zeropath.com

5 curated AppSec resources from zeropath.com across 3 topics on appsec.fyi.

Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-04-19.

Date Added | Year | Resource | Topic | Excerpt

2026-04-19 | 2026 | IBM webMethods Integration CVE-2025-36072: Deserialization RCE | Deser | Writeup of CVE-2025-36072, an unsafe deserialization vulnerability (CWE-502) in IBM webMethods Integration Server. Exploitable by authenticated users with service execution privileges, this flaw allows attackers to submit crafted serialized object graphs to trigger arbitrary code execution. Affected versions include 10.11, 10.15, and 11.1, requiring the latest core fixes to mitigate the risk.

2026-04-19 | 2026 | OAuth2-Proxy Authentication Bypass (CVE-2025-54576) | AuthN | Writeup detailing CVE-2025-54576, an authentication bypass vulnerability in OAuth2-Proxy versions 7.10.0 and below. The flaw lies in the `skip_auth_routes` configuration, where regex patterns intended for paths were incorrectly applied to the entire request URI, including query parameters. This allowed attackers to craft URLs with malicious query strings to bypass authentication. The fix, implemented in version 7.11.0, restricts pattern matching to only the request path.

2026-04-19 | 2026 | OAuth SSO WordPress Plugin JWT Bypass (CVE-2025-9485) | AuthN | Writeup of CVE-2025-9485, a JWT bypass vulnerability in miniOrange's OAuth Single Sign On – SSO (OAuth Client) WordPress plugin. Versions up to and including 6.26.12 improperly verify JWT signatures, allowing attackers to forge tokens and gain administrator access by manipulating the `sub` claim. This flaw, classified as CWE-347, affects thousands of sites using the plugin for integration with providers like Azure AD and Google Workspace.

2026-04-09 | 2026 | GitLab CVE-2025-6454: SSRF via Webhook Custom Headers | SSRF | Writeup of CVE-2025-6454, a high-severity SSRF vulnerability in GitLab CE/EE versions 16.11 through 18.3.2. Attackers with authenticated access can exploit custom webhook headers to force the GitLab server to send requests to internal network resources, bypassing perimeter security. This vulnerability, categorized as CWE-918, allows for potential lateral movement and exposure of sensitive services.

2026-04-09 | 2026 | Azure OpenAI CVE-2025-53767 SSRF Privilege Escalation | SSRF | Writeup of CVE-2025-53767 detailing a critical Server-Side Request Forgery (SSRF) vulnerability in Microsoft Azure OpenAI services. This flaw, classified under CWE-918, allows attackers to craft requests that bypass network controls, potentially leading to privilege escalation by accessing sensitive internal endpoints like the Azure Instance Metadata Service. While specific affected versions are undisclosed, the complexity of Azure's environment has led to past SSRF issues in other cloud services.