Monthly
CarrierWave's `content_type_denylist` silently fails to block MIME types containing regex metacharacters - most critically `image/svg+xml` - because string entries are interpolated directly into a regex without `Regexp.quote` or anchoring, causing the `+` character to be treated as a quantifier rather than a literal. Any Ruby application relying on this denylist to prevent SVG uploads for stored XSS protection is completely unprotected despite believing the control is active. A publicly available proof-of-concept exploit demonstrates successful SVG bypass; no public exploit identified at time of analysis for active KEV-level exploitation.
Improper output escaping in NousResearch Hermes Agent versions up to 2026.4.16 allows remote unauthenticated attackers to manipulate message formatting in Slack and Mattermost integrations, potentially leading to information disclosure and service disruption. The vulnerability is exploitable via crafted format_message arguments with low attack complexity and requires no user interaction. Public exploit code is available via GitHub Gist. The vendor did not respond to early disclosure attempts, and no patch availability is documented.
Cross-site scripting in twig/markdown-extra and twig/cssinliner-extra arises from three filters - html_to_markdown, markdown_to_html, and inline_css - being incorrectly registered with is_safe => ['all'], which instructs Twig's autoescaper to suppress output encoding in every context including JS, CSS, and URL. When attacker-controlled content flows through these filters and the result is interpolated into a non-HTML context such as an inline script block, the autoescaper emits the raw output verbatim, enabling XSS without the developer ever using the explicit |raw bypass. Notably, html_to_markdown has an additional entity-decoding gadget via league/html-to-markdown that converts encoded HTML entities back to live markup during code span generation, creating a secondary injection path even in HTML contexts. No public exploit identified at time of analysis and no CISA KEV listing.
Cross-site scripting in Twig's PHP templating engine allows attacker-controlled HTML markup to bypass autoescaping when rendered through the `|spaceless` filter. The filter was incorrectly registered with `is_safe => ['html']`, signaling to the autoescaper that its output is already safe and requires no HTML encoding - even when the input is user-supplied and autoescape is globally enabled. All `twig/twig` Composer installations prior to 3.26.0 are affected, as are downstream packages (notably certain Drupal modules) that independently copied the `spaceless` filter and inherited the same erroneous flag. No public exploit or active exploitation is identified at time of analysis.
HTML sanitizer bypass in CryptPad's Diffmarked.js allows remote unauthenticated attackers to inject arbitrary HTML into collaborative documents, completely defeating the platform's bounce sandboxing mechanism. All CryptPad versions prior to 2026.2.0 are affected; the CVSS scope change (S:C) reflects that exploitation crosses sandbox boundaries, enabling link injection and delivery of malicious interactive content to any user who opens a crafted document. No public exploit code has been identified at time of analysis and this CVE is not listed in CISA KEV, though the attack vector is network-accessible with no authentication required.
Shell command injection in go-git's SSH transport allows attackers who control repository path values to execute arbitrary shell commands on SSH servers that evaluate exec commands through a login shell. go-git wraps repository paths in single quotes without escaping embedded single-quote characters, diverging from canonical Git's sq_quote_buf behavior. When a go-git client connects to an SSH server whose exec command passes through /bin/sh, /bin/bash, or a ForceCommand wrapper that re-evaluates $SSH_ORIGINAL_COMMAND, an attacker-influenced path containing a single quote can break out of the quoted region and append arbitrary shell tokens. No public exploit identified at time of analysis.
GuardDog versions 2.6.0 through 2.9.0 fail to escape terminal control characters in human-readable scan output, allowing malicious packages to inject ANSI or OSC escape sequences that can clear analyst terminals, rewrite CI logs, or inject spoofed content. The vulnerability affects file paths, code snippets, and messages parsed from package content and rendered directly to stdout without sanitization. Remote attackers can exploit this by distributing packages with specially crafted filenames or source code containing escape sequences, and requires only user interaction (running the scanner on the malicious package).
Go's html/template library incorrectly escapes data passed into <script> tags when the tag contains an empty or whitespace-only 'type' attribute, allowing a trusted template author to inadvertently expose sensitive information to client-side scripts. Affects html/template versions prior to 1.26.3 and 1.25.10. CVSS 6.1 with user interaction required; EPSS 0.01% indicates minimal real-world exploitation likelihood despite moderate base score.
Wildcard injection in Apache Polaris table names allows authenticated users to escalate privileges and access unauthorized S3 data across tables. By creating tables with literal asterisk characters (e.g., 'f*.t1', '*.*'), attackers bypass IAM policy scoping and obtain temporary S3 credentials that match other tables' storage paths. Confirmed exploitation scenarios include reading Iceberg metadata control files, listing table prefixes, and creating/deleting objects in victim tables' S3 locations - even when the attacker lacks direct Polaris permissions on those tables. Private testing confirmed this on both MinIO and AWS S3 against Polaris 1.4.0. The CVSS 9.4 (Critical) reflects network-accessible exploitation requiring only low privileges (namespace-scoped TABLE_CREATE), with high confidentiality, integrity, and availability impact across system and subsequent components. No public exploit code or CISA KEV listing identified at time of analysis, but the Apache advisory provides detailed attack mechanics.
Axios versions prior to 1.15.1 and 0.31.1 contain a character mapping flaw in the AxiosURLSearchParams.encode() function that reverses safe percent-encoding of null bytes, converting %00 back to raw null bytes. While the standard axios request flow remains unaffected, this vulnerability could enable integrity compromise in edge-case scenarios where encoded parameters are processed by downstream systems expecting percent-encoded values. No public exploit code or active exploitation has been identified.
CarrierWave's `content_type_denylist` silently fails to block MIME types containing regex metacharacters - most critically `image/svg+xml` - because string entries are interpolated directly into a regex without `Regexp.quote` or anchoring, causing the `+` character to be treated as a quantifier rather than a literal. Any Ruby application relying on this denylist to prevent SVG uploads for stored XSS protection is completely unprotected despite believing the control is active. A publicly available proof-of-concept exploit demonstrates successful SVG bypass; no public exploit identified at time of analysis for active KEV-level exploitation.
Improper output escaping in NousResearch Hermes Agent versions up to 2026.4.16 allows remote unauthenticated attackers to manipulate message formatting in Slack and Mattermost integrations, potentially leading to information disclosure and service disruption. The vulnerability is exploitable via crafted format_message arguments with low attack complexity and requires no user interaction. Public exploit code is available via GitHub Gist. The vendor did not respond to early disclosure attempts, and no patch availability is documented.
Cross-site scripting in twig/markdown-extra and twig/cssinliner-extra arises from three filters - html_to_markdown, markdown_to_html, and inline_css - being incorrectly registered with is_safe => ['all'], which instructs Twig's autoescaper to suppress output encoding in every context including JS, CSS, and URL. When attacker-controlled content flows through these filters and the result is interpolated into a non-HTML context such as an inline script block, the autoescaper emits the raw output verbatim, enabling XSS without the developer ever using the explicit |raw bypass. Notably, html_to_markdown has an additional entity-decoding gadget via league/html-to-markdown that converts encoded HTML entities back to live markup during code span generation, creating a secondary injection path even in HTML contexts. No public exploit identified at time of analysis and no CISA KEV listing.
Cross-site scripting in Twig's PHP templating engine allows attacker-controlled HTML markup to bypass autoescaping when rendered through the `|spaceless` filter. The filter was incorrectly registered with `is_safe => ['html']`, signaling to the autoescaper that its output is already safe and requires no HTML encoding - even when the input is user-supplied and autoescape is globally enabled. All `twig/twig` Composer installations prior to 3.26.0 are affected, as are downstream packages (notably certain Drupal modules) that independently copied the `spaceless` filter and inherited the same erroneous flag. No public exploit or active exploitation is identified at time of analysis.
HTML sanitizer bypass in CryptPad's Diffmarked.js allows remote unauthenticated attackers to inject arbitrary HTML into collaborative documents, completely defeating the platform's bounce sandboxing mechanism. All CryptPad versions prior to 2026.2.0 are affected; the CVSS scope change (S:C) reflects that exploitation crosses sandbox boundaries, enabling link injection and delivery of malicious interactive content to any user who opens a crafted document. No public exploit code has been identified at time of analysis and this CVE is not listed in CISA KEV, though the attack vector is network-accessible with no authentication required.
Shell command injection in go-git's SSH transport allows attackers who control repository path values to execute arbitrary shell commands on SSH servers that evaluate exec commands through a login shell. go-git wraps repository paths in single quotes without escaping embedded single-quote characters, diverging from canonical Git's sq_quote_buf behavior. When a go-git client connects to an SSH server whose exec command passes through /bin/sh, /bin/bash, or a ForceCommand wrapper that re-evaluates $SSH_ORIGINAL_COMMAND, an attacker-influenced path containing a single quote can break out of the quoted region and append arbitrary shell tokens. No public exploit identified at time of analysis.
GuardDog versions 2.6.0 through 2.9.0 fail to escape terminal control characters in human-readable scan output, allowing malicious packages to inject ANSI or OSC escape sequences that can clear analyst terminals, rewrite CI logs, or inject spoofed content. The vulnerability affects file paths, code snippets, and messages parsed from package content and rendered directly to stdout without sanitization. Remote attackers can exploit this by distributing packages with specially crafted filenames or source code containing escape sequences, and requires only user interaction (running the scanner on the malicious package).
Go's html/template library incorrectly escapes data passed into <script> tags when the tag contains an empty or whitespace-only 'type' attribute, allowing a trusted template author to inadvertently expose sensitive information to client-side scripts. Affects html/template versions prior to 1.26.3 and 1.25.10. CVSS 6.1 with user interaction required; EPSS 0.01% indicates minimal real-world exploitation likelihood despite moderate base score.
Wildcard injection in Apache Polaris table names allows authenticated users to escalate privileges and access unauthorized S3 data across tables. By creating tables with literal asterisk characters (e.g., 'f*.t1', '*.*'), attackers bypass IAM policy scoping and obtain temporary S3 credentials that match other tables' storage paths. Confirmed exploitation scenarios include reading Iceberg metadata control files, listing table prefixes, and creating/deleting objects in victim tables' S3 locations - even when the attacker lacks direct Polaris permissions on those tables. Private testing confirmed this on both MinIO and AWS S3 against Polaris 1.4.0. The CVSS 9.4 (Critical) reflects network-accessible exploitation requiring only low privileges (namespace-scoped TABLE_CREATE), with high confidentiality, integrity, and availability impact across system and subsequent components. No public exploit code or CISA KEV listing identified at time of analysis, but the Apache advisory provides detailed attack mechanics.
Axios versions prior to 1.15.1 and 0.31.1 contain a character mapping flaw in the AxiosURLSearchParams.encode() function that reverses safe percent-encoding of null bytes, converting %00 back to raw null bytes. While the standard axios request flow remains unaffected, this vulnerability could enable integrity compromise in edge-case scenarios where encoded parameters are processed by downstream systems expecting percent-encoded values. No public exploit code or active exploitation has been identified.