GHSA-7CWM-FPFH-RRCH Ironic Standalone Operator's prometheus metrics exporter bound to all interfaces

Impact The Ironic Standalone Operator IRSO is the operator to maintain an Ironic deployment for Metal3. The Prometheus metrics exporter binds to 0.0.0.0 all network interfaces by default with no authentication. The default config is disabled. If enabled, this exposes operational metrics to any ho...

CVE-2026-46430

Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server bound to 0.0.0.0:5553 on Linux/macOS by default because the platform-dependent host default in engine/flags.go:39-46 set host = "" for non-Windows, and utils.JoinHostPort"", ":5553" resolves to ":5553"...

CVE-2026-46430

Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server bound to 0.0.0.0:5553 on Linux/macOS by default because the platform-dependent host default in engine/flags.go:39-46 set host = "" for non-Windows, and utils.JoinHostPort"", ":5553" resolves to ":5553"...

Astra Linux - уязвимость в linux-5.10

In the Linux kernel, the following vulnerability has been resolved: In isotp.bind, a check for the CAN address family was added. This prevents bindings that use non-AFCAN address families from being allowed. The Syzbot team created some code that matches the correct sockaddr structure size, but i...

PT-2026-42207

Summary The SSE event server bound to 0.0.0.0:5553 on Linux/macOS by default because the platform-dependent host default in engine/flags.go:39-46 set host = "" for non-Windows, and utils.JoinHostPort"", ":5553" resolves to ":5553" — a Go http.Server.Addr of ":5553" listens on every interface. On...

GHSA-22QR-RP27-J9WM PenPot MCP REPL server binds to 0.0.0.0 with unauthenticated /execute endpoint — RCE

Summary The MCP module's ReplServer binds to all interfaces 0.0.0.0:4403 and exposes a /execute endpoint that runs arbitrary code with zero authentication. Anyone on the network can POST JavaScript and it runs on the server. The main PenpotMcpServer was partially fixed for a similar binding issue...

CVE-2026-47356

Terrascan v1.18.3 and prior are vulnerable to Server-Side Request Forgery SSRF via the webhookurl parameter in the file scan endpoint POST /v1/iac/iacVersion/cloud/local/file/scan when running in server mode. An unauthenticated remote attacker can supply an arbitrary URL as the webhookurl multipa...

Algernon: Auto-refresh SSE event server binds to all interfaces with Access-Control-Allow-Origin: * and no authentication

Summary When auto-refresh is enabled, Algernon spins up an SSE handler that streams a data: line for every filesystem event under the watched directory. The handler performs no authentication of any kind — no shared token, no cookie check against the permissions2 userstate, no IP allow-list, no...

PT-2026-42034

Summary The MCP module's ReplServer binds to all interfaces 0.0.0.0:4403 and exposes a /execute endpoint that runs arbitrary code with zero authentication. Anyone on the network can POST JavaScript and it runs on the server. The main PenpotMcpServer was partially fixed for a similar binding issue...

CVE-2026-7301

CVE-2026-7301 affects the SGLang multicast/multimodal generation runtime (sglang). The vulnerability stems from the ROUTER socket binding to 0.0.0.0 by default and a sink that calls pickle.loads() on incoming messages, enabling remote code execution when exposed to the internet. Affected componen...

EUVD-2026-30765

SGLangs multimodal generation runtime scheduler's ROUTER socket binds to 0.0.0.0 by default and contains a sink that calls pickle.loads on incoming messages, enabling RCE when exposed to the internet...

CVE-2026-7301 CVE-2026-7301

SGLangs multimodal generation runtime scheduler's ROUTER socket binds to 0.0.0.0 by default and contains a sink that calls pickle.loads on incoming messages, enabling RCE when exposed to the internet...

CVE-2026-7301

SGLangs multimodal generation runtime scheduler's ROUTER socket binds to 0.0.0.0 by default and contains a sink that calls pickle.loads on incoming messages, enabling RCE when exposed to the internet...

CVE-2026-7301 CVE-2026-7301

SGLangs multimodal generation runtime scheduler's ROUTER socket binds to 0.0.0.0 by default and contains a sink that calls pickle.loads on incoming messages, enabling RCE when exposed to the internet...

PT-2026-41668

SGLangs multimodal generation runtime scheduler's ROUTER socket binds to 0.0.0.0 by default and contains a sink that calls pickle.loads on incoming messages, enabling RCE when exposed to the internet...

Linux Distros Unpatched Vulnerability : CVE-2026-42503

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - gopls by default communicates via pipe. However, -port and -listen flags are supported as means of debugging. If -listen is given a value without an explicit ho...

EUVD-2026-27872

gopls by default communicates via pipe. However, -port and -listen flags are supported as means of debugging. If -listen is given a value without an explicit host e.g. :8080, or -port is used, gopls will listen on 0.0.0.0. As a result, users might inadvertently cause gopls to bind 0.0.0.0. This...

CVE-2026-42503

gopls by default communicates via pipe. However, -port and -listen flags are supported as means of debugging. If -listen is given a value without an explicit host e.g. :8080, or -port is used, gopls will listen on 0.0.0.0. As a result, users might inadvertently cause gopls to bind 0.0.0.0. This...

CVE-2026-42503 Accidental binding to INADDR_ANY might lead to RCE in golang.org/x/tools/gopls

gopls by default communicates via pipe. However, -port and -listen flags are supported as means of debugging. If -listen is given a value without an explicit host e.g. :8080, or -port is used, gopls will listen on 0.0.0.0. As a result, users might inadvertently cause gopls to bind 0.0.0.0. This...

PT-2026-37661

gopls by default communicates via pipe. However, -port and -listen flags are supported as means of debugging. If -listen is given a value without an explicit host e.g. :8080, or -port is used, gopls will listen on 0.0.0.0. As a result, users might inadvertently cause gopls to bind 0.0.0.0. This...