Dxleryt

**Name of the Vulnerable Software and Affected Versions** PX4 autopilot versions prior to 1.17.0-rc2 **Description** A logic error exists in the PX4 Autopilot MAVLink FTP session validation. The validation uses incorrect boolean logic (&& instead of ||), allowing `BurstReadFile` and `WriteFile` operations to proceed with invalid sessions or closed file descriptors. This allows an unauthenticated attacker to put the FTP subsystem into an inconsistent state, trigger operations on invalid file descriptors, and bypass session isolation checks. The vulnerable component is the MAVLink FTP session validation logic. **Recommendations** Update to version 1.17.0-rc2 or later.

**Name of the Vulnerable Software and Affected Versions** PX4 autopilot versions prior to 1.17.0-rc2 **Description** PX4 autopilot is a flight control solution for drones. A path traversal issue exists in the PX4 Autopilot MAVLink FTP implementation that allows any MAVLink peer to perform unauthorized file operations – including reading, writing, creating, deleting, and renaming – on the flight controller filesystem without authentication. On NuttX systems, the FTP root directory is empty, leading to direct passing of attacker-supplied paths to filesystem calls without any sanitization during read operations. On POSIX systems, the write-path validation function does not provide any protection. A time-of-check to time-of-use (TOCTOU) race condition in the write validation on NuttX systems further bypasses existing security measures. **Recommendations** Versions prior to 1.17.0-rc2 should be updated to version 1.17.0-rc2 or later.

**Name of the Vulnerable Software and Affected Versions** GetSimple CMS versions 3.3.22 massiveAdmin plugin version 6.0.3 **Description** GetSimple CMS, when used with the massiveAdmin plugin version 6.0.3, allows an authenticated administrator to overwrite the `gsconfig.php` configuration file with arbitrary PHP code through the gsconfig editor module. The form lacks Cross-Site Request Forgery (CSRF) protection, enabling a remote unauthenticated attacker to exploit this through CSRF against a logged-in administrator, potentially leading to Remote Code Execution (RCE) on the web server. This can be triggered by a malicious email containing an embedded form, resulting in a full server compromise. **Recommendations** For GetSimple CMS version 3.3.22 and massiveAdmin plugin version 6.0.3, ensure proper CSRF protection is implemented for the gsconfig editor module to prevent unauthorized modification of the `gsconfig.php` file.

**Name of the Vulnerable Software and Affected Versions** Homarr versions prior to 1.54.0 **Description** The integration.all tRPC endpoint in Homarr is accessible to unauthenticated users, potentially exposing a list of configured integrations. This exposed metadata includes sensitive information such as internal service URLs, integration names, and service types. The issue was addressed in version 1.54.0. **Recommendations** Update to version 1.54.0 or later.

**Name of the Vulnerable Software and Affected Versions** Statmatic versions prior to 5.73.11 Statmatic versions prior to 6.4.0 **Description** Statmatic is a content management system. When Glide image manipulation is used in insecure mode, an unauthenticated user can exploit the image proxy to make the server send HTTP requests to arbitrary URLs. This can potentially allow access to internal services and cloud metadata endpoints reachable from the server. **Recommendations** Update to version 5.73.11 or later. Update to version 6.4.0 or later.

**Name of the Vulnerable Software and Affected Versions** OneUptime versions prior to 10.0.7 **Description** OneUptime is a solution for monitoring and managing online services. A critical OS command injection vulnerability exists in the `NetworkPathMonitor.performTraceroute()` function. This flaw allows any authenticated project user to execute arbitrary operating system commands on the Probe server by injecting shell metacharacters into a monitor's destination field. The vulnerability stems from the direct interpolation of the user-controlled `destination` parameter into a shell command string, which is then executed using `child process.exec()`. The `destination` parameter is not sanitized before being used in the command, allowing for the injection of malicious shell metacharacters such as semicolons, pipes, and subshells. Successful exploitation could lead to remote code execution, allowing attackers to read sensitive files, pivot to internal services, compromise monitoring data, and establish persistent backdoors. The vulnerability is present in the `Probe/Utils/Monitors/MonitorTypes/NetworkPathMonitor.ts` file, specifically lines 149-191. **Recommendations** Upgrade to OneUptime version 10.0.7 or later to resolve this vulnerability. As a temporary workaround, audit monitor destinations for suspicious characters to prevent remote code execution.

**Name of the Vulnerable Software and Affected Versions** yt-dlp versions prior to 2026.02.21 **Description** The `--netrc-cmd` option in yt-dlp contains an arbitrary command injection issue. The argument passed to the command in this option is now limited to a safe subset of characters to address this. This issue could potentially allow an attacker to execute arbitrary commands on the system. **Recommendations** Update to yt-dlp version 2026.02.21 or later.

**Name of the Vulnerable Software and Affected Versions** Gogs versions prior to 0.14.2 **Description** Gogs, a self-hosted Git service, contains a stored cross-site scripting (XSS) issue in the comment and issue description functionality. The HTML sanitizer allows `data:` URI schemes, enabling authenticated users to inject arbitrary JavaScript execution through malicious links. The vulnerability resides in the `internal/markup/sanitizer.go` file, where the `bluemonday` HTML sanitizer is configured to allow `data` URLs. Raw HTML anchor tags bypass the Markdown parser and are processed directly by the sanitizer, allowing payloads like `<a href="data:text/html...">` to be rendered. Exploitation involves creating a file with malicious HTML content, committing and pushing it to a repository, and then clicking the link in the Gogs web interface. Successful exploitation allows attackers to steal authentication cookies, perform actions on behalf of the victim, or redirect users to malicious sites. **Recommendations** Versions prior to 0.14.2 should be updated to version 0.14.2 or later.

**Name of the Vulnerable Software and Affected Versions** calibre versions prior to 9.2.0 **Description** calibre is an e-book manager. A Server-Side Template Injection (SSTI) vulnerability exists in calibre’s Templite templating engine. This allows for arbitrary code execution when a user converts an ebook using a malicious custom template file via the `--template-html` or `--template-html-index` command-line options. Server-Side Template Injection (SSTI) is a flaw that allows an attacker to inject malicious code into a template engine, potentially leading to unauthorized access or control of the system. **Recommendations** Update to calibre version 9.2.0 or later.

**Name of the Vulnerable Software and Affected Versions** calibre versions prior to 9.4.0 **Description** calibre is an e-book manager used for viewing, converting, editing, and cataloging e-books. The Content Server’s brute-force protection mechanism relies on a ban key derived from both the `remote addr` and the `X-Forwarded-For` header. The `X-Forwarded-For` header is directly read from HTTP requests without validation or trusted-proxy configuration. This allows attackers to bypass IP-based bans by modifying or adding to the `X-Forwarded-For` header, effectively disabling the brute-force protection. This poses a risk to servers exposed to the internet, as brute-force protection is a primary defense against credential stuffing and password guessing attacks. **Recommendations** Update to calibre version 9.4.0 or later.