Address bar spoofing in Arc Search for Android allows a remote attacker to display a trusted domain in the address bar while rendering attacker-controlled content, enabling phishing.
Pi Agent: Potential XSS in HTML session exports via Markdown URL sanitization bypass
Gitea: Token scope bypass on web archive download endpoint
Gitea: Missing repository-unit authorization on issue-template API endpoints
Gitea: Incomplete CVE-2025-68941 fix: /user/orgs missing checkTokenPublicOnly + switch-case logic flaw
Gitea: Authorization Bypass via "Allow edits from maintainers" allows unauthorized commits to any readable repo
Gitea: OAuth2 access token scope enforcement bypass via HTTP Basic authentication
Gogs: Overwriting critical files results in a denial of service
Rclone: Unauthenticated command execution in `rclone rcd --rc-serve` via inline remote instantiation, bypassing CVE-2026-41179 fix
LiteLLM: Authentication Bypass via Host Header Injection
Gitea: Git Smart HTTP Skips Repository Token Scopes for Bearer Tokens
n8n: SecurityScorecard Node Leaks API Token to User-Controlled Host
n8n: MCP Browser HTTP Transport Exposes Unauthenticated Browser-Control Sessions
n8n: Cross-Tenant Credential Takeover via Dynamic Credentials EE Endpoints
n8n: Credential Exfiltration via Permission Bypass
n8n: Denial of Service via ZIP decompression in webhook workflow
n8n: Stored XSS in Chat Trigger Node
n8n: Reflected XSS via Facebook, WhatsApp, and Microsoft Teams Trigger Webhook Verification Endpoints
n8n: Microsoft SQL Node Prototype Pollution
Daytona: Cross-org IDOR in organization role update/delete - any org owner can rewrite or destroy another org's roles