Lucene search
K

541 matches found

OSV
OSV
added 5 days ago2 views

OPENSUSE-SU-2026:11190-1 python313-dulwich-1.2.7-1.1 on GA media

These are all security issues fixed in the python313-dulwich-1.2.7-1.1 package on the GA media of openSUSE Tumbleweed...

9.8CVSS7.2AI score0.03394EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/06/05 7:23 p.m.12 views

CVE-2026-35479

InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, any users who have staff access permissions can install plugins via the API, without requiring "superuser" account access. This level of permission requirement is out of alignment with other plugin actions such as...

6.6CVSS5.6AI score0.00216EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:16 p.m.10 views

CVE-2026-42881

STIGQter is an open-source reimplementation of DISA's STIG Viewer. From 0.1.2 to before 1.2.7, an attacker can achieve local code execution LCE with the privileges of the user running STIGQter. This requires user interaction: the victim must open the malicious .stigqter file and explicitly run th...

8.4CVSS6AI score0.00151EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:10 p.m.10 views

CVE-2026-35476

InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, a non-staff authenticated user can elevate their account to a staff level via a POST request against their user account endpoint. The write permissions on the API endpoint are improperly configured, allowing any us...

7.2CVSS5.5AI score0.00145EPSS
Exploits0References1
NVD
NVD
added 2026/05/14 3:16 p.m.21 views

CVE-2026-42881

STIGQter is an open-source reimplementation of DISA's STIG Viewer. From 0.1.2 to before 1.2.7, an attacker can achieve local code execution LCE with the privileges of the user running STIGQter. This requires user interaction: the victim must open the malicious .stigqter file and explicitly run th...

8.4CVSS0.00151EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/05/14 3:5 p.m.45 views

CVE-2026-42881 STIGQter: Arbitrary File Write leading to Local Code Execution via Export HTML

STIGQter is an open-source reimplementation of DISA's STIG Viewer. From 0.1.2 to before 1.2.7, an attacker can achieve local code execution LCE with the privileges of the user running STIGQter. This requires user interaction: the victim must open the malicious .stigqter file and explicitly run th...

8.4CVSS0.00151EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/05/14 3:5 p.m.11 views

CVE-2026-42881

STIGQter is an open-source reimplementation of DISA's STIG Viewer. From 0.1.2 to before 1.2.7, an attacker can achieve local code execution LCE with the privileges of the user running STIGQter. This requires user interaction: the victim must open the malicious .stigqter file and explicitly run th...

8.4CVSS6.2AI score0.00151EPSS
Exploits0References3Affected Software1
EUVD
EUVD
added 2026/05/14 3:5 p.m.13 views

EUVD-2026-30305

STIGQter is an open-source reimplementation of DISA's STIG Viewer. From 0.1.2 to before 1.2.7, an attacker can achieve local code execution LCE with the privileges of the user running STIGQter. This requires user interaction: the victim must open the malicious .stigqter file and explicitly run th...

8.4CVSS6.2AI score0.00151EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/05/14 12:0 a.m.16 views

PT-2026-40946

STIGQter is an open-source reimplementation of DISA's STIG Viewer. From 0.1.2 to before 1.2.7, an attacker can achieve local code execution LCE with the privileges of the user running STIGQter. This requires user interaction: the victim must open the malicious .stigqter file and explicitly run th...

8.4CVSS6.2AI score0.00151EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/05/14 12:0 a.m.9 views

STIGQter 路径遍历漏洞

STIGQter is a compliance checklist generation and reporting tool developed by Jon Hood. Versions of STIGQter from 0.1.2 to 1.2.7 contained a path traversal vulnerability. This vulnerability occurred when processing malicious.stigqter files, allowing attackers to execute local code during the user...

8.4CVSS6AI score0.00151EPSS
Exploits0References1
NVD
NVD
added 2026/05/09 8:16 p.m.17 views

CVE-2026-42576

apko allows users to build and publish OCI container images built from apk packages. Prior to version 1.2.7, DiscoverKeys in pkg/apk/apk/implementation.go unconditionally type-asserts JWKS keys as rsa.PublicKey without checking the key type. If a repository JWKS endpoint returns a non-RSA key e.g...

6.5CVSS0.00252EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/05/09 7:26 p.m.57 views

CVE-2026-42576 apko `DiscoverKeys` has a panic on non-rsa jwks key that causes crash during key discovery

apko allows users to build and publish OCI container images built from apk packages. Prior to version 1.2.7, DiscoverKeys in pkg/apk/apk/implementation.go unconditionally type-asserts JWKS keys as rsa.PublicKey without checking the key type. If a repository JWKS endpoint returns a non-RSA key e.g...

6.5CVSS0.00252EPSS
Exploits0References3
EUVD
EUVD
added 2026/05/09 7:26 p.m.10 views

EUVD-2026-28934

apko allows users to build and publish OCI container images built from apk packages. Prior to version 1.2.7, DiscoverKeys in pkg/apk/apk/implementation.go unconditionally type-asserts JWKS keys as rsa.PublicKey without checking the key type. If a repository JWKS endpoint returns a non-RSA key e.g...

6.5CVSS5.7AI score0.00252EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/05/09 7:26 p.m.8 views

CVE-2026-42576

apko allows users to build and publish OCI container images built from apk packages. Prior to version 1.2.7, DiscoverKeys in pkg/apk/apk/implementation.go unconditionally type-asserts JWKS keys as rsa.PublicKey without checking the key type. If a repository JWKS endpoint returns a non-RSA key e.g...

6.5CVSS5.7AI score0.00252EPSS
Exploits0References4Affected Software1
CVE
CVE
added 2026/05/09 7:26 p.m.19 views

CVE-2026-42576

CVE-2026-42576 affects chainguard/apko. Before v1.2.7, DiscoverKeys in pkg/apk/apk/implementation.go unconditionally type-asserts JWKS keys as *rsa.PublicKey without key-type checks. If a repository JWKS endpoint returns a non-RSA key (e.g., EC), an unchecked type assertion panics, crashing apko ...

6.5CVSS5.7AI score0.00252EPSS
Exploits0References3
CVE
CVE
added 2026/05/09 7:26 p.m.16 views

CVE-2026-42575

CVE-2026-42575 affects chainguard/apko: before v1.2.7, apko verifies APKINDEX.signed index but does not compare individually downloaded .apk checksums to the index checksum. The ChecksumString() is parsed but never cross-checked with the downloaded package’s control hash in getPackageImpl(), allo...

7.5CVSS5.9AI score0.00159EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/05/09 7:26 p.m.39 views

CVE-2026-42575 apko doesn't verify downloaded apk packages against APKINDEX checksum (package substitution possible)

apko allows users to build and publish OCI container images built from apk packages. Prior to version 1.2.7, apko verifies the signature on APKINDEX.tar.gz but never compares individually downloaded .apk packages against the checksum recorded in the signed index. The checksum is parsed and...

7.5CVSS0.00159EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/05/09 7:26 p.m.8 views

CVE-2026-42575 apko doesn't verify downloaded apk packages against APKINDEX checksum (package substitution possible)

apko allows users to build and publish OCI container images built from apk packages. Prior to version 1.2.7, apko verifies the signature on APKINDEX.tar.gz but never compares individually downloaded .apk packages against the checksum recorded in the signed index. The checksum is parsed and...

7.5CVSS5.9AI score0.00159EPSS
Exploits0References3
EUVD
EUVD
added 2026/05/09 7:26 p.m.11 views

EUVD-2026-28933

apko allows users to build and publish OCI container images built from apk packages. Prior to version 1.2.7, apko verifies the signature on APKINDEX.tar.gz but never compares individually downloaded .apk packages against the checksum recorded in the signed index. The checksum is parsed and...

7.5CVSS5.9AI score0.00159EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/05/09 12:0 a.m.9 views

apko 代码问题漏洞

Apko is an open-source OCI image builder based on APK. Versions of Apko prior to 1.2.7 had code vulnerabilities. These vulnerabilities stemmed from DiscoverKeys’ unconditional assertion of JWKS key types as rsa.PublicKey without checking the key type. This could lead to panic and crashes due to...

6.5CVSS5.9AI score0.00252EPSS
Exploits0References1
Rows per page
Query Builder