#vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Obfuscate allows Stored XSS. This issue affects Obfuscate: from 0.0.0 before 2.0.1.

### Impact Users using the [`github-token` input](https://github.com/canonical/get-workflow-version-action/blob/a5d53b08d254a157ea441c9819ea5002ffc12edc/action.yaml#L10) are impacted. If the `get-workflow-version-action` step fails, the exception output may include the GITHUB_TOKEN. If the full token is included in the exception output, GitHub will automatically redact the secret from the GitHub Actions logs. However, the token may be truncated—causing part of the GITHUB_TOKEN to be displayed in plaintext in the GitHub Actions logs. Anyone with read access to the GitHub repository can view GitHub Actions logs. For public repositories, anyone can view the GitHub Actions logs. The opportunity to exploit this vulnerability is limited—the GITHUB_TOKEN is automatically revoked when the job completes. However, there is an opportunity for an attack in the time between the GITHUB_TOKEN being displayed in the logs and the completion of the job. Normally this is less than a second, but it may...

## Summary In the process of remediating [CVE-2025-29927](https://github.com/advisories/GHSA-f82v-jwr5-mffw), we looked at other possible exploits of Middleware. We independently verified this low severity vulnerability in parallel with two reports from independent researchers. Learn more [here](https://vercel.com/changelog/cve-2025-30218-5DREmEH765PoeAsrNNQj3O). ## Credit Thank you to Jinseo Kim [kjsman](https://hackerone.com/kjsman?type=user) and [ryotak](https://hackerone.com/ryotak?type=user) for the responsible disclosure. These researchers were awarded as part of our bug bounty program.

SQL injection vulnerability in vipshop Saturn v.3.5.1 and before allows a remote attacker to execute arbitrary code via /console/dashboard/executorCount?zkClusterKey component.

### Impact Since [v2.0.25](https://github.com/miniflux/v2/releases/tag/2.0.25), Miniflux will automatically [proxy](https://miniflux.app/docs/configuration.html#proxy-images) images served over HTTP to prevent mixed content errors. When an outbound request made by the Go HTTP client fails, the `html.ServerError` is [returned](https://github.com/miniflux/v2/blob/b2fd84e0d376a3af6329b9bb2e772ce38a25c31c/ui/proxy.go#L76) unescaped without the expected Content Security Policy [header](https://github.com/miniflux/v2/blob/b2fd84e0d376a3af6329b9bb2e772ce38a25c31c/ui/proxy.go#L90) added to valid responses. By creating an RSS feed item with the inline description containing an `<img>` tag with a `srcset` attribute pointing to an invalid URL like `http:a<script>alert(1)</script>`, we can coerce the proxy handler into an error condition where the invalid URL is returned unescaped and in full. This results in JavaScript execution on the Miniflux instance as soon as the user is convinced (e.g. ...

### Impact An unauthenticated user can retrieve Prometheus metrics from a publicly reachable Miniflux instance where the `METRICS_COLLECTOR` [configuration option](https://miniflux.app/docs/configuration.html#metrics-collector) is enabled and `METRICS_ALLOWED_NETWORKS` is set to `127.0.0.1/8` (the default). ### Patches PR #1745 fixes the problem. Available in Miniflux >= 2.0.43. ### Workarounds Set `METRICS_COLLECTOR` to `false` (default) or run Miniflux behind a trusted reverse-proxy. ### References - https://miniflux.app/docs/configuration.html#metrics-collector - https://miniflux.app/docs/configuration.html#metrics-allowed-networks

Jenkins Cadence vManager Plugin 4.0.0-282.v5096a_c2db_275 and earlier stores Verisium Manager vAPI keys unencrypted in job `config.xml` files on the Jenkins controller as part of its configuration. These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Cadence vManager Plugin 4.0.1-286.v9e25a_740b_a_48 stores Verisium Manager vAPI keys encrypted once affected job configurations are saved again.

Jenkins Simple Queue Plugin 1.4.6 and earlier does not require POST requests for multiple HTTP endpoints, resulting in cross-site request forgery (CSRF) vulnerabilities. These vulnerabilities allow attackers to change and reset the build queue order. Simple Queue Plugin 1.4.7 requires POST requests for the affected HTTP endpoints. Administrators can enable equivalent HTTP endpoints without CSRF protection via the global configuration.

Jenkins monitor-remote-job Plugin 1.0 stores passwords unencrypted in job `config.xml` files on the Jenkins controller as part of its configuration. These passwords can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. As of publication of this advisory, there is no fix.

Jenkins 2.503 and earlier, LTS 2.492.2 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Computer/Create permission but without Computer/Extended Read permission to copy an agent, gaining access to its configuration. Jenkins 2.504, LTS 2.492.3 requires Computer/Extended Read permission to copy an agent.