issue was discovered in OpenStack ironic-python-agent 1.0.0 through 11.5.0. Ironic Python Agent (IPA) sometimes executes grub-install from within a chroot of the deployed partition image, leading to code execution in the case of a malicious image.
A WebFlux server application that processes multipart requests creates temp files for parts larger than 10 K. Under some circumstances, temp files may remain not deleted after the request is fully processed. This allows an attacker to consume available disk space.
Older, unsuppo…
Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources.
More precisely, an application can be vulnerable when all the following are true:
- the application is using Spring MVC or Spring WebFlux
- the application is configuring the …
OpenStack Ironic before 35.0.1 allows ipmitool execution in a non-default configuration that has a console interface.
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-jcjr-rh8q-7xqf. This link is maintained to preserve external references.
Original Description
A logic error in the ln utility of uutils coreutils causes the program to reject source paths conta…
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-47c7-qrm7-mqw7. This link is maintained to preserve external references.
Original Description
The id utility in uutils coreutils miscalculates the groups= section of its output. The implementat…
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-xv5w-cw7x-72gj. This link is maintained to preserve external references.
Original Description
The id utility in uutils coreutils exhibits incorrect behavior in its "pretty print" output when th…
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-pmfc-4wjj-gmhx. This link is maintained to preserve external references.
Original Description
A logic error in the cut utility of uutils coreutils causes the utility to ignore the -s (only-deli…
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-r9hw-mj3w-phcq. This link is maintained to preserve external references.
Original Description
The mknod utility in uutils coreutils fails to handle security labels atomically by creating device…
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-gwm6-q8ch-hcfr. This link is maintained to preserve external references.
Original Description
A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the install utility of uutils coreu…
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-239g-2685-54x3. This link is maintained to preserve external references.
Original Description
The install utility in uutils coreutils is vulnerable to a Time-of-Check to Time-of-Use (TOCTOU) ra…
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-3wfc-mgpm-9rq6. This link is maintained to preserve external references.
Original Description
The comm utility in uutils coreutils incorrectly consumes data from non-regular file inputs before …
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-mj6p-44ch-cq69. This link is maintained to preserve external references.
Original Description
The mkdir utility in uutils coreutils incorrectly applies permissions when using the -m flag by cre…
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-wv33-5pxh-r7j7. This link is maintained to preserve external references.
Original Description
The cut utility in uutils coreutils incorrectly handles the -s (only-delimited) option when a newli…
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-6gcw-w7cp-94g9. This link is maintained to preserve external references.
Original Description
The comm utility in uutils coreutils silently corrupts data by performing lossy UTF-8 conversion on…
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-p7h3-7q52-72w8. This link is maintained to preserve external references.
Original Description
The printenv utility in uutils coreutils fails to display environment variables containing invalid …
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-w6xc-g9qj-vp32. This link is maintained to preserve external references.
Original Description
The safe_traversal module in uutils coreutils, which provides protection against Time-of-Check to T…
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-h444-6j9x-p8vh. This link is maintained to preserve external references.
Original Description
The mv utility in uutils coreutils improperly handles directory trees containing symbolic links dur…
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-8vrf-r662-2w2v. This link is maintained to preserve external references.
Original Description
The cp utility in uutils coreutils, when performing recursive copies (-R), incorrectly treats chara…
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-89p7-7cq3-hhr2. This link is maintained to preserve external references.
Original Description
A vulnerability in the rm utility of uutils coreutils allows the bypass of safeguard mechanisms int…
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-7cr3-h577-g38j. This link is maintained to preserve external references.
Original Description
A vulnerability in the rm utility of uutils coreutils allows a bypass of the --preserve-root protec…