CVE-2026-42191 OpenTelemetry.Exporter.OpenTelemetryProtocol: Disk retry default temp path enables local blob injection for OTLP Exporter
OpenTelemetry.Exporter.OpenTelemetryProtocol is the OTLP (OpenTelemetry Protocol) exporter implementation. From 1.8.0 to 1.15.2, the OTLP disk retry feature in OpenTelemetry.Exporter.OpenTelemetryProtocol silently fell back to Path.GetTempPath when OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY=disk was set but...
CVE-2026-42191
OpenTelemetry.Exporter.OpenTelemetryProtocol (OTLP exporter) Vulnerability: from 1.8.0 through 1.15.2, when OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY=disk is used without OTEL_DOTNET_EXPERIMENTAL_OTLP_DISK_RETRY_DIRECTORY_PATH, the retry storage root is resolved with Path.GetTempPath(). The exporter st...
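To make the configuration failure concrete, here is an added audit helper in Python (not the exporter's own C# code) that resolves the retry root the way the advisory describes for 1.8.0 through 1.15.2, beside a hardened resolver that refuses the silent fallback. The Path.GetTempPath() approximation (TMP/TEMP/USERPROFILE on Windows, TMPDIR or /tmp on Unix) and the environments fed to it are assumptions constructed for the example.

```python
import os
import stat

# Environment variables named in the advisory.
RETRY_VAR = "OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY"
DIR_VAR = "OTEL_DOTNET_EXPERIMENTAL_OTLP_DISK_RETRY_DIRECTORY_PATH"


def dotnet_temp_path(env, windows=False):
    """Approximation (assumption, not the runtime's code) of what
    Path.GetTempPath() returns: on Windows the first of TMP, TEMP, USERPROFILE
    that is set, else the Windows directory; on Unix TMPDIR, else /tmp.
    All of these are directories other local users can usually write to."""
    if windows:
        for var in ("TMP", "TEMP", "USERPROFILE"):
            if env.get(var):
                return env[var]
        return env.get("SystemRoot", r"C:\Windows")
    return env.get("TMPDIR") or "/tmp"


def retry_root_affected(env, windows=False):
    """Resolution as the advisory describes it for 1.8.0 through 1.15.2:
    disk retry on, no explicit directory -> silently use the temp path."""
    if env.get(RETRY_VAR) != "disk":
        return None
    return env.get(DIR_VAR) or dotnet_temp_path(env, windows)


def retry_root_hardened(env):
    """Same inputs, but the fallback is an error rather than a shared directory."""
    if env.get(RETRY_VAR) != "disk":
        return None
    path = env.get(DIR_VAR)
    if not path:
        raise ValueError(
            f"{RETRY_VAR}=disk requires {DIR_VAR}; refusing to fall back to a temp directory")
    return path


def audit_env(env, windows=False):
    """Findings for one process environment (e.g. read from /proc/<pid>/environ
    or a container spec). Returns [] when the configuration is safe."""
    findings = []
    if env.get(RETRY_VAR) == "disk" and not env.get(DIR_VAR):
        findings.append(
            f"{RETRY_VAR}=disk without {DIR_VAR}: retry blobs would be written under "
            f"{dotnet_temp_path(env, windows)}")
    return findings


def directory_problems(path):
    """POSIX ownership/permission check for an explicit retry directory."""
    st = os.stat(path)
    problems = []
    if st.st_uid != os.getuid():
        problems.append("not owned by the current user")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or others")
    return problems


def make_retry_dir(path):
    """Create the explicit retry directory with owner-only access and return
    any remaining problems (an empty list means it is usable)."""
    os.makedirs(path, exist_ok=True)
    os.chmod(path, 0o700)
    return directory_problems(path)


if __name__ == "__main__":
    # Constructed environments, not captured from a real host.
    weak = {RETRY_VAR: "disk"}
    fixed = {RETRY_VAR: "disk", DIR_VAR: "/var/lib/myapp/otlp-retry"}
    print(audit_env(weak))
    print(audit_env(fixed))
```

The point of `directory_problems` is that setting the directory variable alone is not enough: the directory it names must be private to the service account, otherwise another local user can still plant or replace retry blobs there.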
Security Bulletin: MongoDB Enterprise Advanced affected by: Denial of Service Caused by Improper JSON Parser (WS-2026-0003)
Summary There is a vulnerability in jackson-core-2.15.0.jar, jackson-core-2.18.3.jar, jackson-core-2.19.2.jar, jackson-core-2.19.4.jar used in MongoDB Enterprise Advanced for IBM, involving WS-2026-0003. The vulnerability has been addressed. Vulnerability Details ID:WS-2026-0003 DESCRIPTION: The...
CVE-2026-41310
OpenTelemetry.Exporter.Zipkin is the .NET Zipkin exporter for OpenTelemetry. In versions 1.15.2 and earlier, the Zipkin exporter remote endpoint cache accepts unbounded key growth derived from span attributes. In high-cardinality scenarios, a process using Zipkin export for client or producer spa...
Allocation of Resources Without Limits or Throttling
Overview OpenTelemetry.Exporter.Zipkin is a Zipkin Exporter for OpenTelemetry .NET. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to unbounded growth of the remote endpoint cache derived from span attributes. An attacker can cause...
PT-2026-35933
Name of the Vulnerable Software and Affected Versions OpenTelemetry.Exporter.Zipkin versions prior to 1.15.3 Description The remote endpoint cache in the Zipkin exporter accepts unbounded key growth derived from span attributes. In high-cardinality scenarios—situations where there is a large numb...
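The Zipkin entries above describe a cache keyed by span attributes with no cap. As an added illustration in Python (not the exporter's C# code), the block below puts the unbounded shape next to a bounded LRU variant and feeds both a high-cardinality stream of client spans. The attribute names used for the key and the span stream are assumptions constructed for the example.

```python
from collections import OrderedDict

# Attributes consulted for the remote endpoint (assumed set for the example;
# the real exporter's list may differ).
REMOTE_ENDPOINT_ATTRS = ("peer.service", "server.address", "net.peer.name", "net.peer.port")


def endpoint_key(attributes):
    """Key derived from span attributes. Any of these values can be chosen by
    whoever controls the instrumented request, so the key space is unbounded."""
    return tuple((k, str(attributes[k])) for k in REMOTE_ENDPOINT_ATTRS if k in attributes)


def build_remote_endpoint(key):
    """Stand-in for the exporter's endpoint object construction."""
    return dict(key)


class UnboundedEndpointCache:
    """The vulnerable shape: memoise by key, never evict."""

    def __init__(self):
        self._entries = {}

    def get(self, attributes):
        key = endpoint_key(attributes)
        if key not in self._entries:
            self._entries[key] = build_remote_endpoint(key)
        return self._entries[key]

    def __len__(self):
        return len(self._entries)


class BoundedEndpointCache:
    """Hardened shape: LRU with a hard cap. Hot keys stay cached; a flood of
    unique keys can only ever occupy max_entries slots."""

    def __init__(self, max_entries=1024):
        self.max_entries = max_entries
        self._entries = OrderedDict()

    def get(self, attributes):
        key = endpoint_key(attributes)
        entry = self._entries.get(key)
        if entry is not None:
            self._entries.move_to_end(key)
            return entry
        if len(self._entries) >= self.max_entries:
            self._entries.popitem(last=False)  # evict least recently used
        entry = build_remote_endpoint(key)
        self._entries[key] = entry
        return entry

    def __len__(self):
        return len(self._entries)


def simulate(cache, n):
    """Feed n client spans whose peer name carries a unique value, as a
    high-cardinality attribute (constructed input) would. Returns the
    number of cache entries left alive afterwards."""
    for i in range(n):
        cache.get({"peer.service": "api",
                   "net.peer.name": f"host-{i}.example",
                   "net.peer.port": 443})
    return len(cache)
```

The cap is the only thing that matters for availability; whether the eviction policy is LRU or something simpler is a tuning choice. A cache keyed by anything a remote party can vary should always have one.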
EUVD-2026-25269
OpenTelemetry dotnet: Excessive memory allocation when parsing OpenTelemetry propagation headers...
Memory Allocation with Excessive Size Value
Overview OpenTelemetry.Api is a package that application developers and library authors use to instrument their application/library. Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value in the processing of propagation headers such as baggage, B3, and...
CVE-2026-40894
OpenTelemetry dotnet vulnerable versions: OpenTelemetry.Api 0.5.0-beta.2–1.15.2 and OpenTelemetry.Extensions.Propagators 1.3.1–1.15.2 contain code paths for baggage, B3 and Jaeger processing that can allocate excessive memory when parsing propagation headers, potentially leading to a DoS. The iss...
PT-2026-34720
Name of the Vulnerable Software and Affected Versions OpenTelemetry.Api versions 0.5.0-beta.2 through 1.15.2 OpenTelemetry.Extensions.Propagators versions 1.3.1 through 1.15.2 Description Implementation details of the baggage, B3, and Jaeger processing code in the OpenTelemetry.Api and...
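The propagation-header entries above (CVE-2026-40894) come down to parsing attacker-supplied header text without bounding the work it causes. As an added example in Python (not the OpenTelemetry .NET code), here is a baggage header parser that enforces size limits on the combined input before any per-member allocation. The limit values are the ones the W3C Baggage specification lists in its Limits section as I recall them (total 8192 bytes, 64 members, 4096 bytes per member); treat them as assumptions and check the spec before adopting.

```python
from urllib.parse import unquote

# Limits as recalled from the W3C Baggage specification (assumption; verify).
MAX_TOTAL_BYTES = 8192
MAX_MEMBERS = 64
MAX_MEMBER_BYTES = 4096


class BaggageLimitExceeded(ValueError):
    pass


def parse_baggage(header_values, *, max_total=MAX_TOTAL_BYTES,
                  max_members=MAX_MEMBERS, max_member=MAX_MEMBER_BYTES):
    """Parse one or more `baggage` header values into {key: value}.

    Limits are enforced on the combined input, so a client cannot force large
    allocations either with one huge header or by repeating the header many
    times, each just under a per-line limit."""
    combined = ",".join(v for v in header_values if v)
    if len(combined.encode("utf-8")) > max_total:
        raise BaggageLimitExceeded("baggage exceeds total byte limit")
    result = {}
    members = 0
    for member in combined.split(","):
        member = member.strip()
        if not member:
            continue
        members += 1
        if members > max_members:
            raise BaggageLimitExceeded("too many baggage members")
        if len(member.encode("utf-8")) > max_member:
            raise BaggageLimitExceeded("baggage member exceeds byte limit")
        kv, _, _props = member.partition(";")  # properties are accepted and dropped
        key, sep, value = kv.partition("=")
        key, value = key.strip(), value.strip()
        if not sep or not key:
            continue  # malformed member: ignore it, keep the rest
        result[key] = unquote(value)
    return result


def parse_baggage_safe(header_values):
    """For callers that want a result instead of an exception:
    returns (dict, None) on success or ({}, reason) when a limit is hit."""
    try:
        return parse_baggage(header_values), None
    except BaggageLimitExceeded as e:
        return {}, str(e)
```

The same discipline applies to the B3 and Jaeger headers the advisory names: check the length of what arrived against the fixed-width fields you expect before splitting or decoding it.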
CVE-2026-32146 Improper Path Validation in Git Dependency Handling Allows Arbitrary File System Modification
Improper path validation vulnerability in the Gleam compiler's handling of git dependencies allows arbitrary file system modification during dependency download. Dependency names from gleam.toml and manifest.toml are incorporated into filesystem paths without sufficient validation or confinement ...
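The Gleam entry describes a dependency name being joined onto a filesystem path without validation or confinement. As an added Python illustration (not the Gleam compiler's own Rust code), the block below shows the unconfined join beside a confined version that allow-lists the name and then verifies the resolved path still lies under the packages root. The name pattern and the package root are assumptions for the example.

```python
import os
import re

# Hex-style package name: lowercase ASCII letters, digits and underscores,
# starting with a letter. Assumed for the example, not Gleam's own rule.
DEP_NAME = re.compile(r"[a-z][a-z0-9_]*")


class UnsafeDependencyName(ValueError):
    pass


def unconfined_dependency_dir(packages_root, name):
    """The vulnerable shape: the name from gleam.toml / manifest.toml is joined
    onto the packages directory with no validation. A name containing path
    separators, '..' or a leading '/' escapes the root (os.path.join discards
    the root entirely when the second argument is absolute)."""
    return os.path.normpath(os.path.join(packages_root, name))


def confined_dependency_dir(packages_root, name):
    """Hardened shape: allow-list the name, then verify the resolved path is
    still under the packages root. The second check stays useful if the
    allow-list is later loosened or the name arrives from another source."""
    if not DEP_NAME.fullmatch(name):
        raise UnsafeDependencyName(f"dependency name rejected: {name!r}")
    root = os.path.realpath(packages_root)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:
        raise UnsafeDependencyName(f"dependency path escapes {root}: {target}")
    return target


def is_confined(packages_root, name):
    """True if confined_dependency_dir accepts the name."""
    try:
        confined_dependency_dir(packages_root, name)
        return True
    except UnsafeDependencyName:
        return False
```

`realpath` also resolves symlinks, so a previously planted link inside the packages directory that points outside it is caught by the `commonpath` check when the target already exists.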
Important: Red Hat Security Advisory: Red Hat OpenShift Pipelines Release 1.15.3
The 1.15.3 GA release of Red Hat OpenShift Pipelines Operator. For more details see product documentation. The 1.15.3 release of Red Hat OpenShift Pipelines Operator...
BIT-KYVERNO-2026-23881 Kyverno Denial of Service via Context Variable Amplification in Policy Engine
Kyverno is a policy engine designed for cloud native platform engineering teams. Versions prior to 1.16.3 and 1.15.3 have unbounded memory consumption in Kyverno's policy engine that allows users with policy creation privileges to cause denial of service by crafting policies that exponentially...
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the context variable evaluation process. An attacker with policy creation privileges can exhaust system memory and disrupt service availability with policies that exponentially...
CVE-2026-23881
CVE-2026-23881 affects Kyverno policy engine prior to versions 1.16.3 and 1.15.3, which exhibit unbounded memory consumption that can cause denial of service when policies with context variables are crafted by users with policy-creation privileges. The issue is resolved in 1.16.3 and 1.15.3 by a ...