Mastodon is a free, open-source social network server based on ActivityPub. In versions there is a missing condition in the check if remote accounts consented to be featured in a remote Collection could lead to attackers bypassing the check and faking consent. An attacker could forge the FeatureAuth...
A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, remote attacker to create a file or overwrite any file on the filesystem of an affected system. This vulnerability exists because the affected software does not properly validate...
Symfony: UrlGenerator Dot-Segment Encoding Skips Every Other Chained `../` or `./` โ Generated URL Collapses Off-Route Under RFC 3986 Normalization
Symfony: HtmlSanitizer URL Parser Deny Gates Underinclusive: Percent-Encoded BiDi Marks and Unicode Whitespace Bypass Visual-Spoofing Defense
Symfony: Mailomat Mailer Webhook Parser Reads the HMAC Algorithm from the Request: Signature Algorithm Downgrade
Symfony: IpUtils::PRIVATE_SUBNETS Omits IPv6 Transition Forms (6to4, NAT64, Teredo, IPv4-compatible): SSRF Bypass in NoPrivateNetworkHttpClient
protobufjs: Denial of service through unbounded Any expansion during JSON conversion
Symfony: Security Firewall Bypass via failure_forward Subrequest: Unauthenticated Access to access_control-Protected GET Routes
protobufjs : Schema-derived names can shadow runtime-significant properties
@angular/service-worker: Sensitive Header Leakage on Cross-Origin Redirects in Angular Service Worker
@angular/common: Denial of Service (DoS) via OOM in Date Formatting (formatDate)
@angular/common: Weak 32-Bit Cache Key Hashing in `HttpTransferCache` Leading to Cross-Request Data Leakage and State Poisoning
@angular/compiler: Two-Way Property Binding Sanitization Bypass (XSS)
Angular: Template and Attribute Namespace Sanitization Bypass (XSS)
@angular/platform-server: Missing `<noscript>` Raw-Text Serialization Escaping leads to Cross-Site Scripting (XSS) in Angular SSR
@angular/platform-server: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
node-tar applies PAX size override to intermediary GNU long-name/long-link headers, causing tar parser interpretation differential (file smuggling)
launch-editor: NTLMv2 hash disclosure via UNC path handling on Windows
vite: `server.fs.deny` bypass on Windows alternate paths
JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases