
Security Intel Hub

Curated security advisories, vulnerability analyses, and exploit write-ups, auto-cleaned and translated to English. Updated continuously.
Fix CSRF vulnerability in Mailboxes OAuth disconnect feature
github.com · 2026-04-22

### Vulnerability Overview The webpage screenshot shows a fix record for a CSRF (Cross-Site Request Forgery) vulnerability. The vulnerability involves the absence of a `csrf_token` in OAuth disconnect…

Flarum ConversationsController Attachment Deletion Authorization Bypass Fix
github.com · 2026-04-22

### Vulnerability Overview This vulnerability involves improper sanitization of `attachments_to_remove` when deleting attachments, which may lead to potential security issues. ### Impact Scope - **Fil…

FreeScout <1.8.215 Insecure Direct Object Reference Allows Attachment Deletion
github.com · 2026-04-22

# Vulnerability Summary: Client-controlled attachment IDs allow deletion of existing conversation attachments ## Overview This vulnerability allows an attacker to delete original attachments from exis…

Freescout Zip Slip Path Traversal Leading to Arbitrary File Write and RCE
github.com · 2026-04-22

# Zip Slip Path Traversal Vulnerability Leads to Arbitrary File Write and RCE ## Vulnerability Overview The module installation feature of Freescout fails to validate file paths when extracting ZIP ar…

Chumper Zipper extractTo Path Traversal Vulnerability Fix
github.com · 2026-04-22

### Vulnerability Overview This vulnerability involves insufficient validation of file paths in the `extractTo` method of the Zipper class, leading to a risk of directory traversal attacks. An attacke…

FreeScout OAuth Disconnect CSRF Vulnerability with POC
github.com · 2026-04-22

# Vulnerability Summary: Mailbox OAuth Disconnect Uses State-Changing GET Request and Has CSRF Vulnerability ## Overview This vulnerability exists in the `freescout-help-desk` project. The mailbox OAu…

ClearanceKit Vulnerability: Ad-hoc Signed Binaries Spoof Apple Process IDs to Bypass FAA
github.com · 2026-04-22

# Vulnerability Summary: Ad-hoc signed binaries can spoof Apple process identities in the global allowlist ## Vulnerability Overview ClearanceKit incorrectly treats processes with an empty Team ID and…

ClearanceKit opfilter Extension Susceptible to Signal Interruption for Policy Bypass (CVE-2024-40604)
github.com · 2026-04-22

# opfilter System Extension Can Be Suspended or Interrupted by Signals, Disabling File Access Policy Enforcement ## Vulnerability Overview The `opfilter` system extension of ClearanceKit (bundle ID: `…

Path Traversal Arbitrary File Write in lego Webroot HTTP-01 Provider
github.com · 2026-04-22

# Vulnerability Summary: Arbitrary File Write via Path Traversal in Webroot HTTP-01 Provider ## Vulnerability Overview - **Vulnerability Name**: Arbitrary File Write via Path Traversal in Webroot HTTP…

CVE-2026-40588: Authenticated Password Change Without Current Password Verification Analysis
github.com · 2026-04-22

# Vulnerability Summary: Authenticated Password Change Does Not Verify Current Password ## Vulnerability Overview - **Vulnerability Name**: Authenticated Password Change Does Not Verify Current Passwo…

MCP Server: Fix DoS via Request Body Size Limit on HTTP Endpoints
github.com · 2026-04-22

### Vulnerability Overview This vulnerability relates to request body size limits for MCP HTTP endpoints. Specifically, all three POST handlers (`/api/state`, `/api/restore`, `/api/history/svg`) now u…

pyload-ng Session Cookie Security Downgrade via X-Forwarded-Proto Spoofing
github.com · 2026-04-22

### Vulnerability Overview **Title**: Session Cookie Security Downgrade via Untrusted X-Forwarded-Proto Header Spoofing (Global State Race Condition) **Description**: - **Vulnerability Type**: Session…

CVE-2025-40026: Unbounded HTTP Body DoS in next-ai-drawio/mcp-server
github.com · 2026-04-22

# Vulnerability Overview **Vulnerability Name**: Unbounded HTTP Body — Denial of Service **CVE ID**: CVE-2025-40026 **CVSS Score**: 6.2 / 10 (Moderate) **Affected Version**: `next-ai-drawio/mcp-server…

CVE-2026-40587: Session Not Invalidated After Password Change
github.com · 2026-04-22

# Vulnerability Summary: Active Sessions Not Invalidated After Password Change or Reset ## Vulnerability Overview **Title**: Active Sessions Are Not Invalidated After Password Change or Reset **CVE ID…

FreeScout <1.8.215 Assigned-only Visibility Bypass via save_draft
github.com · 2026-04-22

### Vulnerability Overview **Vulnerability Name**: Assigned-only visibility bypass via save_draft allows hidden conversation draft injection **Description**: When `APP_SHOW_ONLY_ASSIGNED_CONVERSATIONS…

FreeScout 1.8.215 Security Patch Summary: Path Traversal, CSRF, and Authorization Fixes
github.com · 2026-04-22

# Vulnerability Summary ## Overview This page lists multiple security vulnerabilities fixed in version `1.8.215` of `freescout-help-desk`, mainly involving file path checks, permission controls, varia…

FreeScout CVE-2024-41189 Visibility Bypass Vulnerability with POC
github.com · 2026-04-22

### Vulnerability Overview - **Vulnerability Name**: Assigned-only visibility bypass allows editing hidden customer-authored threads - **Vulnerability Description**: Customer thread editing is authori…

FreeScout Help Desk Unauthorized Access Vulnerability Fix Analysis
github.com · 2026-04-22

# Vulnerability Summary ## Overview In the `freescout-help-desk` project, there is an access control vulnerability. When a user edits a customer message, the system fails to properly verify whether th…

Twenty Stored XSS Vulnerability Fix Details
github.com · 2026-04-22

# Vulnerability Summary: TwentyHQ Stored XSS Vulnerability ## Vulnerability Overview - **Vulnerability Type**: Stored Cross-Site Scripting (Stored XSS) - **Vulnerability ID**: #19282 - **Discovery Tim…

FreeScout Unauthorized Mailbox Chat Setting Change via Signature Permission Bypass
github.com · 2026-04-22

### Vulnerability Overview - **Vulnerability Name**: Signature only mailbox permission allows unauthorized mailbox chat setting changes - **Vulnerability Description**: The `MailboxesController::updat…


All articles are auto-cleaned (markdown extraction + LLM noise removal) and translated to English by our offline pipeline. Source URL is always preserved at the bottom of each article.