Lucene search
K

965 matches found

SUSE CVE
SUSE CVE
added 2026/04/17 12:4 p.m.7 views

SUSE CVE-2026-6383

A flaw was found in KubeVirt's Role-Based Access Control RBAC evaluation logic. The authorization mechanism improperly truncates subresource names, leading to incorrect permission evaluations. This allows authenticated users with specific custom roles to gain unauthorized access to subresources,...

5.4CVSS5.7AI score0.0015EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/04/16 12:0 a.m.9 views

PT-2026-34843

Name of the Vulnerable Software and Affected Versions Kyverno versions prior to 1.17.2 Description A flaw in the ConfigMap context loader allows for cross-namespace privilege escalation. The configMap.namespace field lacks validation, enabling a namespace administrator to read ConfigMaps from any...

7.7CVSS5.8AI score0.00266EPSS
Exploits2References8
NVD
NVD
added 2026/04/15 7:16 p.m.5 views

CVE-2026-6383

A flaw was found in KubeVirt's Role-Based Access Control RBAC evaluation logic. The authorization mechanism improperly truncates subresource names, leading to incorrect permission evaluations. This allows authenticated users with specific custom roles to gain unauthorized access to subresources,...

5.4CVSS0.0015EPSS
Exploits0References2
Veracode
Veracode
added 2026/04/15 6:19 a.m.10 views

Improper Authentication And Authorization

kubevirt.io/kubevirt is vulnerable to improper authentication and authorization. The vulnerability is due to improper validation of the Common Name CN field in client TLS certificates during mTLS authentication, which allows an attacker to bypass RBAC controls by impersonating the Kubernetes API...

4.7CVSS6.8AI score0.00139EPSS
Exploits1References5Affected Software1
Positive Technologies
Positive Technologies
added 2026/04/13 12:0 a.m.6 views

PT-2026-32404

Apache Airflow versions 3.0.0 through 3.1.8 DagRun wait endpoint returns XCom result values even to users who only have DAG Run read permissions, such as the Viewer role.This behavior conflicts with the FAB RBAC model, which treats XCom as a separate protected resource, and with the security mode...

6.5CVSS6AI score0.00685EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/04/13 12:0 a.m.4 views

PT-2026-32433

Execution with Unnecessary Privileges CWE-250 in Kibana’s Fleet plugin debug route handlers can lead reading index data beyond their direct Elasticsearch RBAC scope via Privilege Abuse CAPEC-122. This requires an authenticated Kibana user with Fleet sub-feature privileges such as agents, agent...

7.7CVSS5.8AI score0.003EPSS
Exploits0References3
NVD
NVD
added 2026/04/09 10:16 a.m.6 views

CVE-2026-34538

Apache Airflow versions 3.0.0 through 3.1.8 DagRun wait endpoint returns XCom result values even to users who only have DAG Run read permissions, such as the Viewer role.This behavior conflicts with the FAB RBAC model, which treats XCom as a separate protected resource, and with the security mode...

6.5CVSS0.00685EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/04/09 9:9 a.m.2 views

CVE-2026-34538

Apache Airflow versions 3.0.0 through 3.1.8 DagRun wait endpoint returns XCom result values even to users who only have DAG Run read permissions, such as the Viewer role.This behavior conflicts with the FAB RBAC model, which treats XCom as a separate protected resource, and with the security mode...

6.5CVSS6AI score0.00685EPSS
Exploits0References3Affected Software1
Vulnrichment
Vulnrichment
added 2026/04/09 9:9 a.m.3 views

CVE-2026-34538 Apache Airflow: Authorization bypass in DagRun wait endpoint (XCom exposure)

Apache Airflow versions 3.0.0 through 3.1.8 DagRun wait endpoint returns XCom result values even to users who only have DAG Run read permissions, such as the Viewer role.This behavior conflicts with the FAB RBAC model, which treats XCom as a separate protected resource, and with the security mode...

6AI score0.00685EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/04/09 12:0 a.m.7 views

Apache Airflow 安全漏洞

Apache Airflow is an open-source platform developed by the Apache Foundation in the United States. It allows for the creation, management, and monitoring of workflows. This platform features scalability and dynamic monitoring capabilities. Versions of Apache Airflow from 3.0.0 to 3.1.8 contain...

6.5CVSS5.8AI score0.00685EPSS
Exploits0References3
EUVD
EUVD
added 2026/04/08 7:15 p.m.5 views

EUVD-2026-20481

CI4MS has a Hidden Items Authorization Bypass in Fileeditor Allows Reading Secrets and Writing Protected Files...

6.7CVSS5.9AI score0.00471EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/04/08 4:38 p.m.22 views

CVE-2026-4498 Execution with Unnecessary Privileges in Kibana Leading to reading index data beyond their direct Elasticsearch RBAC scope

Execution with Unnecessary Privileges CWE-250 in Kibana’s Fleet plugin debug route handlers can lead reading index data beyond their direct Elasticsearch RBAC scope via Privilege Abuse CAPEC-122. This requires an authenticated Kibana user with Fleet sub-feature privileges such as agents, agent...

7.7CVSS0.003EPSS
Exploits0References1
GithubExploit
GithubExploit
added 2026/04/06 5:33 p.m.271 views

Exploit for CVE-2026-33186

CVE-2026-33186 gRPC-Go RBAC Authorization Policy Bypass via M...

9.1CVSS6AI score0.01557EPSS
Exploits1
Cvelist
Cvelist
added 2026/04/01 9:30 p.m.21 views

CVE-2026-34570 CI4MS: Account Deletion Module Full Persistent Unauthorized Access for All‑Roles via Improper Session Invalidation (Logic Flaw)

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to immediately revoke active user sessions when an account is deleted. Due to a logic flaw in the backend...

8.8CVSS0.00502EPSS
Exploits1References2
Amazon
Amazon
added 2026/04/01 12:0 a.m.7 views

Important: ecs-service-connect-agent

Issue Overview: Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, the Envoy RBAC Role-Based Access Control filter contains a logic vulnerability in how it validates HTTP headers when multiple values are present for the same header name. Instead o...

8.2CVSS5.9AI score0.00388EPSS
Exploits4
Tenable Nessus
Tenable Nessus
added 2026/04/01 12:0 a.m.4 views

Amazon Linux 2 : ecs-service-connect-agent, --advisory ALAS2ECS-2026-100 (ALASECS-2026-100)

The version of ecs-service-connect-agent installed on the remote host is prior to v1.34.13.0-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2ECS-2026-100 advisory. Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and...

8.2CVSS6AI score0.00388EPSS
Exploits4References12
Tenable Nessus
Tenable Nessus
added 2026/04/01 12:0 a.m.3 views

Amazon Linux 2023 : ecs-service-connect-agent (ALAS2023-2026-1532)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1532 advisory. Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, the Envoy RBAC Role-Based Access Control filter contains a logic vulnerability in how it...

8.2CVSS5.9AI score0.00388EPSS
Exploits4References12
GithubExploit
GithubExploit
added 2026/03/28 12:45 p.m.144 views

hays-london-azure-platform-2-poc

Hays London Azure Platform Engineer POC — AKS Operations & Pla...

6AI score
Exploits0
RedhatCVE
RedhatCVE
added 2026/03/26 2:57 p.m.5 views

CVE-2026-26308

Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, the Envoy RBAC Role-Based Access Control filter contains a logic vulnerability in how it validates HTTP headers when multiple values are present for the same header name. Instead of validating eac...

8.2CVSS5.8AI score0.00293EPSS
Exploits1References1
OSV
OSV
added 2026/03/26 2:16 p.m.7 views

DEBIAN-CVE-2026-33343

etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42, 3.5.28, and 3.6.9, an authenticated user with RBAC restricted permissions on key ranges can use nested transactions to bypass all key-level authorization. This allows any authenticated user with...

6.5CVSS5.4AI score0.0021EPSS
Exploits0References1
Rows per page
Query Builder