CVE Catalog
Browse the latest Common Vulnerabilities and Exposures (CVEs) with CVSS scores, affected products, and next-gen risk scores.
Zed IDE Remote Code Execution Vulnerability via Malicious Git Configuration
A remote code execution vulnerability exists in Zed IDE versions prior to 0.227.1. The issue arises when the application opens a folder containing a malicious .git/config file that exploits the core.fsmonitor Git configuration option. In untrusted mode, Zed executes arbitrary commands embedded in the poisoned configuration, potentially leading to full system compromise.
Zed Code Editor Terminal Tool Permission Bypass Vulnerability Allowing Arbitrary Code Execution
A vulnerability in Zed code editor versions prior to 0.229.0 allows for bypassing the terminal tool permission system. This is achieved by prepending environment variable assignments to allowlisted commands, which can hijack program behavior (such as the PAGER variable) to execute arbitrary code. The issue arises because Zed's regex-based allowlist does not consider environment variable prefixes, enabling the execution of attacker-controlled programs via common CLI tools that respect user-defined environment variables.
Zed Terminal Tool Permission Bypass Vulnerability Allowing Arbitrary Command Execution
A vulnerability in Zed code editor's terminal tool permission system prior to version 0.229.0 allows for a bypass via bash variable expansion chaining. This exploitation enables arbitrary command execution under an allowlisted command prefix. The issue arises because the permission system's regex-based allowlist validation only matches the initial command token and fails to evaluate nested shell expansions. While this vulnerability is present on Linux systems, it does not affect macOS due to an incompatible bash version,
Zed Remote Command Injection Vulnerability via Unquoted Environment Variable Keys
A command injection vulnerability has been identified in Zed code editor versions prior to 0.227.1. The issue arises in the SSH and WSL remote command execution paths, where environment variable keys are inserted into the command string without proper shell quoting or validation. This flaw allows an attacker to control environment variable keys—potentially through project terminal settings—leading to the evaluation of shell expansions in the keys, such as command substitution. As a result, arbitrary commands could be executed on the remote host under the account of the user running the terminal session.
Tigera Calico Azure IPAM Plugin CNI Log Exposure Vulnerability
A vulnerability exists in Tigera Calico when the Azure IPAM plugin is used. The Calico CNI binary modifies the incoming CNI configuration to include subnet details before passing it to the IPAM plugin. This modified configuration is logged in plaintext, including sensitive information such as the ServiceAccount token, client key, and certificate authority, which are exposed with every CNI ADD and DEL operation for pods on the node. This log exposure allows anyone with access to the CNI log file to retrieve these credentials, granting them cluster-wide Calico networking admin rights.
Tigera Calico CNI Plugin ServiceAccount Token Exposure Vulnerability
A vulnerability in Tigera Calico's CNI plugin allows for the unauthorized exposure of Kubernetes ServiceAccount bearer tokens. This issue arises because the install-cni init container logs the CNI configuration, including sensitive tokens, to standard output. The vulnerability is present in Calico deployments that use the __SERVICEACCOUNT_TOKEN__ placeholder, such as Canal and Flannel-Calico deployments. The exposed token grants patch privileges on pods/status, potentially enabling annotation-based attacks on cluster workloads. This vulnerability affects Calico versions 3.31 and 3.32.
EspoCRM Broken Access Control Vulnerability in Note Pinning API Allows Unauthorized Modifications
A business logic flaw allowing broken access control has been identified in EspoCRM versions 9.3.3 prior to 9.3.5. This vulnerability enables low-privileged users to pin notes arbitrarily without the necessary edit permissions for the associated parent object. The issue arises from a 'write first, authorize later' flaw in the backend API, specifically in the POST /api/v1/Note/{id}/pin endpoint. Although the server returns a 403 Forbidden error, the pinned status of the note is still changed in the database. The vulnerability allows unauthorized modifications to notes, which could disrupt business workflows by manipulating the visibility and priority of notes on objects the user does not own or have permission to edit.
EspoCRM Email Template Preparation Endpoint ACL Bypass Vulnerability Allowing Unauthorized Data Access
A vulnerability exists in EspoCRM versions prior to 9.3.5 within the POST /api/v1/EmailTemplate/:id/prepare endpoint. The endpoint accepts an emailAddress parameter and resolves the associated entity (Contact, Lead, Account, or User) without conducting an ACL check. This flaw enables an authenticated user with EmailTemplate read permission to access all field values of any entity by providing the target's email address, thereby circumventing read: own or read: team ACL restrictions. The issue arises because, when entities are resolved by email address, the process bypasses necessary access controls, directly adding the entity to the template rendering context and exposing all referenced data in the API response.
InHand Networks Industrial Routers Command Injection Vulnerability in IPSec VPN Function
A command injection vulnerability has been identified in the IPSec VPN feature of InHand Networks Industrial Routers IR302, IR305, IR315, and IR615, all running vulnerable firmware versions. This vulnerability allows attackers to execute arbitrary commands with root privileges on the affected devices.
InHand Networks Industrial Routers Command Injection Vulnerability in WireGuard VPN Function
A command injection vulnerability has been identified in the WireGuard VPN feature of InHand Networks industrial routers, specifically in the IR302, IR305, IR315, and IR615 models, all running vulnerable firmware versions. This vulnerability allows attackers to execute arbitrary commands with root privileges on the affected devices.
InHand Networks Industrial Routers Command Injection Vulnerability in ZeroTier VPN Function
A command injection vulnerability has been identified in the ZeroTier VPN feature of InHand Networks Industrial Routers IR302 (firmware through V3.5.108), IR305 (firmware through V1.0.118), IR315 (firmware through V1.0.118), and IR615 (firmware through V1.0.118). This vulnerability allows attackers to execute arbitrary commands with root privileges on the affected devices.
InHand Networks Industrial Routers Command Injection Vulnerability Granting Root Privileges
A command injection vulnerability has been identified in the Admin Access feature of InHand Networks IR302, IR305, IR315, and IR615 industrial routers, all running vulnerable firmware versions. This vulnerability allows attackers to execute arbitrary commands with root privileges on the affected devices.
SDMC NE6037 Cable Modem Router Hardcoded Password Vulnerability in Web Management Interface Recovery Endpoints
A hardcoded password vulnerability has been identified in SDMC NE6037 cable modem routers running firmware 7.1.6.0.25 and 7.1.6.1.9_B9. This vulnerability exists in the web management interface recovery endpoints, mgmt.php and npcmd.php, allowing unauthenticated attackers to gain root access by submitting the hardcoded credential via HTTP. Exploitation of this vulnerability enables attackers to activate filtered SSH and Telnet services on the device, resulting in unauthorized root-level remote access to the underlying system.
pypdf Memory Exhaustion Vulnerability via Large XMP Metadata Parsing
A memory exhaustion vulnerability has been identified in pypdf versions prior to 6.12.1. This issue arises when the library parses large XMP metadata streams, which can include excessive elements, leading to significant memory consumption. An attacker can exploit this vulnerability by crafting a PDF that takes advantage of the problematic metadata handling.
PyJWT Public Key JWK Accepted as HMAC Secret Vulnerability Allows Token Forgery
A vulnerability in PyJWT prior to version 2.13.0 allows for JSON Web Tokens (JWT) to be forged by exploiting the library's handling of public JSON Web Keys (JWK) in HMAC algorithms. When the verifier supports both asymmetric and HMAC algorithms, it fails to properly validate the use of JWKs with HMAC, enabling an attacker to use the issuer's public key as a secret key for HMAC. This flaw can be exploited to create JWTs that are accepted as valid, thereby impersonating users and bypassing authorization.
PyJWT Unauthenticated Denial-of-Service Vulnerability via Unbounded Base64URL Decoding in Detached JWS
A denial-of-service vulnerability has been identified in PyJWT, a JSON Web Token implementation in Python, affecting versions 2.8.0 through 2.12.1. The issue arises when verifying detached JWS tokens with the unencoded-payload option ('b64': false, RFC 7797). PyJWT decodes the payload segment before applying the detached-payload rules, allowing an attacker to send a large Base64URL payload that increases CPU usage and memory consumption, even with an invalid signature. This vulnerability creates an unauthenticated denial-of-service risk on endpoints that use PyJWT for detached JWS verification.
PyJWT Unbounded JWKS Endpoint Requests via Attacker-Controlled kid Values Leading to Denial-of-Service
A denial-of-service vulnerability has been identified in PyJWT versions through 2.12.1, specifically within the PyJWKClient component. The issue arises because the get_signing_key() method sends a new HTTP request to the JWKS endpoint for each JWT with an unrecognized kid value, without any rate limiting. Since the kid is sourced from the unverified token header, this behavior allows an attacker to generate unlimited outbound requests. The problem occurs only when a JWKS fetch fails, creating a dependency on the behavior of the upstream JWKS endpoint, such as rate limiting or transient errors. This vulnerability can lead to increased network latency and disrupt authentication processes: because the JWKS cache is cleared on fetch errors, authentication depends on the next successful fetch to restore normal operation.
PyJWT Algorithm Allow-List Bypass Vulnerability in PyJWK Verification
A vulnerability exists in PyJWT versions 2.9.0 through 2.12.1, allowing a verifier-side algorithm allow-list bypass when decoding JSON Web Tokens (JWTs) with PyJWK keys. The issue arises because, while the JWT header's algorithm is checked against a caller-supplied allow-list, the actual signature verification uses the algorithm associated with the PyJWK object, not the header algorithm. This flaw enables an attacker controlling a registered JWK/JWKS private key to sign tokens with disallowed algorithms, bypassing server-side algorithm policies. The vulnerability affects the documented PyJWKClient.get_signing_key_from_jwt(...) flow.
PyJWT PyJWKClient URL Scheme Validation Vulnerability Allowing SSRF and Token Forgery
A vulnerability in PyJWT's handling of JSON Web Tokens has been identified in versions through 2.12.1. The issue arises because PyJWKClient passes its 'uri' argument directly to urllib's 'urlopen' function, which accepts various URL schemes including 'file://', 'ftp://', and 'data:'. This lack of validation allows an attacker to exploit applications that ingest URLs from untrusted sources, such as JWT headers or configuration files. The exploitation can lead to several issues: reading arbitrary local files via 'file://' (resulting in server-side request forgery on the local filesystem), initiating FTP or data-URI fetches (broadening the SSRF attack surface), or forging tokens that PyJWT incorrectly verifies as valid. The vulnerability is particularly concerning because, while the library does not directly expose non-HTTP(S) URI contents to the attacker, it can be chained with other application-layer flaws to create a significant security risk.
pypdf Cross-Reference Stream Vulnerability Leading to Excessive Processing Time
A performance-related vulnerability has been identified in pypdf, a pure-Python PDF library, affecting versions prior to 6.12.0. The issue arises when an attacker crafts a PDF that exploits cross-reference streams with specific width values and large size attributes, leading to prolonged processing times. This vulnerability has been addressed in version 6.12.0.
pypdf Memory Consumption Vulnerability in Layout Text Extraction Prior to 6.12.0
A vulnerability in pypdf, a pure-Python PDF library, prior to version 6.12.0, allows attackers to create PDFs that cause excessive memory usage. This issue arises when extracting text in layout mode with large character offsets. The vulnerability has been addressed in version 6.12.0.
TinyMCE Stored Cross-Site Scripting Vulnerability via Forged mce:protected Comments
A stored cross-site scripting (XSS) vulnerability has been identified in TinyMCE versions prior to 5.11.1, 7.0.0 prior to 7.9.3, and 8.0.0 prior to 8.5.1. The vulnerability allows attackers to inject scripts into forged mce:protected comments, bypassing sanitization. These injected scripts are executed when the content is restored, impacting users who utilize the protect option.
TinyMCE Stored Cross-Site Scripting Vulnerability in Media Plugin
A stored cross-site scripting vulnerability has been identified in TinyMCE versions prior to 5.11.1, 7.0.0 prior to 7.9.3, and 8.0.0 prior to 8.5.1. This vulnerability allows attackers to inject malicious scripts through crafted 'data-mce-*' attributes, which are executed when the content is rendered. The issue affects users with the media plugin enabled.
TinyMCE XSS Vulnerability via SVG Namespace Sanitization Bypass
A cross-site scripting (XSS) vulnerability has been identified in TinyMCE versions 6.8.0 prior to 7.1.0. The issue arises from improper handling of SVG namespace scope in the sanitizer, allowing a crafted payload with nested elements to bypass attribute sanitization and execute arbitrary JavaScript. This vulnerability is present in the TinyMCE rich text editor, which is available as an open-source project.
TinyMCE Stored Cross-Site Scripting Vulnerability via Unsanitized Data-MCE Attributes
A stored cross-site scripting vulnerability has been identified in TinyMCE versions prior to 5.11.1, 7.0.0 prior to 7.9.3, and 8.0.0 prior to 8.5.1. The issue arises from unsanitized data-mce attributes, specifically data-mce-href, data-mce-src, and data-mce-style. This vulnerability allows attackers to inject malicious values that can override safe attributes during serialization, bypassing validation. The injected scripts are executed when the content is rendered.
Python Liquid File System Loader Absolute Path Vulnerability Allowing Arbitrary File Inclusion
A vulnerability exists in Python Liquid versions prior to 2.2.0, where the built-in FileSystemLoader and CachingFileSystemLoader do not properly restrict file access when given absolute paths. This flaw enables malicious template authors to include and render arbitrary files using the {% include %} and {% render %} tags. The targeted files must contain valid Liquid markup and be accessible by the application process.
Mapfish Print Remote Code Execution Vulnerability in Dynamic Table
A remote code execution vulnerability has been identified in the Mapfish Print component, affecting versions 3.23.0 prior to 3.28.28, 3.29.0 prior to 3.30.30, 3.31.0 prior to 3.31.21, 3.32.0 prior to 3.33.14, and 3.34.0 prior to 4.0.3. The vulnerability allows attackers to execute arbitrary code in the Dynamic table without authentication.
esm.sh Local File Inclusion Vulnerability in esbuild Plugin
A Local File Inclusion (LFI) vulnerability has been identified in esm.sh, a no-build content delivery network (CDN) for web development, affecting versions through 137. The issue arises in the esbuild plugin's management of the browser field in package.json. An attacker can publish a malicious npm package that tricks the server into reading and returning arbitrary files from the host filesystem during the build process.
esm.sh Legacy Router Path Traversal Vulnerability Leading to Arbitrary File Write and Remote Code Execution
A path traversal vulnerability has been identified in esm.sh, a no-build content delivery network for web development, affecting versions prior to 137. The issue arises in the legacy router, which concatenates request path components into a storage key without proper sanitization. This key is then used to write data to the file system, allowing attackers to manipulate the path and overwrite files in arbitrary locations on the server. Exploitation of this vulnerability could lead to privilege escalation and remote code execution by overwriting critical binaries or scripts.
Espressif Shared GitHub Action DangerJS Untrusted Search Path Vulnerability Allowing Arbitrary Code Execution
A vulnerability exists in Espressif Shared GitHub Action DangerJS versions prior to 1.0.1. The issue arises because the action's entrypoint script executes DangerJS from the caller's workspace after transferring the fork's checkout, creating an untrusted search path for binary and Node.js module resolution. This flaw allows fork-supplied code to run inside the action container, potentially leading to arbitrary code execution. The vulnerability is particularly concerning when the action is used in a pull_request_target workflow, as it could allow manipulation of the GITHUB_TOKEN and access to sensitive job-exposed secrets.
CryptX Stack Buffer Overflow Vulnerability in AEAD Decrypt Verify Helpers
A stack buffer overflow vulnerability has been identified in CryptX versions prior to 0.088_001 for Perl. The issue resides in four authenticated encryption with associated data (AEAD) decryption verification helpers: gcm_decrypt_verify, ccm_decrypt_verify, chacha20poly1305_decrypt_verify, and eax_decrypt_verify. These routines improperly handled the authentication tag by copying it into a fixed 144-byte stack buffer without validating the length of the supplied tag. This oversight allows a longer tag to overwrite adjacent stack memory, potentially leading to arbitrary code execution or other malicious outcomes. The vulnerability can be exploited by any caller of the affected helpers that sends an attacker-controlled tag exceeding the buffer size.
phpMyFAQ Unauthenticated Password Reset Vulnerability in User Password Update API
A vulnerability exists in phpMyFAQ versions prior to 4.1.3, allowing unauthenticated users to reset passwords through the user password update API endpoint. This flaw enables attackers to change passwords without proper token validation. By sending PUT requests to the /api/index.php/user/password/update endpoint, attackers can disrupt accounts and invalidate legitimate user credentials. The vulnerability also allows for enumeration of valid username and email pairs, as the API response differs between valid and invalid combinations.
phpMyFAQ Authentication Bypass Vulnerability in Password Reset Endpoint Allowing Account Takeover
An authentication bypass vulnerability has been identified in phpMyFAQ versions prior to 4.1.3. This vulnerability exists in the password reset endpoint, allowing unauthenticated attackers to reset any user account password without the need for token verification or email confirmation. Exploitation of this vulnerability enables attackers to take over user accounts, including those with administrative privileges. The issue arises from the absence of a verification token, lack of rate limiting on the endpoint, and the failure to send a confirmation email before resetting passwords. As a result, attackers can enumerate valid usernames, receive plaintext passwords via email, and gain full access to user accounts, including SuperAdmin accounts.
phpMyFAQ Authentication Bypass Vulnerability Allowing Unauthenticated API Access
A vulnerability in phpMyFAQ versions prior to 4.1.3 allows authentication bypass in API v4.0. The issue arises because the default API client token is empty, enabling unauthenticated users to create and modify FAQ entries, categories, and questions. Exploitation involves sending an empty 'x-pmf-token' header to bypass token validation and inject content through specific POST endpoints.
phpMyFAQ Password API Insecure Direct Object Reference Vulnerability Allowing Unauthorized Password Changes
A vulnerability allowing insecure direct object reference (IDOR) has been identified in phpMyFAQ versions prior to 4.1.3. This vulnerability exists in the admin API user password endpoint, where authenticated administrators can change any user's password without proper authorization verification. An attacker with low-privilege admin rights can exploit this to gain SuperAdmin access by altering the userId parameter in the password overwrite API request.
QOS.CH Logback Deserialization Vulnerability in Socket Servers Allowing Object Injection
A vulnerability in QOS.CH Logback's logback-core module, specifically in the HardenedObjectInputStream, allows for object injection through deserialization of untrusted data. An attacker can exploit this by influencing serialized data sent to either SimpleSocketServer or SimpleSSLSocketServer. While the HardenedObjectInputStream is designed to restrict deserialization, this vulnerability bypasses those security measures, allowing the instantiation of certain objects from the java.lang and java.util packages that are not explicitly blocked. Although this issue does not currently lead to remote code execution or significant privilege escalation, it still represents a notable security risk. This vulnerability affects Logback versions through 1.5.32 inclusive.
View Concept Kidsview Mobile Application Authentication Bypass Vulnerability
An authentication bypass vulnerability has been identified in the Kidsview mobile application, developed by View Concept. This issue affects versions 4.0.1 prior to 4.4.3. The vulnerability allows a user with physical access to a smartphone to bypass the authentication mechanism and gain full access to the device owner's account by interacting with the application's push notifications.
Mennekes Amtron Series Privilege Escalation Vulnerability
A privilege escalation vulnerability exists in the Mennekes Amtron series, specifically in firmware versions through 5.22.3. This vulnerability allows an authenticated low-privileged user to change the passwords of admin and manufacturer accounts by sending crafted POST requests. Successful exploitation could lead to unauthorized access and control over the charging infrastructure.
Mennekes Amtron Series Authentication Bypass Vulnerability
An authentication bypass vulnerability has been identified in the Mennekes Amtron series, specifically in firmware versions through 5.22.3. This vulnerability allows an unauthenticated remote attacker to change the password of a user account by sending a crafted POST request to the /operator/operator endpoint.
Canonical Multipass Path Traversal Vulnerability in SFTP Server Component Allowing VM Escape
A path traversal vulnerability has been identified in Canonical Multipass versions prior to 1.16.3. The issue resides in the host-side SFTP server component, sshfs_server, which runs with root privileges. The vulnerability arises because the validate_path function in src/sshfs_mount/sftp_server.cpp performs a simple string prefix comparison on requested paths without validating path separators or normalizing directory traversal sequences. This flaw allows a local attacker with root access inside a guest virtual machine to bypass the FUSE layer by injecting raw SFTP frames, such as an SSH_FXP_OPEN request, directly into the sshfs_server process's stdin/stdout pipes via procfs. By crafting a path traversal that aligns with the allowed mount prefix, the attacker can manipulate the host-side root process to access files outside the designated mount boundary. This exploitation enables the guest user to read arbitrary files from the host filesystem, resulting in a virtual machine escape.
Canonical Multipass Local Privilege Escalation Vulnerability
A local privilege escalation vulnerability exists in Canonical Multipass for macOS, in versions prior to 1.16.3. The issue arises from an incomplete fix for a previous vulnerability, CVE-2025-5199. While the update in version 1.16.0 changed the ownership of the 'multipassd' daemon binary to 'root:wheel', five other binaries in the same directory retained user ownership and remained writable. These binaries, which include 'multipass', 'qemu-img', 'qemu-system-aarch64', 'qemu-system-x86_64', and 'sshfs_server', are invoked by the root LaunchDaemon, creating an opportunity for local attackers to replace them with malicious versions that execute with root privileges, thereby escalating privileges.
bzip2 Off-by-One Error in bzip2recover Utility Leading to Memory Corruption and Denial-of-Service
A vulnerability exists in bzip2 versions prior to 1.0.9, specifically within the bzip2recover utility. The issue arises from an off-by-one error that allows for an out-of-bounds write to a global buffer when the application processes specially crafted files. This memory corruption causes a crash, creating a denial-of-service condition.
SMSGate SMS Core Insecure Deserialization Vulnerability in CMPP 7F Protocol Allowing Remote Code Execution
A remote code execution vulnerability exists in SMSGate sms-core versions through 2.1.13.6, specifically within the CMPP 7F protocol. The issue arises in the 'Cmpp7FDeliverRequestMessageCodec.java' component, where the 'attachment' field is deserialized without proper validation. This flaw enables attackers to craft malicious serialized data that, when processed by the server, executes arbitrary code.
Responsive File Manager Local File Inclusion and Arbitrary File Creation Vulnerability
A vulnerability in Responsive File Manager version 9.14.0 allows remote attackers to execute arbitrary code by exploiting the force_download.php component. This issue arises from a Local File Inclusion (LFI) vulnerability that can be leveraged to access sensitive files on the server, potentially leading to a full compromise of the host. Additionally, the vulnerability allows for arbitrary file creation, enabling the upload of malicious files that could be executed as PHP scripts, further compromising the server.
Roundcube Webmail Local and Private URL Fetch Bypass Vulnerability
A vulnerability in Roundcube Webmail's HTML sanitization process for message rendering allows loopback, localhost, RFC1918, link-local, and ULA URLs to be accessed, even when remote content loading is disabled. This issue can be exploited by a remote attacker who sends an HTML email that, when previewed, causes the recipient's browser to make requests to local or private-network services.
Plack Middleware Security Common Header Injection Vulnerability
A vulnerability exists in Plack::Middleware::Security::Common for Perl, affecting versions prior to 0.13.1. The issue allows header injections in request paths to bypass security measures, unless the injections are double-encoded. For instance, a request path could be crafted to include CRLF sequences followed by additional headers, potentially evading detection by reverse proxies or Plack-based servers.
Apache Artemis and Apache ActiveMQ Artemis STOMP Protocol Routing-Type Vulnerability
A vulnerability in Apache Artemis and Apache ActiveMQ Artemis allows users to modify the routing-type of addresses via the STOMP protocol, without having the necessary permissions. This issue affects Apache Artemis versions 2.50.0 to 2.53.0 and Apache ActiveMQ Artemis versions 2.0.0 to 2.44.0. The vulnerability arises because users with send or consume permissions can change the routing-type, even if they lack the createAddress permission for that address. As a result, users could send or receive messages using unsupported routing-types, contrary to the intended permission restrictions.
FlowIntel Server-Side Request Forgery Vulnerability in External Reference URL Probe
A server-side request forgery (SSRF) vulnerability has been identified in FlowIntel versions prior to 3.3.0. The issue arises in the external reference URL probe functionality within app/case/task.py. This vulnerability allows an attacker who can submit an external reference URL to manipulate the application server into sending an HTTP HEAD request to a destination of their choice. The vulnerability is rooted in inadequate validation of the URL scheme and the resolved destination address, which may permit requests to loopback, link-local, private, reserved, or other restricted network resources. Such interactions could potentially access internal services or cloud metadata endpoints from the server's network context.
D-Link DWR-X1820 Router Weak Default Password Vulnerability
A vulnerability exists in the D-Link DWR-X1820 router due to the use of weak default passwords generated from the device's IMEI number. The router does not require users to change this default password, allowing attackers who know the password generation method to easily crack it if they have the IMEI number. This issue affects versions 1.00B14CP prior to 1.00B16CP.
ExAws.SNS Improper Certificate Validation Vulnerability Allowing Signature Spoofing
A vulnerability in the ExAws.SNS and ExAws.SNS.PublicKeyCache modules of the ex_aws_sns package, versions 2.0.1 prior to 2.3.5, allows for signature spoofing due to improper validation of certificate URLs. The issue arises because the 'verify_message/1' function retrieves the signing certificate from the 'SigningCertURL' field of incoming SNS messages without ensuring that the URL is HTTPS or that it belongs to an AWS-owned domain. This flaw enables an unauthenticated attacker to post to an endpoint that invokes 'verify_message/1', supply a malicious 'SigningCertURL', and sign a forged SNS message, bypassing the signature verification process entirely.
