Never dwell on the past; never stop advancing in security. AiRedTeam's security notes record the late nights spent contending with code and vulnerabilities. Code as the sword, vulnerabilities as the whetstone, guarding a corner of the digital realm. May this ink become the Bai Ze that watches over all things.

Security Intelligence

CVE-2026-44004 - vm2 Sandbox Access to Host Buffer.alloc Allows timeout Bypass Resulting in Memor

📡 GitHub-Advisory · 2026-05-07 · CVE-2026-44004 · GHSA-6785-pvv7-mvg7 · HIGH · npm/vm2
Summary: Sandboxed code can call Buffer.alloc() with an arbitrary size to allocate memory directly on the host heap. Because Buffer.alloc is a synchronous C+
Reading time: 1 min
Security Intelligence

CVE-2026-44005 - vm2: Mutable Proxies for Host Intrinsic Prototypes Allows Sandbox Escape

📡 GitHub-Advisory · 2026-05-07 · CVE-2026-44005 · GHSA-vwrp-x96c-mhwq · CRITICAL · npm/vm2
Summary: vm2's bridge exposes mutable proxies for real host-realm intrinsic prototypes and then forwards sandbox writes into the underlying host objects with otherReflectSet() and otherReflectDefineProperty(), which lets
Reading time: 1 min
Security Intelligence

CVE-2026-44006 - vm2 has a Sandbox Escape Vulnerability

📡 GitHub-Advisory · 2026-05-07 · CVE-2026-44006 · GHSA-qcp4-v2jj-fjx8 · CRITICAL · npm/vm2
Summary: It is possible to reach BaseHandler.getPrototypeOf, which can be used to get arbitrary prototypes.
Details: https://github.com/patriksimek/vm2/blob/408fc855f1cc1bbc2985b029465ee0e732ada433/lib/bridge.js#L655-L658 BaseHandler can be reached via
Reading time: 1 min
Security Intelligence

CVE-2026-44662 - rust-openssl vulnerable to heap buffer overflow when encrypting with AES key-wra

📡 GitHub-Advisory · 2026-05-07 · CVE-2026-44662 · GHSA-xv59-967r-8726 · MEDIUM · rust/openssl
CipherCtxRef::cipher_update, CipherCtxRef::cipher_update_vec, and symm::Crypter::update incorrectly sized output buffers when used with AES key-wrap-with-padding ciphers (EVP_aes_{128,192,256}_wrap_pad)
Security Intelligence

CVE-2026-44661 - utcp-http vulnerable to SSRF via attacker-controlled OpenAPI servers[0].url in H

📡 GitHub-Advisory · 2026-05-07 · CVE-2026-44661 · GHSA-39j6-4867-gg4w · MEDIUM · pip/utcp-http
Summary: The utcp-http plugin is vulnerable to a blind Server-Side Request Forgery (SSRF) caused by a trust-boundary inconsistency between manual discovery and tool invocation. register_manual() validates
Reading time: 1 min
Security Intelligence

GHSA-v7qw-hx66-4w9x - netbox-data-flows has stored XSS in ObjectAlias names rendered inside DataFlow t

📡 GitHub-Advisory · 2026-05-07 · GHSA-v7qw-hx66-4w9x · HIGH · pip/netbox-data-flows
Summary: An authenticated user who can create or edit ObjectAlias objects can store arbitrary HTML/JavaScript in an alias name. That payload is later rendered unescaped in DataFlow table views,
Reading time: 1 min
Security Intelligence

GHSA-j7h9-2jh7-g967 - mcp-ssh-tool has file transfer path policy bypass and bearer token comparison ha

📡 GitHub-Advisory · 2026-05-07 · GHSA-j7h9-2jh7-g967 · HIGH · npm/mcp-ssh-tool
Summary: mcp-ssh-tool has released version 2.1.1 with security hardening for transfer path authorization and HTTP bearer authentication. The release addresses: * insufficient local path policy enforcement in transfer-related
Reading time: 1 min
Security Intelligence

CVE-2026-44641 - Microsoft APM CLI's plugin.json component paths escape plugin root and copy arbi

📡 GitHub-Advisory · 2026-05-07 · CVE-2026-44641 · GHSA-xhrw-5qxx-jpwr · HIGH · pip/apm-cli
Summary: Microsoft APM normalizes marketplace plugins by copying plugin components referenced in plugin.json into .apm/. The manifest fields agents, skills, commands, and hooks
Reading time: 1 min
Security Intelligence

GHSA-p64j-f4x9-wq66 - Ech0's OAuth redirect URI validation ignores path component, enables exchange-co

📡 GitHub-Advisory · 2026-05-07 · GHSA-p64j-f4x9-wq66 · HIGH · go/github.com/lin-snow/Ech0
Summary: parseAndValidateClientRedirect at internal/service/auth/auth.go:448 validates OAuth client-redirect URIs by comparing only scheme and host against the admin-configured allowlist. Path, query, and
Reading time: 1 min
Security Intelligence

GHSA-8mc6-xjpr-h98x - Ech0 has Server-Side Request Forgery (SSRF) via Connect Handler fetchPeerConnect

📡 GitHub-Advisory · 2026-05-07 · GHSA-8mc6-xjpr-h98x · HIGH · go/github.com/lin-snow/ech0
Summary: The fetchPeerConnectInfo function in internal/service/connect/connect.go:214-239 uses httpUtil.SendRequest (no SSRF protection) instead of SendSafeRequest (which has ValidatePublicHTTPURL with private IP blocking). This
Reading time: 1 min
Security Intelligence

GHSA-pj6q-4vq4-r8cg - Ech0 allows PUT /api/echo/like/:id unauthenticated: anonymous callers to modify

📡 GitHub-Advisory · 2026-05-07 · GHSA-pj6q-4vq4-r8cg · MEDIUM · go/github.com/lin-snow/Ech0
Summary: PUT /api/echo/like/:id at internal/router/echo.go:12 is registered on PublicRouterGroup with no authentication and no rate limit. Anonymous callers increment
Reading time: 1 min
Security Intelligence

GHSA-rgj7-vg8v-j4wr - Ech0's Unauthenticated Like Endpoint Enables Arbitrary Engagement Metric Inflati

📡 GitHub-Advisory · 2026-05-07 · GHSA-rgj7-vg8v-j4wr · MEDIUM · go/github.com/lin-snow/ech0
Summary: No authentication is required to invoke PUT /api/echo/like/:id. The handler is registered on the public router group. The service increments fav_count for
Reading time: 1 min
Security Intelligence

GHSA-3v85-fqvh-7rxf - Ech0's RSS feed renders unescaped tag names and raw-HTML markdown, stored XSS ag

📡 GitHub-Advisory · 2026-05-07 · GHSA-3v85-fqvh-7rxf · MEDIUM · go/github.com/lin-snow/Ech0
Summary: The public RSS/Atom feed at /rss renders two attacker-controlled surfaces without HTML escaping. Tag names flow through fmt.Appendf(renderedContent, "
Reading time: 1 min
Security Intelligence

CVE-2026-44523 - Note Mark has a JWT Secret Weakness that allows Full Account Takeover via Token

📡 GitHub-Advisory · 2026-05-07 · CVE-2026-44523 · GHSA-q6mh-rqwh-g786 · CRITICAL · go/github.com/enchant97/note-mark/backend
Summary: No minimum length or entropy is enforced on the JWT_SECRET configuration value. The application accepts any base64-decodable secret regardless
Reading time: 1 min
Security Intelligence

CVE-2026-44522 - Note Mark: Arbitrary File Write via Path Traversal in Asset Names Leads to Remot

📡 GitHub-Advisory · 2026-05-07 · CVE-2026-44522 · GHSA-g49p-4qxj-88v3 · HIGH · go/github.com/enchant97/note-mark/backend
Description: The Note Mark application allows authenticated users to upload assets to notes via POST /api/notes/{noteID}/assets, where the
Reading time: 1 min
Security Intelligence

GHSA-h4fw-6r7f-w494 - Webauthn has a User Verification Downgrade via Default-Open ClientOverridePolicy

📡 GitHub-Advisory · 2026-05-07 · GHSA-h4fw-6r7f-w494 · LOW · composer/web-auth/webauthn-framework
Summary: In version 5.3.0 of the Symfony bundle, Webauthn\Bundle\Policy\ClientOverridePolicy defaulted to allowing all client overrides, including userVerification. A client could send {"userVerification": "discouraged&
Reading time: 1 min
Security Intelligence

GHSA-cwfq-rfcr-8hmp - Zebra's Transparent SIGHASH_SINGLE Handling Diverges from zcashd for Correspondi

📡 GitHub-Advisory · 2026-05-07 · GHSA-cwfq-rfcr-8hmp · CRITICAL · rust/zebrad
`Zebra` Transparent `SIGHASH_SINGLE` Corresponding-Output Handling Diverges From `zcashd`
Summary: For V5+ transparent spends, Zebra and zcashd disagree on the same consensus rule: SIGHASH_SINGLE must fail when the
Reading time: 1 min
Security Intelligence

CVE-2026-44497 - Zebra has Consensus Divergence in Transparent Sighash Hash-Type Handling due to

📡 GitHub-Advisory · 2026-05-07 · CVE-2026-44497 · GHSA-gq4h-3grw-2rhv · CRITICAL · rust/zebra-script
CVE-2026-44497: Consensus Divergence in Transparent Sighash Hash-Type Handling due to Stale Buffer
Summary: The fix for https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-8m29-fpq5-89jj introduced a separate issue
Reading time: 1 min
Security Intelligence

CVE-2026-44500 - Zebra Vulnerable to Allocation Amplification in Inbound Network Deserializers

📡 GitHub-Advisory · 2026-05-07 · CVE-2026-44500 · GHSA-438q-jx8f-cccv · MEDIUM · rust/zebra-network
CVE-2026-44500: Allocation Amplification in Inbound Network Deserializers
Summary: Several inbound deserialization paths in Zebra allocated buffers sized against generic transport or block-size ceilings before the tighter protocol or consensus limits
Reading time: 1 min
Security Intelligence

CVE-2026-44498 - Zebra's Block Validator Undercounts Coinbase and P2SH Sigops

📡 GitHub-Advisory · 2026-05-07 · CVE-2026-44498 · GHSA-jv4h-j224-23cc · CRITICAL · rust/zebrad
Zebra's block validator undercounts transparent signature operations against the 20000-sigop block limit (MAX_BLOCK_SIGOPS), allowing it to accept blocks that zcashd rejects with bad-blk-sigops. A miner
Reading time: 1 min
Security Intelligence

CVE-2026-44589 - nuxt-og-image SSRF — bypass of GHSA-pqhr-mp3f-hrpp / v6.2.5 fix (IPv6 + redirect

📡 GitHub-Advisory · 2026-05-07 · CVE-2026-44589 · GHSA-c2rm-g55x-8hr5 · LOW · npm/nuxt-og-image
Summary: The isBlockedUrl() denylist introduced in nuxt-og-image@6.2.5 to remediate GHSA-pqhr-mp3f-hrpp (Dmitry Prokhorov / Positive Technologies, March 2026) is incomplete. The patch advisory states "Decimal/hexadecimal
Reading time: 1 min
[!] CONTACT_CHANNELS

For business cooperation, technical consulting, or vulnerability reports, please contact the author through the following offshore nodes.

> PING_AUTHOR (@A1RedTeam)