#git

In a 6-3 decision, the Supreme Court held that age verification for explicit sites is constitutional. In a dissent, Justice Elena Kagan warned it burdens adults and ignores First Amendment precedent.

An invitation to sign a DocuSign document went through mysterious ways and a way-too-easy Captcha to fingerprint the target.

### Summary A critical remote code execution vulnerability was discovered during the Llama Factory training process. This vulnerability arises because the `vhead_file` is loaded without proper safeguards, allowing malicious attackers to execute arbitrary malicious code on the host system simply by passing a malicious `Checkpoint path` parameter through the `WebUI` interface. The attack is stealthy, as the victim remains unaware of the exploitation. The root cause is that the `vhead_file` argument is loaded without the secure parameter `weights_only=True`. Note: In torch versions <2.6, the default setting is `weights_only=False`, and Llama Factory's `setup.py` only requires `torch>=2.0.0`. ### Affected Version Llama Factory versions <=0.9.3 are affected by this vulnerability. ### Details 1. In LLaMA Factory's WebUI, when a user sets the `Checkpoint path`, it modifies the `adapter_name_or_path` parameter passed to the training process. code in src/llamafactory/webui/runner.py <img w...

### Impact With older versions of jackson-core, if you parse an input file and it has deeply nested data, Jackson could end up throwing a StackoverflowError if the depth is particularly large. ### Patches jackson-core 2.15.0 contains a configurable limit for how deep Jackson will traverse in an input document, defaulting to an allowable depth of 1000. Change is in https://github.com/FasterXML/jackson-core/pull/943. jackson-core will throw a StreamConstraintsException if the limit is reached. jackson-databind also benefits from this change because it uses jackson-core to parse JSON inputs. ### Workarounds Users should avoid parsing input files from untrusted sources.

## Summary ## The *Command Execution* feature of File Browser only allows the execution of shell command which have been predefined on a user-specific allowlist. Many tools allow the execution of arbitrary different commands, rendering this limitation void. ## Impact ## The concrete impact depends on the commands being granted to the attacker, but the large number of standard commands allowing the execution of subcommands makes it likely that every user having the `Execute commands` permissions can exploit this vulnerability. Everyone who can exploit it will have full code execution rights with the *uid* of the server process. ## Vulnerability Description ## Many Linux commands allow the execution of arbitrary different commands. For example, if a user is authorized to run only the `find` command and nothing else, this restriction can be circumvented by using the `-exec` flag. Some common commands having the ability to launch external commands and which are included in the offici...

## Summary ## The Markdown preview function of File Browser v2.32.0 is vulnerable to *Stored Cross-Site-Scripting (XSS)*. Any JavaScript code that is part of a Markdown file uploaded by a user will be executed by the browser ## Impact ## A user can upload a malicious Markdown file to the application which can contain arbitrary HTML code. If another user within the same scope clicks on that file, a rendered preview is opened. JavaScript code that has been included will be executed. Malicious actions that are possible include: * Obtaining a user's session token * Elevating the attacker's privileges, if the victim is an administrator (e.g., gaining command execution rights) ## Vulnerability Description ## Most Markdown parsers accept arbitrary HTML in a document and try rendering it accordingly. For instance, if one creates a file called `xss.md` with the following content: ```markdown # Hallo <b>foo</b> <img src="xx" onerror=alert(9)> <i>bar</i> ``` Bold and italic text ...

## Summary ## The file access permissions for files uploaded to or created from File Browser are never explicitly set by the application. The same is true for the database used by File Browser. On standard servers where the *umask* configuration has not been hardened before, this makes all the stated files readable by any operating system account. ## Impact ## The default permissions for new files on a standard Linux system are `0644`, making them world-readable. That means that at least the following parties have full read access to all files managed by the Filebrowser from all *scopes*, as well as its database (including the password hashes stored in there): * All OS accounts on the server * All other applications running on the same server * Any Filebrowser user with *Command Execution* privileges having access to a command that allows reading a file's content ## Vulnerability Description ## On a Linux system, the file access permissions of new files are designated by the syst...

### Impact This is an Open Redirect (CWE-601) vulnerability in the login flow of n8n. Authenticated users can be redirected to untrusted, attacker-controlled domains after logging in, by crafting malicious URLs with a misleading redirect query parameter. This may lead to: - Phishing attacks by impersonating the n8n UI on lookalike domains (e.g., n8n.local.evil.com) - Credential or 2FA theft if users are tricked into re-entering sensitive information - Reputation risk due to the visual similarity between attacker-controlled domains and trusted ones The vulnerability affects anyone hosting n8n and exposing the `/signin` endpoint to users. ### Patches The issue has been patched in [1.98.0](https://github.com/n8n-io/n8n/releases/tag/n8n%401.98.0). All users should upgrade to this version or later. The fix introduces strict origin validation for redirect URLs, ensuring only same-origin or relative paths are allowed after login. Patch commit: https://github.com/n8n-io/n8n/pull/16034

### Impact OpenBao and HashiCorp Vault allowed an attacker to perform unauthenticated, unaudited cancellation of root rekey and recovery rekey operations, effecting a denial of service. ### Patches In OpenBao v2.2.2 and later, manually setting the configuration option `disable_unauthed_rekey_endpoints=true` allows an operator to deny these rarely-used endpoints on global listeners. In a future OpenBao release [communicated on our website](https://openbao.org/docs/deprecation/), we will set this to `true` for all users and provide an authenticated alternative. This vulnerability has been disclosed to HashiCorp; see their website for more information. ### Workarounds If an active proxy or load balancer sits in front of OpenBao, an operator can deny requests to these endpoints from unauthorized IP ranges. ### References See the [deprecation notice](https://openbao.org/docs/deprecation/unauthed-rekey/).

### Impact OpenBao before v2.3.0 and HashiCorp Vault as of the current v1.19.5 may leak sensitive information in logs when processing malformed data. This is separate from the earlier HCSEC-2025-09 / CVE-2025-4166. ### Patches This issue has been fixed in OpenBao v2.3.0 and later. ### Workarounds Like with HCSEC-2025-09, there is no known workaround except to ensure properly formatted requests from all clients. ### Remediation Users with the capability to search through server and audit logs for any possible exposed secrets can refer to the following snippets to aid in searching: Audit Log ``` ... "error":"error converting input for field \"password\": expected type 'string', got unconvertible type 'map[string]interface {}', value: '<sensitive data>'" ... ``` Server Log ``` error converting input for field "password": expected type 'string', got unconvertible type 'map[string]interface {}', value: '<sensitive data>' ``` If any matches are found, rotating the affected secre...