Lucene search
K

965 matches found

Github Security Blog
Github Security Blog
added 2026/05/04 8:1 p.m.8 views

Argo Affected by SSO RBAC Delegation Nil Pointer Dereference DoS (gatekeeper.go)

Summary A nil pointer dereference in server/auth/gatekeeper.go rbacAuthorization causes a panic denial of service for SSO users whose claims match a namespace-level RBAC rule but not an SSO-namespace rule, when SSODELEGATERBACTONAMESPACE=true. Details When getServiceAccountclaims, ssoNamespace...

6.5CVSS5.9AI score0.00377EPSS
Exploits1References5Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/04 12:0 a.m.10 views

PT-2026-37171

Name of the Vulnerable Software and Affected Versions Argo Workflows versions 4.0.0 through 4.0.4 Description A nil pointer dereference in the rbacAuthorization function within server/auth/gatekeeper.go can lead to a denial of service for SSO users. This occurs when SSO DELEGATE RBAC TO NAMESPACE...

6.5CVSS5.8AI score0.00377EPSS
Exploits1References12
Positive Technologies
Positive Technologies
added 2026/05/01 12:0 a.m.23 views

PT-2026-38402

Name of the Vulnerable Software and Affected Versions etcd versions prior to 3.4.44 etcd versions prior to 3.5.30 etcd versions prior to 3.6.11 Description etcd is a distributed key-value store for distributed system data. A flaw allows authenticated users without sufficient read or lease-related...

4.3CVSS5.8AI score0.00225EPSS
Exploits0References16
Citrix
Citrix
added 2026/04/28 12:0 p.m.12 views

XenServer Security Update for Multiple Issues

Severity: High Description of Problem Several issues have been identified that affect XenServer 8.4. These are: An issue that may, in some circumstances, allow a malicious privileged user in a guest VM to compromise the host. This issue has the following identifier: CVE-2026-23558 An issue that m...

9.4CVSS5.4AI score0.00191EPSS
Exploits0
OSV
OSV
added 2026/04/28 8:39 a.m.4 views

BIT-AIRFLOW-2026-38743 Apache Airflow: Dags endpoint might provide access to otherwise inaccessible entities

The authenticated /ui/dags endpoint did not enforce per-DAG access control on embedded Human-in-the-Loop HITL and TaskInstance records: a logged-in Airflow user with read access to at least one DAG could retrieve HITL prompts including their request parameters and full TaskInstance details for DA...

4.3CVSS5.3AI score0.00352EPSS
Exploits0References4
SUSE CVE
SUSE CVE
added 2026/04/28 1:35 a.m.8 views

SUSE CVE-2026-41068

Kyverno is a policy engine designed for cloud native platform engineering teams. The patch for CVE-2026-22039 fixed cross-namespace privilege escalation in Kyverno's apiCall context by validating the URLPath field. However, the ConfigMap context loader has the identical vulnerability - the...

7.7CVSS5.4AI score0.00266EPSS
Exploits2References3
Packet Storm News
Packet Storm News
added 2026/04/28 12:0 a.m.7 views

From CRUD to Autonomous Agents: Formal Validation and Zero-Trust Security for Semantic Gateways in AI-Native Enterprise Systems

Enterprise software engineering is shifting away from deterministic CRUD/REST architectures toward AI-native systems where large language models act as cognitive orchestrators. This transition introduces a critical security tension: probabilistic LLMs weaken classical mechanisms for validation,...

5.3AI score
Exploits0
Github Security Blog
Github Security Blog
added 2026/04/24 3:32 p.m.9 views

Apache Airflow's authenticated /ui/dags endpoint did not enforce per-DAG access control on embedded Human-in-the-Loop (HITL) and TaskInstance record

The authenticated /ui/dags endpoint did not enforce per-DAG access control on embedded Human-in-the-Loop HITL and TaskInstance records: a logged-in Airflow user with read access to at least one DAG could retrieve HITL prompts including their request parameters and full TaskInstance details for DA...

4.3CVSS5.8AI score0.00352EPSS
Exploits0References6Affected Software1
EUVD
EUVD
added 2026/04/24 3:19 p.m.12 views

EUVD-2026-25280

Contour has Lua code injection via Cookie Path Rewrite Policy...

8.1CVSS5.3AI score0.00481EPSS
Exploits0References7
Github Security Blog
Github Security Blog
added 2026/04/24 3:19 p.m.14 views

Contour has Lua code injection via Cookie Path Rewrite Policy

Impact Contour's Cookie Rewriting feature is vulnerable to Lua code injection. An attacker with RBAC permissions to create or modify HTTPProxy resources can craft a malicious value in the following fields that results in arbitrary code execution in the Envoy proxy: -...

8.1CVSS6.3AI score0.00481EPSS
Exploits0References11Affected Software1
NVD
NVD
added 2026/04/24 1:16 p.m.11 views

CVE-2026-38743

The authenticated /ui/dags endpoint did not enforce per-DAG access control on embedded Human-in-the-Loop HITL and TaskInstance records: a logged-in Airflow user with read access to at least one DAG could retrieve HITL prompts including their request parameters and full TaskInstance details for DA...

4.3CVSS0.00352EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/04/24 3:14 a.m.16 views

CVE-2026-41068 Kyverno: Cross-Namespace Read Bypasses RBAC Isolation (CVE-2026-22039 Incomplete Fix)

Kyverno is a policy engine designed for cloud native platform engineering teams. The patch for CVE-2026-22039 fixed cross-namespace privilege escalation in Kyverno's apiCall context by validating the URLPath field. However, the ConfigMap context loader has the identical vulnerability — the...

7.7CVSS8.6AI score0.00516EPSS
Exploits2References2
ATTACKERKB
ATTACKERKB
added 2026/04/24 3:14 a.m.3 views

CVE-2026-41068

Kyverno is a policy engine designed for cloud native platform engineering teams. The patch for CVE-2026-22039 fixed cross-namespace privilege escalation in Kyverno's apiCall context by validating the URLPath field. However, the ConfigMap context loader has the identical vulnerability — the...

9.9CVSS7.5AI score0.00516EPSS
Exploits2References3Affected Software1
EUVD
EUVD
added 2026/04/24 3:14 a.m.6 views

EUVD-2026-25382

Kyverno is a policy engine designed for cloud native platform engineering teams. The patch for CVE-2026-22039 fixed cross-namespace privilege escalation in Kyverno's apiCall context by validating the URLPath field. However, the ConfigMap context loader has the identical vulnerability — the...

9.9CVSS7.5AI score0.00516EPSS
Exploits2References2
Vulnrichment
Vulnrichment
added 2026/04/23 6:44 p.m.4 views

CVE-2026-41246 Contour: Lua code injection via Cookie Path Rewrite Policy

Contour is a Kubernetes ingress controller using Envoy proxy. From v1.19.0 to before v1.33.4, v1.32.5, and v1.31.6, Contour's Cookie Rewriting feature is vulnerable to Lua code injection. An attacker with RBAC permissions to create or modify HTTPProxy resources can craft a malicious value in...

8.1CVSS6.3AI score0.00481EPSS
Exploits0References4
EUVD
EUVD
added 2026/04/20 12:32 p.m.5 views

EUVD-2026-23837

A security flaw has been discovered in Yifang CMS up to 2.0.5. The impacted element is the function store of the file plugins/yifangbackendaccount/logic/admin/Lrbacadmin.php of the component Extended Management Module. The manipulation of the argument Account results in cross site scripting. The...

5.1CVSS4.1AI score0.00253EPSS
Exploits0References5
NVD
NVD
added 2026/04/20 12:16 p.m.4 views

CVE-2026-6633

A security flaw has been discovered in Yifang CMS up to 2.0.5. The impacted element is the function store of the file plugins/yifangbackendaccount/logic/admin/Lrbacadmin.php of the component Extended Management Module. The manipulation of the argument Account results in cross site scripting. The...

5.1CVSS0.00253EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/04/20 11:15 a.m.39 views

CVE-2026-6633 Yifang CMS Extended Management L_rbac_admin.php store cross site scripting

A security flaw has been discovered in Yifang CMS up to 2.0.5. The impacted element is the function store of the file plugins/yifangbackendaccount/logic/admin/Lrbacadmin.php of the component Extended Management Module. The manipulation of the argument Account results in cross site scripting. The...

5.1CVSS0.00253EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/04/20 11:15 a.m.4 views

CVE-2026-6633 Yifang CMS Extended Management L_rbac_admin.php store cross site scripting

A security flaw has been discovered in Yifang CMS up to 2.0.5. The impacted element is the function store of the file plugins/yifangbackendaccount/logic/admin/Lrbacadmin.php of the component Extended Management Module. The manipulation of the argument Account results in cross site scripting. The...

5.1CVSS4.1AI score0.00253EPSS
Exploits0References4
Snyk
Snyk
added 2026/04/18 1:7 a.m.4 views

Arbitrary Argument Injection

Overview Affected versions of this package are vulnerable to Arbitrary Argument Injection via unsanitized volumeHandle and mounttargetip fields. An attacker can inject unauthorized mount options by supplying specially crafted values to these fields when creating a PersistentVolume, resulting in...

7.7CVSS5.9AI score0.00424EPSS
Exploits0References2
Rows per page
Query Builder