324 matches found

OSV
added 2026/02/05 6:16 p.m., 4 views

AZL-76910 CVE-2025-47911 affecting package containerized-data-importer 1.62.0-1

The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content...

CVSS 5.3, AI score 5.7, EPSS 0.00033
Exploits 0, References 1
OSV
added 2026/01/28 4:14 p.m., 1 views

GHSA-QH4C-XF7M-GXFC vLLM vulnerable to Server-Side Request Forgery (SSRF) through MediaConnector

Summary: A Server-Side Request Forgery (SSRF) vulnerability exists in the MediaConnector class within the vLLM project's multimodal feature set. The load_from_url and load_from_url_async methods obtain and process media from URLs provided by users, using different Python parsing libraries when restrictin...

CVSS 7.1, AI score 6.1, EPSS 0.00038
Exploits 2, References 5
NVD
added 2026/01/27 10:15 p.m., 4 views

CVE-2026-24779

vLLM is an inference and serving engine for large language models (LLMs). Prior to version 0.14.1, a Server-Side Request Forgery (SSRF) vulnerability exists in the MediaConnector class within the vLLM project's multimodal feature set. The load_from_url and load_from_url_async methods obtain and process...

CVSS 7.1, EPSS 0.00038
Exploits 1, References 3
CVE
added 2026/01/27 10:1 p.m., 12 views

CVE-2026-24779

CVE-2026-24779 is an SSRF vulnerability in vLLM’s MediaConnector. Before version 0.14.1, load_from_url and load_from_url_async fetch media from user-supplied URLs and validate via Python urllib urlparse, while the request is issued with requests/urllib3, whose parsing follows a different standard...

CVSS 7.1, AI score 5.9, EPSS 0.00038
Exploits 1, References 3, Affected Software 1
OSV
added 2026/01/26 8:16 p.m., 3 views

AZL-75395 CVE-2025-14459 affecting package cloud-provider-kubevirt 0.5.1-3

A flaw was found in KubeVirt Containerized Data Importer (CDI). This vulnerability allows a user to clone PersistentVolumeClaims (PVCs) from unauthorized namespaces, resulting in unauthorized access to data via the DataImportCron PVC source mechanism...

CVSS 8.5, AI score 5.7, EPSS 0.00012
Exploits 0, References 1
OSV
added 2026/01/26 8:16 p.m., 2 views

AZL-75446 CVE-2025-14459 affecting package kubevirt 1.7.0-3

A flaw was found in KubeVirt Containerized Data Importer (CDI). This vulnerability allows a user to clone PersistentVolumeClaims (PVCs) from unauthorized namespaces, resulting in unauthorized access to data via the DataImportCron PVC source mechanism...

CVSS 8.5, AI score 5.7, EPSS 0.00012
Exploits 0, References 1
OSV
added 2026/01/26 8:16 p.m., 2 views

AZL-75404 CVE-2025-14459 affecting package containerized-data-importer 1.62.0-2

A flaw was found in KubeVirt Containerized Data Importer (CDI). This vulnerability allows a user to clone PersistentVolumeClaims (PVCs) from unauthorized namespaces, resulting in unauthorized access to data via the DataImportCron PVC source mechanism...

CVSS 8.5, AI score 5.7, EPSS 0.00012
Exploits 0, References 1
OSV
added 2026/01/26 8:16 p.m., 3 views

AZL-75443 CVE-2025-14459 affecting package containerized-data-importer 1.55.0-28

A flaw was found in KubeVirt Containerized Data Importer (CDI). This vulnerability allows a user to clone PersistentVolumeClaims (PVCs) from unauthorized namespaces, resulting in unauthorized access to data via the DataImportCron PVC source mechanism...

CVSS 8.5, AI score 5.7, EPSS 0.00012
Exploits 0, References 1
OSV
added 2026/01/26 8:16 p.m., 3 views

AZL-75494 CVE-2025-14459 affecting package kubevirt 0.59.0-38

A flaw was found in KubeVirt Containerized Data Importer (CDI). This vulnerability allows a user to clone PersistentVolumeClaims (PVCs) from unauthorized namespaces, resulting in unauthorized access to data via the DataImportCron PVC source mechanism...

CVSS 8.5, AI score 5.7, EPSS 0.00012
Exploits 0, References 1
CVE
added 2026/01/26 7:36 p.m., 10 views

CVE-2025-14459

CVE-2025-14459 affects KubeVirt Containerized Data Importer (CDI). A flaw allows a user to clone PersistentVolumeClaims (PVCs) from unauthorized namespaces, resulting in unauthorized access to data via the DataImportCron PVC source mechanism. The CVSS 3.1 analysis indicates high impact to confide...

CVSS 8.5, AI score 5.8, EPSS 0.00012
Exploits 0, References 3
ATTACKERKB
added 2026/01/26 7:36 p.m., 2 views

CVE-2025-14459

A flaw was found in KubeVirt Containerized Data Importer (CDI). This vulnerability allows a user to clone PersistentVolumeClaims (PVCs) from unauthorized namespaces, resulting in unauthorized access to data via the DataImportCron PVC source mechanism...

CVSS 8.5, AI score 5.8, EPSS 0.00012
Exploits 0, References 4
Vulnrichment
added 2026/01/26 7:36 p.m., 7 views

CVE-2025-14459 Virt-cdi-controller: unauthorized pvc cloning via dataimportcron

A flaw was found in KubeVirt Containerized Data Importer (CDI). This vulnerability allows a user to clone PersistentVolumeClaims (PVCs) from unauthorized namespaces, resulting in unauthorized access to data via the DataImportCron PVC source mechanism...

CVSS 8.5, AI score 5.8, EPSS 0.00012
Exploits 0, References 3
Cvelist
added 2026/01/26 7:36 p.m., 18 views

CVE-2025-14459 Virt-cdi-controller: unauthorized pvc cloning via dataimportcron

A flaw was found in KubeVirt Containerized Data Importer (CDI). This vulnerability allows a user to clone PersistentVolumeClaims (PVCs) from unauthorized namespaces, resulting in unauthorized access to data via the DataImportCron PVC source mechanism...

CVSS 8.5, EPSS 0.00012
Exploits 0, References 3
Positive Technologies
added 2026/01/26 12:0 a.m., 3 views

PT-2026-4805

Name of the Vulnerable Software and Affected Versions: KubeVirt Containerized Data Importer (CDI), affected versions not specified. Description: A flaw exists in KubeVirt Containerized Data Importer (CDI) that allows a user to clone PersistentVolumeClaims (PVCs) from unauthorized namespaces. This can lead ...

CVSS 8.5, AI score 5.9, EPSS 0.00012
Exploits 0, References 7
NVD
added 2026/01/21 11:15 p.m., 1 views

CVE-2026-24047

Backstage is an open framework for building developer portals, and @backstage/cli-common provides config loading functionality used by the backend and command line interface of Backstage. Prior to version 0.1.17, the resolveSafeChildPath utility function in @backstage/backend-plugin-api, which is...

CVSS 6.3, EPSS 0.00025
Exploits 0, References 2
OSV
added 2026/01/21 10:36 p.m., 7 views

CVE-2026-24046 Backstage has a Possible Symlink Path Traversal in Scaffolder Actions

Backstage is an open framework for building developer portals. Multiple Scaffolder actions and archive extraction utilities were vulnerable to symlink-based path traversal attacks. An attacker with access to create and execute Scaffolder templates could exploit symlinks to read arbitrary files vi...

CVSS 7.1, AI score 5.9, EPSS 0.00022
Exploits 0, References 4
Positive Technologies
added 2026/01/21 12:0 a.m., 3 views

PT-2026-3875

Name of the Vulnerable Software and Affected Versions: Backstage versions prior to 0.12.2, 0.13.2, 0.14.1, and 0.15.0; @backstage/plugin-scaffolder-backend versions prior to 2.2.2, 3.0.2, and 3.1.1; @backstage/plugin-scaffolder-node versions prior to 0.11.2 and 0.12.3. Description: The software is...

CVSS 7.1, AI score 5.7, EPSS 0.00022
Exploits 0, References 9
CBLMariner
added 2025/12/29 5:22 p.m., 2 views

CVE-2025-65637 affecting package containerized-data-importer for versions less than 1.55.0-27

CVE-2025-65637 affecting package containerized-data-importer for versions less than 1.55.0-27. A patched version of the package is available...

CVSS 7.5, AI score 6.9, EPSS 0.00055
Exploits 1
CBLMariner
added 2025/12/22 3:1 p.m., 2 views

CVE-2025-65637 affecting package containerized-data-importer for versions less than 1.57.0-18

CVE-2025-65637 affecting package containerized-data-importer for versions less than 1.57.0-18. A patched version of the package is available...

CVSS 7.5, AI score 6.9, EPSS 0.00055
Exploits 1
CBLMariner
added 2025/12/15 4:3 p.m., 3 views

CVE-2025-58183 affecting package containerized-data-importer for versions less than 1.57.0-17

CVE-2025-58183 affecting package containerized-data-importer for versions less than 1.57.0-17. A patched version of the package is available...

CVSS 4.3, AI score 6.9, EPSS 0.00018
Exploits 0