Suse
Monthly
In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix bsg_done() causing double free Kernel panic observed on system, [5353358.825191] BUG: unable to handle page fault for address: ff5f5e897b024000 [5353358.825194] #PF: supervisor write access in kernel mode [5353358.825195] #PF: error_code(0x0002) - not-present page [5353358.825196] PGD 100006067 P4D 0 [5353358.825198] Oops: 0002 [#1] PREEMPT SMP NOPTI [5353358.825200] CPU: 5 PID: 2132085 Comm: qlafwupdate.sub Kdump: loaded Tainted: G W L ------- --- 5.14.0-503.34.1.el9_5.x86_64 #1 [5353358.825203] Hardware name: HPE ProLiant DL360 Gen11/ProLiant DL360 Gen11, BIOS 2.44 01/17/2025 [5353358.825204] RIP: 0010:memcpy_erms+0x6/0x10 [5353358.825211] RSP: 0018:ff591da8f4f6b710 EFLAGS: 00010246 [5353358.825212] RAX: ff5f5e897b024000 RBX: 0000000000007090 RCX: 0000000000001000 [5353358.825213] RDX: 0000000000001000 RSI: ff591da8f4fed090 RDI: ff5f5e897b024000 [5353358.825214] RBP: 0000000000010000 R08: ff5f5e897b024000 R09: 0000000000000000 [5353358.825215] R10: ff46cf8c40517000 R11: 0000000000000001 R12: 0000000000008090 [5353358.825216] R13: ff591da8f4f6b720 R14: 0000000000001000 R15: 0000000000000000 [5353358.825218] FS: 00007f1e88d47740(0000) GS:ff46cf935f940000(0000) knlGS:0000000000000000 [5353358.825219] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [5353358.825220] CR2: ff5f5e897b024000 CR3: 0000000231532004 CR4: 0000000000771ef0 [5353358.825221] PKRU: 55555554 [5353358.825222] Call Trace: [5353358.825223] <TASK> [5353358.825224] ? show_trace_log_lvl+0x1c4/0x2df [5353358.825229] ? show_trace_log_lvl+0x1c4/0x2df [5353358.825232] ? sg_copy_buffer+0xc8/0x110 [5353358.825236] ? __die_body.cold+0x8/0xd [5353358.825238] ? page_fault_oops+0x134/0x170 [5353358.825242] ? kernelmode_fixup_or_oops+0x84/0x110 [5353358.825244] ? exc_page_fault+0xa8/0x150 [5353358.825247] ? asm_exc_page_fault+0x22/0x30 [5353358.825252] ? memcpy_erms+0x6/0x10 [5353358.825253] sg_copy_buffer+0xc8/0x110 [5353358.825259] qla2x00_process_vendor_specific+0x652/0x1320 [qla2xxx] [5353358.825317] qla24xx_bsg_request+0x1b2/0x2d0 [qla2xxx] Most routines in qla_bsg.c call bsg_done() only for success cases.
Joserfc versions 1.6.2 and earlier fail to validate the PBES2 iteration count parameter in JWE tokens, allowing unauthenticated attackers to trigger CPU exhaustion by specifying arbitrarily large values in the p2c header field. An attacker can exploit this resource exhaustion vulnerability to cause denial of service against any system using the library to decrypt JWE tokens. Public exploit code exists for this vulnerability, and a patch is available.
DOMPurify versions 2.5.3-2.5.8 and 3.1.3-3.3.1 fail to sanitize attribute values within certain rawtext HTML elements (noscript, xmp, noembed, noframes, iframe), allowing attackers to inject malicious scripts that execute when sanitized content is rendered in these contexts. An attacker can exploit this by embedding JavaScript payloads in HTML attributes, bypassing DOMPurify's sanitization to achieve cross-site scripting. A patch is available in commit 729097f.
Canonical LXD 6.6 on Linux contains an authorization bypass in the GET /1.0/certificates API endpoint that allows authenticated users with restricted privileges to enumerate all certificate fingerprints trusted by the server. Public exploit code exists for this vulnerability. While this enables information disclosure with limited impact, it could facilitate further attacks by revealing trust relationships on the system.
Timing side-channel attacks in AWS-LC's AES-CCM decryption implementation allow unauthenticated attackers to infer authentication tag validity through precise timing measurements. The vulnerability affects AWS-LC and related cryptographic libraries across multiple AES-CCM variants (128, 192, and 256-bit), potentially enabling attackers to forge authenticated messages. AWS service customers are unaffected, but applications using AWS-LC directly should upgrade to version 1.69.0 or later.
Exiv2 versions prior to 0.28.8 are vulnerable to a denial of service attack through integer overflow in the preview component when specific command-line arguments are used, causing the application to crash with an uncaught exception. An attacker can trigger this vulnerability by providing a specially crafted image file to crash Exiv2 processes, affecting systems that rely on the library for metadata processing. A patch is available in version 0.28.8 and later.
Out-of-bounds memory read in Exiv2 prior to version 0.28.8 causes denial of service through application crash when processing specially crafted image files with the preview extraction feature. The vulnerability requires specific command-line arguments (such as -pp) to trigger and affects all users running vulnerable Exiv2 versions for image metadata operations. A patch is available in version 0.28.8 and later.
Out-of-bounds read in Exiv2's CRW image parser allows remote attackers to cause denial of service and potentially disclose sensitive memory contents through crafted image files. Versions prior to 0.28.8 are affected, and public exploit code exists for this vulnerability. A patch is available that administrators should deploy immediately to prevent exploitation.
Vim versions before 9.2.0077 contain heap buffer overflow and segmentation fault vulnerabilities in swap file recovery that can be triggered by opening a specially crafted swap file, affecting users who recover sessions from untrusted sources. An attacker could exploit this to cause application crashes or potentially achieve code execution through memory corruption. A patch is available in version 9.2.0077 and later.
Vim versions prior to 9.2.0076 contain a heap buffer overflow and out-of-bounds read vulnerability in the terminal emulator when handling Unicode combining characters from supplementary planes, allowing a local attacker with user interaction to cause memory corruption and denial of service. The vulnerability requires local access and user interaction to trigger, with no confidentiality impact but potential integrity and availability consequences. A patch is available in version 9.2.0076 and later.
Vim versions prior to 9.2.0075 contain a heap buffer underflow in the tags file parser that triggers when processing malformed tag files with delimiters at line starts, potentially allowing local attackers with user interaction to read out-of-bounds memory and cause information disclosure or crashes. The vulnerability requires local file system access and user interaction to exploit, with a CVSS score of 5.3 indicating medium severity. A patch is available in Vim 9.2.0075 and later versions.
Vim versions prior to 9.2.0074 contain a heap buffer overflow in the Emacs-style tags file parser that allows reading up to 7 bytes of out-of-bounds memory when processing malformed tags files. A local attacker can trigger this vulnerability through a crafted tags file to leak sensitive information from the application's memory. The vulnerability has been patched in version 9.2.0074 and later.
Arbitrary command execution in Vim's netrw plugin prior to version 9.2.0073 allows attackers to execute shell commands with user privileges by crafting malicious URLs (such as scp:// handlers) that users are tricked into opening. The vulnerability requires user interaction but poses a local privilege escalation risk in multi-user environments. A patch is available in Vim 9.2.0073 and later.
Malcontent versions before 1.21.0 fail to preserve nested archives that cannot be extracted, potentially allowing malicious content to evade detection during supply-chain compromise analysis. An attacker could exploit this by embedding malicious payloads in problematic nested archives that the tool would discard without scanning. The vulnerability has a patch available in version 1.21.0 and later.
Crafted PDF files can trigger excessive memory consumption in pypdf versions before 6.7.4 when processing content streams with the RunLengthDecode filter, enabling denial-of-service attacks against applications using the library. An unauthenticated attacker can exploit this remotely by submitting a malicious PDF, causing the affected application to exhaust system memory. A patch is available in pypdf 6.7.4 and later.
Business logic vulnerability in Vikunja task management platform before 2.1.0 allows incomplete resource cleanup, potentially enabling unauthorized access to shared resources after user removal.
Integer overflow in pillow_heif Python library before 1.3.0 leads to out-of-bounds read when processing HEIF images, potentially causing information disclosure or crashes. PoC and patch available.
Calibre Content Server's brute-force protection can be bypassed by manipulating the X-Forwarded-For HTTP header, allowing attackers to circumvent IP-based account lockouts and conduct credential stuffing attacks. Public exploit code exists for this vulnerability, which affects Calibre versions prior to 9.4.0 and poses a significant risk to internet-exposed servers where brute-force protection is the primary authentication defense mechanism. No patch is currently available for affected versions.
HTTP response header injection in Calibre Content Server prior to version 9.4.0 permits authenticated users to inject arbitrary headers through an unsanitized query parameter, potentially enabling cache poisoning, session fixation, or credential theft attacks. Any authenticated user can exploit this vulnerability directly or via social engineering, affecting all instances with authentication enabled. Public exploit code exists and no patch is currently available.
Path traversal in Beszel hub's container API endpoints allows authenticated users, including those with read-only roles, to bypass validation and access arbitrary Docker Engine API endpoints on agent hosts through improper URL path construction. This exposure of sensitive infrastructure details affects Beszel versions prior to 0.18.4 and Docker integrations, with public exploit code already available. The vulnerability requires valid authentication but no special privileges, making it exploitable by low-privileged users in multi-tenant environments.
A flaw was found in uv. This vulnerability allows an attacker to execute malicious code during package resolution or installation via specially crafted ZIP (Zipped Information Package) archives that exploit parsing differentials, requiring user interaction to install an attacker-controlled package. [CVSS 6.3 MEDIUM]
Net::CIDR versions before 0.24 for Perl mishandle leading zeros in IP CIDR addresses, which may have unspecified impact. The functions `addr2cidr` and `cidrlookup` may return leading zeros in a CIDR string, which may in turn be parsed as octal numbers by subsequent users. [CVSS 6.5 MEDIUM]
Apache\ versions up to \ contains a vulnerability that allows attackers to gain access to systems (CVSS 8.2).
Stored XSS in osctrl-admin prior to version 0.5.0 allows low-privileged users with query permissions to inject malicious JavaScript into the on-demand query list, affecting all users who view the page. An attacker can exploit this vulnerability to steal CSRF tokens and impersonate other users, potentially compromising the entire platform if an administrator is compromised. A patch is available in version 0.5.0.
Remote code execution in osctrl prior to version 0.5.0 allows authenticated administrators to inject arbitrary OS commands through the hostname parameter during environment configuration, which are then executed on all endpoints enrolling via the compromised environment. The injected commands execute with root/SYSTEM privileges before osquery installation, providing complete system compromise with minimal audit trails. A patch is available in version 0.5.0 and later.
Weblate versions prior to 5.16.1 fail to properly restrict API access to addon data, allowing authenticated users to enumerate and access all addons across every project and component in the system. An attacker with valid credentials can query the REST API endpoints to retrieve sensitive addon information that should be scoped to their assigned permissions. This information disclosure vulnerability is fixed in version 5.16.1.
Due to missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic [CVSS 7.5 HIGH]
FTP command injection in GVfs backend allows remote attackers to execute arbitrary FTP commands by embedding CRLF sequences in crafted file paths, potentially leading to unauthorized access or code execution. The vulnerability requires user interaction and affects systems utilizing the FTP GVfs backend for file operations. A patch is available to remediate this input validation weakness.
GVfs FTP backend clients blindly trust server-provided IP addresses and ports during passive mode connections, enabling malicious FTP servers to conduct network reconnaissance and probe for open ports from the client's network perspective. The vulnerability requires user interaction but poses a confidentiality risk to network topology information. A patch is available to address this trust validation issue.
Fleet versions up to 4.80.1 contains a vulnerability that allows attackers to unauthorized access to Google Calendar resources associated with the service acc (CVSS 6.5).
Fleet device management software versions before 4.80.1 contain an authorization bypass in the certificate template deletion API that allows team administrators to delete certificate templates belonging to other teams. The vulnerability stems from insufficient validation of template ownership during batch deletion operations, enabling cross-team resource destruction that could disrupt certificate-dependent functions like device enrollment and VPN access. A patch is not yet available as of this CVE publication.
Fleet's Android MDM Pub/Sub endpoint fails to authenticate requests prior to version 4.80.1, allowing unauthenticated attackers to remotely trigger device unenrollment and remove Android devices from management. The vulnerability has limited impact, affecting only device management continuity without providing access to Fleet itself or device data. Organizations running vulnerable versions should upgrade immediately or disable Android MDM until patching is possible.
Fleet's device lock and wipe PIN generation relies on predictable timestamps without additional entropy, allowing attackers with physical access to a locked device and knowledge of the approximate lock time to brute-force the 6-digit PIN within a limited search window. This vulnerability affects Fleet versions prior to 4.80.1 and requires local access and timing knowledge to exploit. No patch is currently available.
Path traversal in Vitess backup manifest handling allows authenticated attackers with access to backup storage to write arbitrary files to any location during restore operations, potentially achieving remote code execution on production MySQL deployments. An attacker can manipulate backup manifests to extract files outside intended directories, gaining unauthorized access to sensitive data and the ability to execute arbitrary commands in the production environment. Patches are available for versions 23.0.3 and 22.0.4.
Command injection in Vitess MySQL clustering system before 23.0.3/22.0.4. Users with read/write access to the backup store can achieve code execution. Patch available.
Minimatch versions prior to 10.2.3 (and earlier affected versions) suffer from ReDoS vulnerabilities in nested extglob patterns that generate regexps with catastrophic backtracking, allowing remote attackers to cause denial of service with minimal input. A 12-byte glob pattern like `*(*(*(a|b)))` combined with an 18-byte non-matching string can hang the application for 7+ seconds, with larger patterns stalling for minutes. Public exploit code exists and no patch is currently available, making this a critical risk for any application using the default minimatch API.
The Terraform Provider for Linode prior to version 3.9.0 exposes sensitive credentials including passwords and API tokens in debug logs when debug logging is explicitly enabled. Authenticated attackers with access to these logs through CI/CD pipelines, log aggregation systems, or shared debug output can extract exposed secrets. This vulnerability requires an authenticated user and debug logging activation, making it exploitable primarily in environments where logging is intentionally enabled for troubleshooting.
Privilege escalation in WireGuard Portal prior to version 2.1.3 allows authenticated non-admin users to gain full administrator access by modifying their own user profile with an IsAdmin flag set to true. The vulnerability exists because the server fails to properly validate and restrict the IsAdmin field during profile updates, allowing the privilege change to persist after re-authentication. Affected deployments require immediate patching to version 2.1.3 or later to prevent unauthorized administrative access.
Bitnami Sealed Secrets improperly validates user-supplied annotations during secret rotation, allowing authenticated attackers to escalate secret scope from namespace-wide or strict constraints to cluster-wide. An attacker can inject a malicious annotation into the rotation request to obtain a rotated secret accessible across any namespace, potentially enabling lateral movement and unauthorized access to sensitive credentials throughout the cluster.
Zitadel versions prior to 4.11.1 and 3.4.7 permit authenticated users to bypass email and phone verification procedures through the self-management feature, allowing them to mark contact information as verified without completing actual validation. This integrity bypass enables account compromise scenarios where attackers with valid credentials can impersonate other users or escalate privileges by falsifying verified contact details. No patch is currently available for affected deployments, though implementing action rules (v2) can mitigate the risk.
Server-Side Request Forgery in Zitadel's Action V2 webhook feature allows unauthenticated attackers to probe internal network services and gather information about internal infrastructure by crafting malicious webhook target URLs pointing to localhost or private IP addresses. The vulnerability affects Zitadel versions 4.0.0 through 4.11.0, with schema validation providing limited mitigation. No patch is currently available.
Denial of service in pypdf prior to version 6.7.3 allows remote attackers to exhaust system memory by crafting malicious PDF files that exploit FlateDecode-compressed streams accessed through the xfa property. The vulnerability requires no authentication or user interaction and affects any application processing untrusted PDF documents with the vulnerable library. Upgrade to pypdf 6.7.3 or later to remediate.
Zitadel versions 2.31.0 through 3.4.6 and 4.10.x accept truncated opaque OIDC access tokens as valid when shortened to 80 characters, allowing attackers to bypass token validation and gain unauthorized access to protected resources. This affects deployments using the v2 token format where the symmetric encryption scheme fails to properly validate token length, enabling token forgery or reuse attacks.
Mailpit versions prior to 1.29.2 contain a Server-Side Request Forgery vulnerability in the Link Check API that allows unauthenticated remote attackers to perform HTTP requests to arbitrary hosts, including internal and private IP addresses. The API fails to validate or filter target URLs and returns status codes for each link, enabling non-blind SSRF attacks. Public exploit code exists for this vulnerability, affecting deployments with default configuration.
Heap buffer over-read in ImageMagick and Magick.NET's DJVU image handler allows local attackers to read out-of-bounds memory through integer truncation in stride calculations. An attacker can trigger this vulnerability by supplying a malicious DJVU file, potentially leading to information disclosure or application crashes. Updates are available for ImageMagick versions 7.1.2-15, 6.9.13-40 and later.
Magick.NET and ImageMagick versions before 7.1.2-15 and 6.9.13-40 are vulnerable to heap buffer over-read when processing low-resolution images with the wavelet-denoise filter, allowing local attackers to read sensitive memory. This out-of-bounds read could expose confidential information from adjacent heap memory with no possibility of code execution or denial of service. A patch is available for affected users.
SQL injection in Fleet device management software before version 4.80.1 allows authenticated users to manipulate the order_key parameter and inject arbitrary SQL commands through improper identifier handling in ORDER BY clauses. An attacker with valid credentials can exploit this vulnerability to perform blind SQL injection attacks, potentially extracting sensitive database information or causing denial of service through resource exhaustion. No patch is currently available for this high-severity vulnerability affecting MySQL implementations.
An integer overflow in FreeRDP's Stream_EnsureCapacity function prior to version 3.23.0 can trigger an endless blocking loop, causing denial of service on affected client and server implementations. This vulnerability primarily impacts 32-bit systems with sufficient physical memory and has public exploit code available. Administrators should upgrade to FreeRDP 3.23.0 or later to remediate this issue.
FreeRDP versions prior to 3.23.0 contain an incomplete fix for a heap-use-after-free vulnerability that affects only the SDL2 code path, where freed memory pointers are not properly nulled, allowing an unauthenticated attacker to trigger a denial of service condition. Users running FreeRDP with SDL2 backends remain vulnerable despite the advisory claiming the issue was resolved. Upgrade to version 3.23.0 or later to obtain the complete fix.
Vikunja before version 2.0.0 contains a path traversal vulnerability in its backup restoration function that fails to validate file paths in ZIP archives, allowing attackers with high privileges to write arbitrary files to the host system. Public exploit code exists for this vulnerability, and malformed archives can trigger a denial of service that permanently wipes the database before crashing the application. The flaw affects Vikunja and the underlying Go platform, with no patch currently available.
Stored cross-site scripting (XSS) in Vikunja prior to version 2.0.0 allows authenticated attackers to steal authentication tokens by uploading malicious SVG files containing JavaScript that executes when accessed directly. The vulnerability exists because the application fails to sanitize SVG content before storage and renders it inline under the application origin, enabling token theft from localStorage. Public exploit code exists for this vulnerability and no patch is currently available for affected versions.
Weak password policy in Vikunja task management before 2.0.0 allows users to set trivially guessable passwords. PoC available.
Vikunja is an open-source self-hosted task management platform. [CVSS 6.1 MEDIUM]
FreeRDP is a free implementation of the Remote Desktop Protocol. [CVSS 7.5 HIGH]
Buffer overflow in parallel HNSW index build in pgvector 0.6.0 versions up to 0.8.1 is affected by integer underflow (CVSS 8.1).
Denial of service in FreeRDP prior to version 3.23.0 allows a malicious RDP server to crash the client application through a missing bounds check in smartcard packet handling. This vulnerability affects users who have explicitly enabled smartcard redirection, and public exploit code exists. The crash is triggered via assertion failure in builds with verbose assert checking enabled, which is the default configuration in FreeRDP 3.22.0.
FreeRDP versions prior to 3.23.0 are vulnerable to a buffer overread in icon data processing that allows denial of service when clients receive crafted RDP Window Icon data from a server or network attacker. An unauthenticated remote attacker can exploit this vulnerability to crash the FreeRDP client by sending malicious icon structures during the RDP connection. A patch is available in version 3.23.0 and later.
Use-after-free in FreeRDP xf_clipboard_format_equal before 3.23.0. Clipboard format comparison uses freed memory. Fifth FreeRDP UAF. PoC and patch available.
Use-after-free in FreeRDP xf_cliprdr_provide_data clipboard handling before 3.23.0. Clipboard data exchange triggers memory corruption. PoC and patch available.
Use-after-free in FreeRDP xf_AppUpdateWindowFromSurface before 3.23.0. Different code path from CVE-2026-25953. PoC and patch available.
FreeRDP is a free implementation of the Remote Desktop Protocol. [CVSS 7.5 HIGH]
Use-after-free in FreeRDP xf_AppUpdateWindowFromSurface before 3.23.0. Surface-to-window update triggers memory corruption. PoC and patch available.
Use-after-free in FreeRDP xf_SetWindowMinMaxInfo before version 3.23.0. X11 client window management triggers memory corruption. PoC and patch available.
FreeRDP is a free implementation of the Remote Desktop Protocol. [CVSS 7.5 HIGH]
FreeRDP is a free implementation of the Remote Desktop Protocol. [CVSS 4.3 MEDIUM]
esm.sh versions up to 137 contain an SSRF vulnerability in the `/http(s)` fetch route that allows remote attackers to bypass hostname validation through DNS alias domains and access internal localhost services. Public exploit code exists for this vulnerability, and no patches are currently available. This affects users of esm.sh CDN services and any applications relying on the affected versions.
esm.sh is a no-build content delivery network (CDN) for web development. In version 136, esm.sh is vulnerable to a full-response SSRF, allowing an attacker to retrieve information from internal websites through the vulnerability. [CVSS 7.5 HIGH]
Wireshark versions 4.4.0-4.4.13 and 4.6.0-4.6.3 crash when processing malformed RF4CE Profile protocol packets, enabling local denial of service attacks through user interaction. An attacker can trigger an out-of-bounds read by supplying a specially crafted packet file to a target user, causing the application to become unavailable. No patch is currently available for this vulnerability.
NTS-KE protocol dissector crash in Wireshark 4.6.0 to 4.6.3 allows denial of service [CVSS 4.7 MEDIUM]
Wireshark 4.6.0-4.6.3 and 4.4.0-4.4.13 can be crashed through memory exhaustion in the USB HID protocol dissector when processing malformed packets. A local attacker with the ability to trigger packet analysis can cause a denial of service condition, and public exploit code exists for this vulnerability. No patch is currently available.
Path traversal in basic-ftp Node.js FTP client library before 5.2.0 allows malicious FTP servers to write files outside the intended download directory. PoC and patch available.
Unprivileged users can extract LUKS encryption headers from the udisks daemon due to missing authorization checks on a privileged D-Bus method, allowing attackers to read sensitive cryptographic metadata and potentially compromise encrypted storage confidentiality. The vulnerability affects systems running vulnerable versions of udisks and requires local access to exploit. No patch is currently available.
A vulnerability has been identified within Rancher Manager, where using self-signed CA certificates and passing the -skip-verify flag to the Rancher CLI login command without also passing the -cacert flag results in the CLI attempting to fetch CA certificates stored in Rancher’s setting cacerts. [CVSS 8.3 HIGH]
Path traversal in Kubernetes PersistentVolume creation via pathPattern parameter allows creating volumes in arbitrary host filesystem locations. CVSS 9.9 with scope change.
URLs containing percent-encoded slashes (`/` or `\`) can trick wcurl into saving the output file outside of the current directory without the user explicitly asking for it. This flaw only affects the wcurl command line tool. [CVSS 4.6 MEDIUM]
Coturn TURN/STUN server contains an access control bypass that allows remote attackers to reach blocked internal addresses by exploiting IPv4-mapped IPv6 address handling in permission and channel binding requests. The vulnerability bypasses "denied-peer-ip" restrictions designed to block loopback ranges, enabling an attacker to interact with internal services that should be unreachable. Public exploit code exists for this flaw, and a patch is available in version 4.9.0 and later.
Pypdf versions up to 6.7.2 is affected by loop with unreachable exit condition (infinite loop) (CVSS 7.5).
OS command injection in OliveTin web shell interface through version 3000.10.0. OliveTin provides web-based access to predefined shell commands — the injection allows executing arbitrary commands beyond the whitelist. PoC available.
FileBrowser Quantum versions prior to 1.1.3-stable and 1.2.6-beta expose a password bypass vulnerability in shared files, allowing unauthenticated recipients to download protected content by accessing the direct download link embedded in share details. An attacker possessing only the share link can retrieve files without providing the intended password, completely circumventing access controls. Public exploit code exists for this vulnerability, and patches are available in the patched versions.
Arbitrary file write in Dagu workflow engine up to version 1.16.7 allows authenticated users with DAG write permissions to place malicious YAML files anywhere on the filesystem due to insufficient name validation in the CreateNewDAG API endpoint. Since Dagu executes DAG files as shell commands, an attacker can achieve remote code execution by overwriting existing DAGs or configuration files. Public exploit code exists for this vulnerability, and a patch is available.
Unbounded memory allocation in Fiber v3 (prior to 3.1.0) allows unauthenticated remote attackers to trigger denial of service by sending a malicious fiber_flash cookie that forces deserialization of up to 85GB of memory. All v3 endpoints are vulnerable regardless of flash message usage, and public exploit code exists. No patch is currently available.
Fiber web framework versions 3.0.0 and earlier on Windows contain a path traversal vulnerability that allows remote attackers to bypass static file middleware protections and read arbitrary files from the server. Public exploit code exists for this vulnerability, which affects applications using the vulnerable Fiber versions. The issue has been patched in Fiber v3.1.0.
Fiber web framework versions 2 and 3 are vulnerable to denial of service attacks when processing requests to routes containing more than 30 parameters, enabling remote attackers to crash affected applications without authentication. The vulnerability stems from insufficient validation during route registration and unbounded array writes in request matching logic. Public exploit code exists for this high-severity flaw, though patches are available in Fiber v2.52.12 and v3.1.0.
FastCGI path splitting vulnerability in Caddy before 2.11.1 allows request smuggling or path confusion when proxying to FastCGI backends (PHP-FPM). EPSS 0.19% with PoC available.
Caddy versions prior to 2.11.1 allow unauthenticated cross-origin requests to the admin API when origin enforcement is disabled, enabling attackers to remotely reconfigure the server through malicious web content loaded in a victim's browser. Public exploit code exists for this vulnerability, which can be leveraged to modify HTTP server behavior and admin listener settings without user knowledge. The vulnerability affects Caddy and TLS implementations, with no patch currently available for affected versions.
Host header case sensitivity bypass in Caddy before 2.11.1. Virtual host routing can be bypassed by using alternate casing in the Host header. PoC available.
Case sensitivity bypass in Caddy web server path matching before 2.11.1. HTTP path matchers can be bypassed using alternate casing on case-insensitive filesystems. PoC available.
TLS error swallowing in Caddy web server before 2.11.1 allows bypassing client certificate authentication. Errors in ClientCAs handling are silenced, potentially accepting invalid client certificates. PoC available.
Caddy versions prior to 2.11.1 fail to sanitize backslashes in file path matching, allowing attackers to bypass path-based security controls through specially crafted requests. The vulnerability affects systems with specific Caddy configurations and has public exploit code available. Exploitation requires network access with no authentication, resulting in limited information disclosure or modification of restricted resources.
NATS Server versions prior to 2.11.2 and 2.12.3 fail to properly limit memory allocation during WebSocket compression, allowing unauthenticated attackers to trigger denial of service through compression bomb attacks that exhaust server memory. The vulnerability is exploitable pre-authentication since compression negotiation occurs before credential validation. A patch is available in versions 2.11.2 and 2.12.3.
In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix bsg_done() causing double free Kernel panic observed on system, [5353358.825191] BUG: unable to handle page fault for address: ff5f5e897b024000 [5353358.825194] #PF: supervisor write access in kernel mode [5353358.825195] #PF: error_code(0x0002) - not-present page [5353358.825196] PGD 100006067 P4D 0 [5353358.825198] Oops: 0002 [#1] PREEMPT SMP NOPTI [5353358.825200] CPU: 5 PID: 2132085 Comm: qlafwupdate.sub Kdump: loaded Tainted: G W L ------- --- 5.14.0-503.34.1.el9_5.x86_64 #1 [5353358.825203] Hardware name: HPE ProLiant DL360 Gen11/ProLiant DL360 Gen11, BIOS 2.44 01/17/2025 [5353358.825204] RIP: 0010:memcpy_erms+0x6/0x10 [5353358.825211] RSP: 0018:ff591da8f4f6b710 EFLAGS: 00010246 [5353358.825212] RAX: ff5f5e897b024000 RBX: 0000000000007090 RCX: 0000000000001000 [5353358.825213] RDX: 0000000000001000 RSI: ff591da8f4fed090 RDI: ff5f5e897b024000 [5353358.825214] RBP: 0000000000010000 R08: ff5f5e897b024000 R09: 0000000000000000 [5353358.825215] R10: ff46cf8c40517000 R11: 0000000000000001 R12: 0000000000008090 [5353358.825216] R13: ff591da8f4f6b720 R14: 0000000000001000 R15: 0000000000000000 [5353358.825218] FS: 00007f1e88d47740(0000) GS:ff46cf935f940000(0000) knlGS:0000000000000000 [5353358.825219] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [5353358.825220] CR2: ff5f5e897b024000 CR3: 0000000231532004 CR4: 0000000000771ef0 [5353358.825221] PKRU: 55555554 [5353358.825222] Call Trace: [5353358.825223] <TASK> [5353358.825224] ? show_trace_log_lvl+0x1c4/0x2df [5353358.825229] ? show_trace_log_lvl+0x1c4/0x2df [5353358.825232] ? sg_copy_buffer+0xc8/0x110 [5353358.825236] ? __die_body.cold+0x8/0xd [5353358.825238] ? page_fault_oops+0x134/0x170 [5353358.825242] ? kernelmode_fixup_or_oops+0x84/0x110 [5353358.825244] ? exc_page_fault+0xa8/0x150 [5353358.825247] ? asm_exc_page_fault+0x22/0x30 [5353358.825252] ? memcpy_erms+0x6/0x10 [5353358.825253] sg_copy_buffer+0xc8/0x110 [5353358.825259] qla2x00_process_vendor_specific+0x652/0x1320 [qla2xxx] [5353358.825317] qla24xx_bsg_request+0x1b2/0x2d0 [qla2xxx] Most routines in qla_bsg.c call bsg_done() only for success cases.
Joserfc versions 1.6.2 and earlier fail to validate the PBES2 iteration count parameter in JWE tokens, allowing unauthenticated attackers to trigger CPU exhaustion by specifying arbitrarily large values in the p2c header field. An attacker can exploit this resource exhaustion vulnerability to cause denial of service against any system using the library to decrypt JWE tokens. Public exploit code exists for this vulnerability, and a patch is available.
DOMPurify versions 2.5.3-2.5.8 and 3.1.3-3.3.1 fail to sanitize attribute values within certain rawtext HTML elements (noscript, xmp, noembed, noframes, iframe), allowing attackers to inject malicious scripts that execute when sanitized content is rendered in these contexts. An attacker can exploit this by embedding JavaScript payloads in HTML attributes, bypassing DOMPurify's sanitization to achieve cross-site scripting. A patch is available in commit 729097f.
Canonical LXD 6.6 on Linux contains an authorization bypass in the GET /1.0/certificates API endpoint that allows authenticated users with restricted privileges to enumerate all certificate fingerprints trusted by the server. Public exploit code exists for this vulnerability. While this enables information disclosure with limited impact, it could facilitate further attacks by revealing trust relationships on the system.
Timing side-channel attacks in AWS-LC's AES-CCM decryption implementation allow unauthenticated attackers to infer authentication tag validity through precise timing measurements. The vulnerability affects AWS-LC and related cryptographic libraries across multiple AES-CCM variants (128, 192, and 256-bit), potentially enabling attackers to forge authenticated messages. AWS service customers are unaffected, but applications using AWS-LC directly should upgrade to version 1.69.0 or later.
Exiv2 versions prior to 0.28.8 are vulnerable to a denial of service attack through integer overflow in the preview component when specific command-line arguments are used, causing the application to crash with an uncaught exception. An attacker can trigger this vulnerability by providing a specially crafted image file to crash Exiv2 processes, affecting systems that rely on the library for metadata processing. A patch is available in version 0.28.8 and later.
Out-of-bounds memory read in Exiv2 prior to version 0.28.8 causes denial of service through application crash when processing specially crafted image files with the preview extraction feature. The vulnerability requires specific command-line arguments (such as -pp) to trigger and affects all users running vulnerable Exiv2 versions for image metadata operations. A patch is available in version 0.28.8 and later.
Out-of-bounds read in Exiv2's CRW image parser allows remote attackers to cause denial of service and potentially disclose sensitive memory contents through crafted image files. Versions prior to 0.28.8 are affected, and public exploit code exists for this vulnerability. A patch is available that administrators should deploy immediately to prevent exploitation.
Vim versions before 9.2.0077 contain heap buffer overflow and segmentation fault vulnerabilities in swap file recovery that can be triggered by opening a specially crafted swap file, affecting users who recover sessions from untrusted sources. An attacker could exploit this to cause application crashes or potentially achieve code execution through memory corruption. A patch is available in version 9.2.0077 and later.
Vim versions prior to 9.2.0076 contain a heap buffer overflow and out-of-bounds read vulnerability in the terminal emulator when handling Unicode combining characters from supplementary planes, allowing a local attacker with user interaction to cause memory corruption and denial of service. The vulnerability requires local access and user interaction to trigger, with no confidentiality impact but potential integrity and availability consequences. A patch is available in version 9.2.0076 and later.
Vim versions prior to 9.2.0075 contain a heap buffer underflow in the tags file parser that triggers when processing malformed tag files with delimiters at line starts, potentially allowing local attackers with user interaction to read out-of-bounds memory and cause information disclosure or crashes. The vulnerability requires local file system access and user interaction to exploit, with a CVSS score of 5.3 indicating medium severity. A patch is available in Vim 9.2.0075 and later versions.
Vim versions prior to 9.2.0074 contain a heap buffer overflow in the Emacs-style tags file parser that allows reading up to 7 bytes of out-of-bounds memory when processing malformed tags files. A local attacker can trigger this vulnerability through a crafted tags file to leak sensitive information from the application's memory. The vulnerability has been patched in version 9.2.0074 and later.
Arbitrary command execution in Vim's netrw plugin prior to version 9.2.0073 allows attackers to execute shell commands with user privileges by crafting malicious URLs (such as scp:// handlers) that users are tricked into opening. The vulnerability requires user interaction but poses a local privilege escalation risk in multi-user environments. A patch is available in Vim 9.2.0073 and later.
Malcontent versions before 1.21.0 fail to preserve nested archives that cannot be extracted, potentially allowing malicious content to evade detection during supply-chain compromise analysis. An attacker could exploit this by embedding malicious payloads in problematic nested archives that the tool would discard without scanning. The vulnerability has a patch available in version 1.21.0 and later.
Crafted PDF files can trigger excessive memory consumption in pypdf versions before 6.7.4 when processing content streams with the RunLengthDecode filter, enabling denial-of-service attacks against applications using the library. An unauthenticated attacker can exploit this remotely by submitting a malicious PDF, causing the affected application to exhaust system memory. A patch is available in pypdf 6.7.4 and later.
Business logic vulnerability in Vikunja task management platform before 2.1.0 allows incomplete resource cleanup, potentially enabling unauthorized access to shared resources after user removal.
Integer overflow in pillow_heif Python library before 1.3.0 leads to out-of-bounds read when processing HEIF images, potentially causing information disclosure or crashes. PoC and patch available.
Calibre Content Server's brute-force protection can be bypassed by manipulating the X-Forwarded-For HTTP header, allowing attackers to circumvent IP-based account lockouts and conduct credential stuffing attacks. Public exploit code exists for this vulnerability, which affects Calibre versions prior to 9.4.0 and poses a significant risk to internet-exposed servers where brute-force protection is the primary authentication defense mechanism. No patch is currently available for affected versions.
HTTP response header injection in Calibre Content Server prior to version 9.4.0 permits authenticated users to inject arbitrary headers through an unsanitized query parameter, potentially enabling cache poisoning, session fixation, or credential theft attacks. Any authenticated user can exploit this vulnerability directly or via social engineering, affecting all instances with authentication enabled. Public exploit code exists and no patch is currently available.
Path traversal in Beszel hub's container API endpoints allows authenticated users, including those with read-only roles, to bypass validation and access arbitrary Docker Engine API endpoints on agent hosts through improper URL path construction. This exposure of sensitive infrastructure details affects Beszel versions prior to 0.18.4 and Docker integrations, with public exploit code already available. The vulnerability requires valid authentication but no special privileges, making it exploitable by low-privileged users in multi-tenant environments.
A flaw was found in uv. This vulnerability allows an attacker to execute malicious code during package resolution or installation via specially crafted ZIP (Zipped Information Package) archives that exploit parsing differentials, requiring user interaction to install an attacker-controlled package. [CVSS 6.3 MEDIUM]
Net::CIDR versions before 0.24 for Perl mishandle leading zeros in IP CIDR addresses, which may have unspecified impact. The functions `addr2cidr` and `cidrlookup` may return leading zeros in a CIDR string, which may in turn be parsed as octal numbers by subsequent users. [CVSS 6.5 MEDIUM]
Apache\ versions up to \ contains a vulnerability that allows attackers to gain access to systems (CVSS 8.2).
Stored XSS in osctrl-admin prior to version 0.5.0 allows low-privileged users with query permissions to inject malicious JavaScript into the on-demand query list, affecting all users who view the page. An attacker can exploit this vulnerability to steal CSRF tokens and impersonate other users, potentially compromising the entire platform if an administrator is compromised. A patch is available in version 0.5.0.
Remote code execution in osctrl prior to version 0.5.0 allows authenticated administrators to inject arbitrary OS commands through the hostname parameter during environment configuration, which are then executed on all endpoints enrolling via the compromised environment. The injected commands execute with root/SYSTEM privileges before osquery installation, providing complete system compromise with minimal audit trails. A patch is available in version 0.5.0 and later.
Weblate versions prior to 5.16.1 fail to properly restrict API access to addon data, allowing authenticated users to enumerate and access all addons across every project and component in the system. An attacker with valid credentials can query the REST API endpoints to retrieve sensitive addon information that should be scoped to their assigned permissions. This information disclosure vulnerability is fixed in version 5.16.1.
Due to missing nil check, sending 0x0a-0x0f HTTP/2 frames will cause a running server to panic [CVSS 7.5 HIGH]
FTP command injection in GVfs backend allows remote attackers to execute arbitrary FTP commands by embedding CRLF sequences in crafted file paths, potentially leading to unauthorized access or code execution. The vulnerability requires user interaction and affects systems utilizing the FTP GVfs backend for file operations. A patch is available to remediate this input validation weakness.
GVfs FTP backend clients blindly trust server-provided IP addresses and ports during passive mode connections, enabling malicious FTP servers to conduct network reconnaissance and probe for open ports from the client's network perspective. The vulnerability requires user interaction but poses a confidentiality risk to network topology information. A patch is available to address this trust validation issue.
Fleet versions up to 4.80.1 contains a vulnerability that allows attackers to unauthorized access to Google Calendar resources associated with the service acc (CVSS 6.5).
Fleet device management software versions before 4.80.1 contain an authorization bypass in the certificate template deletion API that allows team administrators to delete certificate templates belonging to other teams. The vulnerability stems from insufficient validation of template ownership during batch deletion operations, enabling cross-team resource destruction that could disrupt certificate-dependent functions like device enrollment and VPN access. A patch is not yet available as of this CVE publication.
Fleet's Android MDM Pub/Sub endpoint fails to authenticate requests prior to version 4.80.1, allowing unauthenticated attackers to remotely trigger device unenrollment and remove Android devices from management. The vulnerability has limited impact, affecting only device management continuity without providing access to Fleet itself or device data. Organizations running vulnerable versions should upgrade immediately or disable Android MDM until patching is possible.
Fleet's device lock and wipe PIN generation relies on predictable timestamps without additional entropy, allowing attackers with physical access to a locked device and knowledge of the approximate lock time to brute-force the 6-digit PIN within a limited search window. This vulnerability affects Fleet versions prior to 4.80.1 and requires local access and timing knowledge to exploit. No patch is currently available.
Path traversal in Vitess backup manifest handling allows authenticated attackers with access to backup storage to write arbitrary files to any location during restore operations, potentially achieving remote code execution on production MySQL deployments. An attacker can manipulate backup manifests to extract files outside intended directories, gaining unauthorized access to sensitive data and the ability to execute arbitrary commands in the production environment. Patches are available for versions 23.0.3 and 22.0.4.
Command injection in Vitess MySQL clustering system before 23.0.3/22.0.4. Users with read/write access to the backup store can achieve code execution. Patch available.
Minimatch versions prior to 10.2.3 (and earlier affected versions) suffer from ReDoS vulnerabilities in nested extglob patterns that generate regexps with catastrophic backtracking, allowing remote attackers to cause denial of service with minimal input. A 12-byte glob pattern like `*(*(*(a|b)))` combined with an 18-byte non-matching string can hang the application for 7+ seconds, with larger patterns stalling for minutes. Public exploit code exists and no patch is currently available, making this a critical risk for any application using the default minimatch API.
The Terraform Provider for Linode prior to version 3.9.0 exposes sensitive credentials including passwords and API tokens in debug logs when debug logging is explicitly enabled. Authenticated attackers with access to these logs through CI/CD pipelines, log aggregation systems, or shared debug output can extract exposed secrets. This vulnerability requires an authenticated user and debug logging activation, making it exploitable primarily in environments where logging is intentionally enabled for troubleshooting.
Privilege escalation in WireGuard Portal prior to version 2.1.3 allows authenticated non-admin users to gain full administrator access by modifying their own user profile with an IsAdmin flag set to true. The vulnerability exists because the server fails to properly validate and restrict the IsAdmin field during profile updates, allowing the privilege change to persist after re-authentication. Affected deployments require immediate patching to version 2.1.3 or later to prevent unauthorized administrative access.
Bitnami Sealed Secrets improperly validates user-supplied annotations during secret rotation, allowing authenticated attackers to escalate secret scope from namespace-wide or strict constraints to cluster-wide. An attacker can inject a malicious annotation into the rotation request to obtain a rotated secret accessible across any namespace, potentially enabling lateral movement and unauthorized access to sensitive credentials throughout the cluster.
Zitadel versions prior to 4.11.1 and 3.4.7 permit authenticated users to bypass email and phone verification procedures through the self-management feature, allowing them to mark contact information as verified without completing actual validation. This integrity bypass enables account compromise scenarios where attackers with valid credentials can impersonate other users or escalate privileges by falsifying verified contact details. No patch is currently available for affected deployments, though implementing action rules (v2) can mitigate the risk.
Server-Side Request Forgery in Zitadel's Action V2 webhook feature allows unauthenticated attackers to probe internal network services and gather information about internal infrastructure by crafting malicious webhook target URLs pointing to localhost or private IP addresses. The vulnerability affects Zitadel versions 4.0.0 through 4.11.0, with schema validation providing limited mitigation. No patch is currently available.
Denial of service in pypdf prior to version 6.7.3 allows remote attackers to exhaust system memory by crafting malicious PDF files that exploit FlateDecode-compressed streams accessed through the xfa property. The vulnerability requires no authentication or user interaction and affects any application processing untrusted PDF documents with the vulnerable library. Upgrade to pypdf 6.7.3 or later to remediate.
Zitadel versions 2.31.0 through 3.4.6 and 4.10.x accept truncated opaque OIDC access tokens as valid when shortened to 80 characters, allowing attackers to bypass token validation and gain unauthorized access to protected resources. This affects deployments using the v2 token format where the symmetric encryption scheme fails to properly validate token length, enabling token forgery or reuse attacks.
Mailpit versions prior to 1.29.2 contain a Server-Side Request Forgery vulnerability in the Link Check API that allows unauthenticated remote attackers to perform HTTP requests to arbitrary hosts, including internal and private IP addresses. The API fails to validate or filter target URLs and returns status codes for each link, enabling non-blind SSRF attacks. Public exploit code exists for this vulnerability, affecting deployments with default configuration.
Heap buffer over-read in ImageMagick and Magick.NET's DJVU image handler allows local attackers to read out-of-bounds memory through integer truncation in stride calculations. An attacker can trigger this vulnerability by supplying a malicious DJVU file, potentially leading to information disclosure or application crashes. Updates are available for ImageMagick versions 7.1.2-15, 6.9.13-40 and later.
Magick.NET and ImageMagick versions before 7.1.2-15 and 6.9.13-40 are vulnerable to heap buffer over-read when processing low-resolution images with the wavelet-denoise filter, allowing local attackers to read sensitive memory. This out-of-bounds read could expose confidential information from adjacent heap memory with no possibility of code execution or denial of service. A patch is available for affected users.
SQL injection in Fleet device management software before version 4.80.1 allows authenticated users to manipulate the order_key parameter and inject arbitrary SQL commands through improper identifier handling in ORDER BY clauses. An attacker with valid credentials can exploit this vulnerability to perform blind SQL injection attacks, potentially extracting sensitive database information or causing denial of service through resource exhaustion. No patch is currently available for this high-severity vulnerability affecting MySQL implementations.
An integer overflow in FreeRDP's Stream_EnsureCapacity function prior to version 3.23.0 can trigger an endless blocking loop, causing denial of service on affected client and server implementations. This vulnerability primarily impacts 32-bit systems with sufficient physical memory and has public exploit code available. Administrators should upgrade to FreeRDP 3.23.0 or later to remediate this issue.
FreeRDP versions prior to 3.23.0 contain an incomplete fix for a heap-use-after-free vulnerability that affects only the SDL2 code path, where freed memory pointers are not properly nulled, allowing an unauthenticated attacker to trigger a denial of service condition. Users running FreeRDP with SDL2 backends remain vulnerable despite the advisory claiming the issue was resolved. Upgrade to version 3.23.0 or later to obtain the complete fix.
Vikunja before version 2.0.0 contains a path traversal vulnerability in its backup restoration function that fails to validate file paths in ZIP archives, allowing attackers with high privileges to write arbitrary files to the host system. Public exploit code exists for this vulnerability, and malformed archives can trigger a denial of service that permanently wipes the database before crashing the application. The flaw affects Vikunja and the underlying Go platform, with no patch currently available.
Stored cross-site scripting (XSS) in Vikunja prior to version 2.0.0 allows authenticated attackers to steal authentication tokens by uploading malicious SVG files containing JavaScript that executes when accessed directly. The vulnerability exists because the application fails to sanitize SVG content before storage and renders it inline under the application origin, enabling token theft from localStorage. Public exploit code exists for this vulnerability and no patch is currently available for affected versions.
Weak password policy in Vikunja task management before 2.0.0 allows users to set trivially guessable passwords. PoC available.
Vikunja is an open-source self-hosted task management platform. [CVSS 6.1 MEDIUM]
FreeRDP is a free implementation of the Remote Desktop Protocol. [CVSS 7.5 HIGH]
Buffer overflow in parallel HNSW index build in pgvector 0.6.0 versions up to 0.8.1 is affected by integer underflow (CVSS 8.1).
Denial of service in FreeRDP prior to version 3.23.0 allows a malicious RDP server to crash the client application through a missing bounds check in smartcard packet handling. This vulnerability affects users who have explicitly enabled smartcard redirection, and public exploit code exists. The crash is triggered via assertion failure in builds with verbose assert checking enabled, which is the default configuration in FreeRDP 3.22.0.
FreeRDP versions prior to 3.23.0 are vulnerable to a buffer overread in icon data processing that allows denial of service when clients receive crafted RDP Window Icon data from a server or network attacker. An unauthenticated remote attacker can exploit this vulnerability to crash the FreeRDP client by sending malicious icon structures during the RDP connection. A patch is available in version 3.23.0 and later.
Use-after-free in FreeRDP xf_clipboard_format_equal before 3.23.0. Clipboard format comparison uses freed memory. Fifth FreeRDP UAF. PoC and patch available.
Use-after-free in FreeRDP xf_cliprdr_provide_data clipboard handling before 3.23.0. Clipboard data exchange triggers memory corruption. PoC and patch available.
Use-after-free in FreeRDP xf_AppUpdateWindowFromSurface before 3.23.0. Different code path from CVE-2026-25953. PoC and patch available.
FreeRDP is a free implementation of the Remote Desktop Protocol. [CVSS 7.5 HIGH]
Use-after-free in FreeRDP xf_AppUpdateWindowFromSurface before 3.23.0. Surface-to-window update triggers memory corruption. PoC and patch available.
Use-after-free in FreeRDP xf_SetWindowMinMaxInfo before version 3.23.0. X11 client window management triggers memory corruption. PoC and patch available.
FreeRDP is a free implementation of the Remote Desktop Protocol. [CVSS 7.5 HIGH]
FreeRDP is a free implementation of the Remote Desktop Protocol. [CVSS 4.3 MEDIUM]
esm.sh versions up to 137 contain an SSRF vulnerability in the `/http(s)` fetch route that allows remote attackers to bypass hostname validation through DNS alias domains and access internal localhost services. Public exploit code exists for this vulnerability, and no patches are currently available. This affects users of esm.sh CDN services and any applications relying on the affected versions.
esm.sh is a no-build content delivery network (CDN) for web development. In version 136, esm.sh is vulnerable to a full-response SSRF, allowing an attacker to retrieve information from internal websites through the vulnerability. [CVSS 7.5 HIGH]
Wireshark versions 4.4.0-4.4.13 and 4.6.0-4.6.3 crash when processing malformed RF4CE Profile protocol packets, enabling local denial of service attacks through user interaction. An attacker can trigger an out-of-bounds read by supplying a specially crafted packet file to a target user, causing the application to become unavailable. No patch is currently available for this vulnerability.
NTS-KE protocol dissector crash in Wireshark 4.6.0 to 4.6.3 allows denial of service [CVSS 4.7 MEDIUM]
Wireshark 4.6.0-4.6.3 and 4.4.0-4.4.13 can be crashed through memory exhaustion in the USB HID protocol dissector when processing malformed packets. A local attacker with the ability to trigger packet analysis can cause a denial of service condition, and public exploit code exists for this vulnerability. No patch is currently available.
Path traversal in basic-ftp Node.js FTP client library before 5.2.0 allows malicious FTP servers to write files outside the intended download directory. PoC and patch available.
Unprivileged users can extract LUKS encryption headers from the udisks daemon due to missing authorization checks on a privileged D-Bus method, allowing attackers to read sensitive cryptographic metadata and potentially compromise encrypted storage confidentiality. The vulnerability affects systems running vulnerable versions of udisks and requires local access to exploit. No patch is currently available.
A vulnerability has been identified within Rancher Manager, where using self-signed CA certificates and passing the -skip-verify flag to the Rancher CLI login command without also passing the -cacert flag results in the CLI attempting to fetch CA certificates stored in Rancher’s setting cacerts. [CVSS 8.3 HIGH]
Path traversal in Kubernetes PersistentVolume creation via pathPattern parameter allows creating volumes in arbitrary host filesystem locations. CVSS 9.9 with scope change.
URLs containing percent-encoded slashes (`/` or `\`) can trick wcurl into saving the output file outside of the current directory without the user explicitly asking for it. This flaw only affects the wcurl command line tool. [CVSS 4.6 MEDIUM]
Coturn TURN/STUN server contains an access control bypass that allows remote attackers to reach blocked internal addresses by exploiting IPv4-mapped IPv6 address handling in permission and channel binding requests. The vulnerability bypasses "denied-peer-ip" restrictions designed to block loopback ranges, enabling an attacker to interact with internal services that should be unreachable. Public exploit code exists for this flaw, and a patch is available in version 4.9.0 and later.
Pypdf versions up to 6.7.2 is affected by loop with unreachable exit condition (infinite loop) (CVSS 7.5).
OS command injection in OliveTin web shell interface through version 3000.10.0. OliveTin provides web-based access to predefined shell commands — the injection allows executing arbitrary commands beyond the whitelist. PoC available.
FileBrowser Quantum versions prior to 1.1.3-stable and 1.2.6-beta expose a password bypass vulnerability in shared files, allowing unauthenticated recipients to download protected content by accessing the direct download link embedded in share details. An attacker possessing only the share link can retrieve files without providing the intended password, completely circumventing access controls. Public exploit code exists for this vulnerability, and patches are available in the patched versions.
Arbitrary file write in Dagu workflow engine up to version 1.16.7 allows authenticated users with DAG write permissions to place malicious YAML files anywhere on the filesystem due to insufficient name validation in the CreateNewDAG API endpoint. Since Dagu executes DAG files as shell commands, an attacker can achieve remote code execution by overwriting existing DAGs or configuration files. Public exploit code exists for this vulnerability, and a patch is available.
Unbounded memory allocation in Fiber v3 (prior to 3.1.0) allows unauthenticated remote attackers to trigger denial of service by sending a malicious fiber_flash cookie that forces deserialization of up to 85GB of memory. All v3 endpoints are vulnerable regardless of flash message usage, and public exploit code exists. No patch is currently available.
Fiber web framework versions 3.0.0 and earlier on Windows contain a path traversal vulnerability that allows remote attackers to bypass static file middleware protections and read arbitrary files from the server. Public exploit code exists for this vulnerability, which affects applications using the vulnerable Fiber versions. The issue has been patched in Fiber v3.1.0.
Fiber web framework versions 2 and 3 are vulnerable to denial of service attacks when processing requests to routes containing more than 30 parameters, enabling remote attackers to crash affected applications without authentication. The vulnerability stems from insufficient validation during route registration and unbounded array writes in request matching logic. Public exploit code exists for this high-severity flaw, though patches are available in Fiber v2.52.12 and v3.1.0.
FastCGI path splitting vulnerability in Caddy before 2.11.1 allows request smuggling or path confusion when proxying to FastCGI backends (PHP-FPM). EPSS 0.19% with PoC available.
Caddy versions prior to 2.11.1 allow unauthenticated cross-origin requests to the admin API when origin enforcement is disabled, enabling attackers to remotely reconfigure the server through malicious web content loaded in a victim's browser. Public exploit code exists for this vulnerability, which can be leveraged to modify HTTP server behavior and admin listener settings without user knowledge. The vulnerability affects Caddy and TLS implementations, with no patch currently available for affected versions.
Host header case sensitivity bypass in Caddy before 2.11.1. Virtual host routing can be bypassed by using alternate casing in the Host header. PoC available.
Case sensitivity bypass in Caddy web server path matching before 2.11.1. HTTP path matchers can be bypassed using alternate casing on case-insensitive filesystems. PoC available.
TLS error swallowing in Caddy web server before 2.11.1 allows bypassing client certificate authentication. Errors in ClientCAs handling are silenced, potentially accepting invalid client certificates. PoC available.
Caddy versions prior to 2.11.1 fail to sanitize backslashes in file path matching, allowing attackers to bypass path-based security controls through specially crafted requests. The vulnerability affects systems with specific Caddy configurations and has public exploit code available. Exploitation requires network access with no authentication, resulting in limited information disclosure or modification of restricted resources.
NATS Server versions prior to 2.11.2 and 2.12.3 fail to properly limit memory allocation during WebSocket compression, allowing unauthenticated attackers to trigger denial of service through compression bomb attacks that exhaust server memory. The vulnerability is exploitable pre-authentication since compression negotiation occurs before credential validation. A patch is available in versions 2.11.2 and 2.12.3.