•9 minutes ago•GHSA-528Q-4PGM-WVG2
6.1CVE-2025-45286: Reflected Cross-Site Scripting in go-httpbin
A Reflected Cross-Site Scripting (XSS) vulnerability exists in `mccutchen/go-httpbin` (also known as `httpbingo`), a Go implementation of the httpbin service. The vulnerability affects versions prior to 2.18.0 and stems from improper neutralization of user-controlled input in the `/response-headers` and `/base64` endpoints. By manipulating the `Content-Type` query parameter, an attacker can force the application to serve a response interpreted as HTML by the browser, allowing for the execution of arbitrary JavaScript in the context of the victim's session.
2 views•5 min read
•about 12 hours ago•CVE-2026-27752
8.2CVE-2026-27752: Cleartext Credential Exposure in SODOLA SL902-SWTGW124AS Switches
A critical information disclosure vulnerability affects the management interface of SODOLA SL902-SWTGW124AS network switches (firmware versions 200.1.20 and prior). The device transmits administrative credentials in cleartext over unencrypted HTTP, allowing network-positioned attackers to intercept sensitive authentication data and gain full administrative control of the device.
3 views•5 min read
•about 12 hours ago•CVE-2026-27751
9.8CVE-2026-27751: Hardcoded Default Credentials in SODOLA SL902-SWTGW124AS
A critical authentication vulnerability exists in the SODOLA SL902-SWTGW124AS network switch firmware. The device ships with hardcoded administrative credentials that are not forcibly changed upon initial configuration. This flaw allows unauthenticated remote attackers to gain full administrative access to the device management interface via HTTP or HTTPS, leading to complete system compromise.
11 views•5 min read
•about 13 hours ago•CVE-2026-2359
8.7DoS in Multer via Premature Connection Termination
A high-severity Denial of Service (DoS) vulnerability exists in Multer versions prior to 2.1.0, a popular Node.js middleware for handling `multipart/form-data`. The flaw stems from improper handling of HTTP request termination events (`aborted` and `close`) during file uploads. When a client initiates a multipart upload and subsequently terminates the connection before completion, Multer fails to clean up internal resources or stop the parsing stream. This leads to the indefinite hanging of the request handler and the leakage of file descriptors, memory buffers, and socket connections, eventually resulting in server resource exhaustion.
3 views•6 min read
•about 14 hours ago•CVE-2026-3304
8.7Denial of Service via Incomplete File Cleanup in Multer Middleware
A critical resource exhaustion vulnerability exists in the Multer Node.js middleware versions prior to 2.1.0. The issue arises from a race condition between asynchronous file filtering and stream error handling. When a request triggers an error during the processing of a multipart stream, files that were pending validation in an asynchronous `fileFilter` are not properly cleaned up from the disk. This allows remote attackers to exhaust the server's storage capacity by repeatedly sending crafted requests, leading to a Denial of Service (DoS).
10 views•6 min read
•about 14 hours ago•GHSA-XFX2-PRG5-JQ3G
8.8Gin-Gonic Middleware Bypass: Authorization Failure in INSATutorat
A critical authorization bypass vulnerability exists in the INSATutorat application due to improper middleware implementation within the Gin-Gonic web framework. The `AdminHandler` middleware, designed to protect administrative routes, fails to terminate the request lifecycle upon detecting unauthorized access. Consequently, authenticated non-administrative users can bypass security controls and execute privileged actions on endpoints under `/api/admin/*`, resulting in potential data loss and unauthorized system management.
6 views•4 min read
•about 15 hours ago•CVE-2026-28352
6.5Broken Access Control in Indico Event Series Management (CVE-2026-28352)
A critical access control vulnerability in the Indico event management system allows unauthenticated attackers to modify or delete event series metadata. The flaw exists in the `RHEventSeries` handler, which failed to enforce authentication checks or permission validation prior to version 3.3.11.
3 views•6 min read
•about 15 hours ago•CVE-2026-21619
2.0Unsafe Deserialization in Erlang Hex Ecosystem (hex_core, rebar3)
A critical unsafe deserialization vulnerability exists in `hex_core`, the reference implementation for the Hex package manager API, affecting downstream tools like `hex` and `rebar3`. The flaw stems from the use of the unsafe `binary_to_term/1` function when processing HTTP response bodies, allowing attackers to trigger Denial of Service via atom table exhaustion or potentially achieve Remote Code Execution through object injection.
9 views•5 min read
•about 16 hours ago•CVE-2026-28406
8.2Kaniko Build Context Path Traversal via Unsafe Tar Extraction
A high-severity path traversal vulnerability exists in the Kaniko container image builder, specifically within the `chainguard-forks/kaniko` distribution. The vulnerability resides in the build context extraction logic, where the application fails to properly validate tar archive entries before writing them to the filesystem. By crafting a malicious tarball containing files with relative path sequences (e.g., `../../`), an attacker can escape the intended extraction directory. This allows for arbitrary file writes on the container filesystem, which can potentially lead to Remote Code Execution (RCE) by overwriting system binaries or credential helpers used during the build process.
2 views•5 min read
•about 17 hours ago•CVE-2026-28414
7.5Gradio Path Traversal: Exploiting Python 3.13 Path Semantics on Windows
A high-severity absolute path traversal vulnerability exists in Gradio versions prior to 6.7 when running on Windows with Python 3.13 or newer. The vulnerability arises from a breaking change in Python 3.13's `os.path.isabs()` implementation, which no longer treats root-relative paths (e.g., `/Windows/win.ini`) as absolute on Windows. Gradio's path sanitization logic relied on the previous behavior, allowing unauthenticated remote attackers to bypass security checks and read arbitrary files from the host filesystem.
5 views•6 min read
•about 17 hours ago•CVE-2026-28415
4.3Open Redirect in Gradio OAuth Flow Enables Phishing Attacks
A security vulnerability has been identified in Gradio, a popular Python library for building machine learning demonstrations. The flaw exists within the OAuth authentication workflow, specifically in the `_redirect_to_target` function found in `gradio/oauth.py`. This function fails to properly validate the `_target_url` query parameter before issuing an HTTP 302 redirect. Consequently, an unauthenticated attacker can craft malicious URLs that leverage the trust of a legitimate Gradio application domain (such as those hosted on Hugging Face Spaces) to redirect users to arbitrary external sites. This mechanism is frequently employed in phishing campaigns to harvest credentials or distribute malware by masking the destination behind a trusted domain.
11 views•5 min read
•about 18 hours ago•CVE-2026-28416
8.2Implicit Trust in Remote Configuration Leads to SSRF in Gradio
A high-severity Server-Side Request Forgery (SSRF) vulnerability exists in the Gradio machine learning framework due to improper validation of remote configurations. When a user utilizes the `gr.load()` function to import a remote Hugging Face Space, the local Gradio instance ingests the remote `config.json` file. In vulnerable versions, the application implicitly trusts the `proxy_url` parameters defined within this configuration, adding them to the local application's proxy allowlist. This allows a malicious Space to inject arbitrary internal URLs—such as cloud metadata endpoints or local network services—into the allowlist. Consequently, an attacker can leverage the victim's `/proxy` endpoint to exfiltrate sensitive internal data.
5 views•6 min read