Merge PACS 7.0 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by crafting malicious HTML forms targeting the merge-viewer endpoint. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
SysGauge 4.5.18 contains a buffer overflow vulnerability in the proxy configuration handler that allows local attackers to cause a denial of service by supplying an oversized string. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
librsvg2-bin 2.40.13 contains a buffer overflow vulnerability that allows local attackers to cause a denial of service by processing malformed SVG files. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
PDFunite 0.41.0 contains a buffer overflow vulnerability that allows local attackers to crash the application by processing malformed PDF files during merge operations. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A weakness has been identified in BurtTheCoder mcp-dnstwist up to 1.0.4. Affected by this vulnerability is the function fuzz_domain of the file src/index.ts of the component MCP Interface. Executing a manipulation of the argument Request can lead to os command injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
OS command injection in PolarVista xcode-mcp-server 1.0.0 allows remote unauthenticated attackers to execute arbitrary system commands via crafted MCP requests to the build_project or run_tests functions. The vulnerability stems from insufficient input validation in src/index.ts when processing Request parameters. A publicly available exploit code exists (GitHub), and the vendor has not responded to early vulnerability disclosure attempts, leaving users without an official patch. EPSS data not available, but public exploit combined with network-accessible attack vector (CVSS AV:N/AC:L/PR:N) indicates elevated real-world risk for exposed instances.
A vulnerability was found in Algovate xhs-mcp 0.8.11. This affects the function xhs_publish_content of the file src/server/mcp.server.ts of the component MCP Interface. Performing a manipulation of the argument media_paths results in server-side request forgery. The attack may be initiated remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
Path traversal in mcpo-simple-server 0.2.0 and earlier enables unauthenticated remote attackers to delete arbitrary files via the delete_shared_prompt function. The vulnerability affects the prompt_manager module's base_manager.py file, where improper validation of the 'detail' parameter allows directory traversal sequences. A public proof-of-concept exploit exists (GitHub issue #4), making this an immediate threat to internet-exposed instances. EPSS data not available, but the combination of network exploitability (AV:N), no authentication required (PR:N), and public POC significantly elevates real-world risk despite moderate CVSS 7.3 score. Vendor has not responded to early disclosure.
Path traversal in geldata gel-mcp 0.1.0 allows remote unauthenticated attackers to read arbitrary files via manipulation of the rule_name argument in the list_rules and fetch_rule functions. The vulnerability has a CVSS score of 5.3 (Low confidentiality impact) with network accessibility and no authentication requirements. Public exploit code exists and the vendor has not responded to early disclosure.
A security vulnerability has been detected in geekgod382 filesystem-mcp-server 1.0.0. This issue affects the function is_path_allowed of the file server.py of the component read_file_tool/write_file_tool. Such manipulation leads to path traversal. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 1.1.0 is capable of addressing this issue. The name of the patch is 45364545fc60dc80aadcd4379f08042d3d3d292e. Upgrading the affected component is advised.
A weakness has been identified in florensiawidjaja BioinfoMCP up to 7ada7918b9e515604d3c0ae264d3a9af10bf6e54. This vulnerability affects the function Upload of the file bioinfo_mcp_platform/app.py of the component Upload Endpoint. This manipulation of the argument Name causes path traversal. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.
A vulnerability was identified in NousResearch hermes-agent 0.8.0. Affected by this issue is some unknown functionality of the file gateway/platforms/wecom.py of the component WeChat Work Platform Adapter. The manipulation leads to path traversal. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.
A flaw has been found in fatbobman mail-mcp-bridge up to 1.3.3. Affected is an unknown function of the file src/mail_mcp_server.py. Executing a manipulation of the argument message_ids can lead to path traversal. The attack can be executed remotely. The exploit has been published and may be used. Upgrading to version 1.3.4 is able to address this issue. This patch is called 638b162b26532e32fa8d8047f638537dbdfe197a. Upgrading the affected component is recommended.
A vulnerability was detected in ezequiroga mcp-bases 357ca19c7a49a9b9cb2ef639b366f03aba8bea39/c630b8ab0f970614d42da8e566e9c0d15a16414c. This impacts the function search_papers of the file research_server.py. Performing a manipulation of the argument topic results in path traversal. Remote exploitation of the attack is possible. The exploit is now public and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The project was informed of the problem early through an issue report but has not responded yet.
VideoFlow Digital Video Protection DVP 2.10 contains an authenticated remote code execution vulnerability that allows authenticated attackers to execute arbitrary system commands by exploiting a. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
MyBB Recent threads 17.0 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts by creating threads with crafted subject lines. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Insufficient verification of data authenticity in PackageManagerService prior to SMR Mar-2026 Release 1 allows local attackers to modify the installation restriction of specific application.
{"active": true}` for every request, regardless of whether a valid token is provided, whether the token is expired, revoked, or completely fabricated. The endpoint performs no authentication of the calling resource server and no validation of the submitted token. Any resource server that relies on this introspection endpoint to validate access tokens will accept all requests as authorized, enabling complete authentication bypass. Additionally, the OIDC token revocation endpoint (`/oidc/revoke`) returns `{"revoked": true}` without actually revoking any token, preventing resource servers from invalidating compromised credentials. The vulnerability is in `src/SSO/Service/OIDCService.php`, lines 604-619: ```php public function handleIntrospectionRequest() { // TODO_RK if (!$this->isServiceSetup) { $this->setupService(); } return new JsonResponse(["active" => true]); } public function handleRevocationRequest() { // TODO_RK if (!$this->isServiceSetup) { $this->setupService(); } return new JsonResponse(["revoked" => true]); } ``` The introspection endpoint is routed at `modules/sso/index.php`, line 58-59: ```php } elseif (strpos($requestUri, '/oidc/introspect') !== false) { $response = $oidcService->handleIntrospectionRequest(); ``` The router comment at line 35 says "Login checks will be done in the individual endpoint handler functions!" but neither `handleIntrospectionRequest` nor `handleRevocationRequest` perform any authentication or authorization checks. Per RFC 7662 (OAuth 2.0 Token Introspection), the introspection endpoint: 1. MUST authenticate the calling resource server (Section 2.1) 2. MUST validate the submitted token against its database 3. MUST return `{"active": false}` for invalid, expired, or revoked tokens The current implementation violates all three requirements. **Attack flow:** 1. Attacker obtains a resource server's endpoint URL that uses Admidio as its OIDC provider 2. Attacker crafts any arbitrary string as a Bearer token 3. Resource server sends the fabricated token to `/oidc/introspect` for validation 4. Admidio returns `{"active": true}` without any checks 5. Resource server accepts the fabricated token as valid and grants access **The revocation bypass compounds this:** If a legitimate token is stolen, the resource server or client application cannot revoke it. Calling `/oidc/revoke` returns success without actually revoking the token in the database, so the stolen token remains usable indefinitely (until its expiry time). ```bash curl -X POST https://TARGET/modules/sso/index.php/oidc/introspect \ -d "token=COMPLETELY_FABRICATED_TOKEN_12345" curl -X POST https://TARGET/modules/sso/index.php/oidc/introspect \ -d "token=" curl -X POST https://TARGET/modules/sso/index.php/oidc/revoke \ -d "token=any_valid_token_here" curl -X POST https://TARGET/modules/sso/index.php/oidc/introspect \ -d "token=any_valid_token_here" ``` - **Authentication Bypass on Resource Servers**: Any application (wiki, CMS, project management tool, etc.) configured to validate tokens against this Admidio OIDC introspection endpoint will accept completely fabricated tokens. An attacker can impersonate any user on all connected resource servers. - **Inability to Revoke Compromised Tokens**: If a legitimate access token is leaked or stolen, there is no way to revoke it through the standard OIDC revocation flow. The token remains valid until its 1-hour expiry. - **Scope Change (S:C)**: The vulnerability in the Admidio authorization server directly impacts the security of all connected resource servers (different security authority), which is why the CVSS scope is Changed. Replace the stub implementations with proper token introspection and revocation logic: ```php public function handleIntrospectionRequest() { if (!$this->isServiceSetup) { $this->setupService(); } $request = $this->getRequest(); // 1. Authenticate the resource server (RFC 7662 Section 2.1) // The resource server MUST authenticate using client credentials $clientId = $request->getParsedBody()['client_id'] ?? null; $clientSecret = $request->getParsedBody()['client_secret'] ?? null; if (!$clientId || !$this->clientRepository->validateClient($clientId, $clientSecret, null)) { return new JsonResponse(['error' => 'invalid_client'], 401); } // 2. Get and validate the token $tokenValue = $request->getParsedBody()['token'] ?? ''; if (empty($tokenValue)) { return new JsonResponse(['active' => false]); } try { // Validate the token using the resource server $validatedRequest = $this->resourceServer->validateAuthenticatedRequest( $request->withHeader('Authorization', 'Bearer ' . $tokenValue) ); $tokenId = $validatedRequest->getAttribute('oauth_access_token_id'); // Check if token is revoked if ($this->accessTokenRepository->isAccessTokenRevoked($tokenId)) { return new JsonResponse(['active' => false]); } $token = $this->accessTokenRepository->getToken($tokenId); // Check expiry if ($token->getExpiryDateTime() < new \DateTimeImmutable()) { return new JsonResponse(['active' => false]); } return new JsonResponse([ 'active' => true, 'sub' => $token->getUserIdentifier(), 'client_id' => $token->getClient()->getIdentifier(), 'exp' => $token->getExpiryDateTime()->getTimestamp(), 'scope' => implode(' ', array_map(fn($s) => $s->getIdentifier(), $token->getScopes())), ]); } catch (\Exception $e) { return new JsonResponse(['active' => false]); } } public function handleRevocationRequest() { if (!$this->isServiceSetup) { $this->setupService(); } $request = $this->getRequest(); // Authenticate the client $clientId = $request->getParsedBody()['client_id'] ?? null; $clientSecret = $request->getParsedBody()['client_secret'] ?? null; if (!$clientId || !$this->clientRepository->validateClient($clientId, $clientSecret, null)) { return new JsonResponse(['error' => 'invalid_client'], 401); } $tokenValue = $request->getParsedBody()['token'] ?? ''; if (!empty($tokenValue)) { try { $validatedRequest = $this->resourceServer->validateAuthenticatedRequest( $request->withHeader('Authorization', 'Bearer ' . $tokenValue) ); $tokenId = $validatedRequest->getAttribute('oauth_access_token_id'); $this->accessTokenRepository->revokeAccessToken($tokenId); } catch (\Exception $e) { // RFC 7009: The server responds with HTTP 200 even for invalid tokens } } return new JsonResponse([], 200); } ```
Netskope was notified about a potential gap in the Endpoint DLP Module for Netskope Client on Windows systems. The successful exploitation of the gap can potentially allow an unprivileged user to trigger an out-of-bounds read within a driver, leading to a Blue-Screen-of-Death (BSOD). Successful exploitation would require the Endpoint DLP module to be enabled in the client configuration. A successful exploit can potentially result in a denial-of-service for the local machine.
A post-authentication Path Traversal vulnerability in SonicOS allows an attacker to interact with usually restricted services.
Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis DeviceLock DLP (Windows) before build 9.0.93212.
CKAN fails to validate SMTP server certificates, allowing attackers to spoof the configured mail server with any certificate including self-signed ones and intercept SMTP credentials and email content via man-in-the-middle attack. Versions below 2.10.10 and 2.11.0 through 2.11.4 are affected. Vendor-released patches are available in CKAN 2.10.10 and 2.11.5.
Cockpit CMS versions 2.13.5 and earlier allow authenticated attackers to write files to arbitrary locations within the uploads directory or overwrite assets via directory traversal in the Buckets component. The vulnerability requires valid user authentication and does not impact confidentiality, but enables integrity compromise through malicious file placement or asset replacement. A proof-of-concept exists, though the SSVC framework rates automatable exploitation as unlikely, suggesting manual attack steps are required.
Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.8.0 to before version 4.14.4, a stack-based buffer overflow exists in print_hex_string() in wazuh-remoted. The bug is triggered when formatting attacker-controlled bytes using sprintf(dst_buf + 2*i, "%.2x", src_buf[i]) on platforms where char is treated as signed and the compiled code sign-extends bytes before the variadic call. For input bytes such as 0xFF, the formatting can emit "ffffffff" (8 chars) instead of "ff" (2 chars), causing an out-of-bounds write past a fixed 2049-byte stack buffer. The vulnerable path is reachable remotely prior to any agent authentication/registration logic via TCP/1514 when an oversized length prefix causes the “unexpected message (hex)” diagnostic path to run. Additionally, the same unauthenticated oversized-message diagnostic path logs an attacker-controlled hex dump to /var/ossec/logs/ossec.log for each trigger, allowing remote log amplification that can degrade monitoring fidelity and consume disk/I/O. This log amplification is reachable even without triggering the sign-extension overflow (e.g., using bytes < 0x80). This issue has been patched in version 4.14.4.
Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.0.0 to before version 4.14.4, Wazuh's server API brute-force protection for POST /security/user/authenticate can be bypassed by sending concurrent authentication requests. Although the configured threshold (max_login_attempts, default 50) is enforced correctly for sequential requests, a parallel burst allows significantly more failed login attempts to be processed before the IP block is applied. This enables an attacker to perform more password guesses than the configured policy intends (e.g., 100 attempts processed where 50 should be allowed). This issue has been patched in version 4.14.4.
Path traversal in Admidio ecard_preview.php allows authenticated users to read arbitrary server files including database credentials by bypassing filename validation on the ecard_template POST parameter. An authenticated attacker can supply path traversal payloads such as ../config.php to read adm_my_files/config.php containing unencrypted database host, username, and password, or traverse further to access system files. Exploitation requires only a regular member account with no special privileges, making this a high-impact vulnerability accessible to any registered user.
Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.0.0 to before version 4.14.4, multiple heap-based out-of-bounds WRITE vulnerabilities exist in parse_uname_string() (remoted_op.c). This function processes OS identification data from agents and contains a dangerous code pattern that appears in 4 locations within the same function: writing to strlen(ptr) - 1 without checking for empty strings. When the string is empty, strlen() returns 0, and 0 - 1 wraps to SIZE_MAX due to unsigned integer underflow. Due to pointer arithmetic wrapping, SIZE_MAX effectively becomes -1, causing a write exactly 1 byte before the allocated buffer. This corrupts heap metadata (e.g., the chunk size field in glibc malloc), leading to heap corruption. This issue has been patched in version 4.14.4.
Missing Authorization vulnerability in weDevs WP User Frontend allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP User Frontend: from n/a through 4.3.1.
Jenkins Matrix Authorization Strategy Plugin 2.0-beta-1 through 3.2.9 (both inclusive) invokes parameterless constructors of classes specified in configuration when deserializing inheritance strategies, without restricting the classes that can be instantiated, allowing attackers with Item/Configure permission to instantiate arbitrary types, which may lead to information disclosure or other impacts depending on the classes available on the classpath.
A WebFlux server application that processes multipart requests creates temp files for parts larger than 10 K. Under some circumstances, temp files may remain not deleted after the request is fully processed. This allows an attacker to consume available disk space. Older, unsupported versions are also affected.
Admidio inventory module allows any authenticated user to permanently delete inventory items and modify associated data by bypassing authorization checks present only in the UI layer. The backend handlers for item_delete, item_retire, item_reinstate, and picture operations validate CSRF tokens but never verify the requesting user is an inventory administrator, enabling destructive operations on any item visible to the user. This affects Admidio versions through 5.0.8, and no active exploitation has been reported at the time of analysis.
n8n Chat Trigger's Hosted Chat feature fails to verify WebSocket connection authorization on the /chat endpoint, allowing unauthenticated remote attackers to hijack workflow executions in waiting state by obtaining the execution ID, intercept intended user prompts, and submit arbitrary input to influence downstream workflow behavior. This affects instances configured with authentication set to None. Vendor-released patches: versions 1.123.32, 2.17.4, and 2.18.1. No public exploit code identified at time of analysis.
Dell/Alienware Purchased Apps, versions prior to 1.1.31.0, contain an Improper Link Resolution Before File Access ('Link Following') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Arbitrary File Write
The WP Meteor Website Speed Optimization Addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'frontend_rewrite' function's 'WPMETEOR[N]WPMETEOR' placeholder content in all versions up to, and including, 3.4.16 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Reflected cross-site scripting (XSS) in Admidio's msg_window.php endpoint allows unauthenticated attackers to execute arbitrary JavaScript in any user's browser by exploiting incomplete output encoding. The vulnerability chains htmlspecialchars() (which does not encode square brackets) with a subsequent Language::prepareTextPlaceholders() call that converts brackets to angle brackets, producing executable HTML markup. Publicly available proof-of-concept demonstrates the attack requires only victim click (no authentication), and Admidio sets no Content-Security-Policy headers to block inline script execution.
The authentication endpoint accepts user-supplied input without enforcing expected validation constraints, leading to a lack of proper output encoding. This allows for the injection of malicious JavaScript payloads, enabling reflected cross-site scripting. An attacker can leverage this vulnerability to redirect the user's browser to a malicious website, modify the user interface of the web page, retrieve information from the browser, or cause other harmful actions. However, due to the protection of session-related cookies with the httpOnly flag, session hijacking is not possible.
A stored cross-site scripting (XSS) vulnerability in opennebula v6.10.0.1 and fixed in v.7.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the virtual network template parameter.
A stored cross-site scripting (XSS) vulnerability in opennebula v6.10.0.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the user information parameter.
A cross-site scripting (XSS) vulnerability in opennebula v6.10.0.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the zone attribute parameter.
A cross-site scripting (XSS) vulnerability in the custom authenticator driver of opennebula v6.10.0.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
Insufficient validation of the prefix length field in IPv6 Router Advertisement processing in FreeRTOS-Plus-TCP before V4.2.6 and V4.4.1 allows an adjacent network actor to cause memory corruption by sending a crafted Router Advertisement with a prefix length value exceeding the maximum valid length, resulting in a heap buffer overflow. Users processing IPv4 RA only are not impacted. To mitigate this issue, users should upgrade to the fixed version when available.
CKAN versions 2.10.0 through 2.10.9 and 2.11.0 through 2.11.4 allow unauthenticated requests to permanently disable CSRF protection on endpoints for the lifetime of the server process by triggering a state mutation in the flask-wtf CSRFProtect middleware. Combined with cross-site scripting, an attacker can exploit this to perform authenticated actions using other users' credentials. The vulnerability affects network-accessible CKAN instances with default configurations and has CVSS 6.1 with user interaction required.
During code logic analyis, an area that may lead to unintended behavior under specific conditions was discovered. - Verified Version: `80cd21554124da07d17a4f962c7d770a4f70d0f2` - Vulnerability Type: Stored XSS - Affected Location: `beetsplug/web/templates/index.html:42` - Trigger Scenario: Metadata fields such as `title`, `lyrics`, or `comments` are rendered with raw template interpolation and inserted into DOM via `.html(...)`. The bundled web UI uses Underscore template interpolation mode `<%= ... %>` for untrusted metadata fields. In this runtime, `<%= ... %>` is raw insertion and HTML escaping is only performed by `<%- ... %>`. Rendered output is then inserted with `.html(...)`, allowing attacker-controlled markup to become active DOM. 1. Source (attacker-controlled input) - Item metadata values (for example `title`, `lyrics`, `comments`) can contain attacker HTML payload. 2. Data flow - Templates in `beetsplug/web/templates/index.html:42-46,87-91` render metadata with `<%= ... %>`. - Underscore runtime defines `<%= ... %>` as raw interpolation (`beetsplug/web/static/underscore.js:890-907`). 3. Sink (security-sensitive action) - Frontend inserts rendered template output into DOM via `$(this.el).html(this.template(this.model.toJSON()));` in `beetsplug/web/static/beets.js:182,208,220`. 1. Victim opens the web UI page that renders attacker-controlled metadata. 2. Metadata includes executable HTML/JS payload. Stored payload executes in the web UI context and can perform actions available to that origin. Attacker can run arbitrary JavaScript in the victim browser, exfiltrate viewable data, and perform UI-driven actions as the victim session. 1. Replace raw interpolation `<%= ... %>` with escaped output `<%- ... %>` for untrusted fields. 2. Avoid `.html(...)` for untrusted template output; use text-safe rendering. 3. Sanitize metadata values on ingest and before rendering, including attribute contexts.
Insecure Direct Object Reference (IDOR) in n8n's public API variables endpoint allows authenticated users with variable:list API key scope to read project variables from any project regardless of membership by manipulating the projectId query parameter. The API handler bypassed project membership authorization checks present in the enterprise service layer, enabling cross-project secret disclosure. This affects only licensed enterprise or team deployments with multiple projects and variables feature enabled. Vendor-released patches: versions 1.123.32, 2.17.4, and 2.18.1.
Insufficient option length validation in the IPv6 Router Advertisement parser in FreeRTOS-Plus-TCP before V4.2.6 and V4.4.1 allows an adjacent network actor to cause a denial of service (device crash) by sending a crafted Router Advertisement with a truncated PREFIX_INFORMATION option that is smaller than the expected structure size. To mitigate this issue, users should upgrade to the fixed version when available.
Integer underflow in the ICMP and ICMPv6 echo reply handlers in FreeRTOS-Plus-TCP before V4.4.1 and V4.2.6 allows an adjacent network user to cause a denial of service (device crash) when outgoing ping support is enabled, because header sizes are subtracted from a packet length field without validating the field is large enough, resulting in a heap out-of-bounds read of up to approximately 65KB. To mitigate this issue, users should upgrade to the fixed version when available.
`OpenTelemetry.Resources.Azure` reads unbounded HTTP response bodies from the Azure VM remote instance metadata service endpoint into memory. This would allow an attacker-controlled endpoint or one acting as a Man-in-the-Middle (MitM) to cause excessive memory allocation and possible process termination (via Out of Memory (OOM)). The [`AzureVmMetaDataRequestor`](https://github.com/open-telemetry/opentelemetry-dotnet-contrib/blob/171c6b81f88831641b56b470e6f92862e605013d/src/OpenTelemetry.Resources.Azure/AzureVmMetaDataRequestor.cs) class makes HTTP requests to the relevant Azure VM instance metadata service (`http://169.254.169.254`) to obtain metadata about the running process and its infrastructure. An attacker who controls the configured endpoint, or who can intercept traffic to them (MiTM), can return an arbitrarily large response body. This causes unbounded heap allocation in the consuming process, leading to high transient memory pressure, garbage-collection stalls, or an `OutOfMemoryException` that terminates the process. Denial of Service (DoS). An attacker can destabilize or crash the application by forcing unbounded memory allocation through the Azure VM instance metadata HTTP response paths. The application's reachable Azure VM metadata endpoint needs to behave maliciously or be subject to MitM. In normal usage response bodies should not be excessively large. Fixed in `OpenTelemetry.Resources.Azure` version `1.15.0-beta.2`. The fix (#4121) introduce changes that introduce limits to `HttpClient` requests so that the response body is streamed rather than buffered entirely in memory. Responses greater than 4 MiB are ignored. - Disable the Azure VM resource detector. - Use network-level controls (firewall rules, mTLS, service mesh) to prevent Man-in-the-Middle (MitM) attacks on the Azure VM instance metadata endpoint. - [#4121](https://github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/4121)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in StellarWP Image Widget image-widget allows Stored XSS.This issue affects Image Widget: from n/a through <= 4.4.11.
Roadiz OpenID Connect authentication fails to store and validate the nonce parameter, allowing attackers to replay valid ID tokens or inject tokens from compromised identity providers to impersonate users. The package generates a nonce during authorization request initiation but never validates the returned nonce claim in the ID token, violating OIDC Core 1.0 specification requirements. Publicly available proof-of-concept demonstrates token replay within the token's validity window, affecting all Roadiz applications using the roadiz/openid package versions before 2.7.18, 2.6.31, 2.5.45, or 2.3.43.
A security vulnerability has been detected in EyouCMS up to 1.7.9. The affected element is the function GetSortData of the file application/common.php. The manipulation of the argument sort_asc leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.