WhisperX tag archive

#Vulnerability Disclosure

This page collects WhisperX intelligence signals tagged #Vulnerability Disclosure. It is designed for humans, search engines, and AI agents: each item links to a canonical source-backed record with sector, source, timestamp, credibility, and exportable structured data.

Latest Signals (20)

The Lab · 2026-03-25 09:27:10 · GitHub Issues

1. Woodpecker CI Security Email Bouncing, Blocking Critical Vulnerability Disclosures

A critical security contact channel for the Woodpecker CI project is broken. A security researcher attempting to follow the project's official responsible disclosure policy found that emails to `[email protected]` are being rejected by the mail server with a "Refused by local policy. No SPAM please!" error. Th...

The Lab · 2026-03-25 20:27:18 · GitHub Issues

2. Financial Infrastructure Project Lacks Critical Security Policy, Exposing Vulnerability Disclosure Gap

A significant financial infrastructure project is operating without a formal security policy or a defined process for responsible vulnerability disclosure, creating a potential blind spot for critical security risks. The absence of these foundational documents means there is no established, secure channel for external ...

The Lab · 2026-03-28 14:26:58 · GitHub Issues

3. Lernza's SECURITY.md Lacks Critical Contact, Blocking Private Vulnerability Reports

A critical oversight in Lernza's official security documentation is blocking private vulnerability reporting. The project's SECURITY.md file instructs researchers to "email the maintainers directly" but fails to provide any contact email address. This creates a direct path to public exposure of security flaws, as exter...

The Lab · 2026-03-29 01:26:48 · GitHub Issues

4. SoroTask Platform Lacks Formal Vulnerability Disclosure Policy, Exposing Security Reporting Gap

The SoroTask platform currently operates without a formal vulnerability disclosure policy, creating a critical gap in its security posture. An open issue on the project's GitHub repository explicitly calls for the establishment of a structured process for security researchers and users to report security flaws. The abs...

The Lab · 2026-03-30 04:27:03 · GitHub Issues

5. AxonOps go-audit Library Lacks Critical Security Policy, Exposing Regulated Environments to Unreported Vulnerabilities

The AxonOps go-audit library, a security-critical tool designed for regulated environments, currently operates without a formal vulnerability disclosure policy. This significant gap leaves security researchers with no documented, responsible channel to report potential security flaws, creating a blind spot for users wh...

The Lab · 2026-03-31 21:27:16 · GitHub Issues

6. Knowyu App Under Pressure: High-Severity ISO Finding H-5 Exposes Lack of Vulnerability Disclosure Policy

A critical security governance gap has been flagged within Knowyu, with a high-severity ISO finding (H-5) demanding the immediate creation of a formal vulnerability disclosure policy. The absence of this foundational security framework leaves the organization exposed, lacking a clear, legal, and safe channel for extern...

The Lab · 2026-04-01 13:27:18 · GitHub Issues

7. Daytona Launches Bug Bounty Program, Offering Up to $1,000 for Security Vulnerabilities

Daytona has formally integrated a vulnerability disclosure program (VDP) into its core security documentation, establishing a structured channel for external researchers to report security flaws. The program, detailed in a newly updated public `SECURITY.md` file, offers monetary rewards ranging from $100 to $1,000 for ...

The Lab · 2026-04-01 16:27:25 · GitHub Issues

8. BC Gov Forestry API GitHub Repository Exposes CVE-2026-33871 Vulnerability Fix

A GitHub repository for the British Columbia government's forestry client API has publicly documented a fix for a vulnerability identified as CVE-2026-33871. The issue, logged in the official 'bcgov/nr-forest-client-api' repository, shows a direct link between a code change and a specific, future-dated Common Vulnerabi...

The Lab · 2026-04-02 15:27:27 · GitHub Issues

9. GitHub Project Lacks Security Advisory Channel, Hindering Responsible Vulnerability Disclosure

A security researcher has publicly flagged a critical gap in a project's security infrastructure on GitHub, revealing that the absence of a designated Security Advisory page is blocking the responsible disclosure of identified vulnerabilities. This public callout on the project's issue tracker is not a routine bug repo...

The Lab · 2026-04-03 16:27:23 · GitHub Issues

10. NVIDIA NemoClaw Security Docs Redirect Vulnerability Reports Away from GitHub to Internal PSIRT

NVIDIA has quietly updated the security reporting instructions for its NemoClaw project, removing guidance to use GitHub's built-in private vulnerability reporting feature. The official `SECURITY.md` file now explicitly states that the 'Report a vulnerability' button is not available on the repository's Security tab, a...

The Lab · 2026-04-05 15:27:09 · GitHub Issues

11. PHPGurukul Daily Expense Tracker V1.1 Exposed: Critical SQL Injection in /register.php

A critical SQL injection vulnerability has been publicly disclosed in PHPGurukul's Daily Expense Tracking System, version 1.1. The flaw resides in the `/register.php` file, where the 'email' parameter is not sanitized before being used in database queries. This allows attackers to inject malicious SQL code directly, po...

The Lab · 2026-04-05 21:27:05 · GitHub Issues

12. GitHub Open Call: 'Hard Tag' Rewards for Security Vulnerabilities in AI or Manual Scans

GitHub is running an open-source security initiative that directly incentivizes vulnerability hunters. The platform is publicly soliciting security issues—found via AI or manual methods—with a promise to immediately apply a "hard tag" to any pull request (PR) that submits a valid finding. This approach signals a push t...

The Lab · 2026-04-06 17:57:03 · 404 Media

13. Quittr App Ignored Months of Security Warnings from Hackers, Fixed Flaws Only After Media Inquiry

For months, the developers of Quittr, an anti-pornography app designed to help users stop masturbating, ignored repeated warnings from multiple independent security researchers about a critical security vulnerability. The app's creators only moved to fix the flaw weeks after 404 Media initiated multiple inquiries for c...

The Lab · 2026-04-09 12:27:24 · GitHub Issues

14. NVIDIA-NeMo Security Gap: Public Query Exposes Lack of Clear Vulnerability Reporting Channel

A direct public query on GitHub has exposed a potential security oversight in NVIDIA's flagship NeMo AI framework. A user has openly asked for an official channel to submit vulnerability reports for repositories under the `NVIDIA-NeMo` organization, highlighting the absence of a clear, dedicated security contact or bug...

The Lab · 2026-04-09 23:39:50 · GitHub Issues

15. axios 1.7.2 SSRF Vulnerability (CVE-2024-39338) Exposes Projects to Server-Side Request Forgery

A critical Server-Side Request Forgery (SSRF) vulnerability in the widely-used axios HTTP client library has been publicly disclosed, forcing a major security update across countless software projects. The flaw, tracked as CVE-2024-39338, resides in axios version 1.7.2 and allows an attacker to manipulate requests for ...

The Lab · 2026-04-10 20:22:51 · GitHub Issues

16. Assembly Automation Hub Tightens Security Posture with Mandatory Vulnerability Disclosure Policy

The Assembly Automation Hub's YML Helper repository has formally adopted a strict, mandatory vulnerability disclosure policy, codifying its security stance for the first time. This move introduces a clear, structured channel for reporting security flaws, shifting from an implicit, ad-hoc approach to a documented and en...

The Lab · 2026-04-14 02:22:26 · GitHub Issues

17. Apache Tomcat Security Flaw: Pre/Post-Resources Vulnerability Bypasses Authentication (CVE-2025-49125)

A newly disclosed vulnerability in Apache Tomcat allows attackers to bypass critical security constraints, potentially gaining unauthorized access to protected server resources. The flaw, tracked as CVE-2025-49125 (GHSA-wc4r-xq3c-5cf3), is an authentication bypass issue that stems from how the software handles PreResou...

The Lab · 2026-04-15 00:22:49 · GitHub Issues

18. GitHub Issue Reveals Incomplete CVE-2026-27825 Bounty Submission, Raising Validation Concerns

A GitHub issue intended for a security bounty submission for a purported future CVE-2026-27825 has been posted in an incomplete and unvalidated state. The template, which appears to be for a Nuclei vulnerability scanner, contains only boilerplate text and placeholder CVE identifiers (CVE-2020-XXX), with none of the req...

The Lab · 2026-04-15 22:22:57 · GitHub Issues

19. ChurchCRM 4.4.5 Exposes Critical SQL Injection Flaw in 'Why Came' Editor

A critical SQL injection vulnerability has been publicly disclosed in ChurchCRM version 4.4.5, exposing the church management software's database to potential compromise. The flaw resides in the `/churchcrm/WhyCameEditor.php` endpoint, specifically within the `PersonID` parameter. The vulnerability is exploitable by an...

The Lab · 2026-04-17 06:22:33 · GitHub Issues

20. Security Researchers Flag Tool Interface Vulnerabilities in AI Agent Protocols

A team of academic security researchers has issued a responsible disclosure notice, identifying potential vulnerabilities in a repository as part of a systematic security study. The researchers, from a redacted university, are analyzing AI agent tool interface security and have examined 138 tool server implementations ...