22 matches found
CVE-2026-46680 vulnerabilities
Vulnerabilities for packages: kargo, buildkitd, kubescape-operator, rancher-agent, trivy-operator, tw, cluster-api-helm-controller, zarf, helm-operator, neuvector-scanner, opa-envoy, trivy, grype, rancher-helm, skaffold, docker, kots, xeol, osv-scanner, helm-mapkubeapis, spegel, rancher, k8sgpt,...
CVE-2026-46680 vulnerabilities
Vulnerabilities for packages: rancher-helm, packer-fips, buildkitd, eks-node-monitoring-agent-fips, wolfictl, ctop, kaniko-fips, helm-exporter, helm-fips, helm-mapkubeapis, kubescape, trivy-operator, grype-fips, eks-node-monitoring-agent, grype-db, helm, envoy-gateway, spegel, xeol, steampipe,...
GHSA-PC3F-X583-G7J2 vulnerabilities
Vulnerabilities for packages: kargo, vcluster, rancher-agent, jitsucom-bulker, trivy-operator, emissary, velero, cloudnative-pg, percona-server-mongodb-operator, verticadb-operator, zarf, cilium-cli, istio, infinispan-operator, postgres-operator, trivy, dynamic-localpv-provisioner, skaffold, kots...
CVE-2026-35469 vulnerabilities
Vulnerabilities for packages: kargo, vcluster, rancher-agent, jitsucom-bulker, trivy-operator, emissary, velero, cloudnative-pg, percona-server-mongodb-operator, verticadb-operator, zarf, cilium-cli, istio, infinispan-operator, postgres-operator, trivy, dynamic-localpv-provisioner, skaffold, kots...
GHSA-HR2V-4R36-88HR vulnerabilities
Vulnerabilities for packages: flux, trivy-operator, cert-manager-cmctl, tw, cluster-api-helm-controller, zarf, helm-operator, flux-source-controller, cilium-cli, istio, trivy, consul-k8s, pluto, kots, cerbos, helm-mapkubeapis, chartmuseum, teleport, tigera-operator, envoy-gateway, k8ssandra-clien...
CVE-2026-35206 vulnerabilities
Vulnerabilities for packages: flux, trivy-operator, cert-manager-cmctl, tw, cluster-api-helm-controller, zarf, helm-operator, flux-source-controller, cilium-cli, istio, trivy, consul-k8s, pluto, kots, cerbos, helm-mapkubeapis, chartmuseum, teleport, tigera-operator, envoy-gateway, k8ssandra-clien...
GHSA-HR2V-4R36-88HR vulnerabilities
Vulnerabilities for packages: flux-source-controller, kubescape-server, cert-manager-cmctl, chartmuseum, pluto, tw, zarf, tigera-operator, headlamp-fips, rancher-fleet-fips, teleport, k9s, helm-diff, k8ssandra-client, chartmuseum-fips, cerbos-fips, flux, helm-push, helm-operator, headlamp,...
GHSA-HFVC-G4FC-PQHX vulnerabilities
Vulnerabilities for packages: vcluster, cloudflared, rancher-agent, restic, velero, flux-kustomize-controller, falcosidekick, witness, cloud-provider-gcp-cloud-controller-manager, terragrunt, splunk-otel-collector, cluster-autoscaler, kots, prometheus-adapter, xeol, cerbos,...
GHSA-HFVC-G4FC-PQHX vulnerabilities
Vulnerabilities for packages: rke2-runtime-fips, k8s-agents-operator, openbao-fips, kubernetes-csi-external-resizer-fips, buildkitd, cass-operator, kaniko-fips, velero, livekit-server-fips, cloudflared, kubernetes-fips, gitlab-operator-fips, cass-operator-fips,...
CVE-2026-39883 vulnerabilities
Vulnerabilities for packages: rke2-runtime-fips, k8s-agents-operator, openbao-fips, kubernetes-csi-external-resizer-fips, buildkitd, cass-operator, kaniko-fips, velero, livekit-server-fips, cloudflared, kubernetes-fips, gitlab-operator-fips, cass-operator-fips,...
📄 Headlamp 0.38.0 Unauthenticated Cached Credentials Access
Proof of concept exploit for a flaw in Headlamp Kubernetes dashboard versions 0.38.0 and below that allows unauthenticated users to access sensitive Helm release data, including secrets, tokens, and passwords, due to improper server-side caching...
📄 Headlamp 0.38.0 Credential Reuse
A security issue was discovered in the in-cluster version of Headlamp where unauthenticated users may be able to reuse cached credentials to access Helm functionality through the Headlamp UI. Kubernetes clusters are only affected if Headlamp is installed, is configured with config.enableHelm: tru...
PT-2025-52206
Name of the Vulnerable Software and Affected Versions Headlamp versions prior to 0.39.0 Description A configuration issue with config.enableHelm: true in the Headlamp user interface for Kubernetes cluster management leads to information disclosure through caching when processing the...
EUVD-2025-21025
Malicious code in bioql PyPI...
CVE-2025-53542
Headlamp is an extensible Kubernetes web UI. A command injection vulnerability was discovered in the codeSign.js script used in the macOS packaging workflow of the Kubernetes Headlamp project. This issue arises due to the improper use of Node.js's execSync function with unsanitized input derived...
CVE-2025-53542 Kubernetes Headlamp Allows Arbitrary Command Injection in macOS Process headlamp@codeSign
Headlamp is an extensible Kubernetes web UI. A command injection vulnerability was discovered in the codeSign.js script used in the macOS packaging workflow of the Kubernetes Headlamp project. This issue arises due to the improper use of Node.js's execSync function with unsanitized input derived...
CVE-2025-53542
CVE-2025-53542 affects Headlamp, an extensible Kubernetes web UI. The vulnerability is a command injection in the macOS packaging workflow (codeSign.js) caused by using Node.js execSync() with unsanitized environment-derived input (teamID, entitlementsPath, config.app) passed to the shell without...