Grumpinout1

**Name of the Vulnerable Software and Affected Versions** GitButler versions prior to 0.19.7 **Description** A remote code execution issue exists in the Tauri-based desktop application. An attacker can inject a malicious link into a pull request body; if a user clicks this link, it allows for arbitrary script execution within the Tauri webview. This issue only affects users who have enabled forge integration. **Recommendations** Update to version 0.19.7. Disable forge integration to mitigate the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Tauri versions 2.0 through 2.10.2 **Description** A flaw in the `is local url()` function causes remote URLs to be incorrectly classified as trusted local origins on Windows and Android. On these platforms, Tauri maps custom URI scheme protocols to `http://<scheme>.localhost/` because the WebView implementations cannot serve custom URI schemes directly. The issue arises because the check for local origins only validates the first subdomain of the URL. An attacker can exploit this by hosting a page on a domain where the first subdomain matches the application's custom scheme (e.g., `http://app.attacker.com/`). This allows an attacker-controlled page to invoke backend commands that were intended to be restricted to the application's own frontend and protected from external or remote origins. **Recommendations** Update to version 2.10.3.

Name of the Vulnerable Software and Affected Versions hoppscotch versions prior to 2026.3.0 Description hoppscotch, an open source API development ecosystem, contains a stored Cross-Site Scripting (XSS) issue that could potentially lead to Cross-Site Request Forgery (CSRF). Recommendations Update to version 2026.3.0 or later.

Name of the Vulnerable Software and Affected Versions hoppscotch versions prior to 2026.3.0 Description hoppscotch, an open source API development ecosystem, contains an open redirect flaw. This flaw can result in the theft of tokens, potentially allowing an attacker to compromise user accounts by signing in as the victim. Recommendations Update hoppscotch to version 2026.3.0 or later.

**Name of the Vulnerable Software and Affected Versions** Storybook versions prior to 7.6.23 Storybook versions prior to 8.6.17 Storybook versions prior to 9.1.19 Storybook versions prior to 10.2.10 **Description** Storybook’s dev server WebSocket functionality, used for creating and updating stories, is susceptible to WebSocket hijacking. This issue impacts the dev server only and does not affect production builds. Exploitation requires a developer to visit a malicious website while running the local Storybook dev server. The WebSocket connection lacks origin validation, allowing a malicious site to send WebSocket messages to the local instance without user interaction. If the Storybook dev server is publicly exposed, an unauthenticated attacker can directly send WebSocket messages. The WebSocket message handlers for creating and saving stories are vulnerable to injection through unsanitized input in the `componentFilePath` field, potentially leading to persistent Cross-Site Scripting (XSS) or Remote Code Execution (RCE). **Recommendations** Update Storybook to version 7.6.23 or later. Update Storybook to version 8.6.17 or later. Update Storybook to version 9.1.19 or later. Update Storybook to version 10.2.10 or later.

**Name of the Vulnerable Software and Affected Versions** Astro versions prior to 9.5.4 **Description** Astro, a web framework, is affected by a Server-Side Request Forgery (SSRF) issue in versions prior to 9.5.4. Server-Side Rendered pages returning an error with a prerendered custom error page (such as `404.astro` or `500.astro`) are susceptible. If the `Host:` header is manipulated to point to an attacker's server, it can be fetched when requesting a resource like `/500.html`, allowing redirection to any internal URL and enabling the attacker to read the response body from the initial request. An attacker can access the application without `Host:` header validation, potentially by discovering the origin IP address behind a proxy, and fetch their own server to redirect to internal IP addresses. This allows access to cloud metadata IPs and interaction with services within the internal network or localhost. The issue requires direct access to the server without any intervening proxies. **Recommendations** Update to Astro version 9.5.4 or later.

**Name of the Vulnerable Software and Affected Versions** Langfuse versions 3.146.0 and below **Description** Langfuse is an open source large language model engineering platform. The `/api/public/slack/install` endpoint initiates Slack OAuth using a `projectId` provided by the client without authentication or authorization. The `projectId` is preserved throughout the OAuth flow, and the callback stores installations based on this untrusted metadata. This allows an attacker to bind their Slack workspace to any project and potentially receive changes to prompts stored in Langfuse Prompt Management. An attacker can replace existing Prompt Slack Automation integrations or pre-register a malicious one, though the latter requires an authenticated user to unknowingly configure it despite visible workspace and channel indicators in the UI. **Recommendations** Update to version 3.147.0 or later.