CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.13)
The @rtk-ai/rtk-rewrite plugin version 1.0.0 fails to sanitize user input before passing it to a shell-backed execSync() template string, allowing arbitrary OS command injection. JSON.stringify() does not protect against shell metacharacters like $() and backticks, which are executed by /bin/sh -c.
In versions prior to 0.185.0, Daytona allowed organization role updates and deletions without verifying if the role belonged to the specified organization. An authenticated user owning any organization could modify permissions or delete a role belonging to another organization using that role's identifier.
In versions from 0.101.0 to 0.184.0, sandboxes switched from public to private could remain accessible without authentication for a short period after the change, due to a cached visibility state that was not invalidated.
In versions prior to 0.184.0, users could accept or decline organization invitations even if their email address was not verified. Daytona's authentication system did not require email verification for these actions, creating a risk of unauthorized access.
In versions prior to 0.186, Daytona's sandbox volume reference (volumeId) was forwarded to the runner, potentially allowing unauthorized access to paths outside the intended base directory. The use of path-traversal sequences could enable the construction of the host bind-mount source path without proper confinement.
Crawl4AI prior to version 0.8.9 contains an SSRF vulnerability that allows an unauthenticated attacker to bypass the destination URL check and route traffic through a proxy to internal IP addresses. The attacker can exploit this flaw to access internal services and cloud metadata endpoints while providing a valid crawl URL.
Crawl4AI before version 0.8.8 has an SSRF vulnerability in the Docker API server that allows an attacker to bypass the CIDR blocklist and access internal services and cloud metadata endpoints (e.g., 169.254.169.254) by encoding an IPv4 address in an IPv6 transition form or using the IPv6 unspecified address. Since the Docker API is unauthenticated by default, no credentials are required for the attack.
Crawl4AI before version 0.8.7 has a vulnerability in the _safe_eval_expression() function in the computed fields feature. The AST validator only blocks attributes starting with underscore, but generator and frame object attributes (gi_frame, f_back, f_builtins) do not start with underscore, enabling a complete sandbox escape to achieve arbitrary code execution. The attack requires no authentication (JWT disabled by default) and is triggered via POST /crawl with a crafted extraction schema.
Vulnerability in the CMS parser in gpgsm of GnuPG (up to version 2.5.20) mishandles the CMS format for AES-GCM encryption. The aes-ICVlen field should be 12 bytes but 4 bytes is also accepted, which may lead to errors in data integrity verification.
GNU libidn before version 1.44 is vulnerable to out-of-bounds reads of uninitialized memory in the ToUnicode APIs due to mishandling in the idna_to_unicode_internal function. The vulnerable code is not present in libidn2.
A vulnerability in Deno before version 2.7.5 allows a remote WebSocket server to crash the Deno process by sending a response with Sec-WebSocket-Protocol or Sec-WebSocket-Extensions headers containing non-printable ASCII bytes (0x80-0xFF). The flaw is due to improper parsing of these headers, causing a panic that terminates the entire process.
In Daytona, prior to version 0.185.0, there was a cross-tenant authorization flaw in the notification WebSocket gateway that allowed authenticated users to subscribe to another organization's real-time notification channels.
In versions prior to 0.185.0, the git clone implementation in the Daytona daemon disabled TLS certificate verification. This allowed attackers to intercept traffic and steal Git credentials.
Home Assistant prior to version 2026.5.3 has a vulnerability in the LocationSensorManager component where the BroadcastReceiver is exported without required permissions. Any installed app, even without runtime permissions, can send a forged Google Play Services LocationResult that is trusted and forwarded to the Home Assistant server as the device's real location.
In Home Assistant before version 2026.6.0, the Konnected integration exposes an HTTP endpoint where GET requests require no authentication, contrary to the code comment. Write requests (POST/PUT) are token-protected, but read requests (GET) are completely unprotected.
A vulnerability in Claude Code (versions 0.2.54 to 2.1.163) auto-approves WebFetch requests to huggingface.co without a permission prompt or --allowedTools restrictions. An attacker can exploit this to send requests to attacker-controlled repositories, creating a covert channel for data exfiltration.
In versions 42.3.1 to 42.3.3, the Electron framework has an issue with incorrect byte length calculations in Buffer, leading to heap buffer under/overflow. Most applications crash, and some may perform incorrect buffer allocations in the Node.js Buffer API, resulting in unexpected truncation or allocation.
LobeHub prior to version 2.1.57 had a vulnerability in the /webapi/proxy endpoint that accepted a URL in the POST body without authentication. An attacker could exploit this to make arbitrary outbound requests from LobeHub's infrastructure and leak Vercel deployment details.
In Open WebUI prior to version 0.8.11, there is a vulnerability that allows an attacker to bypass authorization checks when joining a document room. By manipulating the document identifier, the attacker can access the victim's private note contents.
Open WebUI before version 0.9.6 has a vulnerability in Ollama proxy routes where the url_idx parameter is used as a raw index into the OLLAMA_BASE_URLS list. An authenticated user can force a request to any Ollama backend, including internal, privileged, or admin-disabled ones, without proper authorization.

