Published advisories
Advisories published by GAdvisory.
| Advisory | CVE | Published | Project | Severity | Title | Summary |
|---|---|---|---|---|---|---|
| PSA-2026-04-M1S0 | CVE-2026-42346 | 2026-04-28 | Postiz App | Medium | TOCTOU DNS rebinding bypasses all SSRF URL validation paths | |
| PSA-2026-T0E4W0 | CVE-2026-42556 | 2026-04-27 | Postiz App | High | Postiz stored XSS in public preview page | |
| GSSA-2026-04-ZMYF7A | | 2026-04-25 | DiscordTickets Enhanced | High | HTML/JS injection and open redirect via OAuth callback meta-refresh | The OAuth callback embedded an attacker-controlled `?r=` redirect parameter into a `<meta http-equiv="refresh">` tag without validation, allowing JavaScript execution and arbitrary redirects in the application origin after authentication. |
| GSSA-2026-04-ZFS2R4 | | 2026-04-25 | DiscordTickets Enhanced | High | Cross-guild privilege escalation via mass assignment on resource create | The tag and category create endpoints spread `req.body` after the guild relation in Prisma input. A body containing `guild.connect.id` overrides the trusted scope, letting an admin of guild A create resources owned by guild B. |
| GSSA-2026-04-EHB7HE | | 2026-04-25 | DiscordTickets Enhanced | Medium | Missing input validation function on guild customization endpoint | The guild customization PATCH endpoint called a `validateCustomization()` function that was never defined, causing the route to throw `ReferenceError`. The intended input validation (avatar/banner data URI checks, length limits) was therefore absent. |
| GSSA-2026-04-0503DX | | 2026-04-25 | DiscordTickets Enhanced | Medium | Authentication cookie missing `Secure` flag | The JWT authentication cookie was set with `secure: false`, allowing it to be transmitted over plaintext HTTP and intercepted by a network-positioned attacker. |
| GSSA-2026-04-7H74R2 | | 2026-04-25 | DiscordTickets Enhanced | Low | OAuth state cookie missing `Secure` and `Path` attributes | The OAuth `state` cookie used for CSRF protection on the login flow lacked `Secure`, `Path`, and `Max-Age`, weakening the CSRF guarantee on plaintext-HTTP hops. |
| GSSA-2026-04-N08T9C | | 2026-04-25 | DiscordTickets Enhanced | High | Service API tokens never expire | JWTs minted by `/api/users/@me/key` (service tokens granting admin-equivalent access via `service: true`) had no `expiresAt`, and the auth middleware silently passed `undefined < Date.now()`. Service tokens were valid forever. |
| GSSA-2026-04-30BV09 | | 2026-04-25 | DiscordTickets Enhanced | Medium | `INVALIDATE_TOKENS` global revocation broken for OAuth user tokens | OAuth-issued JWTs were signed without a `createdAt` field, so the operator-facing `INVALIDATE_TOKENS` revocation switch silently no-op'd for all user tokens; only service tokens were affected. |
| GSSA-2026-04-NJB9RF | | 2026-04-25 | DiscordTickets Enhanced | Low | Mustache HTML escaping disabled globally for the entire process | The transcript command set `Mustache.escape = text => text` at module level, disabling HTML escaping for every Mustache template in the process. This is a latent XSS risk if any other template is added or if the transcript is ever rendered as HTML. |
| GSSA-2026-04-3GT28F | | 2026-04-25 | DiscordTickets Enhanced | Medium | No security headers, rate limiting, or CORS policy on the HTTP layer | The Fastify HTTP server registered no `helmet`, no rate limiter, and no CORS policy, leaving the dashboard and admin API exposed to clickjacking, MIME-sniffing, brute-force, and missing-CSP risks. |
| GSSA-2026-04-Y27PS4 | | 2026-04-25 | DiscordTickets Enhanced | Low | HTML injection in import progress stream (admin self-XSS via crafted ZIP) | The data-import endpoint streamed HTML progress lines and embedded raw error messages from the unzipper / JSON parser. A malicious ZIP could surface attacker-controlled HTML/JS into the importing admin's browser. |
| GSSA-2026-04-0RTEGR | | 2026-04-25 | DiscordTickets Enhanced | Low | Embed image and thumbnail URLs not validated on panel creation | The panel creation endpoint passed `data.image` and `data.thumbnail` straight into Discord embed builders without validating the URL scheme, accepting `data:`, `attachment:`, or arbitrary protocols. |
| GSSA-2026-04-H5BNHW | | 2026-04-25 | DiscordTickets Enhanced | Medium | DISABLE_ENCRYPTION env var silently disables data encryption | Setting `DISABLE_ENCRYPTION=true` caused all ticket messages and feedback comments to be stored in plaintext, with no log warning and no production guardrail. An operator who flipped this for a one-off task and forgot would silently leak all sensitive data going forward. |
| GSSA-2026-04-VAWHY2 | | 2026-04-25 | DiscordTickets Enhanced | Low | `ENCRYPTION_KEY` reused for JWT signing (cross-purpose key reuse) | The same secret signed JWTs and encrypted at-rest data via Cryptr. Compromise of either purpose exposed the other; rotation required dual-impact downtime. |
| GSSA-2026-04-R8G597 | | 2026-04-25 | DiscordTickets Enhanced | Low | Export rate-limit time check uses `getDate()` (day-of-month) instead of `Date.now()` | The per-guild export lock's stale-detection compared an epoch-millisecond timestamp against `new Date().getDate()` (1–31). The branch was always false; if the cleanup paths ever failed, a guild could not export again until process restart. |
| GSSA-2026-04-H08K1C | | 2026-04-25 | DiscordTickets Enhanced | Low | Body trim hook iterates `for…in` instead of own keys | The pre-handler that trims string fields on `req.body` used `for…in`, walking the prototype chain. This is brittle to any upstream prototype pollution and not strictly correct. |
| GSSA-2026-04-H0GAWV | | 2026-04-25 | DiscordTickets Enhanced | Low | NULL dereference on tag DELETE for missing or invalid tag id | The tag delete handler used short-circuit evaluation for the lookup, then accessed `original.guildId` unconditionally, yielding a 500 on already-deleted tags or non-numeric ids. |
| GSSA-2026-04-QZEZQZ | | 2026-04-25 | DiscordTickets Enhanced | Low | Settings PATCH allowed wide field assignment (mass-assignment within admin scope) | The settings PATCH endpoint accepted the entire body, only stripping `id` and `createdAt`. Any other Guild model field, including bot identity fields covered by the dedicated customization endpoint, could be set without that endpoint's validation. |
| GSSA-2026-04-MHVR8C | | 2026-04-25 | DiscordTickets Enhanced | Medium | Unauthenticated transcript redirect leaks ticket existence | The `/transcript/:ticketId` route had no authentication and queried the DB to redirect to the admin transcript URL, distinguishing 404 from 302 and thereby leaking ticket-existence information to anonymous attackers. |
| GSSA-2026-04-AMHCRR | | 2026-04-25 | CoBC Event Tracker | Critical | Weak default fallback secrets allow JWT and CSRF token forgery in cobc-events | cobc-events <1.0.1 fell back to hard-coded development secrets when JWT_SECRET / SESSION_SECRET were unset, allowing forgery of session JWTs and CSRF HMAC tokens. |
| GSSA-2026-04-P1V3KV | | 2026-04-25 | CoBC Event Tracker | Medium | Non-constant-time CSRF token comparison and lax hex parsing in cobc-events | The CSRF middleware in cobc-events <1.0.1 compared the cookie nonce with `!==` before the timing-safe HMAC check and accepted malformed hex input, leaking timing data and weakening token verification. |
| GSSA-2026-04-RSDKJ2 | | 2026-04-25 | CoBC Event Tracker | Medium | Permissive CORS configuration allows credentialed cross-origin requests in cobc-events | cobc-events <1.0.1 enabled CORS with the default `cors()` configuration, accepting any `Origin`. Combined with the JWT cookie, this allowed cross-origin sites to issue authenticated requests against the API. |
| GSSA-2026-04-4YYSAR | | 2026-04-25 | CoBC Event Tracker | Medium | Missing HSTS and incomplete CSP directives in cobc-events | cobc-events <1.0.1 did not set Strict-Transport-Security and was missing key Content-Security-Policy directives (`frame-ancestors`, `object-src`, `base-uri`, `form-action`), enabling downgrade and clickjacking attacks. |
| GSSA-2026-04-PR3QFF | | 2026-04-25 | CoBC Event Tracker | Medium | IDOR on /api/loa/user/:userId and /api/strikes/user/:userId in cobc-events | Endpoints returning another user's LoA/strikes only required `view_own_*` permission and did not enforce that the caller owned the path parameter, allowing any authenticated host to read other users' history. |
| GSSA-2026-04-XJKMV4 | | 2026-04-25 | CoBC Event Tracker | Medium | Permissive file upload filter accepts SVG enabling stored XSS in cobc-events | The multer fileFilter in cobc-events <1.0.1 used the regex `^(image\|video\|application/pdf)`, which matches `image/svg+xml` and any `video/*` MIME type. SVG uploads enable stored XSS when later served from the application origin. |
| GSSA-2026-04-RHBD5T | | 2026-04-25 | CoBC Event Tracker | High | Discord bot /config and /setchannel commands lacked authorization in cobc-events | The `/config` and `/setchannel` slash commands in cobc-events <1.0.1 had no permission check, letting any guild member toggle logging features or reroute strike/event/LoA log channels. |
| GSSA-2026-04-3ZVC5D | | 2026-04-25 | CoBC Event Tracker | Medium | Unbounded pagination limits enable resource exhaustion in cobc-events | Several REST endpoints accepted a client-controlled `limit` query parameter with no upper bound, allowing authenticated users to request arbitrarily large result sets and exhaust database / memory. |
| GSSA-2026-04-8PDG13 | | 2026-04-25 | CoBC Event Tracker | Medium | Strike status filter accepted arbitrary strings in cobc-events | `/api/strikes` previously accepted any comma-separated string in `?status=` and forwarded it to the service layer without validation against the StrikeStatus enum. |
| GSSA-2026-04-QH1CCP | | 2026-04-25 | CoBC Event Tracker | Medium | Cache invalidation used blocking Redis KEYS command in cobc-events | `CacheService.invalidatePattern` called `redis.keys(pattern)`, which blocks the Redis instance. On large keyspaces this could stall the entire Redis server and create a denial-of-service condition. |
| GSSA-2026-04-TPJNF1 | | 2026-04-25 | CoBC Event Tracker | Medium | Stored XSS via manual HTML escaping in events log-outcome view in cobc-events | The `log-outcome.ejs` template used the unescaped `<%-` output tag with hand-rolled HTML escaping that did not cover all XSS vectors, allowing stored XSS via `event.notes`. |
| PSA-2026-04-1YDY | CVE-2026-42298 | 2026-04-24 | Postiz App | Critical | Arbitrary Code Execution and Token Exfiltration in pr-docker-build.yml via untrusted Dockerfile.dev | |
| PSA-2026-04-6EZ5 | CVE-2026-40168 | 2026-04-22 | Postiz App | High | Server-Side Request Forgery via Redirect Bypass in /api/public/stream | |
| PSA-2026-04-5MVG | CVE-2026-0003 | 2026-04-19 | Postiz App | Critical | Unrestricted File Upload via MIME Type Spoofing Leads to Stored XSS | |
| PSA-2026-04-HVBM | CVE-2026-34590 | 2026-04-19 | Postiz App | Medium | SSRF via Webhook Creation Endpoint Missing URL Safety Validation | |
| PSA-2026-04-KT4W | CVE-2026-34576 | 2026-04-19 | Postiz App | Medium | SSRF in upload-from-url endpoint allows fetching internal resources and cloud metadata | |
| PSA-2026-04-422G | CVE-2026-34577 | 2026-04-19 | Postiz App | High | Unauthenticated Full-Read SSRF via /public/stream Endpoint with Trivially Bypassable Extension Check | |
| PSA-2026-04-SRGA | CVE-2024-34351 | 2026-04-19 | Postiz App | High | High-Severity SSRF in Postiz App | |
| PSA-2026-04-ZR1M | | 2026-04-19 | Postiz App | High | Multiple SSRF Vectors - Webhooks, RSS Feed, URL Loader (CWE-918) | |
| PSA-2026-04-PY6V | CVE-2025-53641 | 2026-04-19 | Postiz App | High | Header mutation in middleware facilitates SSRF | |