728 matches found
MinIO - Incomplete Signature Validation for Unsigned-Trailer Uploads
MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. The signature component of the authorization may be invalid, which would mean that as a client you can use any arbitrary secret to upload objects given the user already has prior WRITE permissions on...
MinIO Browser API - Server-Side Request Forgery
MinIO Browser API before version RELEASE.2021-01-30T00-20-58Z contains a server-side request forgery vulnerability. id: CVE-2021-21287 info: name: MinIO Browser API - Server-Side Request Forgery author: pikpikcu severity: high description: MinIO Browser API before version...
MinIO Operator Console Authentication Bypass
MinIO Console is a graphical user interface for the for MinIO Operator. MinIO itself is a multi-cloud object storage project. Affected versions are subject to an authentication bypass issue in the Operator Console when an external IDP is enabled. id: CVE-2021-41266 info: name: MinIO Operator...
MinIO Cluster Deployment - Information Disclosure
MinIO is susceptible to information disclosure. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including MINIOSECRETKEY and MINIOROOTPASSWORD. An attacker can potentially obtain sensitive...
CVE-2026-15378 Guardrails-detectors: guardrails-detectors: ssrf and local file read via user-supplied xml schema (xml-with-schema:)
A flaw was found in the guardrails-detectors component. This vulnerability allows a remote attacker to perform a blind Server-Side Request Forgery SSRF by submitting a specially crafted XML Schema Definition XSD string. This can lead to unauthorized access to sensitive information, including...
CVE-2026-15378
A flaw was found in the guardrails-detectors component. This vulnerability allows a remote attacker to perform a blind Server-Side Request Forgery SSRF by submitting a specially crafted XML Schema Definition XSD string. This can lead to unauthorized access to sensitive information, including...
CVE-2026-54352
Budibase is an open-source low-code platform. Prior to 3.39.9, POST /api/pwa/process-zip at packages/server/src/api/routes/static.ts:24 accepts a builder-uploaded .zip, extracts it with [email protected] into a temp directory, then for each entry listed in icons.json validates the icon path, open...
CVE-2026-54352 Budibase: Arbitrary file read by workspace-builder via PWA-zip symlink upload
Budibase is an open-source low-code platform. Prior to 3.39.9, POST /api/pwa/process-zip at packages/server/src/api/routes/static.ts:24 accepts a builder-uploaded .zip, extracts it with [email protected] into a temp directory, then for each entry listed in icons.json validates the icon path, open...
GHSA-45GG-VH54-H5M9 vulnerabilities
Vulnerabilities for packages: knative-kafka-broker, telegraf, containerd, external-dns, keda-fips, kyverno-fips, argocd-image-updater-fips, spire-server, commercial-grafana, osv-scanner, external-secrets-operator-fips, cert-manager, backup-restore-operator, zarf, gitlab-rails-ce-fips, gitea-fips,...
GHSA-X527-X647-Q7GG vulnerabilities
Vulnerabilities for packages: opentelemetry-collector, trivy-operator, istio, containerd, osv-scanner, vitess, kine, flux, external-dns, chisel, nerdctl, rancher, spire-server, flux-source-controller, k3s, kubernetes, cilium-cli, mattermost, argo-cd, aactl, kaf, gitlab-kas, loki, prometheus,...
GHSA-W879-237Q-WC7R vulnerabilities
Vulnerabilities for packages: flux-operator, trivy-operator, istio, gomplate, docker-machine-driver-harvester, eksctl, chisel, apko, step, nfpm, kubernetes, flux-kustomize-controller, nuclei, grype, gitea, cloud-provider-aws, falcoctl, kubernetes-dashboard, skaffold, cert-manager,...
GHSA-JPPX-RXG9-JMRX vulnerabilities
Vulnerabilities for packages: opentelemetry-collector, istio, containerd, vitess, kine, flux, external-dns, nerdctl, rancher, spire-server, k3s, kubernetes, cilium-cli, mattermost, argo-cd, aactl, buildah, gitlab-kas, kaf, loki, prometheus, helm, kots, cloud-provider-aws, teleport, rancher-agent,...
GHSA-F5WC-C3C7-36MC vulnerabilities
Vulnerabilities for packages: trivy-operator, istio, gomplate, docker-machine-driver-harvester, apko, step, nfpm, kubernetes, nuclei, grype, gitea, cloud-provider-aws, kubernetes-dashboard, skaffold, cert-manager, pulumi-kubernetes-operator, zot, kyverno, cilium, pulumi-language-yaml, flux,...
GHSA-45GG-VH54-H5M9 vulnerabilities
Vulnerabilities for packages: opentelemetry-collector, trivy-operator, istio, containerd, osv-scanner, vitess, docker-machine-driver-harvester, flux, kine, external-dns, chisel, nerdctl, rancher, spire-server, flux-source-controller, k3s, kubernetes, cilium-cli, mattermost, argo-cd, aactl, kaf,...
Budibase has arbitrary file read by workspace-builder via PWA-zip symlink upload
Summary POST /api/pwa/process-zip at packages/server/src/api/routes/static.ts:24 accepts a builder-uploaded .zip, extracts it with [email protected] into a temp directory, then for each entry listed in icons.json validates the icon path, opens it, and streams the bytes into MinIO. The resulting...
ROOT-APP-GOBINARY-CVE-2026-40344 CVE-2026-40344 in rootio-github.com/minio/minio - Patched by Root
Root has patched CVE-2026-40344 in the rootio-github.com/minio/minio package for Root:Go. Multiple fixed versions available...
ROOT-APP-GOBINARY-CVE-2026-41145 CVE-2026-41145 in rootio-github.com/minio/minio - Patched by Root
Root has patched CVE-2026-41145 in the rootio-github.com/minio/minio package for Root:Go. Multiple fixed versions available...
MinIO RELEASE.2022-07-24T01-54-52Z < RELEASE.2026-04-14T21-32-45Z Path Traversal (CVE-2026-42600)
The version of MinIO installed on the remote host is RELEASE.2022-07-24T01-54-52Z or later but prior to RELEASE.2026-04-14T21-32-45Z. It is, therefore, affected by a path traversal vulnerability: - A path traversal vulnerability in MinIO's ReadMultiple internode storage-REST endpoint allows a...
PenguinMod-BackendApi 输入验证错误漏洞
PenguinMod-BackendApi is a backend API service developed under the open source of PenguinMod, supporting storage using MongoDB and MinIO. Prior to version 1.0.0 of PenguinMod-BackendApi, there was a vulnerability related to input validation errors. This vulnerability stemmed from NoSQL injection ...
GHSA-HV4R-MVR4-25VW vulnerabilities
Vulnerabilities for packages: minio...