Vulnerabilidades

*** Pendiente de traducción *** Cybersecurity AI (CAI) is a framework for AI Security. In versions up to and including 0.5.10, the CAI (Cybersecurity AI) framework contains multiple argument injection vulnerabilities in its function tools. User-controlled input is passed directly to shell commands via `subprocess.Popen()` with `shell=True`, allowing attackers to execute arbitrary commands on the host system. The `find_file()` tool executes without requiring user approval because find is considered a "safe" pre-approved command. This means an attacker can achieve Remote Code Execution (RCE) by injecting malicious arguments (like -exec) into the args parameter, completely bypassing any human-in-the-loop safety mechanisms. Commit e22a1220f764e2d7cf9da6d6144926f53ca01cde contains a fix.

*** Pendiente de traducción *** Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions starting with 7.19.0 and prior to 7.21.0 and 8.2.0 have an incomplete fix for CVE-2026-23947. While the jsStringEscape function properly handles single quotes ('), double quotes (") and so on, it is still possible to achieve code injection using only a limited set of characters that are currently not escaped. The vulnerability lies in the fact that the application can be forced to execute arbitrary JavaScript using characters such as []()!+. By using a technique known as JSFuck, an attacker can bypass the current sanitization logic and run arbitrary code without needing any alphanumeric characters or quotes. Version 7.21.0 and 8.2.0 contain an updated fix.

*** Pendiente de traducción *** Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in TOTOLINK X6000R allows OS Command Injection.This issue affects X6000R: through V9.4.0cu.1498_B20250826.

*** Pendiente de traducción *** # Active Storage allowed transformation methods potentially unsafe<br /> <br /> Active Storage attempts to prevent the use of potentially unsafe image<br /> transformation methods and parameters by default.<br /> <br /> The default allowed list contains three methods allow for the circumvention<br /> of the safe defaults which enables potential command injection<br /> vulnerabilities in cases where arbitrary user supplied input is accepted as<br /> valid transformation methods or parameters.<br /> <br /> <br /> Impact<br /> ------<br /> This vulnerability impacts applications that use Active Storage with the image_processing processing gem in addition to mini_magick as the image processor.<br /> <br /> Vulnerable code will look something similar to this:<br /> ```<br /> params[:v]) %&gt;<br /> ```<br /> <br /> Where the transformation method or its arguments are untrusted arbitrary input.<br /> <br /> All users running an affected release should either upgrade or use one of the workarounds immediately.<br /> <br /> <br /> <br /> Workarounds<br /> -----------<br /> Consuming user supplied input for image transformation methods or their parameters is unsupported behavior and should be considered dangerous.<br /> <br /> Strict validation of user supplied methods and parameters should be performed<br /> as well as having a strong [ImageMagick security<br /> policy](https://imagemagick.org/script/security-policy.php) deployed.<br /> <br /> Credits<br /> -------<br /> <br /> Thank you [lio346](https://hackerone.com/lio346) for reporting this!

*** Pendiente de traducción *** LobeHub is an open source human-and-AI-agent network. Prior to version 1.143.3, the file upload feature in `Knowledge Base &gt; File Upload` does not validate the integrity of the upload request, allowing users to intercept and modify the request parameters. As a result, it is possible to create arbitrary files in abnormal or unintended paths. In addition, since `lobechat.com` relies on the size parameter from the request to calculate file usage, an attacker can manipulate this value to misrepresent the actual file size, such as uploading a `1 GB` file while reporting it as `10 MB`, or falsely declaring a `10 MB` file as a `1 GB` file. By manipulating the size value provided in the client upload request, it is possible to bypass the monthly upload quota enforced by the server and continuously upload files beyond the intended storage and traffic limits. This abuse can result in a discrepancy between actual resource consumption and billing calculations, causing direct financial impact to the service operator. Additionally, exhaustion of storage or related resources may lead to degraded service availability, including failed uploads, delayed content delivery, or temporary suspension of upload functionality for legitimate users. A single malicious user can also negatively affect other users or projects sharing the same subscription plan, effectively causing an indirect denial of service (DoS). Furthermore, excessive and unaccounted-for uploads can distort monitoring metrics and overload downstream systems such as backup processes, malware scanning, and media processing pipelines, ultimately undermining overall operational stability and service reliability. Version 1.143.3 contains a patch for the issue.

*** Pendiente de traducción *** Improper Neutralization of Special Elements used in an Expression Language Statement (&amp;#39;Expression Language Injection&amp;#39;) vulnerability in The Wikimedia Foundation Mediawiki - DiscussionTools Extension allows Regular Expression Exponential Blowup.This issue affects Mediawiki - DiscussionTools Extension: 1.44, 1.43.

*** Pendiente de traducción *** Salt contains an authentication protocol version downgrade weakness that can allow a malicious minion to bypass newer authentication/security features by using an older request payload format, enabling minion impersonation and circumventing protections introduced in response to prior issues.

*** Pendiente de traducción *** SQL injection vulnerability in geopandas before v.1.1.2 allows an attacker to obtain sensitive information via the to_postgis()` function being used to write GeoDataFrames to a PostgreSQL database.

*** Pendiente de traducción *** aelsantex runcommand 2014-04-01, a plugin for DokuWiki, allows unauthenticated attackers to execute arbitrary system commands via lib/plugins/runcommand/postaction.php.

*** Pendiente de traducción *** Salt&amp;#39;s junos execution module contained an unsafe YAML decode/load usage. A specially crafted YAML payload processed by the junos module could lead to unintended code execution under the context of the Salt process.

*** Pendiente de traducción *** Cleartext Storage of Sensitive Information vulnerability in OpenText™ Vertica allows Retrieve Embedded Sensitive Data.  <br /> <br /> The vulnerability could read Vertica agent plaintext apikey.This issue affects Vertica versions: 23.X, 24.X, 25.X.

*** Pendiente de traducción *** A security vulnerability has been detected in itsourcecode Student Management System 1.0. This issue affects some unknown processing of the file /enrollment/index.php. Such manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used.