4203 matches found
EUVD-2026-31268
Externally Controlled Reference to a Resource in Another Sphere, Authorization Bypass Through User-Controlled Key vulnerability in Apache Camel K. Authorized users in a Kubernetes namespace can create a Build resource, controlling the Pod generation in a namespace of their choice, including the...
CVE-2026-45760 Apache Camel K: Camel K Cross-Namespace Build Deputy Attack
Externally Controlled Reference to a Resource in Another Sphere, Authorization Bypass Through User-Controlled Key vulnerability in Apache Camel K. Authorized users in a Kubernetes namespace can create a Build resource, controlling the Pod generation in a namespace of their choice, including the...
CVE-2026-45760 Apache Camel K: Camel K Cross-Namespace Build Deputy Attack
Externally Controlled Reference to a Resource in Another Sphere, Authorization Bypass Through User-Controlled Key vulnerability in Apache Camel K. Authorized users in a Kubernetes namespace can create a Build resource, controlling the Pod generation in a namespace of their choice, including the...
CVE-2026-45760
Apache Camel K (CVE-2026-45760) contains a cross-namespace build execution vulnerability: authorized users in a Kubernetes namespace can create a Build resource that controls Pod generation in a target namespace, including the operator namespace, via externally controlled resource references and ...
CVE-2026-44068
Incomplete sanitization of extended attribute EA path components in Netatalk 2.1.0 through 4.4.2 allows a remote authenticated attacker to write to files outside the intended metadata namespace via crafted EA names...
CVE-2026-44068 EA path traversal via incomplete sanitization
Incomplete sanitization of extended attribute EA path components in Netatalk 2.1.0 through 4.4.2 allows a remote authenticated attacker to write to files outside the intended metadata namespace via crafted EA names...
MAL-2026-4489 Malicious code in auth0-templates-scripts (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1bc0f40b778be080e2a14dd0097ab772565cc570f5fd471f10e883f259be2db6 Package name 'auth0-templates-scripts' impersonates the Auth0 Okta brand without affiliation. The author field is the placeholder 'OpenSource...
Malicious code in auth0-templates-scripts (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1bc0f40b778be080e2a14dd0097ab772565cc570f5fd471f10e883f259be2db6 Package name 'auth0-templates-scripts' impersonates the Auth0 Okta brand without affiliation. The author field is the placeholder 'OpenSource...
Malicious code in n8n-nodes-pentest-rce (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2a813bc4a209e75b50151451de1c2a3c4a7e916b181b314416eafc43492b4eb5 On npm install, the package's postinstall script runs a shell pipeline that reads the Kubernetes service-account token from...
PT-2026-42459
Name of the Vulnerable Software and Affected Versions Apache Camel K versions 2.0.0 through 2.8.0 Apache Camel K versions 2.9.0 through 2.9.1 Apache Camel K versions 2.10.0 Description Authorized users in a Kubernetes namespace can create a Build resource to control Pod generation in a namespace ...
PT-2026-42589
Summary The Fission router registers an internal-style route — /fission-function/ and /fission-function// — for every Function object, independent of whether any HTTPTrigger exists for that function. The route was mounted on the same listener as user-defined HTTPTriggers svc/router, port 8888, so...
PT-2026-42606
Summary Fission runtime pods were created with ServiceAccountName: fission-fetcher, and the fission-fetcher ServiceAccount was granted namespace-wide get on secrets and configmaps it needs that to load function code, env vars, and config. The runtime pod's automounted token was reachable from...
PT-2026-42688
Name of the Vulnerable Software and Affected Versions Fission versions prior to 1.23.0 Description In pkg/builder/builder.go, the software passes the Environment.spec.builder.command variable directly into the exec.Command function after a strings.Fields split without validating the executable pa...
Netatalk 路径遍历漏洞
Netatalk is an open-source software developed by Netatalk. It provides AFP file server functionality for Classic Mac OS and macOS on Unix-like operating systems. Versions 2.1.0 to 4.4.2 of Netatalk contained a path traversal vulnerability. This vulnerability stemmed from incomplete cleanup of...
PT-2026-42605
Summary Before the round-1 security sweep, pkg/builder/builder.go passed Environment.spec.builder.command directly into exec.Command... after a strings.Fields split, with no validation of the executable path or its arguments. A user who could create or update Environment CRDs in a namespace...
PT-2026-42687
Name of the Vulnerable Software and Affected Versions Fission versions prior to 1.23.0 Description Runtime pods were configured with the fission-fetcher ServiceAccount, which possesses namespace-wide get permissions for secrets and configmaps. Because the service account token was automounted and...
MAL-2026-4525 Malicious code in claude-internal-utils (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 24a94a290c15f2b6cdaf351590455cd597bb2881f7bbcf1609fbfbd8031e491f Package name impersonates an internal Anthropic 'claude-' namespace and the description field self-identifies as 'Alex Birsan Style'...
Malicious code in @vivaux/telemetry (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e0a848407f225f6d34a9d48d9619b517c80e007c2a12c20a341e48cb7f907f81 @vivaux/[email protected] ships an empty index.js and exists only to pull in an off-registry dependency. package.json declares "ltidisafe":...
MAL-2026-4463 Malicious code in @vivaux/telemetry (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e0a848407f225f6d34a9d48d9619b517c80e007c2a12c20a341e48cb7f907f81 @vivaux/[email protected] ships an empty index.js and exists only to pull in an off-registry dependency. package.json declares "ltidisafe":...
Malicious code in cb-wallet-http (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e8d704c0a6a48da0e2fef8eddcd1f98e7d380c3e19f22753f3df51d9893f60ce Package name mimics Coinbase's internal cb-wallet- namespace to capture dependency-confusion resolutions. On npm install postinstall.js and on...