113 matches found
EUVD-2026-41842
Improper Input Validation, Unintended Proxy or Intermediary 'Confused Deputy' vulnerability in Apache Camel DAPR component. The camel-dapr Dapr Pub/Sub consumer DaprPubSubConsumer copied two fields from each inbound CloudEvent - its Pub/Sub component name and its topic - into the...
CVE-2026-49086 Apache Camel Dapr: Pub/Sub consumer copied the inbound CloudEvent's pub/sub-name and topic into producer-direction routing headers, allowing an actor who can publish to the subscribed topic to influence internal behaviour
Improper Input Validation, Unintended Proxy or Intermediary 'Confused Deputy' vulnerability in Apache Camel DAPR component. The camel-dapr Dapr Pub/Sub consumer DaprPubSubConsumer copied two fields from each inbound CloudEvent - its Pub/Sub component name and its topic - into the...
Malicious code in @mastra/google-cloud-pubsub (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f1bd3f8519d6016a066d4268dae0e9c0d20ca87350cc759832b6053128a5b8d8 The package was found to contain malicious code or consuming dependency that contains malicious code Source: ghsa-malware...
MAL-2026-6024 Malicious code in @mastra/google-cloud-pubsub (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f1bd3f8519d6016a066d4268dae0e9c0d20ca87350cc759832b6053128a5b8d8 The package was found to contain malicious code or consuming dependency that contains malicious code Source: ghsa-malware...
GHSA-MRHX-6PW9-Q5FH PhoenixStorybook has cross-session PubSub topic injection via URL parameter
Summary The storybook iframe LiveView accepts a PubSub topic from the URL query string and broadcasts its own pid onto that topic with no check that the topic belongs to the current session. Any unauthenticated visitor who knows or guesses another user's playground topic can hijack the...
PhoenixStorybook has cross-session PubSub topic injection via URL parameter
Summary The storybook iframe LiveView accepts a PubSub topic from the URL query string and broadcasts its own pid onto that topic with no check that the topic belongs to the current session. Any unauthenticated visitor who knows or guesses another user's playground topic can hijack the...
Klever-Go KVM: Unauthenticated remote node crash (nil-pointer DoS) in klever-go P2P transaction interceptor (txVersionChecker nil RawData) - potential chain halt
Summary Every transaction gossiped on the klever-go P2P network is decoded and validated synchronously inside the libp2p pubsub topic-validator callback. The validator txVersionChecker.CheckTxVersion dereferences tx.RawData.Version with no nil check. A protobuf Transaction whose embedded RawData...
PT-2026-48345
Summary Every transaction gossiped on the klever-go P2P network is decoded and validated synchronously inside the libp2p pubsub topic-validator callback. The validator txVersionChecker.CheckTxVersion dereferences tx.RawData.Version with no nil check. A protobuf Transaction whose embedded RawData...
CVE-2026-47068
Authorization Bypass Through User-Controlled Key vulnerability in phenixdigital phoenixstorybook allows cross-session PubSub topic injection via a URL query parameter. 'Elixir.PhoenixStorybook.Story.ComponentIframeLive':handleparams/3 in lib/phoenixstorybook/live/story/componentiframelive.ex read...
CVE-2026-47068
Authorization Bypass Through User-Controlled Key vulnerability in phenixdigital phoenixstorybook allows cross-session PubSub topic injection via a URL query parameter. 'Elixir.PhoenixStorybook.Story.ComponentIframeLive':handleparams/3 in lib/phoenixstorybook/live/story/componentiframelive.ex read...
CVE-2026-47068
Authorization Bypass Through User-Controlled Key vulnerability in phenixdigital phoenixstorybook allows cross-session PubSub topic injection via a URL query parameter. 'Elixir.PhoenixStorybook.Story.ComponentIframeLive':handleparams/3 in lib/phoenixstorybook/live/story/componentiframelive.ex read...
CVE-2026-47068 Cross-session PubSub topic injection via URL parameter in phoenix_storybook
Authorization Bypass Through User-Controlled Key vulnerability in phenixdigital phoenixstorybook allows cross-session PubSub topic injection via a URL query parameter. 'Elixir.PhoenixStorybook.Story.ComponentIframeLive':handleparams/3 in lib/phoenixstorybook/live/story/componentiframelive.ex read...
CVE-2026-47068
The vulnerability is an Authorization Bypass in phoenix_storybook: Elixir.PhoenixStorybook.Story.ComponentIframeLive reads topic from params and broadcasts the iframe process PID on that PubSub topic without verifying session ownership, enabling cross-session topic injection. An attacker can load...
EEF-CVE-2026-47068 Cross-session PubSub topic injection via URL parameter in phoenix_storybook
Summary Authorization Bypass Through User-Controlled Key vulnerability in phenixdigital phoenix\storybook allows cross-session PubSub topic injection via a URL query parameter. 'Elixir.PhoenixStorybook.Story.ComponentIframeLive':handle\params/3 in...
PhoenixStorybook 安全漏洞
PhoenixStorybook is an open-source component display and interaction debugging UI tool developed by Phenix Digital. Versions of PhoenixStorybook from 0.4.0 to 1.1.0 contained security vulnerabilities. These vulnerabilities stemmed from bypassing authorization using user-controlled keys. Attackers...
PT-2026-42177
Name of the Vulnerable Software and Affected Versions phoenix storybook versions 0.4.0 through 1.0.x Description An authorization bypass occurs due to user-controlled keys, allowing cross-session PubSub topic injection via a URL query parameter. The function handle params/3 in...
ch.sbb:spring-cloud-stream-binder-solace (>=8.0.0 <=9.0.2), cn.herodotus.dante:dante-authentication-autoconfigure (>=4.0.0.0-M2 <=4.0.0.0-M3) +157 more potentially affected by CVE-2026-40990 via org.springframework.cloud:spring-cloud-function-context (>=5.0.0-M1 <=5.0.1)
org.springframework.cloud:spring-cloud-function-context MAVEN version =5.0.0-M1, =8.0.0, =4.0.0.0-M2, =4.0.0.0-M2, =4.0.0.0-M2, =6.0.0-beta.2, =6.0.0-beta.2, =6.0.0-beta.2, =6.0.0-beta.2, =6.0.0-beta.2, =6.0.0-beta.2, =1.0.0, =1.0.0, =2.0.0-RC1, =8.0.4 and more S...
ch.sbb:spring-cloud-stream-binder-solace (>=8.0.0 <=9.0.2), cn.herodotus.dante:dante-authentication-autoconfigure (>=4.0.0.0-M2 <=4.0.0.0-M3) +157 more potentially affected by CVE-2026-40989 via org.springframework.cloud:spring-cloud-function-context (>=5.0.0-M1 <=5.0.1)
org.springframework.cloud:spring-cloud-function-context MAVEN version =5.0.0-M1, =8.0.0, =4.0.0.0-M2, =4.0.0.0-M2, =4.0.0.0-M2, =6.0.0-beta.2, =6.0.0-beta.2, =6.0.0-beta.2, =6.0.0-beta.2, =6.0.0-beta.2, =6.0.0-beta.2, =1.0.0, =1.0.0, =2.0.0-RC1, =8.0.4 and more S...
org.apache.camel.kafkaconnector:camel-google-pubsub-kafka-connector (>=0.1.0 <=0.11.5), org.apache.camel.kafkaconnector:camel-google-pubsub-sink-kafka-connector (>=1.0.0 <=4.14.5) +13 more potentially affected by CVE-2026-40453 via org.apache.camel:camel-google-pubsub (>=3.0.0-M1 <=4.14.5)
org.apache.camel:camel-google-pubsub MAVEN version =3.0.0-M1, =0.1.0, =1.0.0, =1.0.0, =3.19.0, =4.10.2, =0.9.0, =4.10.3, =4.10.3, =1.0.0, =1.0.0, =1.0.0, =1.5.0, =3.0.0, =3.0.0-M1, =3.0.0-RC3 - org.qubership.integration.platform:qip-e...
Improper Handling of Case Sensitivity
Overview Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity due to a flaw in the default filtering mechanism HeaderFilterStrategy that only blocks headers starting with specific prefixes. An attacker can execute arbitrary code and write files by injecting...