103 matches found
CVE-2026-44247
Volcano is a Kubernetes-native batch scheduling system. Prior to v1.14.2, v1.13.3, and v1.12.4, the Volcano webhook server does not enforce a size limit on incoming HTTP request bodies. Any in-cluster pod that can reach the webhook endpoint may send an arbitrarily large request body, potentially...
GHSA-49PM-43HF-6XFQ IPAM controller service account granted unnecessary full access to Secrets
Impact IPAM is the IP address Manager for Cluster API Provider Metal3. The IPAM controller's ClusterRole granted full CRUD permissions create, delete, get, list, patch, update, watch on core/v1 Secrets. The controller never accesses Secrets during normal operation. If the controller pod were...
CVE-2026-44247
Volcano is a Kubernetes-native batch scheduling system. Prior to v1.14.2, v1.13.3, and v1.12.4, the Volcano webhook server does not enforce a size limit on incoming HTTP request bodies. Any in-cluster pod that can reach the webhook endpoint may send an arbitrarily large request body, potentially...
EUVD-2026-32666
Volcano is a Kubernetes-native batch scheduling system. Prior to v1.14.2, v1.13.3, and v1.12.4, the Volcano webhook server does not enforce a size limit on incoming HTTP request bodies. Any in-cluster pod that can reach the webhook endpoint may send an arbitrarily large request body, potentially...
CVE-2026-44247 Volcano: Webhook server vulnerable to OOM due to unbounded HTTP request body size
Volcano is a Kubernetes-native batch scheduling system. Prior to v1.14.2, v1.13.3, and v1.12.4, the Volcano webhook server does not enforce a size limit on incoming HTTP request bodies. Any in-cluster pod that can reach the webhook endpoint may send an arbitrarily large request body, potentially...
CVE-2026-44247 Volcano: Webhook server vulnerable to OOM due to unbounded HTTP request body size
Volcano is a Kubernetes-native batch scheduling system. Prior to v1.14.2, v1.13.3, and v1.12.4, the Volcano webhook server does not enforce a size limit on incoming HTTP request bodies. Any in-cluster pod that can reach the webhook endpoint may send an arbitrarily large request body, potentially...
CVE-2026-3279 Enable jQuery Migrate Helper <= 1.4.1 - Missing Authorization to Authenticated (Subscriber+) jQuery Version Downgrade
The Enable jQuery Migrate Helper plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the downgradejqueryversion function in all versions up to, and including, 1.4.1. This is due to the function only verifying a nonce without checking user...
PT-2026-43545
The Enable jQuery Migrate Helper plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the downgrade jquery version function in all versions up to, and including, 1.4.1. This is due to the function only verifying a nonce without checking user...
Volcano 安全漏洞
Volcano is a batch processing system built using Kubernetes, developed by Volcano OpenSource. Vulnerabilities exist in versions of Volcano before v1.14.2, v1.13.3, and v1.12.4. These vulnerabilities stem from the Webhook server’s lack of a limit on the size of the HTTP request bodies. Pods that...
Insertion of Sensitive Information Into Sent Data
Overview Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data via the TESTCONNECTION workflow for a Database Service. An attacker can obtain sensitive credentials and authentication tokens by triggering the workflow and inspecting the HTTP response...
CVE-2026-5361
The Envira Gallery Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API in versions up to and including 1.12.4. This is due to insufficient input sanitization in the updategallerydata function and improper output escaping in the galleryinit function. The...
CVE-2026-5361 Envira Gallery <= 1.12.4 - Authenticated (Author+) Stored Cross-Site Scripting via 'arrows' Parameter
The Envira Gallery Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API in versions up to and including 1.12.4. This is due to insufficient input sanitization in the updategallerydata function and improper output escaping in the galleryinit function. The...
WordPress Envira Gallery – Image Photo Gallery, Albums, Video Gallery, Slideshows & More plugin <= 1.12.4 - Authenticated (Author+) Stored Cross-Site Scripting vulnerability
Authenticated Author+ Stored Cross-Site Scripting vulnerability discovered by ? in WordPress Plugin Envira Photo Gallery versions = 1.12.4...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when handling excessively large HTTP request bodies. A malicious pod on the same cluster can exhaust system memory and trigger an OOM condition. Remediation Upgrade...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when handling excessively large HTTP request bodies. A malicious pod on the same cluster can exhaust system memory and trigger an OOM condition. Remediation Upgrade...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when handling excessively large HTTP request bodies. A malicious pod on the same cluster can exhaust system memory and trigger an OOM condition. Remediation Upgrade...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the webhook process. An attacker can exhaust system memory by sending oversized POST payloads before signature validation. This is only exploitable if Stripe webhooks are enabled a...
CVE-2026-40481
monetr is a budgeting application for recurring expenses. In versions 1.12.3 and below, the public Stripe webhook endpoint buffers the entire request body into memory before validating the Stripe signature. A remote unauthenticated attacker can send oversized POST payloads to cause uncontrolled...
CVE-2026-40481
In monetr, versions 1.12.3 and earlier expose a denial-of-service risk where the public Stripe webhook endpoint buffers the entire request body into memory before validating the Stripe signature. An unauthenticated remote attacker can send oversized POST payloads to trigger uncontrolled memory gr...
CVE-2026-40481 monetr: Unauthenticated Stripe webhook reads attacker-sized request bodies before signature validation
monetr is a budgeting application for recurring expenses. In versions 1.12.3 and below, the public Stripe webhook endpoint buffers the entire request body into memory before validating the Stripe signature. A remote unauthenticated attacker can send oversized POST payloads to cause uncontrolled...