Outrightly

FileBrowser: Missing Rate Limiting on Authentication Endpoint Enables Brute Force Attacks

### Summary The `/api/auth/login` endpoint does not implement rate limiting, account lockout, or progressive backoff for repeated authentication failures. As a result, an attacker can perform unlimited login attempts against the endpoint. When combined with the username enumeration timing vulnerability, valid accounts can be identified and then brute-forced without restriction. The risk is further increased by a weak default password policy that only enforces a minimum length of five characters.

GHSA-r4v7-6wcg-ghj5MEDIUM4d ago

FileBrowser: Missing Rate Limiting on Authentication Endpoint Enables Brute Force Attacks

GHSA-r4v7-6wcg-ghj5MEDIUM4d ago

fixurjavainstall: Previous Fuji versions can accidentally wipe `/usr/share/man/man8`

### Impact Affects: Anyone who generates the UNIX man pages in Fuji <= `0.8.0` build with the `dev` crate feature. Consequences: `/usr/share/man/man8` may be entirely removed & re-created without any of the previous entries. ### Patches At the time of writing, no new version has been released on crates.io, due to an unrelated CI/CD publishing issue. Due to the same unrelated publishing issue, no new GitHub Releases version has been released. ### Workarounds Do not run `fuji manual` on non-`dev

GHSA-fq3w-p4fg-mw73LOW4d ago

neotoma has tenant isolation gap in relationship query endpoints

## Summary The `/list_relationships` and `/retrieve_graph_neighborhood` endpoints call `getAuthenticatedUserId` (confirming a valid session exists) but do not pass the resolved user ID into the Supabase query as an `.eq("user_id", userId)` filter. As a result, queries return rows from all users rather than scoping to the authenticated caller's data. ## Affected code **`/list_relationships`** (`src/actions.ts`): - Calls `getAuthenticatedUserId` but does not apply `.eq("user_id", userId)` to th

GHSA-wrr4-782v-jhwhLOW4d ago

justhtml: to_markdown() code-span blank-line breakout enables XSS

# justhtml: to_markdown() code-span blank-line breakout enables XSS ### Summary In `justhtml` 0.9.0 through 1.21.0, `to_markdown()` renders `<code>` text (and `<pre>` text inside a link) as an inline Markdown code span whose only protection is backtick-fence length. A blank line (`\n\n`) in that text terminates the inline span in any compliant Markdown renderer, so attacker-controlled text that survived HTML sanitization is emitted **unescaped** after the blank line and is re-parsed as live ra

GHSA-jf6w-2mvx-633jMEDIUM4d ago

i18next-fs-backend vulnerable to prototype pollution via crafted missing-key string

### Impact `i18next-fs-backend` ≤ 2.6.5, when used to persist missing translation keys (e.g. via `i18next-http-middleware`'s `missingKeyHandler` exposed to untrusted input), is vulnerable to prototype pollution via crafted missing-key strings. `Backend.writeFile()` splits each queued missing-key string on the configured `keySeparator` (default `.`) before calling the internal `setPath()` walker. The walker (`getLastOfPath` in `lib/utils.js`) did not guard against unsafe segments, so a key like

CVE-2026-48713CRITICAL4d ago

i18next-http-middleware: MissingKeyHandler does not reject keys whose segments contain prototype-polluting names

### Impact `i18next-http-middleware` ≤ 3.9.6's `missingKeyHandler` blocked the literal request-body keys `__proto__`, `constructor`, and `prototype` (added in 3.9.3, see GHSA-5fgg-jcpf-8jjw), but did not reject dotted variants such as `"__proto__.polluted"`. Downstream backends that split the missing-key string on a configured `keySeparator` (notably `i18next-fs-backend` ≤ 2.6.5) hand these keys to an unguarded `setPath()` walker that writes to `Object.prototype`. Applications that expose `mis

CVE-2026-48714CRITICAL4d ago

OpenAM: Unauthenticated Authentication Bypass via RADIUS Spoofing

## Summary **Description** An Improper Verification of Cryptographic Signature (CWE-347) issue in OpenAM's RADIUS authentication module allows an unauthenticated network attacker to spoof an Access-Accept response and obtain an OpenAM session for any RADIUS username, without knowing the configured shared secret. This affects OpenAM Community Edition through version 16.0.6 and was patched in version 16.1.1. The RADIUS client opens an unconnected datagram socket and treats the first UDP datagra

CVE-2026-46560HIGH4d ago

OpenAM Arbitrary OAuth Token Minting via Push Registration

## Summary **Description** An Authorization Bypass Through User-Controlled Key (CWE-639) exists in OpenAM's stateful OAuth2 token-read path. Under certain conditions, this may allow an attacker to forge OAuth2 bearer tokens and OIDC ID tokens with arbitrary subject, client, realm, and scope. This affects OpenAM Community Edition through version 16.0.6. The OAuth2 token-read path reads caller-supplied token identifiers from the shared Core Token Store (CTS) without placing them in an OAuth-onl

CVE-2026-46498HIGH4d ago

@anthropic-ai/claude-code has an Insecure Temporary File in /copy Command that Enables Response Disclosure and Symlink-Based File Write

The Claude Code `/copy` command wrote responses to a hardcoded, predictable path (`/tmp/claude/response.md`) without UID isolation, randomness, or symlink protection. The file was created world-readable (0644) in a world-traversable directory (0755), allowing any local user to read a privileged user's Claude response, which could contain secrets or credentials. Additionally, because the path was static and predictable, a local attacker could pre-create the directory and plant a symlink at the ex

CVE-2026-46406MEDIUM4d ago

OpenAM has Unsafe Java Deserialization via SNS

## Summary **Description** A Deserialization of Untrusted Data (CWE-502) issue exists in OpenAM's Push Notification SNS callback resource. The REST route that handles SNS push messages is mounted with anonymous access and, when a supplied message identifier has expired from the in-memory dispatcher, falls back to a CTS-stored predicate blob whose top-level keys are treated as Java class names and passed to Class.forName(...) before attacker-controlled JSON is deserialized via Jackson. This imp

CVE-2026-45794HIGH4d ago

OliveTin has Unvalidated `ot_`-prefixed Arguments that Bypass Input Filtering

### Description The `filterToDefinedArgumentsOnly` function in the executor is intended to discard any arguments not explicitly defined in the action's configuration. However, a special case allows any argument whose name starts with `ot_` to bypass this filter. While two system arguments (`ot_executionTrackingId` and `ot_username`) are injected by OliveTin and overridden, all other `ot_`-prefixed arguments supplied by the user pass through unmodified. These bypassed arguments are: 1. **Not t

CVE-2026-53541MEDIUM5d ago

OliveTin: ValidateArgumentType API Endpoint's Missing Authentication Allows Action and Argument Enumeration

## Summary The `ValidateArgumentType` RPC endpoint in `service/internal/api/api.go` does not perform any authentication or authorization checks. Unlike all other data-returning API endpoints, it does not call `auth.UserFromApiCall` or `checkDashboardAccess`. When `AuthRequireGuestsToLogin` is enabled (the security-conscious configuration), this endpoint remains accessible to unauthenticated users and can be used as an oracle to enumerate valid action binding IDs and their argument configuration

CVE-2026-48709LOW5d ago

OliveTin has a Concurrent Template Parsing Race Condition which Leads to Cross-Request Command Contamination

## Summary OliveTin's template engine uses a **single shared `text/template.Template` instance** (`tpl` package-level variable in `service/internal/tpl/templates.go`) across all goroutines. Every action execution calls `tpl.Parse(source)` followed by `t.Execute()` on this shared instance with no synchronization. When two or more actions execute concurrently (which is the normal case — each `ExecRequest` spawns a goroutine), a race condition occurs: one goroutine's `Parse` overwrites the templat

CVE-2026-48708HIGH5d ago

OpenAM Pre-auth User Profile Tampering via Anonymous SOAP Authn in Liberty IDPP/Discovery Endpoints

## Summary **Description** An Improper Authorization (CWE-285) issue in OpenAM's Liberty Web Services SOAP receiver allows an unauthenticated remote attacker to write persistent entries into the Liberty Discovery store on any user's LDAP entry, and into a shared root-realm Discovery branch. This impacts OpenAM Community Edition through version 16.0.6. This issue was patched in version 16.1.1. Liberty ID-WSF is a legacy protocol superseded by SAML 2.0, OAuth, and OIDC, and deployments that int

CVE-2026-45052CRITICAL5d ago

OpenAM: Pre-auth RCE via Java Deserialization in WebAuthn Authenticator Storage

## Summary **Description** A deserialization of untrusted data vulnerability (CWE-502) exists in OpenAM's WebAuthn authentication module. Under certain conditions, this may allow an attacker to achieve arbitrary code execution in the context of the application server. This affects OpenAM Community Edition through version 16.0.6 and was patched in version 16.1.1. This is not the default configuration. Exploitation requires that an attacker has previously been able to write attacker-controlled

CVE-2026-45051CRITICAL5d ago

Snipe-IT API Vulnerable to Cross-Tenant Accessory Injection

### Impact A cross-tenant data injection vulnerability was identified in the Snipe-IT Accessories API when Full Multiple Companies Support (FMCS) is enabled. A low-privileged authenticated user belonging to one company can create an accessory record under another company by supplying a foreign company_id value in the API request body. The issue occurs because the API create path mass-assigns request parameters directly to the Accessory model, and the Accessory model allows company_id to be mass

CVE-2026-54329HIGH6d ago

Snipe-IT's S3 signature image retrieval lacks authorization before temporary URL

### Impact Snipe-IT S3 signature image retrieval lacks authorization before temporary URL. On S3-backed deployments, authenticated users who know a signature filename can obtain a 5-minute signed S3 URL because the S3 branch returns before the `authorize()` call used by the local-file branch. ## Key evidence `routes/web.php:135-143`; `app/Http/Controllers/ActionlogController.php:16-44`; `app/Http/Controllers/Account/AcceptanceController.php:160,175`; `app/Listeners/LogListener.php:56`; `app/H

CVE-2026-55542LOW6d ago

Snipe-IT has Improper Authorization in File Deletion (IDOR)

### Impact A vulnerability was identified in Snipe-IT v8.4.0 (build 21280-g91a95dbc6) that allows any authenticated user with generic asset edit permissions to delete files attached to any asset in the system, regardless of ownership or company assignment. This constitutes an Insecure Direct Object Reference (IDOR) vulnerability caused by a class-level authorization check in the file deletion endpoint, where an instance-level check is required. The vulnerability exists in both the web and API c

CVE-2026-55519LOW6d ago

Snipe-IT Vulnerable to Privilege Escalation via Missing admin Permission Check in User Creation

### Impact The `store()` method in both the web and API `UsersController` only strips the superuser permission when a non-superuser creates a user. It does not strip the admin permission. This allows any authenticated user with the `users.create` permission to create a new user with full admin privileges. The `users.create permission` may commonly be delegated to HR staff, department leads, or similar roles. ### Patches Patched in [aea3877718](https://github.com/grokability/snipe-it/commit/ae

CVE-2026-55483MEDIUM6d ago

Snipe-IT has Multi-Tenancy Bypass via Bulk Asset Update

### Impact The `BulkAssetsController::update()` method accepts `company_id` directly from user input without calling `Company::getIdForCurrentUser()`, the standard company-scoping function used by every other controller in the codebase. A non-superadmin user can move assets across company boundaries, breaking multi-tenancy isolation. ### Patches Patched in https://github.com/grokability/snipe-it/commit/d58fda626e8febfeff4cabbc20ba03edfc411e18

CVE-2026-55482MEDIUM6d ago

CVEs