Never look back on the past; security never stops. AiRedTeam's security notes, recording those late nights sparring with code and vulnerabilities. Code as the sword, vulnerabilities as the whetstone, guarding a corner of the digital realm. With this ink, become the Bai Ze that watches over all things.

Security Intelligence

GHSA-9h64-2846-7x7f - Axonflow fixed bugs by implementing multi-tenant isolation and access-control ha

📡 GitHub-Advisory · 2026-05-06 · GHSA-9h64-2846-7x7f · CRITICAL · go/github.com/getaxonflow/axonflow · CVE: (none listed)
Summary: Eight independently-filed bug fixes in the v7.1.3 → v7.5.0 release window collectively close a set of multi-tenant isolation, access-control, and policy-enforcement defects in the

CVE-2026-42577 - Netty epoll transport denial of service via RST on half-closed TCP connection

📡 GitHub-Advisory · 2026-05-06 · CVE-2026-42577 · GHSA-rwm7-x88c-3g2p · HIGH · maven/io.netty:netty-transport-native-epoll
Summary: Netty's epoll transport fails to detect and close TCP connections that receive a RST after being half-closed, leading to stale channels that

CVE-2026-0897 - Keras vulnerable to DoS via Malicious .keras Model (HDF5 Shape Bomb Causes Petab

📡 GitHub-Advisory · 2026-05-06 · CVE-2026-0897 · GHSA-mgx6-5cf9-rr43 · HIGH · pip/keras
Summary: Keras's model loader (KerasFileEditor) unsafely loads user-supplied .keras model files containing HDF5-based weight files without performing any validation on HDF5 dataset metadata. An attacker

CVE-2026-44375 - Nerdbank.MessagePack: Attacker-controlled stackalloc in DateTime decoding causes

📡 GitHub-Advisory · 2026-05-06 · CVE-2026-44375 · GHSA-2cwq-pwfr-wcw3 · HIGH · nuget/Nerdbank.MessagePack
Summary: Nerdbank.MessagePack contains an uncontrolled stack allocation vulnerability in DateTime decoding. A malicious MessagePack payload can declare an oversized timestamp extension length, causing the reader to allocate an attacker-controlled

CVE-2026-44374 - Backstage: Catalog unprocessed read endpoints allow authenticated cross-owner da

📡 GitHub-Advisory · 2026-05-06 · CVE-2026-44374 · GHSA-p7g9-rp3g-mgfg · MEDIUM · npm/@backstage/plugin-catalog-unprocessed-entities-common
Impact: The unprocessed entities read endpoints in @backstage/plugin-catalog-backend-module-unprocessed do not enforce permission authorization checks. Any authenticated user can access unprocessed entity records regardless of ownershi

CVE-2026-44372 - Nitro has an Open Redirect via Protocol-Relative URL Bypass in Wildcard Route Ru

📡 GitHub-Advisory · 2026-05-06 · CVE-2026-44372 · GHSA-9phm-9p8f-hw5m · MEDIUM · npm/nitro
A redirect route rule like: routeRules: { "/legacy/**": { redirect: "/**" } } is intended to rewrite paths within the same host. Before the patch, an attacker

CVE-2026-44373 - Nitro has a proxy scope bypass via percent-encoded path traversal in `routeRules

📡 GitHub-Advisory · 2026-05-06 · CVE-2026-44373 · GHSA-5w89-w975-hf9q · MEDIUM · npm/nitro
A proxy route rule like: routeRules: { "/api/orders/**": { proxy: { to: "http://upstream/orders/**" } } } is intended to limit the proxy to URLs under /api/

CVE-2026-42602 - opentelemetry-collector-contrib's azureauthextension Authenticate method does no

📡 GitHub-Advisory · 2026-05-06 · CVE-2026-42602 · GHSA-pjv4-3c63-699f · HIGH · go/github.com/open-telemetry/opentelemetry-collector-contrib/extension/azureauthextension
Summary: A server-side authentication bypass in azureauthextension allows any party who holds a single valid Azure access token for *any scope the collector's configured

CVE-2026-44364 - misp-modules website - Missing CSRF protection in the website home blueprint

📡 GitHub-Advisory · 2026-05-06 · CVE-2026-44364 · GHSA-j4rh-7jcr-qm69 · CRITICAL · pip/misp-modules
A Cross-Site Request Forgery vulnerability in the MISP Modules website allowed an attacker to cause an authenticated user to submit unintended requests to the home endpoint. The vulnerability

CVE-2026-44363 - misp-modules has unsafe remote resource fetching in expansion

📡 GitHub-Advisory · 2026-05-06 · CVE-2026-44363 · GHSA-fhq3-2gf3-8f3j · MEDIUM · pip/misp-modules
An unsafe remote resource fetching vulnerability existed in MISP Modules expansion modules. The html_to_markdown module accepted arbitrary HTTP(S) URLs without sufficient validation, which could allow Server-Side Request Forgery

CVE-2026-44351 - fast-jwt: JWT auth bypass due to empty HMAC secret accepted by async key resolve

📡 GitHub-Advisory · 2026-05-06 · CVE-2026-44351 · GHSA-gmvf-9v4p-v8jc · CRITICAL · npm/fast-jwt
Summary: A critical authentication-bypass vulnerability in fast-jwt's async key-resolver flow allows any unauthenticated attacker to forge arbitrary JWTs that are accepted as authentic.

GHSA-95q8-x6r6-672m - Lemmy may expose private community data through community, saved, liked, and mod

📡 GitHub-Advisory · 2026-05-06 · GHSA-95q8-x6r6-672m · MEDIUM · rust/lemmy_api · CVE: (none listed)
Summary: Lemmy applies private-community checks in PostView and CommentView, but several adjacent API views skip the accepted-follower filter. Bob, a registered user who is not an accepted follower,

GHSA-jmxc-hhwx-gvv3 - Private Lemmy instances expose multi-community metadata without authentication

📡 GitHub-Advisory · 2026-05-06 · GHSA-jmxc-hhwx-gvv3 · MEDIUM · rust/lemmy_api · CVE: (none listed)
Summary: read_multi_community() does not enforce the private-instance setting. On a private instance, an unauthenticated visitor can read multi-community names, titles, summaries, sidebars, owner identities, and member community lists. Details: Other

CVE-2026-44245 - Kyverno policy-reporter-ui has XSS via Stored Property Values in PropertyCard Co

📡 GitHub-Advisory · 2026-05-06 · CVE-2026-44245 · GHSA-q98m-7w8c-w388 · MEDIUM · go/github.com/kyverno/policy-reporter-ui
Summary: Vue 3's v-html directive is the framework-documented mechanism for injecting raw HTML, and it intentionally disables the auto-escaping that {{ }} interpolation provides. The

CVE-2026-44349 - Daptin fuzzy search injects unvalidated column name into raw SQL

📡 GitHub-Advisory · 2026-05-06 · CVE-2026-44349 · GHSA-pwqg-q8pg-pp6r · HIGH · go/github.com/daptin/daptin
Summary: processFuzzySearch in server/resource/resource_findallpaginated.go:1484 splits the user-supplied column parameter by comma and interpolates each segment directly into goqu.L(fmt.Sprintf(

CVE-2026-42572 - Hatchet affected by cross-tenant information disclosure in `listTasksByDAGIds`

📡 GitHub-Advisory · 2026-05-06 · CVE-2026-42572 · GHSA-55gc-6fmc-fpx9 · MEDIUM · go/github.com/hatchet-dev/hatchet
Summary: A missing authorization directive on the GET /api/v1/stable/dags/tasks endpoint caused Hatchet's tenant-membership check to be skipped for this route. A user

CVE-2026-44244 - GitPython: Newline injection in config_writer().set_value() enables RCE via core

📡 GitHub-Advisory · 2026-05-06 · CVE-2026-44244 · GHSA-v87r-6q3f-2j67 · HIGH · pip/GitPython
GitConfigParser.set_value() passes values to Python's configparser without validating for newlines. GitPython's own _write() converts embedded newlines into indented continuation lines (e.

GHSA-v5mh-h5hx-7v92 - kube-router: GoBGP gRPC Admin Port Exposed on Node Primary IP Without Authentica

📡 GitHub-Advisory · 2026-05-06 · GHSA-v5mh-h5hx-7v92 · MEDIUM · go/github.com/cloudnativelabs/kube-router · CVE: (none listed)
Summary: When the kube-router routing controller starts (--run-router), it binds the GoBGP gRPC management server to the node's primary IP (e.g., 192.168.

CVE-2026-44223 - vLLM: extract_hidden_states speculative decoding crashes server on any request w

📡 GitHub-Advisory · 2026-05-06 · CVE-2026-44223 · GHSA-83vm-p52w-f9pw · MEDIUM · pip/vllm
Summary: The extract_hidden_states speculative decoding proposer in vLLM returns a tensor with an incorrect shape after the first decode step, causing a RuntimeError that crashes

CVE-2026-44307 - Mako vulnerable to path traversal via backslash URI on Windows in TemplateLookup

📡 GitHub-Advisory · 2026-05-06 · CVE-2026-44307 · GHSA-2h4p-vjrc-8xpq · HIGH · pip/Mako
Summary: On Windows, a URI using backslash traversal (e.g. \..\..\ secret.txt) bypasses the directory traversal check in Template.__init__ and the posixpath-based normalization in TemplateLookup.get_
[!] CONTACT_CHANNELS

For business cooperation, technical consulting or vulnerability reports, contact the author through the following offshore node.

> PING_AUTHOR (@A1RedTeam)