All topics

vulnerability

97 pieces of writing

security · 12 min read

Gogs, PraisonAI and KnowledgeDeliver show authentication bypass is a self-hosted platform design failure

Gogs, PraisonAI and KnowledgeDeliver show why authentication bypass in self-hosted platforms is often an architectural failure, not a missing if statement.

maboloshi/github-chinese PR #692 fixed DOM XSS in translation results
vulnerability · 8 min read

RAGFlow PR #14803 removed a CWE-502 pickle RCE footgun from deserialize_b64
vulnerability · 7 min read

getsentry/XcodeBuildMCP PR #289 hardens shell escaping in MCP tool execution
vulnerability · 9 min read

getsentry/XcodeBuildMCP accepted MCP tool parameters that could reach /bin/sh -c through unsafe double-quote escaping. PR #289 replaces that path with POSIX single-quote escaping and adds regression coverage.

AReaL PR #1323 refuses the default admin API key on network-facing proxy binds
vulnerability · 9 min read

Harbor PR #236 blocks CWE-78 in remote profile downloads
vulnerability · 7 min read

Softeria ms-365-mcp-server PR #456 validates redirect_uri before Microsoft Entra forwarding
vulnerability · 7 min read

Softeria's ms-365-mcp-server forwarded client-supplied OAuth redirect_uri values to Microsoft Entra without local validation. PR #456 adds scheme checks, loopback-only HTTP defaults and an exact-match allowlist for hosted deployments.

CodeGraphContext PR #882 rejects write Cypher on /api/graph
vulnerability · 7 min read

mcp-searxng PR #71 fixed a CWE-1333 ReDoS in section extraction
vulnerability · 7 min read

NVIDIA's RAG Blueprint had a path traversal in its MCP server. We got the fix merged in three days.
vulnerability · 6 min read

A CWE-22 path traversal in NVIDIA's RAG Blueprint MCP server allowed any MCP client to read arbitrary files and ingest them into the RAG collection. We submitted the fix and NVIDIA merged it.

security · 11 min read

Seven authentication bypasses that keep shipping in 2025 and 2026: the same architectural antipatterns, rewritten in new frameworks

ics · 8 min read

CVE-2025-10492: a Java deserialisation flaw in JasperReports gives attackers remote code execution on Hitachi Energy Ellipse

Edict's file:// handler let anyone read files outside the project directory (CWE-22)
vulnerability · 5 min read

The add_remote_skill endpoint in cft0808/edict applied path traversal protection to local and relative paths but skipped the file:// branch entirely. One .resolve() and an allowed_roots check closed the gap.

AIPex's localhost daemon let any website control your browser through a WebSocket
vulnerability · 5 min read

siemens · 6 min read

Two CVEs in Siemens SICAM 8 firmware expose three product families to unauthenticated denial of service

Weekly digests

Weekly threat intelligence digest — 2026-W25

Digest

Weekly threat intelligence digest — 2026-W23

Digest

Weekly threat intelligence digest — 2026-W22

Digest

Weekly threat intelligence digest — 2026-W21

Digest

Weekly threat intelligence digest — 2026-W20

Digest

Weekly threat intelligence digest — 2026-W19

Digest

Weekly threat intelligence digest — 2026-W17

Digest

Weekly threat intelligence digest — 2026-W16

Digest

Weekly threat intelligence digest — 2026-W15

Digest

Weekly threat intelligence digest — 2026-W14

Digest

Weekly threat intelligence digest — 2026-W13

Digest

Weekly threat intelligence digest — 2026-W12

Digest

Weekly threat intelligence digest — 2026-W11

Digest

Weekly threat intelligence digest — 2026-W10

Digest

Weekly threat intelligence digest — 2026-W09

Digest

Weekly threat intelligence digest — 2026-W08

Digest

Weekly threat intelligence digest — 2026-W07

Digest

Weekly threat intelligence digest — 2026-W06

Digest

Weekly threat intelligence digest — 2026-W05

Digest

Weekly threat intelligence digest — 2026-W04

Digest

Weekly threat intelligence digest — 2026-W03

Digest

Weekly threat intelligence digest — 2026-W02

Digest

Weekly threat intelligence digest — 2025-W52

Digest

Weekly threat intelligence digest — 2025-W51

Digest

Weekly threat intelligence digest — 2025-W50

Digest

Weekly threat intelligence digest — 2025-W49

Digest

Weekly threat intelligence digest — 2025-W48

Digest

Weekly threat intelligence digest — 2025-W47

Digest

Weekly threat intelligence digest — 2025-W46

Digest

Weekly threat intelligence digest — 2025-W45

Digest

Weekly threat intelligence digest — 2025-W44

Digest

Weekly threat intelligence digest — 2025-W43

Digest

Weekly threat intelligence digest — 2025-W42

Digest

Weekly threat intelligence digest — 2025-W41

Digest

Weekly threat intelligence digest — 2025-W40

Digest

Weekly threat intelligence digest — 2025-W39

Digest

Weekly threat intelligence digest — 2025-W38

Digest

Weekly threat intelligence digest — 2025-W37

Digest

Weekly threat intelligence digest — 2025-W36

Digest

Weekly threat intelligence digest — 2025-W35

Digest

Weekly threat intelligence digest — 2025-W34

Digest

Weekly threat intelligence digest — 2025-W33

Digest

Weekly threat intelligence digest — 2025-W32

Digest

Weekly threat intelligence digest — 2025-W31

Digest

Weekly threat intelligence digest — 2025-W30

Digest

Weekly threat intelligence digest — 2025-W29

Digest

Weekly threat intelligence digest — 2025-W28

Digest

Weekly threat intelligence digest — 2025-W27

Digest

Weekly threat intelligence digest — 2025-W26

Digest

Weekly threat intelligence digest — 2025-W25

Digest

Weekly threat intelligence digest — 2025-W24

Digest

Weekly threat intelligence digest — 2025-W23

Digest

Weekly threat intelligence digest — 2025-W21

Digest

Weekly threat intelligence digest — 2025-W20

Digest

Weekly threat intelligence digest — 2025-W19

Digest

Weekly threat intelligence digest — 2025-W17

Digest

Weekly threat intelligence digest — 2025-W16

Digest

Weekly threat intelligence digest — 2025-W15

Digest

Weekly threat intelligence digest — 2025-W13

Digest

Weekly threat intelligence digest — 2025-W12

Digest

Weekly threat intelligence digest — 2025-W11

Digest

Weekly threat intelligence digest — 2025-W10

Digest

Weekly threat intelligence digest — 2025-W07

Digest

Weekly threat intelligence digest — 2025-W06

Digest

Weekly threat intelligence digest — 2025-W05

Digest

Weekly threat intelligence digest — 2025-W03

Digest

Weekly threat intelligence digest — 2025-W02

Digest

Weekly threat intelligence digest — 2025-W01

Digest