● Live advisory feed
Security Advisory Fusion for CSIRTs, SOCs & Defenders
Security advisories from 24 sources — CISA, CERT-EU, NCSC-UK, BSI, CERT-FR, NCSC-NL, JPCERT/CC, JVN, HKCERT, the Canadian Cyber Centre, NVD, GitHub, Microsoft, Cisco, Fortinet, Palo Alto Networks and more — normalized, translated to English and flagged against the CISA KEV catalog. One global feed for CSIRTs, SOCs and defenders.
Impact
Weblate's VCS_RESTRICT_PRIVATE did not properly account for some transitional IPv6 ranges, multicast addresses, or some semi-private IPv4 ranges, which allowed some addresses to bypass private range restrictions.
Patches
- https://github.com/WeblateOrg/weblate/pull/1976…
Summary
From v1.13.2 through v1.18.0, oasdiff did not enforce --allow-external-refs=false (library: openapi3.Loader.IsExternalRefsAllowed = false) when loading a spec from a git revision (the rev:path form, e.g. main:openapi.yaml). External $refs were resolved on that load path …
Summary
pkg/scalers/postgresql_scaler.go builds libpq-style connection strings by concatenating key=value pairs separated by spaces. Each tenant-controllable field (host, port, userName, dbName, sslmode) is passed through escapePostgreConnectionParameter:
func escapePostgreConne…
Summary
Flask-Security-Too 5.8.0 and 5.8.1 mark a session as reauthentication-fresh after processing a WebAuthn assertion whose proven credential belongs to a different user than the currently authenticated session user. The check that GHSA-97r5-pg8x-p63p added on the OAuth reau…
Click here to jump to the Simplified Chinese version (点击跳转到简体中文版本)
Goploy System Arbitrary File Read Vulnerability
Basic Information
- Vulnerability Name: Goploy Endpoints Arbitrary File Read via Path Traversal
- Vulnerability Type: Path Traversal (CWE-22) / Arbitrary File Read
…
Summary
Project.AddFile, Project.EditFile, Project.RemoveFile, and Project.Edit in cmd/server/api/project/handler.go accept a project or project-file row id from the JSON body and act on it without checking that the project belongs to the caller's namespace. The corresponding mo…
Summary
In add-on mode, the ha-mcp settings UI routes are mounted both under the MCP secret path and at the bare root of the published port (:9583), so Home Assistant ingress can serve the "Open Web UI" button. The root-mounted routes perform no authentication — no secret, no Or…
Resolved: https://github.com/plabayo/rama/commit/89ddff578fd78bbebec99482d7030f28c07757a3
Summary
plabayo/rama contains a stored/reflected cross-site scripting issue in the ServeDir HTML directory listing feature.
When ServeDir is configured with DirectoryServeMode::HtmlFileLi…
Summary
aiosmtplib's SMTP.mail(), SMTP.rcpt(), SMTP.vrfy() and SMTP.expn() send the caller-supplied email address to the server without rejecting embedded CR/LF (\r\n) bytes. An address that contains a CR/LF is written verbatim onto the SMTP control connection, so the bytes afte…
Summary
Authenticated Kite users with any role can request /api/v1/overview for a cluster that their roles do not permit by selecting that cluster with x-cluster-name. The overview route is registered before middleware.RBACMiddleware() and GetOverview only checks len(user.Roles)…
Impact
Webauthn\SimpleFakeCredentialGenerator is the library-provided default implementation of the FakeCredentialGenerator interface. It returns a stable list of decoy PublicKeyCredentialDescriptor objects for a given username so that an assertion request for an unknown user lo…
Summary
RaTeX’s recursive-descent parser recurses one (or more) native stack frame per nesting level at {, \left, \sqrt{, ^{, etc, with no maximum depth limit. A short, ~10 KB input of nested groups overflows the 8 MB main-thread stack and aborts the process. With panic = "abort…
Summary
The public parser entrypoint ratex_parser::parse(&str) panics on the 9-byte input \verbéxé (i.e. \verb followed by the non-ASCII delimiter é). When handling a \verb command, the parser slices the verbatim argument with byte indices (arg[1..arg.len() - 1]); if the delimit…
Am I affected?
Users are affected if all of these hold:
- They install and register the @better-auth/scim plugin (plugins: [scim()]).
- They create SCIM providers without an organizationId, that is, non-organization ("personal") providers. Organization-scoped providers are not …
Am I affected?
Users are affected if all of the following are true:
- They configure secondaryStorage on betterAuth(...) (Redis, KV, or any external session cache).
- session.storeSessionInDatabase is left unset or set to false (the default).
- Their application's deployment us…
Am I affected?
Users are affected if all of the following are true:
- Their project depends on @better-auth/oauth-provider at a version >= 1.6.0, < 1.6.11, or uses the embedded plugin in better-auth >= 1.4.8-beta.7, < 1.6.0, or enables the legacy oidc-provider or mcp plugins fr…
Am I affected?
Users are affected if all of the following are true:
- Their application uses @better-auth/sso at a version >= 0.1.0, < 1.6.11 on the stable line, or any 1.7.0-beta.x on the pre-release line.
- The sso() plugin is added to their application's betterAuth({ plugins…
Am I affected?
Users are affected if all of the following are true:
- Their project depends on @better-auth/oauth-provider at a version >= 1.6.0, < 1.6.11, or uses the embedded plugin in better-auth >= 1.4.8-beta.7, < 1.6.0.
- At least one OAuth client served by their applicati…
Am I affected?
Users are affected if all of the following are true:
- Their application uses better-auth at a version below the patched release.
- Their application enables oidcProvider() from better-auth/plugins/oidc-provider or mcp() from better-auth/plugins/mcp (the mcp plug…
Am I affected?
Check each condition. Users are affected when all of the first three hold.
- Their application enables the oidc-provider plugin or the mcp plugin from better-auth/plugins. The mcp plugin wraps the same provider and carries the same defect. Both are on the migrati…
Am I affected?
Users are affected if all of the following are true:
- Their application uses better-auth at a version < 1.6.11 on the stable line, or any current next pre-release.
- emailAndPassword.enabled: true is set in their application's betterAuth({ ... }) configuration.
…
Am I affected?
Users are affected if all of the following are true:
- Their application uses better-auth with the organization plugin (import { organization } from "better-auth/plugins/organization").
- Their application enables a sign-up surface that allows arbitrary unverifie…
Am I affected?
Users are affected if all of the following hold:
- Their application depends on @better-auth/oauth-provider on any stable 1.6.x release (the stable line is not patched) or on a pre-release before 1.7.0-beta.4.
- Their application either configures validAudiences …
Am I affected?
Users are affected if all of the following are true:
- Their application uses better-auth and has enabled at least one of: oidcProvider() (imported from better-auth/plugins/oidc-provider), or mcp() (imported from better-auth/plugins/mcp).
- Their application has …
Summary
Domain names were written to the log without first being validated to contain allowed characters.
Impact
Depends on how the logs were used.
Summary
When an entry was removed from the LRU cache, a pointer to the removed element was not properly cleaned up.
Impact
A local attacker can get netfoil to use more memory. By default this is limited to 100MB via systemd, which would trigger service restarts when reached.
Summary
Potential bypass of domain name filter by crafting a DNS request with multiple questions, with the first question being legitimate.
Impact
Depends on a local attackers ability to craft multiple questions and the remote DoH server supporting them.
determine_backup_mode in src/uucore/src/lib/features/backup_control.rs only checks --backup/-b and returns BackupMode::None when only --suffix is given. GNU enables backup mode when --suffix is used alone (defaulting to existing/numbered, or $VERSION_CONTROL). Affects cp, install…
Summary
A known vulnerability CVE-2026-33060 indicated tools including ckan_package_search and sparql_query that accept a base_url parameter had the risk of making HTTP requests to arbitrary endpoints without restriction. A fix was applied to filter out ip addresses. However, a m…
Summary
There is a blind server side request forgery in the functionality that allows editing an image via a prompt. The affected function will perform a GET request on the URL provided by the user. There is no restriction on the domain of the provided URL allowing the local addr…
Summary
Manually modifying chat history allows setting the embeds property on a response message, the content of which is loaded into an iFrame with a sandbox that has allow-scripts and allow-same-origin set, ignoring the "iframe Sandbox Allow Same Origin" configuration. This ena…
Summary
Manually modifying chat history allows setting the html property within document metadata. This causes the frontend to enter a code path that treats document contents as HTML, and render them in an iFrame when the citation is previewed. This allows stored XSS via a weapon…
Summary
A vulnerability in the way certain html tags in chat messages are rendered allows attackers to inject JavaScript code into a chat transcript. The JavaScript code will be executed in the user's browser every time that chat transcript is opened, allowing attackers to retri…
Summary
Low privileged users can upload HTML files which contain JavaScript code via the /api/v1/files/ backend endpoint. This endpoint returns a file id, which can be used to open the file in the browser and trigger the JavaScript code in the user's browser. Under the default se…
Summary
The function processes image URLs embedded in an HTML email body without validating or restricting URI schemes. The check !str_starts_with($myUrl, 'http') evaluates to true for file:// URIs, causing file_get_contents($basedir . urldecode($myUrl)) to read arbitrary files f…
Summary
Null pointer dereference (SIGSEGV) in Upsample_6_7::adapt_upsample_6_7() (onnx/version_converter/adapters/upsample_6_7.h:31) when convert_version() processes a model with an Upsample node that has zero inputs. The adapter accesses node->inputs()[0]->sizes() without check…
Summary
The email and WeChat account binding endpoints used GET requests for state-changing account operations. In deployments where session cookies could be sent on cross-site navigations, an attacker could trigger a logged-in user's browser to bind an attacker-controlled email…
Summary
An authenticated administrator can achieve OS-level Remote Code Execution (RCE) by uploading a malicious eTemplate XML file (.xet) to the VFS /etemplates mount.
The Widget::expand_name() method passes template widget attribute values directly into a PHP eval() call with…
Impact
With Jetty 12+ a user can craft a URL to access any resource the Jetty instance is allowed to access.
For example http://[host]/xwiki/bin/skin/..%252f/..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc/passwd allows downloading the content of the /etc/passwd file, prov…
Summary
The default SSRF protection configuration did not apply IP filtering to hostnames. With ApplyIPFilterForDomain disabled by default, URL validation checked domain allow/block rules but did not resolve a hostname and validate the resolved IP address. Authenticated users co…
Summary
A critical vulnerability has been identified in EGroupware that may lead to Remote Code Execution (RCE).
The issue allows an authenticated attacker to execute arbitrary commands on the server. If user self-registration is enabled, the vulnerability may be exploitable with…
cut routes -z -d '' through a special newline-delimiter path that ignores the -s only-delimited flag, emitting whole undelimited records (plus NUL) that should be suppressed. Pipelines relying on cut -s to drop undelimited records process data that should be filtered.
printf 'ab…
uutils calls mknod *before* setting the SELinux context (GNU uses setfscreatecon first, labeling atomically). If set_selinux_security_context fails, cleanup uses std::fs::remove_dir, which cannot remove device nodes or FIFOs, leaving the mislabeled node behind.
Impact: on SELinu…
When mkfifo() fails (e.g. target already exists), the code shows an error but is missing a continue;, so it falls through to fs::set_permissions and changes the permissions of the pre-existing file to the default FIFO mode (0o666 & umask -> 0644).
$ touch secret; chmod 000 secre…
Summary
agentConn.apiClient() used the default redirect behavior of http.Client while its custom transport dialed the host from the request URL as long as the port was the workspace agent HTTP API port (4). Agent tailnet IPs are deterministic from agent UUIDs, so a malicious wor…
Summary
The datapoint export API builds a PostgreSQL crosstab export query by concatenating asset display names into raw SQL. An authenticated user who can create or rename an asset and then request a crosstab datapoint export can inject SQL through the asset name. The injected …
Summary
In Kiwi TCMS the fields TestCase.extra_link and TestPlan.extra_link were meant to represent URLs to external resources however in versions prior to 16.1 user input was not being sanitized and values were rendered verbatim which represents an opportunity for cross-site sc…
Summary
The 9router dashboard login rate limiter derives the client identity from the attacker-controlled X-Forwarded-For HTTP header. When 9router is directly exposed, or deployed behind a reverse proxy that does not overwrite untrusted forwarding headers, a remote attacker can…
Summary
The /api/settings/database endpoint allows full database export (containing all credentials, API keys, OAuth tokens, and settings) and full database import (complete overwrite) without any authentication requirement beyond the ALWAYS_PROTECTED middleware check, which onl…
Requirements:
- Control panel access
- Permissions to edit an entry
Details
Control panel users with the ability to edit entries can execute unsandboxed Twig code via the HTTP Referrer header.
The issue happens when a user is saving entries. Strings for a signed redirect URL …