๐จ CVE-2026-25779
Gitea versions up to and including 1.25.4 allow redirect bypasses through raw or percent-encoded backslashes in redirect_to values.
๐@cveNotify
Gitea versions up to and including 1.25.4 allow redirect bypasses through raw or percent-encoded backslashes in redirect_to values.
๐@cveNotify
Gitea
Gitea 1.25.5 is released | Gitea Blog
We're excited to announce the release of Gitea 1.25.5! We strongly recommend all users upgrade to this version, as it includes important security fixes, numerous bug fixes, and overall stability improvements.
๐จ CVE-2026-25782
Gitea versions before 1.25.5 look up tracked-time entries by time ID without scoping the lookup to the issue in the request URL, allowing deletion attempts to target entries from another issue.
๐@cveNotify
Gitea versions before 1.25.5 look up tracked-time entries by time ID without scoping the lookup to the issue in the request URL, allowing deletion attempts to target entries from another issue.
๐@cveNotify
Gitea
Gitea 1.25.5 is released | Gitea Blog
We're excited to announce the release of Gitea 1.25.5! We strongly recommend all users upgrade to this version, as it includes important security fixes, numerous bug fixes, and overall stability improvements.
๐จ CVE-2026-26231
Gitea versions up to and including 1.26.1 allow the Allow edits from maintainers permission path to authorize commits to repositories that the user can read but should not be able to write.
๐@cveNotify
Gitea versions up to and including 1.26.1 allow the Allow edits from maintainers permission path to authorize commits to repositories that the user can read but should not be able to write.
๐@cveNotify
Gitea
Gitea 1.26.2 is released | Gitea Blog
We are excited to announce the release of Gitea 1.26.2! We strongly recommend all users upgrade to this version, as it contains a number of security fixes alongside important bug fixes and stability improvements.
๐จ CVE-2026-26232
Gitea versions before 1.25.5 do not consistently enforce OAuth2 authorization code expiry and single-use behavior during token exchange.
๐@cveNotify
Gitea versions before 1.25.5 do not consistently enforce OAuth2 authorization code expiry and single-use behavior during token exchange.
๐@cveNotify
Gitea
Gitea 1.25.5 is released | Gitea Blog
We're excited to announce the release of Gitea 1.25.5! We strongly recommend all users upgrade to this version, as it includes important security fixes, numerous bug fixes, and overall stability improvements.
๐จ CVE-2026-26247
Gitea versions before 1.25.5 do not persist the OAuth2 PKCE S256 challenge method correctly during authorization, allowing token exchange without the expected verifier check.
๐@cveNotify
Gitea versions before 1.25.5 do not persist the OAuth2 PKCE S256 challenge method correctly during authorization, allowing token exchange without the expected verifier check.
๐@cveNotify
Gitea
Gitea 1.25.5 is released | Gitea Blog
We're excited to announce the release of Gitea 1.25.5! We strongly recommend all users upgrade to this version, as it includes important security fixes, numerous bug fixes, and overall stability improvements.
๐จ CVE-2026-26292
Gitea versions before 1.25.5 do not use the migration HTTP transport for LFS push and sync mirror operations, bypassing the configured migration transport protections for those LFS requests.
๐@cveNotify
Gitea versions before 1.25.5 do not use the migration HTTP transport for LFS push and sync mirror operations, bypassing the configured migration transport protections for those LFS requests.
๐@cveNotify
Gitea
Gitea 1.25.5 is released | Gitea Blog
We're excited to announce the release of Gitea 1.25.5! We strongly recommend all users upgrade to this version, as it includes important security fixes, numerous bug fixes, and overall stability improvements.
๐จ CVE-2026-27657
Gitea versions before 1.25.5 allow a user to change another user's primary email address.
๐@cveNotify
Gitea versions before 1.25.5 allow a user to change another user's primary email address.
๐@cveNotify
Gitea
Gitea 1.25.5 is released | Gitea Blog
We're excited to announce the release of Gitea 1.25.5! We strongly recommend all users upgrade to this version, as it includes important security fixes, numerous bug fixes, and overall stability improvements.
๐จ CVE-2026-27660
Gitea versions before 1.25.5 allow draft release data or attachments to be accessed without the required write permission.
๐@cveNotify
Gitea versions before 1.25.5 allow draft release data or attachments to be accessed without the required write permission.
๐@cveNotify
Gitea
Gitea 1.25.5 is released | Gitea Blog
We're excited to announce the release of Gitea 1.25.5! We strongly recommend all users upgrade to this version, as it includes important security fixes, numerous bug fixes, and overall stability improvements.
๐จ CVE-2026-27761
Gitea versions up to and including 1.26.2 allow repository RSS and Atom feed endpoints to bypass API access token scope checks, exposing private repository commit data to tokens without the required repository scope.
๐@cveNotify
Gitea versions up to and including 1.26.2 allow repository RSS and Atom feed endpoints to bypass API access token scope checks, exposing private repository commit data to tokens without the required repository scope.
๐@cveNotify
Gitea
Gitea 1.26.3 and 1.26.4 are released | Gitea Blog
We are excited to announce the release of Gitea 1.26.3 and Gitea 1.26.4. Version 1.26.3 delivers a large set of security fixes alongside important bug fixes and stability improvements. Version 1.26.4 follows immediately with a fix for a repository code-pageโฆ
๐จ CVE-2026-27771
Gitea versions up to and including 1.26.1 have insufficient permission checks for Composer package source links, which can expose private or internal package source information.
๐@cveNotify
Gitea versions up to and including 1.26.1 have insufficient permission checks for Composer package source links, which can expose private or internal package source information.
๐@cveNotify
Gitea
Gitea 1.26.2 is released | Gitea Blog
We are excited to announce the release of Gitea 1.26.2! We strongly recommend all users upgrade to this version, as it contains a number of security fixes alongside important bug fixes and stability improvements.
๐จ CVE-2026-28705
Gitea versions before 1.25.5 use release tag names and asset names as filesystem path components when dumping release assets, allowing specially crafted names to affect dump output paths.
๐@cveNotify
Gitea versions before 1.25.5 use release tag names and asset names as filesystem path components when dumping release assets, allowing specially crafted names to affect dump output paths.
๐@cveNotify
Gitea
Gitea 1.25.5 is released | Gitea Blog
We're excited to announce the release of Gitea 1.25.5! We strongly recommend all users upgrade to this version, as it includes important security fixes, numerous bug fixes, and overall stability improvements.
๐จ CVE-2026-28737
Gitea versions from 1.25.0 before 1.26.0 allow stored cross-site scripting through the extensionsRequired field in glTF files rendered by the 3D file viewer.
๐@cveNotify
Gitea versions from 1.25.0 before 1.26.0 allow stored cross-site scripting through the extensionsRequired field in glTF files rendered by the 3D file viewer.
๐@cveNotify
Gitea
Gitea 1.26.0 is released | Gitea Blog
We are thrilled to announce the latest release of Gitea v1.26.0.
๐จ CVE-2026-28740
Gitea versions up to and including 1.26.2 allow Git LFS object reuse to authorize private source objects for users who have repository access but lack Code-unit access.
๐@cveNotify
Gitea versions up to and including 1.26.2 allow Git LFS object reuse to authorize private source objects for users who have repository access but lack Code-unit access.
๐@cveNotify
Gitea
Gitea 1.26.3 and 1.26.4 are released | Gitea Blog
We are excited to announce the release of Gitea 1.26.3 and Gitea 1.26.4. Version 1.26.3 delivers a large set of security fixes alongside important bug fixes and stability improvements. Version 1.26.4 follows immediately with a fix for a repository code-pageโฆ
๐จ CVE-2025-71364
picklescan before 0.0.30 fails to detect the asyncio.unix_events._UnixSubprocessTransport._start function in pickle reduce methods, allowing remote code execution. Attackers can craft malicious pickle files embedding this built-in function that evade detection but execute arbitrary commands when loaded.
๐@cveNotify
picklescan before 0.0.30 fails to detect the asyncio.unix_events._UnixSubprocessTransport._start function in pickle reduce methods, allowing remote code execution. Attackers can craft malicious pickle files embedding this built-in function that evade detection but execute arbitrary commands when loaded.
๐@cveNotify
GitHub
Missing detection when calling built-in python library asyncio.unix_events._UnixSubprocessTransport._start
### Summary
Using asyncio.unix_events._UnixSubprocessTransport._start function, which is a built-in python library function to execute remote pickle file.
### Details
The attack payload ex...
Using asyncio.unix_events._UnixSubprocessTransport._start function, which is a built-in python library function to execute remote pickle file.
### Details
The attack payload ex...
๐จ CVE-2025-71375
picklescan before 0.0.34 fails to detect the _operator.methodcaller built-in function when scanning pickle files for malicious code. Attackers can craft malicious pickle payloads using _operator.methodcaller that evade detection and execute arbitrary code when loaded by pickle.load().
๐@cveNotify
picklescan before 0.0.34 fails to detect the _operator.methodcaller built-in function when scanning pickle files for malicious code. Attackers can craft malicious pickle payloads using _operator.methodcaller that evade detection and execute arbitrary code when loaded by pickle.load().
๐@cveNotify
GitHub
Missing detection when calling built-in python _operator.methodcaller
### Summary
Using _operator.methodcaller, which is a built-in python library function to execute remote pickle file.
### Details
The attack payload executes in the following steps:
First, t...
Using _operator.methodcaller, which is a built-in python library function to execute remote pickle file.
### Details
The attack payload executes in the following steps:
First, t...
๐จ CVE-2025-53827
ownCloud Core is the server-side component of the file storage, synchronization, and sharing application ownCloud Classic. In versions prior to 10.15.3, the Updater on ownCloud 10 before 10.15.3 has an exposed dangerous method or function. Attackers with administrative privileges may leverage functionality to execute arbitrary code. This issue has been fixed in version 10.15.3.
๐@cveNotify
ownCloud Core is the server-side component of the file storage, synchronization, and sharing application ownCloud Classic. In versions prior to 10.15.3, the Updater on ownCloud 10 before 10.15.3 has an exposed dangerous method or function. Attackers with administrative privileges may leverage functionality to execute arbitrary code. This issue has been fixed in version 10.15.3.
๐@cveNotify
GitHub
[OC10] Updater on ownCloud 10 before 10.15.3 has an exposed dangerous method or function
Updater on ownCloud 10 before 10.15.3 has an exposed dangerous method or function
======================================================================
- Risk: high
- CVSS v3 Base Score: 9.1
-...
======================================================================
- Risk: high
- CVSS v3 Base Score: 9.1
-...
๐จ CVE-2026-59194
pnpm is a package manager. Prior to 10.34.4 and 11.7.0, a crafted patch entry could resolve outside the configured patches directory and cause pnpm patch-remove to delete an arbitrary reachable file. This vulnerability is fixed in 10.34.4 and 11.7.0.
๐@cveNotify
pnpm is a package manager. Prior to 10.34.4 and 11.7.0, a crafted patch entry could resolve outside the configured patches directory and cause pnpm patch-remove to delete an arbitrary reachable file. This vulnerability is fixed in 10.34.4 and 11.7.0.
๐@cveNotify
GitHub
CAND-PNPM-030: pnpm patch-remove could delete project-selected files outside the patches directory
## Summary
Contain `patch-remove` deletions to the project for GHSA-72r4-9c5j-mj57 / CAND-PNPM-030.
A crafted patch entry could resolve outside the configured patches directory and cause `pnp...
Contain `patch-remove` deletions to the project for GHSA-72r4-9c5j-mj57 / CAND-PNPM-030.
A crafted patch entry could resolve outside the configured patches directory and cause `pnp...
๐จ CVE-2026-54059
Pillow is a Python imaging library. Prior to 12.3.0, PIL/PcfFontFile.py _load_bitmaps() read glyph dimensions from the PCF METRICS section and passed them directly to Image.frombytes() without calling Image._decompression_bomb_check(), allowing crafted PCF font data to cause excessive memory allocation. This issue is fixed in version 12.3.0.
๐@cveNotify
Pillow is a Python imaging library. Prior to 12.3.0, PIL/PcfFontFile.py _load_bitmaps() read glyph dimensions from the PCF METRICS section and passed them directly to Image.frombytes() without calling Image._decompression_bomb_check(), allowing crafted PCF font data to cause excessive memory allocation. This issue is fixed in version 12.3.0.
๐@cveNotify
GitHub
Pillow/docs/releasenotes/12.3.0.rst at main ยท python-pillow/Pillow
Python Imaging Library (fork). Contribute to python-pillow/Pillow development by creating an account on GitHub.
๐จ CVE-2026-41514
OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. Starting in version 4.5.0 and prior to version 4.11.0, the RSA-OAEP decryption implementation in the Hisilicon HPRE crypto driver uses non-constant-time `memcmp()` for label hash verification and has multiple distinguishable error paths. This creates a Manger-style padding oracle that allows an attacker to recover RSA-OAEP plaintext with approximately 1000-2000 adaptive chosen ciphertext queries. Only affects plat-d06 with `CFG_HISILICON_ACC_V3=y`, which seems to be disabled by default. Version 4.11.0 contains a patch. As a workaround, disable Hisilicon HPRE RSA driver with `CFG_HISILICON_ACC_V3=n`.
๐@cveNotify
OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. Starting in version 4.5.0 and prior to version 4.11.0, the RSA-OAEP decryption implementation in the Hisilicon HPRE crypto driver uses non-constant-time `memcmp()` for label hash verification and has multiple distinguishable error paths. This creates a Manger-style padding oracle that allows an attacker to recover RSA-OAEP plaintext with approximately 1000-2000 adaptive chosen ciphertext queries. Only affects plat-d06 with `CFG_HISILICON_ACC_V3=y`, which seems to be disabled by default. Version 4.11.0 contains a patch. As a workaround, disable Hisilicon HPRE RSA driver with `CFG_HISILICON_ACC_V3=n`.
๐@cveNotify
GitHub
RSA-OAEP padding oracle in Hisilicon HPRE driver enables plaintext recovery
# RSA-OAEP padding oracle in Hisilicon HPRE driver enables plaintext recovery
### Summary
The RSA-OAEP decryption implementation in the Hisilicon HPRE crypto driver uses non-constant-time `memc...
### Summary
The RSA-OAEP decryption implementation in the Hisilicon HPRE crypto driver uses non-constant-time `memc...
๐จ CVE-2026-50134
Hugo is a static site generator. From 0.91.0 until 0.162.0, resources.GetRemote enforces security.http.urls on the URL it is called with, but it did not re-validate intermediate URLs on HTTP 3xx redirects. An allowed server (or an attacker controlling its DNS or response) could therefore redirect the request to a host that the policy was meant to forbid and Hugo would fetch from the redirected target. The same bypass also lifted any host-shape restriction the operator had put in place. This vulnerability is fixed in 0.162.0.
๐@cveNotify
Hugo is a static site generator. From 0.91.0 until 0.162.0, resources.GetRemote enforces security.http.urls on the URL it is called with, but it did not re-validate intermediate URLs on HTTP 3xx redirects. An allowed server (or an attacker controlling its DNS or response) could therefore redirect the request to a host that the policy was meant to forbid and Hugo would fetch from the redirected target. The same bypass also lifted any host-shape restriction the operator had put in place. This vulnerability is fixed in 0.162.0.
๐@cveNotify
GitHub
security: Validate redirects against security.http.urls ยท gohugoio/hugo@86fbb0f
A server allowed by security.http.urls could redirect resources.GetRemote
to a host that is not. Re-run the check on each hop via CheckRedirect.
Fixes #14871
to a host that is not. Re-run the check on each hop via CheckRedirect.
Fixes #14871