Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.

Threats Tagged 'packagist'

View all threats tagged with 'packagist'. Filter and sort to focus on specific types of threats.

Pro Console Lifetime

Stop chasing alerts. Route them.

Start free, then upgrade once to turn Radar into an automated delivery engine for your security stack.

Custom feeds / Automations: email, Slack, webhooks, SIEM/MISP / API access (baseline limits)

View Plans & Pricing

API access activates after upgrading in Console -> Billing.

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now

Filter Threats

Narrow down the results by type, severity, or affected countries

Search threats by title, CVE ID, or description. Maximum 100 characters.
Active filters (1):Tag: packagist

Threats Tagged 'packagist'

Click on any threat for detailed analysis and mitigation recommendations

MantisBT: SQL Injection via history_order Configuration Value (CVE-2026-47142)CVE-2026-47142
0

MantisBT versions 2.28.3 and earlier contain a SQL injection vulnerability in core/history_api.php. The vulnerability arises because the history_order configuration value is used directly in a SQL ORDER BY clause without sanitization or validation. An administrator can set this value via the web UI or REST API, enabling injection that triggers when any user views a bug with history entries. This can lead to sensitive data exposure and, with certain MySQL privileges, remote code execution.

Join the discussion
MantisBT: SOAP API Authentication Bypass with Privilege Escalation to Administrator (CVE-2026-47156)CVE-2026-47156
0

MantisBT versions 2.28.3 and earlier contain a critical authentication bypass vulnerability in the SOAP API's mci_check_login() function. This flaw allows any user who knows any valid cookie_string and a target username to authenticate as that user, including administrators, without knowing their password. The vulnerability is exploitable with zero prior access on default installations because self-registration is enabled by default. The REST API and Web UI are not affected. Exploitation grants full administrator access to the SOAP API, enabling read/write access to all issues, data exfiltration, and destructive operations across projects.

Join the discussion
MantisBT: Remote Code Execution via eval() Class Hoisting in adm_config_set.php (CVE-2026-49273)CVE-2026-49273
0

MantisBT versions 1.3.0 up to 2.28.3 contain a remote code execution vulnerability in the admin Manage Configuration feature (adm_config_set.php). The vulnerability arises because the configuration value is evaluated via PHP's eval() with a return prefix, but PHP hoists class declarations even past return statements. An attacker with administrator access to the web UI can define a class that hijacks autoloaded classes, leading to arbitrary code execution as the web server user. The REST API is not affected. A patch fixing this issue is available in version 2.28.4.

Join the discussion
MantisBT: REST API unauthorized Issue status change (CVE-2026-49280)CVE-2026-49280
0

MantisBT versions from 2.8.0 up to but not including 2.28.4 contain a vulnerability where a user with the update bug threshold permission (UPDATER by default) can change an issue's status via the REST and SOAP APIs, even if the configuration requires a higher permission level (DEVELOPER by default) to set status. This leads to unauthorized changes in the issue workflow.

Join the discussion
Koel: Authenticated Blind SSRF via Subsonic Podcast Channel Creation (CVE-2026-54492)CVE-2026-54492
0

Koel version prior to 9.7.0 contains an authenticated blind Server-Side Request Forgery (SSRF) vulnerability in its Subsonic-compatible podcast channel creation route. Unlike the main podcast subscription API, which uses SafeUrl validation to block private/internal URLs, the Subsonic route lacks this protection, allowing authenticated users to supply private URLs that Koel fetches server-side during podcast parsing. This enables SSRF to internal network destinations accessible from the Koel server. The vulnerability was confirmed in version 9.6.0 and allows internal HTTP requests to loopback, Docker bridge, and RFC1918 addresses. No public exploit is known, and the impact is limited to SSRF-based internal request execution without confirmed data exfiltration.

Join the discussion
Koel: Authenticated Full-Read SSRF via Subsonic Internet Radio Stations (CVE-2026-54493)CVE-2026-54493
0

Koel version 9.6.0 contains an authenticated Server-Side Request Forgery (SSRF) vulnerability via its Subsonic-compatible internet radio station endpoints. Unlike the regular web API, these endpoints do not validate radio station URLs, allowing an authenticated user to create or update a radio station with a private/internal URL. When the station is streamed, Koel fetches the URL server-side and returns the full HTTP response body to the user, enabling full-read SSRF. This vulnerability affects versions prior to 9.7.0.

Join the discussion
Koel has SSRF through Authenticated Subsonic podcast feed URLs
0

Koel before version 9.7.0 contains a Server-Side Request Forgery (SSRF) vulnerability in its Subsonic API podcast feed URL handling. Authenticated users can supply internal or loopback URLs as podcast feed sources, causing the Koel backend to make unauthorized requests to internal network services. Additionally, redirect handling in podcast streaming does not re-validate final URLs after redirects, allowing SSRF via redirect chains. This can expose internal HTTP endpoints to blind SSRF attacks. The vulnerability arises from insufficient validation of feed URLs before server-side fetching and incomplete redirect validation.

Join the discussion
Koel: Incomplete fix for CVE-2026-47260 — systemic SSRF in podcast & radio fetch paths (CVE-2026-54491)CVE-2026-54491
0

Koel versions prior to 9.7.1 contain an incomplete fix for CVE-2026-47260, resulting in systemic server-side request forgery (SSRF) vulnerabilities in podcast and radio fetch paths. The initial URL safety check is bypassed by HTTP 302 redirects to internal addresses on most fetch paths, except one. Additionally, DNS rebinding attacks can bypass host validation due to separate DNS resolution at validation and connection time. Authenticated non-admin users can exploit this to make the Koel server issue requests to internal or cloud metadata endpoints, potentially exposing sensitive internal resources such as cloud instance metadata and IAM credentials.

Join the discussion
Koel: Server-Side Request Forgery (SSRF) in radio station creation due to missing validation bail (CVE-2026-50552)CVE-2026-50552
0

Koel version 9.5.0 contains a Server-Side Request Forgery (SSRF) vulnerability in the radio station creation API endpoint due to missing validation bail in URL validation rules. This allows any authenticated user to coerce the server into making HTTP HEAD/GET requests to arbitrary internal hosts. The vulnerability is blind SSRF, meaning the response body is not returned, but distinct validation error messages enable internal network reachability detection. The flaw arises because the SafeUrl validation rule rejects private/reserved addresses but does not stop further validation, allowing the HasAudioContentType rule to issue requests to these URLs without additional checks. This can lead to internal host discovery and potential side effects from internal endpoints.

Join the discussion
Koel: Full-read SSRF via podcast enclosure URL: isPublicHost() filter_var guard does not reject NAT64 (64:ff9b::/96) or 6to4 (2002::/16) IPv6-transition wrappers of internal IPv4 (CVE-2026-54494)CVE-2026-54494
0

Koel versions prior to 9.7.1 contain a server-side request forgery (SSRF) vulnerability due to improper IP address validation in the isPublicHost() function. The function fails to recognize IPv6 transition addresses (NAT64 and 6to4) that embed private IPv4 addresses, allowing attackers to bypass the public IP check. An attacker can craft a podcast RSS feed with an enclosure URL resolving to such an IPv6 address, causing Koel to fetch internal network resources or cloud metadata endpoints and return the response to the attacker. This leads to full-read SSRF with disclosure of internal service data.

Join the discussion

Showing 1 to 10 of 89 results

Filters:Tag: packagist
Page 1 of 9
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses