Tasks

Path traversal via backslash normalization discrepancy across FTP/SFTP handlers and VFS backends allows directory escape.

Apache Kafka does not validate JWT tokens in its OAUTHBEARER authentication implementation

Port of i18next-http-middleware CVE-2026-41690 prototype-pollution-via-dotted-segment into mashpie/i18n-node. The i18n-node library already hosts an analogous dotted-key traversal in localeMutator / localeAccessor (i18n.js): `singular.split(objectNotation).reduce((object, index) => ... object[index] = value, locales[locale])`. The vulnerable port weakens the per-segment existence check from Object.prototype.hasOwnProperty.call to a plain `object[index] === undefined`, matching the shape of i18next-http-middleware's pre-3.9.3 setPath. Attacker-controlled dotted keys reaching the public `__` / `__n` API then walk through inherited Object members and write to the shared prototype — leading (`__proto__.polluted`), non-leading (`foo.__proto__.x` — the v3.9.7-style follow-up bypass), and deeper constructor.prototype chains all reach Object.prototype. Fix re-introduces the segment guard at every position via a small lib/safe-set.js helper referenced from both traversal functions.

Authentication bypass in CodeChecker permission system grants unauthenticated users full access when authentication is enabled.

pip Vulnerable to Inclusion of Functionality from Untrusted Control Sphere

quinn-proto transport parameter parsing panics on truncated varints via bare .unwrap() calls, enabling unauthenticated remote DoS with a single UDP packet.

details redacted — score and metadata only

details redacted — score and metadata only

details redacted — score and metadata only

details redacted — score and metadata only

details redacted — score and metadata only

details redacted — score and metadata only

details redacted — score and metadata only

details redacted — score and metadata only

details redacted — score and metadata only

details redacted — score and metadata only

details redacted — score and metadata only

details redacted — score and metadata only

details redacted — score and metadata only

details redacted — score and metadata only

details redacted — score and metadata only

details redacted — score and metadata only

details redacted — score and metadata only

details redacted — score and metadata only

details redacted — score and metadata only

details redacted — score and metadata only

details redacted — score and metadata only

details redacted — score and metadata only

details redacted — score and metadata only

details redacted — score and metadata only

details redacted — score and metadata only

details redacted — score and metadata only

details redacted — score and metadata only

details redacted — score and metadata only

details redacted — score and metadata only

details redacted — score and metadata only

details redacted — score and metadata only

details redacted — score and metadata only

details redacted — score and metadata only

details redacted — score and metadata only

details redacted — score and metadata only

details redacted — score and metadata only

details redacted — score and metadata only

details redacted — score and metadata only

details redacted — score and metadata only

details redacted — score and metadata only

details redacted — score and metadata only

details redacted — score and metadata only

details redacted — score and metadata only