CVE-2026-41948

Dify version 1.14.1 and prior contain a path traversal vulnerability that allows authenticated users to manipulate requests forwarded to the Plugin Daemon's internal REST API by exploiting insufficient URL path sanitization. Attackers can traverse out of their authorized tenant path using unencod...

CLEANSTART-2026-CU71831 Security fixes for CVE-2015-8080, CVE-2019-10192, CVE-2019-10193, CVE-2020-14147, CVE-2021-32625, CVE-2021-32626, CVE-2021-32627, CVE-2021-32628, CVE-2021-32672, CVE-2021-32675, CVE-2021-32687, CVE-2021-32762, CVE-2021-41099, CVE-2022-24736, CVE-2022-24834, CVE-2022-35977, CVE-2022-3647, CVE-2023-36824, CVE-2023-41053, CVE-2023-41056, CVE-2023-45145, CVE-2024-31227, CVE-2024-31228, CVE-2024-31449, CVE-2025-46817, CVE-2025-46818, CVE-2025-46819, CVE-2025-49844 applied in versions: 5.0.4-r0, 5.0.8-r0, 6.0.3-r0, 6.2.0-r0, 6.2.4-r0, 6.2.5-r0, 6.2.6-r0, 6.2.7-r0, 7.0.12-r0, 7.0.4-r0, 7.0.5-r0, 7.0.6-r0, 7.0.8-r0, 7.2.1-r0, 7.2.2-r0, 7.2.4-r0, 7.2.5-r1, 8.2.2-r0

Multiple security vulnerabilities affect the redis package. These issues are resolved in later releases. See references for individual vulnerability details...

CLEANSTART-2026-MJ60235 Security fixes for CVE-2025-58183, CVE-2025-58185, CVE-2025-58187, CVE-2025-58188, CVE-2025-58189, CVE-2025-61723, CVE-2025-61724, CVE-2025-61725, CVE-2026-29181, CVE-2026-33186, CVE-2026-33811, CVE-2026-33814, CVE-2026-39817, CVE-2026-39819, CVE-2026-39820, CVE-2026-39823, CVE-2026-39825, CVE-2026-39826, CVE-2026-39836, CVE-2026-42499, CVE-2026-42501, ghsa-6v2p-p543-phr9, ghsa-6xv5-86q9-7xr8, ghsa-f6x5-jh6r-wrfv, ghsa-hcg3-q754-cr77, ghsa-j5w8-q4qc-rx2x, ghsa-mh2q-q3fh-2475, ghsa-mh63-6h87-95cp, ghsa-p77j-4mvh-x3m3, ghsa-qxp5-gwg8-xv66, ghsa-v778-237x-gjrc, ghsa-vvgc-356p-c3xw applied in versions: 0.12.0-r0, 0.12.0-r1, 0.9.0-r0

Multiple security vulnerabilities affect the modelmesh-runtime-adapter package. These issues are resolved in later releases. See references for individual vulnerability details...

CLEANSTART-2026-GB36430 Security fixes for CVE-2025-61726, CVE-2025-61728, CVE-2025-61730, CVE-2025-68119, CVE-2026-25679, CVE-2026-27139, CVE-2026-27142, CVE-2026-27143, CVE-2026-27144, CVE-2026-29181, CVE-2026-32280, CVE-2026-32281, CVE-2026-32282, CVE-2026-32283, CVE-2026-32289, CVE-2026-33811, CVE-2026-33814, CVE-2026-39820, CVE-2026-39823, CVE-2026-39825, CVE-2026-39826, CVE-2026-39836, CVE-2026-42499, ghsa-mh2q-q3fh-2475 applied in versions: 1.18.5-r0, 1.19.3-r0

Multiple security vulnerabilities affect the cilium package. These issues are resolved in later releases. See references for individual vulnerability details...

CLEANSTART-2026-RN56220 Security fixes for CVE-2015-3254, CVE-2018-10237, CVE-2018-11798, CVE-2018-1320, CVE-2018-20200, CVE-2019-0205, CVE-2020-8908, CVE-2021-0341, CVE-2021-41973, CVE-2022-1471, CVE-2022-24823, CVE-2022-3171, CVE-2022-3509, CVE-2022-3510, CVE-2022-41881, CVE-2023-2976, CVE-2023-34462, CVE-2023-44487, CVE-2023-46120, CVE-2024-13009, CVE-2024-29025, CVE-2024-40094, CVE-2024-47535, CVE-2024-6763, CVE-2024-7254, CVE-2025-11143, CVE-2025-25193, CVE-2025-46392, CVE-2025-48734, CVE-2025-48924, CVE-2025-53864, CVE-2025-55163, CVE-2025-58056, CVE-2025-58057, CVE-2025-59419, CVE-2025-67735, CVE-2026-1225, CVE-2026-21452, CVE-2026-27315, CVE-2026-32588, CVE-2026-33870, CVE-2026-33871, CVE-2026-41409, CVE-2026-41417, CVE-2026-41635, CVE-2026-42578, CVE-2026-42579, CVE-2026-42580, CVE-2026-42581, CVE-2026-42583, CVE-2026-42584, CVE-2026-42585, CVE-2026-42586, CVE-2026-42587, CVE-2026-42778, CVE-2026-42779, CVE-2026-44248, ghsa-269q-hmxg-m83q, ghsa-389x-839f-4rhx, ghsa-38f8-5428-x5cv, ghsa-3cqm-mf7h-prrj, ghsa-3p8m-j85q-pgmj, ghsa-45q3-82m4-75jr, ghsa-4gg5-vx3j-xwc7, ghsa-57rv-r2g8-2cj3, ghsa-5jpm-x58v-624v, ghsa-5mg8-w23w-74h3, ghsa-6mjq-h674-j845, ghsa-72hv-8253-57qq, ghsa-735f-pc8j-v9w8, ghsa-7g45-4rm6-3mm3, ghsa-8297-v2rf-2p32, ghsa-84h7-rjj3-6jx4, ghsa-995c-6rp3-4m4x, ghsa-cm33-6792-r9fm, ghsa-cw39-r4h6-8j3x, ghsa-f2wh-grmh-r6jm, ghsa-f6hv-jmp6-3vwv, ghsa-fghv-69vj-qj49, ghsa-fh34-c629-p8xj, ghsa-fx2c-96vj-985v, ghsa-g5ww-5jh7-63cx, ghsa-h4h5-3hr4-j3g2, ghsa-h9mq-f6q5-6c8m, ghsa-j288-q9x7-2f5v, ghsa-jfg9-48mv-9qgx, ghsa-jq43-27x9-3v86, ghsa-m4cv-j2px-7723, ghsa-mj4r-2hfc-f8p6, ghsa-mjmj-j48q-9wg2, ghsa-mm8h-8587-p46h, ghsa-mvr2-9pj6-7w5j, ghsa-prj3-ccx8-p6x4, ghsa-pvp8-3xj6-8c6x, ghsa-pwqr-wmgm-9rr8, ghsa-qffm-gf3j-6mvg, ghsa-qh8g-58pp-2wxh, ghsa-qqpg-mvqg-649v, ghsa-rgrr-p7gp-5xj7, ghsa-rj7p-rfgp-852x, ghsa-v8h7-rr48-vmmv, ghsa-vf5j-865m-mq7c, ghsa-vx85-mj8c-4qm6, ghsa-w33c-445m-f8w7, ghsa-w9fj-cfpg-grvv, ghsa-wjpw-4j6x-6rwh, ghsa-wjxj-f8rg-99wx, ghsa-wxr5-93ph-8wr9, ghsa-xpw8-rcwv-8f8p, ghsa-xq3w-v528-46rv, ghsa-xwmg-2g98-w7v9, ghsa-xxqh-mfjm-7mv9 applied in versions: 2.0.44-r4, 2.0.44-r5, 2.0.44-r6

Multiple security vulnerabilities affect the stargate package. These issues are resolved in later releases. See references for individual vulnerability details...

CLEANSTART-2026-LN66182 Security fixes for CVE-2025-61726, CVE-2025-61727, CVE-2025-61728, CVE-2025-61729, CVE-2025-61730, CVE-2025-61732, CVE-2025-68119, CVE-2025-68121, CVE-2026-25679, CVE-2026-27139, CVE-2026-27142, CVE-2026-32280, CVE-2026-32281, CVE-2026-32282, CVE-2026-32283, CVE-2026-32289, CVE-2026-33810, CVE-2026-33811, CVE-2026-33814, CVE-2026-34743, CVE-2026-39820, CVE-2026-39823, CVE-2026-39825, CVE-2026-39826, CVE-2026-39836, CVE-2026-42499 applied in versions: 1.79.0-r0, 1.79.0-r2, 1.79.0-r3, 1.79.0-r4, 1.79.0-r5

Multiple security vulnerabilities affect the prometheus-redis-exporter-fips package. These issues are resolved in later releases. See references for individual vulnerability details...

CLEANSTART-2026-VU08393 Security fixes for CVE-2025-0913, CVE-2025-4673, CVE-2025-47907, CVE-2025-47911, CVE-2025-58183, CVE-2025-58185, CVE-2025-58187, CVE-2025-58188, CVE-2025-58189, CVE-2025-58190, CVE-2025-61723, CVE-2025-61724, CVE-2025-61725, CVE-2025-61726, CVE-2025-61727, CVE-2025-61728, CVE-2025-61729, CVE-2025-61730, CVE-2025-61732, CVE-2025-68121, CVE-2026-25679, CVE-2026-27139, CVE-2026-27142, CVE-2026-32280, CVE-2026-32281, CVE-2026-32282, CVE-2026-32283, CVE-2026-32289, CVE-2026-33810, CVE-2026-33811, CVE-2026-33814, CVE-2026-39817, CVE-2026-39819, CVE-2026-39820, CVE-2026-39823, CVE-2026-39825, CVE-2026-39826, CVE-2026-39836, CVE-2026-42499, CVE-2026-42501 applied in versions: 2.6.1-r0, 2.6.1-r1, 2.6.1-r7, 2.6.1-r8, 2.6.1-r9

Multiple security vulnerabilities affect the opensearch-k8s-operator-fips package. These issues are resolved in later releases. See references for individual vulnerability details...

CLEANSTART-2026-SY44974 Security fixes for CVE-2015-20107, CVE-2015-2104, CVE-2019-16056, CVE-2019-16935, CVE-2019-20907, CVE-2019-5010, CVE-2020-14422, CVE-2020-8492, CVE-2021-23336, CVE-2021-29921, CVE-2021-3177, CVE-2022-45061, CVE-2023-27043, CVE-2024-6232, CVE-2024-6923, CVE-2025-59375, CVE-2026-3219, CVE-2026-6357 applied in versions: 3.10.5-r0, 3.11.1-r0, 3.11.5-r0, 3.12.12-r0, 3.12.13-r0, 3.12.3-r2, 3.12.6-r0, 3.6.8-r1, 3.7.5-r0, 3.8.2-r0, 3.8.4-r0, 3.8.5-r0, 3.8.7-r2, 3.8.8-r0, 3.9.4-r0, 3.9.5-r0

Multiple security vulnerabilities affect the python3 package. These issues are resolved in later releases. See references for individual vulnerability details...

CLEANSTART-2026-SP91806 Security fixes for CVE-2015-2104, CVE-2023-27043, CVE-2024-12254, CVE-2024-12718, CVE-2024-12798, CVE-2024-12801, CVE-2024-27137, CVE-2024-6232, CVE-2024-6923, CVE-2024-9287, CVE-2025-0938, CVE-2025-23015, CVE-2025-4138, CVE-2025-4330, CVE-2025-4516, CVE-2025-4517, CVE-2025-58057, CVE-2026-1225, CVE-2026-42583, ghsa-25qh-j22f-pwp8, ghsa-3p8m-j85q-pgmj, ghsa-5mg8-w23w-74h3, ghsa-6v67-2wr5-gvf4, ghsa-72hv-8253-57qq, ghsa-7g45-4rm6-3mm3, ghsa-mj4r-2hfc-f8p6, ghsa-pr98-23f8-jwxv, ghsa-qqpg-mvqg-649v applied in versions: 4.0.17-r1, 4.1.9-r0, 5.0.6-r1, 5.0.6-r2

Multiple security vulnerabilities affect the cassandra-fips package. These issues are resolved in later releases. See references for individual vulnerability details...

CLEANSTART-2026-MI82983 Security fixes for CVE-2025-47911, CVE-2025-58190, CVE-2026-25679, CVE-2026-27139, CVE-2026-27142, CVE-2026-27143, CVE-2026-27144, CVE-2026-32280, CVE-2026-32281, CVE-2026-32282, CVE-2026-32283, CVE-2026-32289, CVE-2026-33811, CVE-2026-33814, CVE-2026-39817, CVE-2026-39819, CVE-2026-39820, CVE-2026-39823, CVE-2026-39825, CVE-2026-39826, CVE-2026-39836, CVE-2026-42499, CVE-2026-42501 applied in versions: 1.8.6-r0, 1.8.6-r1, 1.9.0-r0

Multiple security vulnerabilities affect the karpenter-fips package. These issues are resolved in later releases. See references for individual vulnerability details...

Edupage Information Disclosure

Both authenticated and publicly accessible anonymous guest accounts on Edupage portal allow an attacker to capture the complete list of user IDs, names students, parents, and teachers, and the associated banking details IBAN codes...

Filter Expression Injection

Spring AI is vulnerable to Filter Expression Injection. The vulnerability is due to insufficient sanitization of document IDs in MilvusVectorStoredoDeleteList, where attacker-controlled IDs are incorporated into Milvus filter expressions, allowing injection of malicious query conditions that can...

SQL Injection

Focalboard is vulnerable to SQL Injection. The vulnerability is due to improper sanitization of category IDs before they are incorporated into dynamic SQL statements, which allows an attacker to inject malicious SQL that is later executed and used to extract sensitive data from the database...

CVE-2026-45248

Hedera Guardian through 3.5.1 contains an authentication bypass vulnerability in the GET /api/v1/demo/registered-users endpoint that allows unauthenticated attackers to retrieve sensitive user information. Attackers can access the endpoint without providing authentication credentials to obtain...

CVE-2026-45398

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, validatecollectionaccess checks the user-memory- and file- collection name prefixes but does not check knowledge base collections, which use raw UUIDs as collection names. Any...

EUVD-2026-30606

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, any authenticated user can permanently delete files owned by other users via DELETE /api/v1/files/id when the target file is referenced in any shared chat. The hasaccesstofile...

CVE-2026-45671

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, any authenticated user can permanently delete files owned by other users via DELETE /api/v1/files/id when the target file is referenced in any shared chat. The hasaccesstofile...

GHSA-5HHF-XMFX-4VVR epa4all-client: TLS Certificate Validation Disabled in Production

Impact An attacker on the network path between the ePA service and the Konnektor can present any TLS certificate self-signed, expired, wrong CN and intercept all SOAP traffic. This includes patient identifiers KVNR, SMC-B card operations authentication, signing, document content, and credential...

CVE-2026-42155

Magento Long Term Support LTS is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to 20.18.0, the XML-RPC / SOAP API session ID is generated using an outdated, time-based...

CVE-2026-42155 Magento LTS: Weak API Session ID — Predictable MD5 of Time-Derived Inputs

Magento Long Term Support LTS is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to 20.18.0, the XML-RPC / SOAP API session ID is generated using an outdated, time-based...