Y4Tacker

**Name of the Vulnerable Software and Affected Versions** Qwik versions prior to 1.19.2 **Description** Qwik is a JavaScript framework where versions before 1.19.2 incorrectly interpreted arrays from dotted form field names during FormData parsing. An attacker could submit mixed array-index and object-property keys for the same path, potentially writing user-controlled properties onto values expected to be arrays. When processing `application/x-www-form-urlencoded` or `multipart/form-data` requests, Qwik City converted dotted field names (e.g., `items.0`, `items.1`) into nested structures. If a path was interpreted as an array, additional attacker-supplied keys—such as `items.toString`, `items.push`, `items.valueOf`, or `items.length`—could alter the server-side value unexpectedly. This could lead to request handling failures, denial of service through malformed array state or oversized lengths, and type confusion in downstream code. The issue affects form parsing in Qwik City request handling and does not require authentication if the vulnerable route is publicly accessible. An attacker can send crafted form submissions that cause parsed input to differ from the application’s expected shape, potentially triggering runtime errors or causing type confusion. **Recommendations** Update to Qwik version 1.19.2 or later. Avoid trusting parsed form data to be a well-formed array when using dotted field names. Validate or normalize action input before using array methods or relying on array shape.

**Name of the Vulnerable Software and Affected Versions** Cursor versions prior to 2.0 **Description** Cursor is a code editor designed for programming with AI. Prior to version 2.0, if a visited website contained maliciously crafted instructions, the model could attempt to follow them to assist the user. When combined with a bypass of the command whitelist mechanism, these indirect prompt injections could result in commands being executed automatically, without the user’s explicit intent, posing a significant security risk. **Recommendations** Update to version 2.0 or later.

**Name of the Vulnerable Software and Affected Versions** Apache Shiro versions 1.* Apache Shiro versions 2.* through 2.0.6 **Description** An observable timing discrepancy exists in Apache Shiro. Before version 2.0.7, the code paths used for non-existent and existing users differ sufficiently, allowing a brute-force attack to determine if a request fails due to an invalid user or an incorrect password by measuring request timing. The most likely attack vector is a local attack. This issue is related to username enumeration, as discussed in the Shiro security model. Brute force attacks can typically be mitigated at the infrastructure level. **Recommendations** Upgrade to Apache Shiro version 2.0.7 or later.

**Name of the Vulnerable Software and Affected Versions** Cursor versions 1.7 and earlier **Description** Cursor, a code editor for programming with AI, has an issue where, when using OAuth authentication with an untrusted MCP server, an attacker can impersonate a malicious server and inject commands. This can lead to command injection and potential remote code execution. If combined with an untrusted MCP service via OAuth, this could allow arbitrary code execution on the host with full user privileges. The vulnerable process involves interaction during OAuth authentication, where crafted commands are returned by the malicious server. The API endpoint used for OAuth authentication is susceptible to manipulation. The `MCP` server is involved in the authentication process. **Recommendations** Apply patch 2025.09.17-25b418f.

**Name of the Vulnerable Software and Affected Versions** Apache ZooKeeper versions 3.9.0 through 3.9.2 **Description** The issue is related to the IPAuthenticationProvider in the ZooKeeper Admin Server, which allows for authentication bypass via spoofing. This impacts IP-based authentication and is due to the default configuration using HTTP request headers to detect the client's IP address, specifically honoring the X-Forwarded-For HTTP header. This can be easily spoofed by an attacker, allowing them to bypass authentication. Successful exploitation could lead to information leakage or service availability issues, as Admin Server commands like snapshot and restore can be executed arbitrarily. **Recommendations** For Apache ZooKeeper versions 3.9.0 through 3.9.2, upgrade to version 3.9.3 to fix the issue. As a temporary workaround, consider restricting access to the IPAuthenticationProvider or disabling the use of X-Forwarded-For HTTP headers to minimize the risk of exploitation. Avoid using the X-Forwarded-For request header in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Apache OFBiz versions through 18.12.14 **Description** This issue affects Apache OFBiz, allowing unauthenticated endpoints to execute screen rendering code of screens if certain preconditions are met, such as when screen definitions do not explicitly check user permissions. The vulnerability is related to incorrect authorization and can lead to remote code execution. It is being actively exploited, and proof-of-concept exploits are available. Users are recommended to upgrade to version 18.12.15 to fix the issue. **Recommendations** Apache OFBiz versions through 18.12.14: Upgrade to version 18.12.15 to resolve the issue. As a temporary workaround, consider restricting access to unauthenticated endpoints to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Apache DolphinScheduler versions prior to 3.2.1 **Description** The issue is related to the exposure of sensitive information to an unauthorized actor. Users are advised to ensure that logs are only available to trusted operators as a temporary measure. **Recommendations** For versions prior to 3.2.1, upgrade to version 3.2.1 when it becomes available, as it fixes the issue. In the meantime, make sure the logs are only available to trusted operators.

**Name of the Vulnerable Software and Affected Versions** Apache Derby versions prior to 10.17.1.0 **Description** A cleverly devised username might bypass LDAP authentication checks. In LDAP-authenticated Derby installations, this could let an attacker fill up the disk by creating junk Derby databases. In LDAP-authenticated Derby installations, this could also allow the attacker to execute malware which was visible to and executable by the account which booted the Derby server. In LDAP-protected databases which weren't also protected by SQL GRANT/REVOKE authorization, this vulnerability could also let an attacker view and corrupt sensitive data and run sensitive database functions and procedures. **Recommendations** To resolve the issue, users should upgrade to Java 21 and Derby 10.17.1.0. Alternatively, users who wish to remain on older Java versions should build their own Derby distribution from one of the release families to which the fix was backported: 10.16, 10.15, and 10.14. Those are the releases which correspond, respectively, with Java LTS versions 17, 11, and 8.

**Name of the Vulnerable Software and Affected Versions** Apache DolphinScheduler versions prior to 3.2.1 **Description** The issue is related to the exposure of Remote Code Execution in Apache DolphinScheduler, which can be exploited by a remote attacker to execute arbitrary code. This could potentially lead to complete system compromise, data extraction, and lateral movement within the network. The issue is caused by incorrect code generation management. **Recommendations** To resolve the issue, upgrade Apache DolphinScheduler to version 3.2.1, which fixes the issue. As a temporary workaround, consider restricting access to the system until the upgrade is applied.

**Name of the Vulnerable Software and Affected Versions** Oracle WebLogic Server versions 12.2.1.3.0 through 12.2.1.4.0 **Description** The issue allows an unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks can result in unauthorized update, insert, or delete access to some of Oracle WebLogic Server's accessible data, as well as unauthorized read access to a subset of Oracle WebLogic Server's accessible data and the ability to cause a partial denial of service of Oracle WebLogic Server. This is due to insufficient input validation in the Core component. **Recommendations** For versions 12.2.1.3.0 and 12.2.1.4.0, update to a version that includes the fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Apache Kafka Connect versions prior to 3.4.0 Apache Kafka versions 2.3.0 through 3.3.x Bitbucket Data Center and Server versions 7.21.0 through 8.12.0 **Description** A possible security vulnerability has been identified in Apache Kafka Connect API. This requires access to a Kafka Connect worker, and the ability to create/modify connectors on it with an arbitrary Kafka client SASL JAAS config and a SASL-based security protocol. When configuring the connector via the Kafka Connect REST API, an authenticated operator can set the `sasl.jaas.config` property for any of the connector's Kafka clients to "com.sun.security.auth.module.JndiLoginModule", which can be done via the `producer.override.sasl.jaas.config`, `consumer.override.sasl.jaas.config`, or `admin.override.sasl.jaas.config` properties. This will allow the server to connect to the attacker's LDAP server and deserialize the LDAP response, which the attacker can use to execute java deserialization gadget chains on the Kafka connect server. Attacker can cause unrestricted deserialization of untrusted data (or) RCE vulnerability when there are gadgets in the classpath. **Recommendations** For Apache Kafka Connect versions prior to 3.4.0, upgrade to Apache Kafka Connect 3.4.0 or later. For Bitbucket Data Center and Server versions 7.21.0 through 8.12.0, upgrade to the specified supported fixed versions: * Bitbucket Data Center and Server 7.21: Upgrade to a release greater than or equal to 7.21.16 * Bitbucket Data Center and Server 8.9: Upgrade to a release greater than or equal to 8.9.4 * Bitbucket Data Center and Server 8.10: Upgrade to a release greater than or equal to 8.10.4 * Bitbucket Data Center and Server 8.11: Upgrade to a release greater than or equal to 8.11.3 * Bitbucket Data Center and Server 8.12: Upgrade to a release greater than or equal to 8.12.1 As a temporary workaround, consider disabling the `com.sun.security.auth.module.JndiLoginModule` in the SASL JAAS configuration. Restrict access to the Kafka Connect REST API to minimize the risk of exploitation. Validate connector configurations and only allow trusted JNDI configurations. Examine connector dependencies for vulnerable versions and either upgrade their connectors, upgrading that specific dependency, or removing the connectors as options for remediation.

**Name of the Vulnerable Software and Affected Versions** Oracle WebLogic Server versions 12.2.1.3.0 through 12.2.1.4.0 Oracle WebLogic Server version 14.1.1.0.0 **Description** The issue is related to insufficient input validation in the Core component of Oracle WebLogic Server, allowing an unauthenticated attacker with network access via T3, IIOP to compromise the server. Successful attacks can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. It is estimated that millions of servers worldwide are affected, with 166,000 in Brazil alone. **Recommendations** For Oracle WebLogic Server versions 12.2.1.3.0 through 12.2.1.4.0, update to a version that includes the fix released by Oracle on January 24. For Oracle WebLogic Server version 14.1.1.0.0, update to a version that includes the fix released by Oracle on January 24. As a temporary workaround, consider restricting access to the T3 and IIOP protocols to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Apache XML Graphics versions prior to 1.16 Confluence Data Center and Server versions 7.13.0 through 7.19.0, specifically versions prior to 7.19.16 **Description** A vulnerability in the Apache Batik library for working with SVG images is related to insufficient checking of incoming requests. This issue allows an attacker to run untrusted Java code from an SVG, potentially enabling remote execution of arbitrary Java code. The estimated impact of this issue is high, with potential exposure of assets in the environment susceptible to exploitation, affecting confidentiality. **Recommendations** For Apache XML Graphics versions prior to 1.16, update to version 1.16. For Confluence Data Center and Server versions 7.13.0 through 7.19.0, upgrade to a release greater than or equal to 7.19.16. As a temporary workaround, consider restricting the use of SVG images in your environment until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Apache XML Graphics versions prior to 1.16 Confluence Data Center and Server versions 7.13.0 and 7.19.0 **Description** A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. This issue is related to insufficient checking of incoming requests. The exploitation of this issue may allow a remote attacker to execute arbitrary Java code. **Recommendations** For Apache XML Graphics versions prior to 1.16, upgrade to version 1.16. For Confluence Data Center and Server version 7.19, upgrade to a release greater than or equal to 7.19.16.

**Name of the Vulnerable Software and Affected Versions** Oracle WebLogic Server versions 12.2.1.3.0 through 12.2.1.4.0 Oracle WebLogic Server version 14.1.1.0.0 **Description** The issue allows a high privileged attacker with logon to the infrastructure where Oracle WebLogic Server executes to compromise Oracle WebLogic Server. Successful attacks can result in unauthorized ability to cause a hang or frequently repeatable crash of Oracle WebLogic Server, as well as unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data and unauthorized read access to a subset of Oracle WebLogic Server accessible data. **Recommendations** For Oracle WebLogic Server versions 12.2.1.3.0 and 12.2.1.4.0, update to a version that includes the fix for this issue. For Oracle WebLogic Server version 14.1.1.0.0, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the Web Container component to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Apache Shiro versions prior to 1.10.0 **Description** The issue is related to an authentication bypass vulnerability in Apache Shiro when forwarding or including via RequestDispatcher. **Recommendations** For versions prior to 1.10.0, update to version 1.10.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Pebble Templates version 3.1.5 **Description** The issue allows attackers to bypass a protection mechanism and implement arbitrary code execution with springbok. It is noted that the vendor disputes this, as input to the Pebble templating engine is intended to include arbitrary Java code. The vendor suggests that either the input should not arrive from an untrusted source, or else the application using the engine should apply restrictions to the input, as the engine is not responsible for validating the input. **Recommendations** For version 3.1.5, consider applying restrictions to the input of the Pebble templating engine to prevent arbitrary code execution, or ensure that the input does not arrive from an untrusted source. As a temporary workaround, consider restricting the use of the springbok functionality until a more robust solution is implemented.

**Name of the Vulnerable Software and Affected Versions** Oracle WebLogic Server versions 12.2.1.3.0 through 12.2.1.4.0 Oracle WebLogic Server version 14.1.1.0.0 **Description** The issue is related to insufficient input validation in the Web Container component of Oracle WebLogic Server, allowing a high-privileged attacker with logon access to the infrastructure to compromise the server. Successful attacks can result in unauthorized access to critical data or all accessible data, including creation, deletion, or modification of data. **Recommendations** For Oracle WebLogic Server versions 12.2.1.3.0 and 12.2.1.4.0, update to a version that includes the fix for this issue. For Oracle WebLogic Server version 14.1.1.0.0, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the Web Container component to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Piwigo versions 12.x **Description** A Cross Site Scripting (XSS) issue exists via the `pwg activity` function in `include/functions.inc.php`. This allows for potential malicious script execution. **Recommendations** For Piwigo versions 12.x, consider disabling the `pwg activity` function as a temporary workaround until a patch is available. Restrict access to the `include/functions.inc.php` file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ThinkPHP versions 3.x.x **Description** A Remote Code Execution (RCE) issue exists via the `value[ filename]` in index.php, allowing a malicious user to obtain server control privileges. **Recommendations** For ThinkPHP versions 3.x.x, update to a version that fixes this issue to prevent exploitation. As a temporary workaround, consider restricting access to the index.php file or disabling the `value[ filename]` parameter to minimize the risk of exploitation.