Alon Barad alon710
@alon710
alon710 / CVE-2026-26017.md
Created March 6, 2026 18:40
CVE-2026-26017: CoreDNS ACL Bypass via TOCTOU in Plugin Chain - CVE Security Report

CVE-2026-26017: CoreDNS ACL Bypass via TOCTOU in Plugin Chain

CVSS Score: 7.7 | Published: 2026-03-06 | Full Report: https://cvereports.com/reports/CVE-2026-26017

Summary

A logic flaw in CoreDNS versions prior to 1.14.2 allows attackers to bypass access control lists (ACLs) via a Time-of-Check Time-of-Use (TOCTOU) condition. In the default plugin execution order, security enforcement plugins (such as acl, firewall, and opa) run before the rewrite plugin, so the policy check only ever sees the original query name. Consequently, an attacker can query a permitted domain name that the rewrite plugin subsequently rewrites to a restricted internal domain; the intended security policies are bypassed and the restricted target is resolved.

TL;DR

@alon710
alon710 / CVE-2026-3419.md
Created March 6, 2026 18:10
CVE-2026-3419: Content-Type Validation Bypass in Fastify via Missing Regex Anchor - CVE Security Report

CVE-2026-3419: Content-Type Validation Bypass in Fastify via Missing Regex Anchor

CVSS Score: 5.3 | Published: 2026-03-05 | Full Report: https://cvereports.com/reports/CVE-2026-3419

Summary

Fastify, a high-performance web framework for Node.js, contains a validation bypass vulnerability in its Content-Type header parsing logic. Due to an incomplete regular expression in lib/content-type.js, the framework fails to enforce the end-of-string anchor ($) when validating media subtypes. This omission allows attackers to supply malformed Content-Type headers containing illegal trailing characters (e.g., "application/json garbage"), which Fastify incorrectly accepts as valid. This behavior violates RFC 9110 §8.3.1 and can lead to parser confusion, where malicious payloads are routed to the wrong content parser, potentially bypassing security controls or triggering unexpected application behavior.

TL;DR

@alon710
alon710 / CVE-2026-29783.md
Created March 6, 2026 17:10
CVE-2026-29783: Command Injection via Bash Parameter Expansion in GitHub Copilot CLI - CVE Security Report

CVE-2026-29783: Command Injection via Bash Parameter Expansion in GitHub Copilot CLI

CVSS Score: 7.5 | Published: 2026-03-06 | Full Report: https://cvereports.com/reports/CVE-2026-29783

Summary

A critical command injection vulnerability exists in the GitHub Copilot CLI's shell safety assessment layer, affecting versions 0.0.422 and prior. The vulnerability allows attackers to bypass the CLI's "read-only" safety checks by leveraging advanced Bash parameter expansion features, specifically prompt expansion (${var@P}) and assignment operators. When the CLI processes a seemingly benign command containing these payloads, the shell evaluates the expansion, resulting in arbitrary code execution on the user's workstation.

TL;DR

@alon710
alon710 / GHSA-FWHJ-785H-43HH.md
Created March 6, 2026 05:10
GHSA-FWHJ-785H-43HH: Denial of Service via Null Pointer Dereference in OliveTin - CVE Security Report

GHSA-FWHJ-785H-43HH: Denial of Service via Null Pointer Dereference in OliveTin

CVSS Score: 7.5 | Published: 2026-03-05 | Full Report: https://cvereports.com/reports/GHSA-FWHJ-785H-43HH

Summary

A Null Pointer Dereference vulnerability has been identified in OliveTin, an open-source web interface for shell commands. The flaw lies in the API handlers responsible for action execution and management and allows unauthenticated remote attackers to trigger a server-side panic. By manipulating the sequence of API calls, an attacker can create an invalid internal state that crashes the application process, resulting in a Denial of Service (DoS).

TL;DR

@alon710
alon710 / CVE-2026-2833.md
Created March 6, 2026 04:40
CVE-2026-2833: HTTP Request Smuggling via Premature Upgrade in Cloudflare Pingora - CVE Security Report

CVE-2026-2833: HTTP Request Smuggling via Premature Upgrade in Cloudflare Pingora

CVSS Score: 9.3 | Published: 2026-03-05 | Full Report: https://cvereports.com/reports/CVE-2026-2833

Summary

A critical HTTP request smuggling vulnerability exists in Cloudflare Pingora versions prior to v0.8.0 due to improper handling of HTTP connection upgrades. The proxy prematurely transitions to a blind tunneling state upon observing an 'Upgrade' header in a client request, without waiting for the upstream server's confirmation (101 Switching Protocols). This allows attackers to desynchronize the connection state between the proxy and the backend, enabling the smuggling of arbitrary HTTP requests that bypass security controls, WAFs, and authentication layers.

TL;DR

@alon710
alon710 / CVE-2026-2835.md
Created March 6, 2026 04:10
CVE-2026-2835: HTTP Request Smuggling in Cloudflare Pingora - CVE Security Report

CVE-2026-2835: HTTP Request Smuggling in Cloudflare Pingora

CVSS Score: 9.3 | Published: 2026-03-05 | Full Report: https://cvereports.com/reports/CVE-2026-2835

Summary

A critical HTTP Request Smuggling vulnerability (CWE-444) exists in Cloudflare Pingora versions prior to 0.8.0. The vulnerability stems from non-compliant parsing of HTTP/1.0 request bodies and ambiguous 'Transfer-Encoding' headers. By crafting malicious HTTP requests that exploit these framing inconsistencies, unauthenticated attackers can desynchronize the proxy from backend servers, leading to cache poisoning, security control bypasses, and potential session hijacking.

TL;DR

@alon710
alon710 / GHSA-7RHV-H82H-VPJH.md
Created March 6, 2026 03:40
GHSA-7RHV-H82H-VPJH: CVE-2026-30777: MFA Bypass in EC-CUBE Administrative Interface - CVE Security Report

GHSA-7RHV-H82H-VPJH: CVE-2026-30777: MFA Bypass in EC-CUBE Administrative Interface

CVSS Score: 4.9 | Published: 2026-03-05 | Full Report: https://cvereports.com/reports/GHSA-7RHV-H82H-VPJH

Summary

EC-CUBE, a widely used open-source e-commerce platform, contains a critical authentication bypass vulnerability in its Multi-Factor Authentication (MFA) implementation. The flaw allows an attacker who possesses valid administrative credentials (username and password) to bypass the secondary MFA challenge by directly accessing the MFA configuration route. This route was improperly excluded from the authentication listener's enforcement logic, allowing the attacker to overwrite the existing TOTP secret with a new one under their control, effectively taking over the administrator account.

TL;DR

@alon710
alon710 / GHSA-MH23-RW7F-V5PQ.md
Created March 6, 2026 03:10
GHSA-MH23-RW7F-V5PQ: Malicious 'time-sync' Crate Exfiltrating Environment Secrets - CVE Security Report

GHSA-MH23-RW7F-V5PQ: Malicious 'time-sync' Crate Exfiltrating Environment Secrets

CVSS Score: 9.8 | Published: 2026-03-05 | Full Report: https://cvereports.com/reports/GHSA-MH23-RW7F-V5PQ

Summary

A critical security advisory has been issued for the Rust crate time-sync, which was identified as a malicious package intended to conduct a supply chain attack. Published to crates.io, the package purported to be a time synchronization utility but contained concealed logic to locate, read, and exfiltrate sensitive .env configuration files from the host system to a remote server controlling the timeapi.io domain or a spoofed variant thereof. The crate was removed from the registry approximately 50 minutes after publication.

TL;DR

@alon710
alon710 / CVE-2025-11143.md
Created March 6, 2026 02:40
CVE-2025-11143: URI Parsing Differential in Eclipse Jetty - CVE Security Report

CVE-2025-11143: URI Parsing Differential in Eclipse Jetty

CVSS Score: 3.7 | Published: 2026-03-05 | Full Report: https://cvereports.com/reports/CVE-2025-11143

Summary

A URI parsing vulnerability exists in Eclipse Jetty's HttpURI class where the parser's state machine deviates from RFC 3986 standards. This discrepancy leads to differential parsing issues, specifically regarding the prioritization of delimiters (such as #, ?, and @) and the validation of URI schemes. Attackers can leverage these inconsistencies to craft URIs that are interpreted differently by Jetty than by intermediary security devices (WAFs, load balancers), potentially leading to protection bypasses, host confusion, or Server-Side Request Forgery (SSRF) scenarios.

TL;DR

@alon710
alon710 / GHSA-X2G5-FVC2-GQVP.md
Created March 6, 2026 02:10
GHSA-X2G5-FVC2-GQVP: Insufficient Bcrypt Salt Rounds in Flowise - CVE Security Report

GHSA-X2G5-FVC2-GQVP: Insufficient Bcrypt Salt Rounds in Flowise

CVSS Score: Medium | Published: 2026-03-05 | Full Report: https://cvereports.com/reports/GHSA-X2G5-FVC2-GQVP

Summary

Flowise, an open-source low-code tool for LLM applications, contains a cryptographic weakness where user passwords were hashed using bcrypt with an insufficient work factor (salt rounds). Versions prior to 2.2.6 defaulted to 5 salt rounds, significantly below industry standards. This low computational cost allows attackers who obtain the database to crack password hashes via offline brute-force attacks at high speeds.

TL;DR