
Security Intel Hub 24696+

Curated security advisories, vulnerability analyses, and exploit write-ups — auto-cleaned and translated to English. Updated continuously.

Premium intel
CVSS 9.8
Electerm npm global install bypasses Chrome sandbox due to missing setuid/root permissions
github.com · 2026-05-08

# Vulnerability Summary ## Overview The Electron project has a security configuration issue that can lead to security vulnerabilities when `npm install` is executed. This vulnerability allows for the …

CVSS 3.3
kimai Team API Missing Object-Level Authorization Vulnerability (CVE-2025-41498)
github.com · 2026-05-08

# Vulnerability Summary: Team API Missing Object-Level Authorization ## Vulnerability Overview - **Vulnerability ID**: CVE-2025-41498 - **CVSS Score**: 3.3 / 10 (Low) - **Vulnerability Type**: Missing…

CVSS 5.5
Nuclei Template Engine Sandbox Bypass via Module Cache
github.com · 2026-05-08

# Vulnerability Summary: Nuclei Template Sandbox Escape ## Overview A security vulnerability exists in the Nuclei template engine that allows attackers to access the local file system within a sandbox…

CVSS 5.5
Nuclei JavaScript require() Bypasses allow-local-file-access via Module Caching
github.com · 2026-05-08

# Vulnerability Summary: Nuclei JavaScript `require()` Function Does Not Respect `allow-local-file-access` Restrictions ## Overview In the `projectdiscovery/nuclei` project, a security vulnerability e…

CVSS 5.5
Nuclei CVE-2025-41648: Local File Read via require() Module Loader Bypass
github.com · 2026-05-08

# Vulnerability Summary: Local File Read via `require()` Module Loader Bypass ## Vulnerability Overview The JavaScript protocol runtime in Nuclei contains a vulnerability that allows JavaScript templa…

CVSS 7.1
PromptHub Authenticated SSRF via IPv6 Filter Bypass in POST /api/skills/fetch-remote
github.com · 2026-05-08

# Vulnerability Summary: Authenticated SSRF via IPv6 filter bypass in `POST /api/skills/fetch-remote` ## Vulnerability Overview An authenticated Server-Side Request Forgery (SSRF) vulnerability exists…

CVSS 5.1
Weblate HTML Injection Vulnerability Fix and Test Code Analysis
github.com · 2026-05-08

# Vulnerability Summary ## Overview A vulnerability exists in the Weblate project due to improper escaping of HTML output, which may lead to HTML injection. This issue arises because keys and values r…

CVSS 5.1
wlc HTML Output Unescaped XSS Vulnerability Fix
github.com · 2026-05-08

### Vulnerability Overview This vulnerability involves improper escaping of user input during HTML output generation, leading to potential Cross-Site Scripting (XSS) risks. ### Affected Scope - **File…

CVSS 7.4
Axios Prototype Pollution Leading to Request Hijacking (GHSA-q8qp-cvcw-x6jg)
github.com · 2026-05-08

### Vulnerability Overview - **Vulnerability Name**: Prototype Pollution leading to Header Injection and Request Hijacking - **CVE/Advisory ID**: GHSA-q8qp-cvcw-x6jg - **Description**: By injecting he…

CVSS 7.4
Axios Security Patches: CRLF Injection, Prototype Pollution, and Arbitrary File Upload Fixes
github.com · 2026-05-08

# Axios Security Vulnerability Summary ## Vulnerability Overview This webpage screenshot displays multiple security patch submissions for the Axios library, primarily addressing the following vulnerab…

BerriAI litellm Authenticated Command Execution via MCP Endpoints (CVE-2026-4271)
github.com · 2026-05-08

# BerriAI / litellm Authenticated Command Execution Vulnerability Summary ## Vulnerability Overview - **Vulnerability Name**: Authenticated command execution via MCP stdio test endpoints - **CVE ID**:…

Fix for Host Header Case-Insensitive Matching Vulnerability
github.com · 2026-05-08

### Vulnerability Overview This vulnerability relates to the case-insensitive matching of hostnames (Host Header) during HTTP request processing. Specifically, the case of hostnames is not handled cor…

CVSS 7.4
Axios Prototype Pollution Leading to Credential Injection and SSRF
github.com · 2026-05-08

# Vulnerability Summary: Prototype Pollution in HTTP Adapter Leads to Credential Injection and Request Hijacking ## Vulnerability Overview In the HTTP adapter of the Axios library, five configuration …

CVE-2024-42273: Heimdall Host Header Case Sensitivity Bypass
github.com · 2026-05-08

# Vulnerability Summary: Case-Sensitive Host Matching in Heimdall May Lead to Policy Bypass ## Vulnerability Overview Heimdall performs host matching in a **case-sensitive** manner, whereas HTTP hostn…

CVSS 7.4
Axios v1.15.2 Prototype Pollution Fix and SSRF Mitigation
github.com · 2026-05-08

# Axios v1.15.2 Security Update Summary ## Vulnerability Overview This update primarily fixes a Prototype Pollution vulnerability in the Node.js HTTP adapter and introduces new security hardening meas…

Heimdall CVE-2024-42272: Case-Sensitive URL Encoding Slash Handling Leads to Authorization Bypass
github.com · 2026-05-08

### Vulnerability Overview - **Vulnerability Name**: Case-sensitive URL-encoded slash handling may lead to inconsistent path interpretation - **Description**: Heimdall handles URL-encoded slashes (`%2…

Heimdall Authorization Bypass via Path Normalization Mismatch (CVSS 7.8)
github.com · 2026-05-08

# Vulnerability Summary: Authorization bypass via path normalization mismatch ## Vulnerability Overview Heimdall performs rule matching on the raw (unnormalized) request path, while downstream compone…

Premium intel
CVSS 8.7
openziti/zrok WebDAV Symlink Traversal Fix
github.com · 2026-05-08

### Vulnerability Overview This vulnerability affects the `drive` backend mode in the `openziti/zrok` project. Specifically, the `WebDAV` implementation has been updated to prevent symlink traversal b…

Kimai XLSX Formula Injection Vulnerability (CVE-2026-4257) Analysis
github.com · 2026-05-08

# Vulnerability Summary: Formula Injection in XLSX Export ## Vulnerability Overview **Title**: Formula Injection via tag names in XLSX export **Severity**: Moderate **CVE ID**: CVE-2026-4257 **Vulnera…

CVSS 8.7
zrok WebDAV Backend Symlink Following Allows Host Filesystem Read/Write (CVE-2026-42275)
github.com · 2026-05-08

# WebDAV Drive Backend Follows Symlinks Outside DriveRoot, Leading to Host File System Read/Write Vulnerability ## Vulnerability Overview - **Vulnerability Name**: WebDAV drive backend follows symlink…


All articles are auto-cleaned (markdown extraction + LLM noise removal) and translated to English by our offline pipeline. Source URL is always preserved at the bottom of each article.
