🚨 CVE-2026-54056
Kitty is a cross-platform GPU based terminal. In versions 0.47.0 and 0.47.1, `kitten dnd` can allow a malicious remote drag-and-drop source to overwrite or truncate arbitrary files writable by the local kitty user. Remote `text/uri-list` drops are staged in a temporary directory, but on case-sensitive filesystems duplicate remote basenames are not de-duplicated. An attacker can first create a staged symlink and then send a same-name regular-file entry. The regular-file write uses `utils.CreateAt()` / `openat(O_RDWR|O_CREAT|O_TRUNC)` without `O_NOFOLLOW`, so it follows the attacker-created symlink and writes outside the staging directory before final overwrite confirmation runs. This appears related in class to the file-transfer symlink advisory, but it is a different bug: it affects `kitten dnd` remote drag-and-drop staging, uses different vulnerable code (`kittens/dnd/drop.go` and `tools/utils/file_at_fd.go`), and reproduces on commit `4aa4a5c0567a92553a8c20a88a4352da637fca5d`, after the file-transfer `O_NOFOLLOW` fix. Version 0.47.2 patches the issue.
🎖@cveNotify
GitHub
Arbitrary file overwrite via symlink following in `kitten dnd` remote drop staging
### Summary
`kitten dnd` can allow a malicious remote drag-and-drop source to overwrite or truncate arbitrary files writable by the local kitty user. Remote `text/uri-list` drops are staged in a...
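As an added defender-side illustration (this is not code from the kitty project; `createAt`, `demo` and the file names are constructed), the staging write below opens the entry with `O_NOFOLLOW` and `O_EXCL` relative to the staging directory fd, so a previously staged symlink with the same basename is refused instead of followed:

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
	"syscall"
)

// createAt creates a regular file `name` directly inside the directory open
// as dirfd. O_NOFOLLOW makes openat fail with ELOOP if `name` is already a
// symlink, and O_EXCL refuses any pre-existing entry with EEXIST, so a link
// staged by an earlier same-name entry can never redirect the write outside
// the staging directory. The missing O_NOFOLLOW is the advisory's root cause.
func createAt(dirfd int, name string, data []byte) error {
	if name != filepath.Base(name) || name == "." || name == ".." {
		return errors.New("refusing non-basename " + name)
	}
	flags := syscall.O_RDWR | syscall.O_CREAT | syscall.O_EXCL |
		syscall.O_NOFOLLOW | syscall.O_CLOEXEC
	fd, err := syscall.Openat(dirfd, name, flags, 0o600)
	if err != nil {
		return err
	}
	f := os.NewFile(uintptr(fd), name)
	defer f.Close()
	_, err = f.Write(data)
	return err
}

// demo replays the advisory's sequence against the hardened createAt: a
// symlink pointing outside the staging directory is staged first, then a
// same-name regular-file entry is written. It reports whether that write was
// refused and whether the symlink target kept its original contents.
func demo() (rejected, intact bool, err error) {
	root, err := os.MkdirTemp("", "dnd-demo")
	if err != nil {
		return false, false, err
	}
	defer os.RemoveAll(root)
	victim := filepath.Join(root, "victim.txt") // constructed file outside staging
	staging := filepath.Join(root, "staging")
	steps := []func() error{
		func() error { return os.WriteFile(victim, []byte("original"), 0o600) },
		func() error { return os.Mkdir(staging, 0o700) },
		// First remote entry: a symlink with the basename the attacker will reuse.
		func() error { return os.Symlink(victim, filepath.Join(staging, "notes.txt")) },
	}
	for _, step := range steps {
		if err = step(); err != nil {
			return false, false, err
		}
	}
	dirfd, err := syscall.Open(staging, syscall.O_RDONLY|syscall.O_DIRECTORY|syscall.O_CLOEXEC, 0)
	if err != nil {
		return false, false, err
	}
	defer syscall.Close(dirfd)
	// Second remote entry: a regular file with the same basename.
	werr := createAt(dirfd, "notes.txt", []byte("overwritten"))
	rejected = errors.Is(werr, syscall.ELOOP) || errors.Is(werr, syscall.EEXIST)
	got, err := os.ReadFile(victim)
	return rejected, string(got) == "original", err
}
```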
🚨 CVE-2026-54421
In OpenStack Ironic through 35.0.1, when applying a PATCH to update fields in volume properties the user is authorized for, Ironic can return unredacted sensitive information (such as iSCSI credentials). The PATCH outcome is a security issue; the POST outcome is not a security issue.
🎖@cveNotify
Launchpad
Bug #2155049 “[OSSA-2026-TBD] Sensitive properties returned unre...” : Bugs : Ironic
A fix for a potential security issue, detected by an AI tool, has been proposed without prior coordination with the team. This is my retrospective analysis of this issue.
NOTE: this issue has been previously discussed as part of (also private) https://b…
🚨 CVE-2026-47777
Mastodon is a free, open-source social network server based on ActivityPub. In affected versions, a missing condition in the check of whether remote accounts consented to be featured in a remote Collection could allow attackers to bypass the check and fake consent. An attacker could forge the FeatureAuthorization object that is used to verify consent to be featured in a Collection and thus make it appear as if an account is allowed to be in a Collection when it actually is not. While the FeatureAuthorization must reside on the same domain as the object it is for, a check is missing to make sure said object is actually the same as in the Collection item. This allows an attacker to forge the authorization. Mastodon servers are affected only if running the main branch or nightly builds that have opted into testing the experimental "Collections" feature by setting the environment variable EXPERIMENTAL_FEATURES to a value including collections. This has been patched in version 4.6.0-beta.1.
🎖@cveNotify
GitHub
Improve collection item verification (#39096) · mastodon/mastodon@22203f8
🚨 CVE-2026-49294
Valhalla is an open source routing engine and accompanying libraries for use with OpenStreetMap data. Versions 3.6.3 and prior are vulnerable to reflected cross-site scripting (XSS) due to improper neutralization of input in the JSONP callback parameter. When a request specifies a JSONP callback, the value is reflected directly into the HTTP response body with Content-Type: application/javascript, without any validation, output encoding, or allowlist filtering. An attacker can craft a URL containing arbitrary JavaScript in the callback parameter; if a victim is induced to load that URL via a <script src="..."> tag, the injected script executes in the context of the serving origin, potentially leading to session token theft, credential disclosure, or actions performed on behalf of the victim. This issue was not fixed at time of publication.
🎖@cveNotify
GitHub
Reflected XSS via unsanitized JSONP callback parameter
### Summary
The jsonp request parameter in src/worker.cc:718 is stored unsanitized via options.set_jsonp() and subsequently written directly into the HTTP response body at lines 1622 (success path...
🚨 CVE-2025-56814
A code injection vulnerability in the wxExecute() function of OpenCPN v5.12.0 allows attackers to execute arbitrary code by embedding shell metacharacters.
🎖@cveNotify
jihoo-portfolio.vercel.app
OpenCPN RCE - Command Injection
OpenCPN Launcher Plugin - Command Injection via User-defined Command Execution
🚨 CVE-2025-68713
An issue was discovered in Rakuten Send Anywhere (File Transfer) for Android (com.estmob.android.sendanywhere) 23.2.9. The vulnerability allows untrusted applications (with no permissions) to force arbitrary file downloads into the app's scoped storage. The resulting files appear in the application's trusted Received interface. These conditions establish a vector for arbitrary code execution if the payload is an APK file, or a denial-of-service condition through resource exhaustion from oversized transfers.
🎖@cveNotify
GitHub
com.estmob.android.sendanywhere/CVE-2025-68713 at main · actuator/com.estmob.android.sendanywhere
🚨 CVE-2025-70102
A NULL pointer dereference occurs in Roy Marples NetworkConfiguration/dhcpcd 10.3.0 while parsing configuration options. In parse_option() (src/if-options.c:1886), the code performs a member access on a NULL pointer of type 'struct dhcp_opt' when an unexpected/invalid option token or parsing state causes the lookup to yield NULL. The instrumented fuzzing build reports 'runtime error: member access within null pointer of type struct dhcp_opt' and aborts.
🎖@cveNotify
Infosec Exchange
sigdevel (@sigdevel@infosec.exchange)
Security Advisory: CVE-2025-70102 - NULL Pointer Dereference in dhcpcd parse_option
Summary
A crafted dhcpcd configuration input can trigger undefined behavior in the configuration parser by causing `parse_option()` to access a member through a NULL `struct…
🚨 CVE-2026-36213
An issue in Microvirt MEmu Android Emulator 9.2.7.0 allows a local attacker to escalate privileges via the MemuService.exe component.
🎖@cveNotify
GitHub
GitHub - sec-zone/CVE-2026-36213: CVE-2026-36213 | Local Privilege Escalation in MEmu Android Emulator 9.2.7.0 via Insecure Service Binary Permissions | Patched in 9.3.2
🚨 CVE-2026-36521
PublicCMS V5.202506.d has a Cross Site Scripting (XSS) vulnerability in the site configuration management module.
🎖@cveNotify
Gist
Reference for CVE-2026-36521
🚨 CVE-2026-36537
ThingsBoard v4.3.0.1 is vulnerable to an authentication bypass during the OAuth authorization code exchange. The application improperly trusts user-supplied identity data within the user parameter of the /login/oauth2/code/ endpoint. By manipulating the email address in this JSON object, a remote attacker can bypass authentication and gain full access to any existing user account on the platform without possessing the target user's credentials. This results in a complete account takeover.
🎖@cveNotify
Gist
Account Takeover via Sign in with Apple in ThingsBoard (CVE-2026-36537-PoC.md)
🚨 CVE-2026-36670
A Time-Based Blind SQL Injection vulnerability in the alias_management module of OpenSIPS Control Panel (opensips-cp) prior to version 9.3.3 allows authenticated attackers to execute arbitrary SQL commands via the 'table' GET parameter in alias_management.php.
🎖@cveNotify
GitHub
CVE-2026-36670/ADVISORY.md at main · Gabriel-Lacorte/CVE-2026-36670
Time-Based Blind SQL Injection Exploit for the OpenSIPs Control Panel (or my first CVE!) - Gabriel-Lacorte/CVE-2026-36670
🚨 CVE-2026-36933
An issue in Boyleep K11, y108 firmware v.2.3.0.11291 allows a physically proximate attacker to execute arbitrary code via the factory test feature.
🎖@cveNotify
0x09
Analysis of the 'Ease Life' surveillance camera - Back to the factory
Because of a factory test feature left enabled in the firmware of an Ease Life camera, command execution can be achieved by inserting a microSD card containing a series of forged files…
🚨 CVE-2026-37216
Ruoyi 4.8.2 is vulnerable to Cross Site Scripting (XSS) at the interface /system/notice/add.
🎖@cveNotify
GitHub
Stored XSS vulnerability in the notice module · Issue #320 · yangzongzhuan/RuoYi
Vulnerability background: the notice module (/system/notice/*) is excluded from the XSS filter in application.yml (line 144): xss: enabled: true excludes: /system/notice/* The XSS filter is excluded to support HTML content submitted from the Summernote rich-text editor, but the server side does not sanitize the submitted HTML (e.g. with JSoup Cleaner), and the front end uses th...
🚨 CVE-2026-38812
RuoYi v4.8.2 is vulnerable to SQL Injection via the /tool/gen/createTable endpoint. The issue affects the code generation module and may allow an authenticated attacker with administrative privileges to access sensitive database information.
🎖@cveNotify
GitHub
GitHub - jjcjgo/CVE-2026-38812-RuoYi-SQL-Injection: CVE-2026-38812 RuoYi v4.8.2 SQL Injection
🚨 CVE-2026-39006
An issue in SNMP4J-Agent 3.8.3 allows a remote attacker to execute arbitrary code via the snmp4jCfgStoragePath component.
🎖@cveNotify
GitHub
security-advisories/CVE-2026-39006.md at main · EaEa0001/security-advisories
🚨 CVE-2026-39007
An issue in Observeinc's Observe v.2026-01-28 and before allows a remote attacker to obtain sensitive information via the CSV Log export component.
🎖@cveNotify
GitHub
Vulnerability_Publications/CVE-2026-39007 at main · Kettn/Vulnerability_Publications
This repository contains information on the CVE's I've found. - Kettn/Vulnerability_Publications
🚨 CVE-2026-39118
An issue in Iru, Inc Kandji Agent before v.4.7.5(5374) allows a local attacker to escalate privileges via a client validation gap to invoke restricted agent functionality.
🎖@cveNotify
Iru
Kandji Agent Release 4.7.5 (5374)
This release includes miscellaneous bug fixes and performance improvements.
🚨 CVE-2026-39197
An issue in the /util/http/prelude.rs endpoint of Datadog, Inc Vector v0.54.0 allows attackers to cause a Denial of Service (DoS) via a crafted request or payload.
🎖@cveNotify
Gist
Reference for CVE-2026-39197
🚨 CVE-2026-48114
Metacat is data repository software that helps researchers preserve, share, and discover data. Versions 2.0.0 and above contain an unauthenticated SQL injection in the /harvesterRegistration endpoint. HarvesterRegistration.dbInsert() builds an INSERT against HARVEST_SITE_SCHEDULE via string concatenation, using a quoteString() helper that performs raw single-quote wrapping without escaping. Three request parameters reach the sink: unit, contactEmail, and documentListURL. The servlet does not verify a real LDAP identity, allowing the vulnerable insert to proceed. Since the PostgreSQL backend permits stacked queries via Statement.executeUpdate(), this vulnerability allows full read/write/execute access in the Metacat database context. The vulnerability was remediated in Metacat 3.0.0.
🎖@cveNotify
GitHub
Removed the harvester client for LTER. · NCEAS/metacat@820d595
🚨 CVE-2026-50870
An information disclosure vulnerability in the configuration endpoint of Ben Busby whoogle-search v1.2.3 allows attackers to obtain sensitive information via a crafted GET request.
🎖@cveNotify
Gist
Reference for CVE-2026-50870
🚨 CVE-2026-50871
An OS command injection vulnerability in the media archiving and export pipeline component of kanishka-linux Reminiscence v0.3.0 allows attackers to execute arbitrary commands via supplying a crafted input.
🎖@cveNotify
Gist
Reference for CVE-2026-50871