Improper Network Access Control

github.com/ctfer-io/fullchain is vulnerable to improper network access control. The vulnerability is due to a misconfigured inter-namespace NetworkPolicy, which allows a malicious actor to pivot from a compromised application to Pods outside the original namespace...

SUSE CVE-2026-32720

The CTFer.io Monitoring component is in charge of the collection, process and storage of various signals i.e. logs, metrics and distributed traces. Prior to 0.2.1, due to a mis-written NetworkPolicy, a malicious actor can pivot from a component to any other namespace. This breaks the...

CVE-2026-33726 Cilium L7 proxy may bypass Kubernetes NetworkPolicy for same-node traffic

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.17.14, 1.18.8, and 1.19.2, Ingress Network Policies are not enforced for traffic from pods to L7 Services Envoy, GAMMA with a local backend on the same node, when Per-Endpoint Routing is...

CVE-2026-33726 Cilium L7 proxy may bypass Kubernetes NetworkPolicy for same-node traffic

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.17.14, 1.18.8, and 1.19.2, Ingress Network Policies are not enforced for traffic from pods to L7 Services Envoy, GAMMA with a local backend on the same node, when Per-Endpoint Routing is...

GO-2026-4715 Fullchain's Invalid NetworkPolicy enables a malicious actor to pivot into another namespace in github.com/ctfer-io/fullchain

Fullchain's Invalid NetworkPolicy enables a malicious actor to pivot into another namespace in github.com/ctfer-io/fullchain...

GO-2026-4714 Romeo's invalid NetworkPolicy enables a malicious actor to pivot into another namespace in github.com/ctfer-io/romeo/environment/deploy

Romeo's invalid NetworkPolicy enables a malicious actor to pivot into another namespace in github.com/ctfer-io/romeo/environment/deploy. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing...

Cilium L7 proxy may bypass Kubernetes NetworkPolicy for same-node traffic

Impact Ingress Network Policies are not enforced for traffic from pods to L7 Services Envoy, GAMMA with a local backend on the same node, when Per-Endpoint Routing is enabled and BPF Host Routing is disabled. Per-Endpoint Routing is disabled by default, but is automatically enabled in deployments...

EUVD-2026-16503

Cilium L7 proxy may bypass Kubernetes NetworkPolicy for same-node traffic...

CVE-2026-32768

Chall-Manager is a platform-agnostic system able to start Challenges on Demand of a player. In versions prior to 0.6.5, due to a miswritten NetworkPolicy, a malicious actor can pivot from an instance to any Pod out of the origin namespace. This breaks the security-by-default property expected as...

CVE-2026-32768 Chall-Manager's invalid NetworkPolicy enables a malicious actor to pivot into another namespace

Chall-Manager is a platform-agnostic system able to start Challenges on Demand of a player. In versions prior to 0.6.5, due to a miswritten NetworkPolicy, a malicious actor can pivot from an instance to any Pod out of the origin namespace. This breaks the security-by-default property expected as...

CVE-2026-32769 Fullchain's Invalid NetworkPolicy enables a malicious actor to pivot into another namespace

Fullchain is an umbrella project for deploying a ready-to-use CTF platform. In versions prior to 0.1.1, due to a mis-written NetworkPolicy, a malicious actor can pivot from a subverted application to any Pod out of the origin namespace. The flawed inter-ns NetworkPolicy breaks the...

CVE-2026-32737 Romeo's invalid NetworkPolicy enables a malicious actor to pivot into another namespace

Romeo gives the capability to reach high code coverage of Go ≥1.20 apps by helping to measure code coverage for functional and integration tests within GitHub Actions. Prior to version 0.2.1, due to a mis-written NetworkPolicy, a malicious actor can pivot from the "hardened" namespace to any Pod...

Fullchain's Invalid NetworkPolicy enables a malicious actor to pivot into another namespace

Impact Due to a mis-written NetworkPolicy, a malicious actor can pivot from a subverted application to any Pod out of the origin namespace. This breaks the security-by-default property expected as part of the deployment program, leading to a potential lateral movement. Patch Removing the inter-ns...

GHSA-HXM7-9Q36-C77F Fullchain's Invalid NetworkPolicy enables a malicious actor to pivot into another namespace

Impact Due to a mis-written NetworkPolicy, a malicious actor can pivot from a subverted application to any Pod out of the origin namespace. This breaks the security-by-default property expected as part of the deployment program, leading to a potential lateral movement. Patch Removing the inter-ns...

PT-2026-25851

Name of the Vulnerable Software and Affected Versions Romeo versions prior to 0.2.1 Description Romeo is a tool designed to measure code coverage for Go applications within GitHub Actions. A misconfigured NetworkPolicy allows a malicious actor to move from the "hardened" namespace to any other Po...

EUVD-2018-2949

Malware in sbrugna...

EUVD-2021-26894

Malware in sbrugna...

CVE-2023-39347 Cilium NetworkPolicy bypass via pod labels

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. An attacker with the ability to update pod labels can cause Cilium to apply incorrect network policies. This issue arises due to the fact that on pod update, Cilium incorrectly uses user-provided pod labels...

CVE-2023-39347 Cilium NetworkPolicy bypass via pod labels

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. An attacker with the ability to update pod labels can cause Cilium to apply incorrect network policies. This issue arises due to the fact that on pod update, Cilium incorrectly uses user-provided pod labels...

CVE-2021-3586

A flaw was found in servicemesh-operator. The NetworkPolicy resources installed for Maistra do not properly specify which ports may be accessed, allowing access to all ports on these resources from any pod. The highest threat from this vulnerability is to data confidentiality and integrity as wel...