Tag
#vulnerability
### Impact

The prosemirror_to_html gem is vulnerable to Cross-Site Scripting (XSS) attacks through malicious HTML attribute values. While tag content is properly escaped, attribute values are not, allowing attackers to inject arbitrary JavaScript code.

**Who is impacted:**

- Any application using prosemirror_to_html to convert ProseMirror documents to HTML
- Applications that process user-generated ProseMirror content are at highest risk
- End users viewing the rendered HTML output could have malicious JavaScript executed in their browsers

**Attack vectors include:**

- `href` attributes with `javascript:` protocol: `<a href="javascript:alert(document.cookie)">`
- Event handlers: `<div onclick="maliciousCode()">`
- `onerror` attributes on images: `<img src=x onerror="alert('XSS')">`
- Other HTML attributes that can execute JavaScript

### Patches

A fix is currently in development. Users should upgrade to version **0.2.1** or later once released. The patch escapes all HTML ...
### Overview

This report **demonstrates a real-world privilege escalation** vulnerability in [pdfminer.six](https://github.com/pdfminer/pdfminer.six) due to unsafe usage of Python's `pickle` module for CMap file loading. It shows how a low-privileged user can gain root access (or escalate to any service account) by exploiting insecure deserialization in a typical multi-user or server environment.

## Table of Contents

- [Background](#-background)
- [Vulnerability Description](#-vulnerability-description)
- [Demo Scenario](#-demo-scenario)
- [Technical Details](#-technical-details)
- [Setup and Usage](#-setup-and-usage)
- [Step-by-step Walkthrough](#-step-by-step-walkthrough)
- [Security Standards & References](#-security-standards--references)

---

## Background

**pdfminer.six** is a popular Python library for extracting text and information from PDF files. It supports CJK (Chinese, Japanese, Korean) fonts via external CMap files, which it loads from disk using Python's `pickle` m...

Many critical systems are still being maintained, and the cloud provides some security cover. But experts say that any lapses in protections like patching and monitoring could expose government systems.
### Summary

The `hostDisk` feature in KubeVirt allows mounting a host file or directory owned by the user with UID 107 into a VM. However, the implementation of this feature, and more specifically the `DiskOrCreate` option, which creates a file if it doesn't exist, has a logic bug that allows an attacker to read and write arbitrary files owned by more privileged users on the host system.

### Details

The `hostDisk` feature gate in KubeVirt allows mounting a QEMU RAW image directly from the host into a VM. While similar features, such as mounting disk images from a PVC, enforce ownership-based restrictions (e.g., only allowing files owned by a specific UID), this mechanism can be subverted. For a RAW disk image to be readable by the QEMU process running within the `virt-launcher` pod, it must be owned by a user with UID 107. **If this ownership check is considered a security barrier, it can be bypassed**. In addition, the ownership of the host files mounted via this feature is changed to th...

AstrBot Project v3.5.22 has an arbitrary file read vulnerability in function _encode_image_bs64. Since the _encode_image_bs64 function defined in entities.py opens the image specified by the user in the request body and returns the image content as a base64-encoded string without checking the legitimacy of the image path, attackers can construct a series of malicious URLs to read any specified file, resulting in sensitive data leakage.
AstrBot Project v3.5.22 contains a directory traversal vulnerability. The handler function install_plugin_upload of the interface '/plugin/install-upload' parses the filename from the request body provided by the user, and directly uses the filename to assign to file_path without checking the validity of the filename. The variable file_path is then passed as a parameter to the function `file.save`, so that the file in the request body can be saved to any location in the file system through directory traversal.
A now-patched security flaw in Samsung Galaxy Android devices was exploited as a zero-day to deliver a "commercial-grade" Android spyware dubbed LANDFALL in targeted attacks in the Middle East. The activity involved the exploitation of CVE-2025-21042 (CVSS score: 8.8), an out-of-bounds write flaw in the "libimagecodec.quram.so" component that could allow remote attackers to execute arbitrary
### Summary

Open WebUI v0.6.33 and below contains a code injection vulnerability in the Direct Connections feature that allows malicious external model servers to execute arbitrary JavaScript in victim browsers via Server-Sent Event (SSE) `execute` events. This leads to authentication token theft, complete account takeover, and when chained with the Functions API, enables remote code execution on the backend server. The attack requires the victim to enable Direct Connections (disabled by default) and add the attacker's malicious model URL, achievable through social engineering of the admin and subsequent users.

### Details

ROOT CAUSE ANALYSIS: Open WebUI's Direct Connections feature allows users to add external OpenAI-compatible model servers without proper validation of the Server-Sent Events (SSE) these servers emit.

VULNERABLE COMPONENT: Frontend SSE Event Handler

The frontend JavaScript code processes SSE events from external servers and specifically handles an `execute` eve...
### Summary

The functionality that inserts custom prompts into the chat window is vulnerable to DOM XSS when 'Insert Prompt as Rich Text' is enabled, since the prompt body is assigned to the DOM sink `.innerHTML` without sanitisation. Any user with permissions to create prompts can abuse this to plant a payload that could be triggered by other users if they run the corresponding `/` command to insert the prompt.

### Details

The affected line is https://github.com/open-webui/open-webui/blob/7a83e7dfa367d19f762ec17cac5e4a94ea2bd97d/src/lib/components/common/RichTextInput.svelte#L348

```js
export const replaceCommandWithText = async (text) => {
	const { state, dispatch } = editor.view;
	const { selection } = state;
	const pos = selection.from;

	// Get the plain text of this document
	// const docText = state.doc.textBetween(0, state.doc.content.size, '\n', '\n');

	// Find the word boundaries at cursor
	const { start, end } = getWordBoundsAtPos(state.doc, pos);

	let tr = sta...
```
Security researchers discovered multiple vulnerabilities in AI infrastructure products, including one capable of remote code execution.