EnGenius EnShare IoT Gigabit Cloud Service 1.4.11 Root Remote Code Execution
An OS command injection vulnerability exists in EnGenius EnShare Cloud Service version 1.4.11 and earlier. The usbinteract.cgi script fails to properly sanitize user input passed to the path parameter, allowing unauthenticated remote attackers to inject arbitrary shell commands. The injected comman...
Ivanti Cloud Services Appliance - Path Traversal
Path Traversal in the Ivanti CSA before 4.6 Patch 519 allows a remote unauthenticated attacker to access restricted functionality. id: CVE-2024-8963 info: name: Ivanti Cloud Services Appliance - Path Traversal author: johnk3r severity: critical description: | Path Traversal in the Ivanti CSA befo...
Spring Cloud Gateway Server Webflux - Broken Access Control
Spring Cloud Gateway Server Webflux contains a vulnerability caused by unsecured and exposed actuator endpoints that allow modification of Spring Environment properties, letting attackers change the application's configuration; exploitation requires the actuator endpoints to be exposed without protection. id: CVE-2025-41243 info: name:...
Dragonfly2 < 2.1.0-beta.1 - Hardcoded JWT Secret
Dragonfly is an open source P2P-based file distribution and image acceleration system. It is hosted by the Cloud Native Computing Foundation (CNCF) as an Incubating Level Project. Dragonfly uses JWT to verify users. However, the secret key for JWT, "Secret Key", is hard coded, which leads to...
Spring Cloud Netflix Hystrix Dashboard <2.2.10 - Remote Code Execution
Spring Cloud Netflix Hystrix Dashboard prior to version 2.2.10 is susceptible to remote code execution. Applications using both spring-cloud-netflix-hystrix-dashboard and spring-boot-starter-thymeleaf expose a way to execute code submitted within the request URI path during the resolution of view...
Pascom CPS Server-Side Request Forgery
Pascom versions before 7.20 packaged with Cloud Phone System contain a known server-side request forgery vulnerability. id: CVE-2021-45967 info: name: Pascom CPS Server-Side Request Forgery author: dwisiswant0 severity: critical description: Pascom versions before 7.20 packaged with Cloud Phone...
n8n >= 0.123.0 and < 1.121.3 - Remote Code Execution
n8n versions >= 0.123.0 and < 1.121.3 contain a critical authenticated remote code execution vulnerability via arbitrary file write. An authenticated user can exploit the Git node to overwrite critical files and execute untrusted code on the n8n server, potentially leadin...
VMWare Cloud Foundation NSX-V - XML External Entity (XXE)
VMware Cloud Foundation NSX-V contains an XML External Entity (XXE) vulnerability. On VCF 3.x instances with NSX-V deployed, this may allow a user to exploit this issue leading to a denial-of-service condition or unintended information disclosure. id: CVE-2022-31678 info: name: VMWare Cloud...
Spring Cloud Config Server - Path Traversal
Spring Cloud 3.1.x < 3.1.13, 4.1.x < 4.1.9, 4.2.x < 4.2.3, 4.3.x < 4.3.2, and 5.0.x < 5.0.2 contain a path traversal caused by profile parameter substitution in Config Server when using the native file system backend, letting attackers access files outside the configured directories; exploitation requires a crafted request. i...
MagicMirror <= 2.35.0 - Server-Side Request Forgery
An unauthenticated Server-Side Request Forgery (SSRF) vulnerability in the /cors endpoint allows any remote attacker to force the MagicMirror² server to perform arbitrary HTTP requests to internal networks, cloud metadata services, and localhost services. The endpoint also expands environment...
GHSA-Q4H4-GMJ2-QVW2 vulnerabilities
Vulnerabilities for packages: trivy-operator-fips, crossplane-provider-aws-dynamodb-fips, crossplane-provider-aws-wafv2-fips, crossplane-provider-aws-autoscaling-fips, databricks-cli-fips, fscrypt, crossplane-provider-azure-relay, crossplane-provider-aws-organizations,...
GHSA-45GG-VH54-H5M9 vulnerabilities
Vulnerabilities for packages: trivy-operator-fips, argocd-image-updater, fscrypt, frankenphp-8.4, knative-serving, opentofu, tekton-pipelines, flux-source-controller-fips, zarf-fips, nerdctl, docker-machine-driver-harvester, trivy, calico-fips, terraform, knative-kafka-broker-fips, trivy-operator...
GHSA-X527-X647-Q7GG vulnerabilities
Vulnerabilities for packages: cilium, fscrypt, cert-manager, containerd, external-dns, kubernetes, istio, mattermost, trivy, telegraf, prometheus, zarf, vitess, gitlab-kas, prometheus-operator, rancher-agent, zot, flux, helm, argocd-image-updater, kyverno, minio, osv-scanner, kubescape, loki,...
GHSA-W879-237Q-WC7R vulnerabilities
Vulnerabilities for packages: cilium, buildah, tkn, terragrunt, melange, prometheus, act, zarf, eksctl, gitlab-kas, steampipe, zot, pulumi-kubernetes-operator, pulumi, kyverno, osv-scanner, ksops, witness, gh, k9s, kaf, opentelemetry-collector, nuclei, kubernetes-dashboard, scorecard, dagger,...
GHSA-JPPX-RXG9-JMRX vulnerabilities
Vulnerabilities for packages: cilium, fscrypt, cert-manager, containerd, external-dns, buildah, kubernetes, istio, mattermost, podman, telegraf, prometheus, vitess, docker-cli-buildx, gitlab-kas, prometheus-operator, rancher-agent, zot, flux, helm, kyverno, minio, loki, cilium-cli, teleport, kaf,...
GHSA-F5WC-C3C7-36MC vulnerabilities
Vulnerabilities for packages: cilium, buildah, terragrunt, melange, prometheus, act, zarf, gitlab-kas, zot, pulumi-kubernetes-operator, pulumi, kyverno, osv-scanner, witness, k9s, kaf, opentelemetry-collector, nuclei, kubernetes-dashboard, scorecard, dagger, openbao, fscrypt, gptscript,...
GHSA-89GR-R52H-F8RX vulnerabilities
Vulnerabilities for packages: cilium, buildah, tkn, terragrunt, melange, prometheus, act, zarf, eksctl, gitlab-kas, steampipe, zot, pulumi-kubernetes-operator, pulumi, kyverno, osv-scanner, ksops, witness, gh, k9s, kaf, opentelemetry-collector, nuclei, kubernetes-dashboard, scorecard, dagger,...
EUVD-2026-37512
pydantic-ai: SSRF blocklist bypass via IPv4-compatible, SIIT/IVI, and local NAT64 IPv6 addresses incomplete fix of CVE-2026-46678...
Ingress-Nginx Controller - Remote Code Execution
A security issue was discovered in Kubernetes where under certain conditions, an unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller. This can lead to disclosure of Secrets accessible to the controller. Note...
EUVD-2026-39805
In Canonical LXD versions 4.12 through 6.9, a Server-Side Request Forgery (SSRF) vulnerability in the image import functionality allows authenticated users with the can_create_images entitlement to interact with internal network infrastructure via the /images endpoint. When importing an image from a...