Lucene search

13777 matches found

Snyk
added 2026/04/16 9:37 p.m. · 3 views

Insufficiently Protected Credentials

Overview: Affected versions of this package are vulnerable to Insufficiently Protected Credentials in the apiCall executor. An attacker can obtain sensitive credentials by sending crafted HTTP requests to endpoints controlled by the attacker, causing the automatic forwarding of the ServiceAccount...

CVSS 9.1 | AI score 5.8 | EPSS 0.0001
Exploits: 1 | References: 2

Github Security Blog
added 2026/04/16 9:37 p.m. · 3 views

Kyverno apiCall automatically forwards ServiceAccount token to external endpoints (credential leak)

Summary: Kyverno's apiCall service mode automatically attaches the admission controller's ServiceAccount (SA) token to outbound HTTP requests. This results in unintended credential exposure when requests are sent to external or attacker-controlled endpoints. The behavior is insecure-by-default and n...

AI score 5.9
Exploits: 0 | References: 2 | Affected Software: 1

CVE
added 2026/04/16 1:27 p.m. · 5 views

CVE-2026-4160

The CVE-2026-4160 entry concerns the WordPress Fluent Forms plugin (versions up to 6.1.21). Affected component: Stripe SCA confirmation AJAX endpoint handling a submission_id parameter. Root cause: missing authorization and ownership validation on a user-controlled key enables Insecure Direct Obj...

CVSS 5.3 | AI score 5.8 | EPSS 0.00021
Exploits: 0 | References: 2

Hacker One
added 2026/04/16 9:24 a.m. · 7 views

Revive Adserver: Missing access control when modifying parent entities via XML‑RPC

Vulnerability description not provided...

AI score 5.8
Exploits: 0

OSV
added 2026/04/16 12:38 a.m. · 1 view

CLEANSTART-2026-GN18755 gRPC-Go is the Go language implementation of gRPC

Multiple security vulnerabilities affect the calico package. gRPC-Go is the Go language implementation of gRPC. See references for individual vulnerability details...

CVSS 9.8 | AI score 7.2 | EPSS 0.0002
Exploits: 1 | References: 4

RedhatCVE
added 2026/04/15 7:23 p.m. · 1 view

CVE-2026-26183

Improper access control in Windows RPC API allows an authorized attacker to elevate privileges locally...

CVSS 7.8 | AI score 5.8 | EPSS 0.00052
Exploits: 0 | References: 1

OSV
added 2026/04/14 8:09 p.m. · 2 views

GHSA-Q93Q-V844-JRQP kyverno apicall servicecall implicit bearer token injection leaks kyverno serviceaccount token

Kyverno's apiCall servicecall helper implicitly injects Authorization: Bearer ... using the Kyverno controller ServiceAccount token when a policy does not explicitly set an Authorization header. Because context.apiCall.service.url is policy-controlled, this can send the Kyverno ServiceAccount tok...

CVSS 8.1 | AI score 5.9 | EPSS 0.00044
Exploits: 1 | References: 3

Snyk
added 2026/04/14 8:09 p.m. · 2 views

Unintended Proxy or Intermediary ('Confused Deputy')

Overview: Affected versions of this package are vulnerable to Unintended Proxy or Intermediary ('Confused Deputy') via the apiCall servicecall helper. An attacker can obtain sensitive service account tokens by crafting a policy that triggers an outbound request without an explicit Authorization...

CVSS 8.1 | AI score 5.8 | EPSS 0.00044
Exploits: 1 | References: 2

Github Security Blog
added 2026/04/14 8:09 p.m. · 6 views

kyverno apicall servicecall implicit bearer token injection leaks kyverno serviceaccount token

Kyverno's apiCall servicecall helper implicitly injects Authorization: Bearer ... using the Kyverno controller ServiceAccount token when a policy does not explicitly set an Authorization header. Because context.apiCall.service.url is policy-controlled, this can send the Kyverno ServiceAccount tok...

CVSS 8.1 | AI score 5.9 | EPSS 0.00044
Exploits: 1 | References: 3 | Affected Software: 1

Snyk
added 2026/04/14 8:06 p.m. · 4 views

Server-side Request Forgery (SSRF)

Overview: Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in the APICall feature. An attacker can access sensitive internal resources and exfiltrate confidential data by supplying arbitrary URLs to the APICall feature, which are executed with elevated privilege...

CVSS 7.7 | AI score 5.9
Exploits: 0 | References: 2

OSV
added 2026/04/14 8:06 p.m. · 0 views

GHSA-FMQP-4WFC-W3V7 Kyverno APICall SSRF Vulnerability Leading to Multi-Tenant Isolation Breach

Summary: Kyverno's APICall feature contains a Server-Side Request Forgery (SSRF) vulnerability that allows users with Policy creation permissions to access arbitrary internal resources through Kyverno's high-privilege ServiceAccount. In multi-tenant Kubernetes environments, this constitutes a classi...

CVSS 7.7 | AI score 6.1
Exploits: 0 | References: 2

EUVD
added 2026/04/14 6:30 p.m. · 0 views

EUVD-2026-22518

Exposure of sensitive information to an unauthorized actor in Windows Remote Procedure Call allows an authorized attacker to disclose information locally...

CVSS 5.5 | AI score 5.7 | EPSS 0.0005
Exploits: 0 | References: 2

EUVD
added 2026/04/14 6:30 p.m. · 2 views

EUVD-2026-22428

Improper access control in Windows RPC API allows an authorized attacker to elevate privileges locally...

CVSS 7.8 | AI score 5.7 | EPSS 0.00052
Exploits: 0 | References: 2

EUVD
added 2026/04/14 6:30 p.m. · 1 view

EUVD-2025-209453

An improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.4, FortiAnalyzer 7.4.0 through 7.4.8, FortiAnalyzer 7.2 all versions, FortiAnalyzer 7.0 all versions, FortiAnalyzer Cloud 7.6.0 through 7.6.4,...

CVSS 7.2 | AI score 6 | EPSS 0.00041
Exploits: 0 | References: 2

NVD
added 2026/04/14 6:17 p.m. · 0 views

CVE-2026-32085

Exposure of sensitive information to an unauthorized actor in Windows Remote Procedure Call allows an authorized attacker to disclose information locally...

CVSS 5.5 | EPSS 0.0005
Exploits: 0 | References: 1

NVD
added 2026/04/14 6:16 p.m. · 1 view

CVE-2026-26183

Improper access control in Windows RPC API allows an authorized attacker to elevate privileges locally...

CVSS 7.8 | EPSS 0.00052
Exploits: 0 | References: 1

Vulnrichment
added 2026/04/14 4:57 p.m. · 1 view

CVE-2026-32085 Remote Procedure Call Information Disclosure Vulnerability

...

CVSS 5.5 | AI score 5.8 | EPSS 0.0005
Exploits: 0 | References: 1

Cvelist
added 2026/04/14 4:57 p.m. · 22 views

CVE-2026-32085 Remote Procedure Call Information Disclosure Vulnerability

...

CVSS 5.5 | EPSS 0.0005
Exploits: 0 | References: 1

CVE
added 2026/04/14 4:57 p.m. · 13 views

CVE-2026-32085

CVE-2026-32085 affects Windows Remote Procedure Call and corresponds to an information-disclosure vulnerability that can allow an authenticated local attacker to read sensitive data. The NVD/NCSC/MSRC entries confirm this vulnerability and note that Microsoft has released updates to fix the issue...

CVSS 5.5 | AI score 5.7 | EPSS 0.0005
Exploits: 0 | References: 1 | Affected Software: 13

NVD
added 2026/04/14 4:16 p.m. · 2 views

CVE-2025-61848

An improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.4, FortiAnalyzer 7.4.0 through 7.4.8, FortiAnalyzer 7.2 all versions, FortiAnalyzer 7.0 all versions, FortiAnalyzer Cloud 7.6.0 through 7.6.4,...

CVSS 7.2 | EPSS 0.00041
Exploits: 0 | References: 1