11798 matches found
CVE-2026-41684
Summary of CVE-2026-41684 (Incus): An authenticated user who can import instance backups may crash the Incus daemon during restore when a crafted backup archive includes a valid inline backup/index.yaml but a malformed legacy backup.yaml that omits the container section. The vulnerability arises ...
CVE-2026-41684
Incus is a system container and virtual machine manager. Prior to version 7.0.0, backup.GetInfo trusts the inline backup/index.yaml config when present and only falls back to parsing the legacy backup/container/backup.yaml file if result.Config == nil. As a result, an archive can carry a valid...
org.apereo.cas:cas-server-support-configuration-cloud-amqp (>=8.0.0-RC1 <=8.0.0-RC4), org.apereo.cas:cas-server-webapp-init-config-server (>=8.0.0-RC1 <=8.0.0-RC4) +2 more potentially affected by CVE-2026-41002 via org.springframework.cloud:spring-cloud-config-server (>=5.0.0 <=5.0.2)
org.springframework.cloud:spring-cloud-config-server MAVEN version =5.0.0, =8.0.0-RC1, =8.0.0-RC1, =5.0.0, =5.0.0, =5.0.1 Source cves: CVE-2026-41002 Source advisory: OSV:GHSA-86WQ-234Q-R6WG...
com.alibaba.cloud:spring-cloud-starter-alibaba-nacos-config-server (=2021.0.1.0), com.bpfaas:bps-config-server-novault-spring-cloud-starter (=3.2.2) +9 more potentially affected by CVE-2026-40982 via org.springframework.cloud:spring-cloud-config-server (>=3.1.0 <=3.1.10)
org.springframework.cloud:spring-cloud-config-server MAVEN version =3.1.0, =2.1.4, =0.1, =6.5.0, =6.5.0, =2.0.1, =3.1.0, =2.1.0, =2.1.1 Source cves: CVE-2026-40982 Source advisory: OSV:GHSA-6G23-24MC-HX6X...
io.github.ilyaslabs.foodstack:configserver (=0.0.1), io.github.ilyaslabs:spring-boot-microservice-config-server (=1.0.0) +7 more potentially affected by CVE-2026-41004 via org.springframework.cloud:spring-cloud-config-server (>=4.3.0 <=4.3.2)
org.springframework.cloud:spring-cloud-config-server MAVEN version =4.3.0, =1.0.1, =7.3.0, =7.3.0, =26.01.01, =2.3.0, =4.3.0, =3.3.0, =3.3.2 Source cves: CVE-2026-41004 Source advisory: OSV:GHSA-J6HH-H3CF-C2HF...
Spring Cloud Config Server Susceptible To TOCTOU Attack
The base directory spring.cloud.config.server.git.basedir used by the Spring Cloud Config Server to clone Git repositories to is susceptible to time-of-check-time-of-use TOCTOU attacks. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 inclusive; upgrade to 3.1.14 or greater Enterpris...
io.mosip.kernel:kernel-config-server (>=1.2.1-rc1 <=1.3.1-rc.1), org.apereo.cas:cas-server-support-configuration-cloud-amqp (>=7.0.0 <=7.1.6.2) +5 more potentially affected by CVE-2026-41004 via org.springframework.cloud:spring-cloud-config-server (>=4.1.0 <=4.1.7)
org.springframework.cloud:spring-cloud-config-server MAVEN version =4.1.0, =1.2.1-rc1, =7.0.0, =7.0.0, =4.1.0, =3.1.0, =3.1.6 Source cves: CVE-2026-41004 Source advisory: OSV:GHSA-J6HH-H3CF-C2HF...
com.brihaspathee.artemis:config-server (>=0.0.1 <=1.0.2), com.brihaspathee.sapphire:config-server (>=1.0.0 <=1.0.7) +6 more potentially affected by CVE-2026-40982 via org.springframework.cloud:spring-cloud-config-server (>=4.2.0 <=4.2.4)
org.springframework.cloud:spring-cloud-config-server MAVEN version =4.2.0, =0.0.1, =1.0.0, =3.0.9, =0.1.41-Beta, =7.2.0, =7.2.0, =4.2.0, =3.2.0, =3.2.3 Source cves: CVE-2026-40982 Source advisory: OSV:GHSA-6G23-24MC-HX6X...
io.mosip.kernel:kernel-config-server (>=1.2.1-rc1 <=1.3.1-rc.1), org.apereo.cas:cas-server-support-configuration-cloud-amqp (>=7.0.0 <=7.1.6.2) +5 more potentially affected by CVE-2026-41002 via org.springframework.cloud:spring-cloud-config-server (>=4.1.0 <=4.1.7)
org.springframework.cloud:spring-cloud-config-server MAVEN version =4.1.0, =1.2.1-rc1, =7.0.0, =7.0.0, =4.1.0, =3.1.0, =3.1.6 Source cves: CVE-2026-41002 Source advisory: OSV:GHSA-86WQ-234Q-R6WG...
Spring Cloud Config vulnerable to Path Traversal
Spring Cloud Config allows applications to serve arbitrary text and binary files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack. Spring Cloud Config 3.1.x: affected from...
Spring Cloud Config Server Logged Sensitive Information
When enabling trace logging in Spring Cloud Config Server sensitive information was placed in plain text in the logs. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 inclusive; upgrade to 3.1.14 or greater Enterprise Support Only. Spring Cloud Config 4.1.x: affected from 4.1.0 throu...
GHSA-2MH5-3CW6-HRRQ Spring Cloud Config has an Authorization Bypass Through User-Controlled Key
When using Google Secrets Manager as a backend for the Spring Cloud Config server a client can craft a request to the config server potentially exposing secrets from unintended GCP projects. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 inclusive; upgrade to 3.1.14 or greater...
com.alibaba.cloud:spring-cloud-starter-alibaba-nacos-config-server (=2021.0.1.0), com.bpfaas:bps-config-server-novault-spring-cloud-starter (=3.2.2) +9 more potentially affected by CVE-2026-41004 via org.springframework.cloud:spring-cloud-config-server (>=3.1.0 <=3.1.10)
org.springframework.cloud:spring-cloud-config-server MAVEN version =3.1.0, =2.1.4, =0.1, =6.5.0, =6.5.0, =2.0.1, =3.1.0, =2.1.0, =2.1.1 Source cves: CVE-2026-41004 Source advisory: OSV:GHSA-J6HH-H3CF-C2HF...
io.github.ilyaslabs.foodstack:configserver (=0.0.1), io.github.ilyaslabs:spring-boot-microservice-config-server (=1.0.0) +7 more potentially affected by CVE-2026-41002 via org.springframework.cloud:spring-cloud-config-server (>=4.3.0 <=4.3.2)
org.springframework.cloud:spring-cloud-config-server MAVEN version =4.3.0, =1.0.1, =7.3.0, =7.3.0, =26.01.01, =2.3.0, =4.3.0, =3.3.0, =3.3.2 Source cves: CVE-2026-41002 Source advisory: OSV:GHSA-86WQ-234Q-R6WG...
GHSA-6G23-24MC-HX6X Spring Cloud Config vulnerable to Path Traversal
Spring Cloud Config allows applications to serve arbitrary text and binary files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack. Spring Cloud Config 3.1.x: affected from...
com.brihaspathee.artemis:config-server (>=0.0.1 <=1.0.2), com.brihaspathee.sapphire:config-server (>=1.0.0 <=1.0.7) +6 more potentially affected by CVE-2026-41004 via org.springframework.cloud:spring-cloud-config-server (>=4.2.0 <=4.2.4)
org.springframework.cloud:spring-cloud-config-server MAVEN version =4.2.0, =0.0.1, =1.0.0, =3.0.9, =0.1.41-Beta, =7.2.0, =7.2.0, =4.2.0, =3.2.0, =3.2.3 Source cves: CVE-2026-41004 Source advisory: OSV:GHSA-J6HH-H3CF-C2HF...
com.brihaspathee.artemis:config-server (>=0.0.1 <=1.0.2), com.brihaspathee.sapphire:config-server (>=1.0.0 <=1.0.7) +6 more potentially affected by CVE-2026-41002 via org.springframework.cloud:spring-cloud-config-server (>=4.2.0 <=4.2.4)
org.springframework.cloud:spring-cloud-config-server MAVEN version =4.2.0, =0.0.1, =1.0.0, =3.0.9, =0.1.41-Beta, =7.2.0, =7.2.0, =4.2.0, =3.2.0, =3.2.3 Source cves: CVE-2026-41002 Source advisory: OSV:GHSA-86WQ-234Q-R6WG...
io.mosip.kernel:kernel-config-server (>=1.2.1-rc1 <=1.3.1-rc.1), org.apereo.cas:cas-server-support-configuration-cloud-amqp (>=7.0.0 <=7.1.6.2) +5 more potentially affected by CVE-2026-40982 via org.springframework.cloud:spring-cloud-config-server (>=4.1.0 <=4.1.7)
org.springframework.cloud:spring-cloud-config-server MAVEN version =4.1.0, =1.2.1-rc1, =7.0.0, =7.0.0, =4.1.0, =3.1.0, =3.1.6 Source cves: CVE-2026-40982 Source advisory: OSV:GHSA-6G23-24MC-HX6X...
Spring Cloud Config has an Authorization Bypass Through User-Controlled Key
When using Google Secrets Manager as a backend for the Spring Cloud Config server a client can craft a request to the config server potentially exposing secrets from unintended GCP projects. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 inclusive; upgrade to 3.1.14 or greater...
GHSA-J6HH-H3CF-C2HF Spring Cloud Config Server Logged Sensitive Information
When enabling trace logging in Spring Cloud Config Server sensitive information was placed in plain text in the logs. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 inclusive; upgrade to 3.1.14 or greater Enterprise Support Only. Spring Cloud Config 4.1.x: affected from 4.1.0 throu...