A critical logic error in PowerSync Service version 1.20.0 causes the synchronization engine to ignore specific subquery filters when using the `config.edition: 3` architecture. This flaw results in an authorization bypass where authenticated users may receive data intended solely for privileged accounts, such as administrators.
A critical Insecure Direct Object Reference (IDOR) vulnerability exists in the AVideo platform (formerly YouPHPTube) prior to version 25.0. The flaw allows unauthenticated remote attackers to retrieve private playlist information—including 'Watch Later' lists, 'Favorites', and custom private collections—for any user on the system. The vulnerability resides in the `/objects/playlistsFromUser.json.php` and `/objects/playlistsFromUserVideos.json.php` endpoints, which fail to validate the requester's identity or authorization level before querying the database with a flag that exposes non-public data.
FUXA, a web-based Process Visualization (SCADA/HMI) software, contains a critical authentication bypass vulnerability due to the use of a hardcoded fallback secret for JSON Web Token (JWT) signing. In versions prior to 1.3.0, if a user did not explicitly configure a `secretCode`, the application defaulted to the static string 'frangoteam751'. This secret was publicly exposed in the project's source code and documentation. An attacker with knowledge of this secret can forge valid authentication tokens, impersonating any user—including administrators—thereby gaining full control over the HMI system and potentially affecting connected industrial processes.
A high-severity vulnerability exists in the `shescape` npm package (versions prior to 2.1.9) due to improper resolution of symbolic link chains when identifying the system shell. When the chain is not fully resolved, the library can misidentify the target shell and apply the escaping rules of the wrong shell. Attackers can exploit this to bypass the escaping and inject arbitrary OS commands when the shell the application invokes is reached through a chain of symbolic links.
A high-severity Remote Code Execution (RCE) vulnerability exists in the official GitHub Action for the Black Python code formatter (`psf/black`). The vulnerability arises from improper input validation within the Action's version parsing logic when reading `pyproject.toml` configuration files. By constructing a malicious dependency definition using PEP 508 direct references (e.g., pointing to a remote URL), an attacker can inject arbitrary arguments into the underlying `pip install` command. This flaw allows unauthorized code execution within the context of the GitHub Actions runner, potentially compromising CI/CD pipelines and secrets.
A critical vulnerability exists in the Coinbase x402 SDK affecting the verification of Solana (SVM) payments. The flaw is located in the facilitator component, which acts as an intermediary for validating automated HTTP 402 payments. Due to improper verification of Ed25519 cryptographic signatures in the Solana implementation, an attacker can bypass payment requirements. This allows unauthorized access to monetized APIs, compute resources, or digital goods without settling the required transaction on the blockchain. The vulnerability specifically affects the `@x402/svm` npm package, the `x402` PyPI package, and the Go SDK.
A critical Remote Code Execution (RCE) vulnerability exists in OneUptime versions prior to 10.0.20, specifically within the `oneuptime-probe` service. The vulnerability stems from an insecure implementation of a JavaScript sandbox used for Synthetic Monitors, allowing authenticated users with low privileges to execute arbitrary code on the host system. The flaw is caused by the exposure of dangerous host objects to the sandbox context and an incomplete `Proxy` implementation that fails to trap specific object property accessors, enabling a complete sandbox escape.
A logic error in the Soroban host environment (`soroban-env-host`) allows for internal state corruption during the conversion of smart contract values (`Val`) to storage keys (`ScVal`). When a conversion fails—specifically involving prohibited types like `MuxedAddress`—an internal status flag indicating that a 'storage conversion is in progress' may remain incorrectly set to `true`. This inconsistent state persists for the duration of the host's execution context. Consequently, valid subsequent operations that rely on this flag, such as emitting events containing `MuxedAddress` objects or performing XDR serialization, are erroneously rejected. This vulnerability can lead to unexpected transaction failures and contract logic denial of service.
A critical Remote Code Execution (RCE) vulnerability exists in the OneUptime Probe component due to unsafe execution of user-supplied JavaScript. The application runs Synthetic Monitors with the standard Node.js `vm` module, which is not a security boundary. Authenticated attackers, including low-privileged project members, can break out of the sandbox through prototype chain traversal to reach the host process. This grants full access to the underlying server and to critical cluster credentials, including database passwords and the master secret.
Parse Server, a popular open-source backend framework, contains an information disclosure vulnerability in its query processing layer. The flaw manifests when the server processes malformed regular expression queries targeting the underlying database. Instead of returning a generic error message, the application propagates the raw database error object—containing internal cluster timestamps, topology information, and driver-specific error codes—directly to the API consumer. This exposure allows unauthenticated attackers to fingerprint the backend infrastructure and gather intelligence for subsequent attacks.
CoreDNS, the default DNS server for Kubernetes, contains a critical Denial of Service (DoS) vulnerability in its `loop` detection plugin. The plugin uses a non-cryptographically secure pseudo-random number generator (PRNG) seeded with the current timestamp to generate self-test query names. An unauthenticated remote attacker can predict this seed, or observe the query in logs, and craft a UDP query for the same name. Upon receiving a query that matches the predictable self-test name, the CoreDNS process treats it as a detected forwarding loop, triggers a fatal error and terminates, leading to a complete service outage.
A high-severity path traversal vulnerability exists in the archive extraction component of Zarf, an airgap-native Kubernetes package manager. The flaw allows malicious packages to write files outside the intended extraction directory via unvalidated symbolic links. This vulnerability affects Zarf versions 0.54.0 through 0.73.0 and is remediated in version 0.73.1.