15 matches found

NCSC
added 2026/05/15 9:27 a.m. | 10 views

Vulnerabilities are handled in GitLab through GitLab Inc.

GitLab Inc. has addressed several vulnerabilities in GitLab Community Edition (CE) and Enterprise Edition (EE) in various versions, particularly in releases from version 8.3 to 18.11.3. These vulnerabilities concern various components and functions within GitLab, including Jira integration, container...

CVSS 8.7 | AI score 5.8 | EPSS 0.00064
Exploits: 0 | References: 1

GithubExploit
added 2026/04/14 6:26 a.m. | 95 views

Exploit for CVE-2026-35517

CVE-2026-35517 - Pi-hole FTLDNS Remote Code Execution via Newl...

CVSS 8.8 | AI score 6.5 | EPSS 0.00127
Exploits: 2

Vulnrichment
added 2026/04/07 3:16 p.m. | 1 views

CVE-2026-35517 Pi-hole FTL affected by Remote Code Execution (RCE) via dns.upstreams Newline Injection

FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the upstream DNS servers configuration parameter (dns.upstreams). This vulnerability allows a...

CVSS 8.8 | AI score 6.2 | EPSS 0.00127
Exploits: 2 | References: 1

CVE
added 2026/04/07 3:16 p.m. | 4 views

CVE-2026-35517

Pi-hole FTL (FTLDNS) contains a Remote Code Execution flaw from 6.0 up to before 6.6 in the upstream DNS servers configuration (dns.upstreams). An authenticated attacker can inject arbitrary dnsmasq directives via newline characters, leading to command execution on the host. The issue is fixed in...

CVSS 8.8 | AI score 6.2 | EPSS 0.00127
Exploits: 2 | References: 1 | Affected Software: 1

ATTACKERKB
added 2026/04/07 3:16 p.m. | 0 views

CVE-2026-35517

FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the upstream DNS servers configuration parameter (dns.upstreams). This vulnerability allows a...

CVSS 8.8 | AI score 6.2 | EPSS 0.00127
Exploits: 2 | References: 2 | Affected Software: 1

EUVD
added 2026/04/07 3:16 p.m. | 0 views

EUVD-2026-19684

FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the upstream DNS servers configuration parameter (dns.upstreams). This vulnerability allows a...

CVSS 8.8 | AI score 6.2 | EPSS 0.00127
Exploits: 2 | References: 1

Positive Technologies
added 2026/04/03 12:0 a.m. | 3 views

PT-2026-30865

Name of the Vulnerable Software and Affected Versions: FTLDNS (pihole-FTL) versions 6.0 through 6.5. Description: The Pi-hole FTL engine contains a Remote Code Execution (RCE) issue in the upstream DNS servers configuration parameter (dns.upstreams). An authenticated attacker can inject arbitrary dnsmasq...

CVSS 9 | AI score 6.2 | EPSS 0.00127
Exploits: 2 | References: 7

SUSE CVE
added 2026/02/05 12:26 a.m. | 6 views

SUSE CVE-2026-1642

A vulnerability exists in NGINX OSS and NGINX Plus when configured to proxy to upstream Transport Layer Security (TLS) servers. An attacker with a man-in-the-middle (MITM) position on the upstream server side, along with conditions beyond the attacker's control, may be able to inject plain text data in...

CVSS 5.9 | AI score 5.5 | EPSS 0.00021
Exploits: 0 | References: 11

OpenVAS
added 2024/10/07 12:0 a.m. | 11 views

Unbound DNS Resolver < 1.21.1 DoS Vulnerability

Unbound DNS Resolver is prone to a denial of service (DoS) vulnerability. SPDX-FileCopyrightText: 2024 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE =...

CVSS 5.3 | AI score 6.5 | EPSS 0.00163
Exploits: 0 | References: 1

OPENSUSE Linux
added 2022/06/15 12:0 a.m. | 47 views

Security update for caddy (moderate)

openSUSE Security Update: Security update for caddy Announcement ID: openSUSE-SU-2022:10007-1 Rating: moderate References: 1200279 Cross-References: CVE-2022-297182 Affected Products: openSUSE Backports SLE-15-SP4 An update that fixes one vulnerability is now available. Description: This update f...

CVSS 6.1 | AI score 6.2 | EPSS 0.00283
Exploits: 0 | References: 1

OSV
added 2022/06/10 6:1 p.m. | 6 views

OPENSUSE-SU-2022:10007-1 Security update for caddy

This update for caddy fixes the following issues: Update to version 2.5.1: Fixed regression in Unix socket admin endpoints. Fixed regression in caddy trust commands. Hash-based load balancing policies iphash, urihash, header, and cookie use an improved highest-random-weight HRW algorithm for...

CVSS 6.1 | AI score 6.1 | EPSS 0.00283
Exploits: 0 | References: 3

Github Security Blog
added 2021/09/10 5:54 p.m. | 40 views

Incorrect handling of H2 GOAWAY + SETTINGS frames

Envoy, which Pomerium is based on, can abnormally terminate if an H/2 GOAWAY and SETTINGS frame are received in the same IO event. Impact: This can lead to a DoS in the presence of untrusted upstream servers. Patches: 0.15.1 contains an upgraded envoy binary with this vulnerability patched...

CVSS 8.6 | AI score 7.6 | EPSS 0.00668
Exploits: 0 | References: 5 | Affected Software: 1

Prion
added 2021/09/09 10:15 p.m. | 25 views

Design/Logic Flaw

Pomerium is an open source identity-aware access proxy. Envoy, which Pomerium is based on, can abnormally terminate if an H/2 GOAWAY and SETTINGS frame are received in the same IO event. This can lead to a DoS in the presence of untrusted upstream servers. 0.15.1 contains an upgraded envoy binary...

CVSS 5 | AI score 8.4 | EPSS 0.00668
Exploits: 0 | References: 3 | Affected Software: 2

NVD
added 2021/07/09 9:15 p.m. | 10 views

CVE-2021-36371

Emissary-Ingress (formerly Ambassador API Gateway) through 1.13.9 allows attackers to bypass client certificate requirements (i.e., mTLS cert_required) on backend upstreams when more than one TLSContext is defined and at least one configuration exists that does not require client certificate...

CVSS 4.3 | EPSS 0.001
Exploits: 1 | References: 2

CVE
added 2021/07/09 8:19 p.m. | 71 views

CVE-2021-36371

CVE-2021-36371 is reported for Emissary-Ingress (formerly Ambassador API Gateway). The vulnerability allows bypassing client certificate requirements (mTLS cert_required) on backend upstreams when more than one TLSContext exists and any configuration does not require client cert authentication. T...

CVSS 4.3 | AI score 4.3 | EPSS 0.001
Exploits: 1 | References: 2 | Affected Software: 1