
7 matches found

Cvelist
added 2026/05/28 5:45 p.m. | 34 views

CVE-2026-45021 Kuma: Default kuma-cp leaks admin token cross-origin via CORS wildcard + LocalhostIsAdmin

Kuma is a modern Envoy-based service mesh that can run on every cloud across both Kubernetes and VMs. Prior to 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5, the default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is...

CVSS 5.1 | EPSS 0.00204
Exploits: 0 | References: 8

EUVD
added 2025/10/03 8:7 p.m. | 2 views

EUVD-2025-6495

Malicious code in bioql PyPI...

CVSS 6 | AI score 6.3 | EPSS 0.00344
Exploits: 0 | References: 8

EUVD
added 2025/10/03 8:7 p.m. | 15 views

EUVD-2024-1816

Malicious code in bioql PyPI...

CVSS 8.1 | AI score 7.9 | EPSS 0.00975
Exploits: 1 | References: 7

EUVD
added 2025/10/03 8:7 p.m. | 3 views

EUVD-2024-1492

Malicious code in bioql PyPI...

CVSS 8.8 | AI score 8.4 | EPSS 0.01661
Exploits: 1 | References: 7

Veracode
added 2025/04/09 8:22 a.m. | 4 views

Regular Expression Denial Of Service

uptime-kuma is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability is caused by inefficient regex processing: crafted input during notification creation via the web service triggers catastrophic backtracking...

AI score 7
Exploits: 0

NVD
added 2024/12/20 8:15 p.m. | 14 views

CVE-2024-56331

Uptime Kuma is an open source, self-hosted monitoring tool. An Improper URL Handling Vulnerability allows an attacker to access sensitive local files on the server by exploiting the file:/// protocol. This vulnerability is triggered via the "real-browser" request type, which takes a screenshot of...

CVSS 6.8 | EPSS 0.01763
Exploits: 0 | References: 2

CNNVD
added 2024/07/25 12:0 a.m. | 1 views

Kuma security vulnerability

Kuma is a modern Envoy-based service mesh open-sourced by Kuma. It can run on Kubernetes and VMs, with single-zone or multi-zone capacity, on each cloud. A security vulnerability exists in Kuma v2.7.0 and prior versions that stems from the presence of insecure privileges that allow an attacker to...

CVSS 8.8 | AI score 6.7 | EPSS 0.00467
Exploits: 0 | References: 2