Skip to main content
CVE-2026-46339 CRITICAL POC PATCH GHSA Act Now

Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent attackers to execute arbitrary OS commands by chaining two unprotected API endpoints. The Next.js authentication middleware in src/proxy.js uses a narrow route allowlist that excludes /api/cli-tools/* and /api/mcp/*, letting an attacker register an arbitrary command via POST /api/cli-tools/cowork-settings and then trigger spawn() via GET /api/mcp/[plugin]/sse. Publicly available exploit code exists (PoC published with the GHSA advisory), with CVSS 10.0 reflecting maximum severity across confidentiality, integrity, and availability.

Python Denial Of Service Docker Command Injection
NVD GitHub
CVSS 3.1
10.0
EPSS
0.1%
CVE-2026-31072 CRITICAL POC PATCH GHSA Act Now

Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deserialize attacker-controlled data via the bundled JSONSerializer or CBORSerializer. The unmarshal_object routine dynamically imports modules and invokes __setstate__ on arbitrary classes, letting an attacker pivot an untrusted payload into code execution; publicly available exploit code exists, though EPSS remains low at 0.06% (19th percentile).

Deserialization Python RCE N A
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-46725 CRITICAL POC PATCH GHSA Act Now

Remote code execution in the TYPO3 'Content Element Selector' extension allows unauthenticated attackers to execute arbitrary PHP code by sending a crafted cookie that the extension feeds directly into PHP's unserialize(). The flaw (CWE-502, CVSS 4.0 score 9.2) is exploitable only on installations where a content element is configured with 'Persistent Mode: Static'. No public exploit identified at time of analysis, though the deserialization pattern is well-understood and typically rapid to weaponize.

Deserialization PHP RCE
NVD
CVSS 4.0
9.2
EPSS
0.4%
CVE-2026-31071 CRITICAL POC Act Now

Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump all user records including bcrypt password hashes, tamper with drug inventory, and read private medical prescription data. The flaw stems from missing authentication middleware on backend Express routes such as /api/user/getUserData and /api/doctorOder. Publicly available exploit code exists, though EPSS rates exploitation probability at only 0.06% (17th percentile), consistent with a low-deployment open-source project rather than mass exploitation.

Authentication Bypass N A
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-34234 CRITICAL PATCH Act Now

Unauthenticated remote code execution in CtrlPanel billing software (versions 1.1.1 and prior) allows attackers to execute arbitrary OS commands via the web-based installer endpoint, even on already-installed instances. The flaw combines a control-flow bug (install.lock gate runs after handler execution) with command injection through unsanitized user input passed into shell commands. The advisory reports active exploitation in the wild, though no CISA KEV listing is present in the supplied data.

PHP RCE Command Injection
NVD GitHub VulDB
CVSS 3.1
10.0
EPSS
0.2%
CVE-2026-46412 CRITICAL GHSA MAL Act Now

Supply-chain compromise of the npm package @beproduct/nestjs-auth (versions 0.1.2 through 0.1.19) delivered the Mini Shai-Hulud worm payload via a malicious postinstall script, harvesting npm, GitHub, AWS, and HashiCorp Vault credentials from any developer or CI host that ran npm install during a 2h37m publication window on 2026-05-11. Confirmed actively exploited during that window via an attacker-controlled npm publish token; clean version 0.1.20 republishes the original 0.1.1 source tree. CVSS 10.0 reflects the unauthenticated, network-driven supply-chain delivery and scope change into the install environment.

Node.js Information Disclosure Hashicorp
NVD GitHub
CVSS 3.1
10.0
EPSS
0.1%
CVE-2026-33642 CRITICAL PATCH Act Now

Heap memory corruption in Kitty cross-platform GPU terminal emulator (versions 0.46.2 and below) allows remote attackers to trigger out-of-bounds heap reads and writes by emitting crafted graphics protocol escape sequences. The flaw stems from a 32-bit integer overflow in handle_compose_command() that lets malicious x_offset/y_offset values bypass bounds checks. No public exploit identified at time of analysis, but the bug requires no user interaction, no authentication, and works against default configurations whenever attacker-controlled bytes can reach the terminal - including via SSH banners, cat'd files, or piped output.

Buffer Overflow Integer Overflow Kitty
NVD GitHub
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-37281 CRITICAL Act Now

Remote command execution in hitarth-gg Zenshin before 2.7.0 allows unauthenticated attackers to run arbitrary OS commands by sending a crafted url query parameter to the /stream-to-vlc Express route, which passed user input directly into a Node.js child_process.exec shell invocation. No public exploit identified at time of analysis, but a detailed write-up gist and the upstream fix commit publicly expose the vulnerable code path. EPSS is low (0.13%, 32nd percentile) but CVSS is 9.8 reflecting the trivial nature of the injection.

Command Injection N A
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-45434 CRITICAL PATCH Act Now

Remote code execution in Apache OFBiz before 24.09.06 stems from an improper authentication flaw in the password-change logic that allows unauthenticated remote attackers to bypass authentication and ultimately execute arbitrary code on the server. The CVSS 9.8 rating reflects network-reachable, no-interaction exploitation against a widely deployed open-source ERP platform, though EPSS sits at only 0.07% and SSVC currently marks exploitation as 'none' - meaning no public exploit identified at time of analysis despite the severe technical impact.

Apache Authentication Bypass RCE Apache Ofbiz
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-4885 CRITICAL Act Now

Unauthenticated arbitrary file upload in the Piotnet Addons for Elementor Pro WordPress plugin (versions through 7.1.70) allows remote attackers to upload dangerous file types and potentially achieve remote code execution. The flaw stems from an incomplete extension blacklist in the 'pafe_ajax_form_builder' AJAX handler that fails to block executable wrappers such as .phar and .phtml. No public exploit identified at time of analysis, but the CVSS 9.8 score and unauthenticated network attack vector make this a high-priority issue for any WordPress site running the plugin with a file-upload form field.

File Upload WordPress RCE Elementor
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-8956 CRITICAL PATCH Act Now

Integer overflow in the Networking: JAR component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.

Mozilla Buffer Overflow Integer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-47323 CRITICAL PATCH GHSA Act Now

Remote code execution in Apache Camel 3.18.0-4.14.5 and 4.15.0-4.18.1 stems from CXF and Knative HeaderFilterStrategy implementations filtering only outbound Camel-internal headers while leaving inbound traffic unfiltered, letting unauthenticated attackers inject control headers such as CamelExecCommandExecutable and CamelFileName through HTTP requests to CXF-RS, CXF-SOAP, or Knative HTTP endpoints. When such routes pipe into header-driven components like camel-exec or camel-file, the injected headers override configured values, yielding RCE or arbitrary file writes. No public exploit identified at time of analysis, but EPSS sits at only 0.04% despite the 9.8 CVSS - this is the fifth iteration of the same header-injection pattern (CVE-2025-27636, 2025-29891, 2025-30177, 2026-40453), so prior PoCs for sibling CVEs are likely portable.

Apache RCE Apache Camel
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-31070 CRITICAL Act Now

Privilege escalation in LalanaChami Pharmacy Management System (commit 5c3d028) allows any remote unauthenticated attacker to register a new account with administrator privileges by simply including a role parameter in the signup request body. The /api/user/signup endpoint trusts client-supplied role values without server-side validation, granting full administrative access in a single HTTP call. No public exploit identified at time of analysis, and EPSS is very low (0.04%), but the trivial nature of the flaw means weaponization is straightforward once anyone notices the gist already documenting the issue.

Privilege Escalation N A
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-30118 CRITICAL Act Now

Server-side request forgery in scalar/astro v0.1.13 allows remote unauthenticated attackers to coerce the backend into making HTTP requests to attacker-controlled destinations via the scalar_url query parameter of the Scalar Proxy endpoint. Exploitation can expose authentication cookies and headers forwarded by the proxy, enabling account takeover and potential privilege escalation. Publicly available exploit code exists, though EPSS is low (0.03%) suggesting limited mass exploitation at this time.

Privilege Escalation SSRF N A
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-30117 CRITICAL Act Now

Arbitrary code execution in Scalar Astro v0.1.13 allows remote unauthenticated attackers to upload malicious SVG files through the scalar_url query parameter of the Scalar Proxy endpoint. The flaw stems from inadequate validation in the proxy's file handling logic and, per CVSS, requires no authentication or user interaction, though EPSS rates real-world exploitation probability at only 0.02%. No public exploit identified at time of analysis, though a related XSS/Open-Redirect proof-of-concept repository is referenced.

File Upload Code Injection RCE N A
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-43493 CRITICAL PATCH Act Now

Improper handling of MAY_BACKLOG requests in the Linux kernel's pcrypt (parallel crypto) module can cause incorrect processing of EBUSY return codes and EINPROGRESS notifications, potentially leading to instability or undefined behavior in cryptographic operations. The issue affects Linux kernel versions dating back to 2.6.34 and has been resolved upstream across multiple stable branches including 6.6.140, 6.12.86, 6.18.27, 7.0.4, and 7.1-rc1. There is no public exploit identified at time of analysis and EPSS scoring (0.02%, 5th percentile) suggests very low real-world exploitation likelihood despite the CVSS 9.8 rating.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-8495 CRITICAL PATCH Act Now

Forceful browsing in the Drupal Date iCal contributed module (versions prior to 4.0.15) allows remote unauthenticated attackers to bypass authorization checks and access protected calendar resources. Despite a CVSS score of 9.8, the EPSS exploitation probability sits at just 0.02% (4th percentile) and no public exploit has been identified at time of analysis. The flaw is a CWE-862 missing authorization issue patched by the Drupal Security Team in version 4.0.15.

Authentication Bypass Date Ical
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-45695 CRITICAL PATCH GHSA Act Now

Remote code execution in Kopia backup server (≤ 0.22.3) allows unauthenticated attackers to run arbitrary OS commands as the Kopia process user via a single HTTP request to /api/v1/repo/exists when the server is launched with --without-password. Publicly available exploit code exists through the published GHSA advisory and PR diff; no public exploit identified at time of analysis as being weaponized in the wild, but the trivially exploitable vector (CVSS 9.8) and detailed write-up make weaponization straightforward. The bug stems from naive space-splitting of attacker-controlled sshArguments that is fed to exec.CommandContext("ssh"), letting an -oProxyCommand= token trigger $SHELL -c execution before any SSH transport is established.

SSH Command Injection Suse
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-4883 CRITICAL Act Now

Arbitrary file upload in the Piotnet Forms WordPress plugin (all versions up to and including 2.1.40) allows unauthenticated remote attackers to upload dangerous file types such as .phar and .phtml, potentially leading to remote code execution on the underlying web server. The flaw stems from an incomplete extension blacklist in the piotnetforms_ajax_form_builder AJAX handler, and exploitation requires that a form on the site include a file upload field. No public exploit identified at time of analysis, but the CVSS 9.8 severity and unauthenticated network attack vector make this a high-priority WordPress plugin issue.

File Upload WordPress RCE
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-36829 CRITICAL Act Now

An authentication bypass vulnerability exists in the embedded HTTP server of Panabit PAP-XM320 up to and including v7.7. The server validates session cookies using a filesystem existence check based on a user-controlled cookie value without proper sanitization, allowing directory traversal and bypass of authentication.

Path Traversal Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-2587 CRITICAL PATCH GHSA Act Now

{7*7} which the server evaluates to 49. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

RCE Eclipse Glassfish
NVD VulDB
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-8959 CRITICAL PATCH Act Now

Sandbox escape due to incorrect boundary conditions in the Widget: Win32 component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.

Information Disclosure Mozilla Red Hat Suse
NVD
CVSS 3.1
9.6
EPSS
0.1%
CVE-2026-45758 CRITICAL GHSA MAL Act Now

Supply chain compromise in the guardrails-ai Python package allows attackers to execute embedded malicious code on any developer or production host that installed version 0.10.1 from PyPI on May 11, 2026. The malicious release was live for roughly two hours before PyPI quarantined it, and the vendor reports no observed callbacks to Guardrails AI infrastructure, but any system that pulled 0.10.1 should be treated as compromised. No public exploit identified at time of analysis as a separate artifact - the package itself is the exploit, and exploitation requires user interaction (the install action) per the CVSS UI:R designation.

Authentication Bypass
NVD GitHub
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-2611 CRITICAL PATCH GHSA Act Now

Cross-origin request forgery in MLflow 3.9.0's Assistant feature allows remote attackers to bypass loopback-only protections on /ajax-api endpoints when a victim visits a malicious webpage, ultimately achieving arbitrary command execution through the Claude Code sub-agent. The flaw stems from improper origin validation (CWE-346) and is fixed in version 3.10.0; no public exploit identified at time of analysis, though a detailed huntr.com report and an upstream commit are publicly available.

RCE Mlflow Mlflow
NVD GitHub
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-8953 CRITICAL PATCH Act Now

Sandbox escape due to use-after-free in the Disability Access APIs component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, and Firefox ESR 140.11.

Information Disclosure Mozilla Use After Free Memory Corruption Red Hat +1
NVD VulDB
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-43633 CRITICAL PATCH Act Now

Unauthenticated root-level remote code execution affects HestiaCP versions 1.9.0 through 1.9.4 when the optional web terminal feature is enabled, stemming from a session-handling format mismatch (CWE-502) between the PHP backend and the Node.js web terminal. Remote attackers can inject crafted HTTP header data that PHP writes into session storage but Node.js parses with naive string splitting, yielding arbitrary command execution as root; no public exploit identified at time of analysis, though VulnCheck has published a technical advisory and the upstream patch is publicly diffable.

Deserialization PHP Node.js RCE Hestiacp
NVD GitHub
CVSS 4.0
9.5
EPSS
0.2%
CVE-2026-42097 CRITICAL Act Now

Unauthenticated SQL execution affects Sparx Pro Cloud Server when attackers omit the 'model' query parameter from the URL and instead supply the model name inside the binary POST body, bypassing the URL-based authentication check. Version 6.1 (build 167) and earlier are confirmed vulnerable, with broader version coverage unknown because the vendor did not respond to coordinated disclosure by CERT-PL. Publicly available exploit code exists via the researcher's blog write-up, though there is no CISA KEV listing of active in-the-wild exploitation.

Authentication Bypass Pro Cloud Server
NVD
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-46396 CRITICAL PATCH GHSA Act Now

Stored cross-site scripting in HAX CMS (versions <= 25.0.0) allows authenticated users to inject malicious `<iframe>` elements with `javascript:` URIs or `srcdoc` payloads that execute in viewers' browsers, enabling theft of JWTs exposed via window.appSettings and full account takeover. A working proof-of-concept is published in the GHSA advisory demonstrating JWT exfiltration, and a vendor patch is available in 26.0.0. No public exploit identified at time of analysis beyond the published PoC, and the issue is not listed in CISA KEV.

Information Disclosure XSS
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-8950 CRITICAL PATCH Act Now

Same-origin policy bypass in the Networking: HTTP component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.

Mozilla Authentication Bypass Red Hat Suse
NVD VulDB
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-46395 CRITICAL PATCH GHSA Act Now

Private key disclosure in HAXcms Node.js backend (@haxtheweb/haxcms-nodejs <= 25.0.0) lets unauthenticated remote attackers extract the master JWT signing secret via a single GET to /system/api/connectionSettings and forge admin-level JWTs for complete site takeover. The broken hmacBase64() function appends the raw privateKey+salt to its output, exposing it through any token the server emits. Publicly available exploit code exists in the GHSA advisory PoC, and the CVSS 4.0 score of 9.3 reflects trivial network exploitation with no privileges or user interaction.

Information Disclosure PHP Node.js
NVD GitHub
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-46496 CRITICAL PATCH GHSA Act Now

Stored cross-site scripting in HAX CMS (npm packages @haxtheweb/haxcms-nodejs and @haxtheweb/video-player versions <= 25.0.0) allows any authenticated user to inject a `<video-player>` element whose `source` or `source-data` attribute carries a `javascript:` URI that executes when other users render the page. A public PoC in the vendor's GHSA advisory demonstrates JWT theft from localStorage, enabling session hijacking and full account takeover - especially severe when an administrator views the malicious page. No public exploit identified at time of analysis beyond the advisory PoC, and the issue is not listed in CISA KEV.

Information Disclosure XSS
NVD GitHub
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-44159 CRITICAL Monitor

Use of default administrative credentials in Tyler Identity Local (TID-L) allows remote unauthenticated attackers to gain full administrative access to affected deployments. The credentials are publicly documented and users are not forced to change them at install time, and because the product was discontinued in December 2020 and unsupported since 2021, no vendor patch is available. CVSS 4.0 rates this 9.3 (Critical); no public exploit identified at time of analysis and the issue is not in CISA KEV.

Information Disclosure Tid L
NVD
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-8711 CRITICAL PATCH Act Now

Heap buffer overflow in F5 NGINX JavaScript (njs) module versions 0.9.4 through 0.9.8 allows unauthenticated remote attackers to crash NGINX worker processes, with potential remote code execution on hosts where ASLR is disabled. Exploitation requires the deployment to use the js_fetch_proxy directive with at least one client-controlled NGINX variable (such as $http_*, $arg_*, or $cookie_*) and a location that invokes ngx.fetch(). No public exploit identified at time of analysis, but a vendor patch is available and the CVSS 4.0 base score of 9.2 reflects the high impact across confidentiality, integrity, and availability.

RCE Buffer Overflow Nginx Heap Overflow
NVD VulDB
CVSS 4.0
9.2
EPSS
0.2%
CVE-2026-47358 CRITICAL Act Now

Server-Side Request Forgery in Tenable Terrascan v1.18.3 and prior allows unauthenticated remote attackers to coerce the server into fetching arbitrary URLs, including file:// URIs that enable local file disclosure. The flaw is triggered when Terrascan runs in server mode and parses uploaded ARM or CloudFormation templates whose templateLink.uri, parametersLink.uri, or AWS::CloudFormation::Stack TemplateURL fields point to attacker-controlled destinations. No public exploit identified at time of analysis, and because Terrascan was archived in August 2023, no patch will ever be released.

Hashicorp SSRF
NVD GitHub
CVSS 4.0
9.2
EPSS
0.0%
CVE-2026-47357 CRITICAL Act Now

Server-Side Request Forgery in Tenable's Terrascan IaC scanner (versions 1.18.3 and prior) lets unauthenticated remote attackers read arbitrary local files and exfiltrate ~/.netrc credentials when the tool runs in server mode. Because Terrascan was archived in August 2023, no vendor patch will ever be released, and the daemon binds to 0.0.0.0 with no authentication by default. No public exploit identified at time of analysis, but the CVSS 4.0 score of 9.2 reflects trivial network-reachable abuse paired with significant confidentiality scope change.

Hashicorp SSRF
NVD GitHub
CVSS 4.0
9.2
EPSS
0.0%
CVE-2026-2586 CRITICAL PATCH GHSA Act Now

Remote code execution in Eclipse GlassFish allows attackers with administrative access to the Administration Console to execute arbitrary operating system commands as the application service user. The flaw stems from improper input handling in admin panel requests (CWE-94), and while CVSS rates it 9.1 due to scope change and full CIA impact, exploitation requires high privileges (PR:H). No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Code Injection RCE Eclipse Glassfish
NVD VulDB
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-41919 CRITICAL PATCH Act Now

Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.

Apache LDAP Code Injection
NVD
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-8948 CRITICAL PATCH Act Now

Same-origin policy bypass in the DOM: Networking component. This vulnerability was fixed in Firefox 151.

Mozilla Authentication Bypass Cors Misconfiguration
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-46354 CRITICAL PATCH GHSA Act Now

Unauthenticated agent token theft in Coder v2 (self-hosted developer workspace platform) stems from azureidentity.Validate() verifying the PKCS#7 signer's certificate chain but skipping signature verification of the signed content itself. Remote attackers who know a target VM's vmId (a UUIDv4) can forge a PKCS#7 envelope containing a legitimate Azure certificate alongside attacker-controlled content and POST it to the unauthenticated /api/v2/workspaceagents/azure-instance-identity endpoint to receive the victim workspace agent's session token, which then unlocks Git SSH keys, OAuth tokens for GitHub/GitLab/Bitbucket, and workspace secrets. No public exploit identified at time of analysis, but the vulnerability is vendor-confirmed via GHSA-6x44-w3xg-hqqf and a detailed root-cause analysis with attack-path diagram is published.

Microsoft Jwt Attack Hashicorp RCE Gitlab
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-31986 CRITICAL PATCH Act Now

Use of Hard-coded Cryptographic Key vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.

Information Disclosure Apache
NVD
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-45721 CRITICAL PATCH GHSA Act Now

Pre-authenticated remote code execution in Algernon web server (≤ 1.17.6) allows attackers who can place a handler.lua file anywhere in a parent directory of the server root to execute arbitrary Lua - including shell commands via run3() and os.execute - in the server process on the next HTTP request. The flaw stems from DirPage walking up to 100 ancestor directories past the configured server root searching for handler.lua, and the permission middleware does not gate this lookup, so an anonymous GET / suffices to trigger execution. Publicly available exploit code exists (the reporter published three working PoC variants and a live verification against 1.17.6).

Microsoft Redis RCE Canonical
NVD GitHub
CVSS 3.1
9.0
EPSS
0.2%
CVE-2026-45568 CRITICAL GHSA Act Now

Server-side request forgery in the zrok Python SDK's ProxyShare component (versions 0.4.47 through 1.1.11) allows remote unauthenticated users to redirect proxied requests to arbitrary hosts by submitting absolute URLs in the request path. Because the Flask handler concatenates user input with the configured target via urllib.parse.urljoin, an attacker (Bob) can replace the share owner's (Alice's) intended target with any host including internal cloud metadata endpoints, and the response is returned to the attacker. No public exploit identified at time of analysis, though the GitHub Security Advisory GHSA-jh67-hwqw-m5r7 documents the technique in detail.

Path Traversal Python
NVD GitHub
EPSS
0.1%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy