#rce

### Impact n8n is affected by an authenticated Remote Code Execution (RCE) vulnerability. Under certain conditions, an authenticated user may be able to cause untrusted code to be executed by the n8n service. This could result in full compromise of the affected instance. Both self-hosted and n8n Cloud instances are impacted. ### Patches The issue has been resolved in n8n version 1.121.3. Users are advised to upgrade to this version or later to fully address the vulnerability. ### Workarounds If upgrading is not immediately possible, administrators can reduce exposure by disabling the Git node and limiting access for untrusted users. ### References - n8n documentation: [Blocking access to nodes](https://docs.n8n.io/hosting/securing/blocking-nodes/)

Users of the "@adonisjs/bodyparser" npm package are being advised to update to the latest version following the disclosure of a critical security vulnerability that, if successfully exploited, could allow a remote attacker to write arbitrary files on the server. Tracked as CVE-2026-21440 (CVSS score: 9.2), the flaw has been described as a path traversal issue affecting the AdonisJS multipart

### Summary Authenticated users with backup permissions can read arbitrary files within the webroot via path traversal in the Backup addon's file export functionality. <img width="664" height="899" alt="image" src="https://github.com/user-attachments/assets/fd1ca69e-b275-4daf-9a62-621cde6525f5" /> <img width="2358" height="445" alt="image" src="https://github.com/user-attachments/assets/fad81152-9e1b-413e-9823-09540a23e2fb" /> ### Details The Backup addon does not validate the `EXPDIR` POST parameter against the UI-generated allowlist of permitted directories. An attacker can supply relative paths containing `../` sequences (or even absolute paths inside the document root) to include any readable file in the generated `.tar.gz` archive. Vulnerable code: - `redaxo/src/addons/backup/pages/export.php` (lines 72-76) – directly uses `$_POST['EXPDIR']` - `redaxo/src/addons/backup/lib/backup.php` (lines ~413 & ~427) – concatenates unsanitized user input with base path This allows disclo...

Note that attackers must have administrator access to the Craft Control Panel for this to work. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. Resources: https://github.com/craftcms/cms/commit/6e608a1a5bfb36943f94f584b7548ca542a86fef https://github.com/craftcms/cms/commit/27f55886098b56c00ddc53b69239c9c9192252c7 https://github.com/craftcms/cms/commit/ec43c497edde0b2bf2e39a119cded2e55f9fe593 https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04 ### Summary This was reported as a vulnerability in Yii framework on August 7th (https://github.com/yiisoft/yii2/security/advisories/GHSA-gcmh-9pjj-7fp4). The Yii framework team denies responsibility for this (placing the onus on application developers) and hence has not (and seemingly will not) provide a fix at the framework level. Hence, I am reporting this to Craft as I found it to affect the latest (`5.6.0`) version of Craft CMS. Leveraging a legitimate but maliciously crafte...

Unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. Craft 3 users should update to the latest Craft 4 and 5 releases, which include the fixes. Resources: https://github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39 https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04 ## Affected Endpoints - `POST /admin/actions/app/migrate` (unauthenticated) - `POST /admin/actions/updater/backup` ## Vulnerability Details ### Root Cause Certain admin actions are explicitly configured with anonymous access: ```php // AppController.php protected array|bool|int $allowAnonymous = [ 'migrate' => self::ALLOW_ANONYMOUS_LIVE | self::ALLOW_ANONYMOUS_OFFLINE, // ... ]; // BaseUpdaterController.php protected array|bool|int $allowAnonymous = self::ALLOW_ANONYMOUS_L...

For this to work, users must have administrator access to the Craft Control Panel, and [allowAdminChanges](https://craftcms.com/docs/5.x/reference/config/general.html#allowadminchanges) must be enabled for this to work, which is against Craft CMS' recommendations for any non-dev environment. https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production Alternatively, a non-administrator account with allowAdminChanges disabled can be used, provided access to the System Messages utility is available. It is possible to craft a malicious payload using the Twig `map` filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to a RCE. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. References: https://github.com/craftcms/cms/commit/d82680f4a05f9576883bb83c3f6243d33ca73ebe https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821...

The year opened without a reset. The same pressure carried over, and in some places it tightened. Systems people assume are boring or stable are showing up in the wrong places. Attacks moved quietly, reused familiar paths, and kept working longer than anyone wants to admit. This week’s stories share one pattern. Nothing flashy. No single moment. Just steady abuse of trust — updates, extensions,

### Summary SSTI is possible via first name and last name parameters provided by lowest-privileged users. ### Details 1. Go to `http://127.0.0.1:8000/` and login or signup 2. Go to `http://127.0.0.1:8000/customer/account/profile` 3. Now edit the first name and last name to {{7*7}} 4. Notice it appears as 49 ### POC - Video attached with the report: https://github.com/user-attachments/assets/f93932b5-2a57-4f34-897e-4151a5168912 ### Impact This can lead to RCE, command injection.

### Summary SSTI when normal customer orders any product in add address step can inject value run in admin view. ### Details `As normal user` 1. Go to `http://127.0.0.1:8000/` 2. Add order to cart and continue to checkout 3. In step of add address inject this value {{7*7}} in any input `As admin` 1. Go to `http://127.0.0.1:8000/admin/sales/orders` 2. And notice the vlaue appear in admin view 49 `As normal user` 3. Go to add address normally `http://127.0.0.1:8000/customer/account/addresses/create` and inject {{7*7}} on it and will notice it appear 49 <img width="1868" height="868" alt="image" src="https://github.com/user-attachments/assets/279627e9-6361-4d39-a500-0fc20e163d25" /> ### PoC - Video attached with the report: https://github.com/user-attachments/assets/a814b30c-a3e2-4a40-8644-336e21e60d0d ### Impact - Can lead to RCE

### Summary SSTI is possible in Bagisto via type parameter can lead to RCE and other exploitations. ### Details 1. Go to `http://127.0.0.1:8000/admin/reporting/products/view?type={{7*7}}` <img width="1251" height="282" alt="image" src="https://github.com/user-attachments/assets/652e96f4-631e-4322-8561-63f4d897a480" /> ### Impact Can lead to RCE, command injection.