Concrete CMS 9.5.0 and below is vulnerable to Remote Code Execution due to insecure deserialization occurring in the ExpressEntryList block controller. A rogue administrator with privileges to add blocks to an area can bypass the intended protection mechanism (_fromCIF === true), which normally re...
Concrete CMS 9.5.0 and below fails to sanitize path traversal sequences in the ptComposerFormLayoutSetControlCustomTemplate field when saving page type composer form layouts. An authenticated rogue administrator with composer form editing rights can exploit this to include arbitrary readable files o...
Concrete CMS 9.5.0 and below is vulnerable to unauthenticated file usage disclosure via missing permission check in the usage controller. Any unauthenticated visitor can request /ccm/system/dialogs/file/usage/{fID} with any file ID and receive a list of every page that references that file, includ...
LiteLLM prior to 1.83.10 allows a user to modify their own user_role via the /user/update endpoint. While the endpoint correctly restricts users to updating only their own account, it does not restrict which fields may be changed. A user who can reach this endpoint can set their role to proxy_admin,...
LiteLLM prior to 1.83.14 allows an authenticated internal_user to create API keys with access to routes that their role does not permit. When generating a key, the allowed_routes field is stored without verifying that the specified routes fall within the user's own permissions. A key created wi...
Russh: Unchecked CryptoVec allocation and growth handling is reachable
Umbraco.Cms: XSS/HTML Injection in Umbraco Backoffice confirmation dialog
FlaskBB: SSRF in get_image_info() via unrestricted avatar URL
NocoDB: Stale Auth Cache After API Token Deletion
NocoDB: Attachment Size Limit Bypass via Upload-by-URL
NocoDB: Shared-base link access can invite arbitrary users as persistent base members
NocoDB: Missing File Size Enforcement in Upload-by-URL Allows Denial of Service via Disk Exhaustion
NocoDB: Refresh Token Cookie Set Without `secure` and `sameSite` Flags
NocoDB: OAuth Token Scope Not Enforced at ACL Layer Allows Scope Escalation
NocoDB: SSRF Protection Bypass in Notification Webhook Plugins (Slack, Discord, Mattermost, Teams)
NocoDB: Reflected Cross-Site Scripting via Page Leaving Redirect URL
MCP Server Kubernetes: Tool Access Control Bypass via Presentation-Layer Filtering Without Execution-Layer Enforcement
SpiceDB: Caveat structures with nested lists can result in improper cache reuse
Plonky3 MultiField32Challenger: transcript malleability and challenge entropy loss
Snappy: Binary path is never shell-escaped due to an inverted is_executable check