337 matches found
DEBIAN-CVE-2026-44903
Prometheus is an open-source monitoring system and time series database. From 2.49.0 to before 3.5.3 and 3.11.3, in the Prometheus server's legacy web UI enabled via the command-line flag --enable-feature=old-ui, the histogram heatmap chart view does not escape le label values when inserting them...
CVE-2026-44903
Prometheus is an open-source monitoring system and time series database. From 2.49.0 to before 3.5.3 and 3.11.3, in the Prometheus server's legacy web UI enabled via the command-line flag --enable-feature=old-ui, the histogram heatmap chart view does not escape le label values when inserting them...
UBUNTU-CVE-2026-44903
Prometheus is an open-source monitoring system and time series database. From 2.49.0 to before 3.5.3 and 3.11.3, in the Prometheus server's legacy web UI enabled via the command-line flag --enable-feature=old-ui, the histogram heatmap chart view does not escape le label values when inserting them...
CVE-2026-44903
Prometheus is an open-source monitoring system and time series database. From 2.49.0 to before 3.5.3 and 3.11.3, in the Prometheus server's legacy web UI enabled via the command-line flag --enable-feature=old-ui, the histogram heatmap chart view does not escape le label values when inserting them...
CVE-2026-44903
CVE-2026-44903 affects Prometheus servers with the legacy web UI enabled. From 2.49.0 up to before 3.5.3 and 3.11.3, histogram heatmap axis tick labels aren’t escaped when inserting metric label values into HTML, allowing an attacker who can inject crafted metrics to run JavaScript in the browser...
CVE-2026-44903 Prometheus: Stored XSS via crafted histogram bucket label values in the heatmap display of the old Prometheus web UI
Prometheus is an open-source monitoring system and time series database. From 2.49.0 to before 3.5.3 and 3.11.3, in the Prometheus server's legacy web UI enabled via the command-line flag --enable-feature=old-ui, the histogram heatmap chart view does not escape le label values when inserting them...
CLEANSTART-2026-OR40192 Security fixes for CVE-2026-24051, CVE-2026-32280, CVE-2026-32281, CVE-2026-32282, CVE-2026-32283, CVE-2026-32289, CVE-2026-33186, CVE-2026-33811, CVE-2026-33814, CVE-2026-39820, CVE-2026-39823, CVE-2026-39825, CVE-2026-39826, CVE-2026-39836, CVE-2026-39882, CVE-2026-39883, CVE-2026-42499 applied in versions: 3.5.1-r0, 3.5.1-r1, 3.5.3-r0
Multiple security vulnerabilities affect the prometheus package. These issues are resolved in later releases. See references for individual vulnerability details...
CVE-2026-34600
CVE-2026-34600 affects Joplin (note-taking app). Versions
CVE-2026-34600 Joplin Server delta API returns note content after share access is revoked
Joplin is an open source note-taking and to-do application that organises notes and lists into notebooks. Versions 3.5.2 and prior contain a logic error in the delta API that allows share recipients to download notes that are no longer shared with them, related to but not fully fixed by the prior...
CVE-2026-34600
Joplin is an open source note-taking and to-do application that organises notes and lists into notebooks. Versions 3.5.2 and prior contain a logic error in the delta API that allows share recipients to download notes that are no longer shared with them, related to but not fully fixed by the prior...
CVE-2026-34600 Joplin Server delta API returns note content after share access is revoked
Joplin is an open source note-taking and to-do application that organises notes and lists into notebooks. Versions 3.5.2 and prior contain a logic error in the delta API that allows share recipients to download notes that are no longer shared with them, related to but not fully fixed by the prior...
GHSA-27F5-XJRR-Q9FF Malware in @opensearch-project/opensearch
Overview The OpenSearch Project has sustained a security incident involving an external actor gaining force-push permissions within the project's CI infrastructure to embed malicious packages into four release versions of @opensearch-project/opensearch. Users are instructed to immediately take...
PT-2026-42023
Joplin is an open source note-taking and to-do application that organises notes and lists into notebooks. Versions 3.5.2 and prior contain a logic error in the delta API that allows share recipients to download notes that are no longer shared with them, related to but not fully fixed by the prior...
SUSE CVE-2026-42151
Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the clientsecret field in the Azure AD remote write OAuth configuration storage/remote/azuread was typed as string instead of Secret. Prometheus redacts fields of type Secret when serving...
PT-2026-38079
Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the remote read endpoint /api/v1/read does not validate the declared decoded length in a snappy-compressed request body before allocating memory. An unauthenticated attacker can send a sma...
GHSA-8RM2-7QQF-34QM Prometheus: Remote read endpoint allows denial of service via crafted snappy payload
Impact The remote read endpoint /api/v1/read does not validate the declared decoded length in a snappy-compressed request body before allocating memory. An unauthenticated attacker can send a small payload that causes a huge heap allocation per request. Under concurrent load this can exhaust...
EUVD-2026-27089
Prometheus Azure AD remote write OAuth client secret exposed via config API...
CVE-2026-2948
The vulnerability CVE-2026-2948 affects the Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem plugin for WordPress (versions ≤ 3.5.3). It permits Server-Side Request Forgery via the import_images() function, exploitable by authenticated users with contributor-level access or higher. T...
CVE-2026-2868
The Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'separatorIconSVG' parameter in versions up to, and including, 3.5.3 due to insufficient input sanitization and output escaping. This makes it possible for...
CVE-2026-2868 Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem <= 3.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'separatorIconSVG'
The Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'separatorIconSVG' parameter in versions up to, and including, 3.5.3 due to insufficient input sanitization and output escaping. This makes it possible for...