EUVD-2026-38244

The Snowflake datasource allows for GET/PUT commands, which can allow any user with access to run queries against the data source to read/write files between the local grafana server and the connected Snowflake host...

CVE-2026-28381

The CVE affects the Grafana Snowflake data source: GET/PUT commands can enable a user with access to read/write files between the local Grafana server and the connected Snowflake host, potentially impacting confidentiality and integrity (per metrics: HIGH/ HIGH). Root cause and exact vulnerable c...

CVE-2026-28381 Local File Read/Write to Potential Privilege Escalation via Snowflake GET/PUT

The Snowflake datasource allows for GET/PUT commands, which can allow any user with access to run queries against the data source to read/write files between the local grafana server and the connected Snowflake host...

Astra Linux – Vulnerability in libdbi-perl

A issue was discovered in the DBI module through version 1.643 for Perl. DBD::File drivers can open files from folders other than those specifically specified via the fdir attribute in the data source name DSN. NOTE: This issue exists due to an incomplete fix for CVE-2014-10401...

CVE-2026-11752

A vulnerability has been identified in armeria-xds versions 1.38.0 through 1.39.0, where DataSourceStream in the xDS module can resolve control-plane-supplied filenames and environment variables without restriction, allowing a compromised or semi-trusted xDS control plane to read arbitrary local...

CVE-2026-11752

Armeria-xds versions 1.38.0–1.39.0 contain a vulnerability in DataSourceStream where control-plane-supplied filenames and environment_variable fields from SDS secrets are resolved without any allow-list or base-directory confinement. A semi-trusted or compromised xDS control plane (or an attacker...

Armeria: External Control of File Name or Path in xDS SDS DataSource

External Control of File Name or Path in xDS SDS DataSource Summary DataSourceStream in the :xds module resolves control-plane-supplied filename and environmentvariable fields from SDS Secret resources without any allow-list or base-directory confinement. A semi-trusted or compromised xDS control...

EUVD-2026-37580

DataSource API Missing Authorization Check Leads to Arbitrary Data Source Metadata Disclosure in Apache DolphinScheduler. This issue affects Apache DolphinScheduler: before 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes the issue...

CVE-2026-2675

RTI Connext Professional (Security Plugins) is affected by CVE-2026-2675: Missing Authentication for a Critical Function. Affected Connext Professional versions include 5.3.* before 5.3., 6.0. before 6.0., 6.1. before 6.1.*, 7.0.0 before 7.3.1.3, and 7.4.0 before 7.7.0. The CVSS 4.0 base score is...

EUVD-2026-37771

Missing Authentication for Critical Function vulnerability in RTI Connext Professional Security Plugins allows Fake the Source of Data.This issue affects Connext Professional: from 7.4.0 before 7.7.0, from 7.0.0 before 7.3.1.3, from 6.1.0 before 6.1., from 6.0.0 before 6.0., from 5.3.0 before 5.3...

CVE-2026-32966

DataSource API Missing Authorization Check Leads to Arbitrary Data Source Metadata Disclosure in Apache DolphinScheduler. This issue affects Apache DolphinScheduler: before 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes the issue...

CVE-2026-32966 Apache DolphinScheduler: DataSource API Missing Authorization Check Leads to Arbitrary Data Source Metadata Disclosure

DataSource API Missing Authorization Check Leads to Arbitrary Data Source Metadata Disclosure in Apache DolphinScheduler. This issue affects Apache DolphinScheduler: before 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes the issue...

EUVD-2026-32588

Budibase: Basic app users can exfiltrate stored REST datasource auth by rewriting datasource base URL...

GHSA-3GP5-Q4JW-3V94 Budibase: Basic app users can exfiltrate stored REST datasource auth by rewriting datasource base URL

Summary Budibase stores external REST datasource credentials server-side and documents that database credentials are applied server-side and are not exposed in the UI. The REST datasource implementation redacts stored Basic/Bearer/OAuth2 auth secrets before returning datasource data to clients...

GHSA-6964-PP88-6WP9 Budibase: SSRF via User-Controlled queryId in Automation Execute Query Step

Summary The executeQuery automation step in Budibase accepts a queryId from automation step inputs and passes it directly to the query execution controller without additional validation. When combined with a REST datasource configured to target internal infrastructure, this creates a server-side...

Agentjacking Attack Tricks AI Coding Agents Into Running Malicious Code

Cybersecurity researchers have described what they say is a new class of attack that can trick artificial intelligence AI coding agents into running arbitrary code on developer machines. Called Agentjacking by Tenet Security, the attack can be triggered by means of a fake error report crafted usi...

CVE-2026-43685

A Remote Code Execution vulnerability in Claris FileMaker Cloud allowed a user with Admin Console privileges to inject arbitrary operating system commands through unsanitized input in the External ODBC Data Source connection test feature. This issue is fixed in FileMaker Cloud 2.22.0.5...

CVE-2026-5848

A vulnerability was found in jeecgboot JimuReport up to 2.3.0. The affected element is the function DriverManager.getConnection of the file /drag/onlDragDataSource/testConnection of the component Data Source Handler. Performing a manipulation of the argument dbUrl results in code injection. The...

CVE-2025-11159

Hitachi Vantara Pentaho Data Integration & Analytics of all versions contain a JDBC driver for H2 databases which is vulnerable to external script execution when a new connection is created by a data source administrator...

CVE-2026-48152

Budibase is an open-source low-code platform. Prior to 3.39.0, the single-datasource GET and PUT routes are guarded by generic TABLE READ, not by Builder/Admin permission or datasource-specific ownership/resource checks. The built-in Basic app user role maps to the WRITE permission set, which...