Published CVEs

A list of publicly described vulnerabilities found and published by our team, with CVSS score, a short explanation and a direct GitHub link.

CVE-2026-53622

HTTP/3 mTLS bypass in Traefik router TLSOptions selection

Traefik

This vulnerability affects Traefik deployments with HTTP/3 enabled and router-specific TLSOptions used as an mTLS boundary.

An unauthenticated client could complete QUIC/TLS without a client certificate and still reach a backend the operator expected to be mTLS-protected.

Score

7.8/10

High

CVE-2026-49980

rclone rc --rc-serve inline remote backend instantiation

rclone

This issue affects the GET/HEAD path in `rclone rcd --rc-serve` when the RC listener was reachable without global HTTP authentication.

A request could force backend creation from an inline remote, leading, depending on version, to local file read or command execution as the rclone process user.

Score

9.8/10

Critical

CVE-2026-49284

ExpectedIssuer and InResponseTo binding bypass in SimpleSAMLphp

SimpleSAMLphp

This vulnerability concerns SAML SP login-state binding in SimpleSAMLphp deployments with multiple IdPs.

A response from a different trusted IdP could be accepted for state created for the expected IdP when `InResponseTo` binding was not cryptographically carried by the signed assertion.

Score

7.1/10

High

CVE-2026-49283

HTTP-Artifact TLS validator confusion in SimpleSAMLphp SAML2

SimpleSAMLphp SAML2

This issue affects HTTP-Artifact validation in the SimpleSAMLphp SAML2 and SAML2 Legacy libraries.

An ArtifactResponse obtained from one IdP could validate an embedded SAML Response claiming another issuer, creating an authentication-bypass risk in multi-IdP deployments.

Score

8.7/10

High
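
The two SimpleSAMLphp entries above share one failure pattern: the party that answered (the IdP whose key verified the assertion, or the IdP the artifact was resolved from) was not tied to the issuer written inside the message and to the login state the response claims to answer. The following is an added Python model of that binding check, written for this page; it is not SimpleSAMLphp code. Signature verification is assumed to have happened elsewhere and is represented only by the `signer_entity_id` argument; the entity IDs, request ID and the unsigned Response XML are constructed for the example.

```python
"""Bind a SAML Response to SP login state: request id, expected IdP and the
issuers in the message must all agree with the IdP whose key verified it."""

import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


class BindingError(ValueError):
    pass


def build_response(issuer: str, in_response_to: str) -> str:
    """Constructed, unsigned Response used only to exercise the check below."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" InResponseTo="{in_response_to}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="{in_response_to}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def validate_binding(response_xml: str, state: dict, signer_entity_id: str) -> dict:
    """`state` is the SP-side record created at AuthnRequest time
    ({"request_id", "expected_idp"}); `signer_entity_id` is the IdP whose key
    verified the assertion signature (assumed done by the SAML library).
    Returns the bound fields on success, raises BindingError otherwise."""
    root = ET.fromstring(response_xml)
    resp_issuer = root.findtext("saml:Issuer", namespaces=NS)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise BindingError("no assertion in response")
    assertion_issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS
    )
    in_response_to = scd.get("InResponseTo") if scd is not None else None

    # 1. InResponseTo is read from inside the signed assertion, not from the
    #    outer Response element, which may be unsigned.
    if in_response_to != state["request_id"]:
        raise BindingError("InResponseTo does not match stored request id")
    # 2. The IdP that signed must be the IdP this login state was created for.
    if signer_entity_id != state["expected_idp"]:
        raise BindingError("signed by a different IdP than the state expects")
    # 3. The issuers claimed in the message must name the same IdP as the signer.
    if assertion_issuer != signer_entity_id or resp_issuer != signer_entity_id:
        raise BindingError("issuer in message does not match verified signer")
    return {"request_id": in_response_to, "idp": signer_entity_id}
```

For the HTTP-Artifact case the same three comparisons apply, with `signer_entity_id` being the IdP whose ArtifactResolutionService returned the ArtifactResponse; a Response inside it that names a different issuer fails check 3.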

CVE-2026-48774

MCP run_sql_readonly multi-statement bypass in ProxySQL

ProxySQL

This vulnerability affects ProxySQL's MCP `run_sql_readonly` tool, which was intended to enforce read-only SQL queries.

Validation checked the full string against a weak blacklist but then executed the original SQL on a MySQL connection with multi-statements enabled, so a second, state-changing statement appended after the first was executed as well.

Score

7.5/10

High
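
As an added illustration of that failure mode (example code written for this page, not ProxySQL's implementation), the block below puts a deliberately weak substring blacklist next to a check that splits the input into statements while honouring quotes and comments, and accepts only a single statement whose leading verb is on an allowlist. The blacklist contents and the allowlist are assumptions chosen for the demonstration.

```python
"""Weak full-string blacklist vs. a statement-aware read-only check."""

from typing import List

# Constructed, deliberately weak blacklist: case-sensitive substring match,
# incomplete verb list. Not ProxySQL's actual filter.
WEAK_BLACKLIST = ("INSERT", "UPDATE", "DELETE", "DROP", "ALTER")

# Verbs the hardened check treats as read-only (assumption for the example).
READ_ONLY_VERBS = {"SELECT", "SHOW", "DESCRIBE", "DESC", "EXPLAIN"}


def naive_readonly_check(sql: str) -> bool:
    """Passes anything not containing a blacklisted word verbatim."""
    return not any(word in sql for word in WEAK_BLACKLIST)


def split_statements(sql: str) -> List[str]:
    """Split on ';' outside quotes/identifiers/comments; comments are dropped."""
    statements: List[str] = []
    buf: List[str] = []
    i, n = 0, len(sql)
    while i < n:
        c = sql[i]
        nxt = sql[i + 1] if i + 1 < n else ""
        if c in ("'", '"', "`"):
            # copy the quoted run verbatim, honouring backslash escapes
            quote = c
            buf.append(c)
            i += 1
            while i < n:
                ch = sql[i]
                buf.append(ch)
                if ch == "\\" and i + 1 < n:
                    buf.append(sql[i + 1])
                    i += 2
                    continue
                i += 1
                if ch == quote:
                    break
            continue
        if c == "#" or (c == "-" and nxt == "-" and (i + 2 >= n or sql[i + 2].isspace())):
            while i < n and sql[i] != "\n":   # line comment
                i += 1
            buf.append(" ")
            continue
        if c == "/" and nxt == "*":            # block comment
            end = sql.find("*/", i + 2)
            i = n if end == -1 else end + 2
            buf.append(" ")
            continue
        if c == ";":
            statements.append("".join(buf).strip())
            buf = []
            i += 1
            continue
        buf.append(c)
        i += 1
    statements.append("".join(buf).strip())
    return [s for s in statements if s]


def hardened_readonly_check(sql: str) -> bool:
    """Exactly one statement, and its first keyword must be read-only.
    Pair this with disabling multi-statements on the connection itself, so a
    splitter bug cannot smuggle a second statement through."""
    stmts = split_statements(sql)
    if len(stmts) != 1:
        return False
    first = stmts[0].split(None, 1)[0].upper()
    return first in READ_ONLY_VERBS
```

The second defence named in the docstring matters more than the splitter: if the MySQL connection used to execute the query does not have the multi-statements capability, a trailing `; TRUNCATE ...` is a syntax error rather than a second statement.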

CVE-2026-48773

Pre-auth first-packet heap overflow in ProxySQL

ProxySQL

This issue affects ProxySQL MySQL and PostgreSQL frontend first-packet handling before authentication.

A remote client could declare an oversized packet length, causing a heap out-of-bounds write before the later protocol validation that would otherwise have rejected the connection.

Score

9.8/10

Critical
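
The point of the entry above is where the length check has to sit: between parsing the header and the first write into a fixed-size buffer. The block below is an added Python model of that ordering, written for this page and not ProxySQL code; Python cannot reproduce the out-of-bounds write, so the model raises at the spot where the bounds check must fire. The header layout (3-byte little-endian payload length followed by a 1-byte sequence id) is the MySQL wire format; the 16 KiB capacity is an assumption for the example.

```python
"""Assemble a MySQL wire packet into a fixed-capacity buffer, rejecting the
declared length before any payload byte is stored."""

from typing import Optional

MAX_FIRST_PACKET = 0x4000  # assumed cap for the pre-auth handshake packet


class PacketTooLarge(ValueError):
    pass


def mysql_packet(payload: bytes, seq: int = 1) -> bytes:
    """Build a packet: 3-byte LE length, 1-byte sequence id, payload."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


class BoundedPacketReader:
    def __init__(self, capacity: int = MAX_FIRST_PACKET):
        self.capacity = capacity
        self.buf = bytearray(capacity)   # preallocated, like a fixed heap buffer
        self.header = bytearray()
        self.length: Optional[int] = None
        self.seq: Optional[int] = None
        self.filled = 0

    def feed(self, data: bytes) -> Optional[bytes]:
        """Consume bytes from the socket; return the payload once complete."""
        view = memoryview(data)
        if self.length is None:
            need = 4 - len(self.header)
            self.header += view[:need]
            view = view[need:]
            if len(self.header) < 4:
                return None
            self.length = int.from_bytes(self.header[:3], "little")
            self.seq = self.header[3]
            # The check that must precede any write into the fixed buffer:
            # a declared length larger than the buffer is fatal right here,
            # not after the payload has been copied.
            if self.length > self.capacity:
                raise PacketTooLarge(
                    f"declared {self.length} bytes > capacity {self.capacity}"
                )
        take = min(len(view), self.length - self.filled)
        self.buf[self.filled:self.filled + take] = view[:take]
        self.filled += take
        if self.filled == self.length:
            return bytes(self.buf[:self.length])
        return None
```

Bytes arriving after the declared length belong to the next packet and are ignored by this reader; a real frontend would hand them to the next parsing stage.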

CVE-2026-48491

Domain-fronted mTLS bypass in Traefik SNICheck wildcard TLSOptions

Traefik

This vulnerability affects Traefik wildcard router TLSOptions on the regular HTTPS/HTTP/2 path.

A client could use a permissive SNI during the TLS handshake and then send a Host value targeting the wildcard mTLS-protected backend, reaching it without the required client certificate.

Score

7.8/10

High
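
Both Traefik entries on this page (HTTP/3 above, HTTPS/HTTP/2 here) come down to the same gap: the TLS layer can only pick TLSOptions from the SNI it sees during the handshake, while routing later trusts the Host (or `:authority` for HTTP/3) that the client sends. The block below is an added Python model of that mismatch and of the consistency check that closes it; it is not Traefik code and the router table, option names and return values are assumptions for illustration.

```python
"""SNI selects TLSOptions at handshake time; Host selects the router later.
The hardened dispatcher refuses to serve a router under TLSOptions other
than the ones it was configured with."""

from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class TLSOptions:
    name: str
    require_client_cert: bool


DEFAULT_OPTIONS = TLSOptions("default", require_client_cert=False)

# Constructed router table: host rule -> TLSOptions attached to that router.
ROUTERS = {
    "public.example.com": DEFAULT_OPTIONS,
    "*.internal.example.com": TLSOptions("mtls", require_client_cert=True),
}


def match_router(host: str) -> Optional[Tuple[str, TLSOptions]]:
    """Exact rule first, then a single-label wildcard (TLS wildcard semantics)."""
    if host in ROUTERS:
        return host, ROUTERS[host]
    labels = host.split(".")
    if len(labels) > 1:
        wildcard = "*." + ".".join(labels[1:])
        if wildcard in ROUTERS:
            return wildcard, ROUTERS[wildcard]
    return None


def negotiated_options(sni: str) -> TLSOptions:
    """All the handshake can know is the SNI the client chose to present."""
    matched = match_router(sni)
    return matched[1] if matched else DEFAULT_OPTIONS


def vulnerable_dispatch(sni: str, host: str, client_cert: bool) -> Tuple[str, str]:
    """Client-cert policy is enforced from SNI; routing then trusts Host alone."""
    opts = negotiated_options(sni)
    if opts.require_client_cert and not client_cert:
        return "reject", "handshake: client certificate required"
    matched = match_router(host)
    if matched is None:
        return "reject", "no router"
    return "allow", matched[0]


def hardened_dispatch(sni: str, host: str, client_cert: bool) -> Tuple[str, str]:
    """Same handshake, plus: the router chosen by Host must be served under the
    TLSOptions that were actually negotiated for this connection."""
    opts = negotiated_options(sni)
    if opts.require_client_cert and not client_cert:
        return "reject", "handshake: client certificate required"
    matched = match_router(host)
    if matched is None:
        return "reject", "no router"
    rule, required = matched
    if required != opts:
        return "reject", f"TLSOptions mismatch: negotiated {opts.name}, router needs {required.name}"
    return "allow", rule
```

With SNI `public.example.com` (no client certificate needed) and Host `api.internal.example.com`, the vulnerable dispatcher forwards to the wildcard mTLS router; the hardened one rejects because the router's TLSOptions differ from those negotiated on the connection.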

CVE-2026-46491

Path traversal in SimpleSAMLphp casserver FileSystemTicketStore

SimpleSAMLphp casserver

This vulnerability affects the file-based CAS ticket store in `simplesamlphp-module-casserver`.

Attacker-controlled ticket identifiers were used as filesystem path components, allowing traversal outside the ticket directory and, under specific conditions, file read, unserialization or deletion.

Score

8.6/10

High
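
The fix a practitioner wants for a file-backed ticket store is an allowlist on the identifier plus a containment check on the resolved path. The block below is an added Python example written for this page; it is not the casserver module's code. The ticket prefixes and token alphabet in the pattern are assumptions modelled on CAS ticket shapes, and the store directory is constructed.

```python
"""Ticket id -> filesystem path, the unsafe way and the checked way."""

import os
import re
from pathlib import Path

# Assumed allowlist: CAS-style prefix, a dash, then a conservative token alphabet.
TICKET_RE = re.compile(r"(ST|PT|PGT|PGTIOU|TGT|LT)-[A-Za-z0-9._-]{1,256}")


class InvalidTicket(ValueError):
    pass


def unsafe_ticket_path(store_dir: str, ticket_id: str) -> str:
    """The vulnerable shape: the identifier becomes a path component unchecked,
    so '..' segments walk out of the store directory."""
    return os.path.normpath(os.path.join(store_dir, ticket_id))


def safe_ticket_path(store_dir: str, ticket_id: str) -> Path:
    """Allowlist the identifier, then confirm the resolved file is a direct
    child of the store directory. The second check is defence in depth: it
    still holds if the regex is later loosened or the store is a symlink."""
    if not TICKET_RE.fullmatch(ticket_id):
        raise InvalidTicket(f"malformed ticket id: {ticket_id!r}")
    base = Path(store_dir).resolve()
    candidate = (base / ticket_id).resolve()
    if candidate.parent != base:
        raise InvalidTicket("ticket path escapes the store directory")
    return candidate
```

Rejecting the identifier before it touches the filesystem also blocks the read, unserialize and delete variants at once, since every one of them starts from the same attacker-chosen path.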