Lucene search

20 matches found

RedhatCVE
added 2026/06/05 7:21 p.m. | 7 views

CVE-2026-3514

In version 3.6.19 of prefecthq/prefect, an authentication bypass vulnerability exists due to the improper handling of URL path exemptions for health check probes. Specifically, the authentication middleware exempts any URL path ending with 'health' or 'ready' from authentication checks. This allo...

CVSS 7.5 | AI score 7.2 | EPSS 0.00122
Exploits: 1 | References: 1
NVD
added 2026/06/02 9:16 a.m. | 10 views

CVE-2026-3514

In version 3.6.19 of prefecthq/prefect, an authentication bypass vulnerability exists due to the improper handling of URL path exemptions for health check probes. Specifically, the authentication middleware exempts any URL path ending with 'health' or 'ready' from authentication checks. This allo...

CVSS 7.5 | EPSS 0.00122
Exploits: 1 | References: 2
OSV
added 2026/04/06 5:49 p.m. | 2 views

GO-2026-4924 Juju has a resource poisoning vulnerability in github.com/juju/juju

Juju has a resource poisoning vulnerability in github.com/juju/juju. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from vulnerability scanners, please suggest ...

CVSS 7.1 | AI score 5.9 | EPSS 0.00014
Exploits: 0 | References: 2
UbuntuCve
added 2026/04/03 4:16 p.m. | 1 view

CVE-2025-68153

Juju is an open source application orchestration engine that enables any application operation on any infrastructure at any scale through special operators called ‘charms’. From versions 2.9 to before 2.9.56 and 3.6 to before 3.6.19, any authenticated user, machine or controller under a Juju...

CVSS 7.1 | AI score 5.8 | EPSS 0.00014
Exploits: 0 | References: 3
Cvelist
added 2026/04/03 3:28 p.m. | 16 views

CVE-2025-68153 Juju: Resource poisoning

Juju is an open source application orchestration engine that enables any application operation on any infrastructure at any scale through special operators called ‘charms’. From versions 2.9 to before 2.9.56 and 3.6 to before 3.6.19, any authenticated user, machine or controller under a Juju...

CVSS 7.1 | EPSS 0.00014
Exploits: 0 | References: 2
OSV
added 2026/03/23 6:14 p.m. | 3 views

GO-2026-4769 Juju affected by timing ownership claim attack on new external back-end secrets in github.com/juju/juju

Juju affected by timing ownership claim attack on new external back-end secrets in github.com/juju/juju. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from...

CVSS 5.3 | AI score 5.8 | EPSS 0.00016
Exploits: 0 | References: 2
Snyk
added 2026/03/19 5:43 p.m. | 1 view

Access Control Bypass

Overview: Affected versions of this package are vulnerable to Access Control Bypass due to improper authorization in the secret-set process. An attacker can gain unauthorized access to and modify Kubernetes secrets by exploiting insufficient access controls, allowing them to read or alter secret...

CVSS 8.8 | AI score 5.9 | EPSS 0.00081
Exploits: 1 | References: 2
Github Security Blog
added 2026/03/19 5:32 p.m. | 6 views

Juju has unauthorized update of out-of-scope Vault secrets

An authorization bypass vulnerability in the Vault secrets back-end implementation of Juju versions 3.1.6 through 3.6.18 allows an authenticated unit agent to perform unauthorized updates to secret revisions. With sufficient information, an attacker can poison any existing secret revision within...

CVSS 7.6 | AI score 5.8 | EPSS 0.0004
Exploits: 0 | References: 4 | Affected Software: 1
OSV
added 2026/03/19 5:32 p.m. | 5 views

GHSA-89X7-5M5M-MCMM Juju has unauthorized update of out-of-scope Vault secrets

An authorization bypass vulnerability in the Vault secrets back-end implementation of Juju versions 3.1.6 through 3.6.18 allows an authenticated unit agent to perform unauthorized updates to secret revisions. With sufficient information, an attacker can poison any existing secret revision within...

CVSS 7.6 | AI score 5.8 | EPSS 0.0004
Exploits: 0 | References: 4
Snyk
added 2026/03/19 12:42 p.m. | 2 views

Incorrect Ownership Assignment

Overview: Affected versions of this package are vulnerable to Incorrect Ownership Assignment in the secrets management process. An attacker can gain unauthorized access to sensitive information by exploiting a race condition between the generation of a secret ID and the creation of the secret's...

CVSS 6 | AI score 5.9 | EPSS 0.00016
Exploits: 0 | References: 2
OSV
added 2026/03/19 12:42 p.m. | 2 views

GHSA-GFGR-6HRJ-85WW Juju affected by timing ownership claim attack on new external back-end secrets

A race condition in the secrets management subsystem of Juju versions 3.0.0 through 3.6.18 allows an authenticated unit agent to claim ownership of a newly initialized secret. Between generating a Juju Secret ID and creating the secret's first revision, an attacker authenticated as another unit...

CVSS 5.3 | AI score 5.8 | EPSS 0.00016
Exploits: 0 | References: 3
Positive Technologies
added 2026/03/18 12:00 a.m. | 4 views

PT-2026-26056

An authorization bypass vulnerability in the Vault secrets back-end implementation of Juju versions 3.1.6 through 3.6.18 allows an authenticated unit agent to perform unauthorized updates to secret revisions. With sufficient information, an attacker can poison any existing secret revision within...

CVSS 7.6 | AI score 5.8 | EPSS 0.0004
Exploits: 0 | References: 7
NVD
added 2025/04/04 4:15 p.m. | 4 views

CVE-2025-32249

Cross-Site Request Forgery (CSRF) vulnerability in Designinvento DirectoryPress directorypress allows Cross Site Request Forgery. This issue affects DirectoryPress: from n/a through <= 3.6.22...

CVSS 5.4 | EPSS 0.00177
Exploits: 0 | References: 1
CVE
added 2025/04/04 3:59 p.m. | 48 views

CVE-2025-32249

CVE-2025-32249 is a Cross-Site Request Forgery (CSRF) vulnerability in the WordPress DirectoryPress plugin, affecting versions up to 3.6.19 (per multiple sources). The CVE entry notes a CSRF issue; the NVD entry lists a CVSS v3.1 base score of 5.4 (Medium) with network attack vector, low integrit...

CVSS 5.4 | AI score 5.9 | EPSS 0.00177
Exploits: 0 | References: 1
CNNVD
added 2025/04/04 12:00 a.m. | 1 view

WordPress plugin DirectoryPress cross-site request forgery vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A cross-site reques...

CVSS 5.4 | AI score 5.7 | EPSS 0.00177
Exploits: 0 | References: 2
OSV
added 2025/01/07 11:15 a.m. | 3 views

CVE-2024-49633

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Designinvento DirectoryPress allows Reflected XSS. This issue affects DirectoryPress: from n/a through 3.6.19...

CVSS 6.1 | AI score 7.3 | EPSS 0.00167
Exploits: 0 | References: 1
CVE
added 2025/01/07 10:49 a.m. | 54 views

CVE-2024-49633

CVE-2024-49633 affects the WordPress plugin DirectoryPress (vulnerable: ≤ 3.6.19) with a Reflected XSS caused by improper neutralization of input during web page generation. Wordfence reports this vulnerability in the DirectoryPress entry and notes it has been patched in 3.6.19; no exploit detai...

CVSS 7.1 | AI score 7.2 | EPSS 0.00167
Exploits: 0 | References: 1 | Affected Software: 1
CNNVD
added 2025/01/07 12:00 a.m. | 3 views

WordPress plugin DirectoryPress cross-site scripting vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A cross-site...

CVSS 7.1 | AI score 7.7 | EPSS 0.00167
Exploits: 0 | References: 1
Patchstack
added 2025/01/06 11:53 a.m. | 3 views

WordPress DirectoryPress plugin <= 3.6.19 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting (XSS) vulnerability discovered by Dimas Maulana (Patchstack Alliance) in WordPress Plugin DirectoryPress versions <= 3.6.19...

CVSS 7.1 | AI score 6.1 | EPSS 0.00167
Exploits: 0 | Affected Software: 1
OpenVAS
added 2020/12/02 12:00 a.m. | 17 views

MongoDB 3.6 < 3.6.19, 4.0 < 4.0.20, 4.2 < 4.2.9 DoS Vulnerability - Linux

MongoDB is prone to a denial of service (DoS) vulnerability. SPDX-FileCopyrightText: 2020 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:mongodb:mongodb"; if...

CVSS 7.5 | AI score 7.3 | EPSS 0.01665
Exploits: 0 | References: 1