Ayushparkara

**Name of the Vulnerable Software and Affected Versions** authentik versions prior to 2026.2.3 **Description** The WS-Federation provider in this open-source identity provider validates the user-supplied `wreply` parameter using a raw string prefix check instead of proper URL parsing. An attacker can craft a login link with a `wreply` value from a different origin that bypasses this check, leading the victim's browser to POST the signed WS-Federation login response to infrastructure controlled by the attacker. **Recommendations** Update to version 2026.2.3.

**Name of the Vulnerable Software and Affected Versions** authentik versions prior to 2025.12.5 authentik versions prior to 2026.2.3 **Description** The SAML source response processor `ResponseProcessor.parse()` fails to validate the Conditions element on assertions. Specifically, `NotBefore`, `NotOnOrAfter`, and `AudienceRestriction` are ignored, which enables the replay of expired assertions and the acceptance of assertions intended for different service providers. **Recommendations** Update to version 2025.12.5. Update to version 2026.2.3.

**Name of the Vulnerable Software and Affected Versions** go-git versions prior to v5 **Description** A path validation issue allows crafted repository data to affect files outside the intended checkout target, including the repository's `.git` directory. This occurs because the software drifted from validation checks implemented in upstream Git. Some attack vectors are platform-specific, affecting only Windows or macOS users, while others apply across all supported platforms. Isolation may be provided if non-descendant `go-billy` filesystem instances or different filesystem types are used for the `Storer` and `Worktree`, such as using `memfs` for the `.git` directory and `osfs` for the worktree. However, this isolation may not apply to repositories containing submodules, as submodule dotgit directories may still be materialized within the worktree context. **Recommendations** Upgrade to a supported go-git version v5 or later.

**Name of the Vulnerable Software and Affected Versions** Portainer Community Edition versions 2.33.0 through 2.33.7 Portainer Community Edition versions 2.39.0 through 2.39.1 Portainer Community Edition versions prior to 2.41.0 **Description** Portainer includes a security setting to disable bind mounts for non-administrators, intended to prevent regular users from binding host paths into containers via the Portainer-mediated Docker API. However, the enforcement mechanism only inspected the `HostConfig.Binds` array and ignored the equivalent `HostConfig.Mounts` array. Since both fields are interchangeable on the Docker daemon, an authenticated user with container-creation rights can bypass this restriction by submitting a `bind`-typed entry under `HostConfig.Mounts` at the 'POST /containers/create' endpoint. This allows the user to mount any host path into their container, potentially gaining read or write access to the host filesystem as the Docker daemon user (typically `root`). This can lead to the exposure of sensitive files, compromise of other containers on the same host, or full Docker API access if the Docker socket is mounted. **Recommendations** Update Portainer Community Edition versions 2.33.0 through 2.33.7 to 2.33.8. Update Portainer Community Edition versions 2.39.0 through 2.39.1 to 2.39.2. Update Portainer Community Edition versions prior to 2.41.0 to 2.41.0. Revoke container-create rights from non-administrator accounts on affected environments. Segregate tenants by environment to provide stronger control than the bind-mount toggle.

**Name of the Vulnerable Software and Affected Versions** Gotenberg versions prior to 8.32.0 **Description** Gotenberg is a Docker-powered stateless API for PDF files. The Chromium URL-to-PDF endpoint '/forms/chromium/convert/url' lacks default protection against Server-Side Request Forgery (SSRF) for HTTP and HTTPS requests, as the default deny-list only blocks `file://` URIs. This allows an unauthenticated attacker to direct Chromium to internal IP addresses, including loopback, RFC 1918 ranges, and cloud metadata endpoints, receiving the response rendered as a PDF. Additionally, the `downloadFrom` and `webhook` endpoints are also affected by a redirect-based bypass. Even when a custom deny-list is configured, the Chromium instance and other endpoints follow HTTP 302 redirects from attacker-controlled external URLs to internal targets without re-validating the destination against the deny-list. **Recommendations** Update to version 8.32.0. As a temporary workaround, restrict access to the '/forms/chromium/convert/url' endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Budibase versions prior to 3.35.10 **Description** The `budibase:auth` cookie, which contains the JWT session token, is configured with `httpOnly: false` in the `packages/backend-core/src/utils/utils.ts` file. This allows JavaScript to access the cookie via `document.cookie`, enabling an attacker to steal the JWT and achieve full account takeover if a Cross-Site Scripting (XSS) flaw is present. Additionally, the cookie lacks the `secure: true` flag, meaning it can be sent over plaintext HTTP, and it lacks the `sameSite` attribute, making it susceptible to cross-site request attachment. **Recommendations** Update to version 3.35.10.

**Name of the Vulnerable Software and Affected Versions** go-git versions prior to 5.18.0 go-git versions prior to 6.0.0-alpha.2 **Description** During smart-HTTP clone and fetch operations, the library may leak HTTP authentication credentials when following redirects. If a remote repository responds to the initial '/info/refs' request with a redirect to a different host, the session endpoint is updated to the redirected location and the original authentication, such as Authorization headers, is reused for subsequent requests. This allows an attacker controlling the redirect target to capture credentials and potentially access the victim's repositories or other resources. This issue occurs when interacting with untrusted or misconfigured Git servers or when using unsecured HTTP connections. **Recommendations** Update to version 5.18.0. Update to version 6.0.0-alpha.2.

**Name of the Vulnerable Software and Affected Versions** Budibase versions prior to 3.35.4 **Description** The authenticated middleware uses unanchored regular expressions to match public endpoint patterns against the `ctx.request.url` variable. Because `ctx.request.url` in Koa includes the query string, an attacker can bypass authentication and access protected endpoints by appending a public endpoint path as a query parameter. For example, using the endpoint '/api/global/users/search' with a query parameter like `x=/api/system/status` allows unauthorized access because the regular expression matches the query string portion of the URL. **Recommendations** Update to version 3.35.4.