CVE-2026-32285 vulnerabilities
Vulnerabilities for packages: rclone, goreleaser, eksctl, opentelemetry-collector-contrib, dgraph, dagger, nfpm, maru, k8sgpt, lazygit, k3s, terraform-mcp-server, grafana-alloy, datadog-agent, redpanda, gitlab-runner, grafana, weaviate, prometheus, tempo, minio, witness, loki, teleport, ollama,...
CVE-2026-32287 vulnerabilities
Vulnerabilities for packages: crossplane-provider-family-azure, crossplane-provider-aws-ec2, crossplane-provider-aws-lambda, crossplane-provider-aws-memorydb, crossplane-provider-aws-cloudwatchlogs, crossplane-provider-aws-sns, crossplane-provider-azure-storage,...
Elastic OTel Java 1.10.0 Security Update (ESA-2026-22 / GHSA-xw7x-h9fj-p2c7)
Dependency on Vulnerable Third-Party Component in Elastic OTel Java Leading to Remote Code Execution. Dependency on Vulnerable Third-Party Component (CWE-1395) exists in Elastic OTel Java via a dependency on the OpenTelemetry Java instrumentation library. This vulnerability could allow an attacker to...
CVE-2026-33532 vulnerabilities
Vulnerabilities for packages: vitess, kibana, saf, prism, gemini-cli, opensearch-dashboards-fips, lerna, langfuse-fips, opentelemetry-auto-instrumentations-node, opensearch-dashboards, redisinsight, langfuse, tileserver-gl-fips, wazuh-dashboard, tileserver-gl, argo-workflows...
GHSA-48C2-RRV3-QJMP vulnerabilities
Vulnerabilities for packages: vitess, kibana, saf, prism, gemini-cli, opensearch-dashboards-fips, lerna, langfuse-fips, opentelemetry-auto-instrumentations-node, opensearch-dashboards, redisinsight, langfuse, tileserver-gl-fips, wazuh-dashboard, tileserver-gl, argo-workflows...
CVE-2026-33701 OpenTelemetry: Unsafe Deserialization in RMI Instrumentation may Lead to Remote Code Execution
OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. In versions prior to 2.26.1, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK version 16 and...
ROS-20260327-73-0014
Vulnerability in opentelemetry-collector-contrib related to incorrect resource initialization. Exploitation of the vulnerability may allow an attacker to cause a denial of service...
OpenTelemetry Instrumentation for Java code issue vulnerability
OpenTelemetry Instrumentation for Java is an open-source Java proxy JAR developed by OpenTelemetry. There were code-related vulnerabilities in versions of OpenTelemetry Instrumentation for Java prior to 2.26.1. These vulnerabilities stemmed from the fact that custom endpoints registered by RMI...
ROS-20260327-73-0013
Vulnerability in opentelemetry-collector-contrib related to unrestricted resource allocation. Exploitation of the vulnerability could allow an attacker acting remotely to cause a denial of service...
Deserialization of Untrusted Data
Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the RMI integration. An attacker can execute arbitrary code with the privileges of the user running the instrumented JVM by sending specially crafted serialized data to a network-exposed JMX or RMI...
com.sap.hcp.cf.logging:sample-app-spring-boot (>=3.8.5 <=4.1.0), dev.vality:shared-resources (>=4.0.0-alpha1 <=4.0.0-alpha4) +1 more potentially affected by CVE-2026-33701 via io.opentelemetry.javaagent:opentelemetry-javaagent (>=2.15.0 <=2.23.0)
io.opentelemetry.javaagent:opentelemetry-javaagent MAVEN version =2.15.0, =3.8.5, =4.0.0-alpha1, =2.5.12, =2.6.4-hadoop3 Source cves: CVE-2026-33701 Source advisory: SNYK:JAVA-IOOPENTELEMETRYJAVAAGENT-15857172...
io.opentelemetry.javaagent.instrumentation:opentelemetry-javaagent-lettuce-5.0 (=0.14.0), io.opentelemetry.javaagent.instrumentation:opentelemetry-javaagent-lettuce-5.1 (=0.14.0) +3 more potentially affected by CVE-2026-33701 via io.opentelemetry.javaagent.instrumentation:opentelemetry-javaagent (=0.14.0)
io.opentelemetry.javaagent.instrumentation:opentelemetry-javaagent MAVEN version =0.14.0 is affected by a known vulnerability. The following packages have a transitive dependency on io.opentelemetry.javaagent.instrumentation:opentelemetry-javaagent and may be impacted: -...
OpenTelemetry: Unsafe Deserialization in RMI Instrumentation may Lead to Remote Code Execution
In versions prior to 2.26.1, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. An attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. Al...
com.sap.hcp.cf.logging:sample-app-spring-boot (>=3.8.0 <=4.1.0), com.weibo:rill-flow-service (>=0.1.3 <=0.1.18) +159 more potentially affected by CVE-2026-33701 via io.opentelemetry.javaagent:opentelemetry-javaagent (>=0.12.1 <=2.23.0)
io.opentelemetry.javaagent:opentelemetry-javaagent MAVEN version =0.12.1, =3.8.0, =0.1.3, =4.0.0-alpha1, =1.9.0, =0.0.10, =0.2.1, =0.6.2, =0.6.2, =0.80.0, =0.80.0, =0.19.0, =2.5.0, =1.9.0, =1.9.0, =2.3.0 and more Source cves: CVE-2026-33701 Source advisory: OSV:GHSA-XW7X-H9FJ-P2C7...
GHSA-XW7X-H9FJ-P2C7 OpenTelemetry: Unsafe Deserialization in RMI Instrumentation may Lead to Remote Code Execution
In versions prior to 2.26.1, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. An attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. Al...
SUSE-SU-2026:1008-1 Security update for Prometheus
This update for Prometheus fixes the following issues:
golang-github-prometheus-alertmanager, golang-github-prometheus-nodeexporter:
- Internal changes to fix build issues with no impact for customers
golang-github-prometheus-prometheus:
- Security issues fixed: CVE-2026-27606: Fixed arbitrary fi...
This Week in Spring - March 24th, 2026
Hi, Spring fans! Welcome to yet another rip-roarin' installment of This Week in Spring. As usual, we've got a ton to look into, so let's dive right in! Happy 22nd birthday to Spring Framework, released this day 22 years ago! and of course, next week, 1 April 2026, marks 12 years since Spring Boot...
MiracleLinux 9 : opentelemetry-collector-0.144.0-1.el9_7 (AXSA:2026-330:02)
The remote MiracleLinux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the AXSA:2026-330:02 advisory. golang: net/url: Memory exhaustion in query parameter parsing in net/url CVE-2025-61726 crypto/tls: Unexpected session resumption in crypto/tls...
GHSA-F7CQ-GVH6-QR25 Monitoring is vulnerable to Archive Slip due to missing checks in sanitization
The sanitizeArchivePath function in pkg/extract/extract.go lines 248–254 is vulnerable to a path traversal bypass due to a missing trailing path separator in the strings.HasPrefix check. A crafted tar archive can write files outside the intended destination directory when using the extractor CLI...
AlmaLinux 9 : opentelemetry-collector (ALSA-2026:4177)
The remote AlmaLinux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the ALSA-2026:4177 advisory. golang: net/url: Memory exhaustion in query parameter parsing in net/url CVE-2025-61726 crypto/tls: Unexpected session resumption in crypto/tls...