453 matches found
What’s in the container? Analyzing vulnerabilities, risks and protection with Kaspersky Container Security and the KIRA AI assistant
Introduction Containerization using Docker has become firmly established in modern development standards, significantly increasing the speed and convenience of deploying various services. Developers often use ready-made Docker images, making only minimal changes. The largest repository of contain...
RHEL 10 : podman (RHSA-2026:17040)
The remote Red Hat Enterprise Linux 10 host has packages installed that are affected by multiple vulnerabilities, as referenced in the RHSA-2026:17040 advisory. The podman tool manages pods, container images, and containers. It is part of the libpod library, which is for applications that use...
Bubblewrap security vulnerability
Bubblewrap is an open-source, unprivileged sandboxing tool developed by the containers project. Versions of Bubblewrap from 0.11.0 to 0.11.2 contain a security vulnerability. It stems from the ability of users to invoke Bubblewrap in setuid mode and control the...
CVE-2026-33587
Lack of user input sanitisation in Open Notebook v1.8.3 allows the application user to execute Python code, and subsequently OS commands, on the Docker container via Server-Side Template Injection (SSTI) in user-created transformations...
alika-vuln-shield
Vuln Shield: fast container vulnerability scanner that filters...
PT-2026-37314
Name of the Vulnerable Software and Affected Versions: ciguard versions 0.1.0 through 0.8.1. Description: The ghcr.io/jo-jo98/ciguard container image inherits the default root user because the Dockerfile lacks a USER directive. As a static analyser, ciguard does not require root privileges. Running ...
Astra Linux - vulnerability in runc-app
runc is a CLI tool for spawning and running containers according to the OCI specification. In versions 1.2.7, 1.3.2, and 1.4.0-rc.2, an attacker can trick runc into redirecting write operations to /proc to other procfs files by using a racing container with shared mounts. We have also verified th...
GHSA-Q96J-3FMM-7FV4 LXD: Importing a crafted backup leads to project restriction bypass
Summary LXD instance backup import validates project restrictions against backup/index.yaml embedded in the tar archive, but creates the actual instance from backup/container/backup.yaml extracted to the storage volume. Because these are separate, independently attacker-controlled files within th...
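The LXD entry above describes a check-versus-use mismatch: the restriction check reads one file inside the archive while the instance is created from another, and both are attacker-controlled. The following is an added toy model of that pattern, not LXD's code or its actual fix. The tar layout uses the two member names the advisory quotes, but the `security.privileged` key as the restricted setting, the flat `key: value` fixtures, and the `import_vulnerable`/`import_fixed` functions are illustrative assumptions.

```python
"""Toy model of a backup importer that validates one file in the archive
and instantiates from another. Added example with constructed fixtures
and an illustrative restriction; not LXD's code or its actual patch."""
import io
import tarfile

INDEX = "backup/index.yaml"              # what the restriction check reads
ACTUAL = "backup/container/backup.yaml"  # what the instance is built from


def _parse_flat(data: bytes) -> dict:
    """Minimal 'key: value' reader for the fixtures below; not a YAML parser."""
    out = {}
    for line in data.decode().splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            key, _, value = line.partition(":")
            out[key.strip()] = value.strip()
    return out


def make_backup(index_cfg: dict, actual_cfg: dict) -> bytes:
    """Build an in-memory tar holding both descriptions of the instance.
    An attacker controls the whole archive, so the two need not agree."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, cfg in ((INDEX, index_cfg), (ACTUAL, actual_cfg)):
            body = "".join(f"{k}: {v}\n" for k, v in cfg.items()).encode()
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


def _read(backup: bytes, member: str) -> dict:
    with tarfile.open(fileobj=io.BytesIO(backup), mode="r") as tar:
        return _parse_flat(tar.extractfile(member).read())


def violates_project_restrictions(cfg: dict) -> bool:
    """Illustrative restriction: this project forbids privileged instances."""
    return cfg.get("security.privileged", "false") == "true"


def import_vulnerable(backup: bytes) -> dict:
    """Checks index.yaml, then creates the instance from backup.yaml."""
    if violates_project_restrictions(_read(backup, INDEX)):
        raise PermissionError("rejected by project restrictions")
    return _read(backup, ACTUAL)  # never validated: the bypass


def import_fixed(backup: bytes) -> dict:
    """Validate the configuration that will actually be used, and refuse an
    archive whose index disagrees with it on any key the index carries."""
    index, actual = _read(backup, INDEX), _read(backup, ACTUAL)
    if any(actual.get(k) != v for k, v in index.items()):
        raise ValueError("index.yaml and backup.yaml disagree")
    if violates_project_restrictions(actual):
        raise PermissionError("rejected by project restrictions")
    return actual


# Constructed archives: a crafted one whose two files disagree, and an honest one.
CRAFTED = make_backup(
    {"name": "web", "security.privileged": "false"},  # what the check sees
    {"name": "web", "security.privileged": "true"},   # what gets created
)
HONEST = make_backup(
    {"name": "web", "security.privileged": "false"},
    {"name": "web", "security.privileged": "false"},
)


def demo() -> tuple:
    """Returns (privileged flag of what the vulnerable path creates,
    whether the fixed path rejects the same crafted archive)."""
    created = import_vulnerable(CRAFTED)
    try:
        import_fixed(CRAFTED)
        rejected = False
    except (PermissionError, ValueError):
        rejected = True
    return created["security.privileged"], rejected


if __name__ == "__main__":
    print(demo())  # ('true', True)
```

The general rule this demonstrates is that a policy check must consume the same bytes the privileged action later acts on; any second copy of the data that the caller can supply independently is a bypass waiting to happen. In the real backup format the index and the per-instance file have different shapes, so the essential part of the fix is re-validating the configuration the instance is created from, not the equality check.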
EUVD-2025-209298
A container privilege escalation flaw was found in certain Ansible Automation Platform images. This issue arises from the /etc/passwd file being created with group-writable permissions during the build process. In certain conditions, an attacker who can execute commands within an affected...
CVE-2025-57853 Web-terminal: privilege escalation via excessive /etc/passwd permissions
A container privilege escalation flaw was found in certain Web Terminal images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root...
Red Hat Multicluster Engine for Kubernetes security vulnerability
Red Hat Multicluster Engine for Kubernetes is software developed by Red Hat, used to manage Kubernetes or OpenShift clusters. It has a security vulnerability that stems from the /etc/passwd file being set with...
CVE-2025-52638
HCL AION is affected by a vulnerability where generated containers may execute binaries with root-level privileges. Running containers with root privileges may increase the potential security risk, as it grants elevated permissions within the container environment. Aligning container configuratio...
CVE-2026-28384
An improper sanitization of the compressionalgorithm parameter in Canonical LXD allows an authenticated, unprivileged user to execute commands as the LXD daemon on the LXD server via API calls to the image and backup endpoints. This issue affected LXD from 4.12 through 6.6 and was fixed in the sn...
Use Of Incorrectly-Resolved Name Or Reference
github.com/apptainer/apptainer is vulnerable to Use of Incorrectly-Resolved Name or Reference. The vulnerability is due to improper enforcement of the --security option, which allows an attacker to disable AppArmor or SELinux restrictions and bypass container security controls...
CVE-2026-23924
CVE-2026-23924 affects the Zabbix Agent 2 Docker plugin. The issue is improper sanitization of the docker.container_info parameters when they are forwarded to the Docker daemon, enabling an attacker capable of invoking Agent 2 to read arbitrary files from running Docker containers by injecting them via t...
Important: Red Hat Security Advisory: Release of containers for RHOSO 18.0.17 security update
Red Hat OpenStack Services on OpenShift (RHOSO) 18.0.17 containers are now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each...
CVE-2025-57849 Fuse: privilege escalation via excessive /etc/passwd permissions
A container privilege escalation flaw was found in certain Fuse images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, ca...
CVE-2025-8766
A container privilege escalation flaw was found in certain Multi-Cloud Object Gateway Core images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container,...
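Two build-time defects recur across this listing: images that run as root because the Dockerfile has no USER directive (the ciguard and HCL AION entries), and an /etc/passwd left group-writable during the build (the Ansible Automation Platform, Web Terminal, Multicluster Engine, Fuse and Multi-Cloud Object Gateway entries). The following added example, not code from any of those projects, implements both checks as a small audit. The Dockerfiles and the passwd fixtures are constructed; the assumption that a base image with no USER of its own starts as root holds for the common official bases but should be confirmed for others.

```python
"""Static checks for two image defects that recur in the listing above:
an image that runs as root because its Dockerfile has no USER directive,
and an /etc/passwd left group- or world-writable at build time.
Added example; not code from any listed project."""
import os
import stat
import tempfile

# Constructed Dockerfiles standing in for a weak and a hardened build.
DOCKERFILE_NO_USER = """\
FROM python:3.12-slim
COPY . /app
RUN pip install --no-cache-dir /app
ENTRYPOINT ["scanner"]
"""

DOCKERFILE_HARDENED = """\
FROM python:3.12-slim
COPY . /app
RUN pip install --no-cache-dir /app \\
    && chmod 0644 /etc/passwd /etc/group
# fixed non-root UID:GID so the running process cannot edit system files
USER 65532:65532
ENTRYPOINT ["scanner"]
"""


def effective_user(dockerfile_text: str) -> str:
    """User the final image starts as. Only the last USER in the last stage
    counts and each FROM resets it. No USER at all means the base image's
    default, assumed here to be root (true for the common official bases)."""
    user = "root"
    for raw in dockerfile_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, arg = line.partition(" ")
        instr = instr.upper()
        if instr == "FROM":
            user = "root"
        elif instr == "USER":
            # "USER name[:group]" -> keep only the user part
            user = arg.strip().split(":", 1)[0]
    return user


def runs_as_root(dockerfile_text: str) -> bool:
    return effective_user(dockerfile_text) in ("root", "0")


def writable_by_group_or_others(path: str) -> bool:
    """True if the mode grants write to group or others (g+w or o+w), the
    condition the /etc/passwd advisories above describe."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit(dockerfile_text: str, passwd_path: str) -> list:
    """Return human-readable findings; an empty list means both checks passed."""
    findings = []
    if runs_as_root(dockerfile_text):
        findings.append("image runs as root: add a USER directive")
    if writable_by_group_or_others(passwd_path):
        findings.append(f"{passwd_path} is group/world-writable: chmod 0644 it")
    return findings


def demo() -> tuple:
    """Run both checks against constructed fixtures and return the finding
    counts for (weak image, hardened image). Against a real image, point
    passwd_path at a copy pulled out with `docker create` and `docker cp`."""
    with tempfile.TemporaryDirectory() as d:
        weak = os.path.join(d, "passwd-weak")
        good = os.path.join(d, "passwd-good")
        for p in (weak, good):
            with open(p, "w") as f:
                f.write("root:x:0:0:root:/root:/bin/bash\n")
        os.chmod(weak, 0o664)  # group-writable, as in the advisories
        os.chmod(good, 0o644)
        return (len(audit(DOCKERFILE_NO_USER, weak)),
                len(audit(DOCKERFILE_HARDENED, good)))


if __name__ == "__main__":
    print(demo())  # (2, 0)
```

A group-writable /etc/passwd is sometimes created on purpose so that an image started under an arbitrary, unlisted UID can append an entry for itself at start-up; the advisories above are the cost of that shortcut, since any process in that group can then edit the file. The permission check is the same whether the file is inspected in an unpacked image layer or inside a running container, and the Dockerfile check is cheap enough to run in CI on every build.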
OPENSUSE-SU-2026:20305-1 Security update for podman
This update for podman fixes the following issues: Changes in podman: - Add symlink to catatonit in /usr/libexec/podman (bsc#1248988) - CVE-2025-47914: Fixed golang.org/x/crypto/ssh/agent: non-validated message size can cause a panic due to an out-of-bounds read (bsc#1253993) - CVE-2025-47913: Fixed...
CVE-2026-27208
bleon-ethical/api-gateway-deploy provides API gateway deployment. Version 1.0.0 is vulnerable to an attack chain involving OS Command Injection and Privilege Escalation. This allows an attacker to execute arbitrary commands with root privileges within the container, potentially leading to a...