Richardoc

**Name of the Vulnerable Software and Affected Versions** Skill-scanner versions 1.0.1 and earlier **Description** Skill Scanner is a security scanner for AI Agent Skills designed to detect prompt injection, data exfiltration, and malicious code patterns. A flaw in the API Server component could permit an unauthenticated, remote attacker to interact with the server's API. This interaction could result in a denial-of-service (DoS) condition or the uploading of arbitrary files. The root cause of this issue is an incorrect binding to multiple interfaces. An attacker can exploit this by sending API requests to a device that exposes the affected API Server. A successful exploit could lead to excessive resource consumption (memory starvation) or unauthorized file uploads to arbitrary folders on the compromised device. The API Server is not enabled by default. **Recommendations** Upgrade to Skill-scanner version 1.0.2 or later to resolve this issue.

Name of the Vulnerable Software and Affected Versions: screenshot-desktop versions prior to 1.15.2 Description: screenshot-desktop is susceptible to a command injection issue. User-controlled input provided to the `format` option of the screenshot function is interpolated into a shell command without proper sanitization, leading to arbitrary command execution with the privileges of the calling process. Recommendations: Update to version 1.15.2 or later.

**Name of the Vulnerable Software and Affected Versions** kube-audit-rest versions prior to 1.0.16 **Description** The issue concerns a simple logger of mutation/creation requests to the k8s API, where the previous values of Kubernetes secrets would have been disclosed in the audit messages if the "full-elastic-stack" example vector configuration was used for a real cluster. **Recommendations** For versions prior to 1.0.16, update to version 1.0.16 to fix the issue. As a temporary workaround, replace the existing configuration in the vector "audit-files-json-parser-and-redaction" step with the updated configuration that redacts secret data and removes previously set secret data.

**Name of the Vulnerable Software and Affected Versions** AuthKit library for Next.js versions prior to 0.13.2 **Description** The issue concerns the logging of refresh tokens to the console when the `debug` flag is enabled. This flag is disabled by default. There are no known workarounds for this issue. **Recommendations** For versions prior to 0.13.2, upgrade to version 0.13.2 to resolve the issue. As a temporary workaround, consider disabling the `debug` flag until the upgrade is applied.