Traefik affected by TLS ClientAuth Bypass on HTTP/3
There is a potential vulnerability in how Traefik manages HTTP/3 connections. See CVE-2025-68121 for details.
This site offers a simple way to search for advisories in the GitLab Advisory Database. The database contains information about security issues in software dependencies that you might be using in your projects.
GitLab’s Dependency Scanning feature also utilizes this database to scan your application’s dependencies for known vulnerabilities.
A Stored Cross-Site Scripting (XSS) vulnerability in Sync-in Server before 1.9.3 allows an authenticated attacker to execute arbitrary JavaScript in a victim's browser. By uploading a crafted SVG file containing a malicious payload, an attacker can access and exfiltrate sensitive information, including the user's session cookies.
A timing-based username-enumeration vulnerability in Basic Authentication, caused by an early response on invalid usernames, could allow attackers to identify valid users and focus targeted brute-force or credential-stuffing attacks on them.
Ray’s dashboard HTTP server blocks browser-origin POST/PUT but does not cover DELETE, and key DELETE endpoints are unauthenticated by default. If the dashboard/agent is reachable (e.g., --dashboard-host=0.0.0.0), a web page via DNS rebinding or same-network access can issue DELETE requests that shut down Serve or delete jobs without user interaction. This is a drive-by availability impact.
Potential unintentional disclosure of local files from the packaging machine into a generated .skill artifact. Requires local execution of the packaging script on attacker-controlled skill contents.
- Local ACP sessions may become less responsive when very large prompts are submitted.
- Larger-than-expected model usage/cost when oversized text is forwarded.
- No privilege escalation and no direct remote attack path in the default ACP model.
This advisory has been marked as a false positive.
This advisory has been marked as False Positive and has been removed.
An issue was discovered in OpenStack Nova before 30.2.2, 31 before 31.2.1, and 32 before 32.1.1. By writing a malicious QCOW header to a root or ephemeral disk and then triggering a resize, a user may convince Nova's Flat image backend to call qemu-img without a format restriction, resulting in an unsafe image resize operation that could destroy data on the host system. Only compute nodes using the Flat image …
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.6.
When url-parse parses a specially crafted URL containing an '@' sign but empty user info and no hostname, it returns an incorrect href. In particular, parse("http://@/127.0.0.1") will return: { slashes: true, protocol: 'http:', hash: '', query: '', pathname: '/127.0.0.1', auth: '', host: '', port: '', hostname: '', password: '', username: '', origin: 'null', href: 'http:///127.0.0.1' } If the 'hostname' or 'origin' attributes of the output from url-parse are …
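The practical danger of that parse result is in code that treats an empty hostname as "relative, so same host" and then lets the href through. The following is an added example, not code from the url-parse project or from the advisory: it embeds the url-parse output quoted above as a constructed literal (url-parse itself is not loaded), shows the vulnerable host check passing it, shows where the resulting href actually lands once a WHATWG-compliant parser normalizes it, and contrasts a hardened check. The allowlist host app.example and the function names are assumptions for illustration.

```javascript
// Added example (not url-parse's or the advisory's code). Contrasts a host
// allowlist check built on url-parse's output with one built on the WHATWG
// URL parser that Node and browsers implement.

// The object url-parse (< 1.5.6) returned for parse("http://@/127.0.0.1"),
// copied from the advisory text. Constructed here as a literal so the
// example runs without the library installed.
const URL_PARSE_OUTPUT = {
  slashes: true, protocol: 'http:', hash: '', query: '', pathname: '/127.0.0.1',
  auth: '', host: '', port: '', hostname: '', password: '', username: '',
  origin: 'null', href: 'http:///127.0.0.1',
};

// Hypothetical allowlist of hosts the application may redirect/fetch to.
const ALLOWED_HOSTS = new Set(['app.example']);

// Vulnerable pattern: an empty hostname is read as "relative URL, stays on
// our own host", so the target is allowed without consulting the allowlist.
// The url-parse result above passes this check, yet its href
// 'http:///127.0.0.1' is normalized by browsers (and by Node's URL) to
// http://127.0.0.1/, a completely different host.
function isAllowedVulnerable(parsed) {
  if (parsed.hostname === '') return true;   // "relative" -> trusted
  return ALLOWED_HOSTS.has(parsed.hostname);
}

// Hardened check: resolve the raw input with the WHATWG parser against a
// known base. "http://@/..." (empty host in an authority) is a parse failure
// there, and a genuinely relative path resolves to the base host, so the
// allowlist is always compared against the host a browser would connect to.
function isAllowedHardened(input, base = 'https://app.example/') {
  let u;
  try {
    u = new URL(input, base);
  } catch {
    return false;                              // unparsable -> reject
  }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return false;
  return ALLOWED_HOSTS.has(u.hostname);
}

// Host a browser would actually contact for a given href, or null if the
// href does not parse at all.
function effectiveHost(href) {
  try {
    return new URL(href).hostname;
  } catch {
    return null;
  }
}

console.log('vulnerable check allows url-parse output:',
  isAllowedVulnerable(URL_PARSE_OUTPUT));                 // true
console.log('browser would connect to:',
  effectiveHost(URL_PARSE_OUTPUT.href));                  // 127.0.0.1
console.log('hardened check on raw input:',
  isAllowedHardened('http://@/127.0.0.1'));               // false
console.log('hardened check on a real relative path:',
  isAllowedHardened('/dashboard'));                       // true
```

The hardened version deliberately never looks at `hostname === ''` as a signal: a WHATWG parser either yields the base host for a truly relative reference or throws for an authority with no host, so there is no ambiguous middle state for the allowlist check to misinterpret.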
Before version 1.7.0, utls did not implement the TLS 1.3 downgrade protection mechanism specified in RFC 8446 Section 4.1.3 when using a utls ClientHello spec. This allowed an active network adversary to downgrade TLS 1.3 connections initiated by a utls client to a lower TLS version (e.g., TLS 1.2) by modifying the ClientHello message to exclude the SupportedVersions extension, causing the server to respond with a TLS 1.2 ServerHello (along …