41 matches found

NVD · added 2026/05/27 3:16 p.m. · 10 views

CVE-2026-48545

Gradio before version 6.15.0 contains a cookie injection vulnerability that allows remote attackers to perform cross-Space session fixation by exploiting a shared module-level HTTP client used across all users in the reverse proxy endpoint. Attackers controlling any HF Space can return a...

CVSS 7.6 · EPSS 0.00042 · Exploits 0 · References 5
EUVD · added 2026/05/27 2:59 p.m. · 7 views

EUVD-2026-32547

Gradio before version 6.15.0 contains a cookie injection vulnerability that allows remote attackers to perform cross-Space session fixation by exploiting a shared module-level HTTP client used across all users in the reverse proxy endpoint. Attackers controlling any HF Space can return a...

CVSS 7.6 · AI score 5.9 · EPSS 0.00042 · Exploits 0 · References 5
Cvelist · added 2026/05/27 2:59 p.m. · 32 views

CVE-2026-48545 Gradio < 6.15.0 Cookie Injection via Shared Proxy Client

Gradio before version 6.15.0 contains a cookie injection vulnerability that allows remote attackers to perform cross-Space session fixation by exploiting a shared module-level HTTP client used across all users in the reverse proxy endpoint. Attackers controlling any HF Space can return a...

CVSS 7.6 · EPSS 0.00042 · Exploits 0 · References 5
CNNVD · added 2026/05/27 12:00 a.m. · 4 views

Gradio security vulnerability

Gradio is an open-source Python library maintained by Hugging Face. It provides a user-friendly web interface for demonstrating machine learning models. Prior to version 6.15.0, Gradio had a security vulnerability. This vulnerability stemmed from the use of shared module-level HTTP clients, which allowe...

CVSS 7.6 · AI score 5.8 · EPSS 0.00042 · Exploits 0 · References 5
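The mechanism the four Gradio entries describe, as an added example (not Gradio's own code): Python's stdlib `http.cookiejar.CookieJar` stands in for the cookie store that a long-lived HTTP client object (an `httpx.Client` or `requests.Session`, both of which persist upstream `Set-Cookie` headers by default) keeps between requests. The Space hostnames, the cookie name, and the `Domain` attribute on the attacker's `Set-Cookie` are constructed assumptions; the page truncates the description before the actual response, so the cross-Space reach shown here rests on the assumed domain-scoped cookie. The same run also shows two fixes: a cookie store per request, and a single client that refuses to store upstream cookies at all.

```python
"""Cookie leakage through a shared, module-level proxy client.

Added illustration, not Gradio's code. The stdlib CookieJar plays the role of
the cookie store that a long-lived HTTP client keeps between requests.
Hostnames, the cookie name and the Domain attribute are constructed.
"""
from http.cookiejar import CookieJar, DefaultCookiePolicy
from email.message import Message
import urllib.request

ATTACKER_SPACE = "https://attacker-space.hf.space/"   # constructed
VICTIM_SPACE = "https://victim-space.hf.space/"       # constructed

# Assumption: the attacker's Space scopes its cookie to the shared parent
# domain, so the jar will also send it to other Spaces' hostnames.
ATTACKER_SET_COOKIE = ["session=attacker-chosen; Domain=.hf.space; Path=/"]


class FakeUpstreamResponse:
    """Just enough of an HTTP response for CookieJar.extract_cookies()."""

    def __init__(self, set_cookie_values):
        self._headers = Message()
        for value in set_cookie_values:
            self._headers.add_header("Set-Cookie", value)

    def info(self):
        return self._headers


def proxy_once(jar, url, upstream_set_cookie):
    """Proxy one user's request through a client whose cookie store is `jar`.

    Returns the Cookie header the proxy sent upstream (None if none), then
    stores whatever Set-Cookie the upstream Space answered with.
    """
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)                  # replay stored cookies
    sent_cookie = req.get_header("Cookie")
    jar.extract_cookies(FakeUpstreamResponse(upstream_set_cookie), req)
    return sent_cookie


def vulnerable_flow():
    """One client (one jar) for every user and every Space."""
    shared_jar = CookieJar()                    # module-level in the bug
    proxy_once(shared_jar, ATTACKER_SPACE, ATTACKER_SET_COOKIE)  # user A
    return proxy_once(shared_jar, VICTIM_SPACE, [])              # user B


def per_request_flow():
    """Fix 1: a fresh cookie store per request; nothing survives between users."""
    proxy_once(CookieJar(), ATTACKER_SPACE, ATTACKER_SET_COOKIE)  # user A
    return proxy_once(CookieJar(), VICTIM_SPACE, [])              # user B


def no_store_flow():
    """Fix 2: keep one client but refuse to store any upstream cookie; a proxy
    should relay Set-Cookie to the browser, not keep it for the next caller."""
    shared_jar = CookieJar(policy=DefaultCookiePolicy(allowed_domains=[]))
    proxy_once(shared_jar, ATTACKER_SPACE, ATTACKER_SET_COOKIE)  # user A
    return proxy_once(shared_jar, VICTIM_SPACE, [])              # user B


if __name__ == "__main__":
    print("shared client sent to victim Space:", vulnerable_flow())
    print("per-request client sent:           ", per_request_flow())
    print("no-store client sent:              ", no_store_flow())
```

With the shared jar, user B's request to the victim Space carries `session=attacker-chosen`, a cookie user B never received from that Space; the two fixed flows send nothing. The check to run against a real proxy is the same: hit the proxy twice from two unrelated clients and diff the upstream `Cookie` headers.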
OSV · added 2026/04/13 5:42 a.m. · 2 views

BIT-KIBANA-2026-33460 Incorrect Authorization in Kibana Fleet Leading to Information Disclosure

Incorrect Authorization CWE-863 in Kibana can lead to cross-space information disclosure via Privilege Abuse CAPEC-122. A user with Fleet agent management privileges in one Kibana space can retrieve Fleet Server policy details from other spaces through an internal enrollment endpoint. The endpoin...

CVSS 4.3 · AI score 5.8 · EPSS 0.00025 · Exploits 0 · References 2
OSV · added 2026/04/13 5:38 a.m. · 2 views

BIT-ELK-2026-33460 Incorrect Authorization in Kibana Fleet Leading to Information Disclosure

Incorrect Authorization CWE-863 in Kibana can lead to cross-space information disclosure via Privilege Abuse CAPEC-122. A user with Fleet agent management privileges in one Kibana space can retrieve Fleet Server policy details from other spaces through an internal enrollment endpoint. The endpoin...

CVSS 4.3 · AI score 5.8 · EPSS 0.00025 · Exploits 0 · References 2
Positive Technologies · added 2026/04/13 12:00 a.m. · 1 view

PT-2026-32407

Incorrect Authorization CWE-863 in Kibana can lead to cross-space information disclosure via Privilege Abuse CAPEC-122. A user with Fleet agent management privileges in one Kibana space can retrieve Fleet Server policy details from other spaces through an internal enrollment endpoint. The endpoin...

CVSS 4.3 · AI score 5.8 · EPSS 0.00025 · Exploits 0 · References 3
Positive Technologies · added 2026/04/13 12:00 a.m. · 0 views

PT-2026-32431

Incorrect Authorization CWE-863 in Kibana can lead to cross-space information disclosure via Privilege Abuse CAPEC-122. A user with Fleet agent management privileges in one Kibana space can retrieve Fleet Server policy details from other spaces through an internal enrollment endpoint. The endpoin...

CVSS 4.3 · AI score 5.8 · EPSS 0.00025 · Exploits 0 · References 3
Tenable Nessus · added 2026/04/10 12:00 a.m. · 4 views

Kibana 8.x < 8.19.14 / 9.0.x < 9.2.8 / 9.3.x < 9.3.3 Multiple Vulnerabilities (ESA-2026-21 / ESA-2026-24 / ESA-2026-25 / ESA-2026-26)

The version of Kibana installed on the remote host is prior to 8.19.14, 9.2.8, or 9.3.3. It is, therefore, affected by multiple vulnerabilities as referenced in the ESA-2026-21, ESA-2026-24, ESA-2026-25, and ESA-2026-26 advisories. - An incorrect authorization vulnerability in Kibana Fleet allows...

CVSS 7.7 · AI score 5.8 · EPSS 0.00063 · Exploits 0 · References 8
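The version logic behind the Nessus entry above, as an added example (not Tenable's plugin code). Three fix releases on three branches is exactly where a naive `version < "9.3.3"` string compare goes wrong: 9.2.8 is fixed on its branch although it sorts below 9.3.3, and 8.19.14 is fixed although 8.19.13 is not. Assumptions: only the branches the plugin title names are modelled, so versions on other branches (7.x, 9.4+) come back as out of scope rather than fixed; a pre-release suffix such as `-SNAPSHOT` is ignored, so a snapshot of a fix version counts as fixed; the sample banners are constructed.

```python
"""Branch-aware version check for Kibana 8.x < 8.19.14, 9.0.x-9.2.x < 9.2.8
and 9.3.x < 9.3.3 (the ranges in the Nessus plugin title).

Added example, not Tenable's plugin. Branches not named in the title are
reported as out of scope, not as fixed.
"""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# (label, first version in range, first version past the range, first fixed)
BRANCHES = [
    ("8.x",         (8, 0, 0), (9, 0, 0), (8, 19, 14)),
    ("9.0.x-9.2.x", (9, 0, 0), (9, 3, 0), (9, 2, 8)),
    ("9.3.x",       (9, 3, 0), (9, 4, 0), (9, 3, 3)),
]

# x.y.z with an optional pre-release/build suffix ("9.3.3-SNAPSHOT")
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+.][0-9A-Za-z.+-]*)?$")


def parse_version(text: str) -> Version:
    """Parse 'x.y.z'; refuse anything else rather than guess, so a malformed
    banner never silently reads as 'fixed'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Kibana version string: {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_affected(version_text: str) -> Optional[bool]:
    """True if below the fix on its branch, False if at or above the fix,
    None if the branch is outside the advisory's scope."""
    v = parse_version(version_text)
    for _label, low, high, fixed in BRANCHES:
        if low <= v < high:
            return v < fixed
    return None


def fixed_version_for(version_text: str) -> Optional[str]:
    """Dotted fix version for the branch the given version is on, or None."""
    v = parse_version(version_text)
    for _label, low, high, fixed in BRANCHES:
        if low <= v < high:
            return ".".join(str(n) for n in fixed)
    return None


def report(version_texts: List[str]) -> List[str]:
    """One finding line per collected version banner."""
    lines = []
    for text in version_texts:
        try:
            verdict = is_affected(text)
        except ValueError as exc:
            lines.append(f"{text}: ERROR {exc}")
            continue
        if verdict is None:
            lines.append(f"{text}: out of scope")
        elif verdict:
            lines.append(f"{text}: VULNERABLE, upgrade to {fixed_version_for(text)}")
        else:
            lines.append(f"{text}: fixed")
    return lines


if __name__ == "__main__":
    # Constructed sample banners, as a scanner might collect them
    for line in report(["8.19.13", "8.19.14", "9.1.5", "9.2.8", "9.3.2",
                        "9.3.3-SNAPSHOT", "9.4.0", "7.17.29", "latest"]):
        print(line)
```

Keeping an explicit upper bound per branch is what prevents 9.2.8 from being compared against 9.3.3; any range table that only lists the fixed versions, without the branch they belong to, will misclassify one of the two.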
RedhatCVE · added 2026/04/09 7:23 p.m. · 1 view

CVE-2026-33460

Incorrect Authorization CWE-863 in Kibana can lead to cross-space information disclosure via Privilege Abuse CAPEC-122. A user with Fleet agent management privileges in one Kibana space can retrieve Fleet Server policy details from other spaces through an internal enrollment endpoint. The endpoin...

CVSS 4.3 · AI score 5.9 · EPSS 0.00025 · Exploits 0 · References 1
EUVD · added 2026/04/08 6:34 p.m. · 1 view

EUVD-2026-20523

Incorrect Authorization CWE-863 in Kibana can lead to cross-space information disclosure via Privilege Abuse CAPEC-122. A user with Fleet agent management privileges in one Kibana space can retrieve Fleet Server policy details from other spaces through an internal enrollment endpoint. The endpoin...

CVSS 4.3 · AI score 5.9 · EPSS 0.00025 · Exploits 0 · References 2
NVD · added 2026/04/08 5:21 p.m. · 1 view

CVE-2026-33460

Incorrect Authorization CWE-863 in Kibana can lead to cross-space information disclosure via Privilege Abuse CAPEC-122. A user with Fleet agent management privileges in one Kibana space can retrieve Fleet Server policy details from other spaces through an internal enrollment endpoint. The endpoin...

CVSS 4.3 · EPSS 0.00025 · Exploits 0 · References 1
Vulnrichment · added 2026/04/08 4:43 p.m. · 3 views

CVE-2026-33460 Incorrect Authorization in Kibana Fleet Leading to Information Disclosure

Incorrect Authorization CWE-863 in Kibana can lead to cross-space information disclosure via Privilege Abuse CAPEC-122. A user with Fleet agent management privileges in one Kibana space can retrieve Fleet Server policy details from other spaces through an internal enrollment endpoint. The endpoin...

CVSS 4.3 · AI score 5.9 · EPSS 0.00025 · Exploits 0 · References 1
Cvelist · added 2026/04/08 4:43 p.m. · 17 views

CVE-2026-33460 Incorrect Authorization in Kibana Fleet Leading to Information Disclosure

Incorrect Authorization CWE-863 in Kibana can lead to cross-space information disclosure via Privilege Abuse CAPEC-122. A user with Fleet agent management privileges in one Kibana space can retrieve Fleet Server policy details from other spaces through an internal enrollment endpoint. The endpoin...

CVSS 4.3 · EPSS 0.00025 · Exploits 0 · References 1
CVE · added 2026/04/08 4:43 p.m. · 6 views

CVE-2026-33460

CVE-2026-33460 affects Kibana Fleet: an Incorrect Authorization (CWE-863) flaw allows cross-space information disclosure via a Privilege Abuse path. A user with Fleet agent management privileges in one Kibana space can query Fleet Server policy details from other spaces through an internal enroll...

CVSS 4.3 · AI score 5.9 · EPSS 0.00025 · Exploits 0 · References 1 · Affected software 1
Elastic · added 2026/04/08 4:22 p.m. · 5 views

Kibana 8.19.14, 9.2.8, 9.3.3 Security Update (ESA-2026-25)

Incorrect Authorization in Kibana Fleet Leading to Information Disclosure. Incorrect Authorization CWE-863 in Kibana can lead to cross-space information disclosure via Privilege Abuse CAPEC-122. A user with Fleet agent management privileges in one Kibana space can retrieve Fleet Server policy...

CVSS 4.3 · AI score 5.7 · EPSS 0.00025 · Exploits 0
CNNVD · added 2026/04/08 12:00 a.m. · 2 views

Elastic Kibana security vulnerability

Elastic Kibana is a data visualization dashboard software provided by the Elastic company. There is a security vulnerability in Elastic Kibana, which stems from improper authorization and could lead to cross-space information leakage...

CVSS 4.3 · AI score 5.8 · EPSS 0.00025 · Exploits 0 · References 1
Positive Technologies · added 2026/04/08 12:00 a.m. · 2 views

PT-2026-31333

Name of the vulnerable software and affected versions: Kibana (affected versions not specified). Description: An incorrect authorization issue in Kibana can lead to cross-space information disclosure through privilege abuse. A user with Fleet agent management privileges in one Kibana space can retriev...

CVSS 4.3 · AI score 5.8 · EPSS 0.00025 · Exploits 0 · References 7
NVD · added 2026/04/07 4:16 p.m. · 3 views

CVE-2026-35489

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, the POST /api/food/id/shopping/ endpoint reads amount and unit directly from request.data and passes them without validation to ShoppingListEntry.objects.create. Invalid amount...

CVSS 7.3 · EPSS 0.00199 · Exploits 1 · References 2
Vulnrichment · added 2026/04/07 2:53 p.m. · 1 view

CVE-2026-35489 Tandoor Recipes — `amount`/`unit` bypass serializer in `food/{id}/shopping/`

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, the POST /api/food/id/shopping/ endpoint reads amount and unit directly from request.data and passes them without validation to ShoppingListEntry.objects.create. Invalid amount...

CVSS 7.3 · AI score 5.9 · EPSS 0.00199 · Exploits 1 · References 2
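The two Tandoor entries describe values read straight from `request.data` and handed to `objects.create` with no serializer in between. The added example below is plain Python, not Tandoor's Django/DRF code, and contrasts that pattern with field-level validation. The request bodies are constructed; the accepted shapes (`amount` a finite, non-negative decimal under a ceiling; `unit` a positive integer id or null) are assumptions about what the endpoint should accept, not taken from the page. Two details are worth seeing run: Python's `json` module accepts the non-standard literals `NaN` and `Infinity` by default, so an unvalidated path receives a float NaN, and `Decimal("NaN") < 0` raises rather than returning False, so a range check that does not test finiteness first crashes instead of rejecting.

```python
"""Validating `amount` and `unit` before they reach the ORM.

Added example in plain Python, not Tandoor's Django/DRF code. Request bodies
are constructed; the accepted shapes are assumptions about the endpoint.
"""
import json
import math
from decimal import Decimal, InvalidOperation
from typing import Any, Dict, Tuple

MAX_AMOUNT = Decimal("1000000")     # assumed ceiling


class ValidationError(ValueError):
    pass


def unvalidated_entry(body: str) -> Dict[str, Any]:
    """The vulnerable pattern: whatever the parser produced is handed straight
    to the model constructor. json.loads accepts NaN/Infinity by default."""
    data = json.loads(body)
    return {"amount": data.get("amount"), "unit": data.get("unit")}


def _reject_constant(name: str) -> Any:
    # json.loads calls this for the literals 'NaN', 'Infinity', '-Infinity'
    raise ValidationError(f"JSON literal {name} not allowed")


def validate_amount(raw: Any) -> Decimal:
    # bool is a subclass of int: JSON true must not become amount 1
    if raw is None or isinstance(raw, bool):
        raise ValidationError("amount: a number is required")
    if isinstance(raw, float) and not math.isfinite(raw):
        raise ValidationError("amount: NaN/Infinity not allowed")
    if isinstance(raw, (int, float)):
        raw = str(raw)
    if not isinstance(raw, str):
        raise ValidationError("amount: unsupported type")
    try:
        value = Decimal(raw.strip())
    except InvalidOperation:
        raise ValidationError("amount: not a decimal number") from None
    # Decimal('NaN') < 0 raises InvalidOperation, so test finiteness first
    if not value.is_finite():
        raise ValidationError("amount: NaN/Infinity not allowed")
    if value < 0 or value > MAX_AMOUNT:
        raise ValidationError("amount: out of range")
    return value


def validate_unit(raw: Any):
    if raw is None:
        return None
    if isinstance(raw, bool) or not isinstance(raw, int) or raw <= 0:
        raise ValidationError("unit: a positive integer id or null is required")
    return raw


def validated_entry(body: str) -> Dict[str, Any]:
    """The hardened pattern: parse strictly, validate each field, and only
    then build the keyword arguments for the create() call."""
    data = json.loads(body, parse_constant=_reject_constant)
    if not isinstance(data, dict):
        raise ValidationError("body: JSON object required")
    return {"amount": validate_amount(data.get("amount")),
            "unit": validate_unit(data.get("unit"))}


def try_validate(body: str) -> Tuple[str, Any]:
    """('ok', entry) or ('error', message); convenient for tests and logs."""
    try:
        return ("ok", validated_entry(body))
    except (ValidationError, json.JSONDecodeError) as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    for body in ['{"amount": "2.5", "unit": 3}', '{"amount": NaN, "unit": 1}',
                 '{"amount": "1e99", "unit": 1}', '{"amount": 2, "unit": "3"}',
                 '{"amount": true, "unit": null}']:
        print(body, "->", "unvalidated:", unvalidated_entry(body),
              "| validated:", try_validate(body))
```

In a DRF view the equivalent is to run the posted data through the endpoint's serializer (`is_valid(raise_exception=True)`) and create from `validated_data`, rather than indexing `request.data` directly; the checks above are what a serializer field does for you.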