P-

**Name of the Vulnerable Software and Affected Versions** Quarkus version 3.32.4 **Description** An authorization bypass exists where semicolons used as matrix parameters in HTTP requests can circumvent security constraints, potentially granting unauthorized access to protected resources. Unauthenticated or lower-privileged users can bypass HTTP path-based authorization policies by appending a semicolon (`;`) and arbitrary text to the request URL. This occurs due to a path-normalization inconsistency: the security layer performs authorization checks on the raw URL path, while the RESTEasy Reactive routing layer strips matrix parameters before matching endpoints. Consequently, a request to an endpoint like "/api/admin;anything" may bypass policies protecting "/api/admin" while still being routed to that protected endpoint. **Recommendations** Update Quarkus version 3.32.4 to a patched version.

Name of the Vulnerable Software and Affected Versions Frappe versions prior to 16.14.0 and 15.104.0 Description Frappe, a full-stack web application framework, allows unrestricted Doctype access via an API exploit. Recommendations Update to version 16.14.0 or later. Update to version 15.104.0 or later.

**Name of the Vulnerable Software and Affected Versions** Sentry versions prior to 26.1.0 **Description** Sentry is a developer-first error tracking and performance monitoring tool. Versions prior to 26.1.0 have a cross-organization Insecure Direct Object Reference (IDOR) issue in the `GroupEventJsonView` endpoint. An Insecure Direct Object Reference occurs when an application uses user-supplied input to directly access objects, potentially allowing unauthorized access to data. **Recommendations** Update to version 26.1.0 or later.

**Name of the Vulnerable Software and Affected Versions** Sylius versions prior to 2.0.16 Sylius versions prior to 2.1.12 Sylius versions prior to 2.2.3 **Description** Sylius, an Open Source eCommerce Framework on Symfony, contains an authenticated Insecure Direct Object Reference (IDOR) issue in several shop LiveComponents. This is due to unvalidated resource IDs accepted via the #[LiveArg] parameters. Actions accepting resource IDs via #[LiveArg] and loading them with ->find() without ownership validation are affected. Specifically, the Checkout address FormComponent’s `addressFieldUpdated` action accepts an `addressId` via #[LiveArg], potentially exposing another user's personal information including first name, last name, company, phone number, street, city, postcode, and country. The Cart WidgetComponent’s `refreshCart` action and Cart SummaryComponent’s `refreshCart` action both accept a `cartId` via #[LiveArg], allowing direct access to order data such as order total and item count, subtotal, discount, shipping cost, taxes, and order total. Because sylius order contains both active carts and completed orders in the same ID space, the cart IDOR can expose data from all orders. **Recommendations** Update Sylius to version 2.0.16 or later. Update Sylius to version 2.1.12 or later. Update Sylius to version 2.2.3 or later.

**Name of the Vulnerable Software and Affected Versions** Rocket.Chat versions prior to 7.10.8 Rocket.Chat versions prior to 7.11.5 Rocket.Chat versions prior to 7.12.5 Rocket.Chat versions prior to 7.13.4 Rocket.Chat versions prior to 8.0.2 Rocket.Chat versions prior to 8.1.1 Rocket.Chat versions prior to 8.2.0 **Description** Rocket.Chat is a communications platform. A NoSQL injection issue exists in the account service within the ddp-streamer micro service. This allows unauthenticated attackers to manipulate MongoDB queries during authentication. The issue is present in the username-based login flow where user-provided input is directly incorporated into a MongoDB query selector without proper validation. An attacker can inject MongoDB operator expressions, such as `{ $regex: '.*' }`, in place of a username, causing the database query to match unintended user records. The vulnerability affects the ddp-streamer service. **Recommendations** Update Rocket.Chat to version 7.10.8 or later. Update Rocket.Chat to version 7.11.5 or later. Update Rocket.Chat to version 7.12.5 or later. Update Rocket.Chat to version 7.13.4 or later. Update Rocket.Chat to version 8.0.2 or later. Update Rocket.Chat to version 8.1.1 or later. Update Rocket.Chat to version 8.2.0 or later.

**Name of the Vulnerable Software and Affected Versions** Rocket.Chat versions prior to 7.8.6 Rocket.Chat versions prior to 7.9.8 Rocket.Chat versions prior to 7.10.7 Rocket.Chat versions prior to 7.11.4 Rocket.Chat versions prior to 7.12.4 Rocket.Chat versions prior to 7.13.3 Rocket.Chat versions prior to 8.0.0 **Description** Rocket.Chat is a communications platform. A critical issue exists in the account service within the ddp-streamer micro service that allows an attacker to authenticate as any user with a set password, using an arbitrary password. This is due to a missing 'await' keyword when validating passwords asynchronously, resulting in a Promise object being incorrectly evaluated as a successful authentication. This could lead to account takeover if a username is known or can be guessed. **Recommendations** Update Rocket.Chat to version 7.8.6 or later. Update Rocket.Chat to version 7.9.8 or later. Update Rocket.Chat to version 7.10.7 or later. Update Rocket.Chat to version 7.11.4 or later. Update Rocket.Chat to version 7.12.4 or later. Update Rocket.Chat to version 7.13.3 or later. Update Rocket.Chat to version 8.0.0 or later.

**Name of the Vulnerable Software and Affected Versions** Rocket.Chat versions prior to 7.10.8 Rocket.Chat versions prior to 7.11.5 Rocket.Chat versions prior to 7.12.5 Rocket.Chat versions prior to 7.13.4 Rocket.Chat versions prior to 8.0.2 Rocket.Chat versions prior to 8.1.1 Rocket.Chat versions prior to 8.2.0 **Description** Rocket.Chat is a communications platform. Authentication issues exist in the enterprise DDP Streamer service. The `Account.login` method, exposed through the DDP Streamer, does not enforce Two-Factor Authentication (2FA) or validate user account status, allowing deactivated users to log in. These checks are normally required in the standard Meteor login process. **Recommendations** Update to Rocket.Chat version 7.10.8 or later. Update to Rocket.Chat version 7.11.5 or later. Update to Rocket.Chat version 7.12.5 or later. Update to Rocket.Chat version 7.13.4 or later. Update to Rocket.Chat version 8.0.2 or later. Update to Rocket.Chat version 8.1.1 or later. Update to Rocket.Chat version 8.2.0 or later.

**Name of the Vulnerable Software and Affected Versions** NocoDB versions prior to 0.301.3 **Description** NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, comments rendered via `v-html` without sanitization enable stored Cross-Site Scripting (XSS). This allows for the injection of malicious scripts into comments, which are then executed when other users view those comments. The `v-html` directive bypasses standard HTML encoding, potentially allowing attackers to execute arbitrary JavaScript code within the context of the application. **Recommendations** Update to version 0.301.3 or later.

**Name of the Vulnerable Software and Affected Versions** NocoDB versions prior to 0.301.3 **Description** NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, rich text cell content rendered via `v-html` without sanitization allows for stored cross-site scripting (XSS). The issue occurs because content is rendered without proper sanitization, potentially allowing malicious scripts to be executed. **Recommendations** Update to version 0.301.3 or later.

**Name of the Vulnerable Software and Affected Versions** Spree versions prior to 5.0.8 Spree versions prior to 5.1.10 Spree versions prior to 5.2.7 Spree versions prior to 5.3.2 **Description** Spree, an open source e-commerce solution, contains a flaw where unauthenticated users can view completed guest orders using the Order ID. This can lead to the disclosure of Personally Identifiable Information (PII) of guest users, including names, addresses, and phone numbers. The issue stems from the `OrdersController#show` action allowing order lookup by number without requiring the associated order token. The `authorize access` function does not properly enforce authorization for guest orders. An attacker with a leaked Order ID, or through brute-forcing, can access the order details via the `/orders/{id}` API endpoint. The Order IDs are securely generated but have relatively low entropy, potentially making brute-force attacks feasible. **Recommendations** Versions prior to 5.0.8 should be updated to version 5.0.8 or later. Versions prior to 5.1.10 should be updated to version 5.1.10 or later. Versions prior to 5.2.7 should be updated to version 5.2.7 or later. Versions prior to 5.3.2 should be updated to version 5.3.2 or later.

**Name of the Vulnerable Software and Affected Versions** Spree versions prior to 4.10.3 Spree versions prior to 5.0.8 Spree versions prior to 5.1.10 Spree versions prior to 5.2.7 Spree versions prior to 5.3.2 **Description** An IDOR vulnerability exists in Spree Commerce's guest checkout flow. This allows a guest user to manipulate address ID parameters and bind arbitrary guest addresses to their order. This enables unauthorized access to other guests' personally identifiable information (PII), including names, addresses, and phone numbers. The issue bypasses existing ownership validation checks and affects all guest checkout transactions. The vulnerability stems from incomplete authorization validation in Spree’s checkout address assignment logic, specifically in how plain ID parameters (`bill address id` and `ship address id`) are handled without proper validation. The vulnerable assignment logic resides in the `bill address id=` and `ship address id=` setters within the `spree/order/address book.rb` model. These setters check if `address.user id == order.user id`, which evaluates to true for guest orders (nil == nil), effectively bypassing the intended security check. The permitted attributes in `spree/permitted attributes.rb` allow `bill address id` and `ship address id` without validation, and the checkout update process in `spree/order/checkout.rb` applies these parameters directly to the Order model. **Recommendations** Update to Spree version 4.10.3 or later. Update to Spree version 5.0.8 or later. Update to Spree version 5.1.10 or later. Update to Spree version 5.2.7 or later. Update to Spree version 5.3.2 or later.

**Name of the Vulnerable Software and Affected Versions** NocoDB versions prior to 0.301.0 **Description** NocoDB has a stored cross-site scripting (XSS) issue in its attachment handling. Authenticated users can upload malicious SVG files containing embedded JavaScript. These files are rendered inline and executed in the browsers of other users who view the attachment. The root cause is overly permissive MIME type checks and a lack of content sanitization when serving SVG files. Specifically, the `isPreviewAllowed` function in `attachmentHelpers.ts` uses a substring-based check that incorrectly classifies SVG files as safe for preview. The `fileReadv3` endpoint in `attachments.controller.ts` serves these files without sanitization or content-type enforcement, allowing browsers to execute the embedded JavaScript under the NocoDB application’s origin. Successful exploitation can lead to account compromise, data exfiltration, and unauthorized actions performed on behalf of affected users. **Recommendations** Versions prior to 0.301.0 should be updated to version 0.301.0 or later.

**Name of the Vulnerable Software and Affected Versions** NocoDB versions prior to 0.301.0 **Description** An unvalidated redirect, specifically an open redirect, exists in NocoDB’s login flow due to insufficient validation of the `continueAfterSignIn` parameter. During authentication, NocoDB processes a user-controlled redirect value and navigates to the specified URL without restrictions on its origin, domain, or protocol. This allows attackers to redirect authenticated users to arbitrary external websites after login, potentially enabling phishing attacks by exploiting user trust in the legitimate NocoDB login process. The issue does not allow arbitrary code execution or privilege escalation, but it compromises authentication integrity. The vulnerable component uses a regular expression `^(https?:)?///` to validate URLs, which permits any HTTP(S) URL and protocol-relative URLs. The `navigateTo()` function then performs the redirection based on this validation. An attacker can craft a malicious login URL containing a controlled redirect target, such as `https://victim-nocodb.example/#/signin?continueAfterSignIn=https://evil-phishing.com/fake-login`, to redirect users to a phishing site after successful authentication. **Recommendations** Versions prior to 0.301.0 should be updated to version 0.301.0 or later.

Name of the Vulnerable Software and Affected Versions: HomeAssistant-Tapo-Control versions prior to commit 2a3b80f Description: HomeAssistant-Tapo-Control, a component offering control for Tapo cameras within Home Assistant, contained a code injection vulnerability in the GitHub Actions workflow located at `.github/workflows/issues.yml`. The vulnerability stemmed from the direct insertion of user-controlled content from the issue body (`github.event.issue.body`) into a Bash conditional without adequate sanitization. This allowed a malicious GitHub user to craft an issue body capable of executing arbitrary commands on the GitHub Actions runner with elevated privileges upon issue creation. The impact is limited to the repository’s CI/CD environment, potentially exposing repository contents or GitHub Actions secrets. Recommendations: Disable the affected workflow (`issues.yml`). Replace the unsafe Bash comparison with a safe quoted grep or a pure GitHub Actions expression check. Ensure minimal permissions in workflows (permissions: block) to reduce potential impact.

Name of the Vulnerable Software and Affected Versions: OpenKilda versions prior to 1.164.0 Description: OpenKilda, an open-source OpenFlow controller, contains an XML external entity (XXE) injection vulnerability. This vulnerability, in combination with GHSL-2025-024, allows unauthenticated attackers to exfiltrate information from the instance where the OpenKilda UI is running, potentially leading to information disclosure. Recommendations: Update to version 1.164.0 or later.

**Name of the Vulnerable Software and Affected Versions** Umbrel versions prior to 1.2.2 **Description** The login functionality of Umbrel contains a reflected cross-site scripting (XSS) vulnerability in `use-auth.tsx`. An attacker can specify a malicious `redirect` query parameter to trigger the vulnerability. If a JavaScript URL is passed to the `redirect` parameter, the attacker-provided JavaScript will be executed after the user enters their password and clicks on login. **Recommendations** For versions prior to 1.2.2, update to version 1.2.2 or later to resolve the issue. As a temporary workaround, consider disabling the login functionality until a patch is available. Restrict access to the `use-auth.tsx` module to minimize the risk of exploitation. Avoid using the `redirect` parameter in the login functionality until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** OpenC3 COSMOS versions prior to 5.19.0 **Description** A path traversal vulnerability inside of `LocalMode`'s `open local file` method allows an authenticated user with adequate permissions to download any `.txt` via the `ScreensController#show` on the web server COSMOS is running on, depending on the file permissions. This issue may lead to Information Disclosure. **Recommendations** For versions prior to 5.19.0, update to version 5.19.0 to resolve the issue. As a temporary workaround, consider restricting access to the `ScreensController#show` endpoint or limiting the permissions of authenticated users to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** OpenC3 COSMOS Open Source Edition versions prior to 5.19.0 **Description** The login functionality of OpenC3 COSMOS contains a reflected cross-site scripting (XSS) vulnerability. This issue may lead to Remote Code Execution (RCE). The vulnerability affects the Open Source Edition, not the OpenC3 COSMOS Enterprise Edition. **Recommendations** For OpenC3 COSMOS Open Source Edition versions prior to 5.19.0, update to version 5.19.0 to resolve the issue. As a temporary workaround, consider restricting access to the login functionality until the update is applied.

**Name of the Vulnerable Software and Affected Versions** OpenC3 COSMOS versions prior to 5.19.0 **Description** OpenC3 COSMOS stores the password of a user unencrypted in the LocalStorage of a web browser. This makes the user password susceptible to exfiltration via Cross-site scripting. The issue may lead to Information Disclosure. This only affects Open Source edition, and not OpenC3 COSMOS Enterprise Edition. **Recommendations** For versions prior to 5.19.0, update to version 5.19.0 to resolve the issue. As a temporary workaround, consider clearing the LocalStorage of the web browser to minimize the risk of password exfiltration. Restrict access to sensitive data and embedded systems until the update is applied.

**Name of the Vulnerable Software and Affected Versions** openHAB versions prior to 4.2.1 **Description** The issue concerns the CometVisu add-on of openHAB, which has file system endpoints that do not require authentication. Additionally, the endpoint to update an existing file is susceptible to path traversal, making it possible for an attacker to overwrite existing files on the openHAB instance. If the overwritten file is a shell script that is executed at a later time, this can allow remote code execution by an attacker. **Recommendations** For openHAB versions prior to 4.2.1, upgrade to version 4.2.1 to receive a patch. As a temporary workaround, consider restricting access to the file system endpoints to minimize the risk of exploitation. Avoid using the endpoint to update an existing file until the issue is resolved.