
Security Intel Hub 23479+

Curated security advisories, vulnerability analyses, and exploit write-ups — auto-cleaned and translated to English. Updated continuously.

CVE-2025-40895: follow-redirects Custom Auth Header Leakage
github.com · 2026-04-22

# Vulnerability Summary: Custom Authentication Header Leakage in follow-redirects ## Overview When an HTTP request follows cross-domain redirects (301/302/307/308), the `follow-redirects` library only…

CSRF in wwbn/avideo configurationUpdate.json.php Enables Full Site Takeover and Persistent XSS
github.com · 2026-04-22

# Vulnerability Summary: CSRF in configurationUpdate.json.php ## Vulnerability Overview **Vulnerability Name**: CSRF in configurationUpdate.json.php Enables Full Site Configuration Takeover Including …

ElectricSQL Shape API SQL Injection via ORDER BY Parameter (CVSS 10.0)
github.com · 2026-04-22

# SQL Injection Vulnerability Summary: ORDER BY Parameter in Shape API ## Vulnerability Overview In ElectricSQL's `/v1/shape` API, the `order_by` parameter is vulnerable to a blind SQL injection flaw.…

YPTSocket Plugin Code Injection Vulnerability Fix Analysis
github.com · 2026-04-22

# Vulnerability Summary ## Overview This vulnerability involves the risk of `eval` injection in the `YPTSocket` plugin. Specifically, when processing messages from browsers or guests, failure to prope…

wwbn/avideo YPTSocket Unauthenticated Cross-User JavaScript Execution via WebSocket Relay
github.com · 2026-04-22

# AVideo YPTSocket WebSocket Broadcast Relay Leads to Unauthenticated Cross-User JavaScript Execution ## Vulnerability Overview * **Vulnerability Type**: Unauthenticated Cross-User JavaScript Executio…

Authentication bypass in frp HTTP vhost routing via routeByHTTPUser
github.com · 2026-04-22

### Vulnerability Overview - **Vulnerability Name**: Authentication bypass in frp HTTP vhost routing when `routeByHTTPUser` is used for access control - **Vulnerability Description**: In the HTTP vhos…

Python CPython asyncio.sock_recv_into buffer boundary check fix
github.com · 2026-04-22

# Python CPython Vulnerability Fix Summary ## Vulnerability Overview This vulnerability involves the `asyncio.AbstractEventLoop.sock_recv_into` method. When using the `bytes` parameter, if the provide…

Python asyncio sock_recv_into Buffer Overflow Fix (GH-148809)
github.com · 2026-04-22

# Vulnerability Summary ## Overview - **Vulnerability ID**: GH-148809 - **Description**: In the `asyncio.AbstractEventLoop.sock_recv_into` method, there is a lack of boundary checking for the `nbytes`…

Python http.client HTTP Tunnel Header Injection Fix
github.com · 2026-04-22

### Vulnerability Overview This vulnerability involves rejecting CR/LF characters in HTTP tunnel request headers. Specifically, when attempting to include control characters (such as CR/LF) in an HTTP…

Gogs CSRF Vulnerability: File Deletion and Directory Creation via GET Routes
github.com · 2026-04-22

# Vulnerability Summary: Gogs CSRF Leads to File Deletion and Directory Creation in State-Changing GET Routes ## Vulnerability Overview Gogs has a Cross-Site Request Forgery (CSRF) vulnerability. Sinc…

CVE-2026-40885: gosh public collaborator feed leaks Basic Auth credentials
github.com · 2026-04-22

# Vulnerability Summary: Public collaborator feed leaks .gosh ACL credentials ## Vulnerability Overview **Vulnerability Name**: Public collaborator feed leaks .gosh ACL credentials and enables unautho…

OpenHarness Plugin Trust Boundary Bypass Leading to RCE and Remote State Tampering
github.com · 2026-04-22

# Vulnerability Summary: OpenHarness Plugin Trust Boundary Bypass ## Vulnerability Overview This vulnerability involves two security flaws in the OpenHarness plugin system, with the core issue being a…

OpenHarness Plugin System Address Code Execution Fix
github.com · 2026-04-22

# Vulnerability Summary ## Vulnerability Overview **Vulnerability ID**: #156 **Vulnerability Type**: Address Code Execution **Severity**: Security Fix **Submitter**: Hinotol-agent **Submission Time**:…

WWBN AVideo IDOR in Live Restreams Exposes RTMP Keys and OAuth Tokens
github.com · 2026-04-22

# IDOR in Live Restreams list.json.php Exposes Other Users' Stream Keys and OAuth Tokens ## Vulnerability Overview In the `WWBN/AVideo` plugin, an **Insecure Direct Object Reference (IDOR)** vulnerabi…

CVE-2024-40854: Empty-username SFTP password authentication bypass in gosh
github.com · 2026-04-22

# Vulnerability Summary: Empty-Username Based SFTP Password Authentication Bypass in gosh ## Vulnerability Overview **Vulnerability Name**: Empty-username SFTP password authentication bypass in gosh *…

CVE-2025-40876: gosh SFTP Root Directory Escape via Prefix Validation Flaw
github.com · 2026-04-22

# SFTP Root Directory Escape Vulnerability Summary (CVE-2025-40876) ## Vulnerability Overview **Vulnerability Name**: SFTP root escape via prefix-based path validation in gosh **CVE ID**: CVE-2025-408…

IDOR Vulnerability Fix in Live_restreams Module
github.com · 2026-04-22

# Vulnerability Summary ## Overview In the JSON response handling of the `Live_restreams` module, there is an issue with improper user ID processing. Non-administrator users can bypass permission rest…

Go smartypants out-of-bounds read vulnerability fix in smartLeftAngle
github.com · 2026-04-22

### Vulnerability Overview - **Vulnerability Description**: In the `smartypants.go` file, there is an out-of-bounds read issue when the `>` symbol is not found. - **Submitters**: JulesDT and kjc - **S…

WWBN AVideo Unauthenticated Information Disclosure via git.json.php (CVE-2026-40908)
github.com · 2026-04-22

# Vulnerability Summary: Unauthorized Information Disclosure (CVE-2026-40908) ## Vulnerability Overview * **Vulnerability Name**: Unauthenticated Information Disclosure via git.json.php * **CVE ID**: …

wwbn/avideo Path Traversal to Arbitrary PHP File Write and RCE
github.com · 2026-04-22

### Vulnerability Overview **Vulnerability Name**: Path Traversal in Locale Save Endpoint Enables Arbitrary PHP File Write to Any Web-Accessible Directory (RCE) **Vulnerability Description**: - In the…


All articles are auto-cleaned (markdown extraction + LLM noise removal) and translated to English by our offline pipeline. Source URL is always preserved at the bottom of each article.
