Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-007584)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-007584 advisory. In the Linux kernel, the following vulnerability has been resolved: net: fec: remove .ndopollcontroller to avoid deadlocks There is a deadlock issue found in sungem...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-007312)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-007312 advisory. In the Linux kernel, the following vulnerability has been resolved: can: j1939: Fix UAF in j1939skmatchfilter during setsockoptSOJ1939FILTER Lock jsk-sk to prevent U...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-007565)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-007565 advisory. In the Linux kernel, the following vulnerability has been resolved: irqchip/gic-v3: Do not enable irqs when handling spurious interrups We triggered the following...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-007417)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-007417 advisory. In the Linux kernel, the following vulnerability has been resolved: scsi: mvsas: Fix use-after-free bugs in mvsworkqueue During the detaching of Marvell's SAS/SATA...

GHSA-8WFP-579W-6R25 Kyverno apiCall automatically forwards ServiceAccount token to external endpoints (credential leak)

Summary Kyverno's apiCall service mode automatically attaches the admission controller's ServiceAccount SA token to outbound HTTP requests. This results in unintended credential exposure when requests are sent to external or attacker-controlled endpoints. The behavior is insecure-by-default and n...

GHSA-F9G8-6PPC-PQQ4 Kyverno: ServiceAccount token leaked to external servers via apiCall service URL

Summary Kyverno's apiCall feature in ClusterPolicy automatically attaches the admission controller's ServiceAccount token to outgoing HTTP requests. The service URL has no validation — it can point anywhere, including attacker-controlled servers. Since the admission controller SA has permissions ...

Kyverno: ServiceAccount token leaked to external servers via apiCall service URL

Summary Kyverno's apiCall feature in ClusterPolicy automatically attaches the admission controller's ServiceAccount token to outgoing HTTP requests. The service URL has no validation — it can point anywhere, including attacker-controlled servers. Since the admission controller SA has permissions ...

USN-8179-1: Linux kernel vulnerabilities

Josh Eads, Kristoffer Janke, Eduardo Vela Nava, Tavis Ormandy, and Matteo Rizzo discovered that some AMD Zen processors did not properly verify the signature of CPU microcode. This flaw is known as EntrySign. A privileged attacker could possibly use this issue to cause load malicious CPU microcod...

PT-2026-34846

Name of the Vulnerable Software and Affected Versions Kyverno versions prior to 1.18.0 Kyverno versions prior to 1.17.2 Kyverno versions prior to 1.16.4 Description The apiCall feature in ClusterPolicy automatically attaches the admission controller's ServiceAccount token to outgoing HTTP request...

Microsoft Windows Server Domain Role Detection

SMB-login based domain role detection with powershell fallback for Windows Server. SPDX-FileCopyrightText: 2026 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescriptio...

CLEANSTART-2026-BZ28794 Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service

Multiple security vulnerabilities affect the aws-load-balancer-controller package. Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. See references for...

SUSE CVE-2026-40109

Flux notification-controller is the event forwarder and notification dispatcher for the GitOps Toolkit controllers. Prior to 1.8.3, the gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any...

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the /SyncPlay/New endpoint. An attacker can exhaust system memory and disrupt service availability by submitting excessively large SyncPlay group names in POST requests to the...

External Control of File Name or Path

Overview Affected versions of this package are vulnerable to External Control of File Name or Path in the POST /Videos/itemId/Subtitles endpoint due to insufficient validation of the Format field, which allows path traversal via the file extension and enables arbitrary file write. An attacker can...

Kyverno has SSRF via CEL http.Get/http.Post in NamespacedValidatingPolicy allows cross-namespace data access

Summary A Server-Side Request Forgery SSRF vulnerability in Kyverno's CEL HTTP library pkg/cel/libs/http/ allows users with namespace-scoped policy creation permissions to make arbitrary HTTP requests from the Kyverno admission controller. This enables unauthorized access to internal services in...

CVE-2026-40109

Flux notification-controller is the event forwarder and notification dispatcher for the GitOps Toolkit controllers. Prior to 1.8.3, the gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any...

EUVD-2026-22505

Out-of-bounds read in Windows Storage Spaces Controller allows an authorized attacker to elevate privileges locally...

EUVD-2026-22445

Integer underflow wrap or wraparound in Windows Storage Spaces Controller allows an authorized attacker to elevate privileges locally...

EUVD-2026-22301

A Broken Object-Level Authorization BOLA in the /Controllers/Lead/LeadController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any lead owned by other users via supplying a crafted GET request...

EUVD-2026-22300

A Broken Object-Level Authorization BOLA in the /Settings/UserController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily reset user passwords and perform a full account takeover via supplying a crafted HTTP request...