Tag
Langroid Tool Invocation Bypass via Unverified User Messages (CVE-2026-54771)
1 TTPA high-severity vulnerability, CVE-2026-54771, in Langroid applications allows untrusted users to directly invoke internal tools via raw JSON payloads, even when these tools are configured not to be used by the LLM, enabling malicious actors to bypass security controls and execute sensitive operations like file read/write, database queries, or access to internal orchestration tools.
Non-Constant-Time HMAC Comparison in Pay Gem Paddle Billing Webhook Signature Verifier
3 TTPsA timing side-channel vulnerability in the `Pay` gem's Paddle Billing webhook signature verification component (`Pay::Webhooks::PaddleBillingController#valid_signature?` <= v11.6.1) allows an unauthenticated attacker to recover the HMAC signing secret by observing response time variations in `String#==` comparisons, enabling the forgery of arbitrary webhook events and leading to business logic abuses such as unauthorized feature provisioning or fraudulent refunds.