ATTACKERKB
added 2026/04/09 9:06 p.m., 1 view

CVE-2026-40109

Flux notification-controller is the event forwarder and notification dispatcher for the GitOps Toolkit controllers. Prior to 1.8.3, the gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any...

CVSS 3.1 | AI score 5.9 | EPSS 0.00127
Exploits 0 | References 4 | Affected Software 1
CVE
added 2026/04/09 9:06 p.m., 4 views

CVE-2026-40109

CVE-2026-40109 affects Flux notification-controller (GitOps Toolkit) prior to version 1.8.3. The vulnerability lies in the gcr Receiver type not validating the email claim of Google OIDC tokens used for Pub/Sub push authentication, allowing any valid Google-issued token to authenticate against th...

CVSS 3.1 | AI score 5.9 | EPSS 0.00127
Exploits 0 | References 3
NVD
added 2026/04/09 5:16 p.m., 1 view

CVE-2026-39957

Lychee is a free, open-source photo-management tool. Prior to 7.5.4, a SQL operator-precedence bug in SharingController::listAll causes the orWhereNotNull'usergroupid' clause to escape the ownership filter applied by the when block. Any authenticated non-admin user with upload permission who owns...

CVSS 4.3 | EPSS 0.00208
Exploits 1 | References 3
Cvelist
added 2026/04/09 4:14 p.m., 18 views

CVE-2026-39957 Lychee has Broken Access Control in SharingController::listAll(): leaks private album sharing metadata to unauthorized users

Lychee is a free, open-source photo-management tool. Prior to 7.5.4, a SQL operator-precedence bug in SharingController::listAll causes the orWhereNotNull'usergroupid' clause to escape the ownership filter applied by the when block. Any authenticated non-admin user with upload permission who owns...

CVSS 2.3 | EPSS 0.00208
Exploits 1 | References 3
EUVD
added 2026/04/09 4:14 p.m., 1 view

EUVD-2026-20954

Lychee is a free, open-source photo-management tool. Prior to 7.5.4, a SQL operator-precedence bug in SharingController::listAll causes the orWhereNotNull'usergroupid' clause to escape the ownership filter applied by the when block. Any authenticated non-admin user with upload permission who owns...

CVSS 2.3 | AI score 6 | EPSS 0.00208
Exploits 1 | References 3
Wolfi
added 2026/04/09 1:48 p.m., 9 views

GHSA-HFVC-G4FC-PQHX vulnerabilities

Vulnerabilities for packages: opentofu, gcsfuse, kubescape-operator, kyverno-policy-reporter, kube-state-metrics, seaweedfs, grype, gomplate, sftpgo, node-feature-discovery, verticadb-operator, crossplane-provider-gcp, descheduler, kubernetes-csi-external-health-monitor, grafana-image-renderer,...

AI score 5.8
Exploits 0
Wolfi
added 2026/04/09 1:48 p.m., 9 views

CVE-2026-39883 vulnerabilities

Vulnerabilities for packages: opentofu, gcsfuse, kubescape-operator, kyverno-policy-reporter, kube-state-metrics, seaweedfs, grype, gomplate, sftpgo, node-feature-discovery, verticadb-operator, crossplane-provider-gcp, descheduler, kubernetes-csi-external-health-monitor, grafana-image-renderer,...

CVSS 7.3 | AI score 7.1 | EPSS 0.00196
Exploits 1
Chainguard
added 2026/04/09 1:18 p.m., 8 views

CVE-2026-39883 vulnerabilities

Vulnerabilities for packages: crossplane-provider-azure-notificationhubs, trivy, knative-net-istio-fips, datadog-agent, restic-fips, caddy, commercial-chainloop-backend, crossplane-provider-azure-managedidentity, fulcio, opa, elastic-agent, google-osconfig-agent, kube-state-metrics,...

CVSS 7.3 | AI score 7.1 | EPSS 0.00196
Exploits 1
Chainguard
added 2026/04/09 1:18 p.m., 5 views

GHSA-HFVC-G4FC-PQHX vulnerabilities

Vulnerabilities for packages: crossplane-provider-azure-notificationhubs, trivy, knative-net-istio-fips, datadog-agent, restic-fips, caddy, commercial-chainloop-backend, crossplane-provider-azure-managedidentity, fulcio, opa, elastic-agent, google-osconfig-agent, kube-state-metrics,...

AI score 5.8
Exploits 0
EUVD
added 2026/04/09 12:31 p.m., 3 views

EUVD-2024-17238

An authenticated remote attacker with high privileges can exploit the OpenVPN configuration via the web-based management interface of a WAGO PLC. If user-defined scripts are permitted, OpenVPN may allow the execution of arbitrary shell commands, enabling the attacker to run arbitrary commands on t...

CVSS 7.2 | AI score 6.2 | EPSS 0.00729
Exploits 0 | References 3
ATTACKERKB
added 2026/04/09 10:52 a.m., 5 views

CVE-2024-1490

An authenticated remote attacker with high privileges can exploit the OpenVPN configuration via the web-based management interface of a WAGO PLC. If user-defined scripts are permitted, OpenVPN may allow the execution of arbitrary shell commands, enabling the attacker to run arbitrary commands on t...

CVSS 7.2 | AI score 6.2 | EPSS 0.00729
Exploits 0 | References 3
CVE
added 2026/04/09 10:52 a.m., 14 views

CVE-2024-1490

CVE-2024-1490 affects WAGO PLCs via the web-based management interface (WBM) OpenVPN configuration. An authenticated remote attacker with high privileges can exploit the WBM to cause OpenVPN to execute arbitrary shell commands if user-defined scripts are allowed, enabling remote command execution...

CVSS 7.2 | AI score 6.2 | EPSS 0.00729
Exploits 0 | References 2
ICS
added 2026/04/09 6:00 a.m., 4 views

Contemporary Controls BASC 20T

RISK EVALUATION: Successful exploitation of this vulnerability could allow an attacker to enumerate the functionality of each component associated with the PLC, reconfigure, rename, delete, perform file transfers, and make remote procedure calls. 2. RECOMMENDED PRACTICES: CISA recommends users...

CVSS 9.8 | AI score 6 | EPSS 0.00443
Exploits 0 | References 13
Positive Technologies
added 2026/04/09 12:00 a.m., 2 views

PT-2026-31735

Name of the Vulnerable Software and Affected Versions: Flux notification-controller versions prior to 1.8.3. Description: Flux notification-controller is the event forwarder and notification dispatcher for the GitOps Toolkit controllers. The gcr Receiver type does not validate the email claim of...

CVSS 3.1 | AI score 5.8 | EPSS 0.00127
Exploits 0 | References 10
CNNVD
added 2026/04/09 12:00 a.m., 5 views

WAGO PLC code injection vulnerability

WAGO PLC is a programmable logic controller developed by the German company WAGO. WAGO PLC has a code injection vulnerability, which stems from improper OpenVPN configuration. This vulnerability may lead to the execution of arbitrary commands...

CVSS 7.2 | AI score 6.1 | EPSS 0.00729
Exploits 0 | References 2
CNNVD
added 2026/04/09 12:00 a.m., 4 views

notification-controller data forgery vulnerability

Notification-Controller is an open-source GitOps notification controller in the Flux project. Versions of Notification-Controller prior to 1.8.3 had a data manipulation vulnerability. This vulnerability stemmed from the lack of verification of the email claim for Google OIDC tokens, which could...

CVSS 3.1 | AI score 5.7 | EPSS 0.00127
Exploits 0 | References 4
Github Security Blog
added 2026/04/08 7:16 p.m., 7 views

CI4MS Vulnerable to .env CRLF Injection via Unvalidated `host` Parameter in Install Controller

Summary: The Install::index controller reads the host POST parameter without any validation and passes it directly into updateEnvSettings, which writes it into the .env file via preg_replace. Because newline characters in the value are not stripped, an attacker can inject arbitrary configuration...

CVSS 9.8 | AI score 6.1 | EPSS 0.00516
Exploits 1 | References 4 | Affected Software 1
OSV
added 2026/04/08 7:16 p.m., 2 views

GHSA-VFHX-5459-QHQH CI4MS Vulnerable to .env CRLF Injection via Unvalidated `host` Parameter in Install Controller

Summary: The Install::index controller reads the host POST parameter without any validation and passes it directly into updateEnvSettings, which writes it into the .env file via preg_replace. Because newline characters in the value are not stripped, an attacker can inject arbitrary configuration...

CVSS 8.1 | AI score 5.9 | EPSS 0.00516
Exploits 1 | References 4
Github Security Blog
added 2026/04/08 3:04 p.m., 6 views

kcp's cache server is accessible without authentication or authorization checks

Summary: The cache server is directly exposed by the root shard and has no authentication or authorization in place. This allows anyone who can access the root shard to read and write to the cache server. Details: The cache server is routed in the pre-mux chain in the shard code. The...

CVSS 9.1 | AI score 5.9 | EPSS 0.00436
Exploits 1 | References 5 | Affected Software 1
CVE
added 2026/04/08 2:32 p.m., 6 views

CVE-2026-39394

CI4MS is vulnerable to CRLF injection in .env via the unvalidated host parameter in Install::index(). Before 0.31.4.0, host is read without validation and appended to .env through updateEnvSettings() using preg_replace(), allowing newline characters to inject arbitrary key=value lines (e.g., app.baseURL...

CVSS 9.8 | AI score 6.1 | EPSS 0.00516
Exploits 1 | References 1 | Affected Software 1