EUVD-2026-32931

In Calico, the install-cni init container logs the rendered CNI configuration to standard output. When the configuration template uses the SERVICEACCOUNTTOKEN placeholder Canal/Flannel-Calico deployments, the installer substitutes the live Kubernetes ServiceAccount bearer token before logging,...

CVE-2026-28374

A flaw was found in Grafana. An authenticated editor user could exploit this vulnerability to delete any annotation, even those for which they lack read permissions. This unauthorized action compromises the integrity of data by allowing deletion of information beyond their intended access scope...

Kata Containers have VM Escape via virtiofsd Argument Injection through Default-Enabled Pod Annotations

Summary Kata Containers ships with a default configuration that allows pod creators to inject arbitrary command-line arguments into the virtiofsd process through the io.katacontainers.config.hypervisor.virtiofsextraargs pod annotation. By injecting -o source=/ along with --no-announce-submounts a...

Important: Red Hat Security Advisory: Red Hat OpenShift GitOps v1.20.4 security update

Important: Red Hat OpenShift GitOps v1.20.4 security update An update is now available for Red Hat OpenShift GitOps. Bug Fixes and Enhancements: GITOPS-8784 Service-CA annotation removed from argocd-server Service during v1.12.3 - v1.12.4 upgrade path, persists in later versions GITOPS-9549...

CyberMaskQA: A Privacy-Aware Benchmark for Evaluating Large Language Models in Cybersecurity Question Answering

Large language models LLMs are increasingly applied to cybersecurity question answering QA for critical tasks such as incident response and vulnerability analysis. However, real-world operational contexts, including system logs and network configurations, inherently contain sensitive identifiers,...

Astra Linux - уязвимость в linux-5.10

In the Linux kernel, the following vulnerability has been resolved: tick/nohz: unexport init-annotated ticknohzfullsetup EXPORTSYMBOL and init is a bad combination because the .init.text section is freed up after initialization. Hence, modules cannot use symbols annotated init. Access to a freed...

Astra Linux - уязвимость в docker.io-app

Docker Compose relies on the path information embedded in remote OCI Compose artifacts. When a layer includes the annotations com.dockercompose.extends or com.dockercompose.envfile, Compose incorporates the value provided by the attacker from com.dockercompose.file/com.dockercompose.envfile into...

Mantis Bug Tracker 信息泄露漏洞

Mantis Bug Tracker MantisBT is an open-source bug tracker developed by Mantis Bug Tracker. Versions of Mantis Bug Tracker prior to 2.28.1 contained a vulnerability related to information leakage. This vulnerability stemmed from allowing incorrect annotators to access the revised pages of...

Kong Ingress Controller for Kubernetes (KIC): Cross-namespace TLS Secret Exfiltration in Gateways with GatewayClass missing `konghq.com/gatewayclass-unmanaged: 'true'` annotation

Summary A vulnerability in the Kong Ingress Controller KIC allows for the unauthorized exfiltration of TLS certificates and private keys across Kubernetes namespace boundaries. In "managed" mode where the GatewayClass lacks an unmanaged annotation, the Gateway TLS translator skips critical status...

GHSA-RG3G-4RW9-GQRP Argo CD: Kubernetes Secret Extraction via ArgoCD ServerSideDiff via sensitive annotations

Summary The original fix for GHSA-3v3m-wc6v-x4x3 is incomplete. argocd app diff --server-side-diff can still expose Kubernetes Secret values embedded in the kubectl.kubernetes.io/last-applied-configuration annotation. The prior fix masks top-level Secret data in ServerSideDiff responses, but it...

GHSA-XM96-GFJX-JCRC ORAS Java: Path traversal in pullArtifact via attacker-controlled org.opencontainers.image.title annotation

Summary The pullArtifact methods in Registry and OCILayout use the org.opencontainers.image.title annotation from a pulled manifest as a filename, resolving it against the caller supplied output directory without normalization or a containment check. A manifest publisher can set this annotation t...

ORAS Java: Path traversal in pullArtifact via attacker-controlled org.opencontainers.image.title annotation

Summary The pullArtifact methods in Registry and OCILayout use the org.opencontainers.image.title annotation from a pulled manifest as a filename, resolving it against the caller supplied output directory without normalization or a containment check. A manifest publisher can set this annotation t...

MAL-2026-3933 Malicious code in @antv/g-plugin-annotation (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

PT-2026-41971

Summary The original fix for GHSA-3v3m-wc6v-x4x3 is incomplete. argocd app diff --server-side-diff can still expose Kubernetes Secret values embedded in the kubectl.kubernetes.io/last-applied-configuration annotation. The prior fix masks top-level Secret data in ServerSideDiff responses, but it...

jsondiffpatch 跨站脚本漏洞

jsondiffpatch is a software developed by Benjamín Eidelman, designed for differentiating and patching JavaScript object functions. Versions of jsondiffpatch prior to 0.7.6 contained a cross-site scripting vulnerability. This vulnerability stemmed from improper cleaning of JSON values and property...

CVE-2026-44369

CVAT is an open source interactive video and image annotation tool for computer vision. From 2.5.0 to 2.63.0, an attacker who is able to create or edit an annotation guide on a task is able to add malicious JavaScript code, which will then run in the browser of anyone who opens this annotation...

SUSE CVE-2026-28374

Editors could delete any annotation, even those they do not have read access to. The editor user cannot create or read the annotations...

CVE-2026-44369

CVAT is an open source interactive video and image annotation tool for computer vision. From 2.5.0 to 2.63.0, an attacker who is able to create or edit an annotation guide on a task is able to add malicious JavaScript code, which will then run in the browser of anyone who opens this annotation...

CVE-2026-44369

CVAT is an open source interactive video and image annotation tool for computer vision. From 2.5.0 to 2.63.0, an attacker who is able to create or edit an annotation guide on a task is able to add malicious JavaScript code, which will then run in the browser of anyone who opens this annotation...

CVE-2026-44369

CVAT (open source annotation tool) is affected by CVE-2026-44369: from versions 2.5.0 through 2.63.0, an attacker who can create or edit an annotation guide on a task can inject malicious JavaScript that runs in the browser of anyone viewing that guide. The injected code can perform arbitrary req...