CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.


© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad

about 3 hours ago • GHSA-PJ6Q-4VQ4-R8CG • Severity 5.3

GHSA-PJ6Q-4VQ4-R8CG: Unauthenticated Resource Exhaustion and State Manipulation in Ech0 API

The Ech0 lightweight publishing platform exposes an unauthenticated, rate-unlimited API endpoint that permits arbitrary modification of content metrics. Because this endpoint directly triggers database transactions and simultaneously invalidates multiple application cache layers, it serves as an exploitable vector for resource-exhaustion denial-of-service (DoS) and cache-stampede attacks.

Alon Barad • 1 view • 7 min read
about 3 hours ago • GHSA-8MC6-XJPR-H98X • Severity 8.0

GHSA-8MC6-XJPR-H98X: Server-Side Request Forgery (SSRF) in Ech0 fetchPeerConnectInfo

The Ech0 application is vulnerable to Server-Side Request Forgery (SSRF) due to insufficient validation of user-provided URLs in the peer connection management functionality. Authenticated users with the ability to add connections can force the server to execute arbitrary HTTP GET requests against internal network resources, loopback interfaces, and cloud metadata services.

Alon Barad • 2 views • 6 min read
about 4 hours ago • GHSA-FPW6-HRG5-Q5X5 • Severity 7.4

GHSA-FPW6-HRG5-Q5X5: Irrevocable Access Tokens and Nil-Pointer Dereference in Ech0

Ech0 access tokens created with the 'never expire' option generate JSON Web Tokens (JWT) missing the 'exp' claim. This structural omission causes a nil-pointer dereference during logout and prevents the JTI blacklisting mechanism from functioning. Consequently, leaked access tokens cannot be revoked by administrators.

Amit Schendel • 1 view • 7 min read
about 4 hours ago • GHSA-J7H9-2JH7-G967 • Severity 8.7

GHSA-J7H9-2JH7-G967: Path Policy Bypass and Timing Side-Channel in mcp-ssh-tool

The mcp-ssh-tool npm package prior to version 2.1.1 contains two significant security flaws: an incomplete path policy enforcement mechanism that permits directory traversal and local path bypasses (CWE-22), and an observable timing differential in bearer token authentication (CWE-208).

Alon Barad • 3 views • 6 min read
about 10 hours ago • GHSA-V7QW-HX66-4W9X • Severity 8.7

GHSA-V7QW-HX66-4W9X: Stored Cross-Site Scripting (XSS) in NetBox Data Flows Plugin

A stored Cross-Site Scripting (XSS) vulnerability exists in the netbox-data-flows plugin for NetBox, affecting versions prior to 1.5.1. Authenticated attackers with permissions to modify ObjectAlias records can inject arbitrary HTML and JavaScript, which executes in the context of other users viewing DataFlow tables.

Alon Barad • 6 views • 6 min read
about 13 hours ago • GHSA-P64J-F4X9-WQ66 • Severity 8.1

GHSA-P64J-F4X9-WQ66: OAuth Redirect URI Path Truncation in Ech0 Leads to Authorization Code Theft

The Ech0 lightweight publishing platform contains a critical vulnerability in its OAuth 2.0 implementation where redirect URI validation ignores the path component. This oversight permits attackers to route authenticated victims to malicious endpoints on trusted domains, resulting in the theft of authorization codes and subsequent account takeover.

Alon Barad • 6 views • 6 min read
about 16 hours ago • GHSA-54PG-9963-V8VG • Severity 9.6

GHSA-54PG-9963-V8VG: Supply Chain Compromise and Credential Theft in intercom-client

The intercom-client npm package was compromised in a supply chain attack when a malicious version (7.0.4) was published to the public registry. This version contained an obfuscated payload designed to steal multi-cloud credentials, SSH keys, and tokens, exfiltrating them via a GitHub repository dead-drop mechanism.

Alon Barad • 12 views • 6 min read
about 17 hours ago • GHSA-GR3R-CRP5-QRRM • Severity 10.0

GHSA-GR3R-CRP5-QRRM: Supply Chain Compromise in intercom-php via Malicious Composer Plugin

The intercom/intercom-php package on Packagist was subjected to a supply chain compromise by the TeamPCP threat actor group. Attackers published a malicious package version (5.0.2) utilizing a Composer plugin to achieve arbitrary code execution upon installation, resulting in the exfiltration of environment variables and sensitive credentials to an external command-and-control server.

Alon Barad • 6 views • 7 min read
1 day ago • CVE-2026-39804 • Severity 8.2

CVE-2026-39804: Remote Code Execution and DoS via Bandit WebSocket Permessage-Deflate Resource Exhaustion

CVE-2026-39804 is a critical resource exhaustion vulnerability (CWE-770) affecting the Bandit Elixir HTTP server. By exploiting unbounded DEFLATE decompression in WebSocket frames, an unauthenticated attacker can crash the Erlang VM (BEAM) via a highly compressed decompression bomb.

Alon Barad • 9 views • 5 min read
1 day ago • CVE-2026-42786 • Severity 8.7

CVE-2026-42786: Unbounded WebSocket Fragmented Message Reassembly Denial of Service in Bandit

An unauthenticated remote denial of service vulnerability exists in the Bandit HTTP server due to unbounded resource allocation during WebSocket fragment reassembly. Attackers can trigger complete memory exhaustion by streaming continuous WebSocket frames without the finalization bit, causing the Erlang virtual machine to crash.

Amit Schendel • 14 views • 6 min read
1 day ago • CVE-2026-20188 • Severity 7.5

CVE-2026-20188: Uncontrolled Resource Consumption in Cisco CNC and NSO

Cisco Crosswork Network Controller (CNC) and Cisco Network Services Orchestrator (NSO) contain a high-severity denial-of-service vulnerability due to inadequate connection rate limiting. Exploitation results in resource exhaustion requiring a manual reboot for recovery.

Amit Schendel • 26 views • 6 min read
1 day ago • CVE-2026-39805 • Severity 6.3

CVE-2026-39805: CL.CL HTTP Request Smuggling in Bandit Web Server

The Bandit HTTP server for Elixir, in versions prior to 1.11.0, fails to correctly process requests containing multiple Content-Length headers. This inconsistent interpretation creates a CL.CL HTTP request smuggling vulnerability when Bandit is deployed behind a reverse proxy that parses the headers differently. Attackers exploit this desynchronization to smuggle secondary HTTP requests past edge security controls.

Amit Schendel • 13 views • 7 min read

Automated vulnerability intelligence. 1,696+ reports.