Vulnerabilities

Out of bounds read in CSS in Google Chrome prior to 146.0.7680.165 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)

Heap buffer overflow in WebAudio in Google Chrome prior to 146.0.7680.165 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)

bcrypt-ruby is a Ruby binding for the OpenBSD bcrypt() password hashing algorithm. Prior to version 3.1.22, an integer overflow in the Java BCrypt implementation for JRuby can cause zero iterations in the strengthening loop. Impacted applications must be setting the cost to 31 to see this happen. The JRuby implementation of bcrypt-ruby (`BCrypt.java`) computes the key-strengthening round count as a signed 32-bit integer. When `cost=31` (the maximum allowed by the gem), signed integer overflow causes the round count to become negative, and the strengthening loop executes **zero iterations**. This collapses bcrypt from 2^31 rounds of exponential key-strengthening to effectively constant-time computation — only the initial EksBlowfish key setup and final 64x encryption phase remain. The resulting hash looks valid (`$2a$31$...`) and verifies correctly via `checkpw`, making the weakness invisible to the application. This issue is triggered only when cost=31 is used or when verifying a `$2a$31$` hash. This problem has been fixed in version 3.1.22. As a workaround, set the cost to something less than 31.

A security flaw has been discovered in bolo-blog 까지 2.6.4. The affected element is an unknown function of the file /console/article/ of the component Article Title Handler. Performing a manipulation of the argument articleTitle results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

A weakness has been identified in SourceCodester Patients Waiting Area Queue Management System 1.0. The impacted element is the function ValidateToken of the file /php/api_patient_checkin.php of the component Patient Check-In Module. Executing a manipulation can lead to improper authorization. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks.

Dasel is a command-line tool and library for querying, modifying, and transforming data structures. Starting in version 3.0.0 and prior to version 3.3.1, Dasel's YAML reader allows an attacker who can supply YAML for processing to trigger extreme CPU and memory consumption. The issue is in the library's own `UnmarshalYAML` implementation, which manually resolves alias nodes by recursively following `yaml.Node.Alias` pointers without any expansion budget, bypassing go-yaml v4's built-in alias expansion limit. Version 3.3.2 contains a patch for the issue.

WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.10.0, an authorization flaw in updateComment allows an authenticated low-privileged user (including a custom role with zero capabilities) to change moderation status of their own comment (for example to APPROVE) without the moderate_comments capability. This can bypass moderation workflows and let untrusted users self-approve content. Version 2.10.0 contains a patch.<br /> <br /> ### Details<br /> <br /> In WPGraphQL 2.9.1 (tested), authorization for updateComment is owner-based, not field-based:<br /> <br /> - plugins/wp-graphql/src/Mutation/CommentUpdate.php:92 allows moderators.<br /> - plugins/wp-graphql/src/Mutation/CommentUpdate.php:99:99 also allows the comment owner, even if they lack moderation capability.<br /> - plugins/wp-graphql/src/Data/CommentMutation.php:94:94 maps GraphQL input status directly to WordPress comment_approved.<br /> - plugins/wp-graphql/src/Mutation/CommentUpdate.php:120:120 persists that value via wp_update_comment.<br /> - plugins/wp-graphql/src/Type/Enum/CommentStatusEnum.php:22:22 exposes moderation states (APPROVE, HOLD, SPAM, TRASH).<br /> <br /> This means a non-moderator owner can submit status during update and transition moderation state.<br /> <br /> ### PoC<br /> <br /> Tested in local wp-env (Docker) with WPGraphQL 2.9.1.<br /> <br /> 1. Start environment:<br /> <br /> npm install<br /> npm run wp-env start<br /> <br /> 2. Run this PoC:<br /> <br /> ```<br /> npm run wp-env run cli -- wp eval &amp;#39;<br /> add_role("no_caps","No Caps",[]);<br /> $user_id = username_exists("poc_nocaps");<br /> if ( ! $user_id ) {<br /> $user_id = wp_create_user("poc_nocaps","Passw0rd!","poc_nocaps@example.com");<br /> }<br /> $user = get_user_by("id",$user_id);<br /> $user-&gt;set_role("no_caps");<br /> <br /> $post_id = wp_insert_post([<br /> "post_title" =&gt; "PoC post",<br /> "post_status" =&gt; "publish",<br /> "post_type" =&gt; "post",<br /> "comment_status" =&gt; "open",<br /> ]);<br /> <br /> $comment_id = wp_insert_comment([<br /> "comment_post_ID" =&gt; $post_id,<br /> "comment_content" =&gt; "pending comment",<br /> "user_id" =&gt; $user_id,<br /> "comment_author" =&gt; $user-&gt;display_name,<br /> "comment_author_email" =&gt; $user-&gt;user_email,<br /> "comment_approved" =&gt; "0",<br /> ]);<br /> <br /> wp_set_current_user($user_id);<br /> <br /> $result = graphql([<br /> "query" =&gt; "mutation U(\$id:ID!){ updateComment(input:{id:\$id,status:APPROVE}){ success comment{ databaseId status } } }",<br /> "variables" =&gt; [ "id" =&gt; (string)$comment_id ],<br /> ]);<br /> <br /> echo wp_json_encode([<br /> "role_caps" =&gt; array_keys(array_filter((array)$user-&gt;allcaps)),<br /> "status" =&gt; $result["data"]["updateComment"]["comment"]["status"] ?? null,<br /> "db_comment_approved" =&gt; get_comment($comment_id)-&gt;comment_approved ?? null,<br /> "comment_id" =&gt; $comment_id<br /> ]);<br /> &amp;#39;<br /> ```<br /> <br /> 3. Observe result:<br /> <br /> - role_caps is empty (or no moderate_comments)<br /> - mutation returns status: APPROVE<br /> - DB value becomes comment_approved = 1<br /> <br /> ### Impact<br /> <br /> This is an authorization bypass / broken access control issue in comment moderation state transitions. Any deployment using WPGraphQL comment mutations where low-privileged users can make comments is impacted. Moderation policy can be bypassed by self-approving content.

llama.cpp is an inference of several LLM models in C/C++. Prior to b7824, an integer overflow vulnerability in the `ggml_nbytes` function allows an attacker to bypass memory validation by crafting a GGUF file with specific tensor dimensions. This causes `ggml_nbytes` to return a significantly smaller size than required (e.g., 4MB instead of Exabytes), leading to a heap-based buffer overflow when the application subsequently processes the tensor. This vulnerability allows potential Remote Code Execution (RCE) via memory corruption. b7824 contains a fix.

Vulnerability in Spring Cloud when substituting the profile parameter from a request made to the Spring Cloud Config Server configured to the native file system as a backend, because it was possible to access files outside of the configured search directories.This issue affects Spring Cloud: from 3.1.X before 3.1.13, from 4.1.X before 4.1.9, from 4.2.X before 4.2.3, from 4.3.X before 4.3.2, from 5.0.X before 5.0.2.

A vulnerability was identified in SourceCodester Online Catering Reservation 1.0. Impacted is an unknown function of the file /search.php. Such manipulation of the argument rcode leads to sql injection. The attack may be performed from remote. The exploit is publicly available and might be used.

The Woocommerce Custom Product Addons Pro plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5.4.1 via the custom pricing formula eval() in the process_custom_formula() function within includes/process/price.php. This is due to insufficient sanitization and validation of user-submitted field values before passing them to PHP&amp;#39;s eval() function. The sanitize_values() method strips HTML tags but does not escape single quotes or prevent PHP code injection. This makes it possible for unauthenticated attackers to execute arbitrary code on the server by submitting a crafted value to a WCPA text field configured with custom pricing formula (pricingType: "custom" with {this.value}).

The Contest Gallery plugin for WordPress is vulnerable to an authentication bypass leading to admin account takeover in all versions up to, and including, 28.1.5. This is due to the email confirmation handler in `users-registry-check-after-email-or-pin-confirmation.php` using the user&amp;#39;s email string in a `WHERE ID = %s` clause instead of the numeric user ID, combined with an unauthenticated key-based login endpoint in `ajax-functions-frontend.php`. When the non-default `RegMailOptional=1` setting is enabled, an attacker can register with a crafted email starting with the target user ID (e.g., `1poc@example.test`), trigger the confirmation flow to overwrite the admin&amp;#39;s `user_activation_key` via MySQL integer coercion, and then use the `post_cg1l_login_user_by_key` AJAX action to authenticate as the admin without any credentials. This makes it possible for unauthenticated attackers to take over any WordPress administrator account and gain full site control.