#perl

request-filtering-agent versions 1.x.x and earlier contain a vulnerability where HTTPS requests to 127.0.0.1 bypass IP address filtering, while HTTP requests are correctly blocked. **Impact:** Vulnerable patterns (requests that should be blocked but are allowed): - https://127.0.0.1:443/api - https://127.0.0.1:8443/admin - Any HTTPS request using direct IP address `https://127.0.0.1` This vulnerability primarily affects services using self-signed certificates on `127.0.0.1`. **Not affected (correctly blocked in all versions):** - http://127.0.0.1:80/api - HTTP requests are properly blocked - https://localhost:443/api - Domain-based requests trigger DNS lookup and are blocked - http://localhost:80/api - Domain-based HTTP requests are blocked - Requests to other private IPs like 192.168.x.x, 10.x.x.x, 172.16.x.x This allows attackers to potentially access internal HTTPS services running on localhost, bypassing the library's SSRF protection. The vulnerability is particularly dangerou...

### Summary HTTP/2 request splitting vulnerability allows attackers to perform request smuggling attacks by injecting CRLF characters into headers. This occurs when servers downgrade HTTP/2 requests to HTTP/1.1 without properly validating header names/values, enabling attackers to manipulate request boundaries and bypass security controls.

Development teams worldwide spend countless hours wrestling with the same persistent challenges: tight deadlines, resource constraints, and the…

## Summary - **Target:** ImageMagick (commit `ecc9a5eb456747374bae8e07038ba10b3d8821b3`) - **Type:** Undefined Behavior (function-type-mismatch) in splay tree cloning callback - **Impact:** Deterministic abort under UBSan (DoS in sanitizer builds). No crash in a non-sanitized build; likely low security impact. - **Trigger:** Minimal **2-byte** input parsed via MagickWand, then coalescing. ## Environment OS: macOS (Apple Silicon/arm64) Homebrew clang version 20.1.8 Target: arm64-apple-darwin24.5.0 Thread model: posix InstalledDir: /opt/homebrew/Cellar/llvm/20.1.8/bin Configuration file: /opt/homebrew/etc/clang/arm64-apple-darwin24.cfg Homebrew ImageMagick: `magick -version` → `ImageMagick 7.1.2-0 Q16-HDRI aarch64` pkg-config: `MagickWand-7.Q16HDRI` version `7.1.2` Library configure flags (capsule build): ./configure --disable-shared --enable-static --without-modules --without-magick-plus-plus --disable-openmp --without-perl --without-x --with-png=yes --without-jpeg --without-tiff --with...

Mattermost versions 10.9.x <= 10.9.1, 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate file paths during plugin import operations which allows restricted admin users to install unauthorized custom plugins via path traversal in the import functionality, bypassing plugin signature enforcement and marketplace restrictions.

Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate authorization for team scheme role modifications which allows Team Admins to demote Team Members to Guests via the PUT /api/v4/teams/team-id/members/user-id/schemeRoles API endpoint.

### Impact A symlink traversal vulnerability was discovered in the `Read/Write File` node in n8n. While the node attempts to restrict access to sensitive directories and files, it does not properly account for symbolic links (symlinks). An attacker with the ability to create symlinks—such as by using the `Execute Command` node—could exploit this to bypass the intended directory restrictions and read from or write to otherwise inaccessible paths. Users of _n8n.cloud_ are not impacted. ### Patches Affected users should update to version 1.106.0 or later. ### Workarounds Until the patch is applied: - Disable or restrict access to the `Execute Command` node and any other nodes that allow arbitrary file system access. - Avoid using the `Read/Write File` node on untrusted paths or inputs that could be manipulated via symlinks.

### Summary In the default configuration of mermaid 11.9.0, user supplied input for sequence diagram labels is passed to `innerHTML` during calculation of element size, causing XSS. ### Details Sequence diagram node labels with KaTeX delimiters are passed through `calculateMathMLDimensions`. This method passes the full label to `innerHTML` which allows allows malicious users to inject arbitrary HTML and cause XSS when mermaid-js is used in it's default configuration (with KaTeX support enabled). The vulnerability lies here: ```ts export const calculateMathMLDimensions = async (text: string, config: MermaidConfig) => { text = await renderKatex(text, config); const divElem = document.createElement('div'); divElem.innerHTML = text; // XSS sink, text has not been sanitized. divElem.id = 'katex-temp'; divElem.style.visibility = 'hidden'; divElem.style.position = 'absolute'; divElem.style.top = '0'; const body = document.querySelector('body'); body?.insertAdjacentElemen...

### Summary In the default configuration of mermaid 11.9.0, user supplied input for architecture diagram icons is passed to the d3 `html()` method, creating a sink for cross site scripting. ### Details Architecture diagram service `iconText` values are passed to the d3 `html()` method, allowing malicious users to inject arbitrary HTML and cause XSS when mermaid-js is used in it's default configuration. The vulnerability lies here: ```ts export const drawServices = async function ( db: ArchitectureDB, elem: D3Element, services: ArchitectureService[] ): Promise<number> { for (const service of services) { /** ... **/ } else if (service.iconText) { bkgElem.html( `<g>${await getIconSVG('blank', { height: iconSize, width: iconSize, fallbackPrefix: architectureIcons.prefix })}</g>` ); const textElemContainer = bkgElem.append('g'); const fo = textElemContainer .append('foreignObject') .attr('width', iconSize) .attr('he...

### Summary A stored Cross-Site Scripting (XSS) vulnerability exists in LibreNMS (<= 25.6.0) in the Alert Template creation feature. This allows a user with the **admin role** to inject malicious JavaScript, which will be executed when the template is rendered, potentially compromising other admin accounts. --- ### Details In the LibreNMS web UI, when a user with the **admin role** visits `/templates` and clicks **"Create new alert template"**, the **"Template name"** field fails to properly sanitize input. By inserting a payload like: ``` &lt;script>alert(document.cookie)&lt;/script> ``` and filling the other fields with arbitrary content (e.g., `test`), once the template is saved, the script is executed. This confirms that user input is stored and later rendered without proper output encoding. This vulnerability can be exploited for session hijacking, data theft, or other malicious actions targeting other admin users. --- ### PoC 1. Log in to LibreNMS using an account with t...