SUSE CVE-2026-40923

Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 1.0.0 and prior to versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1, a validation bypass in the VolumeMount path restriction allows mounting volumes under restricted /tekton/ internal pat...

EUVD-2026-25163

Vite+ is a unified toolchain and entry point for web development. Prior to version 0.1.17, downloadPackageManager accepts an untrusted version string and uses it directly in filesystem paths. A caller can supply ../ segments or an absolute path to escape the VPHOME/packagemanager// cache root and...

OpenClaw 安全漏洞

OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.3.31 contained security vulnerabilities. These vulnerabilities stemmed from authorization bypasses in Discord’s slash commands and autocompleted paths, which failed to enforce...

PT-2026-34803

Name of the Vulnerable Software and Affected Versions melange versions 0.32.0 through 0.43.3 Description An attacker capable of influencing a configuration file, such as in build-as-a-service or pull-request-driven CI scenarios, can manipulate the pipeline.uses variable to include absolute paths ...

CVE-2026-35348

The sort utility in uutils coreutils is vulnerable to a process panic when using the --files0-from option with inputs containing non-UTF-8 filenames. The implementation enforces UTF-8 encoding and utilizes expect, causing an immediate crash when encountering valid but non-UTF-8 paths. This diverg...

CVE-2026-35338

A vulnerability in the chmod utility of uutils coreutils allows users to bypass the --preserve-root safety mechanism. The implementation only validates if the target path is literally / and does not canonicalize the path. An attacker or accidental user can use path variants such as /../ or symbol...

CVE-2026-35338 uutils coreutils chmod Path Traversal Bypass of --preserve-root

A vulnerability in the chmod utility of uutils coreutils allows users to bypass the --preserve-root safety mechanism. The implementation only validates if the target path is literally / and does not canonicalize the path. An attacker or accidental user can use path variants such as /../ or symbol...

Iperius Backup 缓冲区错误漏洞

Iperius Backup is a backup tool developed by the Italian company Iperius Backup. Version 5.8.1 of Iperius Backup contains a buffer overflow vulnerability. This vulnerability stems from an issue with the structured exception handling mechanism, which can lead to a local buffer overflow. As a resul...

Linux kernel 安全漏洞

The Linux kernel is the kernel used by the Linux operating system developed by the Linux Foundation in the United States. There is a security vulnerability in the Linux kernel, which stems from multiple sysfs command paths accessing contextsarr0 without verifying the contexts-nr, potentially...

Linux Distros Unpatched Vulnerability : CVE-2026-35348

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The sort utility in uutils coreutils is vulnerable to a process panic when using the --files0-from option with inputs containing non-UTF-8 filenames. The...

Unity Linux 20.1060a / 20.1070a Security Update: kernel (UTSA-2026-013724)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-013724 advisory. In the Linux kernel, the following vulnerability has been resolved: media: dvb-usb: fix memory leak in dvbusbadapterinit Syzbot reports a memory leak in...

CVE-2026-41059 OAuth2 Proxy has an Authentication Bypass via Fragment Confusion in skip_auth_routes and skip_auth_regex

OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions 7.5.0 through 7.15.1 have a configuration-dependent authentication bypass. Deployments are affected when all of the following are true: Use of skipauthroutes or the legacy skipauthregex; use of patterns...

CVE-2026-41064 AVideo has an incomplete fix for CVE-2026-33502 (Command Injection)

WWBN AVideo is an open source video platform. In versions up to and including 29.0, an incomplete fix for AVideo's test.php adds escapeshellarg for wget but leaves the filegetcontents and curl code paths unsanitized, and the URL validation regex /^http/ accepts strings like httpevil.com. Commit...

CVE-2026-40923

Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 1.0.0 and prior to versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1, a validation bypass in the VolumeMount path restriction allows mounting volumes under restricted /tekton/ internal pat...

CVE-2026-40923 Tekton Pipelines: VolumeMount path restriction bypass via missing filepath.Clean in /tekton/ check

Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 1.0.0 and prior to versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1, a validation bypass in the VolumeMount path restriction allows mounting volumes under restricted /tekton/ internal pat...

CVE-2026-40923

CVE-2026-40923 affects Tekton Pipelines. Before v1.11.1, a validation bypass in the VolumeMount path restriction lets mounting volumes under restricted /tekton/ paths by exploiting .. path traversal components. The check relies on strings.HasPrefix instead of filepath.Clean, allowing inputs like ...

CVE-2026-40923

Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 1.0.0 and prior to versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1, a validation bypass in the VolumeMount path restriction allows mounting volumes under restricted /tekton/ internal pat...

CVE-2026-40923 Tekton Pipelines: VolumeMount path restriction bypass via missing filepath.Clean in /tekton/ check

Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 1.0.0 and prior to versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1, a validation bypass in the VolumeMount path restriction allows mounting volumes under restricted /tekton/ internal pat...

CVE-2026-40938

Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 1.0.0 and prior to versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1, the git resolver's revision parameter is passed directly as a positional argument to git fetch without any validation...

Tekton Pipeline: Git Resolver Unsanitized Revision Parameter Enables git Argument Injection Leading to RCE

Summary The git resolver's revision parameter is passed directly as a positional argument to git fetch without any validation that it does not begin with a - character. Because git parses flags from mixed positional arguments, an attacker can inject arbitrary git fetch flags such as --upload-pack...