DedeCMS Arbitrary Code Execution Vulnerability Volerion Risk Score: 7.8 Why this matters An input validation flaw in the array_filter component of DedeCMS (versions through 5.7.118) allows unauthenticated remote attackers to execute arbitrary code on the server. Successful exploitation grants full control of the underlying system, posing a severe threat to data integrity and service availability. Recommended actions Volerion has not observed any remediation so far. Affected products &...
6 days ago • 1 min read
libsoup Integer Underflow Vulnerability Leading to Buffer Overread and Denial-of-Service Volerion Risk Score: 8.1 Why this matters An integer underflow affecting libsoup 3.6.1 and later allows a buffer overread when zero-length resources are processed. A remote, unauthenticated attacker can trigger this flaw to crash applications that rely on libsoup, or potentially read data held in adjacent memory, causing denial of service and information exposure. Recommended actions Upgrade to the latest...
6 days ago • 1 min read
mkj Dropbear Signature Verification Vulnerability in Curve25519 Component Volerion Risk Score: 8.6 Why this matters A signature malleability flaw in Dropbear SSH (versions ≤ 2025.89) lets remote attackers craft alternate Ed25519 signatures that pass verification in the unpackneg function of src/curve25519.c. Successful exploitation breaks signature uniqueness, undermining security controls or audit logs that rely on distinct signatures for integrity. Recommended actions Apply the vendor patch...
17 days ago • 1 min read
Fiber Path Traversal Vulnerability Allowing Arbitrary File Read on Windows Volerion Risk Score: 7.6 Why this matters A path traversal flaw in Gofiber Fiber versions ≤ 3.0.0 on Windows allows unauthenticated remote attackers to bypass static middleware sanitization by abusing double-encoded backslashes. Successful exploitation lets attackers read arbitrary files outside the web root, potentially exposing application secrets, configuration files, or other sensitive data. Recommended actions...
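The following is an added example, not Fiber's code, showing the general pattern behind the summary above: a resolver that percent-decodes once and normalises only on "/" approves a double-encoded backslash sequence that a later decode, or Windows path handling, turns into traversal. The document root, the attack path and the use of ntpath to stand in for the Windows layer are assumptions made for the illustration.

```python
"""Added example (not Fiber's code): why a single percent-decode plus '/'-only
normalisation is bypassable with double-encoded backslashes, and a hardened resolver."""
import ntpath
import posixpath
from typing import Optional
from urllib.parse import unquote

ROOT = "/srv/static"  # assumed document root for the example

# Constructed attack path: "%255c" is a double-encoded backslash ("%5c" -> "\").
ATTACK = "..%255c..%255cwindows/win.ini"
BENIGN = "css/app.css"


def vulnerable_resolve(raw_path: str) -> str:
    """Decode once, join, normalise on '/' only, then prefix-check.

    '..%5c' survives as an opaque segment, so the check passes even though a
    later decode (or a Windows API treating '\\' as a separator) escapes the root.
    """
    once = unquote(raw_path)
    full = posixpath.normpath(posixpath.join(ROOT, once.lstrip("/")))
    if full != ROOT and not full.startswith(ROOT + "/"):
        raise ValueError("traversal detected")
    return full


def decode_fully(path: str, max_rounds: int = 4) -> str:
    """Percent-decode until the value stops changing; refuse pathological depth."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            return path
        path = decoded
    raise ValueError("too many encoding layers")


def hardened_resolve(raw_path: str) -> Optional[str]:
    """Fully decode, treat '\\' like '/', reject NUL, then normalise and
    prefix-check. Returns the resolved path, or None when the request is rejected."""
    try:
        p = decode_fully(raw_path)
    except ValueError:
        return None
    if "\x00" in p:
        return None
    p = p.replace("\\", "/")  # on Windows both characters separate segments
    full = posixpath.normpath(posixpath.join(ROOT, p.lstrip("/")))
    if full != ROOT and not full.startswith(ROOT + "/"):
        return None
    return full


def where_windows_actually_opens(resolved: str) -> str:
    """Simulate a downstream layer that decodes again and applies Windows path
    rules (ntpath) to the path the first layer approved."""
    return ntpath.normpath(unquote(resolved))
```

The point is that the prefix check in vulnerable_resolve is not wrong in itself; it is applied to a representation that is not yet the one the filesystem will see. Decoding to a fixed point and canonicalising both separators before the check closes that gap.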
29 days ago • 1 min read
GNU Inetutils Telnetd Remote Authentication Bypass Vulnerability Volerion Risk Score: 8 Why this matters A flaw in GNU Inetutils telnetd (versions 1.9.3–2.7) lets a remote client bypass authentication entirely by sending the environment variable USER with the value "-f root". Successful exploitation grants a shell running as root, enabling full system compromise without any credentials. Recommended actions Disable the telnetd service entirely whenever possible. If telnet access is required, configure a custom...
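As an added example that is not inetutils code, the block below models the class of bug described above: a client-controlled username value reaches a login command line and is parsed as an option. The login path, the whitespace splitting of the value and the username policy are assumptions for the illustration; the meaning of login's -f option (skip authentication, user is preauthenticated) is documented behaviour.

```python
"""Added example (not inetutils code): a client-supplied username that is
spliced into a login command line, and the validation that stops it."""
import re
from typing import List, Optional

# Conservative POSIX-style username pattern (assumed policy for the example).
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
LOGIN = "/bin/login"  # assumed path


def vulnerable_login_argv(remote_host: str, user_env: Optional[str]) -> List[str]:
    """Splice the raw USER value into the command line.

    Assumes the value is split on whitespace the way a shell or a naive argv
    builder would; "-f root" then becomes the option "-f" with operand "root",
    which login(1) interprets as "already authenticated, log in root".
    """
    argv = [LOGIN, "-h", remote_host, "-p"]
    if user_env:
        argv += user_env.split()
    return argv


def is_valid_username(value: str) -> bool:
    """Accept only values matching the username policy."""
    return bool(USERNAME_RE.match(value))


def hardened_login_argv(remote_host: str, user_env: Optional[str]) -> List[str]:
    """Pass the value through only when it matches the policy; anything else is
    dropped so login prompts for a name interactively instead."""
    argv = [LOGIN, "-h", remote_host, "-p"]
    if user_env and is_valid_username(user_env):
        argv.append(user_env)
    return argv


def looks_like_option_injection(user_env: str) -> bool:
    """Detection helper for logs or IDS rules: a username that starts with '-'
    or contains whitespace is never legitimate."""
    return user_env.startswith("-") or any(c.isspace() for c in user_env)
```

The same rule applies wherever untrusted text is placed next to a privileged program's arguments: validate against an allow-list of characters before the value is built into argv, rather than trying to strip option syntax afterwards.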
2 months ago • 1 min read
libsoup WebSocket Out-of-Bounds Read Vulnerability Volerion Risk Score: 8.2 Why this matters When max_incoming_payload_size is left unset (or set to 0), a remote attacker can send crafted WebSocket frames that cause the libsoup function process_frame() to read outside a buffer. This out-of-bounds read may crash applications using libsoup or leak memory contents, exposing sensitive information and setting the stage for more severe exploits. Recommended actions Configure applications to set...
2 months ago • 1 min read
OWASP Core Rule Set Multipart Request Processing Vulnerability in Rule 922110 Volerion Risk Score: 7.4 Why this matters In affected versions of the OWASP Core Rule Set (CRS), rule 922110 keeps only the last Content-Type charset it encounters when inspecting multipart requests. An attacker can therefore smuggle a malicious charset (e.g. utf-7) into an earlier part and overwrite it with a benign value later in the request, bypassing the intended WAF protection and allowing harmful payloads to...
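The block below is an added example, not CRS code or rule syntax, that reproduces the bookkeeping difference the summary describes: keeping only the last Content-Type charset seen across multipart parts versus collecting all of them. The multipart body, boundary and charset allow-list are constructed for the example.

```python
"""Added example (not CRS code): last-charset-wins versus collecting every
charset declared across the parts of a multipart request."""
import re
from typing import List, Optional

CHARSET_RE = re.compile(r"charset\s*=\s*\"?([A-Za-z0-9._-]+)", re.IGNORECASE)
ALLOWED_CHARSETS = {"utf-8", "iso-8859-1", "us-ascii"}  # assumed allow-list

BOUNDARY = "xYzZY"
# Constructed request body: the first part declares utf-7, the last part utf-8.
BODY = (
    "--xYzZY\r\n"
    'Content-Disposition: form-data; name="comment"\r\n'
    "Content-Type: text/plain; charset=utf-7\r\n"
    "\r\n"
    "+ADw-script+AD4-alert(1)+ADw-/script+AD4-\r\n"
    "--xYzZY\r\n"
    'Content-Disposition: form-data; name="note"\r\n'
    "Content-Type: text/plain; charset=utf-8\r\n"
    "\r\n"
    "harmless\r\n"
    "--xYzZY--\r\n"
).encode("ascii")


def split_parts(body: bytes, boundary: str) -> List[bytes]:
    """Split on the dash-boundary; drop the preamble and the closing-delimiter remainder."""
    delim = b"--" + boundary.encode("ascii")
    chunks = body.split(delim)
    return [c for c in chunks[1:] if not c.startswith(b"--")]


def part_charset(part: bytes) -> Optional[str]:
    """Return the charset parameter of the part's Content-Type header, if any."""
    head, _sep, _body = part.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"content-type:"):
            m = CHARSET_RE.search(line.decode("latin-1"))
            return m.group(1).lower() if m else None
    return None


def last_charset_wins(body: bytes, boundary: str) -> Optional[str]:
    """The weak bookkeeping described on the page: each charset overwrites the previous."""
    seen = None
    for part in split_parts(body, boundary):
        cs = part_charset(part)
        if cs is not None:
            seen = cs
    return seen


def all_charsets(body: bytes, boundary: str) -> List[str]:
    """Collect every charset declared by any part, in order."""
    return [cs for cs in (part_charset(p) for p in split_parts(body, boundary)) if cs is not None]


def blocked(charsets) -> bool:
    """Block if any declared charset is outside the allow-list."""
    return any(cs not in ALLOWED_CHARSETS for cs in charsets)
```

With the constructed body, the last-wins view sees only utf-8 and lets the request through, while the per-part view sees utf-7 on the first part and blocks it; the application, which decodes each part with its own charset, would otherwise process the utf-7 payload.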
3 months ago • 1 min read
cpp-httplib CRLF Injection Vulnerability in Header Processing Allowing SSRF Volerion Risk Score: 7.7 Why this matters cpp-httplib versions ≤ 0.29.0 fail to sanitize carriage return and line feed characters in user-supplied header values. A remote attacker can inject additional headers, alter the HTTP request body, and leverage the issue for server-side request forgery (SSRF) against back-end systems that interpret pipelined requests. Recommended actions Upgrade to cpp-httplib 0.30.0 or later,...
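As an added example that is not cpp-httplib code, the block below serialises an outbound request with an attacker-controlled header value and shows how unsanitised CR/LF turns one request into two on the wire, next to the check that rejects such values. The request target, host names and injected value are constructed for the illustration.

```python
"""Added example (not cpp-httplib code): CRLF in a header value splitting one
outbound request into two, and the validation that prevents it."""
from typing import Dict, Optional

BAD_HEADER_CHARS = ("\r", "\n", "\x00")


def build_request(method: str, path: str, host: str, headers: Dict[str, str]) -> bytes:
    """Naive serialiser: header names and values are interpolated verbatim."""
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}"]
    lines += [f"{name}: {value}" for name, value in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def is_safe_header_value(value: str) -> bool:
    """Reject CR, LF and NUL, the characters that can end a header or a header block."""
    return not any(c in value for c in BAD_HEADER_CHARS)


def build_request_hardened(method: str, path: str, host: str,
                           headers: Dict[str, str]) -> Optional[bytes]:
    """Same serialiser, but refuses any header name or value that fails the
    check instead of emitting it. Returns None on rejection."""
    for name, value in headers.items():
        if not (is_safe_header_value(name) and is_safe_header_value(value)):
            return None
    return build_request(method, path, host, headers)


def count_request_lines(raw: bytes) -> int:
    """How many request lines a pipelining back end would parse out of these bytes."""
    return sum(1 for line in raw.split(b"\r\n") if line.endswith(b" HTTP/1.1"))


# Constructed attacker-controlled value: closes the header block of the intended
# request and smuggles a second request aimed at an internal address.
INJECTED = "bar\r\nContent-Length: 0\r\n\r\nGET /admin/users HTTP/1.1\r\nHost: 10.0.0.5"
```

Stripping the bare characters is a weaker fix than rejecting the value: a client that silently rewrites "\r\n" still sends a request the caller did not intend, and callers never learn that their input was tampered with.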
3 months ago • 1 min read
Parse Server Elevated Permissions Vulnerability in GitHub Actions Workflow Volerion Risk Score: 7.5 Why this matters A GitHub Actions workflow in Parse Server versions prior to 8.6.0-alpha.2 runs with elevated permissions. When triggered from a fork, the workflow can access repository secrets and obtain write access, allowing attackers to exfiltrate confidential information or inject malicious code into the project’s CI/CD pipeline. Recommended actions Upgrade Parse Server to 8.6.0-alpha.2 or...
3 months ago • 1 min read