•about 8 hours ago•GHSA-H5X8-XP6M-X6Q4
7.1GHSA-H5X8-XP6M-X6Q4: Unvalidated Signature Generation in @jhb.software/payload-cloudinary-plugin
The @jhb.software/payload-cloudinary-plugin exposes an endpoint that performs unvalidated cryptographic signing of Cloudinary API parameters, allowing authenticated users with minimal privileges to forge valid signatures for arbitrary actions. This flaw allows attackers to overwrite remote storage assets, execute unauthorized file uploads, alter asset visibility parameters, trigger SSRF webhooks, and perform directory traversal within Cloudinary repositories.
3 views•6 min read
•about 8 hours ago•GHSA-G2GW-Q38M-VJFC
8.7GHSA-G2GW-Q38M-VJFC: Server-Side Request Forgery and Bearer Token Exfiltration in @merill/lokka
A Server-Side Request Forgery (SSRF) and Bearer Token Exfiltration vulnerability exists in the @merill/lokka (Lokka) Model Context Protocol (MCP) server prior to version 2.1.2. The server constructed Azure Resource Manager request URLs by concatenating user-controlled path parameters directly into destination request strings. By injecting authority-redefinition characters, an attacker can manipulate URL parsing to execute a host-escape attack, forcing the server to send high-privilege Azure Resource Manager (ARM) Bearer tokens to an external attacker-controlled host. This allows complete administrative access to the associated Azure subscriptions.
6 views•7 min read
•about 10 hours ago•GHSA-4XGF-CPJX-PC3J
5.3GHSA-4xgf-cpjx-pc3j: Directory Traversal and Symlink Following in Pydantic Settings
A directory traversal and symlink following vulnerability exists in Pydantic Settings when using the NestedSecretsSettingsSource with nested subdirectory lookups enabled. An attacker capable of writing to the secrets directory can bypass size limitations, read arbitrary host files, or cause a denial-of-service condition via cyclic symlinks.
2 views•7 min read
•about 11 hours ago•GHSA-H5RG-8P7F-47G2
4.1GHSA-h5rg-8p7f-47g2: Server-Side Request Forgery (SSRF) in SurrealDB Identity & Access Management (IAM) JWKS Fetcher
A Server-Side Request Forgery (SSRF) vulnerability exists in SurrealDB's Identity & Access Management (IAM) module prior to version 3.1.5. When configuring JSON Web Key Set (JWKS) URLs for token verification, the remote fetcher follows HTTP redirects by default without validating redirect targets against configured network capabilities. This allows high-privileged users to bypass network access limits and perform blind port scanning of internal network resources.
4 views•6 min read
•about 12 hours ago•GHSA-CC8F-FCX3-GPJR
7.7GHSA-cc8f-fcx3-gpjr: Arbitrary File Disclosure via DEFINE ANALYZER mapper filter in SurrealDB
A local file disclosure vulnerability exists in SurrealDB's full-text search capabilities, allowing authenticated users with database EDITOR or OWNER roles to read arbitrary files from the host system filesystem. This occurs by abusing the mapper() filter inside a DEFINE ANALYZER statement to point to system files.
6 views•6 min read
•about 13 hours ago•GHSA-H4H3-3RFJ-X6FQ
4.3GHSA-H4H3-3RFJ-X6FQ: Value-Ordering Oracle Side-Channel via Indexed ORDER BY in SurrealDB
SurrealDB versions 3.0.0 through 3.1.4 contain an information exposure vulnerability (CWE-203) where the query planner optimizes sorted queries using indexes on fields with field-level SELECT restrictions. Because the query planner performs index-based sorting before enforcing permission-based redaction, unauthorized users can observe the physical order of returned rows to deduce the relative values of protected fields.
4 views•8 min read
•about 13 hours ago•GHSA-HV6H-HC26-Q48P
4.3GHSA-HV6H-HC26-Q48P: Field-level SELECT permissions bypassed via graph and reference traversals in SurrealDB
A security vulnerability exists in SurrealDB's streaming query planner where streaming graph edge traversals or reverse-reference traversals bypass field-level SELECT permissions. This vulnerability allows an authenticated database user with valid, low-privileged credentials holding table-level SELECT permissions to bypass field-level access controls and read highly confidential or restricted fields.
5 views•6 min read
•about 15 hours ago•GHSA-JV2J-MQMW-XVV5
6.5GHSA-jv2j-mqmw-xvv5: Stack Overflow Denial of Service in SurrealDB Query Engine
An authenticated denial-of-service vulnerability in SurrealDB allows remote attackers with query privileges to crash the server process. The issue arises from uncontrolled recursion during the compilation, serialization, or deallocation of exceptionally deep Abstract Syntax Trees (ASTs). While the iterative Pratt parser successfully handles long flat sequences of binary operators without triggering recursion limits, the resulting AST structure causes stack overflow in downstream recursive tree-walking components.
5 views•6 min read
•about 18 hours ago•GHSA-869J-R97X-HX2G
8.7GHSA-869J-R97X-HX2G: Local Path Traversal and Cross-Origin Resource Sharing Bypass in Anki Desktop
The local media server (mediasrv.py) in Anki up to and including version 25.09.2 fails to validate incoming HTTP requests. The server does not validate the Origin header, enabling cross-origin requests. Additionally, several endpoints suffer from directory traversal vulnerabilities. Combined, these flaws permit an unauthenticated remote attacker to exfiltrate arbitrary files from a local file system when a user visits a malicious website.
4 views•8 min read
•about 20 hours ago•GHSA-C7JM-38GQ-H67H
8.1GHSA-C7JM-38GQ-H67H: Authentication Bypass via Replay Attack in http4k-security-digest due to Insecure Default Nonce Verifier
The http4k-security-digest module within the http4k library fails to validate HTTP Digest Access Authentication nonces by default. Due to an always-true nonce verifier lambda implementation, applications using default configurations do not enforce session freshness or uniqueness. This design flaw allows remote attackers to perform replay attacks, gaining unauthorized access to protected endpoints by intercepting and retransmitting valid authorization headers.
5 views•5 min read
•about 20 hours ago•CVE-2026-11769
6.4CVE-2026-11769: Local File Read and Privilege Escalation in Grafana Operator via Jsonnet Evaluation
CVE-2026-11769 is a directory traversal vulnerability affecting the Grafana Operator before version 5.24.0. An authenticated attacker with basic namespace privileges can deploy a crafted GrafanaDashboard or GrafanaLibraryPanel custom resource to read sensitive local files. This enables the extraction of the service account token of the operator manager, resulting in cluster-wide privilege escalation.
5 views•7 min read
•about 21 hours ago•CVE-2026-53725
5.9CVE-2026-53725: Sensitive Information Disclosure via MFA Re-fetch Bypass in Parse Server
CVE-2026-53725 is a critical sensitive information disclosure vulnerability in Parse Server (versions 9.8.0 to < 9.9.1-alpha.5). When Multi-Factor Authentication (MFA) is enabled and standard read permissions on the _User class are restricted via Class-Level Permissions (CLPs), the /login and /verifyPassword endpoints improperly fall back to returning the raw database row upon a failed mock re-fetch request. This behavior leaks plaintext MFA TOTP secrets, recovery codes, and fields designated as protected, enabling attackers with compromised user passwords to bypass multi-factor authentication controls entirely.
4 views•8 min read