58510 matches found
CVE-2026-42875
External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Prior to 2.4.0, Namespaced SecretStore resources that used CAProvider with type ConfigMap could resolve CA material from another namespace when caProvider.namespace w...
CVE-2026-20238
In Splunk AI Toolkit versions below 5.7.3, a low-privileged user that does not hold the 'admin' or 'power' roles could access confidential data that was restricted through srchFilter configurations on custom roles. The app contains an authorize.conf configuration file with a srchFilter entry that...
CVE-2026-44633
Live Helper Chat is an open-source application that enables live support websites. In 4.84v, the Live Helper Chat REST API chat update endpoint allows a REST user with lhchat/use to update a chat in a department they cannot read. The endpoint accepts arbitrary chat object fields, so the user can...
CVE-2026-8979
The Mennekes Amtron series firmware versions ≤ 5.22.3 is vulnerable to an authentication bypass. An unauthenticated remote attacker can change the password of the user account via a crafted POST request to the /operator/operator endpoint...
CVE-2026-35674
OpenClaw before 2026.5.18 contains a scope bypass vulnerability in the Gateway chat.send route that allows scoped clients to execute privileged commands. Attackers with operator.write scope can deliver commands through inherited external routes to bypass operator.approvals and operator.admin scop...
Omni: Operator can traverse image-factory API paths via unsanitized `talos_version` in CreateSchematic
Summary managementServer.CreateSchematic internal/backend/grpc/schematics.go passes the caller-controlled TalosVersion field directly to imageFactoryClient.OverlaysVersions, which embeds it verbatim into a fmt.Sprintf"/version/%s/overlays/official", talosVersion path template. url.URL.JoinPath...
CVE-2026-40898 vulnerabilities
Vulnerabilities for packages: dkron, opentelemetry-operator, k3s, frp, traefik, kargo, kyverno-policy-reporter-ui, q, k8sgateway, kubo, spegel, teleport, kubernetes-dns-node-cache, prometheus-blackbox-exporter, kyverno-policy-reporter, kube-metrics-adapter, ipfs-cluster...
BIT-AIRFLOW-2026-49267 Apache Airflow: No certificate validation on SMTP STARTTLS connections
Apache Airflow's EmailOperator and the underlying airflow.utils.email helpers established SMTP STARTTLS connections without verifying the remote certificate when the deployment used email smtpstarttls=True without email smtpssl. An attacker positioned between the worker and the configured SMTP...
PT-2026-46988
Summary managementServer.CreateSchematic internal/backend/grpc/schematics.go passes the caller-controlled TalosVersion field directly to imageFactoryClient.OverlaysVersions, which embeds it verbatim into a fmt.Sprintf"/version/%s/overlays/official", talosVersion path template. url.URL.JoinPath...
CVE-2026-42876 vulnerabilities
Vulnerabilities for packages: external-secrets-operator...
GHSA-WV26-88M5-6H59 vulnerabilities
Vulnerabilities for packages: external-secrets-operator...
GHSA-FQ7H-9X26-6J22 vulnerabilities
Vulnerabilities for packages: external-secrets-operator...
CVE-2026-42875 vulnerabilities
Vulnerabilities for packages: external-secrets-operator...
CVE-2026-10860 MISP CRUDComponent delete validation bypass via operator precedence error
A logic error in the MISP CRUD component delete handler allowed validation failures to be bypassed when requests used the HTTP DELETE method. Due to missing parentheses in the delete condition, the expression was evaluated as $validationError === null && POST || DELETE, meaning a DELETE request...
CVE-2026-10860
In CVE-2026-10860, a logic error in the MISP CRUD component delete handler bypasses validation due to missing parentheses in the delete condition, allowing a DELETE request to proceed even when the delete validation callback rejects the operation. An authenticated attacker with access to an affec...
CVE-2026-10860 MISP CRUDComponent delete validation bypass via operator precedence error
A logic error in the MISP CRUD component delete handler allowed validation failures to be bypassed when requests used the HTTP DELETE method. Due to missing parentheses in the delete condition, the expression was evaluated as $validationError === null && POST || DELETE, meaning a DELETE request...
CVE-2026-42875 vulnerabilities
Vulnerabilities for packages: external-secrets-operator...
GHSA-WV26-88M5-6H59 vulnerabilities
Vulnerabilities for packages: external-secrets-operator...
CVE-2026-42876 vulnerabilities
Vulnerabilities for packages: external-secrets-operator...
GHSA-FQ7H-9X26-6J22 vulnerabilities
Vulnerabilities for packages: external-secrets-operator...