58554 matches found
CVE-2026-22683
Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions via the backend API. Although Operators are documented and priced as unable to create or modify entities,...
CVE-2026-22683 Windmill < 1.615.0 Operator Role Missing Authorization Checks RCE
Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions via the backend API. Although Operators are documented and priced as unable to create or modify entities,...
CVE-2026-22683 Windmill < 1.615.0 Operator Role Missing Authorization Checks RCE
Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions via the backend API. Although Operators are documented and priced as unable to create or modify entities,...
CVE-2026-22683
CVE-2026-22683 affects Windmill versions 1.56.0–1.614.0, where missing authorization checks on the Operator role allow prohibited entity creation and modification via the backend API. Operators can create/update scripts, flows, apps, and raw_apps, and can execute scripts via the jobs API, enablin...
Security Bulletin: IBM App Connect Enterprise Certified Container operator is vulnerable to denial of service (CVE-2026-25518)
Summary Golang module cert-manager/cert-manager is used by IBM App Connect Enterprise Certified Container for interacting with the Kubernetes cluster cert-manager. IBM App Connect Enterprise Certified Container operator is vulnerable to denial of service. This bulletin provides patch information ...
Security Bulletin: IBM App Connect Enterprise Certified Container operands are vulnerable to loss of confidentiality (CVE-2025-64718)
Summary Node.js module js-yaml is used by IBM App Connect Enterprise Certified Container for parsing YAML data. IBM App Connect Enterprise Certified Container operands are vulnerable to loss of confidentiality. This bulletin provides patch information to address the reported vulnerability in...
CLEANSTART-2026-HX94762 attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing
Multiple security vulnerabilities affect the prometheus-operator package. An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing. See references for individual vulnerability details...
Windmill 安全漏洞
Windmill is a low-code development platform open-source by Windmill Labs, Inc. Versions of Windmill from 1.56.0 to 1.614.0 contain security vulnerabilities. These vulnerabilities stem from lack of authorization, which may allow users with the Operator role to perform prohibited entity creation an...
PT-2026-30913
Name of the Vulnerable Software and Affected Versions Windmill versions 1.56.0 through 1.614.0 Description Windmill versions 1.56.0 through 1.614.0 have a missing authorization vulnerability. Users with the Operator role can perform prohibited entity creation and modification actions via the...
CVE-2026-34217
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, a scope modification vulnerability exists in @nyariv/sandboxjs. The vulnerability allows untrusted sandboxed code to leak internal interpreter objects through the new operator, exposing sandbox scope objects in the scope hierarchy to...
CVE-2026-34217
CVE-2026-34217 (SandboxJS) affects @nyariv/sandboxjs
CVE-2026-34217 SandboxJS has a Sandbox Escape via Prop Object Leak in New Handler
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, a scope modification vulnerability exists in @nyariv/sandboxjs. The vulnerability allows untrusted sandboxed code to leak internal interpreter objects through the new operator, exposing sandbox scope objects in the scope hierarchy to...
CVE-2026-34217 SandboxJS has a Sandbox Escape via Prop Object Leak in New Handler
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, a scope modification vulnerability exists in @nyariv/sandboxjs. The vulnerability allows untrusted sandboxed code to leak internal interpreter objects through the new operator, exposing sandbox scope objects in the scope hierarchy to...
CLEANSTART-2026-SQ68600 Security fixes for CVE-2023-45288, CVE-2024-24786, CVE-2024-45338, CVE-2025-22868, CVE-2025-22869, CVE-2025-22872, CVE-2025-47911, CVE-2025-47913, CVE-2025-47914, CVE-2025-58181, CVE-2025-58190, CVE-2025-65637, ghsa-4f99-4q7p-p3gh, ghsa-4v7x-pqxf-cx7m, ghsa-6v2p-p543-phr9, ghsa-8r3f-844c-mc37, ghsa-f6x5-jh6r-wrfv, ghsa-hcg3-q754-cr77, ghsa-j5w8-q4qc-rx2x, ghsa-qxp5-gwg8-xv66, ghsa-v778-237x-gjrc, ghsa-vvgc-356p-c3xw applied in versions: 1.18.2-r0
Multiple security vulnerabilities affect the kube-fluentd-operator package. These issues are resolved in later releases. See references for individual vulnerability details...
CLEANSTART-2026-WI06218 Security fixes for CVE-2026-25679, CVE-2026-27139, CVE-2026-27142 applied in versions: 1.15.1-r0
Multiple security vulnerabilities affect the postgres-operator-fips package. These issues are resolved in later releases. See references for individual vulnerability details...
CLEANSTART-2026-KT25851 Security fixes for CVE-2025-61727, CVE-2025-61729, CVE-2025-61732, CVE-2025-68121, ghsa-f6x5-jh6r-wrfv, ghsa-j5w8-q4qc-rx2x applied in versions: 0.87.0-r0, 0.87.0-r1, 0.88.0-r1
Multiple security vulnerabilities affect the prometheus-operator-fips package. These issues are resolved in later releases. See references for individual vulnerability details...
CVE-2026-34717
OpenProject is an open-source, web-based project management software. Prior to version 17.2.3, the =n operator in modules/reporting/lib/report/operator.rb:177 embeds user input directly into SQL WHERE clauses without parameterization. This issue has been patched in version 17.2.3...
GHSA-HG73-4W7G-Q96W SandboxJS: Sandbox Escape via Prop Object Leak in New Handler
Description A scope modification vulnerability exists in @nyariv/sandboxjs version 0.8.35 and below. The vulnerability allows untrusted sandboxed code to leak internal interpreter objects through the new operator, exposing sandbox scope objects in the scope hierarchy to untrusted code; an...
SandboxJS: Sandbox Escape via Prop Object Leak in New Handler
Description A scope modification vulnerability exists in @nyariv/sandboxjs version 0.8.35 and below. The vulnerability allows untrusted sandboxed code to leak internal interpreter objects through the new operator, exposing sandbox scope objects in the scope hierarchy to untrusted code; an...
GHSA-G374-MGGX-P6XC OpenClaw: Incomplete scope-clearing fix allows operator.admin escalation via trusted-proxy auth mode
Summary Incomplete scope-clearing fix allows operator.admin escalation via trusted-proxy auth mode Current Maintainer Triage - Normalized severity: high - Assessment: v2026.3.28 still misses trusted-proxy scope clearing for non-Control-UI clients, so self-declared operator scopes can survive on a...