<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Vulnerability Spoiler Alert</title>
    <link>https://spaceraccoon.github.io/vulnerability-spoiler-alert</link>
    <description>AI-powered early warning for open-source security patches — before the CVE drops.</description>
    <language>en-us</language>
    <lastBuildDate>Fri, 17 Apr 2026 01:52:35 GMT</lastBuildDate>
    <atom:link href="https://spaceraccoon.github.io/vulnerability-spoiler-alert/feed.xml" rel="self" type="application/rss+xml"/>
    <item>
      <title>[MEDIUM] Denial of Service (Stack Overflow) in nodejs/node</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/127</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/127</guid>
      <pubDate>Tue, 31 Mar 2026 08:11:46 GMT</pubDate>
      <description>The yaml library before 2.8.3 was vulnerable to a stack overflow during node composition when parsing deeply nested or recursive YAML structures. An attacker could craft a malicious YAML document that causes the parser to recurse deeply enough to exhaust the call stack, crashing the Node.js process. The fix adds stack overflow detection during node composition.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Cross-Site Scripting (XSS) / Code Injection in facebook/react</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/126</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/126</guid>
      <pubDate>Mon, 30 Mar 2026 17:16:08 GMT</pubDate>
      <description>The compiler playground parsed user-supplied config overrides using `new Function(...)`, which executes arbitrary JavaScript code in the browser context. An attacker could craft a malicious URL with a base64-encoded config payload containing arbitrary JS, which when shared and opened by a victim, would execute the attacker&apos;s code in the victim&apos;s browser. The patch replaces `new Function(...)` with JSON5 parsing, which only allows data literals and rejects executable code.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Denial of Service (Unbounded Request Body) in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/125</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/125</guid>
      <pubDate>Mon, 30 Mar 2026 12:36:49 GMT</pubDate>
      <description>The OFREP endpoint&apos;s `validateNamespace` function used `io.ReadAll(r.Body)` without any size limit, allowing an attacker to send arbitrarily large request bodies that would be fully read into memory. This could exhaust server memory and cause a denial of service. The fix applies `http.MaxBytesReader` to limit the body to 1 MiB before reading.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Null Pointer Dereference / Process Crash in nodejs/node</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/124</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/124</guid>
      <pubDate>Sun, 29 Mar 2026 12:03:25 GMT</pubDate>
      <description>When an ArrayBufferView backed by a zero-length ArrayBuffer (which has a null backing store data pointer) is passed to crypto functions like cipher.update(), the code unconditionally dereferenced the buffer&apos;s data pointer without checking for null. This caused a process crash (SIGSEGV/access violation). The patch adds a null check so that when buf_data is null, stack_storage_ is used as a fallback, preventing the crash.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Denial of Service (Resource Exhaustion) in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/123</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/123</guid>
      <pubDate>Fri, 27 Mar 2026 14:45:04 GMT</pubDate>
      <description>The fill resampling feature in Grafana&apos;s SQL datasources (MySQL, PostgreSQL, MSSQL) could be exploited to cause excessive memory allocation. By crafting a query with a very large time range and a very small fill interval (e.g., time range spanning years with millisecond intervals), an attacker could trigger `sqlutil.ResampleWideFrame` to allocate an enormous number of data points, exhausting server memory and causing a denial of service. The patch adds a guard that skips the fill operation if the number of fill points would exceed the configured row limit.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Sensitive Data Exposure in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/122</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/122</guid>
      <pubDate>Fri, 27 Mar 2026 08:29:30 GMT</pubDate>
      <description>When a user creates a Kubernetes resource containing inline secure values (raw secrets) via kubectl apply, the kubectl client automatically stores the full object including the raw secret value in the `kubectl.kubernetes.io/last-applied-configuration` annotation. This annotation is persisted in the API server and can be read back by anyone with read access to the resource, effectively leaking the raw secret value. The patch clears this annotation when a raw secret is detected in the inline secure values section, preventing the secret from being stored in plaintext in the annotation.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Use-After-Free in nodejs/node</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/121</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/121</guid>
      <pubDate>Thu, 26 Mar 2026 22:22:17 GMT</pubDate>
      <description>The Reset() method in Node.js&apos;s zlib binding did not check the write_in_progress_ flag before resetting the compression stream. This allowed calling reset() while an async write was being processed by a worker thread, causing the internal zlib/brotli state to be freed while still in use, resulting in a use-after-free condition that could lead to memory corruption or process crash. The fix adds a guard that throws an error if a write is in progress, consistent with how Close() and Write() already behave.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Broken Access Control / Authorization Bypass in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/120</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/120</guid>
      <pubDate>Thu, 26 Mar 2026 09:05:25 GMT</pubDate>
      <description>Before this patch, the Kubernetes-style IAM API endpoint `/apis/iam.grafana.app/v0alpha1/namespaces/{ns}/users/{name}/teams` used the generic `ResourceAuthorizer` which only checked `get` permission on the `users` resource itself, but did not properly enforce the `teams` subresource authorization. According to the commit, the RBAC service would ignore the &apos;teams&apos; subresource check, meaning any user with generic `users:read` permission could potentially access team membership data for users they shouldn&apos;t be able to see. The patch adds a dedicated `UserAuthorizer` that explicitly checks `get` permission on the parent user when the `teams` subresource is requested.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Broken Access Control / Information Disclosure in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/119</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/119</guid>
      <pubDate>Wed, 25 Mar 2026 16:21:48 GMT</pubDate>
      <description>The `/api/alertmanager/grafana/api/v2/status` endpoint was protected by the `alert.notifications:read` permission, which is granted to Viewers and Editors by default. This allowed any authenticated user (including low-privileged Viewers) to access Alertmanager system status information including routing configuration, receivers configuration, and other sensitive system details. The patch replaces this with a new dedicated `alert.notifications.system-status:read` permission that is only granted to Admin users.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Authorization Bypass / Improper Access Control in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/118</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/118</guid>
      <pubDate>Wed, 25 Mar 2026 14:48:37 GMT</pubDate>
      <description>Before the patch, the `validateWriteAccess` function did not handle `JobActionFixFolderMetadata` in its switch statement, meaning it fell through to the `default` case which applies no ref-based restriction. This allowed users to trigger a fix-folder-metadata job that would write directly to the default/main branch even when the repository was configured with only a &apos;branch&apos; workflow (meaning the default branch should be read-only). The patch adds the missing case to extract the target ref from `FixFolderMetadata.Ref` and apply proper write permission checks.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Permission Model Bypass in nodejs/node</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/117</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/117</guid>
      <pubDate>Tue, 24 Mar 2026 22:57:48 GMT</pubDate>
      <description>The Node.js Permission Model&apos;s `--allow-fs-read` restriction could be bypassed by using `fs.realpath.native()` instead of `fs.realpath()`. Before the patch, `RealPath` in node_file.cc lacked permission checks for both the async and sync code paths, allowing an attacker to read/resolve file paths that should be blocked by the permission model. The patch adds `ASYNC_THROW_IF_INSUFFICIENT_PERMISSIONS` and `THROW_IF_INSUFFICIENT_PERMISSIONS` checks to enforce the `kFileSystemRead` permission scope.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Permission Model Bypass in nodejs/node</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/116</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/116</guid>
      <pubDate>Tue, 24 Mar 2026 22:57:35 GMT</pubDate>
      <description>The Node.js Permission Model (introduced with --experimental-permission flag) did not enforce filesystem read/write permission checks on several `fs/promises` API functions including `lstat`, `fchmod`, and `fchown`. This allowed an attacker to bypass the permission model by using the promise-based filesystem API instead of the callback/sync APIs, which did have proper permission checks. The patch adds the missing permission checks to `lstat` (read permission) and disables `fchmod`/`fchown` entirely when the Permission Model is enabled.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Denial of Service (Crash/Abort) in nodejs/node</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/115</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/115</guid>
      <pubDate>Tue, 24 Mar 2026 22:57:15 GMT</pubDate>
      <description>Before the patch, `url.format()` called `CHECK(out)` after attempting to re-parse a URL string with `ada::parse&lt;ada::url&gt;`. If the URL (originally parsed by `ada::url_aggregator`) could not be re-parsed by `ada::url` (e.g., special scheme URLs with opaque paths like `ws:xn-ȫ`), the CHECK macro would trigger an abort/crash of the Node.js process. The patch replaces the hard crash with a graceful fallback that returns the original href unmodified.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Uncaught Exception / Denial of Service in nodejs/node</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/114</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/114</guid>
      <pubDate>Tue, 24 Mar 2026 22:57:03 GMT</pubDate>
      <description>Before the patch, if an SNICallback function threw a synchronous exception during TLS handshake processing in loadSNI(), the exception would propagate as an uncaught exception, crashing the Node.js process. The patch wraps the owner._SNICallback() invocation in a try/catch block, routing any thrown exceptions through owner.destroy() instead. A remote unauthenticated attacker can crash any Node.js TLS server by sending a TLS ClientHello with a crafted server_name value that causes the SNICallback to throw.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Permission Model Bypass in nodejs/node</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/113</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/113</guid>
      <pubDate>Tue, 24 Mar 2026 22:56:45 GMT</pubDate>
      <description>Node.js&apos;s permission model (--permission flag) failed to enforce network access controls for Unix Domain Socket (UDS) connections and server listeners via pipe_wrap.cc. Before the patch, calling net.createServer().listen(&apos;/tmp/sock&apos;) or net.connect({path:&apos;/tmp/sock&apos;}) would succeed even when --allow-net was not granted, bypassing the intended permission restrictions. The patch adds THROW_IF_INSUFFICIENT_PERMISSIONS checks to PipeWrap::Bind and PipeWrap::Listen to enforce the kNet permission scope.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Denial of Service via Prototype Pollution in nodejs/node</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/112</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/112</guid>
      <pubDate>Tue, 24 Mar 2026 22:56:32 GMT</pubDate>
      <description>When `headersDistinct` or `trailersDistinct` was accessed on an IncomingMessage, the destination object was initialized as a plain `{}` which inherits from `Object.prototype`. If a request included a `__proto__` header, `dst[&quot;__proto__&quot;]` would resolve to `Object.prototype` (a truthy object rather than undefined), causing `_addHeaderLineDistinct` to call `.push()` on `Object.prototype` instead of an array, throwing an uncaught TypeError that crashes the Node.js process. The fix uses `{ __proto__: null }` to create a null-prototype object, preventing prototype chain lookups.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Timing Side-Channel Attack (HMAC/KMAC Verification) in nodejs/node</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/111</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/111</guid>
      <pubDate>Tue, 24 Mar 2026 22:56:15 GMT</pubDate>
      <description>The Web Cryptography API&apos;s HMAC and KMAC `verify` operations used the non-constant-time `memcmp` function to compare the computed MAC against the provided signature. This allowed timing-based side-channel attacks where an attacker could measure response times to infer byte-by-byte information about the expected MAC value. The patch replaces `memcmp` with `CRYPTO_memcmp`, which executes in constant time regardless of where the comparison fails.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Memory Leak / Resource Exhaustion (DoS) in nodejs/node</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/110</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/110</guid>
      <pubDate>Tue, 24 Mar 2026 22:55:57 GMT</pubDate>
      <description>A malicious HTTP/2 client could send a WINDOW_UPDATE frame on stream 0 (connection level) with an increment that pushes the flow-control window past 2^31-1. nghttp2 internally responds with GOAWAY(FLOW_CONTROL_ERROR) but Node.js&apos;s OnInvalidFrame callback did not handle NGHTTP2_ERR_FLOW_CONTROL, so the Http2Session was never destroyed, causing a memory leak. An attacker can exploit this to exhaust server memory by repeatedly opening connections and sending the malicious frame, enabling denial of service.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Hash Collision / Denial of Service in nodejs/node</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/109</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/109</guid>
      <pubDate>Tue, 24 Mar 2026 22:55:39 GMT</pubDate>
      <description>V8&apos;s array index hash values for numeric strings were predictable because they directly encoded the integer value and string length without randomization. Consecutive numeric string keys (e.g., &apos;0&apos;, &apos;1&apos;, &apos;2&apos;, ...) would have consecutive hash values, allowing an attacker to craft inputs that cause O(n^2) hash table probe collisions. This patch adds seeded scrambling of the 24-bit array-index value in Name&apos;s raw_hash_field using a 3-round xorshift-multiply scheme with random secrets derived from rapidhash, preventing an attacker from predicting hash distributions. This is tracked as CVE-2026-21717.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Multiple: Timing Attack, Prototype Pollution, Permission Bypass, DoS, TLS Error Handling in nodejs/node</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/108</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/108</guid>
      <pubDate>Tue, 24 Mar 2026 20:47:40 GMT</pubDate>
      <description>This commit patches multiple security vulnerabilities in Node.js 20.x LTS including: (1) CVE-2026-21713: timing-unsafe HMAC comparison in Web Crypto allowing key extraction via timing oracle; (2) CVE-2026-21710: missing null prototype for HTTP headers objects enabling prototype pollution; (3) CVE-2026-21716/21715: missing permission checks in fs.promises and realpath.native bypassing Node.js permission model; (4) CVE-2026-21714: unhandled NGHTTP2_ERR_FLOW_CONTROL causing HTTP/2 DoS; (5) CVE-2026-21637: uncaught SNICallback exception crashing TLS server.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Multiple: Prototype Pollution, Timing Side-Channel, DoS, Permission Bypass, Hash Collision in nodejs/node</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/107</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/107</guid>
      <pubDate>Tue, 24 Mar 2026 20:28:54 GMT</pubDate>
      <description>This commit patches multiple CVEs in Node.js 22 LTS. The highest severity issues include CVE-2026-21710 (prototype pollution via HTTP headers using null prototype for headersDistinct/trailersDistinct) and CVE-2026-21637 (uncaught exception DoS via SNICallback). The patch also fixes a timing side-channel in HMAC comparison (CVE-2026-21713), permission bypass in fs.promises and realpath.native (CVE-2026-21715/16), HTTP/2 flow control error handling (CVE-2026-21714), and a V8 array index hash collision (CVE-2026-21717).</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Prototype Pollution in nodejs/node</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/106</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/106</guid>
      <pubDate>Tue, 24 Mar 2026 20:28:37 GMT</pubDate>
      <description>The HTTP module used regular objects for headersDistinct and trailersDistinct, which are populated with header names as keys. An attacker could send HTTP headers with names like &apos;__proto__&apos;, &apos;constructor&apos;, or &apos;toString&apos; to pollute the Object prototype, potentially affecting all objects in the Node.js process. The fix uses null-prototype objects (Object.create(null)) to prevent prototype chain pollution.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Prototype Pollution in nodejs/node</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/105</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/105</guid>
      <pubDate>Tue, 24 Mar 2026 20:28:21 GMT</pubDate>
      <description>The HTTP module used regular objects (with Object.prototype) for headersDistinct and trailersDistinct, which could allow an attacker to pollute the prototype chain by sending HTTP headers with names like &apos;__proto__&apos; or &apos;constructor&apos;. The fix uses null-prototype objects (Object.create(null)) to prevent prototype pollution attacks. This could lead to security bypasses or unexpected behavior in applications that rely on HTTP header processing.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Authentication Bypass in nginx/nginx</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/104</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/104</guid>
      <pubDate>Tue, 24 Mar 2026 15:49:30 GMT</pubDate>
      <description>In the nginx stream SSL module, the OCSP (Online Certificate Status Protocol) certificate revocation check was not being performed during client certificate validation. The code would verify the certificate chain but skip the OCSP status check, allowing clients with revoked certificates to successfully authenticate. The patch adds the missing `ngx_ssl_ocsp_get_status()` call that properly checks and enforces OCSP certificate revocation status.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Integer Overflow leading to Out-of-Bounds Read/Write in nginx/nginx</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/103</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/103</guid>
      <pubDate>Tue, 24 Mar 2026 14:49:11 GMT</pubDate>
      <description>On 32-bit platforms, multiplying a uint32_t `entries` value by the size of a struct (also size_t/32-bit) could overflow before being compared to the uint64_t `atom_data_size`. This allowed an attacker to craft a malicious MP4 file with a large entries count that, after overflow, appeared to pass the size validation check, causing nginx to process entries beyond the allocated buffer boundaries with out-of-bounds reads and writes. The fix casts `entries` to uint64_t before multiplication to prevent the overflow.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Heap Buffer Overflow in nginx/nginx</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/102</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/102</guid>
      <pubDate>Tue, 24 Mar 2026 14:48:53 GMT</pubDate>
      <description>When nginx WebDAV module (ngx_http_dav_module) processed COPY or MOVE requests with an alias directive configured, supplying a Destination header with a URI shorter than the alias prefix caused an integer underflow in ngx_http_map_uri_to_path(). The underflow resulted in a heap buffer overwrite, which could allow an attacker to manipulate source or destination file paths to be outside the configured location root (path traversal via memory corruption). The patch adds a validation check that rejects Destination URIs shorter than the alias length before the vulnerable path mapping occurs.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Header Injection / SMTP Injection in nginx/nginx</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/101</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/101</guid>
      <pubDate>Tue, 24 Mar 2026 14:48:33 GMT</pubDate>
      <description>Before the patch, when nginx&apos;s mail module resolved a client&apos;s IP address to a hostname, it used the resolved hostname without validation in auth_http requests and SMTP proxy communications. An attacker controlling DNS responses could return a hostname containing newlines, spaces, or other special characters, enabling injection of arbitrary headers into auth_http requests or arbitrary SMTP commands into the proxied SMTP session. The patch validates that the resolved hostname only contains RFC 1034-compliant characters (letters, digits, hyphens, dots).</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Null Pointer Dereference in nginx/nginx</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/100</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/100</guid>
      <pubDate>Tue, 24 Mar 2026 14:48:12 GMT</pubDate>
      <description>When authenticating with CRAM-MD5 or APOP methods, the code set `s-&gt;passwd.data = NULL` but did not reset `s-&gt;passwd.len`. On a subsequent authentication attempt, the non-zero length would cause the code to attempt to use the null pointer as if it pointed to valid password data, resulting in a null pointer dereference and worker process crash. The fix uses `ngx_str_null(&amp;s-&gt;passwd)` which correctly zeroes both the data pointer and the length.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Buffer Overread/Overwrite in nginx/nginx</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/99</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/99</guid>
      <pubDate>Tue, 24 Mar 2026 14:23:08 GMT</pubDate>
      <description>The nginx mp4 module had off-by-one errors in bounds checking for stco and co64 atoms. When `trak-&gt;start_chunk` equaled `trak-&gt;chunks` (i.e., pointing exactly past the end of the chunks array), the old check `trak-&gt;start_chunk &gt; trak-&gt;chunks` would pass, allowing out-of-bounds memory access. Similarly, empty stsz sample arrays could be processed leading to buffer overread/overwrite. The patch changes `&gt;` to `&gt;=` to properly reject these boundary cases.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Denial of Service (Resource Exhaustion) in rails/rails</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/98</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/98</guid>
      <pubDate>Mon, 23 Mar 2026 22:25:24 GMT</pubDate>
      <description>Before the patch, an attacker could send an HTTP Range request with an arbitrarily large byte range (e.g., &apos;bytes=0-&apos; on a large file) and the server would attempt to download and buffer the entire requested range into memory before sending it. This could exhaust server memory and cause a denial of service. The patch adds a `ranges_valid?` check that rejects any byte ranges whose total size exceeds 100MB (configurable via `ActiveStorage.streaming_chunk_max_size`).</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Denial of Service (DoS) via Multi-Range HTTP Requests in rails/rails</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/97</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/97</guid>
      <pubDate>Mon, 23 Mar 2026 22:25:09 GMT</pubDate>
      <description>The ActiveStorage streaming controller allowed multi-range HTTP byte range requests without limiting the number of ranges. An attacker could send a request with thousands of byte ranges, causing the server to download and assemble many chunks from storage in memory, exhausting server resources and potentially causing a DoS. The patch adds a configurable `streaming_max_ranges` limit (defaulting to 1) that rejects requests with more ranges than allowed.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Denial of Service (ReDoS/Resource Exhaustion) in rails/rails</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/96</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/96</guid>
      <pubDate>Mon, 23 Mar 2026 22:24:56 GMT</pubDate>
      <description>BigDecimal in Ruby supports scientific notation (e.g., &apos;9e99999999&apos;), allowing an attacker to pass a short string that causes BigDecimal to allocate an enormous amount of memory when converting the number. Before the patch, any user-controlled string passed to number helper functions (like number_to_currency or number_to_percentage) could trigger this via BigDecimal(number). The patch rejects strings containing &apos;e&apos; or &apos;d&apos; (scientific notation indicators) before attempting BigDecimal conversion.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Improper Input Validation / Internal State Manipulation in rails/rails</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/95</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/95</guid>
      <pubDate>Mon, 23 Mar 2026 22:24:41 GMT</pubDate>
      <description>Before the patch, users could set protected metadata keys (analyzed, identified, composed) during a direct upload by including them in the metadata parameter. These keys control internal Active Storage state (e.g., whether a blob has been analyzed or identified), so a malicious user could set &apos;analyzed: true&apos; or &apos;identified: true&apos; to bypass file analysis/identification steps that might enforce security policies. The patch filters out these protected keys from user-supplied metadata in create_before_direct_upload!.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] XSS (Cross-Site Scripting) in rails/rails</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/94</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/94</guid>
      <pubDate>Mon, 23 Mar 2026 22:24:27 GMT</pubDate>
      <description>The `SafeBuffer#%` method failed to preserve the unsafe status of a SafeBuffer when used for string formatting. Before the patch, formatting an unsafe SafeBuffer (one that had been marked unsafe after mutation via gsub!, etc.) would return a new SafeBuffer that was incorrectly marked as html_safe?, allowing unescaped user input to be rendered as raw HTML. The fix propagates the `@html_unsafe` flag to the result of `%` formatting.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Path Traversal in rails/rails</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/93</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/93</guid>
      <pubDate>Mon, 23 Mar 2026 22:23:58 GMT</pubDate>
      <description>ActiveStorage&apos;s DiskService allowed path traversal via blob keys containing segments like &apos;../../etc/passwd&apos;. The `path_for` method directly joined the root directory with user-controlled key values without validating that the resolved path stayed within the storage root, allowing attackers to read or write arbitrary files on the server filesystem. The patch adds validation that rejects keys with dot segments and verifies the resolved path remains within the storage root directory.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Glob Injection / Arbitrary File Deletion in rails/rails</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/92</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/92</guid>
      <pubDate>Mon, 23 Mar 2026 22:23:41 GMT</pubDate>
      <description>Before the patch, `DiskService#delete_prefixed` passed a user-influenced blob key directly into `Dir.glob` without escaping glob metacharacters. If a blob key contained characters like `*`, `?`, `[`, `]`, `{`, or `}`, the glob expansion could match and delete unintended files on the filesystem. The patch escapes all glob metacharacters in the resolved path before passing it to `Dir.glob`.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Mutation XSS (mXSS) in rails/rails</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/91</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/91</guid>
      <pubDate>Mon, 23 Mar 2026 22:23:25 GMT</pubDate>
      <description>When a blank string is used as an HTML attribute name in Rails Action View tag helpers, `xml_name_escape` returns an empty string, producing malformed HTML like `&amp;lt;img src=&quot;/safe.png&quot; =&quot;/onerror=alert(1)&quot;&amp;gt;`. This malformed HTML can be parsed differently by different HTML parsers, enabling mutation XSS attacks where a browser&apos;s HTML parser interprets the malformed attribute as executable code. The patch fixes this by skipping blank attribute keys before they are rendered into HTML.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] XSS (Cross-Site Scripting) in rails/rails</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/90</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/90</guid>
      <pubDate>Mon, 23 Mar 2026 22:23:09 GMT</pubDate>
      <description>The debug exceptions layout template used `raw` to output the exception message inside a `&amp;lt;script type=&quot;text/plain&quot;&amp;gt;` tag without HTML escaping. An attacker who can trigger an exception with a crafted message containing HTML/JavaScript could inject arbitrary script tags that would be rendered in the browser. The patch removes `raw` to use default ERB HTML escaping, ensuring special characters like `&amp;lt;`, `&amp;gt;` are escaped.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Broken Access Control / Privilege Escalation in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/89</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/89</guid>
      <pubDate>Fri, 20 Mar 2026 23:04:40 GMT</pubDate>
      <description>Before this patch, the GET /api/alertmanager/grafana/config/api/v1/alerts endpoint (which returns the raw Alertmanager configuration blob, potentially containing sensitive credentials like SMTP passwords, webhook secrets, and API tokens) was accessible to any user with the broad &apos;alert.notifications:read&apos; permission, which was granted to Viewers and Editors. Similarly, GET /config/history and POST /config/history/{id}/_activate were accessible to users with alert.notifications:read/write. The patch restricts these endpoints to admin-only via new fine-grained RBAC actions (alert.notifications.config-history:read/write).</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Integer Overflow / Division by Zero in nodejs/node</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/88</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/88</guid>
      <pubDate>Fri, 20 Mar 2026 17:43:15 GMT</pubDate>
      <description>The patch fixes ICU-23109 in nfrule.cpp where `util64_pow(rule1-&amp;gt;radix, rule1-&amp;gt;exponent)` could overflow to zero, causing a subsequent modulo-by-zero operation (`rule1-&amp;gt;baseValue % util64_pow(rule1-&amp;gt;radix, rule1-&amp;gt;exponent)`). While there was already a comment about preventing `% 0`, the existing check `rule1-&amp;gt;radix != 0` did not guard against the case where the power computation itself overflows to zero. The patch introduces a pre-computed `mod` variable with an explicit overflow check, returning an error status if mod is zero.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[CRITICAL] XML Signature Wrapping / Authentication Bypass in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/87</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/87</guid>
      <pubDate>Fri, 20 Mar 2026 09:44:54 GMT</pubDate>
      <description>GHSA-479m-364c-43vc describes a vulnerability in github.com/russellhaering/goxmldsig (used for SAML XML digital signature validation) where an attacker could bypass XML signature verification. The library also depends on github.com/beevik/etree for XML parsing, and the combination of versions before this fix allowed signature wrapping attacks where a malicious SAML response could include a valid signature over one element while the actual authenticated data came from a different, attacker-controlled element. This allowed authentication bypass in Grafana&apos;s SAML SSO implementation.</description>
      <category>critical</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Open Redirect in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/86</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/86</guid>
      <pubDate>Thu, 19 Mar 2026 11:55:47 GMT</pubDate>
      <description>The Grafana short URL feature allowed authenticated users to create short URLs with arbitrary target paths, including external URLs like `http://evil.com` or protocol-relative URLs like `//evil.com`. When a victim clicked a Grafana short URL, they would be silently redirected to the attacker-controlled external domain. The patch adds validation at both creation time and redirect time to ensure paths are always relative and cannot contain schemes, protocol-relative prefixes, or other external URL patterns.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Denial of Service / HTTP/2 Protocol Vulnerability in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/85</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/85</guid>
      <pubDate>Thu, 19 Mar 2026 10:26:36 GMT</pubDate>
      <description>This commit patches CVE-2026-33186 in the google.golang.org/grpc library by upgrading from v1.79.1 to v1.79.3. The vulnerability exists in the gRPC-Go HTTP/2 implementation and can be exploited to cause a denial of service condition. The patch updates the dependency across multiple Go modules in the Grafana repository to remediate the vulnerability.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Improper Access Control / Authentication Bypass in apache/httpd</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/84</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/84</guid>
      <pubDate>Wed, 18 Mar 2026 20:59:05 GMT</pubDate>
      <description>The original example configuration had &apos;Require all granted&apos; at the Directory level, which grants unauthenticated access to all users by default. The LimitExcept block only required authentication for non-GET/POST/OPTIONS methods, but the outer &apos;Require all granted&apos; could override authentication requirements depending on configuration context. The patch removes &apos;Require all granted&apos; and replaces the LimitExcept approach with a RequireAny block that properly requires either the correct HTTP method OR an authenticated admin user, ensuring write operations require authentication.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Authorization Bypass / Privilege Escalation in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/83</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/83</guid>
      <pubDate>Wed, 18 Mar 2026 11:30:36 GMT</pubDate>
      <description>Before the patch, a resource manager could be changed directly from one manager to another (e.g., from repo:abc to terraform:xyz) in a single update operation without going through a remove-then-add workflow. This allowed one management system (e.g., Terraform) to silently take over resources managed by another system (e.g., a Git repository), potentially leading to unauthorized control over managed resources and unpredictable reconciliation conflicts. The patch adds an explicit check that blocks any update where both old and new objects have a manager set but with different values, returning HTTP 403.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Broken Access Control in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/82</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/82</guid>
      <pubDate>Tue, 17 Mar 2026 23:42:42 GMT</pubDate>
      <description>Before this patch, the Grafana Live push endpoint (`/api/live/push/:streamId`) had no RBAC authorization check, allowing any authenticated user (including Viewers) to push metrics and events to Grafana Live streams. The patch adds an `authorize(ac.EvalPermission(ac.ActionLivePush))` middleware that restricts this endpoint to users with the `live:push` permission (granted to Editors and Admins by default).</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Cross-Origin Request Forgery / Unauthorized Access to Dev Resources in vercel/next.js</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/81</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/81</guid>
      <pubDate>Tue, 17 Mar 2026 23:13:17 GMT</pubDate>
      <description>Before this patch, Next.js development servers only warned (but did not block) cross-origin requests to internal dev assets and endpoints (/_next/*, /__nextjs*) when `allowedDevOrigins` was not configured. An attacker could craft a malicious webpage that loads or interacts with internal dev-only resources (HMR WebSocket, error feedback endpoints, internal chunks) from any origin. The patch changes the default behavior from warn-only to blocking with a 403 response, preventing unauthorized cross-origin access to dev server internals.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Authentication Bypass in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/80</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/80</guid>
      <pubDate>Tue, 17 Mar 2026 19:06:19 GMT</pubDate>
      <description>The MSSQL connection string was built by directly concatenating the username and password without escaping special characters. Since semicolons are used as key-value delimiters in the connection string, a password containing a semicolon would be truncated at the semicolon, allowing authentication bypass or connection to unintended databases. For example, a password like `StrongPass;database=other` would cause the driver to parse `database=other` as a separate connection string parameter.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Authorization Bypass / Privilege Escalation in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/79</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/79</guid>
      <pubDate>Tue, 17 Mar 2026 15:19:41 GMT</pubDate>
      <description>The provisioning API&apos;s `UpdateContactPoint` endpoint did not perform authorization checks for protected fields (e.g., webhook URLs, API keys) before the patch. Any user with access to the provisioning API could modify protected/sensitive fields in contact points without the required `receivers:update.protected` permission, bypassing the security controls enforced by the regular receiver API. The patch adds a `checkProtectedFields` method that verifies the user has appropriate permissions before allowing modifications to protected fields.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[LOW] Input Validation Bypass / Size Guard Bypass in facebook/react</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/78</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/78</guid>
      <pubDate>Tue, 17 Mar 2026 11:03:07 GMT</pubDate>
      <description>The `$B` (Blob) case in `parseModelString` did not validate that the FormData entry was actually a Blob before returning it. Since `FormData.get()` can return either a string or a Blob/File, an attacker could craft a malformed Server Action payload that stores a large string under a key and references it via `$B`, bypassing the `bumpArrayCount` size guard that applies to regular string values. The patch adds an `instanceof Blob` check that throws an error if the backing entry is not a real Blob, closing this bypass. While the PR notes this doesn&apos;t produce meaningful amplification on its own, it is a defense-in-depth fix against potential combined attacks.</description>
      <category>low</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Open Redirect / Server-Side Request Forgery (SSRF) in vercel/next.js</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/77</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/77</guid>
      <pubDate>Tue, 17 Mar 2026 02:21:23 GMT</pubDate>
      <description>The commit patches the compiled `http-proxy` / `follow-redirects` library bundled in Next.js, referencing security advisory GHSA-ggv3-7p47-pfv8. The vulnerability involves improper handling of HTTP redirects in the `follow-redirects` library, which could allow an attacker to manipulate redirect targets to leak sensitive request headers (such as Authorization) to unintended hosts or bypass security controls via crafted redirect responses. The patch updates the compiled bundle with fixes to the redirect handling logic.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Cross-Site Request Forgery (CSRF) in vercel/next.js</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/76</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/76</guid>
      <pubDate>Tue, 17 Mar 2026 02:21:01 GMT</pubDate>
      <description>Before the patch, when the `Origin` header was set to the string `&apos;null&apos;` (which browsers send from privacy-sensitive contexts like sandboxed iframes), Next.js would skip the CSRF origin check entirely because the code treated `&apos;null&apos;` as a missing/invalid origin and fell through without validation. This allowed an attacker to embed a sandboxed iframe that submits a Server Action cross-origin with user credentials (cookies) attached, bypassing CSRF protection. The patch now treats `&apos;null&apos;` as a valid but opaque origin and checks it against the `allowedOrigins` allowlist, blocking unauthorized cross-origin Server Action submissions from sandboxed contexts.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Cross-Site WebSocket Hijacking / CSRF in vercel/next.js</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/75</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/75</guid>
      <pubDate>Tue, 17 Mar 2026 00:49:23 GMT</pubDate>
      <description>Before the patch, WebSocket connections to Next.js dev server endpoints (e.g., /_next/webpack-hmr) were accepted from privacy-sensitive origins (e.g., pages served with &apos;sandbox&apos; CSP that sets origin to null). The old code only blocked requests when rawOrigin was truthy AND not equal to &apos;null&apos;, meaning requests with origin header &apos;null&apos; (sent by sandboxed iframes/pages) bypassed origin validation entirely. The patch fixes this by treating a &apos;null&apos; origin as a defined but non-allowed origin, causing such requests to be blocked.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Missing Authorization / Broken Access Control in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/74</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/74</guid>
      <pubDate>Mon, 16 Mar 2026 23:39:58 GMT</pubDate>
      <description>Before this patch, the Kubernetes API endpoints for dashboard snapshots (GET, LIST, DELETE, POST /create, DELETE /delete/{deleteKey}, GET /settings) used a default `ServiceAuthorizer` that did not enforce RBAC permissions for snapshot resources. Any authenticated user, regardless of their assigned permissions, could read, list, create, and delete snapshots. The patch adds a `SnapshotAuthorizer` that maps K8s verbs to Grafana RBAC actions (`snapshots:read`, `snapshots:create`, `snapshots:delete`) and applies RBAC checks to the custom HTTP routes as well.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Broken Access Control / Insecure Direct Object Reference in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/73</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/73</guid>
      <pubDate>Mon, 16 Mar 2026 19:56:58 GMT</pubDate>
      <description>Public dashboard CRUD endpoints (Delete, Update, ExistsEnabledByDashboardUid) were only checking the user&apos;s role/permissions but not validating that the public dashboard being operated on belonged to the same organization as the requesting user. This allowed an authenticated user with Editor+ permissions in Org B to delete, update, or check the existence of public dashboards belonging to Org A, without having access to the source dashboard. The patch adds org_id checks to all relevant database queries to enforce org isolation.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] XSS / Prototype Pollution in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/72</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/72</guid>
      <pubDate>Fri, 06 Mar 2026 08:43:52 GMT</pubDate>
      <description>DOMPurify 3.3.1 contained multiple security vulnerabilities: a bypass via jsdom&apos;s faulty raw-text tag parsing that could allow XSS payloads to pass through sanitization, a prototype pollution issue when working with custom elements, and a lenient config parsing issue in `_isValidAttribute`. These vulnerabilities could allow attackers to inject malicious HTML/JavaScript that bypasses DOMPurify&apos;s sanitization, leading to XSS attacks in Grafana&apos;s frontend which uses DOMPurify to sanitize user-supplied content.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Regular Expression Denial of Service (ReDoS) in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/71</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/71</guid>
      <pubDate>Fri, 06 Mar 2026 08:43:36 GMT</pubDate>
      <description>The minimatch package prior to version 3.1.2 (and related versions) contained a ReDoS vulnerability (CVE-2022-3517) where specially crafted patterns could cause catastrophic backtracking in the regular expression engine. This patch upgrades minimatch from vulnerable versions (3.0.5, 9.0.3, 5.0.1, 7.4.6) to patched versions (3.1.4, 10.2.4, 5.1.9, 7.4.9) that fix the ReDoS issue. The vulnerability could allow an attacker to cause denial of service by providing a malicious glob pattern.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Prototype Pollution in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/70</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/70</guid>
      <pubDate>Fri, 06 Mar 2026 08:23:33 GMT</pubDate>
      <description>The immutable library versions prior to 5.1.5 contained a Prototype Pollution vulnerability (Improperly Controlled Modification of Object Prototype Attributes). This allowed attackers to manipulate JavaScript object prototypes through specially crafted keys like &apos;__proto__&apos;, &apos;constructor&apos;, or &apos;prototype&apos;, potentially affecting all objects in the application. The patch upgrades immutable from 5.1.4 to 5.1.5 which fixes this vulnerability.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Use-After-Free / Memory Corruption in nodejs/node</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/69</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/69</guid>
      <pubDate>Fri, 06 Mar 2026 06:01:47 GMT</pubDate>
      <description>When pipelined HTTP requests arrive in a single TCP segment, llhttp_execute() processes all of them in one call. If a synchronous &apos;close&apos; event handler calls freeParser() mid-execution, cleanParser() nulls out parser state while llhttp_execute() is still on the call stack, causing use-after-free/null-pointer dereference crashes on subsequent callbacks. The patch adds an is_being_freed_ flag that causes the Proxy::Raw callback to return early (HPE_USER) when set, aborting llhttp_execute() before it accesses freed/nulled parser state.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] ReDoS (Regular Expression Denial of Service) in nodejs/node</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/68</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/68</guid>
      <pubDate>Tue, 03 Mar 2026 23:22:09 GMT</pubDate>
      <description>The minimatch library versions before 3.1.5 contained a ReDoS vulnerability where specially crafted glob patterns could cause catastrophic backtracking in regular expression matching, leading to excessive CPU consumption and denial of service. The fix in 3.1.5 includes limiting recursion in pattern matching to prevent exponential backtracking. However, this affects only developer tooling (clang-format), not the Node.js runtime itself, limiting real-world impact.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Path Traversal / Arbitrary File Overwrite in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/67</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/67</guid>
      <pubDate>Tue, 03 Mar 2026 15:02:11 GMT</pubDate>
      <description>The `tar` npm package versions 6.x and earlier contain a path traversal vulnerability (CVE-2024-28863 and related CVEs) where specially crafted tar archives can write files outside the intended extraction directory. By bumping `tar` from version 6.x to 7.x, this patch removes the vulnerable version and its dependency chain (including the old `cacache@^15.2.0` which depended on `tar@^6.0.2`). The vulnerability allowed an attacker to craft a malicious tarball that, when extracted, could overwrite arbitrary files on the filesystem.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Denial of Service (DoS) in django/django</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/66</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/66</guid>
      <pubDate>Tue, 03 Mar 2026 14:31:49 GMT</pubDate>
      <description>Django&apos;s URLField.to_python() used urlsplit() to detect URL schemes, which on Windows performs NFKC Unicode normalization. This normalization is disproportionately slow for inputs containing certain Unicode characters (e.g., characters like &apos;¾&apos;), allowing an attacker to craft a POST payload that causes excessive CPU consumption. The patch replaces urlsplit() with str.partition(&apos;:&apos;) for scheme detection, avoiding Unicode normalization entirely.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[LOW] Incorrect Permissions / Race Condition (umask) in django/django</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/65</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/65</guid>
      <pubDate>Tue, 03 Mar 2026 14:31:34 GMT</pubDate>
      <description>In multi-threaded Django applications, the file-based cache backend and filesystem storage used temporary umask changes (via os.umask()) to control directory permissions when creating directories. Because os.umask() is a process-wide operation, a temporary umask change in one thread could affect directory/file creation in other threads, resulting in file system objects being created with unintended (potentially overly permissive) permissions. The patch replaces the umask manipulation approach with a safe_makedirs() function that uses os.chmod() after os.mkdir() to enforce the exact requested permissions.</description>
      <category>low</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] HTTP Header Injection (CRLF Injection) in nodejs/node</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/64</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/64</guid>
      <pubDate>Mon, 02 Mar 2026 19:13:15 GMT</pubDate>
      <description>The `path` property on `ClientRequest` was only validated against `INVALID_PATH_REGEX` at construction time. After construction, an attacker (or vulnerable application code) could reassign `req.path` to include CRLF sequences (`\r\n`), which would then be flushed verbatim to the socket in `_implicitHeader()`, allowing injection of arbitrary HTTP headers or request smuggling. The patch adds a getter/setter using a symbol-backed property so validation runs on every assignment.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] CRLF Injection in nodejs/node</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/63</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/63</guid>
      <pubDate>Mon, 02 Mar 2026 13:23:35 GMT</pubDate>
      <description>The `writeEarlyHints()` function in Node.js HTTP server directly concatenated user-supplied header names and values into the raw HTTP/1.1 response without any validation. Unlike `setHeader()` and `writeHead()`, no calls to `validateHeaderName()`, `validateHeaderValue()`, or `checkInvalidHeaderChar()` were made, allowing CRLF sequences to pass through unchecked and inject arbitrary HTTP headers or entire responses. The patch adds proper validation for header names, values, and Link header URLs.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Header Injection / Information Disclosure in nodejs/node</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/62</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/62</guid>
      <pubDate>Mon, 02 Mar 2026 00:50:37 GMT</pubDate>
      <description>The cache interceptor was spreading `result.vary` headers directly into revalidation requests without filtering out `null` values. When a request header specified in the `Vary` header was absent from the original request, it was stored as `null` in the cache entry&apos;s `vary` map. Spreading this `null` value into the revalidation headers could corrupt the header object and potentially send unintended null-valued headers to the server. The patch adds a null-check guard so only present header values are forwarded during revalidation.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] ReDoS (Regular Expression Denial of Service) in nodejs/node</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/61</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/61</guid>
      <pubDate>Sun, 01 Mar 2026 14:38:38 GMT</pubDate>
      <description>This update to minimatch 10.2.4 adds mitigations for ReDoS vulnerabilities by introducing `maxGlobstarRecursion` and `maxExtglobRecursion` limits to prevent catastrophic backtracking when processing untrusted glob patterns. The README explicitly acknowledges that user-controlled glob patterns can be weaponized for DoS attacks. The patch adds depth tracking and recursion limits for extglob and globstar patterns to cap the complexity of the generated regular expressions.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Information Disclosure (Uninitialized Memory Exposure) in nodejs/node</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/60</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/60</guid>
      <pubDate>Fri, 27 Feb 2026 18:45:58 GMT</pubDate>
      <description>Before the patch, Buffer.concat() computed the total allocation size using the user-controllable `.length` property of each element, then allocated with `Buffer.allocUnsafe(length)`. For typed arrays, an attacker could spoof a larger `.length` via a getter, causing an oversized uninitialized Buffer to be returned, leaking process memory contents. The patch fixes this by using the typed array’s intrinsic byte length (`TypedArrayPrototypeGetByteLength`) and by allocating via `allocate` plus explicit zero-filling of any slack.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Improper Authentication / Cryptographic Token Misbinding (QUIC Stateless Reset token exposure leading to DoS) in nginx/nginx</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/59</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/59</guid>
      <pubDate>Fri, 27 Feb 2026 15:44:28 GMT</pubDate>
      <description>Before the patch, the QUIC stateless reset token was derived only from a shared secret and the connection ID, making the token identical across workers. In a multi-worker configuration with packet steering, an attacker could intentionally route a victim connection&apos;s packet to a different worker to trigger emission/observation of the stateless reset token, then forge a QUIC Stateless Reset to immediately terminate the victim connection (remote DoS). The patch binds the derived token to the worker number by incorporating ngx_worker into the KDF input, making tokens differ per worker and preventing cross-worker token acquisition/abuse.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] NULL Pointer Dereference (Remote Denial of Service) in nginx/nginx</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/58</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/58</guid>
      <pubDate>Fri, 27 Feb 2026 15:44:07 GMT</pubDate>
      <description>Before the patch, the QUIC OpenSSL compatibility keylog callback discarded failures from ngx_quic_compat_set_encryption_secret(). Under memory pressure (allocation failure), the encryption context (secret-&gt;ctx) could remain NULL, yet ngx_quic_compat_create_record() would proceed to encrypt and dereference the NULL ctx, crashing the NGINX worker. The patch checks the return value, marks the QUIC connection as errored to fail the handshake cleanly, and adds a NULL guard in record creation to prevent the crash.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Sensitive Data Exposure (Secrets persisted to cache) in vercel/next.js</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/57</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/57</guid>
      <pubDate>Thu, 26 Feb 2026 14:22:19 GMT</pubDate>
      <description>Before the patch, `ProcessEnv::read_all()` returned a serializable `EnvMap`, which could be automatically persisted into Turbopack/Next.js&apos; on-disk persistent cache. This meant any process environment variable (including secrets like API keys and tokens) could be written to disk and later recovered by anyone with read access to the cache directory (e.g., another local user, CI artifact consumers, or a compromised build agent). The patch introduces `TransientEnvMap` with `serialization = &quot;none&quot;` and changes `read_all()` to return it, preventing env vars from being persisted and forcing them to be re-read from the process environment after cache restore.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Denial of Service (DoS) / Amplification via Stateless Reset flooding in nginx/nginx</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/56</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/56</guid>
      <pubDate>Thu, 26 Feb 2026 14:19:34 GMT</pubDate>
      <description>Before the patch, nginx would generate and send a QUIC Stateless Reset for every incoming packet that triggered the stateless reset path, with no per-source rate limiting. An attacker could spoof many UDP packets (often with spoofed source IPs) to force the server to spend CPU on hashing/random generation and to emit many Stateless Reset packets, creating resource exhaustion and reflected traffic. The patch adds a per-second Bloom-filter-based limiter keyed by source address so repeated triggers from the same address are declined.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Cross-Site Scripting (XSS) in rails/rails</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/55</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/55</guid>
      <pubDate>Tue, 24 Feb 2026 20:59:12 GMT</pubDate>
      <description>The markdown conversion functionality was vulnerable to XSS attacks through malicious javascript: URLs that could bypass protocol filtering using obfuscation techniques like leading whitespace, HTML entity encoding, or case variations. The patch fixes this by delegating URI validation to Rails::HTML::Sanitizer.allowed_uri? which properly handles these bypass attempts.</description>
      <category>medium</category>
      <category>confirmed</category>
    </item>
    <item>
      <title>[HIGH] Authentication Bypass in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/54</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/54</guid>
      <pubDate>Tue, 24 Feb 2026 20:06:18 GMT</pubDate>
      <description>The code allowed SAML authentication to create duplicate user_auth records for SCIM-provisioned users instead of updating existing ones. An attacker could exploit this by logging in via SAML with a SCIM user&apos;s credentials to create a new auth record with their own AuthID, potentially bypassing access controls or creating authentication confusion.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Null Pointer Dereference in nodejs/node</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/53</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/53</guid>
      <pubDate>Tue, 24 Feb 2026 19:55:06 GMT</pubDate>
      <description>The code failed to check if BIO_meth_new() returns NULL before passing the result to BIO_meth_set_* functions, causing a null pointer dereference. This could lead to application crashes and potential denial of service when SSL/TLS operations are initiated under memory pressure conditions.</description>
      <category>high</category>
      <category>confirmed</category>
    </item>
    <item>
      <title>[MEDIUM] Regular Expression Denial of Service (ReDoS) in nodejs/node</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/52</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/52</guid>
      <pubDate>Tue, 24 Feb 2026 18:15:02 GMT</pubDate>
      <description>The minimatch library had a vulnerability where multiple consecutive asterisks (*) in glob patterns could cause exponential backtracking in the generated regular expression, leading to CPU exhaustion. The patch fixes this by coalescing multiple stars into a single star pattern, preventing the ReDoS condition.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Man-in-the-Middle Attack / Insufficient Certificate Validation in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/51</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/51</guid>
      <pubDate>Tue, 24 Feb 2026 09:33:41 GMT</pubDate>
      <description>The code before the patch used HTTP transport without proper TLS certificate validation when communicating with external image renderer services. This allowed attackers to intercept HTTPS communications through man-in-the-middle attacks, potentially exposing authentication tokens and sensitive data. The patch adds support for custom CA certificates to enable proper certificate validation.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Information Disclosure in rails/rails</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/50</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/50</guid>
      <pubDate>Tue, 24 Feb 2026 09:33:16 GMT</pubDate>
      <description>The custom inspect methods in various Rails classes could potentially expose sensitive internal state or configuration data through debug output, error messages, or logs. The patch replaces these with a controlled inspection mechanism that only shows explicitly whitelisted instance variables.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Information Disclosure in rails/rails</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/49</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/49</guid>
      <pubDate>Tue, 24 Feb 2026 09:32:55 GMT</pubDate>
      <description>The custom inspect methods in various Rails classes exposed sensitive internal state including cryptographic keys, secrets, and other confidential data in debug output, logs, and error messages. The patch replaces custom inspect methods with a standardized approach that only shows safe instance variables, preventing accidental leakage of sensitive information.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Race Condition in vercel/next.js</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/48</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/48</guid>
      <pubDate>Mon, 23 Feb 2026 17:06:28 GMT</pubDate>
      <description>The code had a concurrency bug where the follower&apos;s aggregation number was read without proper locking, allowing the inner-vs-follower classification decision to be made on stale data if the aggregation number changed concurrently. This could lead to incorrect task classification and potential data corruption in the aggregation system.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Open Redirect in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/47</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/47</guid>
      <pubDate>Mon, 23 Feb 2026 10:32:22 GMT</pubDate>
      <description>The ValidateRedirectTo function was vulnerable to open redirect attacks through URL fragments. Attackers could bypass path validation by using URL fragments containing dangerous patterns like &apos;../&apos; or &apos;//&apos;, which were not sanitized before the redirect. The patch fixes this by validating fragments and returning a sanitized URL string instead of the original user input.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Buffer Overflow/Out-of-bounds Memory Access in nginx/nginx</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/46</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/46</guid>
      <pubDate>Mon, 23 Feb 2026 10:32:03 GMT</pubDate>
      <description>The code failed to validate that sync sample values in MP4 stss atoms are 1-based as required by ISO 14496-12. A zero-valued stss entry caused the key_prefix calculation to exceed consumed samples, leading the backward loop in ngx_http_mp4_crop_stts_data() to walk past the beginning of the stts data buffer, causing out-of-bounds memory access.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Path Traversal in vercel/next.js</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/45</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/45</guid>
      <pubDate>Sat, 21 Feb 2026 04:12:12 GMT</pubDate>
      <description>The script accepts user-provided file paths without validation and directly converts them to file URLs, allowing attackers to access arbitrary files on the system. The patch adds proper path handling using pathToFileURL() which normalizes paths and prevents directory traversal attacks.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Cross-Site Scripting (XSS) in django/django</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/44</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/44</guid>
      <pubDate>Fri, 20 Feb 2026 14:47:10 GMT</pubDate>
      <description>The Django admin interface was vulnerable to XSS attacks when displaying model string representations that contained only whitespace or malicious scripts. The vulnerability occurred because whitespace-only strings were not properly sanitized before being rendered in HTML contexts, allowing attackers to inject malicious scripts through model __str__ methods.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Authorization Bypass in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/43</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/43</guid>
      <pubDate>Fri, 20 Feb 2026 08:43:39 GMT</pubDate>
      <description>The old authorization system used deprecated Compile method which performed authorization checks item-by-item during iteration, potentially allowing unauthorized access to resources due to race conditions or incomplete authorization state. The patch replaces this with FilterAuthorized using BatchCheck which performs more robust batch authorization before returning results.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Stack Overflow DoS in vercel/next.js</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/42</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/42</guid>
      <pubDate>Fri, 20 Feb 2026 04:55:06 GMT</pubDate>
      <description>The unhandled rejection filter module was being bundled twice, causing mutual recursion when handling unhandled Promise rejections. Each instance captured the other&apos;s handler, creating an infinite loop that would overflow the stack and crash the server on any unhandled rejection.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Hash Collision in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/41</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/41</guid>
      <pubDate>Thu, 19 Feb 2026 18:31:51 GMT</pubDate>
      <description>The code was truncating SHA256 hashes to only 10 characters when generating secret names, dramatically increasing collision probability from negligible to ~1 in 16^10. This allows attackers to craft field names that collide with existing secret field names, potentially accessing or modifying secrets they shouldn&apos;t have access to.</description>
      <category>medium</category>
      <category>confirmed</category>
    </item>
    <item>
      <title>[MEDIUM] Prototype Pollution in facebook/react</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/40</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/40</guid>
      <pubDate>Thu, 19 Feb 2026 17:05:56 GMT</pubDate>
      <description>The original code used JSON.parse with a reviver function that could potentially allow __proto__ property manipulation during RSC payload deserialization. The patch explicitly deletes __proto__ keys during the walking phase and moves away from the reviver approach to prevent prototype pollution attacks.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] HTTP Response Splitting / Cache Poisoning in pallets/flask</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/39</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/39</guid>
      <pubDate>Thu, 19 Feb 2026 17:05:30 GMT</pubDate>
      <description>The session was not properly marked as accessed when only reading session metadata (keys, length checks), allowing responses to be cached without the Vary: Cookie header. This could lead to cache poisoning where one user&apos;s cached response is served to another user, potentially exposing session-dependent data.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Information Disclosure in pallets/flask</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/38</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/38</guid>
      <pubDate>Thu, 19 Feb 2026 17:05:19 GMT</pubDate>
      <description>The session was not being marked as accessed when only checking keys/metadata, allowing caching proxies to cache pages for different users. This could lead to session data being served to wrong users through shared caches. The patch fixes this by tracking session access at the request context level.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Information Disclosure in pallets/flask</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/37</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/37</guid>
      <pubDate>Thu, 19 Feb 2026 17:05:03 GMT</pubDate>
      <description>The session was not being marked as accessed when only reading operations like checking keys or length occurred, causing the &apos;Vary: Cookie&apos; header to not be set. This could allow caching proxies to serve the same cached response to different users, potentially leaking session-dependent data between users.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Race Condition in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/36</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/36</guid>
      <pubDate>Thu, 19 Feb 2026 13:27:44 GMT</pubDate>
      <description>The code had a race condition vulnerability during database migrations where concurrent writes to legacy tables could occur during unified storage migrations in rolling upgrade scenarios. This could lead to data corruption or inconsistent state as multiple processes could simultaneously modify the same database tables without proper synchronization.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Authentication Bypass in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/35</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/35</guid>
      <pubDate>Thu, 19 Feb 2026 10:13:09 GMT</pubDate>
      <description>The code had a fallback authentication mechanism that would allow any request to bypass authorization checks when the primary authenticator failed. The fallback would accept requests with only namespace validation, effectively allowing unauthorized access to resources.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Access Control Bypass in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/34</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/34</guid>
      <pubDate>Wed, 18 Feb 2026 22:42:29 GMT</pubDate>
      <description>The scope resolver cache was not invalidated when datasources were deleted, causing stale name-to-UID mappings. When a datasource was deleted and a new one created with the same name, the cached entry would resolve to the deleted datasource&apos;s UID, leading to incorrect authorization decisions. The patch fixes this by invalidating the cache entry for the datasource name scope during deletion.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Information Disclosure in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/33</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/33</guid>
      <pubDate>Wed, 18 Feb 2026 22:42:17 GMT</pubDate>
      <description>The code exposed encrypted datasource secrets even when they were empty, potentially leaking secret metadata or encrypted empty values to unauthorized users. The patch fixes this by filtering out empty secrets before returning them in API responses.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Denial of Service / Resource Exhaustion in vercel/next.js</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/32</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/32</guid>
      <pubDate>Wed, 18 Feb 2026 17:06:36 GMT</pubDate>
      <description>The code had a missing size check for postponed request bodies in self-hosted setups, allowing attackers to send arbitrarily large payloads that would consume server memory and potentially crash the application. The patch ensures maxPostponedStateSize is consistently enforced across all code paths that buffer postponed bodies.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Information Disclosure in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/31</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/31</guid>
      <pubDate>Wed, 18 Feb 2026 12:05:51 GMT</pubDate>
      <description>The audit logging configuration was exposing sensitive data source request and response bodies by default. This could lead to credentials, API keys, and sensitive query data being logged in plaintext audit files accessible to system administrators.</description>
      <category>medium</category>
      <category>confirmed</category>
    </item>
    <item>
      <title>[HIGH] Authorization Bypass in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/29</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/29</guid>
      <pubDate>Tue, 17 Feb 2026 16:03:27 GMT</pubDate>
      <description>The rolebindings API was accessible to all authenticated users without proper authorization checks. This allowed any user to potentially view, modify, or create role bindings, leading to privilege escalation. The patch restricts access to only access policy identities.</description>
      <category>high</category>
      <category>confirmed</category>
    </item>
    <item>
      <title>[MEDIUM] HTTP Request Smuggling / Content Length Mismatch in nginx/nginx</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/27</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/27</guid>
      <pubDate>Tue, 17 Feb 2026 13:53:09 GMT</pubDate>
      <description>The vulnerability allows attackers to cause a mismatch between the Content-Length header sent to SCGI backends and the actual request body size in unbuffered mode. This can lead to HTTP request smuggling or desynchronization between nginx and SCGI backends, potentially allowing request smuggling attacks.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Code Injection in nodejs/node</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/25</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/25</guid>
      <pubDate>Mon, 16 Feb 2026 14:59:50 GMT</pubDate>
      <description>The code used eval() to parse configuration data, which allows arbitrary Python code execution if an attacker can control the node_builtin_shareable_builtins configuration value. The patch replaces eval() with json.loads() to safely parse JSON data.</description>
      <category>high</category>
      <category>confirmed</category>
    </item>
    <item>
      <title>[MEDIUM] Authorization Bypass in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/22</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/22</guid>
      <pubDate>Mon, 16 Feb 2026 10:04:29 GMT</pubDate>
      <description>The endpoint allowed any authenticated user to access team member information without proper authorization checks. The patch adds a permission check requiring &apos;GetPermissions&apos; verb on the Team resource before returning member data.</description>
      <category>medium</category>
      <category>confirmed</category>
    </item>
    <item>
      <title>[MEDIUM] Resource Deletion Bypass in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/21</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/21</guid>
      <pubDate>Mon, 16 Feb 2026 08:00:28 GMT</pubDate>
      <description>The code allowed updating Repository resources to remove all finalizers, which would cause immediate deletion without proper cleanup when the resource is later deleted. This bypasses the intended cleanup workflow and could lead to orphaned resources or incomplete cleanup operations.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Authorization Bypass in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/20</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/20</guid>
      <pubDate>Mon, 16 Feb 2026 07:36:22 GMT</pubDate>
      <description>The files API endpoints were not enforcing quota limits, allowing authenticated users to bypass resource quotas and create unlimited files/dashboards. This could lead to resource exhaustion and denial of service. The patch adds quota checks before allowing POST/PUT operations on files.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Data Integrity Violation in rails/rails</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/19</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/19</guid>
      <pubDate>Sat, 14 Feb 2026 08:55:44 GMT</pubDate>
      <description>The Deduplicable module incorrectly treated virtual (generated) columns and regular columns as identical when they had the same name and type, causing regular columns to be silently excluded from INSERT/UPDATE operations. This resulted in NULL values being stored instead of the intended data, leading to silent data corruption.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Data Integrity Violation in rails/rails</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/18</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/18</guid>
      <pubDate>Sat, 14 Feb 2026 08:55:37 GMT</pubDate>
      <description>The vulnerability allows silent data corruption where regular columns can be incorrectly deduplicated with virtual columns, causing INSERT and UPDATE statements to exclude legitimate columns and store NULL values instead of the intended data. This occurs when the deduplication registry encounters a virtual column first, then treats a regular column with the same name and type as identical.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[CRITICAL] Code Injection in vercel/next.js</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/17</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/17</guid>
      <pubDate>Fri, 13 Feb 2026 19:07:44 GMT</pubDate>
      <description>The feature allows arbitrary webpack loader execution through import attributes without proper validation or sandboxing. An attacker can specify malicious loader code that gets executed during the build process, potentially leading to remote code execution on the build server.</description>
      <category>critical</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Authorization Bypass in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/16</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/16</guid>
      <pubDate>Fri, 13 Feb 2026 18:44:38 GMT</pubDate>
      <description>The MT IAM API server was using a no-op storage backend for RoleBindings, which silently dropped all write operations and returned empty results for reads. Additionally, the authorizer denied all access to rolebindings. This created an authorization bypass where RBAC role bindings were completely non-functional, potentially allowing unauthorized access or preventing proper access controls from being enforced.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Use-After-Free / Socket Corruption in nodejs/node</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/15</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/15</guid>
      <pubDate>Fri, 13 Feb 2026 17:31:31 GMT</pubDate>
      <description>A race condition in HTTP keep-alive socket reuse allowed responseKeepAlive() to be called twice, corrupting socket state and causing the agent to hand an already-assigned socket to multiple requests. This could cause requests to hang or time out, or potentially leak data between requests sharing the same corrupted socket.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[LOW] Race Condition (TOCTOU) in nodejs/node</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/14</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/14</guid>
      <pubDate>Fri, 13 Feb 2026 16:47:01 GMT</pubDate>
      <description>A Time-of-Check Time-of-Use race condition in worker thread process.cwd() caching allowed workers to cache stale directory values. The counter was incremented before the directory change completed, creating a race window where workers could read the old directory but cache it with the new counter value.</description>
      <category>low</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Privilege Escalation in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/11</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/11</guid>
      <pubDate>Wed, 11 Feb 2026 12:26:16 GMT</pubDate>
      <description>The vulnerability allows attackers to bypass time range restrictions on public dashboards when time selection is disabled. By manipulating request time parameters, attackers can access annotations outside the intended dashboard time range, potentially exposing sensitive data from unauthorized time periods.</description>
      <category>high</category>
      <category>confirmed</category>
    </item>
    <item>
      <title>[MEDIUM] XSS in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/10</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/10</guid>
      <pubDate>Wed, 11 Feb 2026 12:26:10 GMT</pubDate>
      <description>The code was vulnerable to Cross-Site Scripting (XSS) by directly rendering user-controlled data via dangerouslySetInnerHTML without sanitization. Malicious trace data could inject JavaScript that would execute in users&apos; browsers. The patch fixes this by sanitizing HTML content with DOMPurify before rendering.</description>
      <category>medium</category>
      <category>confirmed</category>
    </item>
    <item>
      <title>[MEDIUM] Header Injection in grafana/grafana</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/9</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/9</guid>
      <pubDate>Wed, 11 Feb 2026 00:53:34 GMT</pubDate>
      <description>The code forwards arbitrary HTTP headers from incoming requests to outgoing gRPC calls without proper validation or sanitization. An attacker can inject malicious headers that could be used to bypass security controls, manipulate downstream services, or perform request smuggling attacks.</description>
      <category>medium</category>
      <category>confirmed</category>
    </item>
    <item>
      <title>[MEDIUM] Prototype Pollution in vercel/next.js</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/6</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/6</guid>
      <pubDate>Tue, 10 Feb 2026 13:16:21 GMT</pubDate>
      <description>The code was directly accessing the `$typeof` property on potentially untrusted objects without proper validation, allowing attackers to exploit prototype pollution to inject malicious `$typeof` properties. The patch introduces a `readReactElementTypeof` function that uses `hasOwnProperty.call()` to safely check for the property&apos;s existence on the object itself rather than the prototype chain.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Integer Division by Zero / Panic-based DoS in vercel/next.js</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/5</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/5</guid>
      <pubDate>Tue, 10 Feb 2026 13:14:12 GMT</pubDate>
      <description>The code performed integer division without checking for division by zero, which could cause a panic and crash the application. The patch replaces direct division with checked_div() to handle zero divisors safely.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Integer Overflow / Denial of Service in vercel/next.js</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/4</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/4</guid>
      <pubDate>Tue, 10 Feb 2026 13:11:00 GMT</pubDate>
      <description>The code incorrectly used max() instead of min() to clamp worker counts, causing all systems to be treated as having 64+ cores and potentially overflowing usize on systems with many actual cores. This could lead to memory exhaustion or application crashes.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Path Traversal in facebook/react</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/3</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/3</guid>
      <pubDate>Tue, 10 Feb 2026 13:07:10 GMT</pubDate>
      <description>The code had improper path resolution that allowed attackers to access files outside the intended directory structure. The patch fixes relative path resolution by properly normalizing paths relative to PROJECT_ROOT instead of allowing arbitrary relative paths from the current working directory.</description>
      <category>medium</category>
      <category>confirmed</category>
    </item>
    <item>
      <title>[MEDIUM] Denial of Service (Stack Overflow) in facebook/react</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/2</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/2</guid>
      <pubDate>Tue, 10 Feb 2026 13:06:22 GMT</pubDate>
      <description>The recursive traversal of async node chains in visitAsyncNode causes stack overflow when processing deep async sequences. Database libraries creating long linear chains of async operations can trigger this DoS condition. The patch converts recursive traversal to iterative to prevent stack exhaustion.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Denial of Service in facebook/react</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/1</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/1</guid>
      <pubDate>Tue, 10 Feb 2026 13:04:53 GMT</pubDate>
      <description>The code incorrectly checked for debugChannel existence instead of debugChannelReadable, causing the server to signal debug info availability even with write-only channels. This could cause clients to block indefinitely waiting for debug data that never arrives, resulting in a denial of service condition.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
  </channel>
</rss>