613 matches found
Dragonfly2 < 2.1.0-beta.1 - Hardcoded JWT Secret
Dragonfly is an open source P2P-based file distribution and image acceleration system. It is hosted by the Cloud Native Computing Foundation CNCF as an Incubating Level Project. Dragonfly uses JWT to verify user. However, the secret key for JWT, "Secret Key", is hard coded, which leads to...
waf-engine
WAF & SOAR Engine A cloud-native Web Application Firewall and...
Extending EOL/EOS Software Intelligence Across Containers, Kubernetes, and Modern Workloads
Key Takeaways Unsupported software increasingly exists inside container images and Kubernetes workloads, not just traditional infrastructure. Lifecycle risk extends beyond CVEs because unsupported software eventually stops receiving patches and vendor maintenance. Outdated base images and runtime...
CVE-2026-44477
CVE-2026-44477 affects CloudNativePG prior to 1.29.1 and 1.28.3. The metrics exporter opens a PostgreSQL connection as the superuser and demotes to pg_monitor with SET ROLE, but the session_user remains postgres. Any SQL in the scrape session can call RESET ROLE to recover superuser privileges, t...
CloudNativePG 代码问题漏洞
CloudNativePG is an open-source platform developed by CloudNativePG for managing the entire lifecycle of PostgreSQL databases on Kubernetes. Versions of CloudNativePG prior to 1.29.1 and 1.28.3 contained code vulnerabilities. These vulnerabilities stemmed from the metric exporter using the pod’s...
Exploit for Improper Input Validation in Siemens 6Bk1602-0Aa12-0Tp0_Firmware
log4j-vuln-demo Intentionally vulnerable demo image for Sys...
When configuration becomes a vulnerability: Exploitable misconfigurations in AI apps
In this article 1. Background 2. What is an exploitable misconfiguration? 3. Exploitable misconfigurations in popular AI applications 4. Minimizing the risk: Practical deployment guidance 5. How Microsoft Defender for Cloud helps detect exposures in Kubernetes 6. Learn more AI and agentic...
CloudNativePG's metrics exporter allows privilege escalation to PostgreSQL superuser and OS RCE
Impact The CloudNativePG metrics exporter opens its PostgreSQL connection as the postgres superuser via the pod-local Unix socket, then demotes the session with SET ROLE pgmonitor. SET ROLE changes only currentuser; sessionuser remains postgres. That residual superuser identity is the foothold fo...
EUVD-2026-27550
Vulnerability in the Oracle Cloud Native Environment Command Line Interface product of Oracle Open Source Projects. The supported versions that is affected is v2.3.2. Easily exploitable vulnerability allows unauthenticated attacker to compromise Oracle Cloud Native Environment Command Line...
CVE-2026-35255
Vulnerability in the Oracle Cloud Native Environment Command Line Interface product of Oracle Open Source Projects. The supported versions that is affected is v2.3.2. Easily exploitable vulnerability allows unauthenticated attacker to compromise Oracle Cloud Native Environment Command Line...
CVE-2026-35255
Vulnerability in the Oracle Cloud Native Environment Command Line Interface product of Oracle Open Source Projects. The supported versions that is affected is v2.3.2. Easily exploitable vulnerability allows unauthenticated attacker to compromise Oracle Cloud Native Environment Command Line...
PT-2026-37373
Vulnerability in the Oracle Cloud Native Environment Command Line Interface product of Oracle Open Source Projects. The supported versions that is affected is v2.3.2. Easily exploitable vulnerability allows unauthenticated attacker to compromise Oracle Cloud Native Environment Command Line...
PT-2026-37356
Name of the Vulnerable Software and Affected Versions Argo CD versions 3.2.0 through 3.2.10 Argo CD versions 3.3.0 through 3.3.8 Description A missing authorization and data-masking gap exists in the '/application.ApplicationService/ServerSideDiff' endpoint. This allows an attacker with read-only...
Oracle Cloud Native Environment Command Line Interface 代码注入漏洞
Oracle Cloud Native Environment Command Line Interface is a command-line tool for managing cloud-native environment clusters provided by Oracle Corporation. Version 2.3.2 of Oracle Cloud Native Environment Command Line Interface contains a code injection vulnerability. This vulnerability could...
EUVD-2026-25392
Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.17.2 and 1.16.4, an unchecked type assertion in the forEach mutation handler allows any user with permission to create a Policy or ClusterPolicy to crash the cluster-wide background controller int...
PT-2026-34846
Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.18.0-rc1, 1.17.2-rc1, and 1.16.4, Kyverno's apiCall feature in ClusterPolicy automatically attaches the admission controller's ServiceAccount token to outgoing HTTP requests. The service URL has n...
GHSA-M4PR-4J3G-9V7V vulnerabilities
Vulnerabilities for packages: flannel, slsa-verifier, vexctl, postgres-operator, kargo, dataplaneapi, kine, falco-no-driver, terraform-provider-azapi, aws-flb-kinesis, polaris, bazelisk, aws-sigv4-proxy, kots, nri-nginx, knative-eventing, prometheus, kubernetes-dashboard-metrics-scraper,...
IBM Concert 安全漏洞
IBM Concert is a new tool developed by the American international business company IBM. It utilizes generative AI to assist in managing complex cloud-native applications. Versions of IBM Concert from 1.0.0 to 2.2.0 contained security vulnerabilities. These vulnerabilities stemmed from the creatio...
IBM Concert Access Control Error Vulnerability (CNVD-2026-16128)
IBM Concert is a new tool from International Business Machines IBM Inc. that uses generative AI to help manage complex cloud-native applications. An Access Control Error vulnerability exists in IBM Concert 2.2.0 and prior versions. The vulnerability stems from a lack of functional-level access...
IBM Concert 安全漏洞
IBM Concert is a new tool developed by the American international business machine IBM. It utilizes generative AI to assist in managing complex cloud-native applications. Versions of IBM Concert prior to 2.2.0 contained a security vulnerability, which stemmed from improper restrictions on channel...