A missing length validation in the Zephyr Bluetooth Host ISO receive path can be triggered by malformed HCI ISO data. In bt_iso_recv() (subsys/bluetooth/host/iso.c), when processing PB=START/SINGLE fragments, the code pulls a TS SDU header (8 bytes, ts=1) or a non-TS SDU header (4 bytes, ts=0) witho...
A malformed Bluetooth Classic SDP attribute can trigger a reachable assertion in Zephyr's SDP parser. In subsys/bluetooth/host/classic/sdp.c, bt_sdp_parse_attribute() accepts an input buffer once it contains the 1-byte attribute type and 2-byte attribute id, but then unconditionally pulls an ad...
Zephyr's ext2 directory-entry parser does not fully validate on-disk directory entry structure before copying the entry name and advancing traversal state. In ext2_fetch_direntry() (subsys/fs/ext2/ext2_diskops.c), the code only checks de_name_len <= EXT2_MAX_FILE_NAME and then copies the nam...
Gogs has the ability to import local repositories via Mirror Settings
Gogs Vulnerable to CSRF Leading to Organization Owner Takeover
Gogs Missing Authorization in Attachment Download
Gogs has Stored XSS in `.ipynb` Preview
Gogs has DoS in rendering issue index pattern
@actual-app/web has CSV Formula Injection in Transaction Export via Imported Payee/Notes Fields
@budibase/backend-core has potential SSRF DNS rebinding bypass in outbound fetch validation
Budibase has arbitrary file read by workspace-builder via PWA-zip symlink upload
Budibase: Mass Assignment in Webhook Trigger Allows Cross-Workspace Automation Execution via appId Override
@actual-app/sync-server: Disabled OpenID users keep access through existing session tokens
Budibase: POST /api/attachments/:datasourceId/url is unauthenticated and lets anonymous callers mint S3 PUT pre-signed URLs using stored datasource IAM credentials
vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.22.1, the vLLM Dockerfile is vulnerable to a dependency confusion attack through the flashinfer-jit-cache package. The package is installed from a custom index (flashinfer.ai/whl/) using --extra-index-url, but the p...
Budibase: Unauthenticated S3 signed upload URL generation allows arbitrary writes with stored datasource credentials
Budibase has an Account Impersonation Issue - Chat Identity Link Hijacking via Missing Consent & CSRF
zeroconf: Unvalidated rdlength in record payload readers allows LAN-local cache corruption via crafted mDNS packet
scimPatch vulnerable to prototype pollution via unfiltered keys in patch
Gogs has SSRF in webhook deliveries