Date 2026-06-20. Lane: huntr.com paid AI/ML (cash, submit-via-huntr-first). Method: first_patched-verifier on the freshest CVE-rich AI/ML OSS. Fleet: LiteLLM (walk) + Flowise (HUNTR CANDIDATE).
Published MIME-spoof upload fix (CVE-2026-30821) added validateMimeTypeAndExtensionMatch. Verified at LATEST v3.1.2: it is CONSISTENCY-ONLY - asserts filename-extension == mapMimeTypeToExt(declared Content-Type), NEVER reads file bytes (the advisory's "magic byte verification" claim is false). So an HONESTLY-declared active-content file (payload.html + Content-Type: text/html) passes, and text/html/svg/js remain allowlisted. The unauth POST /api/v1/prediction/:id upload applies only this validator (no fullFileUpload gate), and the unauth GET /api/v1/get-upload-file serves the file Content-Disposition: inline with NO Content-Type and NO nosniff -> browser sniffs -> unauth stored XSS.
X-Content-Type-Options: nosniff? Content-Disposition: attachment vs inline? Missing all three + a sniffable body = the upload allowlist gap becomes stored XSS. Audit upload + serve as a PAIR.attachments requires fullFileUpload config but prediction does not. The least-gated unauth route is the real attack surface; enumerate all callers of the shared validator and pick the one with the weakest pre-conditions (same shape as the Directus FilesService-vs-TUS and Gitea per-handler asymmetries).CVE-2026-49468 Host-header route-confusion: the 1.84.0 fix moved get_request_route() and ALL 13 security-decision sites to the ASGI scope path (not request.url). Comprehensive, present at LATEST v1.89.2. Lesson: when the root cause is "security keyed off attacker-influenced X," the COMPLETE fix replaces X everywhere; grep every consumer of X before assuming incomplete - a well-done fix (LiteLLM) covers all siblings, a per-handler fix (Flowise) does not. The set-difference tells them apart cheaply.