Reindaelman

Name of the Vulnerable Software and Affected Versions hoppscotch versions prior to 2026.3.0 Description hoppscotch, an open source API development ecosystem, contains an open redirect flaw. This flaw can result in the theft of tokens, potentially allowing an attacker to compromise user accounts by signing in as the victim. Recommendations Update hoppscotch to version 2026.3.0 or later.

Name of the Vulnerable Software and Affected Versions hoppscotch versions prior to 2026.3.0 Description hoppscotch, an open source API development ecosystem, contains a stored Cross-Site Scripting (XSS) issue that could potentially lead to Cross-Site Request Forgery (CSRF). Recommendations Update to version 2026.3.0 or later.

**Name of the Vulnerable Software and Affected Versions** Storybook versions prior to 7.6.23 Storybook versions prior to 8.6.17 Storybook versions prior to 9.1.19 Storybook versions prior to 10.2.10 **Description** Storybook’s dev server WebSocket functionality, used for creating and updating stories, is susceptible to WebSocket hijacking. This issue impacts the dev server only and does not affect production builds. Exploitation requires a developer to visit a malicious website while running the local Storybook dev server. The WebSocket connection lacks origin validation, allowing a malicious site to send WebSocket messages to the local instance without user interaction. If the Storybook dev server is publicly exposed, an unauthenticated attacker can directly send WebSocket messages. The WebSocket message handlers for creating and saving stories are vulnerable to injection through unsanitized input in the `componentFilePath` field, potentially leading to persistent Cross-Site Scripting (XSS) or Remote Code Execution (RCE). **Recommendations** Update Storybook to version 7.6.23 or later. Update Storybook to version 8.6.17 or later. Update Storybook to version 9.1.19 or later. Update Storybook to version 10.2.10 or later.

**Name of the Vulnerable Software and Affected Versions** Astro versions prior to 9.5.4 **Description** Astro, a web framework, is affected by a Server-Side Request Forgery (SSRF) issue in versions prior to 9.5.4. Server-Side Rendered pages returning an error with a prerendered custom error page (such as `404.astro` or `500.astro`) are susceptible. If the `Host:` header is manipulated to point to an attacker's server, it can be fetched when requesting a resource like `/500.html`, allowing redirection to any internal URL and enabling the attacker to read the response body from the initial request. An attacker can access the application without `Host:` header validation, potentially by discovering the origin IP address behind a proxy, and fetch their own server to redirect to internal IP addresses. This allows access to cloud metadata IPs and interaction with services within the internal network or localhost. The issue requires direct access to the server without any intervening proxies. **Recommendations** Update to Astro version 9.5.4 or later.

**Name of the Vulnerable Software and Affected Versions** Langfuse versions 3.146.0 and below **Description** Langfuse is an open source large language model engineering platform. The `/api/public/slack/install` endpoint initiates Slack OAuth using a `projectId` provided by the client without authentication or authorization. The `projectId` is preserved throughout the OAuth flow, and the callback stores installations based on this untrusted metadata. This allows an attacker to bind their Slack workspace to any project and potentially receive changes to prompts stored in Langfuse Prompt Management. An attacker can replace existing Prompt Slack Automation integrations or pre-register a malicious one, though the latter requires an authenticated user to unknowingly configure it despite visible workspace and channel indicators in the UI. **Recommendations** Update to version 3.147.0 or later.

Name of the Vulnerable Software and Affected Versions: Confidant versions prior to 6.6.2 Description: The issue is a cross-site scripting (XSS) vulnerability that affects various API endpoints in Confidant, an open-source secret management service. These endpoints include `GET /v1/credentials`, `GET /v1/credentials/`, `GET /v1/archive/credentials/`, `GET /v1/archive/credentials`, `POST /v1/credentials`, `PUT /v1/credentials/`, `PUT /v1/credentials//<to revision>`, `GET /v1/services`, `GET /v1/services/`, `GET /v1/archive/services/`, `GET /v1/archive/services`, `PUT /v1/services/`, and `PUT /v1/services//<to revision>`. An attacker needs to be authenticated and have privileges to create new credentials to exploit this vulnerability, which could allow them to show information and run scripts on other users within the same Confidant instance. Recommendations: For versions prior to 6.6.2, upgrade to version 6.6.2 to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable API endpoints until the upgrade can be applied. Avoid using the affected endpoints for creating or managing credentials and services until the issue is resolved. There are no known workarounds for this vulnerability other than upgrading to the patched version.