4203 matches found
Improper Cleanup Of Namespace Data
OpenBao is vulnerable to improper cleanup of namespace data.The vulnerability is due to incomplete cleanup when retries occur after an initial namespace deletion failure, which allows an attacker to potentially retain access to outstanding leases or leave residual storage entries that should have...
Path Traversal
lakeFS is vulnerable to Path Traversal. The vulnerability is due to insufficient path validation in verifyRelPath within pkg/block/local/adapter.go, where strings.HasPrefix is used to validate storage paths without enforcing path boundaries. This allows authenticated users to use path traversal...
Improper Network Access Control
github.com/ctfer-io/fullchain is vulnerable to improper network access control. The vulnerability is due to a misconfigured inter-namespace NetworkPolicy, which allows a malicious actor to pivot from a compromised application to Pods outside the original namespace...
SUSE CVE-2026-42186
OpenBao is an open source identity-based secrets management system. Prior to 2.5.3, when OpenBao's initial namespace deletion fails, subsequent retries fail to properly remove all data before marking the namespace as deleted. This can affect any outstanding leases as well as potentially leaving...
EUVD-2026-30488
The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. Prior to 1.7.7, the Registry's HTTP-based namespace verification POST /v0/auth/http, POST /v0.1/auth/http uses safeDialContext internal/api/handlers/v0/auth/http.go:67-110 to refuse dialling...
CVE-2026-44430
The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. Prior to 1.7.7, the Registry's HTTP-based namespace verification POST /v0/auth/http, POST /v0.1/auth/http uses safeDialContext internal/api/handlers/v0/auth/http.go:67-110 to refuse dialling...
CVE-2026-45781 MCP Registry: OCI ownership validation fails open on upstream rate limits, allowing attacker-controlled package claims
The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. Prior to 1.7.9, OCI ownership validation skips label-match check when upstream OCI registry returns HTTP 429, letting any authenticated publisher bind their io.github./ namespace to OCI images the...
CVE-2026-45781 MCP Registry: OCI ownership validation fails open on upstream rate limits, allowing attacker-controlled package claims
The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. Prior to 1.7.9, OCI ownership validation skips label-match check when upstream OCI registry returns HTTP 429, letting any authenticated publisher bind their io.github./ namespace to OCI images the...
CVE-2026-45781
The CVE-2026-45781 issue affects the MCP Registry: before 1.7.9, OCI ownership validation can skip the label-match check when upstream OCI registry responses are HTTP 429. This allows an authenticated publisher to bind their io.github./* namespace to OCI images they do not control because the lab...
Open WebUI: Low-privilege authenticated users can enumerate and stop global background tasks, causing system-wide chat disruption
Summary Any authenticated user with low privileges can enumerate active background tasks across the system and stop tasks belonging to other users via the GET /api/tasks and POST /api/tasks/stop/taskid methods. This allows a casual user to disrupt system-wide chat usage by continuously canceling...
MAL-2026-3749 Malicious code in @webapp-next/store (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector cbad3803cdda40845fe2aa64e0963b9293f9ee523b3f9205a354da2ae1e317bf package.json declares "preinstall": "node index.js", which runs automatically on npm install. index.js collects os.hostname, os.platform, os.arch,...
CVE-2026-42186
OpenBao is an open source identity-based secrets management system. Prior to 2.5.3, when OpenBao's initial namespace deletion fails, subsequent retries fail to properly remove all data before marking the namespace as deleted. This can affect any outstanding leases as well as potentially leaving...
CVE-2026-42457 vCluster Platform: Stored XSS can lead to privilege escalation
vCluster Platform provides a Kubernetes platform for managing virtual clusters, multi-tenancy, and cluster sharing. Prior to 4.4.3, 4.5.5, 4.6.2, 4.7.1, and 4.8.0, there is a Stored XSS attack vulnerability via the name field of a templateRef. This can lead to the execution of arbitrary external...
CVE-2026-42457
Affected software: vCluster Platform. Component/issue: Stored XSS via the name field of a templateRef (root cause: stored XSS in templateRef name). Impact: could lead to arbitrary script execution in the platform’s browser context and, in the worst case, privilege escalation by creating a new Glo...
CVE-2026-42186 OpenBao's Namespace Deletion May Not Delete Data Properly
OpenBao is an open source identity-based secrets management system. Prior to 2.5.3, when OpenBao's initial namespace deletion fails, subsequent retries fail to properly remove all data before marking the namespace as deleted. This can affect any outstanding leases as well as potentially leaving...
CVE-2026-42186 OpenBao's Namespace Deletion May Not Delete Data Properly
OpenBao is an open source identity-based secrets management system. Prior to 2.5.3, when OpenBao's initial namespace deletion fails, subsequent retries fail to properly remove all data before marking the namespace as deleted. This can affect any outstanding leases as well as potentially leaving...
EUVD-2026-30298
OpenBao is an open source identity-based secrets management system. Prior to 2.5.3, when OpenBao's initial namespace deletion fails, subsequent retries fail to properly remove all data before marking the namespace as deleted. This can affect any outstanding leases as well as potentially leaving...
CVE-2026-42186
OpenBao is an open source identity-based secrets management system. Prior to 2.5.3, when OpenBao's initial namespace deletion fails, subsequent retries fail to properly remove all data before marking the namespace as deleted. This can affect any outstanding leases as well as potentially leaving...
CVE-2026-42186
OpenBao is an open source identity-based secrets management system. Prior to 2.5.3, when OpenBao's initial namespace deletion fails, subsequent retries fail to properly remove all data before marking the namespace as deleted. This can affect any outstanding leases as well as potentially leaving...
CVE-2026-42186
OpenBao vulnerability CVE-2026-42186 affects the OpenBao identity-based secrets manager where, before v2.5.3, if the initial namespace deletion fails, subsequent retries do not fully remove data before marking the namespace deleted. This can leave outstanding leases and unrelated storage entries....