CVEs

### Summary The Konnected integration registers an HTTP endpoint, `KonnectedView` (`homeassistant/components/konnected/__init__.py`), that is marked as **not requiring authentication** (`requires_auth = False`). A comment next to that line says auth is instead handled "via the access token from configuration." That promise is only half true: - **Write requests (POST and PUT)** are handled by `update_sensor()`, which *does* check the request's `Authorization: Bearer <token>` header against the

# Uncontrolled Recursion in NestedParamsEncoder Allows Stack Exhaustion DoS via Deeply Nested Query Parameters ## Summary `Faraday::NestedParamsEncoder`, the default nested query parameter encoder/decoder in Faraday, decodes nested query strings without enforcing a maximum nesting depth. A crafted query string such as: ```text a[x][x][x][x]...[x]=1 ``` causes Faraday to build a deeply nested Ruby `Hash` structure. The internal `dehash` routine then recursively walks this attacker-controlled

### Impact containerd's CRI implementation improperly trusts Container Device Interface (CDI) annotations found within untrusted checkpoint image metadata during container restoration. When restoring a container from a checkpoint, containerd preserves CDI-related annotations from the checkpoint archive rather than relying solely on the pod's create-time specification. This allows a user with pod creation permissions to bypass standard Kubernetes resource allocation and device plugin enforcement

### Impact A bug was found in containerd where the CRI plugin restores `container.log` from a checkpoint image without validating a symlinked path. This could result in reading an arbitrary file on the host via `kubectl logs`. ### Patches This bug has been fixed in the following containerd versions: * 2.3.2 * 2.2.5 * 2.1.9 Users should update to these versions to resolve the issue. ### Workarounds Ensure that only trusted images and checkpoints are used. ### Credits The containerd project w

### Impact A bug was found in containerd where the CRI plugin propagates labels from an image config (`LABEL` instruction in Dockerfile) to a container without validation. This may result in executing an arbitrary command on the host, via a plugin that consumes container labels for some operations. ### Patches This bug has been fixed in the following containerd versions: * 2.3.2 * 2.2.5 * 2.1.9 * 2.0.10 * 1.7.33 Users should update to these versions to resolve the issue. ### Workarounds Ensu

### Summary `Oj.dump` is vulnerable to a stack-based buffer overflow when a large `:indent` value is provided by the developer. `fill_indent` in `dump.h` calls `memset(indent_str, ' ', (size_t)opts->indent)` without validating the size. When `opts->indent` is set to `INT_MAX` (2,147,483,647), the `(size_t)` cast preserves the large value and `memset` writes 2 GB into the stack-allocated `out` buffer (4,184 bytes), corrupting the stack and crashing the process. ### Version - **Software**: oj g

### Summary Disabling `symbol_keys` on a reused `Oj::Parser` instance triggers a heap use-after-free. When `symbol_keys` is toggled from `true` to `false`, `opt_symbol_keys_set` frees the internal key cache (`cache_free`) but does not clear the pointer. The next `parse` call reads from the freed cache via `cache_intern`, producing a use-after-free. ### Version - **Software**: oj gem - **Affected**: all versions with `ext/oj/usual.c` - **Latest tested**: 3.17.1 (confirmed present) ### Details

### Summary There exists an **arbitrary file write vulnerability** in `py7zr` (1.1.0, latest), which allows symbolic links to be recreated outside the destination directory via crafted malicious symbolic link chains. When using `extractall` to extract an archive, the library restores these symbolic links, linking them to arbitrary directories on the host file system. Subsequent extraction of regular files through these symbolic links can result in arbitrary file writes. This vulnerability may le

### Impact The default `security.http.urls` policy denies requests to loopback, internal, and cloud-metadata IPv4 literals (e.g. `http://127.0.0.1/`, `http://169.254.169.254/`). The deny rule only matched dotted-decimal notation, so alternate IPv4 encodings of the same addresses — integer, hex, or octal, which contain no dot — passed the policy: - `http://2130706433/` → `127.0.0.1` - `http://2852039166/` → `169.254.169.254` (cloud metadata) - `http://0x7f000001/`, `http://01770

# Unauthenticated nested page API leaks restricted & unpublished content - **Location:** `app/controllers/alchemy/api/pages_controller.rb:28` (`Api::PagesController#nested`) - **Affected version:** Alchemy CMS 8.3.0.dev (Rails 8.1.3) ## Description The unauthenticated `GET /api/pages/nested` endpoint returns the full page tree to any anonymous caller, including restricted (member-only) pages and unpublished/draft pages that should be hidden. Appending `?elements=true` additionally dumps the e

### Impact Possible data exposure. #### Summary While downloading packages from a maliciously crafted URL, some git operations against that URL could allow arbitrary file read. This might allow disclosure of confidential information. #### Details OpenTofu relies on [go-getter](https://github.com/hashicorp/go-getter) for downloading packages like providers and modules. While doing so from a maliciously crafted URL, the operator could be affected by confidential information disclosure. The go-g

## Summary `agentic-flow` versions `<= 2.0.13` MCP server tools interpolated attacker-influenceable tool parameters (e.g. `agent`, `task`, `name`, `language`, `agentdb` arguments) directly into shell command strings passed to `execSync()`. A malicious value reaching any of the affected MCP tools could break out of the surrounding double-quoted argument and execute arbitrary OS commands with the privileges of the user running the MCP server. This was a partial-fix gap: prior commit `6a06854` (#

### Impact The CVE-2026-47211 fix (0.39.0) added `_UNTRUSTED_ENV_DENYLIST` to stop an untrusted project-directory `.env` from redirecting execution. The denylist was incomplete — several execution-routing keys of the same RCE class were omitted, so a malicious cloned repo can still reach arbitrary command execution by shipping a `.env` (auto-loaded at import, no review step): - **Backend config-home roots** `CODEX_HOME`, `OPENCODE_CONFIG`, `OPENCODE_CONFIG_DIR`, `XDG_CONFIG_HOME`: a spawned ven

### Impact This impacts users which use multiple unconstrained route parameters not separated by a `/`. For instance, the following code is vulnerable: ``` var route = new DotvvmRoute("edit/{a}-{b}-{c}/done", null, "testpage", null, null, configuration); var adversarialInput = "edit/" + new string('-', 32000); route.IsMatch(adversarialInput, out _); ``` ### Patches DotVVM versions 4.3.15, 4.2.11 and 5.0.0-preview09 apply a 1 second timeout to route regex operations. When it is triggered, Dot

## Gradle Wrapper Execution During Dependency Discovery Enables Arbitrary Code Execution ### Summary `agent-coderag` unconditionally executes a repository-controlled `gradlew` script during its default `sync` dependency-discovery flow. An attacker who can induce a victim to index a malicious Gradle repository (one containing `build.gradle` and a crafted `gradlew`) achieves arbitrary code execution with the victim's OS privileges. No authentication, no extra flags, and no elevated permissions a

### Impact Parse Server is vulnerable to denial of service. A remote attacker can send a single, small query (~1 KB) containing deeply nested query condition operators. Parse Server processes the nested structure with exponential time complexity, which blocks the Node.js event loop and makes the server unresponsive to all clients for the duration of processing. A single request can occupy the event loop for many seconds, and the request is repeatable. The issue affects the REST API and LiveQuer

### Summary The AWS Bedrock AgentCore Python SDK (bedrock-agentcore) is an open-source SDK that enables developers to build, deploy, and manage agents on AWS Bedrock AgentCore. An issue exists in the install_packages() method of the Code Interpreter client where crafted package name arguments can bypass input validation and allow a remote authenticated user to execute arbitrary commands within the Code Interpreter sandbox. ### Impact The install_packages() method constructs a 'pip install' she

### Summary CedarJava is an open source Java implementation of the Cedar policy language, used for fine-grained authorization decisions. Under certain circumstances, improper input handling could allow policy injection. ### Impact **Cedar-expression injection via unescaped `toCedarExpr()`** The `toCedarExpr()` method on Cedar Value types does not escape special characters (`"` or `\`) when converting values to Cedar source code. If an integrator uses `toCedarExpr()` to build policy text at r

### Summary CedarJava is an open source Java implementation of the Cedar policy language, used for fine-grained authorization decisions. Under certain circumstances, improper input handling could allow type confusion across the Java-Rust FFI boundary. ### Impact **Record-to-Entity type confusion across the Java-Rust FFI boundary** CedarJava sends authorization requests to the Rust cedar-policy evaluator as JSON. The JSON protocol reserves magic single-key object shapes (`__entity` and `__ext