GHSA-R2PG-R6H7-CRF3 External Secrets Operator has DNS-based secret exfiltration via getHostByName in External Secrets v2 template engine
Summary The v2 template engine in runtime/template/v2/template.go imports Sprig’s TxtFuncMap and removes env and expandenv, but leaves getHostByName available to user-controlled templates. Because ESO executes templates inside the controller process, an attacker who can create or update templated...
EUVD-2026-21953 / CVE-2026-31426 ACPI: EC: clean up handlers on probe failure in acpi_ec_setup()
In the Linux kernel, the following vulnerability has been resolved: ACPI: EC: clean up handlers on probe failure in acpi_ec_setup() When ec_install_handlers() returns -EPROBE_DEFER on reduced-hardware platforms, it has already started the EC and installed the address space handler with the struct acpi_ec...
Summary: CVE-2026-31426 concerns the Linux kernel ACPI EC handling. When ec_install_handlers() defers probing on reduced-hardware platforms, the error path could leave a dangling EC space handler context if acpi_ec_setup() propagates the error, leading to use-after-free when AML accesses an OpReg...
PT-2026-32511
Name of the Vulnerable Software and Affected Versions Craft Commerce versions prior to 4.11.0 Craft Commerce versions prior to 5.6.0 Description The actionPay function in the 'PaymentsController' discloses order data to unauthenticated users. This occurs when an order number is provided and the...
EUVD-2026-21684 / CVE-2026-6105 perfree go-fastdfs-web doInstall InstallController.java improper authorization
A security vulnerability has been detected in perfree go-fastdfs-web up to 1.3.7. This affects an unknown part of the file src/main/java/com/perfree/controller/InstallController.java of the component doInstall Interface. The manipulation leads to improper authorization. The attack may be initiate...
GHSA-HR2V-4R36-88HR / CVE-2026-35206 vulnerabilities
Vulnerabilities for packages: helm-mapkubeapis, k8ssandra-client, zarf, headlamp, k9s, kots, eksctl, cluster-api-helm-controller, helm-set-status, linkerd2, consul-k8s, flux, helm-operator, kube-arangodb, flux-source-controller, teleport, chartmuseum, trivy, nova, trivy-operator, chart-testing,...
GHSA-FV83-X2XW-2J55 vulnerabilities
Vulnerabilities for packages: stakater-reloader, flux-helm-controller, flux-notification-controller, grafana-operator, aws-load-balancer-controller, fluxcd-kustomize-mutating-webhook, newrelic-k8s-metadata-injection, omnibump, dataplaneapi, sftpgo-plugin-eventsearch, mountpoint-s3-csi-driver,...
CVE-2026-32281 / CVE-2026-32283 / GHSA-JRG3-GFJW-HM96 vulnerabilities
Vulnerabilities for packages: opentofu, sftpgo-plugin-eventstore, act, gitsign, croc, nerdctl, crossplane-provider-azure-sql, polaris, envconsul, coredns, docker-cli-buildx, git-sync, terraform-provider-aws, net-kourier, http-echo, ingress-nginx-controller, keda, wave, clickhouse-operator,...
GHSA-7MR4-XJXG-34G6 vulnerabilities
Vulnerabilities for packages: kubernetes-event-exporter, opentofu, gcsfuse, sftpgo-plugin-eventstore, dask-gateway, kubernetes-dashboard-api, rclone, terraform-docs, kubescape-operator, terraform-provider-azapi, kube-state-metrics, gitsign, prometheus-pushgateway, seaweedfs, cue, tofu-controller,...