12 matches found
Exploit for CVE-2025-0133
CVE-2025-0133 Palo Alto PAN-OS reflected XSS in the GlobalPro...
SUSE CVE-2026-24748
Kargo manages and automates the promotion of software artifacts. Prior to versions 1.8.7, 1.7.7, and 1.6.3, a bug was found with authentication checks on the GetConfig API endpoint. This allowed unauthenticated users to access this endpoint by specifying an Authorization header with any non-empty...
CVE-2026-24748
Kargo manages and automates the promotion of software artifacts. Prior to versions 1.8.7, 1.7.7, and 1.6.3, a bug was found with authentication checks on the GetConfig API endpoint. This allowed unauthenticated users to access this endpoint by specifying an Authorization header with any non-empty...
Kargo's `GetConfig()` and `RefreshResource()` API endpoints allow unauthenticated access
Impact: A bug was found with authentication checks on the GetConfig API endpoint. This allowed unauthenticated users to access this endpoint by specifying an Authorization header with any non-empty Bearer token value, regardless of validity. This vulnerability did allow for exfiltration of...
GHSA-W5WV-WVRP-V5M5 Kargo's `GetConfig()` and `RefreshResource()` API endpoints allow unauthenticated access
Impact: A bug was found with authentication checks on the GetConfig API endpoint. This allowed unauthenticated users to access this endpoint by specifying an Authorization header with any non-empty Bearer token value, regardless of validity. This vulnerability did allow for exfiltration of...
Incorrect Authorization
Overview: Affected versions of this package are vulnerable to Incorrect Authorization via the GetConfig and RefreshResource API endpoints. An attacker can access sensitive configuration data or trigger excessive reconciliations by sending requests with any non-empty Bearer token in the Authorizati...
CVE-2026-24748 Kargo's `GetConfig()` and `RefreshResource()` API endpoints allow unauthenticated access
Kargo manages and automates the promotion of software artifacts. Prior to versions 1.8.7, 1.7.7, and 1.6.3, a bug was found with authentication checks on the GetConfig API endpoint. This allowed unauthenticated users to access this endpoint by specifying an Authorization header with any non-empty...
CVE-2026-24748 Kargo's `GetConfig()` and `RefreshResource()` API endpoints allow unauthenticated access
Kargo manages and automates the promotion of software artifacts. Prior to versions 1.8.7, 1.7.7, and 1.6.3, a bug was found with authentication checks on the GetConfig API endpoint. This allowed unauthenticated users to access this endpoint by specifying an Authorization header with any non-empty...
PT-2026-5025
Name of the Vulnerable Software and Affected Versions: Kargo versions prior to 1.8.7; Kargo versions prior to 1.7.7; Kargo versions prior to 1.6.3. Description: Kargo is a tool for managing and automating the promotion of software artifacts. A flaw in authentication checks on the GetConfig API endpoin...
U.S. Dept Of Defense: Reflected XSS via user parameter on getconfig.esp endpoint
The getconfig.esp endpoint was found to reflect unsanitized user input provided in the user parameter directly into the HTML response, resulting in a Reflected Cross-Site Scripting (XSS) vulnerability. The affected product was Fortinet SSL VPN FortiOS version 3.0.1-10...
U.S. Dept Of Defense: Reflected XSS via user Parameter on getconfig.esp Endpoint
A reflected Cross-Site Scripting (XSS) vulnerability was discovered in the /ssl-vpn/getconfig.esp endpoint, where user input in the 'user' parameter was not properly sanitized and allowed the injection of arbitrary JavaScript. This could have enabled remote attackers to execute malicious scripts in...
CVE-2022-47035
Buffer Overflow Vulnerability in D-Link DIR-825 v1.33.0.44ebdd4-embedded and below allows an attacker to execute arbitrary code via the GetConfig method to the /CPE endpoint...