● Live advisory feed
Security Advisory Fusion for CSIRTs, SOCs & Defenders
Security advisories from 24 sources — CISA, CERT-EU, NCSC-UK, BSI, CERT-FR, NCSC-NL, JPCERT/CC, JVN, HKCERT, the Canadian Cyber Centre, NVD, GitHub, Microsoft, Cisco, Fortinet, Palo Alto Networks and more — normalized, translated to English and flagged against the CISA KEV catalog. One global feed for CSIRTs, SOCs and defenders.
Summary
A path traversal vulnerability exists in the campaign import feature of Mautic 7. When extracting uploaded ZIP files during campaign imports, a flaw in the validation logic allows file paths to escape the intended temporary directories.
Impact
An authenticated user with …
Summary
A Server-Side Template Injection (SSTI) vulnerability exists in Mautic's theme engine. The platform renders uploaded Twig templates without a sandbox or strict function restrictions. Authenticated users with permissions to create or upload themes can abuse this to execute…
Summary
A Server-Side Request Forgery (SSRF) vulnerability exists in the Mautic Focus component (MauticFocusBundle). Under certain conditions, insufficiency in validating user-supplied URLs allows authenticated users to trigger outbound HTTP requests from the hosting server.
Imp…
Am I affected
You are affected if:
1. You run zebrad up to and including v4.4.1.
2. Your node processes blocks past the checkpoint height (non-finalized state is active).
3. The network has NU5 or later activated.
All default configurations are affected.
Summary
Chain::push …
Am I affected
You are affected if:
1. You run zebrad up to and including v4.4.1.
2. Your node processes blocks on any Zcash network.
Summary
The finalized transparent address balance writer processes all newly-created outputs (credits) before processing spent outputs (debits)…
Am I affected
You are affected if:
1. You run zebrad up to and including v4.4.1.
2. Your node accepts inbound P2P connections and is syncing or catching up to the chain tip.
Summary
A malicious peer can answer Zebra's outbound getblocks/FindBlocks request with a small two-has…
Am I affected
You are affected if:
1. You run any version of zebrad up to and including v4.4.1.
2. Your node validates blocks on mainnet, testnet, or any network where both Zebra and zcashd nodes participate.
All default configurations are affected. No feature flags, non-defau…
Description
Am I affected
You are affected if:
1. You run any version of zebrad up to and including v4.4.1.
2. Your node accepts inbound P2P connections (network.listen_addr is set, which is the default).
3. Your node processes blocks past the checkpoint height (non-finalized …
Am I affected
You are affected if:
1. You run zebrad up to and including v4.4.1.
2. Your node accepts inbound P2P connections (network.listen_addr is set, which is the default).
Summary
The P2P codec's Codec::decode() method calls src.reserve(body_len + HEADER_LEN) after pars…
Am I affected
You are affected if:
1. You run zebrad up to and including v4.4.1.
2. Your node accepts inbound P2P connections (network.listen_addr is set, which is the default).
3. Your node's mempool is active (node is synced near the chain tip).
All default configurations ar…
Am I affected
You are affected if:
1. You run zebrad up to and including v4.4.1.
2. Your zebrad.toml sets rpc.listen_addr to a TCP address (RPC server is enabled).
3. An attacker can authenticate to the RPC endpoint. With the default enable_cookie_auth = true, this requires the…
Summary
Authorization for scoped (agent) MCP callers is enforced inline, per tool, and is applied inconsistently — several mutating tools silently omit the ancestry/workspace check that their siblings perform. Because the MCP server authenticates all outbound gRPC with the full …
Am I affected
You are affected if:
1. You run zebrad up to and including v4.4.1.
2. Your node accepts inbound P2P connections.
Summary
The read_getblocks and read_getheaders codec paths accepted block locator vectors up to approximately 65,535 entries (the generic TrustedPrea…
Am I affected
You are affected if:
1. You run zebrad up to and including v4.4.1.
2. Your zebrad.toml sets rpc.listen_addr to a TCP address (RPC server is enabled).
3. An attacker can authenticate to the RPC endpoint. With the default enable_cookie_auth = true, this requires the…
Summary
An SQL injection vulnerability exists in Mautic's API contact filtering mechanism. Due to insufficient recursive sanitization of nested query parameters, an authenticated API user can bypass input filtering and inject arbitrary SQL commands.
Impact
An authenticated user …
Summary
The Mysqls.add API command (lib/Froxlor/Api/Commands/Mysqls.php) accepts a customer-controlled mysql_server parameter and only validates that the value is numeric and that the server index exists in userdata.inc.php. It never checks the value against the calling customer…
Summary
An authenticated customer can read other customers' allowed sender aliases from Froxlor's sender-delete confirmation page when mail.enable_allow_sender is enabled. customer_email.php loads allowed_sender by global auto-increment senderid alone, so a customer can enumerat…
Impact
A command injection vulnerability exists in electerm's file system operations (rmrf, mv, cp) in src/app/lib/fs.js. These functions construct shell commands by interpolating file paths directly into command strings without escaping shell metacharacters.
Vulnerable functio…
Summary
The Dragonfly Manager exposes GET /api/v1/oauth and GET /api/v1/oauth/:id to unauthenticated clients. The response body deserializes the entire manager/models.Oauth struct, which includes the client_secret field. Any network-reachable attacker can read the OAuth client s…
Impact
A path traversal vulnerability exists in the Zmodem and Trzsz file download handlers in electerm. When receiving files via Zmodem or Trzsz protocols, electerm uses the remote-supplied filename directly in path.join() with the user-selected download directory without sanit…
A CPU exhaustion vulnerability exists in Conform's parseSubmission future API when parsing FormData or URLSearchParams submissions with many unique field names. The parser previously looked up values by field name, which could require repeated scans of the submitted entries and c…
Summary
The default git executor used for all worktree operations spawns git through a shell, and the untrusted task branch name flows into the command unsanitized. A caller able to reach the PowerLine SpawnSession RPC (a malicious or compromised agent acting through the orchest…
Summary
joserfc.jwt.decode accepts attacker-forged HMAC-signed tokens when the
caller-supplied verification key is the empty string or None.
HMACAlgorithm.sign and HMACAlgorithm.verify in
src/joserfc/_rfc7518/jws_algs.py:62-70 feed whatever
OctKey.get_op_key(...) produced into h…
Summary
The inline query parameter on the browsable-share file download and on the authenticated user file download suppressed Content-Disposition: attachment, so an HTML file stored in a share or home directory could be served as text/html and execute in SFTPGo's web origin (st…
Summary
The public web-client endpoint for partial ZIP downloads of a browsable share did not correctly confine the client-supplied files entries to the shared directory. A requester able to reach a public share could read files located outside the shared directory, as long as t…
Finding
Location: core/src/server/render-to-string.ts:307-311
CSS value sanitization stripped expression( and url(javascript: using simple regex, but could be bypassed with CSS unicode escapes (\65xpression(), null bytes, or CSS comments (exp//ression().
Mitigating Factor: The…
Finding
Location: core/src/shared/secure-fetch.ts
assertSecureUrl validated only the initial request URL. The fetch() API follows redirects by default (up to 20 hops). A request to a valid https:// URL could redirect to http://internal-service/ or other unvalidated destinations…
Finding
Location: core/src/shared/secure-fetch.ts:33-35
data: URIs were allowed without any restriction. While data: URIs don't make network requests, they can be used for memory exhaustion via very large data URIs.
Status
Fixed in v0.2.136 — data: URIs are now limited to 1MB…
Finding
Location: core/src/shared/secure-fetch.ts:52-54
The localhost exception allowed localhost and 127.0.0.1 but did not cover 0.0.0.0, [::1] (IPv6 localhost), or the full 127.0.0.0/8 loopback range.
Status
Fixed in v0.2.136 — Localhost detection now covers localhost, 127.…
Finding
Location: core/src/core/scheduler.ts:23, core/src/hooks/dispatcher.ts:100, core/src/client/graphql.ts:71
Several console.warn calls are not gated behind DEV and will fire in production builds, potentially exposing internal framework state such as queue sizes, component …
Finding
Location: core/src/client/graphql.ts:66-80
The gql template tag function warned about interpolated values containing GraphQL metacharacters ({}():) but still concatenated them into the query string, enabling potential GraphQL injection.
Status
Fixed in v0.2.136 — The …
Finding
Location: core/src/shared/secure-fetch.ts:42-45
When new URL() throws a parse error, the assertSecureUrl function returned without throwing, silently allowing the request to proceed without HTTPS validation.
Status
Fixed in v0.2.136 — The catch block now throws an err…
Summary
AssetsController::actionDeleteFolder() only requires the deleteAssets:<volume-uid> permission for the target folder. It never enforces deletePeerAssets:<volume-uid>, even though Assets::deleteFoldersByIds() cascades deletion to every descendant folder and every asset ins…
We have identified an authorization issue in Craft CMS AssetsController::actionReplaceFile that can delete a source asset without source delete permission by supplying both assetId and sourceAssetId.
Description
Craft CMS’s craft\\controllers\\AssetsController::actionReplaceFil…
Summary
The EntriesController::actionMoveToSection() endpoint checks only whether the current user can view the destination section, but it does not require permission to save entries into that section. A low-privileged authenticated control-panel user who can move an entry out …
Summary
EntriesController::actionSaveEntry() performs entry-edit permission checks before request-controlled author changes are applied to the model. The subsequent author mutation path accepts attacker-supplied authors / author parameters and allows the change when the current …
Command injection via dotfiles URI parameter combined with workspace auto-creation
Summary
The dotfiles registry module passed unsanitized user input to shell commands, allowing arbitrary code execution inside a provisioned workspace. Any user who supplied a crafted dotfiles_ur…
Summary
Stored XSS through wikitext can be performed by inserting malicious HTML into the overlays parameter of the display_map parser function when using the leaflet service.
Details
The maps extension doesn't escape overlay names before passing them to leaflet.
Leaflet then in…
Summary
dulwich.porcelain.submodule_update, and by extension porcelain.clone(..., recurse_submodules=True), materializes attacker-controlled submodule paths from a crafted upstream repository without path validation. A malicious .gitmodules plus a matching tree gitlink whose pat…
Summary
SQLChatAgent in langroid ships a _validate_query defense-in-depth layer
whose _DANGEROUS_SQL_PATTERNS regex blocklist enumerates dangerous SQL
primitives by specific function name. The list misses the canonical
PostgreSQL filesystem-disclosure family pg_read_file(), pg_s…
Summary
Langroid's ReadFileTool and WriteFileTool appear to treat curr_dir as the intended working-directory boundary for file operations. However, the tools only change the process working directory to curr_dir and then operate on the user-supplied file_path without resolving a…
Summary
The Kerberos Hub upload path sends the agent's Hub credentials in the custom X-Kerberos-Hub-PrivateKey and X-Kerberos-Hub-PublicKey request headers to the operator-configured Hub URL (config.HubURI). The HTTP client used (&http.Client{} in UploadKerberosHub) is construct…
Summary
Native command authorization could skip owner-command enforcement. In affected versions, a sender able to trigger native command handling could authorize a native command without enforcing the configured owner-only command policy.
This advisory is scoped to the named fe…
Summary
PowerShell encoded-command aliases could miss exec allowlist checks. In affected versions, a command request using abbreviated encoded-command flags could use an alias form not recognized by the allowlist parser.
This advisory is scoped to the named feature and configur…
Summary
Trusted retry endpoint checks could match hostname prefixes. In affected versions, a retry endpoint URL chosen by lower-trust input could pass validation by using a hostname prefix that resembled a trusted host.
This advisory is scoped to the named feature and configura…
Summary
Telegram interactive callbacks could skip commands.allowFrom. In affected versions, a Telegram user able to invoke an affected callback could mark the callback as an authorized sender before applying commands.allowFrom.
This advisory is scoped to the named feature and c…
Summary
The aarch64 implementations of Cmov and CmovEq seem to assume that the high bits when loading a value of size smaller than a register into a register are zero-extended. However, this is not the case and these bits are unspecified. This can result in a left.cmovz(&right, …
Impact
When an HTTPProxy is configured with incompatible combination of both .spec.virtualhost.tls.enableFallbackCertificate: true and .spec.virtualhost.jwtProviders, Contour does not reject the configuration. Consequently, requests from clients that do not send TLS SNI or send …
Summary
Matrix allowFrom could bind to mutable display names. In affected versions, a Matrix account able to change display name metadata could match a policy entry through mutable display metadata.
This advisory is scoped to the named feature and configuration. It does not cha…
Summary
Mattermost slash token revocation could lag until monitor refresh. In affected versions, a caller with an old Mattermost slash token during the refresh window could continue accepting the old token until the monitor refreshed.
This advisory is scoped to the named featur…