CVE-2026-5241
A vulnerability in the LightGlue model loading path of huggingface/transformers version 5.2.0 allows an attacker-controlled model repository to execute arbitrary code during model initialization. The issue arises because the `trust_remote_code` parameter, intended to prevent remote code execution, is...
CVE-2026-45366 typescript-utcp: SSRF via attacker-controlled OpenAPI servers[0].url in HTTP communication protocol
typescript-utcp is a TypeScript implementation of UTCP. Prior to 1.1.2, the @utcp/http package is vulnerable to a blind Server-Side Request Forgery (SSRF) caused by a trust-boundary inconsistency between manual discovery and tool invocation. registerManual validates the discovery URL against an HTT...
EUVD-2022-1548
Malicious code in bioql PyPI...
Improper Access Control
github.com/clastix/kamaji is vulnerable to Improper Access Control. The vulnerability is due to inadequate use of an "open at the top" range definition in RBAC for etcd roles, which allows some TCPs API servers to read, write, and delete data of other control planes...
RBAC Roles for `etcd` created by Kamaji are not disjunct
Summary: Using an "open at the top" range definition in RBAC for etcd roles leads to some TCPs API servers being able to read, write and delete the data of other control planes. Details: The problematic code is this:...
CVE-2024-42480
Kamaji is the Hosted Control Plane Manager for Kubernetes. In versions 1.0.0 and earlier, Kamaji uses an "open at the top" range definition in RBAC for etcd roles leading to some TCPs API servers being able to read, write, and delete the data of other control planes. This vulnerability is fixed i...
CVE-2024-42480 Kamaji's RBAC Roles for `etcd` are not disjunct
Kamaji is the Hosted Control Plane Manager for Kubernetes. In versions 1.0.0 and earlier, Kamaji uses an "open at the top" range definition in RBAC for etcd roles leading to some TCPs API servers being able to read, write, and delete the data of other control planes. This vulnerability is fixed i...
CVE-2024-42480
CVE-2024-42480 describes a vulnerability in Kamaji (Hosted Control Plane Manager for Kubernetes) where versions 1.0.0 and earlier use an "open at the top" range definition in RBAC for etcd roles. This misconfiguration allows certain TCP API servers to read, write, and delete data belonging to oth...
Apache CloudStack Security Vulnerability
Apache CloudStack is a suite of Infrastructure-as-a-Service (IaaS) cloud computing platforms from the Apache USA Foundation. The platform is primarily used to deploy and manage large networks of virtual machines. Apache CloudStack suffers from a security vulnerability that stems from improper...
Commando Cat: A Novel Cryptojacking Attack Abusing Docker Remote API Servers
We analyze a cryptojacking attack campaign exploiting exposed Docker remote API servers to deploy cryptocurrency miners, using Docker images from the open-source Commando project...
Zod denial of service vulnerability during email validation
Impact: API servers running express-zod-api having: - a version of express-zod-api below 10.0.0-beta1, - and using the following or similar validation schema in its implementation: `z.string().email()`, are vulnerable to a DoS attack due to: - Inefficient Regular Expression Complexity in zod versions up t...
GHSA-MVRP-3CVX-C325 Zod denial of service vulnerability during email validation
Impact: API servers running express-zod-api having: - a version of express-zod-api below 10.0.0-beta1, - and using the following or similar validation schema in its implementation: `z.string().email()`, are vulnerable to a DoS attack due to: - Inefficient Regular Expression Complexity in zod versions up t...
kube-apiserver: Aggregated API server can cause clients to be redirected (SSRF)
A security issue was discovered in kube-apiserver that allows an aggregated API server to redirect client traffic to any URL. This issue leads to the client performing unexpected actions and forwarding the client's API server credentials to third parties...
Fedora: Security Advisory for golang-k8s-kube-aggregator (FEDORA-2022-37aef44d1e)
The remote host is missing an update for golang-k8s-kube-aggregator...
[SECURITY] Fedora 35 Update: golang-k8s-kube-aggregator-1.22.0-4.fc35
Aggregator for Kubernetes-style API servers: dynamic registration, discovery summarization, secure proxy...
Fedora: Security Advisory for golang-k8s-kube-aggregator (FEDORA-2022-fae3ecee19)
The remote host is missing an update for golang-k8s-kube-aggregator...
[SECURITY] Fedora 36 Update: golang-k8s-kube-aggregator-1.22.0-4.fc36
Aggregator for Kubernetes-style API servers: dynamic registration, discovery summarization, secure proxy...
380K Kubernetes API Servers Exposed to Public Internet
More than 380,000 Kubernetes API servers allow some kind of access to the public internet, making the popular open-source container-orchestration engine for managing cloud deployments an easy target and broad attack surface for threat actors, researchers have found. The Shadowserver Foundation...
Fedora: Security Advisory for golang-k8s-kube-aggregator (FEDORA-2022-3a63897745)
The remote host is missing an update for golang-k8s-kube-aggregator...
GHSA-VPMW-77VM-4MJG Cross-site Scripting in Cipi
Cipi 3.1.15 allows Add Server stored cross-site scripting via the /api/servers name field...