CVE Catalog

Browse the latest Common Vulnerabilities and Exposures (CVEs) with CVSS scores, affected products, and next-gen risk scores.

May 27, 2026

pam_usb Deny Remote Feature Bypass Vulnerability in SSH Authentication

A vulnerability exists in pam_usb versions prior to 0.9.0, where the deny_remote feature incorrectly classifies IPv4-mapped IPv6 addresses as local. This misclassification allows an attacker with physical access to a registered USB device to authenticate over SSH as if they were at a local terminal, bypassing the intended remote authentication restrictions. The issue arises because the remote detection only checks the first word of the IPv6 address, leaving IPv4-mapped addresses unverified. This vulnerability is particularly relevant on systems with the SSH daemon configured to accept connections over IPv6.

2.2
May 27, 2026

Anchor Framework System Program ID Validation Vulnerability Allowing Arbitrary CPI

A logic error in the Anchor framework for Solana programs, affecting versions 1.0.0 prior to 1.0.2, allows programs to accept any program ID when the system program ID is required. This flaw can lead to false assumptions and potential arbitrary cross-program invocations (CPI) in programs that use system program instructions. The issue arises because the default behavior of the program ID validation can be manipulated, allowing any executable account to be passed in instead of the intended system program. As a result, programs may inadvertently invoke instructions from unauthorized programs, bypassing expected payment processes and potentially exploiting other functionalities.

4.7
May 27, 2026

Claude Code Cache Fix Local Code Execution Vulnerability via Python Triple-Quote Injection

A local code execution vulnerability has been identified in the Claude Code Cache Fix tool, specifically in versions 3.5.0 prior to 3.5.2. The issue arises in the 'tools/quota-statusline.sh' script, which interpolates hook stdin payloads directly into a Python triple-quoted string. This allows for injection of Python code execution by manipulating the payload with a specific byte sequence. The vulnerability is present when the script is integrated into the Claude Code statusLine configuration, a setup recommended in the tool's README.

3.0
May 27, 2026

pam_usb Command Injection Vulnerability in Tmux Integration Leading to Root Privilege Escalation

A command injection vulnerability has been identified in pam_usb versions prior to 0.8.7, specifically within the tmux integration. The issue arises in src/tmux.c, where the user's $TMUX environment variable is read, split on commas, and the socket-path component is directly interpolated into a shell command executed by popen(). This interpolation occurs without proper sanitization, allowing any value containing a double quote to terminate the quoted string and inject arbitrary shell commands. The popen() function is executed with root privileges in the PAM stack, creating a significant security risk. Exploitation of this vulnerability allows local users to bypass USB authentication and gain unauthorized root access.

3.5
May 27, 2026

pam_usb Shell Injection Vulnerability in Configuration Tools Allowing Root Remote Code Execution

A vulnerability in pam_usb versions prior to 0.8.7 allows for root remote code execution through shell injection via crafted UUIDs or usernames. This issue arises because two Python helper tools, pamusb-conf and pamusb-agent, improperly handle user-controlled data by passing it directly into shell commands. Exploitation can occur by manipulating the UUID of a USB device or the username in the pam_usb configuration.

2.4
May 27, 2026

pam_usb Authentication Bypass and Root File Corruption Vulnerability

A vulnerability in pam_usb prior to version 0.8.7 allows for authentication bypass and corruption of root-owned files. This issue arises from symlink attacks on the pad directory and pad files, exploiting weaknesses in how the application handles filesystem paths. The vulnerability is fixed in version 0.8.7.

2.3
May 27, 2026

pam_usb NULL Pointer Dereference Vulnerability Leading to Denial-of-Service

A NULL pointer dereference vulnerability has been identified in pam_usb versions prior to 0.8.7. The issue arises in src/device.c, where the return values of udisks_drive_get_serial(), udisks_drive_get_vendor(), and udisks_drive_get_model() are passed directly to strcmp() without checking for NULL. According to the GIO/UDisks API documentation, these accessors can return NULL for devices that do not provide the corresponding information. Passing NULL to strcmp() results in undefined behavior, typically causing a segmentation fault (SIGSEGV). This vulnerability can be exploited by an attacker with physical access who connects a USB device or mass-storage gadget that does not expose a serial number via UDisks. The PAM module crashes during device enumeration, leading to authentication failures for all users on the affected service until the device is removed. On a single-user workstation with pam_usb configured for login, this causes a complete lockout.

2.0
May 27, 2026

pam_usb Arbitrary Command Execution Vulnerability via PINENTRY_FALLBACK_APP

A vulnerability in pam_usb versions prior to 0.8.7 allows for arbitrary command execution. The issue arises in the pamusb-pinentry tool, which executes the PINENTRY_FALLBACK_APP environment variable without validation. This flaw can be exploited by any process that sets environment variables before pamusb-pinentry is called, directing PINENTRY_FALLBACK_APP to an arbitrary binary or script that is then executed with the privileges of the pam_usb tool chain. Additionally, in versions prior to 0.8.7, the GNOME Keyring unlock password was exposed in process arguments, briefly visible to other local users.

2.2
May 27, 2026

UltraJSON Memory Leak Vulnerability in ujson.dump() Prior to 5.12.1

A memory leak vulnerability has been identified in UltraJSON versions through 5.12.0. The issue arises in the ujson.dump() function when writing to a file-like object. If the write operation fails, the serialized JSON string is not properly cleaned up, leading to a memory leak. Each failed write operation causes a leak equivalent to the size of the serialized payload. This vulnerability is not present when using ujson.dumps() or the JSON load/decode methods.

6.8
May 27, 2026

HCL BigFix Remote Control Server WebUI Content Security Policy Bypass Vulnerability

A vulnerability exists in HCL BigFix Remote Control Server WebUI in versions through 10.1.0.0442. The issue arises from a misconfigured Content Security Policy (CSP) that fails to establish directives without fallbacks. This flaw enables attackers to circumvent intended security measures and load unauthorized resources.

3.8
May 27, 2026

Wireshark ROHC Protocol Dissector Denial-of-Service Vulnerability

A denial-of-service vulnerability has been identified in the ROHC (Robust Header Compression) protocol dissector of Wireshark. This issue affects versions 4.6.0 through 4.6.5 and 4.4.0 through 4.4.15. The vulnerability arises when the uncompressed profile is used with large CID (Context Identifier) values, leading to a heap corruption issue. Specifically, the problem occurs when a packet's length matches the value length of the CID field, causing a NULL buffer to be created and manipulated improperly, which can crash the application.

6.8
May 27, 2026

Gladinet Triofox Cloud Server Agent Unauthenticated Access Vulnerability

A vulnerability exists in the Gladinet Triofox Cloud Server Agent Access Service (GladServerAgentService.exe) versions prior to 17.1.10488.57063. The service listens on TCP port 7878 and accepts remote HTTP messages directed to specific URL paths, including /resources, /status, /sysinfo, /woshome, /Settings, /schedule, and /DavCache. This vulnerability allows unauthenticated remote attackers to interact with these endpoints, potentially causing security issues. Certain operations could initiate authenticated communications with the Triofox web portal using the credentials of the user currently logged into the Triofox Server Agent Management Console.

4.8
May 27, 2026

Gladinet Triofox Server Agent Stack-Based Buffer Overflow Vulnerability in WOSDeviceDropFolder.dll

A stack-based buffer overflow vulnerability has been identified in the Gladinet Triofox Server Agent, specifically in the WOSDeviceDropFolder.dll component. This vulnerability occurs when the application processes long URL paths that start with '/resources'. The issue affects Triofox Server Agent versions prior to 17.1.10488.57063.

4.7
May 27, 2026

Gladinet Triofox Server Agent Stack-Based Buffer Overflow Vulnerability in WOSDefaultHttpModule.dll

A stack-based buffer overflow vulnerability has been identified in the Gladinet Triofox Server Agent, specifically in the WOSDefaultHttpModule.dll file, all versions prior to 17.1.10488.57063. The vulnerability arises when the module processes long URL paths that start with '/woshome'. This buffer overflow can potentially be exploited to execute arbitrary code.

4.7
May 27, 2026

Gladinet Triofox Server Agent Path Traversal Vulnerability in WOSDefaultHttpModule.dll

A path traversal vulnerability has been identified in Gladinet Triofox Server Agent versions prior to 17.1.10488.57063. The vulnerability exists in WOSDefaultHttpModule.dll when processing URL paths that start with '/woshome'. This flaw allows an attacker to traverse directories and access restricted files on the server.

4.7
May 27, 2026

Gladinet Triofox Server Agent Unchecked NULL Pointer Dereference Vulnerability Leading to Denial-of-Service

A vulnerability exists in Gladinet Triofox Server Agent versions prior to 17.1.10488.57063, where function calls to WOSCommonUtil.dll can return a NULL pointer if no user is logged into the Triofox Server Agent Management Console. This NULL pointer is not properly checked before being dereferenced, leading to a denial-of-service condition.

4.6
May 27, 2026

Gladinet Triofox Server Agent WOSHttpStatusModule NULL Function Pointer Call Denial-of-Service Vulnerability

A denial-of-service vulnerability has been identified in Gladinet Triofox Server Agent versions prior to 17.1.10488.57063. The issue arises in WOSHttpStatusModule.dll, which is supposed to handle requests with URL paths starting with /status or /sysinfo. Since this DLL is not included in the installation, a function pointer intended to call a module-loading function is set to NULL. Calling a function at a NULL address causes an access violation and crashes the process.

4.7
May 27, 2026

Northern.tech Mender Server Directory Traversal Vulnerability

A directory traversal vulnerability has been identified in Northern.tech Mender Server versions 4.1.0, 4.0.1 and earlier. The issue arises from improper input sanitization in the endpoint for creating artifacts, which can be accessed through the UI or API. This flaw allows an attacker to include path traversal sequences in requests, enabling them to access and modify files outside the intended directory. In a multi-tenant environment like hosted Mender, this could lead to injecting malicious code into artifacts, potentially compromising the containers of other users.

2.6
May 27, 2026

pam_usb EACCES Error Handling Vulnerability in Virtual Input Device Detection

A vulnerability exists in pam_usb versions prior to 0.9.1, where the software improperly handles EACCES errors when accessing /dev/input/event* nodes. This oversight causes the function pusb_has_virtual_input_device() to incorrectly report that no virtual devices are available, even when permission issues prevent successful device detection. As a result, the authentication process may continue without properly verifying the presence of virtual devices, potentially leading to misconfigurations being overlooked. This issue is particularly relevant for administrators testing their pam_usb setup with the 'pamusb-check' tool, as it creates a false sense of security by not accurately reflecting the status of virtual input device detection.

3.6
May 27, 2026

pam_usb Thread-Unsafe Static Pointer Vulnerability in Log Component Causes Data Race

A vulnerability exists in pam_usb versions prior to 0.9.1, where a process-wide static pointer in the logging component is overwritten with the address of a stack-local variable during each PAM invocation. This issue violates the PAM requirement for re-entrancy and introduces a data race when PAM is accessed concurrently from multiple threads. The vulnerability can lead to one thread's logging settings interfering with another's authentication process, potentially causing a crash or incorrect log output.

3.2
May 27, 2026

pam_usb Heap-Based Buffer Overflow Vulnerability in Memory Allocation Logic on 32-Bit Systems

A heap-based buffer overflow vulnerability has been identified in pam_usb versions prior to 0.9.1. The issue arises in src/conf.c, where heap memory is allocated based on n_devices, a count obtained from libxml2 XPath evaluation of the configuration file. This allocation is made without enforcing an upper limit, allowing for integer overflow on 32-bit targets (armv7l, i686). The overflow occurs when n_devices, multiplied by the size of a device structure, exceeds the maximum value representable by size_t, leading to a small allocation that can be exploited to overflow the heap. The vulnerability requires write access to the configuration file, typically owned by root and readable only by the owner, to be exploited during authentication.

3.2
May 27, 2026

pam_usb Remote Authentication Bypass Vulnerability via XDMCP

A vulnerability in pam_usb prior to version 0.9.1 allows remote authentication bypass through XDMCP connections. When the PAM service is set to deny_remote=false, the PAM_RHOST check is skipped, enabling authentication without proper locality verification. This issue affects display managers like GDM, SDDM, and LightDM, as well as the xscreensaver locker in VNC sessions.

3.7
May 27, 2026

pam_usb Uncontrolled Search Path Vulnerability in Helper Tools Allowing Privilege Escalation

A vulnerability in pam_usb helper tools prior to version 0.9.0 allows for privilege escalation through uncontrolled search paths. The affected tools, pamusb-check, pamusb-conf, and pamusb-keyring-unlock-gnome, resolved external binaries via the PATH environment variable instead of using absolute paths. This flaw could be exploited by an attacker who can manipulate the process environment during PAM authentication or tool execution, potentially leading to the execution of malicious binaries.

5.7
May 27, 2026

pam_usb XPath Injection Vulnerability in Configuration Queries

A vulnerability in pam_usb prior to version 0.9.0 allows for XPath injection through unvalidated user-supplied and device-supplied identifiers. This flaw arises because the application constructs XPath expressions for querying the configuration file /etc/pamusb.conf without properly sanitizing these identifiers. As a result, an attacker could manipulate the XPath query to alter authentication processes or bypass device checks.

4.4
May 27, 2026

pam_usb Missing System Pad Check Vulnerability Allows Authentication Bypass

A vulnerability in pam_usb versions through 0.8.6 allows local users to bypass USB authentication by exploiting a missing verification of the system-side pad on the USB device. The issue arises because the pusb_pad_compare() function only checks the user-side pad, leaving a gap that can be manipulated. By deleting the user-side pad file, a user can authenticate without the physical USB device. This vulnerability is classified as high severity.

2.0
May 27, 2026

pam_usb NULL Pointer Dereference Vulnerability in Out-of-Memory Handling

A vulnerability in pam_usb versions prior to 0.9.0 allows for a NULL pointer dereference, leading to a crash of the PAM module. This issue arises because the out-of-memory guards for memory allocation functions were removed in release builds, where NDEBUG is defined. As a result, these functions silently return NULL on allocation failures. The codebase's design expects these functions to always succeed, causing a NULL pointer dereference when a memory allocation fails. This vulnerability creates a local denial-of-service condition, particularly when the PAM module is used with sudo or login, as it can lock users out of these services.

3.0
May 27, 2026

RELATE Remote Code Execution Vulnerability via Insecure Pickle Deserialization in Celery Workers

A remote code execution vulnerability exists in RELATE LMS versions prior to 2026.1. The issue arises because the application configures Celery workers to accept and deserialize untrusted 'pickle' data. An authenticated student can exploit this by sending a crafted pickle payload through the message broker, leading to the execution of arbitrary commands on the host server. This vulnerability is exacerbated by a lack of network isolation in the code execution sandbox, allowing the exploitation to occur remotely.

4.0
May 27, 2026

LangSmith SDK Public Prompt Pull Trust Boundary Vulnerability

A vulnerability exists in the LangSmith SDKs for Python and JS/TS, prior to the patched versions, allowing the prompt pull methods to fetch and deserialize prompt manifests from the LangSmith Hub without proper trust validation. These manifests can include serialized LangChain objects and model configurations that influence runtime behavior. When a public prompt is pulled using the owner/name identifier, the content is controlled by an external party. However, earlier SDK versions did not differentiate this risk from pulling prompts within the user's own organization. As a result, applications could unintentionally execute harmful configurations or code from untrusted sources.

2.6
May 27, 2026

Himmelblau Authentication Bypass Vulnerability in Device Authorization Grant Flow Allowing Local Session Impersonation

An authentication bypass vulnerability has been identified in Himmelblau versions 2.0.0 prior to 3.1.5 and 2.3.11. This vulnerability exists in the Device Authorization Grant (DAG) flow, allowing a user within the same Entra ID domain to obtain a local Unix session as another user by using their own valid credentials. The issue arises in the 'token_validate' function, which improperly validates domain aliases by only comparing domains rather than the complete usernames of the authenticated users. As a result, an attacker can impersonate another user and gain access to their local files and Unix session.

2.2
May 27, 2026

MapServer NULL Pointer Dereference Vulnerability in SLD ElseFilter Rule Parsing

A NULL pointer dereference vulnerability has been identified in MapServer versions 6.4.0 prior to 8.6.3. The issue arises in the SLD (Styled Layer Descriptor) parsing process, specifically within the 'msSLDParseUserStyle' function. When a '<Rule>' element includes an '<ElseFilter/>', the function incorrectly assumes that a class has been added, leading to an attempt to access a non-existent class index. This flaw can be exploited by sending a 200-byte well-formed SLD through the WMS 'SLD_BODY=' parameter, without requiring authentication.

6.4
May 27, 2026

OneUptime Remote Code Execution Vulnerability via Node.js VM Module Escape

A remote code execution vulnerability exists in OneUptime versions prior to 10.0.98. The issue arises because OneUptime improperly uses Node.js's VM module for code isolation, a purpose for which the API was not intended. This misapplication allows for escapes from the VM's confinement, particularly through error objects and infinite recursion, enabling unauthorized code execution on the server.

3.9
May 27, 2026

Pi.Alert Unauthenticated Remote Code Execution Vulnerability via Config File Injection

A vulnerability in Pi.Alert prior to May 7, 2026, allows for unauthenticated remote code execution at the operating system level. The issue arises in the SaveConfigFile() endpoint, which writes user-supplied numeric configuration values directly into pialert.conf without proper validation. This configuration file is executed by a background cron process every 3 to 5 minutes, enabling an attacker to inject arbitrary Python code. On default installations, where PIALERT_WEB_PROTECTION is set to false, no credentials are required to exploit this vulnerability.

3.8
May 27, 2026

Pi.Alert Unauthenticated Remote Code Execution Vulnerability via Python Config Injection

A remote code execution vulnerability has been identified in Pi.Alert, a WiFi/LAN intruder detection system, prior to May 7, 2026. The issue arises in the web-based configuration editor, which allows arbitrary Python code to be injected into the 'pialert.conf' file. The background scan daemon executes this file using Python's 'exec()' function, running the injected code as the daemon process. With web protection turned off by default, this vulnerability can be exploited without authentication.

3.7
May 27, 2026

Pi.Alert SQL Injection Vulnerability in Unauthenticated Web Application Endpoint

A SQL injection vulnerability has been identified in the Pi.Alert web application, specifically in the devices.php endpoint. This issue allows unauthenticated users to inject malicious SQL into a query, potentially leading to unauthorized data access. The vulnerability is present in versions of Pi.Alert released between June 29, 2024, and May 7, 2026.

3.8
May 27, 2026

systeminformation Command Injection Vulnerability in NetworkManager Profile Handling on Linux

A command injection vulnerability has been identified in the systeminformation library for Node.js, specifically in versions 4.17.0 through 5.31.5. The issue arises in the networkInterfaces() function when an active NetworkManager connection profile name contains shell metacharacters. The vulnerability is rooted in inconsistent sanitization of input; while the library properly sanitizes network interface names before they are used in shell commands, it fails to apply the same level of scrutiny to NetworkManager connection names, which can include harmful characters. This unsanitized data is then interpolated into command strings executed with execSync(), allowing for arbitrary command execution with the privileges of the Node.js process.

5.7
May 27, 2026

Authlib OpenID Implicit and Hybrid Grants Unauthenticated Open Redirect Vulnerability

An open redirect vulnerability has been identified in Authlib, a Python library for building OAuth and OpenID Connect servers. This issue affects versions prior to 1.6.12 and 1.7.1. The vulnerability allows an unauthenticated remote attacker to manipulate the authorization server into redirecting to an attacker-chosen URL. This is achieved by sending an authorization request that excludes the 'openid' scope, which triggers a validation error that includes the unvalidated redirect URI. The server then responds with an HTTP 302 redirect to the specified URL.

5.7
May 27, 2026

Sherlock Command Injection Vulnerability in GitHub Actions Workflow

A command injection vulnerability has been identified in the GitHub Actions workflow 'validate_modified_targets.yml' of the Sherlock project, prior to version 0.16.1. This vulnerability allows any GitHub user to execute arbitrary commands on the Continuous Integration (CI) runner and exfiltrate the 'GITHUB_TOKEN' by opening a pull request. The issue arises because the workflow processes JSON key names controlled by the pull request author, injecting them directly into a shell command. Exploitation of this vulnerability does not require approval, review, or merge of the pull request.

4.1
May 27, 2026

FacturaScripts Stored Cross-Site Scripting Vulnerability in Product Search Modal

A stored cross-site scripting vulnerability has been identified in FacturaScripts accounting and invoicing software, affecting versions through 2025.92. The issue resides in the product search modal for sales and purchases documents. An authenticated user with access to the warehouse module can create a product with a malicious reference. This reference executes arbitrary JavaScript in the browser of any other user who opens the product search modal within an invoice, order, or delivery note.

5.1
May 27, 2026

RELATE Stored Cross-Site Scripting Vulnerability Allowing Admin Account Takeover

A stored cross-site scripting vulnerability has been identified in RELATE, a web-based courseware package, affecting versions through 2024.1. The issue allows any enrolled student to execute arbitrary JavaScript in an administrator's browser session, potentially leading to a full admin account takeover. The vulnerability arises in the 'get_user()' method of the 'ParticipationAdmin' class, where user-controlled input is rendered using 'mark_safe' and Python's string formatting. This combination bypasses Django's automatic HTML escaping. The unsanitized data, sourced from editable user profile fields, is executed in the admin's browser when the Participation list is viewed.

3.2
May 27, 2026

Northern.tech Mender Enterprise Server Improper Access Control Vulnerability in Device Group RBAC

An access control vulnerability has been identified in Northern.tech Mender Enterprise Server versions prior to 4.1.1. This issue arises from a flaw in the role-based access control (RBAC) system, where users could inadvertently gain higher access levels than intended. Specifically, if an administrator assigned different access levels to devices through separate device groups, the user would end up with elevated privileges across both groups, potentially leading to unauthorized management of devices.

2.5
May 27, 2026

GitLab CE/EE CI Data Access Vulnerability

A vulnerability exists in GitLab CE/EE versions 12.7 prior to 18.10.7, 18.11 prior to 18.11.4, and 19.0 prior to 19.0.1. Under certain conditions, this vulnerability could have allowed an authenticated user to access Continuous Integration (CI) data from an unintended reference type.

5.4
May 27, 2026

GitLab CE/EE Project Enumeration Vulnerability

A vulnerability exists in GitLab CE/EE versions 18.2 prior to 18.10.7, 18.11 prior to 18.11.4, and 19.0 prior to 19.0.1. Under certain conditions, this vulnerability could have allowed an unauthorized user to enumerate private projects due to improper authorization checks.

5.8
May 27, 2026

GitLab EE Flow Restriction Bypass Vulnerability for Developer Role Users

A vulnerability exists in GitLab EE versions 18.7 prior to 18.10.7, 18.11 prior to 18.11.4, and 19.0 prior to 19.0.1. When foundational flows were enabled at the group level, this vulnerability allowed an authenticated user with developer-role permissions to bypass flow restrictions under certain conditions.

5.4
May 27, 2026

GitLab Duo AI Workflow Identity Misrepresentation Vulnerability

A vulnerability exists in GitLab EE versions 18.8 prior to 18.10.7, 18.11 prior to 18.11.4, and 19.0 prior to 19.0.1. Under certain conditions, this vulnerability could allow an authenticated user to execute specific Duo AI workflows under the identity of another user. This issue arises from improper resolution of user identities when initiating Duo AI workflow runners.

5.4
May 27, 2026

Gryph Logging Vulnerability Leading to Unintended Sensitive Data Exposure

A vulnerability in Gryph, a tool that adds a security layer for AI coding agents, allows for the logging of sensitive file content to a local SQLite database. This issue affects Gryph versions through 0.6.0. The vulnerability arises because the default logging level is set to 'standard', contrary to the README's claim of 'minimal'. At this default level, sensitive file-write information is recorded in the payload as 'ContentPreview', 'OldString', or 'NewString', particularly when the logging is set to 'full'. This logging behavior violates Gryph's sensitive file filter and log level agreements.

2.0
May 27, 2026

Kysely JSON-Path Traversal Vulnerability Allowing Unauthorized Data Access

A vulnerability in Kysely, a TypeScript SQL query builder, allows for unauthorized traversal of JSON-path keys in versions 0.26.0 prior to 0.28.16. The issue arises because the DefaultQueryCompiler.visitJSONPathLeg method fails to properly escape JSON-path metacharacters. This flaw enables an attacker to manipulate JSON-path queries and access sensitive data stored in JSON sub-fields that should remain private. The vulnerability is present in MySQL, PostgreSQL, and SQLite dialects.

4.7
May 27, 2026

FacturaScripts Unauthenticated Unrestricted File Upload Vulnerability in Product Image Upload

A vulnerability allowing authenticated users to upload files with executable extensions has been identified in FacturaScripts accounting and invoicing software, versions through 2025.81. The issue arises in the product image upload feature, where MIME type validation can be bypassed. Attackers can upload PHP files disguised as GIF images by exploiting the validation process, which only checks for the presence of 'image/' in the MIME type. The uploaded files are stored with their original extensions in a web-accessible directory, potentially leading to remote code execution.

5.2
May 27, 2026

FacturaScripts Unauthenticated Information Disclosure Vulnerability in Installer Controller

An unauthenticated information disclosure vulnerability has been identified in FacturaScripts accounting and invoicing software, prior to version 2026. The issue resides in the Installer controller, where remote attackers can trigger the phpinfo() function on a fresh FacturaScripts deployment by sending a request with the phpinfo parameter set to TRUE. This exposure reveals the complete PHP configuration, server environment variables (including database credentials, API keys, and application secrets), filesystem paths, and loaded extensions, all without requiring authentication.

6.3
May 27, 2026

GitLab EE Improper Authorization Vulnerability Allowing Access to Sensitive Deployment Data

A vulnerability exists in GitLab EE versions 11.5 prior to 18.10.7, 18.11 prior to 18.11.4, and 19.0 prior to 19.0.1. Under certain conditions, this vulnerability could have allowed an authenticated user with developer-role permissions to access sensitive deployment data on projects. The issue arises from improper authorization checks.

5.5
May 27, 2026

GitLab CE/EE Denial-of-Service Vulnerability

A denial-of-service vulnerability has been addressed in GitLab CE/EE versions 17.1 prior to 18.10.7, 18.11 prior to 18.11.4, and 19.0 prior to 19.0.1. Under certain conditions, this vulnerability could have allowed an authenticated user to cause a denial-of-service due to insufficient validation.

6.8