VYPR
Vendor: Charmbracelet

Products: 3
CVEs: 12
Across products: 12
Status: Private

Recent CVEs (12)

  • CVE-2026-41589 | Critical | May 7, 2026
    risk 0.55 | cvss 9.6 | epss 0.00

    Wish is an SSH server with defaults and a collection of middlewares. From version 2.0.0 to before version 2.0.1, the SCP middleware in charm.land/wish/v2 is vulnerable to path traversal attacks. A malicious SCP client can read arbitrary files from the server, write arbitrary…

  • CVE-2024-41956 | High | Aug 1, 2024
    risk 0.46 | cvss 8.1 | epss 0.01

    Soft Serve is a self-hostable Git server for the command line. Prior to 0.7.5, it is possible for a user who can commit files to a repository hosted by Soft Serve to execute arbitrary code via environment manipulation and Git. The issue is that Soft Serve passes all environment…

  • CVE-2025-58355 | High | Sep 4, 2025
    risk 0.43 | cvss 7.7 | epss 0.00

    Soft Serve is a self-hostable Git server for the command line. In versions 0.9.1 and below, attackers can create or override arbitrary files with uncontrolled data through its SSH API. This issue is fixed in version 0.10.0.

  • CVE-2025-64494 | Medium | Nov 8, 2025
    risk 0.23 | cvss 4.6 | epss 0.00

    Soft Serve is a self-hostable Git server for the command line. In versions prior to 0.10.0, there are several places where the user can insert data (e.g. names) and ANSI escape sequences are not being removed, which can then be used, for example, to show fake alerts. In the same…

  • CVE-2026-33353 | Mar 24, 2026
    risk 0.00 | cvss - | epss 0.00

    Soft Serve is a self-hostable Git server for the command line. From version 0.6.0 to before version 0.11.6, an authorization flaw in repo import allows any authenticated SSH user to clone a server-local Git repository, including another user's private repo, into a new repository…

  • CVE-2026-30832 | Mar 7, 2026
    risk 0.00 | cvss - | epss 0.00

    Soft Serve is a self-hostable Git server for the command line. From version 0.6.0 to before version 0.11.4, an authenticated SSH user can force the server to make HTTP requests to internal/private IP addresses by running repo import with a crafted --lfs-endpoint URL. The initial…

  • CVE-2026-24058 | Jan 22, 2026
    risk 0.00 | cvss - | epss 0.01

    Soft Serve is a self-hostable Git server for the command line. Versions 0.11.2 and below have a critical authentication bypass vulnerability that allows an attacker to impersonate any user (including admin) by "offering" the victim's public key during the SSH handshake before…

  • CVE-2026-22253 | Jan 8, 2026
    risk 0.00 | cvss - | epss 0.00

    Soft Serve is a self-hostable Git server for the command line. Prior to version 0.11.2, an authorization bypass in the LFS lock deletion endpoint allows any authenticated user with repository write access to delete locks owned by other users by setting the force flag. The…

  • CVE-2025-64522 | Nov 10, 2025
    risk 0.00 | cvss - | epss 0.00

    Soft Serve is a self-hostable Git server for the command line. Versions prior to 0.11.1 have a SSRF vulnerability where webhook URLs are not validated, allowing repository administrators to create webhooks targeting internal services, private networks, and cloud metadata…

  • CVE-2025-22130 | Jan 8, 2025
    risk 0.00 | cvss - | epss 0.01

    Soft Serve is a self-hostable Git server for the command line. Prior to 0.8.2, a path traversal attack allows existing non-admin users to access and take over other users' repositories. A malicious user then can modify, delete, and arbitrarily repositories as if they were an…

  • CVE-2023-43809 | Oct 4, 2023
    risk 0.00 | cvss - | epss 0.01

    Soft Serve is a self-hostable Git server for the command line. Prior to version 0.6.2, a security vulnerability in Soft Serve could allow an unauthenticated, remote attacker to bypass public key authentication when keyboard-interactive SSH authentication is active, through the…

  • CVE-2022-29180 | May 7, 2022
    risk 0.00 | cvss - | epss 0.01

    A vulnerability in which attackers could forge HTTP requests to manipulate the `charm` data directory to access or delete anything on the server. This has been patched and is available in release [v0.12.1](https://github.com/charmbracelet/charm/releases/tag/v0.12.1). We…