Security Intel Hub 23479+

Curated security advisories, vulnerability analyses, and exploit write-ups — auto-cleaned and translated to English. Updated continuously.

praisonal CVE-2025-39890 YAML Deserialization RCE Vulnerability and PoC
github.com · 2026-04-09

### Vulnerability Summary **Vulnerability Overview** The vulnerability exists in the `AgentService.loadAgentFromFile` method within the `praisonal` package. This method uses the `js-yaml` library to p…

Template Injection in Agent Tool Definitions Leading to RCE
github.com · 2026-04-09

### Vulnerability Summary: Template Injection in Agent Tool Definitions **Vulnerability Overview** This vulnerability exists within the `create_agent_centric_tools()` function. The tools returned by t…

Hono v4.12.12 Security Update: Path Traversal, Middleware Bypass, Cookie Validation Issues
github.com · 2026-04-09

# Hono v4.12.12 Security Vulnerability Summary **Version Information**: Hono v4.12.12 **Vulnerability Overview and Scope**: 1. **Serve Static Middleware Bypass via Repeated Slashes in serveStatic** * …

Stored XSS in ci4ms ci4-cms-erp <= 0.31.3.0 with PoC
github.com · 2026-04-09

### Vulnerability Summary **Vulnerability Overview** This is a Stored Cross-Site Scripting (XSS) vulnerability present in the `ci4-cms-erp/ci4ms` package. * **Root Cause**: The `ban` remark parameter …

MinIO S3 Select Unbounded Memory Allocation DoS via CSV Parsing
github.com · 2026-04-09

### Vulnerability Overview * **Vulnerability Name**: DoS via Unbounded Memory Allocation in S3 Select CSV Parsing * **CVSS Score**: 7.1 (High) * **CWE ID**: CWE-770 (Allocation of Resources Without Li…

SSRF via $ref Dereferencing in mcp-from-openapi
github.com · 2026-04-09

### Vulnerability Summary: SSRF via $ref Dereferencing in Untrusted OpenAPI Specifications **Vulnerability Overview** This vulnerability exists in the `mcp-from-openapi` library. When the `OpenAPITool…

OpenTelemetry Go OTLP HTTP Exporters Unbounded Response Body Read DoS
github.com · 2026-04-09

### Vulnerability Summary: OTLP HTTP Exporters Read Unrestricted HTTP Response Bodies **1. Vulnerability Overview** This vulnerability exists within the OTLP HTTP exporters of OpenTelemetry Go. These …

Sonatype Nexus Repository 3.91.0 Vulnerability Fixes Summary
help.sonatype.com · 2026-04-09

# Sonatype Nexus Repository 3.91.0 Vulnerability and Remediation Summary ## Vulnerability Overview Sonatype Nexus Repository version 3.91.0 primarily addresses functional defects, metadata cache error…

Liquid Engine sort Filter Prototype Pollution via ownPropertyOnly Bypass
github.com · 2026-04-09

### Vulnerability Summary **Vulnerability Overview** In the `sort` and `sort_natural` filters, property access does not adhere to the `ownPropertyOnly` security option. This allows attackers to perfor…

ci4ms CMS .env CRLF Injection Vulnerability and POC
github.com · 2026-04-09

### Vulnerability Overview This vulnerability exists in the `ci4-cms-erp/ci4ms` package and is a `.env` file CRLF injection flaw. The `Install::index()` controller reads the `host` POST parameter with…

Nix Fixed-Output Derivations File Descriptor Leak Leading to Store Path Tampering Fix
github.com · 2026-04-09

### Vulnerability Key Information Summary **Vulnerability Overview** This commit addresses a security vulnerability in the Nix package manager related to **Fixed-Output Derivations (FODs)**. An attack…

Hono Web Framework Cookie Parsing Discrepancy Vulnerability Analysis
github.com · 2026-04-09

### Vulnerability Key Information Summary **1. Vulnerability Overview** This is a **Cookie Parsing Discrepancy** or **Cookie Parsing Bypass** vulnerability. An attacker can bypass parsing logic by ins…

ci4ms Fileeditor Auth Bypass and RCE via Unvalidated Path Access
github.com · 2026-04-09

# Fileeditor Authorization Bypass Vulnerability Summary ## Vulnerability Overview The Fileeditor controller defines a `$hiddenItems` array containing sensitive paths (e.g., `.env`, `composer.json`, `v…

KCP Cache Server Unauthorized Access Vulnerability Analysis
github.com · 2026-04-09

# Vulnerability Summary: KCP Cache Server Unauthorized Access Vulnerability ## 1. Vulnerability Overview * **Title**: Cache server is accessible without authentication or authorization checks * **Seve…

NixOS Build Sandbox File Descriptor Leak Allows Store Path Tampering Fix
github.com · 2026-04-09

### Vulnerability Summary **Vulnerability Overview** This vulnerability exists within the NixOS build sandbox mechanism. An attacker can leak file descriptors from the build sandbox and utilize these …

Nix Sandbox Escape Vulnerability Fix Analysis
github.com · 2026-04-09

### Vulnerability Summary **Vulnerability Overview** This is a fix for a **Sandbox Escape** vulnerability in the Nix build system. During the Nix build process, if a builder directly overwrites an out…

LightRAG JWT Algorithm Confusion Vulnerability and Fix
github.com · 2026-04-09

### Vulnerability Key Information Summary **Vulnerability Overview** The LightRAG API contains an Algorithm Confusion vulnerability in its JWT handling. An attacker can forge tokens by specifying `alg…

Remnawave HWID Device Registration Race Condition Bypass
github.com · 2026-04-09

### Vulnerability Summary **Vulnerability Overview** A race condition vulnerability exists in the HWID (Hardware ID) device registration logic. Authenticated users can bypass configured HWID device li…

LiquidJS CVE-2025-39412 Prototype Property Information Disclosure via Sort Filter
github.com · 2026-04-09

# LiquidJS Prototype Property Information Disclosure Vulnerability Summary ## Vulnerability Overview A security bypass vulnerability exists in the `sort_natural` and `sort` filters within the `liquidj…

Shell Command Injection Vulnerability Fix: Safe Placeholder Replacement Logic
github.com · 2026-04-09

### Vulnerability Summary **Vulnerability Overview** This is a **Command Injection** vulnerability. In the `command_collector.sh` and `parse_artifact.sh` scripts, user-controllable input variables (su…


All articles are auto-cleaned (markdown extraction + LLM noise removal) and translated to English by our offline pipeline. Source URL is always preserved at the bottom of each article.