Dark C0d3rs
HackerOne Disclosed Reports - 2026-03-31



HackerOne disclosed reports - 2026-03-31 - hashXploiter - 04-01-2026

High
resolved

DLL side-loading vulnerability in Sony Music Center for PC Ver. 2.7.2 (Latest version)


Bug reported by Suphawith Phusanbai was disclosed on March 31, 2026, 2:06 pm   |   Uncontrolled Search Path Element


High
resolved

SSRF Filter Bypass via Unblocked NAT64 Local-Use IPv6 Prefix (64:ff9b:1::/48)


Bug reported by tipsen was disclosed on March 31, 2026, 2:31 am   |   Server-Side Request Forgery (SSRF)

A vulnerability was discovered in the `ssrf_filter` library version 1.3.0. The library failed to block the NAT64 local-use IPv6 prefix `64:ff9b:1::/48`, allowing such addresses to be treated as public. This enabled SSRF requests through `/fetch` to targets encoded under that prefix when routable in the deployment environment.


Medium
resolved

Path Traversal in writeFile via Unsafe Prefix Containment Check Allows Out-of-Directory Writes


Bug reported by tipsen was disclosed on March 31, 2026, 2:04 am   |   Path Traversal

A path traversal vulnerability was discovered in the `protodump` tool. It allowed an attacker to influence the output filename construction and bypass the containment check, enabling writes outside the intended output directory. The cause was the use of descriptor-controlled paths in the output filename construction, combined with an unsafe lexical prefix check for directory containment.
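
The class of flaw described in the last report, a lexical prefix test used as a directory containment check, shown beside a hardened form. This is an added example, not `protodump`'s code and not part of the original post: the function names `unsafeContained` and `safeJoin`, the `/tmp/out` directory and the sample names are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// unsafeContained is the flawed pattern: a string-prefix test on the joined
// path. "/tmp/out-evil/..." starts with "/tmp/out", so a sibling directory passes.
func unsafeContained(outDir, name string) bool {
	joined := filepath.Join(outDir, name)
	return strings.HasPrefix(joined, filepath.Clean(outDir))
}

// safeJoin resolves name under outDir and rejects any result whose path
// relative to outDir climbs out of it. It compares path components, not bytes.
// It is purely lexical: symlinks already inside outDir are not resolved here.
func safeJoin(outDir, name string) (string, error) {
	base, err := filepath.Abs(outDir)
	if err != nil {
		return "", err
	}
	target := filepath.Join(base, name)
	rel, err := filepath.Rel(base, target)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errors.New("path escapes output directory: " + name)
	}
	return target, nil
}

func main() {
	// Constructed sample names, standing in for descriptor-supplied file names.
	names := []string{"pkg/a.proto", "../out-evil/a.proto", "../../etc/x.proto", "..data/a.proto"}
	for _, n := range names {
		_, err := safeJoin("/tmp/out", n)
		fmt.Printf("%-24q prefix-check=%-5v safeJoin-ok=%v\n",
			n, unsafeContained("/tmp/out", n), err == nil)
	}
}
```

The `..data/a.proto` case is included to show that the component-wise check does not reject legitimate names that merely begin with two dots.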