Dragonfly2 < 2.1.0-beta.1 - Hardcoded JWT Secret

Dragonfly is an open source P2P-based file distribution and image acceleration system. It is hosted by the Cloud Native Computing Foundation CNCF as an Incubating Level Project. Dragonfly uses JWT to verify user. However, the secret key for JWT, "Secret Key", is hard coded, which leads to...

AI Bot Hackerbot-Claw Targets Microsoft, DataDog and CNCF GitHub Repos

Security firm Pillar reveals the Chaos Agent in which Hackerbot-Claw, an AI agent, used natural language to compromise major GitHub projects and hijack developer tools...

EUVD-2020-29512

Malware in sbrugna...

EUVD-2020-29508

Malware in sbrugna...

EUVD-2019-19300

Malware in sbrugna...

EUVD-2020-29509

Malware in sbrugna...

EUVD-2020-29507

Malware in sbrugna...

EUVD-2021-1352

Malware in sbrugna...

EUVD-2023-1930

Malicious code in bioql PyPI...

EUVD-2025-12401

Malicious code in bioql PyPI...

EUVD-2025-22653

Malicious code in bioql PyPI...

CVE-2025-30086

CNCF Harbor 2.13.x before 2.13.1 and 2.12.x before 2.12.4 allows information disclosure by administrators who can exploit an ORM Leak present in the /api/v2.0/users endpoint to leak users' password hash and salt values. The q URL parameter allows a user to filter users by any column, and filter...

CVE-2025-30086

CNCF Harbor 2.13.x before 2.13.1 and 2.12.x before 2.12.4 allows information disclosure by administrators who can exploit an ORM Leak present in the /api/v2.0/users endpoint to leak users' password hash and salt values. The q URL parameter allows a user to filter users by any column, and filter...

CVE-2025-30086

CNCF Harbor 2.13.x before 2.13.1 and 2.12.x before 2.12.4 allows information disclosure by administrators who can exploit an ORM Leak present in the /api/v2.0/users endpoint to leak users' password hash and salt values. The q URL parameter allows a user to filter users by any column, and filter...

CVE-2025-30086

CNCF Harbor 2.13.x before 2.13.1 and 2.12.x before 2.12.4 allows information disclosure by administrators who can exploit an ORM Leak present in the /api/v2.0/users endpoint to leak users' password hash and salt values. The q URL parameter allows a user to filter users by any column, and filter...

CVE-2025-30086

CVE-2025-30086 affects CNCF Harbor: Harbor 2.13.x before 2.13.1 and 2.12.x before 2.12.4 are vulnerable to an ORM leak via the /api/v2.0/users endpoint. The q URL parameter lets an administrator filter by any column and abuse password=~ to leak a user’s password hash and salt character by charact...

PT-2025-30605 · Cncf · Cncf Harbor

Name of the Vulnerable Software and Affected Versions: CNCF Harbor versions 2.12.0 through 2.12.3 CNCF Harbor versions 2.13.0 through 2.13.0 Description: An ORM leak exists in the /api/v2.0/users endpoint, allowing administrators to potentially disclose users' password hash and salt values. The q...

GO-2025-3646 CNCF K3s Kubernetes kubelet configuration exposes credentials in github.com/k3s-io/k3s

CNCF K3s Kubernetes kubelet configuration exposes credentials in github.com/k3s-io/k3s. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from vulnerability...

CVE-2025-46599

CNCF K3s 1.32 before 1.32.4-rc1+k3s1 has a Kubernetes kubelet configuration change with the unintended consequence that, in some situations, ReadOnlyPort is set to 10255. For example, the default behavior of a K3s online installation might allow unauthenticated access to this port, exposing...

GHSA-864F-7XJM-2JP2 CNCF K3s Kubernetes kubelet configuration exposes credentials

CNCF K3s 1.32 before 1.32.4-rc1+k3s1 has a Kubernetes kubelet configuration change with the unintended consequence that, in some situations, ReadOnlyPort is set to 10255. For example, the default behavior of a K3s online installation might allow unauthenticated access to this port, exposing...