9352 matches found
CVE-2026-56264
CVE-2026-56264 affects Crawl4AI prior to 0.8.7. The Docker API server’s /execute_js endpoint accepts and executes arbitrary JavaScript in the server’s browser context with --disable-web-security enabled, enabling an attacker to run arbitrary JS and, given relaxed browser security, perform server-...
CVE-2026-56264 Crawl4AI - Arbitrary JavaScript Execution via /execute_js Endpoint
Crawl4AI before 0.8.7 contains an arbitrary JavaScript execution vulnerability in the Docker API server's /executejs endpoint, which accepts and executes arbitrary user-supplied JavaScript in the server's browser context with --disable-web-security enabled. An attacker can execute arbitrary...
CVE-2026-58446 Presenton < 0.8.8-beta - Authentication Bypass of Session Auth via Unprotected MCP Endpoint
Presenton before 0.8.8-beta bundles an MCP server that, on server/Docker deployments configured with session authentication AUTHUSERNAME/AUTHPASSWORD, is reachable unauthenticated at /mcp because the nginx front-end does not apply the authrequest gate to that path and the MCP server auto-mints a...
SUSE-SU-2026:22456-1 Security update for docker
This update for docker fixes the following issues - CVE-2026-33814: golang.org/x/net/http2: infinite loop in HTTP/2 transport when given bad SETTINGSMAXFRAMESIZE bsc1265782. - CVE-2026-39821: golang.org/x/net/idna: failure to reject ASCII-only Punycode-encoded labels allows for validation bypass...
SUSE-SU-2026:2692-1 Security update for docker
This update for docker fixes the following issues - CVE-2026-33814: golang.org/x/net/http2: infinite loop in HTTP/2 transport when given bad SETTINGSMAXFRAMESIZE bsc1265782. - CVE-2026-39821: golang.org/x/net/idna: failure to reject ASCII-only Punycode-encoded labels allows for validation bypass...
Malicious code in log-taker1 (npm)
Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign. log-taker1 embeds a full infostealer 2800 lines directly in index.js, executed at install time via postinstall: node test.js. The payload harvests cryptocurrency wallet vaults MetaMask, Phantom, Solflare,...
PYSEC-2026-319 Crawl4AI: AST Sandbox Escape via gi_frame.f_back Chain - Pre-Auth RCE in Docker API
Summary The safeevalexpression function in the computed fields feature uses an AST validator that only blocks attributes starting with underscore. Python generator and frame object attributes giframe, fback, fbuiltins do NOT start with underscore, enabling a complete sandbox escape to achieve...
PYSEC-2026-346 gramps-webapi: Zip Slip Path Traversal in Media Archive Import
Summary A path traversal vulnerability Zip Slip exists in the media archive import feature. An authenticated user with owner-level privileges can craft a malicious ZIP file with directory-traversal filenames to write arbitrary files outside the intended temporary extraction directory on the...
OPENSUSE-SU-2026:11144-1 docker-29.4.0_ce-40.1 on GA media
These are all security issues fixed in the docker-29.4.0ce-40.1 package on the GA media of openSUSE Tumbleweed...
CVE-2026-58053
Gitea actrunner with the Docker backend through act 0.262.0 passes a workflow's container.options string to the Docker job container's HostConfig and, when configured with privileged: false, forces only the Privileged flag off while merging options such as --pid=host, --cap-add, and --security-op...
CVE-2026-58053 Gitea act_runner - Container Hardening Bypass via Workflow Container Options
Gitea actrunner with the Docker backend through act 0.262.0 passes a workflow's container.options string to the Docker job container's HostConfig and, when configured with privileged: false, forces only the Privileged flag off while merging options such as --pid=host, --cap-add, and --security-op...
EUVD-2026-39973
Gitea actrunner with the Docker backend through act 0.262.0 passes a workflow's container.options string to the Docker job container's HostConfig and, when configured with privileged: false, forces only the Privileged flag off while merging options such as --pid=host, --cap-add, and --security-op...
CVE-2026-58053
Gitea act_runner (Docker backend) up to act 0.262.0 is vulnerable: the workflow.container.options are merged into the Docker job container HostConfig, and if privileged is set to false, only the Privileged flag is disabled while options such as --pid=host, --cap-add, and --security-opt remain. A ...
CVE-2026-58053
Gitea actrunner with the Docker backend through act 0.262.0 passes a workflow's container.options string to the Docker job container's HostConfig and, when configured with privileged: false, forces only the Privileged flag off while merging options such as --pid=host, --cap-add, and --security-op...
[SECURITY] Fedora 43 Update: moby-engine-29.6.0-1.fc43
Docker is an open source project to build, ship and run any application as a lightweight container. Docker containers are both hardware-agnostic and platform-agnostic. This means they can run anywhere, from your laptop to the largest EC2 compute instance a nd everything in between =E2=80=94 and...
[SECURITY] Fedora 44 Update: moby-engine-29.6.0-1.fc44
Docker is an open source project to build, ship and run any application as a lightweight container. Docker containers are both hardware-agnostic and platform-agnostic. This means they can run anywhere, from your laptop to the largest EC2 compute instance a nd everything in between =E2=80=94 and...
[SECURITY] Fedora 44 Update: docker-buildx-0.35.0-1.fc44
Docker CLI plugin for extended build capabilities with BuildKit...
[SECURITY] Fedora 44 Update: docker-buildkit-0.31.0-1.fc44
Concurrent, cache-efficient, and Dockerfile-agnostic builder toolkit...
[SECURITY] Fedora 43 Update: docker-buildx-0.35.0-1.fc43
Docker CLI plugin for extended build capabilities with BuildKit...
[SECURITY] Fedora 43 Update: docker-buildkit-0.31.0-1.fc43
Concurrent, cache-efficient, and Dockerfile-agnostic builder toolkit...