Prasann Nuwal

3 exploits, active since Oct 2025
CVE-2026-30117 WRITEUP CRITICAL
scalar/astro 0.1.13 - Arbitrary File Upload and Remote Code Execution via Scalar Proxy scalar_url Parameter
scalar/astro v0.1.13 was discovered to contain an arbitrary file upload vulnerability in the scalar_url query parameter of the Scalar Proxy endpoint. This vulnerability allows attackers to execute arbitrary code by uploading a crafted SVG file.
CVSS 9.8
CVE-2026-30118 WRITEUP CRITICAL
scalar/astro 0.1.13 - Server-Side Request Forgery via Scalar Proxy scalar_url Parameter
scalar/astro v0.1.13 was discovered to contain a Server-Side Request Forgery (SSRF) in the scalar_url query parameter of the Scalar Proxy endpoint. This vulnerability allows unauthenticated attackers to force the backend server to send HTTP requests to attacker-controlled URLs, leading to exposure of authentication cookies and headers and possible privilege escalation.
CVSS 9.8
CVE-2025-57564 WRITEUP HIGH
CubeAPM nightly-2025-08-01-1 - Code Injection
CubeAPM nightly-2025-08-01-1 allows unauthenticated attackers to inject arbitrary log entries into production systems via the /api/logs/insert/elasticsearch/_bulk endpoint. This endpoint accepts bulk log data without requiring authentication or input validation, allowing remote attackers to perform unauthorized log injection. Exploitation may lead to false log entries, log poisoning, alert obfuscation, and potential performance degradation of the observability pipeline. The issue is present in the core CubeAPM platform and is not limited to specific deployment configurations.
CVSS 8.2