GHSA-5FXQ-QCF3-244W Portainer has an endpoint security bypass via Swarm service create/update

Summary Portainer enforces seven EndpointSecuritySettings restrictions that administrators configure to restrict the container configurations non-admin users can launch: privileged mode, host PID namespace, device mapping, capabilities, sysctls, security-opt Seccomp / AppArmor, and bind mounts. T...

Portainer has an endpoint security bypass via Swarm service create/update

Summary Portainer enforces seven EndpointSecuritySettings restrictions that administrators configure to restrict the container configurations non-admin users can launch: privileged mode, host PID namespace, device mapping, capabilities, sysctls, security-opt Seccomp / AppArmor, and bind mounts. T...

Missing Authorization

Overview github.com/portainer/portainer/api/http/proxy/factory/docker is a management UI which allows to manage different Docker environments. Affected versions of this package are vulnerable to Missing Authorization in the enforcement of endpoint security restrictions for non-admin users on Dock...

CVE-2026-44511

Katalyst Koi (Rails admin framework) had a session-cookie handling flaw: before versions 4.20.0 and 5.6.0, admin session cookies were not invalidated at logout, allowing an attacker with a valid cookie to access admin functionality after logout until expiration or rotation. Affected versions incl...

EUVD-2026-30329

Katalyst Koi is a framework for building Rails admin functionality. Prior to 4.20.0 and 5.6.0, admin session cookies were not invalidated when an admin user logged out. An attacker with access to a valid admin session cookie could continue to access admin functionality after logout, until the...

CVE-2026-44511

Katalyst Koi is a framework for building Rails admin functionality. Prior to 4.20.0 and 5.6.0, admin session cookies were not invalidated when an admin user logged out. An attacker with access to a valid admin session cookie could continue to access admin functionality after logout, until the...

CVE-2026-44511 Katalyst Koi: Session cookies can be replayed after user logout

Katalyst Koi is a framework for building Rails admin functionality. Prior to 4.20.0 and 5.6.0, admin session cookies were not invalidated when an admin user logged out. An attacker with access to a valid admin session cookie could continue to access admin functionality after logout, until the...

CVE-2026-44511 Katalyst Koi: Session cookies can be replayed after user logout

Katalyst Koi is a framework for building Rails admin functionality. Prior to 4.20.0 and 5.6.0, admin session cookies were not invalidated when an admin user logged out. An attacker with access to a valid admin session cookie could continue to access admin functionality after logout, until the...

CVE-2026-20182 Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability

May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and fixed after the was disclosed in February 2026. This new advisory is for a new vulnerability in the control connection handshaking. The section of this advisory includes Show...

CVE-2026-20182

Cisco Catalyst SD-WAN Controller (vSmart) and SD-WAN Manager (vManage) are affected by CVE-2026-20182, a critical authentication bypass in the DTLS vdaemon challenge flow. The issue permits a remote, unauthenticated attacker to masquerade as a trusted peer by sending a CHALLENGE_ACK with device t...

CVE-2026-20182 Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability

May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and fixed after the was disclosed in February 2026. This new advisory is for a new vulnerability in the control connection handshaking. The section of this advisory includes Show...

EUVD-2026-30324

May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and fixed after the was disclosed in February 2026. This new advisory is for a new vulnerability in the control connection handshaking. The section of this advisory includes Show...

Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability

May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and fixed after the Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability...

The Dark Side of Efficiency: When Network Controllers Become "God Mode" for Attackers

Imagine you build a massive corporate campus with every security control money can buy. Blast resistant doors. Biometric scanners. Guards at every entrance. Maybe something similar to the infamous Death Star. On paper, it looks fantastic. Then, somewhere along the way, somebody decides the...

CVE-2026-41935

Vvveb before 1.0.8.3 contains an uncontrolled recursion vulnerability in the admin controller dispatch cycle where Base::init repeatedly invokes permission on error handlers, causing infinite recursion until PHP memory limits are exhausted. Attackers can send sustained requests to forbidden admin...

CVE-2026-42457

vCluster Platform provides a Kubernetes platform for managing virtual clusters, multi-tenancy, and cluster sharing. Prior to 4.4.3, 4.5.5, 4.6.2, 4.7.1, and 4.8.0, there is a Stored XSS attack vulnerability via the name field of a templateRef. This can lead to the execution of arbitrary external...

CVE-2026-41933

Vvveb before 1.0.8.3 contains a directory listing information disclosure vulnerability that allows unauthenticated attackers to enumerate files and directories by accessing multiple paths lacking proper index directives in .htaccess files. Attackers can access directories such as admin asset path...

CVE-2026-21730

Verba is affected by a Stored Cross-Site Scripting XSS vulnerability within its login logging mechanism. When an unauthenticated remote attacker attempts to log in using an incorrect username and password combination, the supplied username value is recorded in the application logs. Due to lack of...

Exploit for CVE-2026-6145

CVE-2026-6145 — User Registration & Membership for WordPress:...

CVE-2026-42457 vCluster Platform: Stored XSS can lead to privilege escalation

vCluster Platform provides a Kubernetes platform for managing virtual clusters, multi-tenancy, and cluster sharing. Prior to 4.4.3, 4.5.5, 4.6.2, 4.7.1, and 4.8.0, there is a Stored XSS attack vulnerability via the name field of a templateRef. This can lead to the execution of arbitrary external...