GHSA-3m86-c9x3-vwm9: Graylog vulnerable to privilege escalation through API tokens

GHSA-3q26-f695-pp76: @cyanheads/git-mcp-server vulnerable to command injection in several tools

GHSA-6r2x-8pq8-9489: Electron vulnerable to Heap Buffer Overflow in NativeImage

GHSA-v8fr-vxmw-6mf6: Mattermost Incorrect Authorization vulnerability

GHSA-wgvp-jj4w-88hf: Mattermost Incorrect Authorization vulnerability

CakePHP 3.4 prior to 3.4.14, 3.5 prior to 3.5.17, and 3.6 prior to 3.6.4 contains a cross-site-scripting (XSS) vulnerability in the development only `missing route` and `duplicate named route` error pages.

**Package**

composer cakephp/cakephp (Composer)

**Affected versions**

\>= 3.4.0, < 3.4.14

\>= 3.5.0, < 3.5.17

\>= 3.6.0, < 3.6.4

**Patched versions**

3.4.14

3.5.17

3.6.4

Headline

GHSA-xwhj-pqcg-8rcr: CakePHP vulnerable to Cross-site Scripting in some development error pages

ghsa: Latest News