Flask-Security-Too, OAuth Reauthentication Bypass, GHSA-97r5-pg8x-p63p (critical) The vulnerability exists in Flask-Security-Too versions prior to the fix, specifically in the OAuth reauthentication flow. When a user session becomes stale (not fresh), the application requires reauthentication before allowing sensitive actions like changing the username. The flaw resides in the OAuth verification callback functions `_oauth_response_common()` and `oauth_verify_response()` in oauth_glue.py. `_oauth_response_common()` resolves an OAuth provider identity to a Flask-Security user without validating that this user matches the currently authenticated session user....
DailyCVE
Technology, Information and Internet
London, Greater London, 102 followers
CVE Analysis & Database by Undercode Technologies Ltd.
About us
CVE NEWS & DATABASE BY UNDERCODE
- Website: https://dailycve.com
- Industry: Technology, Information and Internet
- Company size: 2-10 employees
- Headquarters: London, Greater London
- Type: Public Company
Locations
- Primary: London, Greater London W1W, GB
Updates
- YesWiki, Unauthenticated SQL Injection, CVE-Pending (Critical) The vulnerability exists in YesWiki’s Bazar form-import feature. An unauthenticated attacker can inject SQL into an INSERT statement because the `bn_id_nature` parameter is concatenated unsafely into the SQL query. The sink is in `FormManager::create()` at line 258 of tools/bazar/services/FormManager.php. The code builds an INSERT into `yeswiki_nature` without quoting or parameterizing the `bn_id_nature` value. An attacker sends a crafted HTTP POST request to `/?BazaR&vue=formulaire` with the parameter…...
- ImageMagick, Race Condition, CVE-2022-28463 (Moderate) The distributed pixel cache server (`magick -distribute-cache`) listens on a TCP port and forks a child process to handle each client connection. When the child opens the pixel cache file on disk, a race window exists between the `open()` call and the subsequent `fcntl()` that sets the `FD_CLOEXEC` flag. An attacker with network access to the cache server can send a carefully timed request that triggers a fork and exec of a sub-process while the file descriptor still lacks close-on-exec....
- Twig, Sandbox Property Allowlist Bypass, CVE-2026-46635 (Low) The CVE-2026-46635 vulnerability exists in Twig’s sandbox component and allows an attacker to bypass the property allowlist via the `column` filter. The `column` filter internally calls PHP’s native `array_column()` function. When the input array contains objects, `array_column()` reads properties directly by accessing `$obj->$name` (and `$obj->$index`). This native property read triggers any `__get()` or `__isset()` magic methods defined on the object....
- Boxlite, Path Traversal Vulnerability, CVE-2026-46703 (Critical) How the CVE works: The vulnerability resides in how Boxlite extracts OCI image layers. When a malicious OCI image is loaded, the `extract_layer_tarball_streaming()` function passes a tar reader to `apply_oci_layer()`. The latter processes tar entries, and for symlinks (`EntryType::Symlink`) it calls `create_symlink()` without validating the symlink target. This allows an attacker to create a symlink pointing to an absolute path on the host (e.g., …...
- Twig, Autoescaping Bypass via spaceless filter, CVE (N/A) (Medium) The vulnerability exists because Twig’s `spaceless` filter is registered with the `is_safe => ['html']` flag. This flag tells Twig’s auto-escaping mechanism that the filter’s output is already safe for HTML, so the engine does not escape it—even when `autoescape` is enabled and the developer never used `|raw`. When an attacker can control the input passed to `spaceless`, they can inject arbitrary HTML/JavaScript tags....
- Twig, Sandbox Bypass Vulnerability, CVE-2024-45411 (Critical) The vulnerability stems from an incomplete fix for a previous sandbox bypass issue (CVE-2024-45411/GHSA-6j75-5wfj-gh66). The original fix added an explicit `$loaded->unwrap()->checkSecurity()` call in `CoreExtension::include()` to re-check a template’s security when it is included in a sandboxed context (sandboxed = true). However, the deprecated but still functional `{% sandbox %}{% include ... %}{% endsandbox %}` tag path was not updated....
- ImageMagick, Heap Buffer Over-Write, GHSA-jqq5-8px3-9m6m (Moderate) The original vulnerability, tracked as GHSA-5592-p365-24xh (CVE-2026-40169), was a heap buffer overflow (write) in the YAML and JSON encoders of ImageMagick. This flaw allowed a crafted image to cause an out-of-bounds heap write during encoding, leading to a crash or potentially arbitrary code execution. The issue was fixed in ImageMagick 7.1.2-19 and Magick.NET 14.12.0. However, the applied fix was incorrect and introduced a new vulnerability: a heap buffer over-write of a single byte....
- Magick.NET (NuGet packages), Information Disclosure, CVE-2026-XXXX (Low severity) The CVE arises from a flaw in the `PasskeyEncipherImage` method of ImageMagick (affecting its .NET wrappers via Magick.NET). ImageMagick scrambles only an image’s pixels to conceal its content, leaving metadata untouched. To perform this scrambling, it uses the AES cipher in Counter (CTR) mode, a stream cipher that XORs a keystream with the plaintext. The keystream is generated by encrypting successive counter values with a cipher key, and each keystream requires a unique nonce (initial counter value)....
- js-cookie, Prototype Pollution leading to Cookie Attribute Injection (Medium) How the CVE works: The vulnerability resides in js-cookie's internal `assign()` helper (src/assign.mjs). This function copies properties from source objects into a target object using a `for...in` loop and plain assignment (`target[key] = source[key]`). When the source object is generated via `JSON.parse()`, any `"__proto__"` key becomes an own enumerable property because JSON treats `__proto__` as a normal string key....