Sensitive Information Exposure

Harvester is vulnerable to Sensitive Information Exposure. The vulnerability is due to the interactive installer exposing the operating system’s default SSH login password during cluster creation or host addition, potentially allowing unauthorized access to affected systems...

CLSA-2026-1778858907 mod_proxy_cluster: Fix of 2 CVEs

CVE-2023-6710: stored XSS in modcluster-manager HTML output via virtual host and context names rendered without HTML escaping - CVE-2024-10306: unauthorized MCMP requests due to directive being ignored for protocol-handler filtering; runtime guard now refuses siblings of EnableMCPMReceive, and...

CVE-2026-44015

Nginx UI is a web user interface for the Nginx web server. In 2.3.4 and earlier, an authenticated user can perform Server-Side Request Forgery SSRF by creating a cluster node pointing to an arbitrary internal URL and then sending API requests with the X-Node-ID header. The Proxy middleware forwar...

Important: Red Hat Security Advisory: Red Hat Advanced Cluster Management for Kubernetes v2.13.7 security update

Red Hat Advanced Cluster Management for Kubernetes 2.13 General Availability release images, which add new features and enhancements, bug fixes, and updated container images. Red Hat Advanced Cluster Management for Kubernetes 2.13 images Red Hat Advanced Cluster Management for Kubernetes provides...

Improper Authentication

Juju is vulnerable to Improper Authentication. The vulnerability is due to improper TLS client and server certificate validation in the internal Dqlite database cluster, which allows an unauthenticated attacker to join the cluster and gain full read and write access to the database...

CVE-2026-44514

Kubetail is a real-time logging dashboard for Kubernetes. Prior to 0.14.0, Kubetail's dashboard exposes WebSocket endpoints that did not adequately validate the Origin header on connection upgrade. A malicious web page visited by a user with an active Kubetail session could open a WebSocket to th...

EUVD-2026-30331

Kubetail is a real-time logging dashboard for Kubernetes. Prior to 0.14.0, Kubetail's dashboard exposes WebSocket endpoints that did not adequately validate the Origin header on connection upgrade. A malicious web page visited by a user with an active Kubetail session could open a WebSocket to th...

Malicious Package

Overview knot-rails-assets-pipeline is a malicious package. This package is part of a malicious cluster of Ruby gems published by the threat actor knot-theory. Designed to impersonate legitimate utilities, it executes a payload upon installation that harvests environment variables, SSH keys, AWS...

CVE-2026-25705

A vulnerability has been identified in Rancher's Extensions where malicious code can be injected in Rancher through a path traversal in the compressedEndpoint field inside a UIPlugin deployment. A malicious UI extension could abuse that to: Overwrite Rancher binaries or configuration to inject...

Important: Red Hat Security Advisory: Assisted Installer RHEL 9 components for Multicluster Engine for Kubernetes 2.6.11

Assisted installer RHEL 9 components for the multicluster engine for Kubernetes 2.6.11 General Availability release, with updates to container images. Assisted Installer RHEL 9 integrates components for the general multicluster engine for Kubernetes 2.6.11 release that simplify the process of...

EUVD-2026-30180

SSL verification is disabled in the DNS Cluster system. This could allow for a malicious server to man-in-the-middle the request and capture credentials...

CVE-2026-32992

SSL verification is disabled in the DNS Cluster system. This could allow for a malicious server to man-in-the-middle the request and capture credentials...

CVE-2026-32992

SSL verification is disabled in the DNS Cluster system. This could allow for a malicious server to man-in-the-middle the request and capture credentials...

CVE-2026-32992

SSL verification is disabled in the DNS Cluster system. This could allow for a malicious server to man-in-the-middle the request and capture credentials...

CVE-2026-32992

CVE-2026-32992 affects the DNS Cluster system where SSL verification is disabled, enabling a man-in-the-middle capture of credentials. Documented impact aligns with CVSSv3.1 base score 8.2 (HIGH) with network attack, no user interaction required, and no privileges. The NVD description specifies t...

CVE-2026-25705

A vulnerability has been identified in Rancher's Extensions where malicious code can be injected in Rancher through a path traversal in the compressedEndpoint field inside a UIPlugin deployment. A malicious UI extension could abuse that to: Overwrite Rancher binaries or configuration to inject...

CVE-2026-25705

CVE-2026-25705 describes a path-traversal vulnerability in Rancher Extensions where the compressedEndpoint field in a UIPlugin deployment can be abused to overwrite Rancher binaries/configs, tamper with cluster state in /var/lib/rancher/, and, if hostPath volumes are mounted, write to the host no...

CVE-2026-25705 Rancher Extensions have arbitrary file access via path traversal

A vulnerability has been identified in Rancher's Extensions where malicious code can be injected in Rancher through a path traversal in the compressedEndpoint field inside a UIPlugin deployment. A malicious UI extension could abuse that to: Overwrite Rancher binaries or configuration to inject...

CVE-2026-25705 Rancher Extensions have arbitrary file access via path traversal

A vulnerability has been identified in Rancher's Extensions where malicious code can be injected in Rancher through a path traversal in the compressedEndpoint field inside a UIPlugin deployment. A malicious UI extension could abuse that to: Overwrite Rancher binaries or configuration to inject...

MAL-2026-3630 Malicious code in knot-activesupport-logger (RubyGems)

--- -= Per source details. Do not edit below this line.=- Source: google-open-source-security a4e4f74e90479d472a307d311d48214827e21cf93ecf9b0b62ff2cb72adb2c9e This package is a malicious packages part of the Go BufferZoneCorp and RubyGems knot-theory clusters. The packages in this cluster steal...