Suse
Monthly
Heap use-after-free in ImageMagick's MSL decoder (versions before 7.1.2-16 and 6.9.13-41) allows remote attackers to trigger memory access violations via specially crafted MSL files, resulting in denial of service. The vulnerability requires no authentication or user interaction and affects systems processing untrusted image files. No patch is currently available for this MEDIUM severity issue.
Medium severity vulnerability in ImageMagick. A heap-buffer-overflow vulnerability exists in the PCL encode due to an undersized output buffer allocation.
High severity vulnerability in ImageMagick. A stack buffer overflow exists in ImageMagick's morphology kernel parsing functions. User-controlled kernel strings exceeding a buffer are copied into fixed-size stack buffers via memcpy without bounds checking, resulting in stack corruption.
Medium severity vulnerability in ImageMagick. An integer overflow vulnerability exists in the SIXEL decoer. The vulnerability allows an attacker to perform an out of bounds via a specially crafted mage.
Ghostty terminal emulator allows control characters embedded in pasted or drag-and-dropped text to execute arbitrary commands in certain shell environments, requiring only user interaction to trigger. An attacker can craft malicious text with invisible control sequences that, when copied/pasted by a user, execute unintended commands with the user's privileges. No patch is currently available for this vulnerability.
In the Linux kernel, the following vulnerability has been resolved: fs/xattr: missing fdput() in fremovexattr error path In the Linux kernel, the fremovexattr() syscall calls fdget() to acquire a file reference but returns early without calling fdput() when strncpy_from_user() fails on the name argument.
GNU Binutils thru 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF .debug_rnglists data. [CVSS 6.2 MEDIUM]
GNU Binutils thru 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF loclists data. [CVSS 6.2 MEDIUM]
Out-of-bounds read in libssh versions up to 0.11.3 allows remote attackers to cause denial of service by manipulating the idx argument in the SFTP extension name handler functions. The vulnerability resides in the sftp_extensions_get_name and sftp_extensions_get_data functions, enabling unauthenticated attackers to trigger memory access violations without user interaction. Upgrading to libssh 0.11.4 or 0.12.0 resolves this issue.
OS command injection in WeKnora from version 0.2.5 allows authenticated users to execute arbitrary system commands. CVSS 9.9 with scope change. PoC available.
SQL injection in WeKnora LLM document understanding framework allows authenticated users to extract arbitrary database contents. CVSS 9.9 with scope change. PoC available.
WeKnora versions prior to 0.2.12 suffer from inadequate tenant isolation in database queries, permitting any authenticated user to access sensitive data from other tenants including API keys, model configurations, and private messages. The vulnerability affects multi-tenant deployments where account-level access controls fail to prevent cross-tenant data exfiltration. No patch is currently available for affected versions.
DNS rebinding in WeKnora's web_fetch tool allows authenticated attackers to bypass URL validation and access internal resources and private IP addresses on the server through malicious domains that resolve differently during validation versus execution. Public exploit code exists for this vulnerability, and versions prior to 0.3.0 are affected with no patch currently available. An attacker could leverage this to access sensitive local services and exfiltrate data from the affected system.
Weknora versions up to 0.3.0 is affected by authorization bypass through user-controlled key (CVSS 5.3).
Tool name collision in WeKnora's MCP client integration allows remote attackers with network access to register malicious tools that overwrite legitimate ones, enabling prompt injection attacks and potential data exfiltration. An attacker exploiting this vulnerability can redirect LLM execution to steal system prompts and context data, or execute arbitrary tools with the privileges of authenticated users. This affects WeKnora versions prior to 0.3.0.
Insufficient authorization checks in WeKnora's tenant management endpoints allow any authenticated user to read, modify, or delete arbitrary tenants, with public exploit code available. Since the application allows open registration, unauthenticated attackers can register an account and exploit this flaw to perform cross-tenant account takeover and data destruction. No patch is currently available for this high-severity vulnerability affecting WeKnora AI/ML framework versions prior to 0.3.2.
Caddy versions 2.7.5 through 2.11.1 contain a template injection vulnerability in the vars_regexp matcher that allows remote attackers to perform double variable expansion on user-controlled input, enabling disclosure of environment variables and file contents. By injecting placeholders like {env.DATABASE_URL} or {file./etc/passwd} into request headers, an unauthenticated attacker can leak sensitive system information. Public exploit code exists for this vulnerability, which is fixed in version 2.11.2.
Caddy versions 2.10.0 through 2.11.1 fail to strip client-supplied headers in the forward_auth copy_headers directive, enabling authenticated attackers to inject identity headers and escalate privileges. This authentication bypass vulnerability affects deployments relying on Caddy for request forwarding and has public exploit code available. The vulnerability requires valid authentication credentials but allows complete privilege elevation within affected systems.
Netmaker versions prior to 1.5.0 expose WireGuard private keys through unauthenticated API endpoints when accessed by users with the platform-user role, allowing credential theft across all network configurations despite UI-level access restrictions. An authenticated attacker can retrieve sensitive cryptographic material by directly calling GET /api/extclients/{network} or GET /api/nodes/{network} endpoints that lack proper output filtering. This vulnerability affects Netmaker and its integrated WireGuard deployments, with no patch currently available for affected versions.
Netmaker versions prior to 1.5.0 fail to properly validate role assignments in the user update API endpoint, allowing authenticated admin users to escalate their privileges to super-admin. An attacker with admin credentials can exploit this authorization bypass to gain unrestricted access to the platform. No patch is currently available for affected installations.
PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. [CVSS 7.5 HIGH]
SSRF in Soft Serve Git server versions 0.6.0 to 0.11.3 allows authenticated attackers to make requests to internal services. PoC and patch available.
Netmaker versions prior to 1.5.0 fail to properly validate host JWT tokens during authorization, allowing any attacker with knowledge of target object identifiers to bypass access controls and read, modify, or delete resources across different hosts. The vulnerability affects critical operations including node management, host deletion, and failover configurations, requiring only a valid host token and network access to exploit. Update to version 1.5.0 or later to remediate.
Remote denial of service in cpp-httplib prior to version 0.37.0 allows unauthenticated attackers to crash server processes by submitting HTTP POST requests with maliciously crafted RFC 5987 filename* parameters that trigger catastrophic backtracking in the regex parser. The vulnerability exploits the recursive stack-based implementation of libstdc++'s regex engine, causing uncontrolled stack growth and stack overflow. Public exploit code exists for this vulnerability.
ZITADEL is an open source identity management platform. [CVSS 8.2 HIGH]
Account takeover in Zitadel versions 4.0.0 through 4.11.1 is possible through improper redirect URI validation in the login V2 interface, allowing attackers with high privileges to compromise user accounts. This cross-site scripting vulnerability affects organizations using the vulnerable Zitadel identity management platform and has been resolved in version 4.12.0.
Stored XSS in ZITADEL identity management platform versions 4.0.0 to 4.11.1 allows unauthenticated attackers to inject persistent scripts through the login flow. Patch available.
WeKnora's document import feature is vulnerable to Server-Side Request Forgery through HTTP redirects, allowing unauthenticated remote attackers to bypass URL validation controls and access internal services despite backend protections against private IPs and metadata endpoints. The vulnerability affects WeKnora versions prior to 0.2.12 when deployed in Docker environments, where host.docker.internal addresses are not blocked. Public exploit code exists and no patch is currently available.
OliveTin prior to version 3000.11.1 fails to enforce view permission checks on dashboard and API endpoints, allowing authenticated users to enumerate action bindings, titles, IDs, icons, and argument metadata despite having restricted access. While command execution remains properly denied, this information disclosure enables attackers to map available actions and their configurations. Public exploit code exists for this medium-severity vulnerability, and a patch is available.
OliveTin versions prior to 3000.11.1 contain an authentication bypass in RestartAction that allows authenticated users to execute shell commands beyond their assigned permissions. The vulnerability stems from improper request context handling that causes the system to fall back to guest user privileges, which may have broader access than the authenticated caller. Public exploit code exists for this medium-severity flaw that enables privilege escalation and unauthorized command execution.
OliveTin prior to version 3000.11.1 fails to invalidate server-side sessions upon user logout, allowing attackers with a stolen session cookie to maintain authenticated access even after the legitimate user logs out. The vulnerability persists because browser cookies are cleared while the corresponding server session remains valid for approximately one year by default. Public exploit code exists for this session management bypass.
OliveTin gives access to predefined shell commands from a web interface. [CVSS 8.8 HIGH]
GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an abort (SIGABRT) when processing a crafted ELF binary with malformed DWARF abbrev or debug information. [CVSS 6.2 MEDIUM]
GNU Binutils thru 2.46 readelf contains a double free vulnerability when processing a crafted ELF binary with malformed relocation data. During GOT relocation handling, dump_relocations may return early without initializing the all_relocations array. [CVSS 7.5 HIGH]
GNU Binutils thru 2.46 readelf contains a null pointer dereference vulnerability when processing a crafted ELF binary with malformed header fields. [CVSS 7.5 HIGH]
Arbitrary code execution in TimescaleDB 2.23.0 through 2.25.1 allows local authenticated users to execute malicious functions by shadowing built-in PostgreSQL functions through user-writable schemas in the search_path setting during extension upgrades. An attacker with database access can create malicious functions in writable schemas that are invoked instead of legitimate PostgreSQL functions, resulting in code execution with database privileges. No patch is currently available for affected installations.
GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an invalid pointer free when processing a crafted ELF binary with malformed relocation or symbol data. If dump_relocations returns early due to parsing errors, the internal all_relocations array may remain partially uninitialized. [CVSS 5.5 MEDIUM]
Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug_rnglists data. [CVSS 5.5 MEDIUM]
Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug information. [CVSS 5.5 MEDIUM]
An issue was discovered in Binutils before 2.46. The objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed debug information. [CVSS 5.0 MEDIUM]
Zarf is an Airgap Native Packager Manager for Kubernetes. [CVSS 8.2 HIGH]
An authenticated Zabbix user (User role) with template/host write permissions is able to create objects via the configuration.import API. This can lead to confidentiality loss by creating unauthorized hosts.
Reflected XSS in SiYuan knowledge management before 3.5.9.
SQL injection in SiYuan prior to version 3.6.0 allows any authenticated user, including those with read-only access, to execute arbitrary database queries through the /api/query/sql endpoint due to insufficient authorization checks. Public exploit code exists for this vulnerability, enabling attackers to extract sensitive data or modify the knowledge base contents. No patch is currently available for affected versions.
Shell command injection in Nuclio serverless framework before 1.15.20. PoC and patch available.
pypdf versions prior to 6.7.5 are vulnerable to denial-of-service attacks where specially crafted PDF files with ASCIIHexDecode filtered streams can cause excessive processing time and application hang. An unauthenticated attacker can exploit this by providing a malicious PDF that consumes significant computational resources when processed. A patch is available in version 6.7.5 and later.
Gokapi versions prior to 2.2.3 lack CSRF protection on the login endpoint, allowing authenticated attackers to perform unwanted actions on behalf of legitimate users through malicious cross-site requests. An attacker can exploit this by crafting a webpage that tricks a logged-in user into unknowingly submitting forged login credentials or session-modifying requests. The vulnerability requires user interaction and a prior login session but could lead to unauthorized account access or session hijacking on self-hosted Gokapi instances.
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. [CVSS 5.4 MEDIUM]
Privilege escalation in Gokapi prior to version 2.2.3 allows authenticated users to generate API keys with elevated permissions for file request management, despite lacking those privileges themselves. This affects deployments where no administrative users have access to the upload menu, enabling unauthorized users to create or modify file requests. No patch is currently available.
Stored XSS in Gokapi through malicious SVG file uploads enables authenticated attackers to execute arbitrary JavaScript in users' browsers via hotlinked files. An attacker with valid credentials can craft SVG payloads that persist in the application and compromise other users accessing the shared links. No patch is currently available for versions prior to 2.2.3.
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. [CVSS 6.4 MEDIUM]
Unauthorized file operations in File Browser before fix. PoC and patch available.
File Browser versions prior to 2.61.0 incorrectly set the filesystem root to a parent directory when generating public share links, enabling any user with a share link to access and download files from sibling directories beyond the intended shared folder. This authenticated network-based vulnerability affects Golang and Filebrowser and has public exploit code available. The issue is resolved in version 2.61.0 and later.
OliveTin versions prior to 3000.11.0 suffer from broken access control allowing unauthenticated users to invoke the KillAction RPC endpoint and terminate running shell command executions, bypassing authentication restrictions. Public exploit code exists for this vulnerability, enabling remote denial of service attacks against legitimate administrative actions. The vulnerability affects OliveTin deployments regardless of authentication settings and has been remediated in version 3000.11.0 and later.
OliveTin versions prior to 3000.10.3 are vulnerable to unauthenticated denial-of-service attacks when OAuth2 authentication is enabled, allowing remote attackers to crash the application by sending concurrent requests to the login endpoint. The vulnerability stems from unsynchronized access to shared state during OAuth2 processing, triggering a Go runtime panic. Public exploit code exists for this high-severity flaw, which is patched in version 3000.10.3 and later.
lxml_html_clean versions prior to 0.4.4 fail to sanitize <base> HTML tags, allowing attackers to inject malicious base tags and redirect relative links to attacker-controlled domains. Public exploit code exists for this vulnerability. The issue affects applications using the default Cleaner configuration and has been remediated in version 0.4.4.
lxml_html_clean versions before 0.4.4 fail to properly sanitize CSS Unicode escape sequences in the _has_sneaky_javascript() method, allowing attackers to bypass filters and inject malicious @import statements or XSS payloads. Public exploit code exists for this vulnerability, which affects applications using the library for HTML sanitization. A patch is available in version 0.4.4 and should be applied immediately to prevent CSS-based injection attacks.
OliveTin versions prior to 3000.10.2 are vulnerable to unauthenticated denial of service through the PasswordHash API endpoint, which lacks request throttling or authentication controls and allows attackers to trigger excessive memory allocation via concurrent hashing requests. An attacker can exhaust container memory by sending multiple parallel requests, causing service degradation or complete outage. Public exploit code exists for this vulnerability, and a patch is available in version 3000.10.2 and later.
Unauthenticated backup download and RCE in Nginx UI before 2.3.3. EPSS 1.0%. PoC available.
Traefik versions prior to 2.11.38 and 3.6.9 fail to limit memory allocation when processing ForwardAuth middleware responses, allowing a malicious or compromised authentication server to trigger unbounded memory consumption. An attacker controlling the auth server can return an arbitrarily large response body that causes the Traefik process to exhaust available memory and crash, resulting in denial of service for all proxied routes. A patch is available in the specified versions.
Gogs versions prior to 0.14.2 contain a DOM-based XSS vulnerability in the Issue creation page where attackers can inject malicious scripts through milestone names that execute when other users interact with those milestones. An authenticated attacker can craft a repository with a malicious milestone name containing JavaScript payloads that trigger in victim browsers, potentially compromising user sessions or sensitive data. No patch is currently available for affected versions.
Gogs versions prior to 0.14.2 expose authentication tokens in URL parameters, allowing credentials to be captured through server logs, browser history, and HTTP referrer headers. This information disclosure vulnerability affects self-hosted Gogs instances and could enable attackers to gain unauthorized API access if tokens are leaked through these channels. A patch is available in version 0.14.2 and later.
Stored cross-site scripting in Gogs prior to version 0.14.2 allows unauthenticated attackers to inject malicious scripts through template rendering of user-controlled data, potentially affecting all users viewing compromised content. The vulnerability exploits unsafe handling of data URLs combined with permissive sanitization, enabling attackers to steal session cookies, deface pages, or perform actions on behalf of victims. A patch is available in version 0.14.2 and later.
Gogs prior to version 0.14.2 contains a command injection vulnerability in release deletion functionality where improper handling of user-controlled tag names allows git options to be injected into git commands. An authenticated attacker with UI interaction can exploit this to achieve integrity and availability impacts. Public exploit code exists for this vulnerability.
Stored XSS in Gogs prior to version 0.14.2 allows authenticated users to execute arbitrary JavaScript in comments and issue descriptions by exploiting the HTML sanitizer's allowance of data: URI schemes. This affects all users viewing malicious content within the same Gogs instance and could enable session hijacking or credential theft. Public exploit code exists for this vulnerability, though a patch is available in version 0.14.2 and later.
Supply chain attack via LFS object overwrite across repos in Gogs before 0.14.2. PoC and patch available.
Unauthenticated attackers can abuse missing authorization controls in RustDesk Server's rendezvous and relay modules (hbbs/hbbr) to gain unauthorized privileges through exposed critical functions like punch hole requests and peer registration. This vulnerability affects RustDesk Server versions through 1.7.5 and 1.1.15, enabling remote privilege escalation over the network with no authentication required. No patch is currently available.
Improper access control in the Linux kernel affects SUSE Linux Enterprise Server 12 SP5, causing nftables firewall rules to become ineffective and allowing network traffic to bypass intended filtering policies. An unauthenticated remote attacker can exploit this vulnerability to circumvent firewall protections without user interaction. No patch is currently available for this vulnerability.
Insecure embedded zlib in Compress::Raw::Zlib through 2.219 for Perl.
Insecure session ID generation in Plack::Middleware::Session::Simple before 0.05 for Perl. Patch available.
The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.
Sandbox escape via navigation validation in Chrome before 145.0.7632.159. Patch available.
Google Chrome versions before 145.0.7632.159 contain a heap buffer overflow in the WebCodecs component that enables remote attackers to write data outside allocated memory bounds through malicious HTML pages. An unauthenticated attacker can exploit this vulnerability with minimal user interaction to achieve arbitrary code execution on affected systems. A patch is available in Chrome 145.0.7632.159 and later.
Out-of-bounds memory access in Google Chrome's V8 engine (versions prior to 145.0.7632.159) enables remote attackers to achieve memory corruption through malicious HTML pages without requiring user privileges beyond standard interaction. The vulnerability affects all Chrome users and could potentially lead to information disclosure, data corruption, or code execution depending on memory layout and exploitation context.
Out-of-bounds memory access in Google Chrome's WebAssembly implementation (versions prior to 145.0.7632.159) enables remote attackers to achieve full memory corruption through malicious HTML pages, requiring only user interaction. An attacker can exploit this to read sensitive data, modify memory, or crash the browser with no authentication needed. A patch is available in Chrome 145.0.7632.159 and later.
Out-of-bounds memory read in Google Chrome's CSS implementation (versions prior to 145.0.7632.159) allows network attackers to read sensitive memory contents by tricking users into viewing a malicious HTML page. The vulnerability requires user interaction but carries high impact, enabling information disclosure without authentication or special privileges. A patch is available in Chrome 145.0.7632.159 and later.
Out-of-bounds memory access in Google Chrome's WebAudio component (versions prior to 145.0.7632.159) enables remote attackers to read, modify, or crash the browser by tricking users into visiting malicious web pages. This network-based vulnerability requires no special privileges and affects all Chrome users who interact with untrusted content. A patch is available in Chrome 145.0.7632.159 and later versions.
Heap corruption in Google Chrome's DevTools prior to version 145.0.7632.159 can be triggered through a malicious extension, requiring user installation and interaction. An attacker exploiting this object lifecycle vulnerability could achieve arbitrary code execution with full system privileges. A patch is available in Chrome 145.0.7632.159 and later versions.
Google Chrome's Skia rendering engine contains an integer overflow flaw that enables remote attackers to access out-of-bounds memory when processing malicious HTML pages. Affected users running Chrome versions prior to 145.0.7632.159 could face memory corruption leading to information disclosure, data modification, or denial of service. A security patch is available to remediate this critical vulnerability.
Heap corruption in Chrome's PowerVR graphics driver on Android versions prior to 145.0.7632.159 can be triggered through malicious HTML pages, potentially enabling remote code execution without user interaction beyond visiting a compromised website. The vulnerability stems from improper object lifecycle management and affects all Android users running vulnerable Chrome versions. A patch is available and should be applied immediately given the high exploitation potential.
Google Chrome's ANGLE graphics library before version 145.0.7632.159 contains an integer overflow vulnerability that enables remote attackers to access out-of-bounds memory through malicious HTML pages. An unauthenticated attacker can exploit this flaw by tricking users into visiting a crafted webpage, potentially compromising confidentiality, integrity, and availability. A patch is available in Chrome 145.0.7632.159 and later versions.
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. [CVSS 7.5 HIGH]
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. [CVSS 5.3 MEDIUM]
ClamAV's HTML CSS parser fails to properly handle UTF-8 string operations, enabling remote attackers to crash the scanning engine by submitting a malicious HTML file. An unauthenticated attacker can exploit this weakness over the network without user interaction to achieve denial of service. No patch is currently available.
Rancher Backup And Restore Operator is affected by insertion of sensitive information into log file (CVSS 6.8).
The Linux kernel's Classmate laptop driver lacks NULL pointer checks in sysfs attribute handlers, allowing local users to trigger a denial of service by accessing device attributes before driver initialization completes. A premature sysfs access can cause the driver to dereference a NULL pointer when retrieving uninitialized device data, crashing the affected system.
Local privilege escalation in Linux kernel f2fs sysfs attributes allows unprivileged users to trigger out-of-bounds memory access and cause denial of service by writing oversized integer values to filesystem control interfaces. The vulnerability stems from improper bounds checking when mapping sysfs attributes to kernel structures of varying integer sizes, enabling attackers to corrupt kernel memory and crash the system. No patch is currently available for this vulnerability.
A use-after-free vulnerability in the Linux kernel's f2fs filesystem allows a local attacker with user privileges to trigger memory corruption and crash the system through a race condition between I/O completion and filesystem unmount operations. The vulnerability occurs when a loop device completes write operations concurrently with an unmount that frees filesystem structures still being accessed by pending I/O handlers. This issue has no available patch and requires kernel-level access to exploit.
F2FS swapfile memory corruption in Linux kernel 6.6+ allows local attackers with user privileges to cause data corruption through improper physical block mapping when using fragmented swapfiles smaller than the F2FS section size. Public exploit code exists for this vulnerability, and attackers can trigger dm-verity corruption errors or F2FS node corruption leading to system crashes and data loss. No patch is currently available.
A revert of a Linux kernel patch introduces a potential deadlock condition in the f2fs filesystem when concurrent write operations and checkpoint operations occur, allowing a local user with write permissions to cause a denial of service through system hang. The vulnerability affects the Linux kernel's f2fs module and requires low privileges to trigger. No patch is currently available to address this issue.
Heap use-after-free in ImageMagick's MSL decoder (versions before 7.1.2-16 and 6.9.13-41) allows remote attackers to trigger memory access violations via specially crafted MSL files, resulting in denial of service. The vulnerability requires no authentication or user interaction and affects systems processing untrusted image files. No patch is currently available for this MEDIUM severity issue.
Medium severity vulnerability in ImageMagick. A heap-buffer-overflow vulnerability exists in the PCL encode due to an undersized output buffer allocation.
High severity vulnerability in ImageMagick. A stack buffer overflow exists in ImageMagick's morphology kernel parsing functions. User-controlled kernel strings exceeding a buffer are copied into fixed-size stack buffers via memcpy without bounds checking, resulting in stack corruption.
Medium severity vulnerability in ImageMagick. An integer overflow vulnerability exists in the SIXEL decoer. The vulnerability allows an attacker to perform an out of bounds via a specially crafted mage.
Ghostty terminal emulator allows control characters embedded in pasted or drag-and-dropped text to execute arbitrary commands in certain shell environments, requiring only user interaction to trigger. An attacker can craft malicious text with invisible control sequences that, when copied/pasted by a user, execute unintended commands with the user's privileges. No patch is currently available for this vulnerability.
In the Linux kernel, the following vulnerability has been resolved: fs/xattr: missing fdput() in fremovexattr error path In the Linux kernel, the fremovexattr() syscall calls fdget() to acquire a file reference but returns early without calling fdput() when strncpy_from_user() fails on the name argument.
GNU Binutils thru 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF .debug_rnglists data. [CVSS 6.2 MEDIUM]
GNU Binutils thru 2.45.1 readelf contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF loclists data. [CVSS 6.2 MEDIUM]
Out-of-bounds read in libssh versions up to 0.11.3 allows remote attackers to cause denial of service by manipulating the idx argument in the SFTP extension name handler functions. The vulnerability resides in the sftp_extensions_get_name and sftp_extensions_get_data functions, enabling unauthenticated attackers to trigger memory access violations without user interaction. Upgrading to libssh 0.11.4 or 0.12.0 resolves this issue.
OS command injection in WeKnora from version 0.2.5 allows authenticated users to execute arbitrary system commands. CVSS 9.9 with scope change. PoC available.
SQL injection in WeKnora LLM document understanding framework allows authenticated users to extract arbitrary database contents. CVSS 9.9 with scope change. PoC available.
WeKnora versions prior to 0.2.12 suffer from inadequate tenant isolation in database queries, permitting any authenticated user to access sensitive data from other tenants including API keys, model configurations, and private messages. The vulnerability affects multi-tenant deployments where account-level access controls fail to prevent cross-tenant data exfiltration. No patch is currently available for affected versions.
DNS rebinding in WeKnora's web_fetch tool allows authenticated attackers to bypass URL validation and access internal resources and private IP addresses on the server through malicious domains that resolve differently during validation versus execution. Public exploit code exists for this vulnerability, and versions prior to 0.3.0 are affected with no patch currently available. An attacker could leverage this to access sensitive local services and exfiltrate data from the affected system.
Weknora versions up to 0.3.0 is affected by authorization bypass through user-controlled key (CVSS 5.3).
Tool name collision in WeKnora's MCP client integration allows remote attackers with network access to register malicious tools that overwrite legitimate ones, enabling prompt injection attacks and potential data exfiltration. An attacker exploiting this vulnerability can redirect LLM execution to steal system prompts and context data, or execute arbitrary tools with the privileges of authenticated users. This affects WeKnora versions prior to 0.3.0.
Insufficient authorization checks in WeKnora's tenant management endpoints allow any authenticated user to read, modify, or delete arbitrary tenants, with public exploit code available. Since the application allows open registration, unauthenticated attackers can register an account and exploit this flaw to perform cross-tenant account takeover and data destruction. No patch is currently available for this high-severity vulnerability affecting WeKnora AI/ML framework versions prior to 0.3.2.
Caddy versions 2.7.5 through 2.11.1 contain a template injection vulnerability in the vars_regexp matcher that allows remote attackers to perform double variable expansion on user-controlled input, enabling disclosure of environment variables and file contents. By injecting placeholders like {env.DATABASE_URL} or {file./etc/passwd} into request headers, an unauthenticated attacker can leak sensitive system information. Public exploit code exists for this vulnerability, which is fixed in version 2.11.2.
Caddy versions 2.10.0 through 2.11.1 fail to strip client-supplied headers in the forward_auth copy_headers directive, enabling authenticated attackers to inject identity headers and escalate privileges. This authentication bypass vulnerability affects deployments relying on Caddy for request forwarding and has public exploit code available. The vulnerability requires valid authentication credentials but allows complete privilege elevation within affected systems.
Netmaker versions prior to 1.5.0 expose WireGuard private keys through unauthenticated API endpoints when accessed by users with the platform-user role, allowing credential theft across all network configurations despite UI-level access restrictions. An authenticated attacker can retrieve sensitive cryptographic material by directly calling GET /api/extclients/{network} or GET /api/nodes/{network} endpoints that lack proper output filtering. This vulnerability affects Netmaker and its integrated WireGuard deployments, with no patch currently available for affected versions.
Netmaker versions prior to 1.5.0 fail to properly validate role assignments in the user update API endpoint, allowing authenticated admin users to escalate their privileges to super-admin. An attacker with admin credentials can exploit this authorization bypass to gain unrestricted access to the platform. No patch is currently available for affected installations.
PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. [CVSS 7.5 HIGH]
SSRF in Soft Serve Git server versions 0.6.0 to 0.11.3 allows authenticated attackers to make requests to internal services. PoC and patch available.
Netmaker versions prior to 1.5.0 fail to properly validate host JWT tokens during authorization, allowing any attacker with knowledge of target object identifiers to bypass access controls and read, modify, or delete resources across different hosts. The vulnerability affects critical operations including node management, host deletion, and failover configurations, requiring only a valid host token and network access to exploit. Update to version 1.5.0 or later to remediate.
Remote denial of service in cpp-httplib prior to version 0.37.0 allows unauthenticated attackers to crash server processes by submitting HTTP POST requests with maliciously crafted RFC 5987 filename* parameters that trigger catastrophic backtracking in the regex parser. The vulnerability exploits the recursive stack-based implementation of libstdc++'s regex engine, causing uncontrolled stack growth and stack overflow. Public exploit code exists for this vulnerability.
ZITADEL is an open source identity management platform. [CVSS 8.2 HIGH]
Account takeover in Zitadel versions 4.0.0 through 4.11.1 is possible through improper redirect URI validation in the login V2 interface, allowing attackers with high privileges to compromise user accounts. This cross-site scripting vulnerability affects organizations using the vulnerable Zitadel identity management platform and has been resolved in version 4.12.0.
Stored XSS in ZITADEL identity management platform versions 4.0.0 to 4.11.1 allows unauthenticated attackers to inject persistent scripts through the login flow. Patch available.
WeKnora's document import feature is vulnerable to Server-Side Request Forgery through HTTP redirects, allowing unauthenticated remote attackers to bypass URL validation controls and access internal services despite backend protections against private IPs and metadata endpoints. The vulnerability affects WeKnora versions prior to 0.2.12 when deployed in Docker environments, where host.docker.internal addresses are not blocked. Public exploit code exists and no patch is currently available.
OliveTin prior to version 3000.11.1 fails to enforce view permission checks on dashboard and API endpoints, allowing authenticated users to enumerate action bindings, titles, IDs, icons, and argument metadata despite having restricted access. While command execution remains properly denied, this information disclosure enables attackers to map available actions and their configurations. Public exploit code exists for this medium-severity vulnerability, and a patch is available.
OliveTin versions prior to 3000.11.1 contain an authentication bypass in RestartAction that allows authenticated users to execute shell commands beyond their assigned permissions. The vulnerability stems from improper request context handling that causes the system to fall back to guest user privileges, which may have broader access than the authenticated caller. Public exploit code exists for this medium-severity flaw that enables privilege escalation and unauthorized command execution.
OliveTin prior to version 3000.11.1 fails to invalidate server-side sessions upon user logout, allowing attackers with a stolen session cookie to maintain authenticated access even after the legitimate user logs out. The vulnerability persists because browser cookies are cleared while the corresponding server session remains valid for approximately one year by default. Public exploit code exists for this session management bypass.
OliveTin gives access to predefined shell commands from a web interface. [CVSS 8.8 HIGH]
GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an abort (SIGABRT) when processing a crafted ELF binary with malformed DWARF abbrev or debug information. [CVSS 6.2 MEDIUM]
GNU Binutils thru 2.46 readelf contains a double free vulnerability when processing a crafted ELF binary with malformed relocation data. During GOT relocation handling, dump_relocations may return early without initializing the all_relocations array. [CVSS 7.5 HIGH]
GNU Binutils thru 2.46 readelf contains a null pointer dereference vulnerability when processing a crafted ELF binary with malformed header fields. [CVSS 7.5 HIGH]
Arbitrary code execution in TimescaleDB 2.23.0 through 2.25.1 allows local authenticated users to execute malicious functions by shadowing built-in PostgreSQL functions through user-writable schemas in the search_path setting during extension upgrades. An attacker with database access can create malicious functions in writable schemas that are invoked instead of legitimate PostgreSQL functions, resulting in code execution with database privileges. No patch is currently available for affected installations.
GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an invalid pointer free when processing a crafted ELF binary with malformed relocation or symbol data. If dump_relocations returns early due to parsing errors, the internal all_relocations array may remain partially uninitialized. [CVSS 5.5 MEDIUM]
Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug_rnglists data. [CVSS 5.5 MEDIUM]
Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed DWARF debug information. [CVSS 5.5 MEDIUM]
An issue was discovered in Binutils before 2.46. The objdump contains a denial-of-service vulnerability when processing a crafted binary with malformed debug information. [CVSS 5.0 MEDIUM]
Zarf is an Airgap Native Packager Manager for Kubernetes. [CVSS 8.2 HIGH]
An authenticated Zabbix user (User role) with template/host write permissions is able to create objects via the configuration.import API. This can lead to confidentiality loss by creating unauthorized hosts.
Reflected XSS in SiYuan knowledge management before 3.5.9.
SQL injection in SiYuan prior to version 3.6.0 allows any authenticated user, including those with read-only access, to execute arbitrary database queries through the /api/query/sql endpoint due to insufficient authorization checks. Public exploit code exists for this vulnerability, enabling attackers to extract sensitive data or modify the knowledge base contents. No patch is currently available for affected versions.
Shell command injection in Nuclio serverless framework before 1.15.20. PoC and patch available.
pypdf versions prior to 6.7.5 are vulnerable to denial-of-service attacks where specially crafted PDF files with ASCIIHexDecode filtered streams can cause excessive processing time and application hang. An unauthenticated attacker can exploit this by providing a malicious PDF that consumes significant computational resources when processed. A patch is available in version 6.7.5 and later.
Gokapi versions prior to 2.2.3 lack CSRF protection on the login endpoint, allowing authenticated attackers to perform unwanted actions on behalf of legitimate users through malicious cross-site requests. An attacker can exploit this by crafting a webpage that tricks a logged-in user into unknowingly submitting forged login credentials or session-modifying requests. The vulnerability requires user interaction and a prior login session but could lead to unauthorized account access or session hijacking on self-hosted Gokapi instances.
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. [CVSS 5.4 MEDIUM]
Privilege escalation in Gokapi prior to version 2.2.3 allows authenticated users to generate API keys with elevated permissions for file request management, despite lacking those privileges themselves. This affects deployments where no administrative users have access to the upload menu, enabling unauthorized users to create or modify file requests. No patch is currently available.
Stored XSS in Gokapi through malicious SVG file uploads enables authenticated attackers to execute arbitrary JavaScript in users' browsers via hotlinked files. An attacker with valid credentials can craft SVG payloads that persist in the application and compromise other users accessing the shared links. No patch is currently available for versions prior to 2.2.3.
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. [CVSS 6.4 MEDIUM]
Unauthorized file operations in File Browser before fix. PoC and patch available.
File Browser versions prior to 2.61.0 incorrectly set the filesystem root to a parent directory when generating public share links, enabling any user with a share link to access and download files from sibling directories beyond the intended shared folder. This authenticated network-based vulnerability affects Golang and Filebrowser and has public exploit code available. The issue is resolved in version 2.61.0 and later.
OliveTin versions prior to 3000.11.0 suffer from broken access control allowing unauthenticated users to invoke the KillAction RPC endpoint and terminate running shell command executions, bypassing authentication restrictions. Public exploit code exists for this vulnerability, enabling remote denial of service attacks against legitimate administrative actions. The vulnerability affects OliveTin deployments regardless of authentication settings and has been remediated in version 3000.11.0 and later.
OliveTin versions prior to 3000.10.3 are vulnerable to unauthenticated denial-of-service attacks when OAuth2 authentication is enabled, allowing remote attackers to crash the application by sending concurrent requests to the login endpoint. The vulnerability stems from unsynchronized access to shared state during OAuth2 processing, triggering a Go runtime panic. Public exploit code exists for this high-severity flaw, which is patched in version 3000.10.3 and later.
lxml_html_clean versions prior to 0.4.4 fail to sanitize <base> HTML tags, allowing attackers to inject malicious base tags and redirect relative links to attacker-controlled domains. Public exploit code exists for this vulnerability. The issue affects applications using the default Cleaner configuration and has been remediated in version 0.4.4.
lxml_html_clean versions before 0.4.4 fail to properly sanitize CSS Unicode escape sequences in the _has_sneaky_javascript() method, allowing attackers to bypass filters and inject malicious @import statements or XSS payloads. Public exploit code exists for this vulnerability, which affects applications using the library for HTML sanitization. A patch is available in version 0.4.4 and should be applied immediately to prevent CSS-based injection attacks.
OliveTin versions prior to 3000.10.2 are vulnerable to unauthenticated denial of service through the PasswordHash API endpoint, which lacks request throttling or authentication controls and allows attackers to trigger excessive memory allocation via concurrent hashing requests. An attacker can exhaust container memory by sending multiple parallel requests, causing service degradation or complete outage. Public exploit code exists for this vulnerability, and a patch is available in version 3000.10.2 and later.
Unauthenticated backup download and RCE in Nginx UI before 2.3.3. EPSS 1.0%. PoC available.
Traefik versions prior to 2.11.38 and 3.6.9 fail to limit memory allocation when processing ForwardAuth middleware responses, allowing a malicious or compromised authentication server to trigger unbounded memory consumption. An attacker controlling the auth server can return an arbitrarily large response body that causes the Traefik process to exhaust available memory and crash, resulting in denial of service for all proxied routes. A patch is available in the specified versions.
Gogs versions prior to 0.14.2 contain a DOM-based XSS vulnerability in the Issue creation page where attackers can inject malicious scripts through milestone names that execute when other users interact with those milestones. An authenticated attacker can craft a repository with a malicious milestone name containing JavaScript payloads that trigger in victim browsers, potentially compromising user sessions or sensitive data. No patch is currently available for affected versions.
Gogs versions prior to 0.14.2 expose authentication tokens in URL parameters, allowing credentials to be captured through server logs, browser history, and HTTP referrer headers. This information disclosure vulnerability affects self-hosted Gogs instances and could enable attackers to gain unauthorized API access if tokens are leaked through these channels. A patch is available in version 0.14.2 and later.
Stored cross-site scripting in Gogs prior to version 0.14.2 allows unauthenticated attackers to inject malicious scripts through template rendering of user-controlled data, potentially affecting all users viewing compromised content. The vulnerability exploits unsafe handling of data URLs combined with permissive sanitization, enabling attackers to steal session cookies, deface pages, or perform actions on behalf of victims. A patch is available in version 0.14.2 and later.
Gogs prior to version 0.14.2 contains a command injection vulnerability in release deletion functionality where improper handling of user-controlled tag names allows git options to be injected into git commands. An authenticated attacker with UI interaction can exploit this to achieve integrity and availability impacts. Public exploit code exists for this vulnerability.
Stored XSS in Gogs prior to version 0.14.2 allows authenticated users to execute arbitrary JavaScript in comments and issue descriptions by exploiting the HTML sanitizer's allowance of data: URI schemes. This affects all users viewing malicious content within the same Gogs instance and could enable session hijacking or credential theft. Public exploit code exists for this vulnerability, though a patch is available in version 0.14.2 and later.
Supply chain attack via LFS object overwrite across repos in Gogs before 0.14.2. PoC and patch available.
Unauthenticated attackers can abuse missing authorization controls in RustDesk Server's rendezvous and relay modules (hbbs/hbbr) to gain unauthorized privileges through exposed critical functions like punch hole requests and peer registration. This vulnerability affects RustDesk Server versions through 1.7.5 and 1.1.15, enabling remote privilege escalation over the network with no authentication required. No patch is currently available.
Improper access control in the Linux kernel affects SUSE Linux Enterprise Server 12 SP5, causing nftables firewall rules to become ineffective and allowing network traffic to bypass intended filtering policies. An unauthenticated remote attacker can exploit this vulnerability to circumvent firewall protections without user interaction. No patch is currently available for this vulnerability.
Insecure embedded zlib in Compress::Raw::Zlib through 2.219 for Perl.
Insecure session ID generation in Plack::Middleware::Session::Simple before 0.05 for Perl. Patch available.
The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.
Sandbox escape via navigation validation in Chrome before 145.0.7632.159. Patch available.
Google Chrome versions before 145.0.7632.159 contain a heap buffer overflow in the WebCodecs component that enables remote attackers to write data outside allocated memory bounds through malicious HTML pages. An unauthenticated attacker can exploit this vulnerability with minimal user interaction to achieve arbitrary code execution on affected systems. A patch is available in Chrome 145.0.7632.159 and later.
Out-of-bounds memory access in Google Chrome's V8 engine (versions prior to 145.0.7632.159) enables remote attackers to achieve memory corruption through malicious HTML pages without requiring user privileges beyond standard interaction. The vulnerability affects all Chrome users and could potentially lead to information disclosure, data corruption, or code execution depending on memory layout and exploitation context.
Out-of-bounds memory access in Google Chrome's WebAssembly implementation (versions prior to 145.0.7632.159) enables remote attackers to achieve full memory corruption through malicious HTML pages, requiring only user interaction. An attacker can exploit this to read sensitive data, modify memory, or crash the browser with no authentication needed. A patch is available in Chrome 145.0.7632.159 and later.
Out-of-bounds memory read in Google Chrome's CSS implementation (versions prior to 145.0.7632.159) allows network attackers to read sensitive memory contents by tricking users into viewing a malicious HTML page. The vulnerability requires user interaction but carries high impact, enabling information disclosure without authentication or special privileges. A patch is available in Chrome 145.0.7632.159 and later.
Out-of-bounds memory access in Google Chrome's WebAudio component (versions prior to 145.0.7632.159) enables remote attackers to read, modify, or crash the browser by tricking users into visiting malicious web pages. This network-based vulnerability requires no special privileges and affects all Chrome users who interact with untrusted content. A patch is available in Chrome 145.0.7632.159 and later versions.
Heap corruption in Google Chrome's DevTools prior to version 145.0.7632.159 can be triggered through a malicious extension, requiring user installation and interaction. An attacker exploiting this object lifecycle vulnerability could achieve arbitrary code execution with full system privileges. A patch is available in Chrome 145.0.7632.159 and later versions.
Google Chrome's Skia rendering engine contains an integer overflow flaw that enables remote attackers to access out-of-bounds memory when processing malicious HTML pages. Affected users running Chrome versions prior to 145.0.7632.159 could face memory corruption leading to information disclosure, data modification, or denial of service. A security patch is available to remediate this critical vulnerability.
Heap corruption in Chrome's PowerVR graphics driver on Android versions prior to 145.0.7632.159 can be triggered through malicious HTML pages, potentially enabling remote code execution without user interaction beyond visiting a compromised website. The vulnerability stems from improper object lifecycle management and affects all Android users running vulnerable Chrome versions. A patch is available and should be applied immediately given the high exploitation potential.
Google Chrome's ANGLE graphics library before version 145.0.7632.159 contains an integer overflow vulnerability that enables remote attackers to access out-of-bounds memory through malicious HTML pages. An unauthenticated attacker can exploit this flaw by tricking users into visiting a crafted webpage, potentially compromising confidentiality, integrity, and availability. A patch is available in Chrome 145.0.7632.159 and later versions.
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. [CVSS 7.5 HIGH]
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. [CVSS 5.3 MEDIUM]
ClamAV's HTML CSS parser fails to properly handle UTF-8 string operations, enabling remote attackers to crash the scanning engine by submitting a malicious HTML file. An unauthenticated attacker can exploit this weakness over the network without user interaction to achieve denial of service. No patch is currently available.
Rancher Backup And Restore Operator is affected by insertion of sensitive information into log file (CVSS 6.8).
The Linux kernel's Classmate laptop driver lacks NULL pointer checks in sysfs attribute handlers, allowing local users to trigger a denial of service by accessing device attributes before driver initialization completes. A premature sysfs access can cause the driver to dereference a NULL pointer when retrieving uninitialized device data, crashing the affected system.
Local privilege escalation in Linux kernel f2fs sysfs attributes allows unprivileged users to trigger out-of-bounds memory access and cause denial of service by writing oversized integer values to filesystem control interfaces. The vulnerability stems from improper bounds checking when mapping sysfs attributes to kernel structures of varying integer sizes, enabling attackers to corrupt kernel memory and crash the system. No patch is currently available for this vulnerability.
A use-after-free vulnerability in the Linux kernel's f2fs filesystem allows a local attacker with user privileges to trigger memory corruption and crash the system through a race condition between I/O completion and filesystem unmount operations. The vulnerability occurs when a loop device completes write operations concurrently with an unmount that frees filesystem structures still being accessed by pending I/O handlers. This issue has no available patch and requires kernel-level access to exploit.
F2FS swapfile memory corruption in Linux kernel 6.6+ allows local attackers with user privileges to cause data corruption through improper physical block mapping when using fragmented swapfiles smaller than the F2FS section size. Public exploit code exists for this vulnerability, and attackers can trigger dm-verity corruption errors or F2FS node corruption leading to system crashes and data loss. No patch is currently available.
A revert of a Linux kernel patch introduces a potential deadlock condition in the f2fs filesystem when concurrent write operations and checkpoint operations occur, allowing a local user with write permissions to cause a denial of service through system hang. The vulnerability affects the Linux kernel's f2fs module and requires low privileges to trigger. No patch is currently available to address this issue.