Fedora 43 : docker-buildkit (2026-36769a9e58)

The remote Fedora 43 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-36769a9e58 advisory. - Update to release v0.30.0 - Resolves CVE-2026-39984: rhbz2458929 - Upstream new features and fixes Tenable has extracted the preceding description block...

Fedora 45 : docker-buildkit (2026-7ac27ae1d0)

The remote Fedora 45 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-7ac27ae1d0 advisory. Automatic update for docker-buildkit-0.30.0-1.fc45. Changelog Wed May 13 2026 Bradley G Smith - 0.30.0-1 - Update to release v0.30.0 - Resolves CVE-2026-3998...

Step CA affected by an index out of bounds panic in TPM attestation EKU validation

Summary An attacker can trigger an index out-of-bounds panic in Step CA by sending a crafted attestation key AK certificate with an empty Extended Key Usage EKU extension during TPM device attestation. Details When processing a device-attest-01 ACME challenge using TPM attestation, Step CA...

CLEANSTART-2026-JJ09127 Security fixes for CVE-2025-58183, CVE-2025-58185, CVE-2025-58187, CVE-2025-58188, CVE-2025-58189, CVE-2025-61723, CVE-2025-61724, CVE-2025-61725, CVE-2025-61729, CVE-2026-33186 applied in versions: 0.28.7-r1, 0.29.0-r0, 0.30.0-r0

Multiple security vulnerabilities affect the step-cli package. These issues are resolved in later releases. See references for individual vulnerability details...

Linux Distros Unpatched Vulnerability : CVE-2026-30836

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Step CA is an online certificate authority for secure, automated certificate management for DevOps. Versions 0.30.0-rc6 and below do not safeguard against...

Improper Authentication

Overview Affected versions of this package are vulnerable to Improper Authentication through the certificate issuance via SCEP UpdateReq MessageType=18. Note: Limited Disclosure — Full Details Pending. Full details of this vulnerability will be published smallstep/certificates security advisory o...

Improper Authentication

Overview Affected versions of this package are vulnerable to Improper Authentication through the certificate issuance via SCEP UpdateReq MessageType=18. Note: Limited Disclosure — Full Details Pending. Full details of this vulnerability will be published smallstep/certificates security advisory o...

UBUNTU-CVE-2026-30836

Step CA is an online certificate authority for secure, automated certificate management for DevOps. Versions 0.30.0-rc6 and below do not safeguard against unauthenticated certificate issuance through the SCEP UpdateReq. This issue has been fixed in version 0.30.0...

CVE-2026-30836

Step CA is an online certificate authority for secure, automated certificate management for DevOps. Versions 0.30.0-rc6 and below do not safeguard against unauthenticated certificate issuance through the SCEP UpdateReq. This issue has been fixed in version 0.30.0...

CVE-2026-30836 Step CA: Unauthenticated Certificate Issuance via SCEP UpdateReq (MessageType=18)

Step CA is an online certificate authority for secure, automated certificate management for DevOps. Versions 0.30.0-rc6 and below do not safeguard against unauthenticated certificate issuance through the SCEP UpdateReq. This issue has been fixed in version 0.30.0...

CVE-2026-27627 Karakeep's Reddit plugin content bypasses DOMPurify sanitization, enabling stored XSS

Karakeep is a elf-hostable bookmark-everything app. In version 0.30.0, when the Reddit metascraper plugin returns readableContentHtml, the HTML parsing subprocess uses it directly without running it through DOMPurify. Every other content source in the crawler goes through Readability + DOMPurify,...

karakeep 跨站脚本漏洞

Karakeep is an open-source bookmarking app developed by Karakeep App. Version 0.30.0 of Karakeep contains a cross-site scripting vulnerability. This vulnerability arises from the Reddit meta-fetching plugin not using DOMPurify to clean HTML content, allowing malicious HTML to be executed in users...

GHSA-3CX6-J9J4-54MP Decidim's private data exports can lead to data leaks

Impact Private data exports can lead to data leaks in cases where the UUID generation causes collisions for the generated UUIDs. The bug was introduced by 13571 and affects Decidim versions 0.30.0 or newer currently 2025-09-23. This issue was discovered by running the following spec several times...

PT-2026-5944

Name of the Vulnerable Software and Affected Versions Decidim versions 0.30.0 through 0.30.3 Decidim versions 0.31.0.rc1 through 0.31.0.rc2 Description Decidim, a participatory democracy framework, is affected by an issue where private data exports can lead to data leaks. This occurs due to UUID...

Decidim's private data exports can lead to data leaks

Impact Private data exports can lead to data leaks in cases where the UUID generation causes collisions for the generated UUIDs. The bug was introduced by 13571 and affects Decidim versions 0.30.0 or newer currently 2025-09-23. This issue was discovered by running the following spec several times...

Decidim's private data exports can lead to data leaks

Impact Private data exports can lead to data leaks in cases where the UUID generation causes collisions for the generated UUIDs. The bug was introduced by 13571 and affects Decidim versions 0.30.0 or newer currently 2025-09-23. This issue was discovered by running the following spec several times...

CVE-2026-21428

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.0, the writeheaders function does not check for CR & LF characters in user supplied headers, allowing untrusted header value to escape header lines. This vulnerability allows attackers to add...

CVE-2026-21428

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.0, the writeheaders function does not check for CR & LF characters in user supplied headers, allowing untrusted header value to escape header lines. This vulnerability allows attackers to add...

CVE-2026-21428 cpp-httplib has CRLF injection in http headers

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.0, the writeheaders function does not check for CR & LF characters in user supplied headers, allowing untrusted header value to escape header lines. This vulnerability allows attackers to add...

CVE-2026-21428 cpp-httplib has CRLF injection in http headers

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to version 0.30.0, the writeheaders function does not check for CR & LF characters in user supplied headers, allowing untrusted header value to escape header lines. This vulnerability allows attackers to add...