● Live advisory feed
Security Advisory Fusion for CSIRTs, SOCs & Defenders
Security advisories from 24 sources — CISA, CERT-EU, NCSC-UK, BSI, CERT-FR, NCSC-NL, JPCERT/CC, JVN, HKCERT, the Canadian Cyber Centre, NVD, GitHub, Microsoft, Cisco, Fortinet, Palo Alto Networks and more — normalized, translated to English and flagged against the CISA KEV catalog. One global feed for CSIRTs, SOCs and defenders.
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-p6rv-2qpm-fwvg. This link is maintained to preserve external references.
Original Description
An argument parsing error in the kill utility of uutils coreutils incorrectly interprets kill -1 as…
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-pmf6-rcx4-v53v. This link is maintained to preserve external references.
Original Description
A vulnerability in uutils coreutils mkfifo allows for the unauthorized modification of permissions …
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-4x34-chg5-mwjj. This link is maintained to preserve external references.
Original Description
The recursive mode (-R) of the chmod utility in uutils coreutils incorrectly handles exit codes whe…
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-2w8r-9xj7-69j5. This link is maintained to preserve external references.
Original Description
The mktemp utility in uutils coreutils fails to properly handle an empty TMPDIR environment variabl…
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-4c7q-4928-8445. This link is maintained to preserve external references.
Original Description
A vulnerability in the chmod utility of uutils coreutils allows users to bypass the --preserve-root…
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-2x2h-fw32-rq7v. This link is maintained to preserve external references.
Original Description
A flaw in the ChownExecutor used by uutils coreutils chown and chgrp causes the utilities to return…
uefi-firmware contains a heap out-of-bounds write vulnerability in the native tiano/EFI decompressor. in uefi_firmware/compression/Tiano/Decompress.c, ReadCLen() reads Number = GetBits(Sd, CBIT) with CBIT = 9, so Number can be as large as 511, while the destination array Sd->mCLe…
uefi-firmware contains a stack out-of-bounds write vulnerability in the native tiano/EFI decompressor. in uefi_firmware/compression/Tiano/Decompress.c, MakeTable() does not validate that bit-length values read from the compressed bitstream are within the expected range (0..16). a…
Summary
A Server-Side Request Forgery (SSRF) vulnerability in Kyverno's CEL HTTP library (pkg/cel/libs/http/) allows users with namespace-scoped policy creation permissions to make arbitrary HTTP requests from the Kyverno admission controller. This enables unauthorized access to…
In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens (JWT). This vulnerability allows an attacker to perform an offline brute-force attack to recover the sec…
Summary
The nginx-ui backup restore mechanism allows attackers to tamper with encrypted backup archives and inject malicious configuration during restoration.
Details
The backup format lacks a trusted integrity root. Although files are encrypted, the encryption key and IV are pr…
Summary
Scriban's expression evaluation contains three distinct code paths that allow an attacker who can supply a template to cause denial of service through unbounded memory allocation or CPU exhaustion. The existing safety controls (LimitToString, LoopLimit) do not protect th…
Summary
The LimitToString safety limit (default 1MB since commit b5ac4bf) can be bypassed to allocate approximately 1GB of memory by exploiting the per-call reset of _currentToStringLength in ObjectToString. Each template expression rendered through TemplateContext.Write(SourceS…
Summary
The object.to_json builtin function in Scriban performs recursive JSON serialization via an internal WriteValue() static local function that has no depth limit, no circular reference detection, and no stack overflow guard. A Scriban template containing a self-referencing…
Summary
The built-in string.pad_left and string.pad_right template functions in Scriban perform no validation on the width parameter, allowing a template expression to allocate arbitrarily large strings in a single call. When Scriban is exposed to untrusted template input — as i…
Summary
Scriban's LoopLimit only applies to script loop statements, not to expensive iteration performed inside operators and builtins. An attacker can submit a single expression such as {{ 1..1000000 | array.size }} and force large amounts of CPU work even when LoopLimit is set…
Summary
TemplateContext caches type accessors by Type only, but those accessors are built using the current MemberFilter and MemberRenamer. When a TemplateContext is reused and the filter is tightened for a later render, Scriban still reuses the old accessor and continues exposi…
Summary
TemplateContext.Reset() claims that a TemplateContext can be reused safely on the same thread, but it does not clear CachedTemplates. If an application pools TemplateContext objects and uses an ITemplateLoader that resolves content per request, tenant, or user, a previou…
Summary
StackOverflowException via nested array initializers bypasses ExpressionDepthLimit fix (GHSA-wgh7-7m3c-fx25)
Details
The recent fix for GHSA-wgh7-7m3c-fx25 (uncontrolled recursion in parser) added ExpressionDepthLimit defaulting to 250. However, deeply nested array initi…
Summary
The /api/auth/login authentication endpoint does not execute in constant time. When a non-existent username is supplied, the server returns a 401/403 response almost immediately. When a valid username is provided, the server performs a bcrypt password comparison, causing…
TemplateContext.LimitToString defaults to 0 (unlimited). While Scriban implements a default LoopLimit of 1000, an attacker can still cause massive memory allocation via exponential string growth. Doubling a string for just 30 iterations generates over 1GB of text, instantly exhau…
When Scriban renders an object that contains a circular reference, it traverses the object's members infinitely. Because the ObjectRecursionLimit property defaults to unlimited, this behavior exhausts the thread's stack space, triggering an uncatchable StackOverflowException that…
Scriban is vulnerable to an uncontrolled process crash resulting in a Denial of Service. Because the recursive-descent parser does not enforce a default limit on expression depth, an attacker who controls template input can craft a heavily nested template that triggers a StackOve…
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-794g-x443-36f7. This link is maintained to preserve external references.
Original Description
A flaw was found in Keycloak. Keycloak's Security Assertion Markup Language (SAML) broker endpoint …
melange update-cache downloads URIs from build configs via io.Copy without any size limit or HTTP client timeout (pkg/renovate/cache/cache.go). An attacker-controlled URI in a melange config can cause unbounded disk writes, exhausting disk on the build runner. Affected versions <…
Summary
It is possible to escape the security boundraries set by @enclave-vm/core, which can be used to achieve remote code execution (RCE).
The issue has been fixed in version 2.11.1.
Details
It is possible to obtain the native Object constructor (instead of the SafeObject w…
I. Summary
A Stored Cross-Site Scripting (XSS) vulnerability exists in the file upload module of TypiCMS. The application allows users with file upload permissions to upload SVG files. While there is a MIME type validation, the content of the SVG file is not sanitized. An attack…
Impact
There is a potential vulnerability in Traefik managing STARTTLS requests.
An unauthenticated client can bypass Traefik entrypoint respondingTimeouts.readTimeout by sending the 8-byte Postgres SSLRequest (STARTTLS) prelude and then stalling, causing connections to remain …
Summary
Milvus exposes TCP port 9091 by default with two critical authentication bypass vulnerabilities:
1. The /expr debug endpoint uses a weak, predictable default authentication token derived from etcd.rootPath (default: by-dev), enabling arbitrary expression evaluation.
2. …
Summary
A Server-Side Request Forgery (SSRF) Protection Bypass exists in WeasyPrint's default_url_fetcher. The vulnerability allows attackers to access internal network resources (such as localhost services or cloud metadata endpoints) even when a developer has implemented a cus…