CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.


© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad

about 5 hours ago · GHSA-qhh4-458h-xwh2 · Severity 5.3

GHSA-qhh4-458h-xwh2: Credential Leakage via Origin Validation Error in cdxgen

The @cyclonedx/cdxgen package is vulnerable to credential leakage because of improper Docker registry origin validation. A flaw in how registry authentication endpoints are matched against configured credentials lets an arbitrary downstream registry receive credentials that were configured for a different registry.

Alon Barad · 5 views · 9 min read
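The summary above turns on how an authentication endpoint is matched against stored registry credentials. The following is an added illustration of that matching, not cdxgen's code: a substring-style matcher beside an exact-origin matcher, where the registries, usernames, tokens and endpoint URLs are all constructed for the demo.

```javascript
// Added illustration of origin-scoped credential lookup; not cdxgen's code.
// The registries, usernames and tokens below are constructed for the demo.

// Constructed credential store: one entry per registry origin the operator configured.
const CREDENTIALS = [
  { registry: 'https://registry.example.com', username: 'ci-bot', token: 'secret-A' },
  { registry: 'https://ghcr.example.org:443', username: 'deploy', token: 'secret-B' },
];

// Effective port when the URL leaves it implicit.
const DEFAULT_PORT = { 'https:': '443', 'http:': '80' };

// Reduce a URL to the triple that defines its origin: scheme, lowercase host,
// effective port. WHATWG URL already lowercases the host and drops a default port.
function originOf(urlString) {
  const u = new URL(urlString);
  return { protocol: u.protocol, host: u.hostname, port: u.port || DEFAULT_PORT[u.protocol] || '' };
}

// Weak matcher: asks whether the configured hostname appears inside the host of
// the endpoint that requested authentication. Any host that embeds the registry
// name (a subdomain of the attacker's domain, for instance) is handed the secret.
function lookupWeak(authEndpoint) {
  const requestHost = new URL(authEndpoint).hostname;
  const hit = CREDENTIALS.find((c) => requestHost.includes(new URL(c.registry).hostname));
  return hit ? { username: hit.username, token: hit.token } : null;
}

// Strict matcher: the secret is released only when scheme, host and effective
// port of the auth endpoint all equal the configured origin. A redirect or an
// auth challenge pointing anywhere else gets nothing.
function lookupStrict(authEndpoint) {
  const want = originOf(authEndpoint);
  const hit = CREDENTIALS.find((c) => {
    const have = originOf(c.registry);
    return have.protocol === want.protocol && have.host === want.host && have.port === want.port;
  });
  return hit ? { username: hit.username, token: hit.token } : null;
}

// Constructed endpoints a registry client might be sent to during an auth flow.
const ENDPOINTS = {
  legit: 'https://REGISTRY.example.com/v2/token',                   // same origin, different case
  legitImplicitPort: 'https://ghcr.example.org/v2/token',           // :443 configured, implicit here
  lookalike: 'https://registry.example.com.attacker.test/v2/token', // attacker's subdomain
  downgrade: 'http://registry.example.com/v2/token',                // same host, cleartext scheme
};
```

The strict matcher also refuses the cleartext downgrade: a credential configured for `https://` is never sent over `http://`, even to the right host.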
about 6 hours ago · CVE-2026-32689 · Severity 8.7

CVE-2026-32689: Denial of Service in Phoenix Framework LongPoll Transport via NDJSON Payload Amplification

The Phoenix Framework contains a high-severity Denial of Service vulnerability in its LongPoll transport mechanism. The vulnerability is caused by unbounded memory allocation when processing Newline Delimited JSON (NDJSON) payloads. Unauthenticated attackers can trigger out-of-memory conditions on the host BEAM node, terminating all active sessions, by forcing the server to evaluate an excessive number of newline characters.

Alon Barad · 7 views · 6 min read
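The amplification described above comes from letting the number of newline characters in a request drive the amount of work and memory. As an added illustration, not Phoenix code (Phoenix is Elixir; this page's examples are in JavaScript), here is the unbounded split-then-parse shape beside a bounded scanner; the limits and payloads are constructed for the demo.

```javascript
// Added illustration of bounded NDJSON handling; not Phoenix code.
// The limits and the payloads below are constructed for the demo.

// Unbounded shape: split the whole body on '\n' and parse every line. A body of
// N newline characters yields N+1 strings before a single message is inspected,
// so allocation is driven by the newline count the client chose, not by the data.
function parseNdjsonUnbounded(body) {
  return body.split('\n').filter((line) => line.length > 0).map((line) => JSON.parse(line));
}

// How many strings the unbounded version materialises for a given body.
function splitCost(body) {
  return body.split('\n').length;
}

// Constructed limits; a real transport derives them from its message size policy.
// Lengths are in UTF-16 code units, which is close enough to bytes for ASCII JSON.
const LIMITS = { maxBodyChars: 64 * 1024, maxLines: 64, maxLineChars: 8 * 1024 };

// Bounded shape: scan for newlines one at a time, count every line including
// empty ones toward the limit, and stop at the first violation. No array of
// lines is built, so the cost of a newline-only payload is capped at maxLines.
function parseNdjsonBounded(body, limits = LIMITS) {
  if (body.length > limits.maxBodyChars) throw new RangeError('body too large');
  const messages = [];
  let start = 0;
  let lines = 0;
  for (;;) {
    let end = body.indexOf('\n', start);
    if (end === -1) end = body.length;
    lines += 1;
    if (lines > limits.maxLines) throw new RangeError('too many lines');
    if (end - start > limits.maxLineChars) throw new RangeError('line too long');
    if (end > start) messages.push(JSON.parse(body.slice(start, end)));
    if (end === body.length) break;
    start = end + 1;
  }
  return messages;
}

// Constructed payloads: a legitimate two-message batch and a newline flood that
// stays under the body size cap but far exceeds the line cap.
const BATCH =
  '{"topic":"room:1","event":"msg","payload":{"body":"hi"}}\n' +
  '{"topic":"room:1","event":"msg","payload":{"body":"there"}}\n';
const FLOOD = '\n'.repeat(50000);
```

The body-size gate alone does not help here: the flood is well under 64 KiB, so only the per-line count stops it. Counting empty lines is deliberate, since an empty line is exactly what the attacker sends.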
about 7 hours ago · CVE-2026-44499 · Severity 8.7

CVE-2026-44499: Permanent Block Discovery Halt in Zebra via Gossip Queue Saturation

CVE-2026-44499 is a composite Denial of Service (DoS) vulnerability affecting Zebra, the Rust implementation of a Zcash full node. By exploiting architectural flaws in the peer-to-peer (P2P) communication stack, an unauthenticated attacker can saturate internal message queues and poison the chain discovery process, permanently isolating the target node from the network.

Amit Schendel · 8 views · 6 min read
about 7 hours ago · CVE-2026-6322 · Severity 7.5

CVE-2026-6322: Host Confusion via Interpretation Conflict in fast-uri

The fast-uri library exhibits an interpretation conflict vulnerability due to improper handling of percent-encoded authority delimiters during normalization. This flaw enables attackers to bypass domain validation and perform host confusion attacks against downstream components.

Alon Barad · 22 views · 6 min read
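An interpretation conflict of the kind summarised above arises when normalisation decodes a percent-encoded delimiter inside the authority and a later parser splits the string differently. As an added illustration (not fast-uri's code), the block below parses with the RFC 3986 Appendix B regex, shows a normaliser that decodes the whole authority beside one that decodes only unreserved characters, and runs a constructed host allowlist over both outputs; the hostnames and the crafted URI are constructed for the demo.

```javascript
// Added illustration of an authority interpretation conflict; not fast-uri code.
// The parser is the RFC 3986 Appendix B regex; hosts are constructed for the demo.

const URI_RE = /^(?:([^:/?#]+):)?(?:\/\/([^/?#]*))?([^?#]*)(?:\?([^#]*))?(?:#(.*))?$/;

// Split a URI into components, then split the authority into userinfo, host and
// port. Per RFC 3986 §3.2 the last '@' ends userinfo; bracketed IPv6 literals
// are not handled here to keep the example short.
function parseUri(uri) {
  const m = URI_RE.exec(uri);
  const authority = m[2] ?? '';
  const at = authority.lastIndexOf('@');
  const hostport = at === -1 ? authority : authority.slice(at + 1);
  const colon = hostport.lastIndexOf(':');
  const host = colon === -1 ? hostport : hostport.slice(0, colon);
  return {
    scheme: m[1] ?? '',
    authority,
    userinfo: at === -1 ? null : authority.slice(0, at),
    host: host.toLowerCase(),
    path: m[3] ?? '',
  };
}

// Flawed normaliser: percent-decodes the whole authority. %2F, %40, %3A, %3F and
// %23 turn into live delimiters, and the next parser to see the string splits it
// somewhere the first parser did not.
function normalizeAuthorityDecodeAll(uri) {
  const p = parseUri(uri);
  return `${p.scheme}://${decodeURIComponent(p.authority)}${p.path}`;
}

// Decode only percent-encodings of unreserved characters (RFC 3986 §2.3, §6.2.2.2)
// and upper-case the hex of everything else; delimiters stay encoded.
function decodeUnreserved(s) {
  return s.replace(/%([0-9A-Fa-f]{2})/g, (match, hex) => {
    const ch = String.fromCharCode(parseInt(hex, 16));
    return /^[A-Za-z0-9\-._~]$/.test(ch) ? ch : match.toUpperCase();
  });
}

function normalizeAuthoritySafe(uri) {
  const p = parseUri(uri);
  return `${p.scheme}://${decodeUnreserved(p.authority)}${p.path}`;
}

// Constructed allowlist check a downstream component might apply.
const ALLOWED_HOSTS = new Set(['allowed.example']);
function hostAllowed(uri) {
  return ALLOWED_HOSTS.has(parseUri(uri).host);
}

// Constructed input: the authority is "allowed.example%2F@attacker.example", so
// the host is attacker.example and "allowed.example%2F" is userinfo. Decoding
// %2F ends the authority early and re-parsing yields host allowed.example.
const CRAFTED = 'https://allowed.example%2F@attacker.example/api';
```

The dangerous sequence is validate-after-normalise, use-raw: the decoded form passes the allowlist while the original form, handed to an HTTP client, connects to `attacker.example`. Keeping delimiters encoded makes both forms parse identically, so the check and the connection agree.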
about 8 hours ago · CVE-2026-43944 · Severity 9.4

CVE-2026-43944: Arbitrary Local Code Execution in electerm via Malicious Deep Links

CVE-2026-43944 is a critical vulnerability in the electerm client that allows for arbitrary local code execution. The application insecurely parses deep link arguments and merges untrusted JSON directly into the core session configuration. This enables attackers to override internal state variables, hijacking the application's execution flow to spawn malicious local binaries.

Amit Schendel · 9 views · 7 min read
about 9 hours ago · GHSA-7hgr-xvrr-xpw3 · Severity 7.5

GHSA-7hgr-xvrr-xpw3: Session Persistence After Password Change in Nhost hasura-auth

A high-severity session management vulnerability in Nhost's authentication service allows attackers to maintain unauthorized access following a password change. The password update operation fails to invalidate existing refresh tokens in the database, violating standard session revocation principles and rendering password changes ineffective as an incident response measure.

Amit Schendel · 11 views · 5 min read
about 9 hours ago · CVE-2026-6321 · Severity 7.5

CVE-2026-6321: Path Traversal in fast-uri via Improper Normalization Order

The fast-uri library (versions ≤ 3.1.0) contains a high-severity path traversal vulnerability due to an order-of-operations flaw during URI normalization. The library incorrectly decodes percent-encoded path separators (%2F) and dot segments (%2E) prior to applying dot-segment removal, allowing attackers to bypass path-based access controls and filters.

Amit Schendel · 19 views · 7 min read
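The order-of-operations point in the summary above is easiest to see with a gateway that picks an access rule from the raw path and forwards the normalised one. As an added illustration (not fast-uri's code), the block below implements RFC 3986 remove_dot_segments, a normaliser that decodes before removing dot segments, a normaliser that removes dot segments first and then decodes segment by segment, and two gateway orderings; the route table and request paths are constructed for the demo.

```javascript
// Added illustration of normalisation order in path handling; not fast-uri code.
// The route table and request paths are constructed for the demo.

// remove_dot_segments from RFC 3986 §5.2.4, applied segment by segment. A
// percent-encoded "%2F" is an ordinary character here and never splits a segment.
function removeDotSegments(path) {
  const input = path.split('/');
  const output = [];
  for (let i = 0; i < input.length; i++) {
    const seg = input[i];
    const last = i === input.length - 1;
    if (seg === '.') {
      if (last) output.push('');
      continue;
    }
    if (seg === '..') {
      if (output.length > 1) output.pop();
      if (last) output.push('');
      continue;
    }
    output.push(seg);
  }
  return output.join('/');
}

// Flawed order: decode first, so %2F becomes '/' and %2E becomes '.', then
// remove dot segments. The decoded delimiters create segments the raw path
// never had, and those segments climb out of the prefix that was checked.
function normalizePathDecodeFirst(path) {
  return removeDotSegments(decodeURIComponent(path));
}

// Safe order: remove dot segments while the path is still encoded, then decode
// each segment on its own and refuse any segment whose decoded form is itself a
// dot segment or contains a separator; such a segment exists only to smuggle structure.
function normalizePathSegmentsFirst(path) {
  return removeDotSegments(path)
    .split('/')
    .map((seg) => {
      const decoded = decodeURIComponent(seg);
      if (decoded === '.' || decoded === '..' || /[\/\\\0]/.test(decoded)) {
        throw new Error(`rejected segment: ${seg}`);
      }
      return decoded;
    })
    .join('/');
}

// Constructed route table: access rules keyed on a path prefix, as a gateway might have.
const ROUTES = [
  { prefix: '/admin/', auth: 'admin' },
  { prefix: '/public/', auth: 'none' },
];

// Vulnerable gateway: picks the rule from the raw request path (and filters a
// literal '..' segment there), then forwards the normalised path.
function routeMatchRawThenNormalize(rawPath, normalize) {
  if (rawPath.split('/').includes('..')) return { status: 403 };
  const rule = ROUTES.find((r) => rawPath.startsWith(r.prefix));
  if (!rule) return { status: 404 };
  try {
    return { status: 200, auth: rule.auth, forwarded: normalize(rawPath) };
  } catch (e) {
    return { status: 400 };
  }
}

// Hardened gateway: normalise first with the safe order, then select the rule
// from the path that will actually be forwarded.
function routeNormalizeThenMatch(rawPath) {
  let normalized;
  try {
    normalized = normalizePathSegmentsFirst(rawPath);
  } catch (e) {
    return { status: 400 };
  }
  const rule = ROUTES.find((r) => normalized.startsWith(r.prefix));
  if (!rule) return { status: 404 };
  return { status: 200, auth: rule.auth, forwarded: normalized };
}

// Constructed request: no literal '..' segment and a /public/ prefix, but the
// third segment decodes to "../../admin".
const CRAFTED_PATH = '/public/..%2F..%2Fadmin/config';
```

With the decode-first normaliser the crafted request is classified as `/public/` traffic (no authentication) and forwarded as `/admin/config`. The segment-wise normaliser rejects the request outright, and matching on the normalised path means the rule and the forwarded path can no longer disagree.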
about 10 hours ago · GHSA-8g7g-hmwm-6rv2 · Severity 8.5

GHSA-8g7g-hmwm-6rv2: Path Traversal, SSRF, and Information Exposure in n8n-mcp

Multiple high-severity vulnerabilities were identified in the `n8n-mcp` package prior to version 2.50.1. These vulnerabilities include a Path Traversal flaw in the API client, a Server-Side Request Forgery (SSRF) bypass via redirect-following, and an Information Exposure vulnerability in the telemetry service. Collectively, these flaws permit credential theft, internal network access, and the leakage of sensitive workflow configurations.

Alon Barad · 10 views · 7 min read
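The SSRF bypass via redirect-following named in the summary above is a general pattern: a destination check that runs once on the initial URL is defeated by a 3xx response pointing at an internal address. As an added illustration (not n8n-mcp's code), the block below contrasts a validate-once client with one that disables automatic redirects and re-validates every hop; the transport is a constructed in-memory stand-in for an HTTP client, and the partner API, redirect chain and metadata address are constructed for the demo.

```javascript
// Added illustration of redirect-aware SSRF filtering; not n8n-mcp code. The
// transport is a constructed in-memory stand-in for an HTTP client; the
// addresses and redirect chain are constructed for the demo.

// IPv4 literal in a range a server-side fetcher should never be steered to:
// "this network", loopback, RFC 1918, and link-local (cloud metadata lives here).
function isPrivateIPv4(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Destination policy on the URL alone. WHATWG URL parsing canonicalises
// shorthand such as http://0x7f000001/ or http://127.1/ to 127.0.0.1, which is
// why the check runs on `new URL(...).hostname` and not on the raw string.
// Hostnames that resolve to private addresses still need a resolve-then-check
// step (and connection pinning) in a real client; that is out of scope offline.
function isForbiddenDestination(urlString) {
  let u;
  try {
    u = new URL(urlString);
  } catch (e) {
    return true;
  }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return true;
  const host = u.hostname;
  if (host === 'localhost' || host.endsWith('.localhost') || host === '[::1]') return true;
  return isPrivateIPv4(host);
}

// Naive client: validates the first URL, then lets the transport follow redirects.
function fetchValidateOnce(startUrl, transport) {
  if (isForbiddenDestination(startUrl)) throw new Error(`blocked: ${startUrl}`);
  return transport(startUrl, { redirect: 'follow' });
}

// Hardened client: never lets the transport follow; every Location is resolved
// against the hop that issued it and validated before the next request is made.
function fetchValidateEveryHop(startUrl, transport, maxHops = 5) {
  let current = startUrl;
  for (let hop = 0; hop <= maxHops; hop++) {
    if (isForbiddenDestination(current)) throw new Error(`blocked: ${current}`);
    const res = transport(current, { redirect: 'manual' });
    const location = res.headers.get('location');
    if (res.status >= 300 && res.status < 400 && location) {
      current = new URL(location, current).toString();
      continue;
    }
    return res;
  }
  throw new Error('too many redirects');
}

// Constructed servers: a partner API whose webhook endpoint redirects into the
// cloud metadata service. A real transport is async; the per-hop check is the same.
const RESPONSES = {
  'https://api.partner.test/hook': { status: 302, location: 'http://169.254.169.254/latest/meta-data/' },
  'http://169.254.169.254/latest/meta-data/': { status: 200, body: 'ami-id\ninstance-id' },
  'https://api.partner.test/ok': { status: 200, body: 'hello' },
};

function mockTransport(url, opts = {}) {
  let current = url;
  for (;;) {
    const r = RESPONSES[current] || { status: 404, body: '' };
    const res = {
      url: current,
      status: r.status,
      body: r.body || '',
      headers: new Map(r.location ? [['location', r.location]] : []),
    };
    if (opts.redirect === 'follow' && r.location) {
      current = new URL(r.location, current).toString();
      continue;
    }
    return res;
  }
}
```

With a real `fetch`, the equivalent is `redirect: 'manual'` and the same loop with `await`; the point is that the policy runs on the URL about to be requested, every time, not on the URL the caller supplied.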
about 10 hours ago · GHSA-2cm2-m3w5-gp2f · Severity 10.0

GHSA-2cm2-m3w5-gp2f: Remote Code Execution via Transformer Bypass in vm2

The vm2 package for Node.js provides a software-based sandbox for untrusted code execution. Vulnerability GHSA-2cm2-m3w5-gp2f enables an attacker to bypass these sandbox protections via the Transformer component. The issue resides in the parsing logic responsible for intercepting JavaScript property access. Attackers leverage custom prototypes and computed keys to expose the internal sandbox state mechanism, leading to full host compromise.

Amit Schendel · 6 views · 8 min read
about 11 hours ago · GHSA-3v85-fqvh-7rxf · Severity 5.3

GHSA-3v85-fqvh-7rxf: Stored Cross-Site Scripting in Ech0 RSS Feed Generation

A stored Cross-Site Scripting (XSS) vulnerability exists in the Ech0 project's RSS feed generation component. The application fails to properly escape user-supplied tags and Markdown content before rendering them into the feed served by the `/rss` endpoint, allowing arbitrary JavaScript execution in vulnerable RSS readers.

Alon Barad · 11 views · 5 min read
about 11 hours ago · GHSA-rgj7-vg8v-j4wr · Severity 5.3

GHSA-rgj7-vg8v-j4wr: Unauthenticated Engagement Metric Inflation in Ech0

The Ech0 lightweight publishing platform suffers from a missing authentication check (CWE-306) and missing authorization (CWE-862) on the `PUT /api/echo/like/:id` API endpoint. This vulnerability allows an unauthenticated remote attacker to arbitrarily inflate engagement metrics by repeatedly sending requests, falsifying social proof and generating unnecessary database writes.

Amit Schendel · 11 views · 7 min read
about 19 hours ago · GHSA-pj6q-4vq4-r8cg · Severity 5.3

GHSA-pj6q-4vq4-r8cg: Unauthenticated Resource Exhaustion and State Manipulation in Ech0 API

The Ech0 lightweight publishing platform exposes an unauthenticated, rate-unlimited API endpoint that permits arbitrary modification of content metrics. Because this endpoint directly triggers database transactions and simultaneously invalidates multiple application cache layers, it serves as an exploitable vector for resource exhaustion Denial of Service (DoS) and cache-stampede attacks.

Alon Barad · 2 views · 7 min read

Automated vulnerability intelligence. 1,707+ reports.