•about 2 hours ago•GHSA-F3CJ-J4F6-WQ85
9.1GHSA-f3cj-j4f6-wq85: Server-Side Rendering Cross-Site Scripting in Svelte hydratable Promises
A critical Cross-Site Scripting (XSS) vulnerability exists in the Server-Side Rendering (SSR) engine of the Svelte framework. The vulnerability occurs due to insecure promise serialization within the experimental `hydratable` feature. Attackers controlling the output of a resolved promise can inject JavaScript string replacement tokens, causing the SSR engine to duplicate template strings into executable script blocks.
1 views•6 min read
•about 2 hours ago•GHSA-WF8Q-WVV8-P8JF
4.7GHSA-WF8Q-WVV8-P8JF: Unauthenticated User Impersonation in MCPHub SSE Endpoint
The @samanhappy/mcphub package before version 0.12.15 contains a critical improper authentication vulnerability within its Server-Sent Events (SSE) transport layer. The application blindly trusts the username provided in the URL path parameter to establish user context and session state without requiring cryptographic verification or authentication tokens. This architectural flaw allows unauthenticated remote attackers to impersonate any user, establish a valid session, and execute arbitrary Model Context Protocol (MCP) tools within the victim's authorization context.
3 views•6 min read
•about 3 hours ago•GHSA-GXHX-2686-5H9G
7.7GHSA-gxhx-2686-5h9g: Signature Verification Bypass in slack-go via Empty SecretsVerifier
The slack-go library prior to version 0.23.1 contains a cryptographic signature verification vulnerability. The SecretsVerifier component fails to validate whether the provided Slack signing secret is empty. Applications initializing this verifier with an empty string—such as from a missing environment variable—allow attackers to bypass request authentication by forging signatures with an empty HMAC key.
2 views•7 min read
•about 3 hours ago•CVE-2026-42897
8.1CVE-2026-42897: Reflected Cross-Site Scripting in Microsoft Exchange Server OWA
CVE-2026-42897 is a high-severity reflected Cross-Site Scripting (XSS) vulnerability affecting the Outlook on the web (OWA) component of Microsoft Exchange Server. The flaw stems from improper neutralization of user-supplied input during web page generation. Discovered as a zero-day and actively exploited in the wild, the vulnerability allows unauthenticated attackers to execute arbitrary JavaScript within the security context of a targeted user's session, facilitating session hijacking and identity spoofing.
34 views•5 min read
•about 12 hours ago•CVE-2026-45369
10.0CVE-2026-45369: OS Command Injection in python-utcp CLI Protocol
CVE-2026-45369 is a critical OS command injection vulnerability in the python-utcp library resulting from unsafe argument substitution in the CLI communication protocol. Unauthenticated attackers can execute arbitrary shell commands via specially crafted tool arguments.
13 views•7 min read
•about 12 hours ago•CVE-2026-45370
7.7CVE-2026-45370: Environment Variable Leak in python-utcp CLI Subprocesses
The python-utcp library improperly exposes the host application's full environment variables to spawned subprocesses via os.environ.copy(). When combined with an existing command injection flaw, attackers can exfiltrate all host secrets in a single request.
10 views•6 min read
•about 13 hours ago•CVE-2026-45411
9.8CVE-2026-45411: Remote Code Execution via Sandbox Escape in vm2 Async Generator Implementation
CVE-2026-45411 is a critical sandbox breakout vulnerability in the vm2 library for Node.js, allowing attackers to achieve remote code execution on the host system. The flaw stems from an inconsistency in how the V8 JavaScript engine handles async generators during delegation and abrupt completions, enabling an attacker to smuggle a host-realm error object into the sandbox.
10 views•8 min read
•about 16 hours ago•GHSA-7RX4-C5VX-G8W3
8.6GHSA-7RX4-C5VX-G8W3: Server-Side Request Forgery Bypass in Karakeep Metadata Extraction Workers
A critical Server-Side Request Forgery (SSRF) vulnerability exists in the Karakeep metadata extraction process prior to version 0.32.0. The flaw allows attackers to bypass primary URL validation and target internal network resources or cloud metadata services via crafted webpage metadata.
7 views•5 min read
•about 16 hours ago•GHSA-9M65-766C-R333
7.1GHSA-9M65-766C-R333: Type Confusion in Seroval Leading to Unintended Function Execution in TanStack Start
A type confusion vulnerability in the `seroval` deserialization library (CWE-843) exposes TanStack Start server functions to unintended sibling function invocation. Upstream, this flaw can lead to remote code execution (CVE-2026-23737).
7 views•6 min read
•about 19 hours ago•GHSA-7G73-99R4-M4MJ
7.5GHSA-7G73-99R4-M4MJ: Credential Data Leak in FlowiseAI API Responses
FlowiseAI versions prior to 3.1.2 suffer from a CWE-200 Information Exposure vulnerability. The application's credential management API inadvertently returns the `encryptedData` field containing ciphertext for sensitive integrations in its JSON responses.
5 views•5 min read
•about 20 hours ago•CVE-2026-42793
8.2CVE-2026-42793: Unauthenticated Remote Denial of Service in Absinthe GraphQL via Atom Exhaustion
CVE-2026-42793 is a critical resource exhaustion vulnerability in the Absinthe GraphQL library for Elixir. Unauthenticated attackers can exploit unsafe atom creation during Schema Definition Language (SDL) parsing to trigger a system-wide crash of the Erlang Virtual Machine (BEAM).
5 views•6 min read
•about 20 hours ago•CVE-2026-43967
8.7CVE-2026-43967: Denial of Service via Algorithmic Complexity in Absinthe GraphQL Fragment Validation
Absinthe, an Elixir GraphQL toolkit, is vulnerable to a Denial of Service (DoS) condition due to inefficient algorithmic complexity in its document validation phase. Unauthenticated attackers can exhaust server resources by submitting GraphQL requests with heavily duplicated fragment definitions.
6 views•6 min read