-
NextCloud Desktop, Credential Disclosure via Unvalidated directDownloadUrl (Bug Bounty, 2026. 4. 14. 01:58)
https://hackerone.com/reports/3400143
The Nextcloud Desktop Client automatically includes the user's credentials (an Authorization header carrying username:password in Base64, i.e. HTTP Basic authentication) when downloading files via the directDownloadUrl feature. A malicious Nextcloud server can exploit this by setting directDownloadUrl to an attacker-controlled ..
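The defensive check a client should make before honouring a server-supplied download URL, written here as an added example rather than the Nextcloud client's own code: credentials are only attached when the URL resolves to the same https origin as the account's server. The function names, the constructed server and download URLs, and the user/password values are assumptions for illustration.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// hostPort normalises an implicit :443 so that "https://h" and
// "https://h:443" compare equal.
func hostPort(u *url.URL) string {
	host := strings.ToLower(u.Hostname())
	if u.Port() == "" {
		return host + ":443"
	}
	return host + ":" + u.Port()
}

// sameOriginHTTPS reports whether downloadURL points at the same https
// origin (scheme, host and port) as the account's serverURL.
func sameOriginHTTPS(serverURL, downloadURL string) (bool, error) {
	s, err := url.Parse(serverURL)
	if err != nil {
		return false, err
	}
	d, err := url.Parse(downloadURL)
	if err != nil {
		return false, err
	}
	if s.Scheme != "https" || d.Scheme != "https" {
		return false, nil // refuse plaintext or exotic schemes outright
	}
	// url.Parse puts everything before '@' into User, so
	// https://cloud.example.com@attacker.test/ has Host "attacker.test".
	// Any userinfo in a server-supplied URL is suspicious, so reject it.
	if d.User != nil {
		return false, nil
	}
	return hostPort(s) == hostPort(d), nil
}

// newDownloadRequest builds the GET for a directDownloadUrl. The Basic
// Authorization header is added only for the account's own origin
// (assumed hardening, not the client's actual implementation).
func newDownloadRequest(serverURL, downloadURL, user, pass string) (*http.Request, error) {
	ok, err := sameOriginHTTPS(serverURL, downloadURL)
	if err != nil {
		return nil, err
	}
	req, err := http.NewRequest(http.MethodGet, downloadURL, nil)
	if err != nil {
		return nil, err
	}
	if ok {
		token := base64.StdEncoding.EncodeToString([]byte(user + ":" + pass))
		req.Header.Set("Authorization", "Basic "+token)
	}
	return req, nil
}

func main() {
	server := "https://cloud.example.com" // constructed account server
	for _, dl := range []string{
		"https://cloud.example.com/remote.php/dav/files/alice/report.pdf",
		"https://cloud.example.com:443/index.php/s/abc/download",
		"http://cloud.example.com/report.pdf",          // scheme downgrade
		"https://attacker.test/grab",                   // foreign host
		"https://cloud.example.com@attacker.test/grab", // userinfo trick
	} {
		req, err := newDownloadRequest(server, dl, "alice", "s3cret")
		if err != nil {
			fmt.Println(dl, "->", err)
			continue
		}
		fmt.Printf("%-62s Authorization=%q\n", dl, req.Header.Get("Authorization"))
	}
}
```

Only the first two URLs receive the header; the downgrade, the foreign host and the userinfo variant all go out unauthenticated.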
-
Ollama, JavaScript Injection via Deeplink (Bug Bounty, 2026. 3. 23. 03:04)
https://huntr.com/bounties/d515f43a-c9d9-4e7b-95f6-e05516717f2a

    // app/cmd/app/webview.go:468-472
    } else {
        w.webview.Eval(fmt.Sprintf(`
            history.pushState({}, '', '%s');
        `, path))
        showWindow(w.webview.Window())
    }

1. The path taken from the ollama:// deeplink is passed to Eval() without being sanitized.
2. As a result, arbitrary JavaScript can be executed in the Ollama webview.
3. Ollama, on the local machine, 1..
-
Arbitrary file write via tarslip in esm.sh (CVE-2025-65025) (Bug Bounty, 2025. 11. 19. 07:09)
https://github.com/esm-dev/esm.sh/security/advisories/GHSA-h3mw-4f23-gwpw
Summary: The esm.sh CDN service is vulnerable to a Path Traversal (CWE-22) vulnerability during NPM package tarball extraction. An attacker can craft a malicious NPM package containing speci...
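What a tarslip-resistant extractor looks like, as an added example that is not esm.sh's code: each entry name is joined onto the destination and the result is rejected if it resolves outside it, and non-regular entries (symlinks included) are skipped. The tarball is constructed in memory to stand in for a crafted npm package; the entry names in it are assumptions for illustration.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

var errTarSlip = errors.New("tar entry escapes destination directory")

// safeDest joins an archive entry name onto dest and rejects anything that
// would resolve outside dest (absolute names or ".." that climbs past it).
func safeDest(dest, name string) (string, error) {
	if filepath.IsAbs(name) {
		return "", errTarSlip
	}
	target := filepath.Join(dest, name) // Join also cleans ".." segments
	rel, err := filepath.Rel(dest, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errTarSlip
	}
	return target, nil
}

// extract unpacks a tar stream into dest and returns the entries it wrote
// and the ones it refused. Symlinks and other non-regular entries are
// refused because a link whose target lies outside dest is the other half
// of the tarslip pattern.
func extract(r io.Reader, dest string) (written, refused []string, err error) {
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return written, refused, nil
		}
		if err != nil {
			return written, refused, err
		}
		target, err := safeDest(dest, hdr.Name)
		if err != nil {
			refused = append(refused, hdr.Name)
			continue
		}
		switch hdr.Typeflag {
		case tar.TypeDir:
			if err := os.MkdirAll(target, 0o755); err != nil {
				return written, refused, err
			}
		case tar.TypeReg:
			if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
				return written, refused, err
			}
			f, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o644)
			if err != nil {
				return written, refused, err
			}
			_, err = io.Copy(f, tr)
			f.Close()
			if err != nil {
				return written, refused, err
			}
			written = append(written, hdr.Name)
		default:
			refused = append(refused, hdr.Name)
		}
	}
}

// maliciousTarball is a constructed stand-in for a crafted npm package:
// one benign file plus two entries that try to escape the extraction root.
func maliciousTarball() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, e := range []struct{ name, body string }{
		{"package/index.js", "export default 1;\n"},
		{"package/../../../tmp/pwned.js", "// would land outside dest\n"},
		{"/etc/cron.d/pwned", "* * * * * root id\n"},
	} {
		tw.WriteHeader(&tar.Header{Name: e.name, Mode: 0o644, Size: int64(len(e.body)), Typeflag: tar.TypeReg})
		tw.Write([]byte(e.body))
	}
	tw.Close()
	return buf.Bytes()
}

func main() {
	dest, _ := os.MkdirTemp("", "esm-extract-")
	defer os.RemoveAll(dest)
	written, refused, err := extract(bytes.NewReader(maliciousTarball()), dest)
	fmt.Println("written:", written, "refused:", refused, "err:", err)
}
```

The check is done on the cleaned, joined path rather than by scanning the name for "..", so an in-tree name such as a/b/../c is still accepted while package/../../../tmp/pwned.js is not.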
-
JS Template Literal Injection in esm.sh (CVE-2025-65026) (Bug Bounty, 2025. 11. 19. 07:06)
https://github.com/esm-dev/esm.sh/security/advisories/GHSA-hcpf-qv9m-vfgp
Summary: The esm.sh CDN service contains a Template Literal Injection vulnerability (CWE-94) in its CSS-to-JavaScript module conversion feature. When a CSS file is requested with the `?modu...
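The two JavaScript-string-context bugs on this page, the Ollama pushState call above (untrusted text inside a single-quoted literal) and this esm.sh CSS-to-module conversion (untrusted text inside a template literal), share one fix: render the value as a JavaScript string literal instead of pasting it between delimiters. This added example is not code from either project; the vulnerable builders imitate the two patterns, the `jsString` helper is the assumed hardening, and `codeOutsideStrings` is a deliberately small tokenizer that serves as an oracle for which parts of the generated source would run as code. The payloads are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Vulnerable builders, mirroring the two bug patterns.
func pushStateUnsafe(path string) string {
	return fmt.Sprintf("history.pushState({}, '', '%s');", path)
}

func cssModuleUnsafe(css string) string {
	return "export default `" + css + "`;"
}

// jsString renders s as a JavaScript string literal. JSON string syntax is
// a subset of JS string syntax, and encoding/json escapes the quote,
// backslash, control characters and U+2028/U+2029 (which older engines
// treat as line terminators), so the result is always one inert literal.
func jsString(s string) string {
	b, _ := json.Marshal(s) // cannot fail for a plain string
	return string(b)
}

// Hardened builders (assumed fix, not the projects' own patches).
func pushStateSafe(path string) string {
	return "history.pushState({}, '', " + jsString(path) + ");"
}

func cssModuleSafe(css string) string {
	return "export default " + jsString(css) + ";"
}

// codeOutsideStrings returns the bytes of src that a JS engine would treat
// as code rather than string content: it skips '...', "..." and `...`
// bodies, honours backslash escapes, and keeps ${...} substitutions inside
// template literals because those are evaluated.
func codeOutsideStrings(src string) string {
	var out strings.Builder
	var quote byte // 0 while outside any string literal
	for i := 0; i < len(src); i++ {
		c := src[i]
		if quote == 0 {
			if c == '\'' || c == '"' || c == '`' {
				quote = c
				continue
			}
			out.WriteByte(c)
			continue
		}
		switch {
		case c == '\\':
			i++ // escaped character, whatever it is
		case c == quote:
			quote = 0
		case quote == '`' && c == '$' && i+1 < len(src) && src[i+1] == '{':
			i += 2
			depth := 1
			for i < len(src) {
				if src[i] == '{' {
					depth++
				} else if src[i] == '}' {
					depth--
					if depth == 0 {
						break
					}
				}
				out.WriteByte(src[i])
				i++
			}
		}
	}
	return out.String()
}

// injected reports whether the marker call survives as live code.
func injected(src string) bool {
	return strings.Contains(codeOutsideStrings(src), "alert(1)")
}

func main() {
	path := "x'); alert(1); //"                                  // breaks out of '...'
	css := "a { color: red } ${alert(1)}"                        // substitution inside `...`
	for _, s := range []string{pushStateUnsafe(path), pushStateSafe(path), cssModuleUnsafe(css), cssModuleSafe(css)} {
		fmt.Printf("injected=%-5v %s\n", injected(s), s)
	}
}
```

Note that json.Marshal does not escape a single quote or a backtick; it does not need to, because the value is now wrapped in double quotes and the delimiter that matters is the one actually in use.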
-
Command Injection in pgAdmin for Windows (CVE-2025-12763) (Bug Bounty, 2025. 11. 19. 00:10)
Summary
A command injection vulnerability exists in pgAdmin4 running on Windows because subprocess.Popen() is invoked with shell=True when launching backup/restore processes. An attacker can execute arbitrary system commands through the file path input.

Details
Reproduction steps:
1. Log in to pgAdmin4 on a Windows environment
2. Connect to a database server
3. Select the Restore function
4. Send the follo..
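The bug class, shown as an added example in Go rather than pgAdmin's Python: one function splices the user-supplied path into a command string and hands it to a shell (the same thing shell=True does, via sh -c here and cmd.exe /c on Windows), the other passes the path as a single argv element. `cat` stands in for pg_restore so the demonstration runs without PostgreSQL, and the payload is constructed for illustration; it prints a marker through printf so the literal word never appears in the payload itself, which keeps the oracle honest when the safe variant echoes the "file name" back in its error message.

```go
package main

import (
	"fmt"
	"os/exec"
	"strings"
)

// restoreViaShell imitates subprocess.Popen(cmd, shell=True): the
// user-supplied path becomes part of one command line that a shell
// re-parses, so quotes and ';' in it are interpreted as syntax.
func restoreViaShell(path string) string {
	cmdline := fmt.Sprintf("cat '%s'", path)
	out, _ := exec.Command("sh", "-c", cmdline).CombinedOutput()
	return string(out)
}

// restoreViaArgv passes the path as its own argv element. No shell sees
// it, so the same bytes are just an (unusual) file name.
func restoreViaArgv(path string) string {
	out, _ := exec.Command("cat", path).CombinedOutput()
	return string(out)
}

// payload closes the single-quoted argument, runs an extra command, and
// reopens a quote so the trailing ' of the template stays balanced.
// printf assembles MARKER at run time; the payload text itself only
// contains "MARK%sER".
const payload = "backup.dump'; printf 'MARK%sER'; echo '"

// injected reports whether the extra command actually ran.
func injected(output string) bool {
	return strings.Contains(output, "MARKER")
}

func main() {
	fmt.Printf("shell: injected=%v\n%s\n", injected(restoreViaShell(payload)), restoreViaShell(payload))
	fmt.Printf("argv:  injected=%v\n%s\n", injected(restoreViaArgv(payload)), restoreViaArgv(payload))
}
```

With the shell variant the output contains MARKER because `cat 'backup.dump'; printf 'MARK%sER'; echo ''` is three commands; with the argv variant cat simply reports that no file by that long name exists. The fix in the pgAdmin case is the Python equivalent: pass a list to Popen and drop shell=True.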
-
Langfuse Server Side Request Forgery (SSRF) (Bug Bounty, 2025. 8. 31. 01:44)
https://github.com/langfuse/langfuse
Patched: https://github.c..