Monthly
Authorization-model destruction in FlaskBB forum software (versions up to and including 2.2.0) lets an authenticated administrator wipe all six built-in permission groups through the management bulk-delete AJAX endpoint. Because the endpoint compares JSON integer group IDs against string literals, the guard meant to protect built-in groups never matches and silently allows their removal, collapsing the forum's entire permission model and potentially bricking the site. No public exploit identified at time of analysis; the flaw was reported by VulnCheck and is fixed in commit a5da9a5.
Incorrect comparison in HdrHistogram's DoubleHistogram.recordValue() range check allows a local, low-privileged attacker to manipulate histogram integrity by recording out-of-range values that bypass the bounds check. Versions up to and including 2.2.2 are affected. No public exploit identified at time of analysis - publicly available exploit code exists, and the project maintainer has not responded to the responsible disclosure, leaving the vulnerability unpatched.
Silent type confusion in js-toml's TOML interpreter allows attacker-controlled input to overwrite falsy primitive values (false, 0, empty string) with truthy objects, defeating duplicate-key enforcement required by TOML 1.0.0 spec. All versions of js-toml up to and including 1.1.1 are affected via the npm package (pkg:npm/js-toml). Attackers who can supply TOML input to an application using this parser can cause security-gated boolean checks such as if (config.isAdmin) or if (!user.banned) to silently evaluate as truthy, enabling authentication bypass. A working proof-of-concept is publicly available in the GitHub security advisory GHSA-m34p-749j-x6m6; no confirmed active exploitation (CISA KEV) has been identified at time of analysis.
Detection bypass in @hulumi/policies versions prior to 1.4.0 allows IAM trust policies that list multiple OIDC federated providers to evade the G_OIDC_1 and G_OIDC_2 policy checks for GitHub Actions OIDC roles. Consumers of HulumiHardeningPack or HulumiGithubHardeningPack can therefore ship roles with wildcard sub: conditions - assumable by untrusted forked-PR workflows - while the validator falsely reports compliance, including missing the AdministratorAccess blast-radius flag. No public exploit identified at time of analysis, and there is no CISA KEV listing.
Local privilege escalation in NousResearch hermes-agent 2026.4.23 allows authenticated local users to manipulate plugin discovery logic via HERMES_ENABLE_PROJECT_PLUGINS environment variable, resulting in unauthorized information disclosure and potential integrity compromise of the CLI web-dashboard interface. Publicly available exploit code exists (EPSS data not provided, not listed in CISA KEV). The vendor did not respond to responsible disclosure attempts, leaving remediation status uncertain.
fast-jwt before 6.2.1 fails to properly validate JWTs when RegExp modifiers with stateful behavior (/g for global matching and /y for sticky matching) are used in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options. This causes valid authentication tokens to be rejected in an alternating 50% failure pattern due to RegExp state persistence across verification calls, degrading availability of JWT-protected services without compromising token security itself. The vulnerability is fixed in version 6.2.1.
Authenticated users in Parse Server prior to versions 8.6.69 and 9.7.0-alpha.14 can bypass immutability protections on session fields by submitting null values in PUT requests to the session update endpoint, allowing indefinite session validity and circumventing configured session expiration policies. The vulnerability requires valid authentication credentials to exploit and has been patched in the specified versions.
Stripe PaymentIntent replay vulnerability in mppx payment handler allows attackers to bypass idempotency checks and consume resources by replaying captured Stripe credentials against new challenges without actual charges. The vulnerability affects mppx versions prior to 0.4.11, where the server failed to validate Stripe's Idempotent-Replayed response header during PaymentIntent creation, enabling unlimited resource consumption from a single valid payment credential.
The soroban-sdk Rust SDK contains a cryptographic comparison vulnerability in Fr (scalar field) types for BN254 and BLS12-381 curves that fails to reduce unreduced field elements modulo the field modulus r before equality comparison. This allows attackers to supply crafted Fr values that are mathematically equal but compare as unequal when unreduced, potentially bypassing security-critical authorization or validation logic in smart contracts. The vulnerability affects versions prior to 22.0.11, 23.5.3, and 25.3.0; with a CVSS score of 5.3 (Medium), it poses moderate risk primarily to contract integrity rather than confidentiality.
A vulnerability in the RADIUS setting Reject RADIUS requests from clients with repeated failures on Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to cause Cisco. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authorization-model destruction in FlaskBB forum software (versions up to and including 2.2.0) lets an authenticated administrator wipe all six built-in permission groups through the management bulk-delete AJAX endpoint. Because the endpoint compares JSON integer group IDs against string literals, the guard meant to protect built-in groups never matches and silently allows their removal, collapsing the forum's entire permission model and potentially bricking the site. No public exploit identified at time of analysis; the flaw was reported by VulnCheck and is fixed in commit a5da9a5.
Incorrect comparison in HdrHistogram's DoubleHistogram.recordValue() range check allows a local, low-privileged attacker to manipulate histogram integrity by recording out-of-range values that bypass the bounds check. Versions up to and including 2.2.2 are affected. No public exploit identified at time of analysis - publicly available exploit code exists, and the project maintainer has not responded to the responsible disclosure, leaving the vulnerability unpatched.
Silent type confusion in js-toml's TOML interpreter allows attacker-controlled input to overwrite falsy primitive values (false, 0, empty string) with truthy objects, defeating duplicate-key enforcement required by TOML 1.0.0 spec. All versions of js-toml up to and including 1.1.1 are affected via the npm package (pkg:npm/js-toml). Attackers who can supply TOML input to an application using this parser can cause security-gated boolean checks such as if (config.isAdmin) or if (!user.banned) to silently evaluate as truthy, enabling authentication bypass. A working proof-of-concept is publicly available in the GitHub security advisory GHSA-m34p-749j-x6m6; no confirmed active exploitation (CISA KEV) has been identified at time of analysis.
Detection bypass in @hulumi/policies versions prior to 1.4.0 allows IAM trust policies that list multiple OIDC federated providers to evade the G_OIDC_1 and G_OIDC_2 policy checks for GitHub Actions OIDC roles. Consumers of HulumiHardeningPack or HulumiGithubHardeningPack can therefore ship roles with wildcard sub: conditions - assumable by untrusted forked-PR workflows - while the validator falsely reports compliance, including missing the AdministratorAccess blast-radius flag. No public exploit identified at time of analysis, and there is no CISA KEV listing.
Local privilege escalation in NousResearch hermes-agent 2026.4.23 allows authenticated local users to manipulate plugin discovery logic via HERMES_ENABLE_PROJECT_PLUGINS environment variable, resulting in unauthorized information disclosure and potential integrity compromise of the CLI web-dashboard interface. Publicly available exploit code exists (EPSS data not provided, not listed in CISA KEV). The vendor did not respond to responsible disclosure attempts, leaving remediation status uncertain.
fast-jwt before 6.2.1 fails to properly validate JWTs when RegExp modifiers with stateful behavior (/g for global matching and /y for sticky matching) are used in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options. This causes valid authentication tokens to be rejected in an alternating 50% failure pattern due to RegExp state persistence across verification calls, degrading availability of JWT-protected services without compromising token security itself. The vulnerability is fixed in version 6.2.1.
Authenticated users in Parse Server prior to versions 8.6.69 and 9.7.0-alpha.14 can bypass immutability protections on session fields by submitting null values in PUT requests to the session update endpoint, allowing indefinite session validity and circumventing configured session expiration policies. The vulnerability requires valid authentication credentials to exploit and has been patched in the specified versions.
Stripe PaymentIntent replay vulnerability in mppx payment handler allows attackers to bypass idempotency checks and consume resources by replaying captured Stripe credentials against new challenges without actual charges. The vulnerability affects mppx versions prior to 0.4.11, where the server failed to validate Stripe's Idempotent-Replayed response header during PaymentIntent creation, enabling unlimited resource consumption from a single valid payment credential.
The soroban-sdk Rust SDK contains a cryptographic comparison vulnerability in Fr (scalar field) types for BN254 and BLS12-381 curves that fails to reduce unreduced field elements modulo the field modulus r before equality comparison. This allows attackers to supply crafted Fr values that are mathematically equal but compare as unequal when unreduced, potentially bypassing security-critical authorization or validation logic in smart contracts. The vulnerability affects versions prior to 22.0.11, 23.5.3, and 25.3.0; with a CVSS score of 5.3 (Medium), it poses moderate risk primarily to contract integrity rather than confidentiality.
A vulnerability in the RADIUS setting Reject RADIUS requests from clients with repeated failures on Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to cause Cisco. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.