Security
Headlines
HeadlinesLatestCVEs

Tag

#js

GHSA-xfp8-x3j6-h67v: ExpressGateway Cross-Site Scripting Vulnerability in lib/rest/routes/apps.js

A vulnerability has been found in ExpressGateway express-gateway up to 1.16.10. Affected is an unknown function in the library lib/rest/routes/apps.js of the component REST Endpoint. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

ghsa
#xss#vulnerability#web#js#auth
GHSA-q4rg-7cjj-5r86: ExpressGateway Cross-Site Scripting Vulnerability in lib/rest/routes/users.js

A flaw has been found in ExpressGateway express-gateway up to 1.16.10. This issue affects some unknown processing in the library lib/rest/routes/users.js of the component REST Endpoint. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

GHSA-9x9c-ghc5-jhw9: @astrojs/node's trailing slash handling causes open redirect issue

### Summary Following https://github.com/withastro/astro/security/advisories/GHSA-cq8c-xv66-36gw, there's still an Open Redirect vulnerability in a subset of Astro deployment scenarios. ### Details Astro 5.12.8 fixed a case where `https://example.com//astro.build/press` would redirect to the external origin `//astro.build/press`. However, with the Node deployment adapter in standalone mode and `trailingSlash` set to `"always"` in the Astro configuration, `https://example.com//astro.build/press` still redirects to `//astro.build/press`. ### Proof of Concept 1. Create a new minimal Astro project (`astro@5.12.8`) 2. Configure it to use the Node adapter (`@astrojs/node@9.4.0`) and force trailing slashes: ```js // astro.config.mjs import { defineConfig } from 'astro/config'; import node from '@astrojs/node'; export default defineConfig({ trailingSlash: 'always', adapter: node({ mode: 'standalone' }), }); ``` 3. Build the site by running `astro build`....

New Malvertising Attack Spreads Crypto Stealing PS1Bot Malware

Cisco Talos researchers have discovered a dangerous new malware framework called PS1Bot. Active since early 2025, this sophisticated…

GHSA-q4xx-mc3q-23x8: Flowise JS injection remote code execution

User-controlled input flows to an unsafe implementation of a dynamic Function constructor, allowing network attackers to run arbitrary unsandboxed JS code in the context of the host, by sending a simple POST request.

GHSA-9h84-qmv7-982p: Helm Charts with Specific JSON Schema Values Can Cause Memory Exhaustion

A Helm contributor discovered that it was possible to craft a JSON Schema file in a manner which could cause Helm to use all available memory and have an out of memory (OOM) termination. ### Impact A malicious chart can point `$ref` in _values.schema.json_ to a device (e.g. `/dev/*`) or other problem file which could cause Helm to use all available memory and have an out of memory (OOM) termination. ### Patches This issue has been resolved in Helm v3.18.5. ### Workarounds Make sure that all Helm charts that are being loaded into Helm doesn't have any reference of `$ref` pointing to `/dev/zero`. ### References Helm's security policy is spelled out in detail in our [SECURITY](https://github.com/helm/community/blob/master/SECURITY.md) document. ### Credits Disclosed by Jakub Ciolek at AlphaSense.

Malvertising campaign leads to PS1Bot, a multi-stage malware framework

Cisco Talos has observed an ongoing malware campaign that seeks to infect victims with a multi-stage malware framework, implemented in PowerShell and C#, which we are referring to as “PS1Bot.”

GHSA-c9rc-mg46-23w3: Keras vulnerable to CVE-2025-1550 bypass via reuse of internal functionality

### Summary It is possible to bypass the mitigation introduced in response to [CVE-2025-1550](https://github.com/keras-team/keras/security/advisories/GHSA-48g7-3x6r-xfhp), when an untrusted Keras v3 model is loaded, even when “safe_mode” is enabled, by crafting malicious arguments to built-in Keras modules. The vulnerability is exploitable on the default configuration and does not depend on user input (just requires an untrusted model to be loaded). ### Impact | Type | Vector |Impact| | -------- | ------- | ------- | |Unsafe deserialization |Client-Side (when loading untrusted model)|Arbitrary file overwrite. Can lead to Arbitrary code execution in many cases.| ### Details Keras’ [safe_mode](https://www.tensorflow.org/api_docs/python/tf/keras/models/load_model) flag is designed to disallow unsafe lambda deserialization - specifically by rejecting any arbitrary embedded Python code, marked by the “__lambda__” class name. https://github.com/keras-team/keras/blob/v3.8.0/keras/sr...

GHSA-w2cq-g8g3-gm83: content-security-policy-parser Prototype Pollution Vulnerability May Lead to RCE

### Impact A prototype pollution vulnerability exists in versions 0.5.0 and earlier, wherein if you provide a policy name called `__proto__` you can override the Object prototype. For example: ``` const parse = require('content-security-policy-parser'); const x = parse("default-src 'self'; __proto__ foobar"); console.log('raw print:', x); console.log('toString:', x.toString()); ``` Outputs: ``` raw print: Array { 'default-src': [ "'self'" ] } toString: foobar ``` Whilst no gadget exists in this library, it is possible via other libraries expose functionality that enable RCE. It is customary to label prototype pollution vulnerabilities in this way. The most common effect of this is denial of service, as you can trivially overwrite properties. As the content security policy is provided in HTTP queries, it is incredibly likely that network exploitation is possible. ### Patches There has been a patch implemented a year ago (11 Feb 2024), but low uptake of patched versions has not b...

GHSA-pwh4-6r3m-j2rf: PyLoad vulnerable to SQL Injection via API /json/add_package in add_links parameter

### Summary The parameter `add_links` in the API /json/add_package is vulnerable to SQL Injection. SQL injection vulnerabilities can lead to sensitive data leakage. ### Details - Affected file:https://github.com/pyload/pyload/blob/develop/src/pyload/core/database/file_database.py#L271 - Affected code: ```python @style.queue def update_link_info(self, data): """ data is list of tuples (name, size, status, url) """ self.c.executemany( "UPDATE links SET name=?, size=?, status=? WHERE url=? AND status IN (1,2,3,14)", data, ) ids = [] statuses = "','".join(x[3] for x in data) self.c.execute(f"SELECT id FROM links WHERE url IN ('{statuses}')") for r in self.c: ids.append(int(r[0])) return ids ```` statuses is constructed from data, and data is the value of the add_links parameter entered by the user through /json/add_packge. Because `{statuses}` is directly spliced into th...