JWT tokens that were used by workers in Kubernetes Executors have been exposed to users who had read-only access to Kubernetes Pods. This could allow users with just read-only access to perform actions that were only available to running tasks via the Task SDK and potentially allow them to modify the state of Ai...
FileBrowser Quantum: unauthenticated user share info
SQLFluff: Uncontrolled Resource Consumption in SQLFluff Parser
SQLFluff: Recursive Stack Overflow in Parser
SillyTavern: SSRF in SearXNG Search Proxy via Unvalidated baseUrl
Dasel: Denial of service in dasel selector lexer due to infinite loop on unterminated regex literal
Dasel: Index-out-of-range panic in dasel selector lexer on trailing backslash in quoted string
@libp2p/kad-dht: Unvalidated PUT_VALUE records allow unbounded disk exhaustion on DHT server nodes
Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft
Nuxt: `__nuxt_island` endpoint does not bind responses to request props, enabling shared-cache poisoning
Regression in pymdownx.snippets reintroduces sibling-prefix path traversal bypass despite restrict_base_path
PenPot MCP REPL server binds to 0.0.0.0 with unauthenticated /execute endpoint → RCE
FPDI: Memory Exhaustion and Endless Loop in FPDI leads to Denial of Service
Wire: skipGroup() missing negative-length check allows 10-byte payload to crash any Wire-decoding service
Coder: Unauthenticated SSRF via Azure Instance Identity Endpoint
HAX CMS: Denial of Service using Malicious Import Request
OpenMcdf: Uncatchable infinite loop in DirectoryTree.TryGetDirectoryEntry on crafted CFB directory cycle
rust-openssl: Potential out-of-bounds write in `CipherCtxRef::cipher_update_inplace` for AES-KW-PAD ciphers
9router: Unauthenticated Remote Code Execution via unprotected MCP custom plugin routes
Kopia: RCE via SSH ProxyCommand Injection