#git

### Impact It was possible to trigger repository updates for many repositories via a crafted webhook payload. ### Patches * https://github.com/WeblateOrg/weblate/pull/17221 ### Workarounds Disabling webhooks completely using ENABLE_HOOKS avoids this vulnerability. ### References Thanks to Hector Ruiz Ruiz & NaxusAI for responsibly disclosing this vulnerability to us.

### Summary When using an untrusted reverse proxy or not using a reverse proxy at all, attackers can bypass IP rate limiting by adding a forged X-Forwarded-For header. Starting with version 2025.9.1, an option (`trustProxy`) has been added in config file to prevent this from happening. However, it is initialized with an insecure default value before version 2025.12.0, making it still vulnerable if the configuration is not set correctly. ### Workaround If you are running Misskey with a trusted reverse proxy, you should *not* be affected by this vulnerability. - There is no workaround for the Misskey itself. Please update Misskey to the latest version or set up a trusted reverse proxy. - From v2025.9.1 to v2025.11.1, workaround is available. Set `trustProxy: false` in config file. - This is patched in v2025.12.0 by flipping default value of `trustProxy` to `false`. If you are using trusted reverse proxy and not remember you manually overrided this value, please take time to check your...

### Summary After adding private posts (followers, direct) that you do not have permission to view to your favorites or clips, you can export them to view the contents of the private posts. ### PoC 1. Create an account (X) for testing and an account (Y) for private posts on the same server. 2. Send appropriate content from Y using "Follow" 3. Send appropriate content to any user using "Nominate" from Y 4. Obtain the URLs for the two posts above using Y's account. 5. Query the URLs for the two posts using X and add them to your favorites or clips. 6. Export your favorites or clips using X. 7. Check the exported data. Note: Verified in v2025.11.1 ### Impact This could allow an attacker to view the contents of private posts. If you have pinned private posts, this could be a real problem, as the ID of the private post can be obtained by viewing the user page on the original server.

### Impact It was possible to accept an invitation opened by a different Weblate user. ### Patches * https://github.com/WeblateOrg/weblate/pull/16913 ### Workarounds Users should avoid leaving Weblate sessions with an unattended opened invitation. ### References Thanks to Nahid0x for responsibly disclosing this vulnerability to Weblate.

A flaw was found in runtimes-inventory-rhel8-operator. An internal proxy component is incorrectly configured. Because of this flaw, the proxy attaches the cluster's main administrative credentials to any command it receives, instead of only the specific reports it is supposed to handle. This allows a standard user within the cluster to send unauthorized commands to the management platform, effectively acting with the full permissions of the cluster administrator. This could lead to unauthorized changes to the cluster's configuration or status on the Red Hat platform.

A flaw was found in OpenShift GitOps. Namespace admins can create ArgoCD Custom Resources (CRs) that trick the system into granting them elevated permissions in other namespaces, including privileged namespaces. An authenticated attacker can then use these elevated permissions to create privileged workloads that run on master nodes, effectively giving them root access to the entire cluster.

grav before v1.7.49.5 has a Stored Cross-Site Scripting (Stored XSS) vulnerability in the page editing functionality. An authenticated low-privileged user with permission to edit content can inject malicious JavaScript payloads into editable fields. The payload is stored on the server and later executed when any other user views or edits the affected page.

In grav <1.7.49.5, a SSRF (Server-Side Request Forgery) vector may be triggered via Twig templates when page content is processed by Twig and the configuration allows undefined PHP functions to be registered.

A GitHub repository posing as a vulnerability scanner for CVE-2025-55182, also referred to as “React2Shell,” was exposed as…

An issue was discovered in allauth-django before 65.13.0. Both Okta and NetIQ were using preferred_username as the identifier for third-party provider accounts. That value may be mutable and should therefore be avoided for authorization decisions. The providers are now using sub instead.