BIT-JENKINS-2026-53442

Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not encrypt secrets from POST config.xml submissions before storing them in job configurations unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission, or access to t...

CVE-2026-53442

A flaw was found in Jenkins. Secrets submitted via POST config.xml are stored unencrypted in job configuration files on the Jenkins controller. This allows users with 'Item/Extended Read' permission, or those with direct access to the Jenkins controller file system, to view sensitive information...

PT-2026-48427

Name of the Vulnerable Software and Affected Versions Jenkins versions prior to 2.568 Jenkins LTS versions prior to 2.555.3 Description Secrets provided via POST config.xml submissions are stored unencrypted in job configuration files on the Jenkins controller. This allows users with Item/Extende...

GHSA-W5FQ-8965-C969 Juju: CloudSpec method leaking cloud credentials

Impact If a user has login permission to a controller and knows the controller model UUID, they can call the CloudSpec method on the Controller facade and get cloud credentials used to bootstrap the controller. The CloudSpec API is called by workers running in the controller to maintain connectio...

EUVD-2025-209211

Juju has a resource poisoning vulnerability...

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization in the resource handler. An attacker can gain unauthorized access and modify application resources across the entire controller by leveraging authenticated access as a user, machine, or controller. Remediation A...

CVE-2025-68153

Juju is an open source application orchestration engine that enables any application operation on any infrastructure at any scale through special operators called ‘charms’. From versions 2.9 to before 2.9.56 and 3.6 to before 3.6.19, any authenticated user, machine or controller under a Juju...

CVE-2026-23434

In the Linux kernel, the following vulnerability has been resolved: mtd: rawnand: serialize lock/unlock against other NAND operations nandlock and nandunlock call into chip-ops.lockarea/unlockarea without holding the NAND device lock. On controllers that implement SETFEATURES via multiple low-lev...

PT-2026-30121

Name of the Vulnerable Software and Affected Versions Juju versions 2.9 through 2.9.55 and 3.6 through 3.6.18 Description Juju, an application orchestration engine, allows any authenticated user, machine, or controller to modify application resources within a Juju controller. This impacts version...

PT-2026-30129

Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description The Linux kernel contained a flaw where nand lock and nand unlock functions did not hold the NAND device lock when calling chip-ops.lock area/unlock area. This could lead to race...

CVE-2026-33003

Jenkins LoadNinja Plugin 2.1 and earlier stores LoadNinja API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system...

BIT-NGINX-INGRESS-CONTROLLER-2026-4342 ingress-nginx comment-based nginx configuration injection

A security issue was discovered in ingress-nginx where a combination of Ingress annotations can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. Note that i...

CVE-2026-4342 ingress-nginx comment-based nginx configuration injection

A security issue was discovered in ingress-nginx where a combination of Ingress annotations can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. Note that i...

PT-2026-26428

Name of the Vulnerable Software and Affected Versions ingress-nginx versions prior to v1.13.9, v1.14.5, and v1.15.1 Description A security issue exists in ingress-nginx where a combination of Ingress annotations can be used to inject configuration into nginx. This can lead to arbitrary code...

CVE-2026-33003

Jenkins LoadNinja Plugin 2.1 and earlier stores LoadNinja API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system...

CVE-2026-33001

Jenkins 2.554 and earlier, LTS 2.541.2 and earlier does not safely handle symbolic links during the extraction of .tar and .tar.gz archives, allowing crafted archives to write files to arbitrary locations on the filesystem, restricted only by file system access permissions of the user running...

CVE-2026-32709

PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc2, An unauthenticated path traversal vulnerability in the PX4 Autopilot MAVLink FTP implementation allows any MAVLink peer to read, write, create, delete, and rename arbitrary files on the flight controller filesystem withou...

CVE-2026-3288

A security issue was discovered in ingress-nginx where the nginx.ingress.kubernetes.io/rewrite-target Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible t...

PT-2026-24119

Name of the Vulnerable Software and Affected Versions ingress-nginx versions prior to 1.13.7 and 1.14.3 Description A security issue exists in ingress-nginx where the nginx.ingress.kubernetes.io/rewrite-target Ingress annotation can be exploited to inject configuration into nginx. This can result...

CVE-2025-15566

A security issue was discovered in ingress-nginx where the nginx.ingress.kubernetes.io/auth-proxy-set-headers Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets...