Lucene search
K

5 matches found

CVE
CVE
added 4 days ago23 views

CVE-2026-55884

Tilt HUD server in github.com/tilt-dev/tilt is affected in versions 0.20.8–0.37.3 where the HUD HTTP server registers handlers on a gorilla/mux router without authentication. When bound to a non-loopback address, an unauthenticated network caller can trigger developer-defined Tiltfile resources, ...

9.2CVSS6.2AI score0.00397EPSS
Exploits0References4
OSV
OSV
added 4 days ago3 views

CVE-2026-55884 Tilt: Missing authentication on the network-exposed Tilt HUD server

Tilt defines dev environments as code for microservice apps on Kubernetes. From 0.20.8 through 0.37.3, the Tilt HUD HTTP server registers handlers on a gorilla/mux router with no authenticating middleware. When the HUD is bound to a non-loopback address, an unauthenticated network caller can...

9.2CVSS6.2AI score0.00397EPSS
Exploits0References6
OSV
OSV
added 2026/06/25 10:34 p.m.5 views

GO-2026-5533 Tilt: Unauthenticated pprof debug endpoints on the Tilt HUD server in github.com/tilt-dev/tilt

Tilt: Unauthenticated pprof debug endpoints on the Tilt HUD server in github.com/tilt-dev/tilt...

8.3CVSS5.9AI score0.00384EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/06/19 1:58 p.m.11 views

Tilt: Missing authentication on the network-exposed Tilt HUD server

Summary The Tilt HUD HTTP server exposes state-changing and sensitive-read endpoints with no authentication. When the HUD is bound to a non-loopback address, a network attacker can trigger the developer's pre-defined Tiltfile resources, tamper with Tiltfile arguments, read full engine state...

9.2CVSS6AI score0.00397EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2026/06/19 1:52 p.m.9 views

GHSA-P749-9W62-W533 Tilt: Unauthenticated pprof debug endpoints on the Tilt HUD server

Summary The Tilt HUD server mounts Go's net/http/pprof handlers under /debug with no access control. When the HUD is network-exposed, an attacker can read process memory — including session and apiserver tokens — and hold the process under profiling. Details A blank import of net/http/pprof...

8.3CVSS6AI score0.00384EPSS
Exploits0References4
Rows per page
Query Builder