CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.


© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad

about 4 hours ago · CVE-2023-49316 · severity 7.5

CVE-2023-49316: Denial of Service via Unbounded Degree in phpseclib Binary Finite Fields

The phpseclib cryptographic library version 3.x prior to 3.0.34 contains a Denial of Service (DoS) vulnerability in its mathematical field generation logic. When parsing maliciously crafted X.509 certificates or PKCS#8 private keys specifying Elliptic Curve parameters over a binary finite field, the library fails to validate the degree parameter. This flaw allows a remote attacker to force the PHP application to perform unbounded memory allocations, exhausting server resources and terminating the application worker process.

Alon Barad · 5 views · 6 min read
about 5 hours ago · GHSA-MV93-W799-CJ2W · severity 7.8

GHSA-MV93-W799-CJ2W: Remote Code Execution via Config Section Injection in GitPython

GitPython versions prior to 3.1.50 are vulnerable to a newline injection attack in the `config_writer()` and `set_value()` methods. An incomplete fix for CVE-2026-44244 failed to sanitize the configuration section parameter, allowing an attacker to inject malicious Git configuration blocks such as `[core]` and override the `hooksPath`. This leads to unauthenticated remote code execution when subsequent Git operations trigger the injected hooks.

Amit Schendel · 4 views · 8 min read
about 5 hours ago · CVE-2026-6860 · severity 5.3

CVE-2026-6860: Unbounded SNI Cache Growth in Eclipse Vert.x

Eclipse Vert.x suffers from an uncontrolled resource consumption vulnerability within its Server Name Indication (SNI) processing logic. When server-side SNI is enabled alongside a wildcard TLS certificate, unauthenticated remote attackers can exhaust server memory by initiating handshakes with continuous unique hostname values, ultimately resulting in a Denial of Service (DoS).

Alon Barad · 4 views · 8 min read
about 6 hours ago · GHSA-V6WJ-C83F-V46X · severity 9.8

GHSA-v6wj-c83f-v46x: Critical OS Command Injection in @profullstack/mcp-server domain_lookup Module

A critical unauthenticated OS Command Injection vulnerability (CWE-78) exists in the `@profullstack/mcp-server` npm package, specifically within the `domain_lookup` module. The vulnerability allows remote attackers to execute arbitrary commands on the host system via crafted HTTP requests.

Alon Barad · 5 views · 7 min read
about 12 hours ago · GHSA-QHH4-458H-XWH2 · severity 5.3

GHSA-qhh4-458h-xwh2: Credential Leakage via Origin Validation Error in cdxgen

The @cyclonedx/cdxgen package is vulnerable to credential leakage due to improper Docker registry origin validation. A flaw in how registry authentication endpoints are matched against configured credentials allows arbitrary downstream registries to capture private credentials.

Alon Barad · 5 views · 9 min read
about 14 hours ago · CVE-2026-32689 · severity 8.7

CVE-2026-32689: Denial of Service in Phoenix Framework LongPoll Transport via NDJSON Payload Amplification

The Phoenix Framework contains a high-severity Denial of Service vulnerability in its LongPoll transport mechanism. The vulnerability is caused by unbounded memory allocation when processing Newline Delimited JSON (NDJSON) payloads. Unauthenticated attackers can trigger Out-Of-Memory conditions on the host BEAM node, terminating all active sessions by forcing the server to evaluate excessive newline characters.

Alon Barad · 7 views · 6 min read
about 14 hours ago · CVE-2026-44499 · severity 8.7

CVE-2026-44499: Permanent Block Discovery Halt in Zebra via Gossip Queue Saturation

CVE-2026-44499 is a composite Denial of Service (DoS) vulnerability affecting Zebra, the Rust implementation of a Zcash full node. By exploiting architectural flaws in the peer-to-peer (P2P) communication stack, an unauthenticated attacker can saturate internal message queues and poison the chain discovery process, permanently isolating the target node from the network.

Amit Schendel · 9 views · 6 min read
about 15 hours ago · CVE-2026-6322 · severity 7.5

CVE-2026-6322: Host Confusion via Interpretation Conflict in fast-uri

The fast-uri library exhibits an interpretation conflict vulnerability due to improper handling of percent-encoded authority delimiters during normalization. This flaw enables attackers to bypass domain validation and perform host confusion attacks against downstream components.

Alon Barad · 22 views · 6 min read
about 15 hours ago · CVE-2026-43944 · severity 9.4

CVE-2026-43944: Arbitrary Local Code Execution in electerm via Malicious Deep Links

CVE-2026-43944 is a critical vulnerability in the electerm client that allows for arbitrary local code execution. The application insecurely parses deep link arguments and merges untrusted JSON directly into the core session configuration. This enables attackers to override internal state variables, hijacking the application's execution flow to spawn malicious local binaries.

Amit Schendel · 10 views · 7 min read
about 16 hours ago · GHSA-7HGR-XVRR-XPW3 · severity 7.5

GHSA-7HGR-XVRR-XPW3: Session Persistence After Password Change in Nhost hasura-auth

A critical session management vulnerability in Nhost's authentication service allows attackers to maintain unauthorized access following a password reset. The password update operation fails to invalidate existing refresh tokens in the database, violating standard session revocation principles and rendering password changes ineffective as an incident response measure.

Amit Schendel · 12 views · 5 min read
about 17 hours ago · CVE-2026-6321 · severity 7.5

CVE-2026-6321: Path Traversal in fast-uri via Improper Normalization Order

The fast-uri library (versions ≤ 3.1.0) contains a high-severity path traversal vulnerability due to an order-of-operations flaw during URI normalization. The library incorrectly decodes percent-encoded path separators (%2F) and dot segments (%2E) prior to applying dot-segment removal algorithms, allowing attackers to bypass path-based access controls and filters.

Amit Schendel · 21 views · 7 min read
about 17 hours ago · GHSA-8G7G-HMWM-6RV2 · severity 8.5

GHSA-8g7g-hmwm-6rv2: Path Traversal, SSRF, and Information Exposure in n8n-mcp

Multiple high-severity vulnerabilities were identified in the `n8n-mcp` package prior to version 2.50.1. These vulnerabilities include a Path Traversal flaw in the API client, a Server-Side Request Forgery (SSRF) bypass via redirect-following, and an Information Exposure vulnerability in the telemetry service. Collectively, these flaws permit credential theft, internal network access, and the leakage of sensitive workflow configurations.

Alon Barad · 10 views · 7 min read

Automated vulnerability intelligence. 1,711+ reports.