Deno: process.loadEnvFile() bypasses env permission checks and mutates process.env with only read access
Deno: WebSocket API sandbox bypass via missing post-DNS check
Deno: `fetch()` API sandbox bypass via missing DNS resolution check
Traefik: SNICheck ignores wildcard TLSOptions mappings, allowing domain-fronted mTLS bypass
n8n: Merge Node SQL Mode Prototype Pollution
n8n: Prototype Pollution enables confused-deputy execution via public webhooks
n8n: Same-Origin XSS in Respond to Webhook Node
n8n: Missing Token Validation on Microsoft Agent 365 Trigger and Stripe Nodes
n8n: NoSQL Injection in MongoDB Node Find And Replace Operation
n8n: SQL Injection in Postgres v1/TimesclaeDB Nodes
n8n: Git Node Clone and Push Operations Bypass File Sandbox
n8n: Python sandbox escape
vLLM: OpenAI auth bypass
Langflow: Unauthenticated Shareable Playground arbitrary local or S3 file read
Langflow: Unauthenticated RCE in Shareable Playgrounds
Langflow: Path Traversal in Knowledge Bases API via Creation Endpoint
vLLM: Security Check Bypass via assert Statement in Activation Function Loading Allows Arbitrary Code Execution
Langflow: IDOR/BOLA in Monitor API โ Missing Ownership Enforcement on 7 Endpoints
Perry before 0.5.1166 contains a JWT validation vulnerability that allows remote attackers to bypass token expiration by exploiting the unconditional setting of validate_exp = false in the verify_decode helper within the stdlib JWT verification path. Attackers in possession of a previously issued be...
Passing of unsanitized strings from DHCP replies into the wicked dhcp client before wicked 0.6.79 could be used by attackers operating a malicious DHCP server to execute code on the local machine.