Vulnerabilities

FileRise is a self-hosted web file manager / WebDAV server. In versions prior to 3.8.0, a missing-authentication vulnerability in the deleteShareLink endpoint allows any unauthenticated user to delete arbitrary file share links by providing only the share token, causing denial of service to shared file access. The POST /api/file/deleteShareLink.php endpoint calls FileController::deleteShareLink() which performs no authentication, authorization, or CSRF validation before deleting a share link. Any anonymous HTTP client can destroy share links. This issue is fixed in version 3.8.0.

FileRise is a self-hosted web file manager / WebDAV server. In versions prior to 3.8.0, the WebDAV upload endpoint accepts any file extension including .phtml, .php5, .htaccess, and other server-side executable types, bypassing the filename validation enforced by the regular upload path. In non-default deployments lacking Apache's LocationMatch protection, this leads to remote code execution. When files are uploaded via WebDAV, the createFile() method in FileRiseDirectory.php and the put() method in FileRiseFile.php accept the filename directly from the WebDAV client without any validation. In contrast, the regular upload endpoint in UploadModel::upload() validates filenames against REGEX_FILE_NAME. This issue is fixed in version 3.8.0.

FileRise is a self-hosted web file manager / WebDAV server. In versions prior to 3.9.0, a hardcoded default encryption key (default_please_change_this_key) is used for all cryptographic operations — HMAC token generation, AES config encryption, and session tokens — allowing any unauthenticated attacker to forge upload tokens for arbitrary file upload to shared folders, and to decrypt admin configuration secrets including OIDC client secrets and SMTP passwords. FileRise uses a single key (PERSISTENT_TOKENS_KEY) for all crypto operations. The default value default_please_change_this_key is hardcoded in two places and used unless the deployer explicitly overrides the environment variable. This issue is fixed in version 3.9.0.

FastGPT is an AI Agent building platform. In versions 4.14.8.3 and below, the fastgpt-preview-image.yml workflow is vulnerable to arbitrary code execution and secret exfiltration by any external contributor. It uses pull_request_target (which runs with access to repository secrets) but checks out code from the pull request author's fork, then builds and pushes Docker images using attacker-controlled Dockerfiles. This also enables a supply chain attack via the production container registry. A patch was not available at the time of publication.

The ilGhera Carta Docente for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.5.0 via the 'cert' parameter of the 'wccd-delete-certificate' AJAX action. This is due to insufficient file path validation before performing a file deletion. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, such as wp-config.php, which can make site takeover and remote code execution possible.

The CM Custom Reports – Flexible reporting to track what matters most plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Qwik is a performance-focused JavaScript framework. Versions prior to 1.19.2 improperly inferred arrays from dotted form field names during FormData parsing. By submitting mixed array-index and object-property keys for the same path, an attacker could cause user-controlled properties to be written onto values that application code expected to be arrays. When processing application/x-www-form-urlencoded or multipart/form-data requests, Qwik City converted dotted field names (e.g., items.0, items.1) into nested structures. If a path was interpreted as an array, additional attacker-supplied keys on that path—such as items.toString, items.push, items.valueOf, or items.length—could alter the resulting server-side value in unexpected ways, potentially leading to request handling failures, denial of service through malformed array state or oversized lengths, and type confusion in downstream code. This issue was fixed in version 1.19.2.

SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the backend renderREADME function uses lute.New() without calling SetSanitize(true), allowing raw HTML embedded in Markdown to pass through unmodified. The frontend then assigns the rendered HTML to innerHTML without any additional sanitization. A malicious package author can embed arbitrary JavaScript in their README that executes when a user clicks to view the package details. Because SiYuan's Electron configuration enables nodeIntegration: true with contextIsolation: false, this XSS escalates directly to full Remote Code Execution. The issue was patched in version 3.6.1.

SiYuan is a personal knowledge management system. Versions 3.6.0 and below render package metadata fields (displayName, description) using template literals without HTML escaping. A malicious package author can inject arbitrary HTML/JavaScript into these fields, which executes automatically when any user browses the Bazaar page. Because SiYuan's Electron configuration enables nodeIntegration: true with contextIsolation: false, this XSS escalates directly to full Remote Code Execution on the victim's operating system — with zero user interaction beyond opening the marketplace tab. This issue has been fixed in version 3.6.1.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels<br /> <br /> IDLETIMER revision 0 rules reuse existing timers by label and always call<br /> mod_timer() on timer-&gt;timer.<br /> <br /> If the label was created first by revision 1 with XT_IDLETIMER_ALARM,<br /> the object uses alarm timer semantics and timer-&gt;timer is never initialized.<br /> Reusing that object from revision 0 causes mod_timer() on an uninitialized<br /> timer_list, triggering debugobjects warnings and possible panic when<br /> panic_on_warn=1.<br /> <br /> Fix this by rejecting revision 0 rule insertion when an existing timer with<br /> the same label is of ALARM type.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> io_uring: ensure ctx-&gt;rings is stable for task work flags manipulation<br /> <br /> If DEFER_TASKRUN | SETUP_TASKRUN is used and task work is added while<br /> the ring is being resized, it&amp;#39;s possible for the OR&amp;#39;ing of<br /> IORING_SQ_TASKRUN to happen in the small window of swapping into the<br /> new rings and the old rings being freed.<br /> <br /> Prevent this by adding a 2nd -&gt;rings pointer, -&gt;rings_rcu, which is<br /> protected by RCU. The task work flags manipulation is inside RCU<br /> already, and if the resize ring freeing is done post an RCU synchronize,<br /> then there&amp;#39;s no need to add locking to the fast path of task work<br /> additions.<br /> <br /> Note: this is only done for DEFER_TASKRUN, as that&amp;#39;s the only setup mode<br /> that supports ring resizing. If this ever changes, then they too need to<br /> use the io_ctx_mark_taskrun() helper.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: add xmit recursion limit to tunnel xmit functions<br /> <br /> Tunnel xmit functions (iptunnel_xmit, ip6tunnel_xmit) lack their own<br /> recursion limit. When a bond device in broadcast mode has GRE tap<br /> interfaces as slaves, and those GRE tunnels route back through the<br /> bond, multicast/broadcast traffic triggers infinite recursion between<br /> bond_xmit_broadcast() and ip_tunnel_xmit()/ip6_tnl_xmit(), causing<br /> kernel stack overflow.<br /> <br /> The existing XMIT_RECURSION_LIMIT (8) in the no-qdisc path is not<br /> sufficient because tunnel recursion involves route lookups and full IP<br /> output, consuming much more stack per level. Use a lower limit of 4<br /> (IP_TUNNEL_RECURSION_LIMIT) to prevent overflow.<br /> <br /> Add recursion detection using dev_xmit_recursion helpers directly in<br /> iptunnel_xmit() and ip6tunnel_xmit() to cover all IPv4/IPv6 tunnel<br /> paths including UDP encapsulated tunnels (VXLAN, Geneve, etc.).<br /> <br /> Move dev_xmit_recursion helpers from net/core/dev.h to public header<br /> include/linux/netdevice.h so they can be used by tunnel code.<br /> <br /> BUG: KASAN: stack-out-of-bounds in blake2s.constprop.0+0xe7/0x160<br /> Write of size 32 at addr ffff88810033fed0 by task kworker/0:1/11<br /> Workqueue: mld mld_ifc_work<br /> Call Trace:<br /> <br /> __build_flow_key.constprop.0 (net/ipv4/route.c:515)<br /> ip_rt_update_pmtu (net/ipv4/route.c:1073)<br /> iptunnel_xmit (net/ipv4/ip_tunnel_core.c:84)<br /> ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847)<br /> gre_tap_xmit (net/ipv4/ip_gre.c:779)<br /> dev_hard_start_xmit (net/core/dev.c:3887)<br /> sch_direct_xmit (net/sched/sch_generic.c:347)<br /> __dev_queue_xmit (net/core/dev.c:4802)<br /> bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312)<br /> bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279)<br /> bond_start_xmit (drivers/net/bonding/bond_main.c:5530)<br /> dev_hard_start_xmit (net/core/dev.c:3887)<br /> __dev_queue_xmit (net/core/dev.c:4841)<br /> ip_finish_output2 (net/ipv4/ip_output.c:237)<br /> ip_output (net/ipv4/ip_output.c:438)<br /> iptunnel_xmit (net/ipv4/ip_tunnel_core.c:86)<br /> gre_tap_xmit (net/ipv4/ip_gre.c:779)<br /> dev_hard_start_xmit (net/core/dev.c:3887)<br /> sch_direct_xmit (net/sched/sch_generic.c:347)<br /> __dev_queue_xmit (net/core/dev.c:4802)<br /> bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312)<br /> bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279)<br /> bond_start_xmit (drivers/net/bonding/bond_main.c:5530)<br /> dev_hard_start_xmit (net/core/dev.c:3887)<br /> __dev_queue_xmit (net/core/dev.c:4841)<br /> ip_finish_output2 (net/ipv4/ip_output.c:237)<br /> ip_output (net/ipv4/ip_output.c:438)<br /> iptunnel_xmit (net/ipv4/ip_tunnel_core.c:86)<br /> ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847)<br /> gre_tap_xmit (net/ipv4/ip_gre.c:779)<br /> dev_hard_start_xmit (net/core/dev.c:3887)<br /> sch_direct_xmit (net/sched/sch_generic.c:347)<br /> __dev_queue_xmit (net/core/dev.c:4802)<br /> bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312)<br /> bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279)<br /> bond_start_xmit (drivers/net/bonding/bond_main.c:5530)<br /> dev_hard_start_xmit (net/core/dev.c:3887)<br /> __dev_queue_xmit (net/core/dev.c:4841)<br /> mld_sendpack<br /> mld_ifc_work<br /> process_one_work<br /> worker_thread<br />