The Lab · 2026-03-27 16:27:31 · GitHub Issues
A critical vulnerability has been identified in a smart contract's payout function, where the idempotency guard is written *after* token transfers are executed. This flaw violates the fundamental Checks-Effects-Interactions (CEI) pattern, creating a direct path for double payments and fund loss. Specifically, in the `d...
The Lab · 2026-03-30 19:27:18 · GitHub Issues
A critical security vulnerability in OpenAI's command-line interface (CLI) tool, specifically within its onboarding module, exposed systems to local attacks. The flaw resided in six functions that created temporary files using predictable names based on `Date.now()` and `Math.random().toString(36)`. This predictability...
The Lab · 2026-03-30 23:27:08 · GitHub Issues
A significant security vulnerability has been identified in the `verifyMcpEndpointStdio` function within the codebase. This function, responsible for probing stdio-based Model Context Protocol (MCP) endpoints, lacks three critical security analysis passes that are standard in other probe paths, creating a dangerous inc...
The Lab · 2026-04-02 08:27:08 · GitHub Issues
A critical SQL injection pattern has been identified in the public `update_status` function within a Rust database module. The vulnerability stems from the direct interpolation of a `field: &str` parameter into an SQL string, creating a textbook injection pathway. While current callers use hardcoded literals, the funct...
The Lab · 2026-04-03 14:27:07 · GitHub Issues
A critical architectural vulnerability has been identified within the application's security posture: the complete absence of a global or blueprint-level middleware to enforce anti-caching headers. This systemic gap means that every new endpoint is automatically born vulnerable, placing the onus on individual developer...
The Lab · 2026-04-03 15:27:05 · GitHub Issues
A critical security vulnerability has been identified in a kernel's cryptographic random number generator (RNG). The system's fallback mechanism, designed to operate when the primary hardware RDRAND instruction is unavailable, is deterministic and predictable, rendering all cryptographic operations insecure. This flaw,...
The Lab · 2026-04-04 23:26:52 · GitHub Issues
A critical security vulnerability has been identified in the `role-gate.ps1` script, where the mechanism fails to protect against attacker-controlled mutation of pane labels or titles. This flaw creates a direct path for privilege escalation. If an agent with initial access can modify the title of its own pane, it coul...
The Lab · 2026-04-06 14:27:19 · GitHub Issues
A critical security fix for a nonce-reuse vulnerability in a WebSocket encryption system has been left incomplete, leaving production code paths exposed. The vulnerability, which could compromise the security of real-time communications, was identified during a review of a previous pull request. While the cryptographic...
The Lab · 2026-04-07 22:27:18 · GitHub Issues
A critical security vulnerability in the widely used pac4j-jwt library allows attackers to forge authentication tokens and bypass signature verification entirely. Designated CVE-2026-29000, the flaw resides in the JwtAuthenticator component when processing encrypted JWTs. An attacker in possession of the server's RSA p...
The Lab · 2026-04-08 00:27:00 · GitHub Issues
A critical bypass in the DOMPurify sanitization library allows malicious JavaScript to slip through security checks, posing a direct threat to web applications relying on it for user input sanitization. The vulnerability, tracked as GHSA-cjmm-f4jc-qw8r, stems from a flaw in how the library handles custom attribute vali...
The Lab · 2026-04-08 09:27:02 · GitHub Issues
A critical security vulnerability in the AWS SDK for Go's S3 client library has triggered an urgent, mandatory update for all dependent projects. The GitHub security advisory GHSA-xmrv-pmrh-hhx2, linked to the AWS/aws-sdk-go-v2 repository, necessitates an immediate upgrade from version 1.69.0 to the patched version 1.9...
The Lab · 2026-04-08 18:27:28 · GitHub Issues
A critical security vulnerability in the widely used `elliptic` cryptography library allows an attacker to extract a private key simply by observing a signature generated from malformed input. The flaw, tracked as GHSA-vjh7-7g9h-fjfh, is present in versions before 6.6.1 and stems from the library's design to accept hex...
The Lab · 2026-04-13 14:23:06 · GitHub Issues
A high-severity security vulnerability has been identified within the popular testing framework Cypress. The issue stems from a transitive dependency: version 3.3.1 of Cypress includes version 1.2.0 of the `minimist` package, which carries two high-severity vulnerabilities with a security score ranging from 7.0 to 8.9....
The Lab · 2026-04-15 02:22:46 · GitHub Issues
A critical vulnerability in the ubiquitous `jq` command-line JSON processor allows attackers to crash the tool and potentially probe memory, exposing any system that evaluates untrusted jq filters. The flaw, designated CVE-2026-39956, stems from a missing type check in the `_strindices` builtin function. In release bui...
The Lab · 2026-04-16 10:22:49 · GitHub Issues
A critical security flaw has been flagged in the widely used `follow-redirects` npm package, posing a medium-severity risk of leaking sensitive authorization headers. The vulnerability triggers when the package automatically follows HTTP redirects to a different host, inadvertently exposing authentication tokens and cr...
The Lab · 2026-04-16 12:23:01 · GitHub Issues
A critical security vulnerability in the popular Hono.js web framework allows attackers to corrupt HTML output and potentially inject unintended code. The flaw, tracked as GHSA-458j-xx4x-4375, resides in the framework's JSX/dom component. It stems from improper handling of JSX attribute names during server-side renderi...
The Lab · 2026-04-18 03:22:38 · GitHub Issues
A critical security vulnerability in the popular Go-Git library exposes HTTP authentication credentials to potential theft. The flaw, tracked as GHSA-3xc5-wrhm-f963, allows credentials to leak to unintended hosts during standard repository operations. This creates a direct pathway for attackers to capture sensitive acc...
The Lab · 2026-04-20 17:23:12 · GitHub Issues
A critical security regression has been identified in a project's dependency management, leaving systems using `npm install` exposed to a known HTML injection vulnerability. Despite a previous fix that correctly updated the pnpm override to require `hono@>=4.12.14`, the `package-lock.json` file was never regenerated. T...
The Vault · 2026-04-22 10:27:33 · GitHub Issues
A critical security vulnerability has been identified in transfer operations across multiple modules of a smart contract system. The flaw stems from state updates occurring after external calls, a pattern that creates exploitable conditions for reentrancy attacks. Security researchers flagged the issue with critical pr...
The Lab · 2026-04-22 10:27:34 · GitHub Issues
A critical reentrancy vulnerability has been identified in transfer operations, with state updates occurring after external calls across multiple modules. The flaw follows a classic pattern where contracts execute external calls before updating internal state, creating an exploitation window that allows malicious actor...