CVE-2026-35206 vulnerabilities
Vulnerabilities for packages: k9s, harbor, zot, trivy, zarf, k8ssandra-client, helm-docs, chart-testing, cilium-cli, istio, headlamp, tw, kots, helm-operator, cert-manager-cmctl, eksctl, envoy-gateway, flux-source-controller, chartmuseum, helm-mapkubeapis, kubescape, pluto, flux, kuma,...
GHSA-HR2V-4R36-88HR vulnerabilities
Vulnerabilities for packages: k9s, harbor, zot, trivy, zarf, k8ssandra-client, helm-docs, chart-testing, cilium-cli, istio, headlamp, tw, kots, helm-operator, cert-manager-cmctl, eksctl, envoy-gateway, flux-source-controller, chartmuseum, helm-mapkubeapis, kubescape, pluto, flux, kuma,...
GHSA-FV83-X2XW-2J55 vulnerabilities
Vulnerabilities for packages: grafana-operator, victoriametrics-cluster, ingress-nginx-controller, oras, aws-privateca-issuer, aws-load-balancer-controller, goreleaser, aws-network-policy-agent, omnibump, envoy-ratelimit, temporal, newrelic-infra-operator, dkron, flux-image-reflector-controller,...
GHSA-JRG3-GFJW-HM96 vulnerabilities
Vulnerabilities for packages: mc, dynamic-localpv-provisioner, etcd, temporal, trillian, terraform, envoy-ratelimit, gitaly, crossplane-provider-keycloak, redka, kubernetes-dashboard, aws-node-termination-handler, incert, terraform-provider-time, rancher-system-upgrade-controller,...
GHSA-7MR4-XJXG-34G6 vulnerabilities
Vulnerabilities for packages: mc, kine, net-kourier, sftpgo-plugin-eventstore, memcached-exporter, vexctl, etcd, terraform-provider-azapi, temporal, trillian, cloud-provider-azure, envoy-ratelimit, terraform, gitaly, crossplane-provider-keycloak, zot, redka, kubernetes-dashboard, step-issuer,...
CVE-2026-32283 vulnerabilities
Vulnerabilities for packages: mc, dynamic-localpv-provisioner, etcd, temporal, trillian, terraform, envoy-ratelimit, gitaly, crossplane-provider-keycloak, redka, kubernetes-dashboard, aws-node-termination-handler, incert, terraform-provider-time, rancher-system-upgrade-controller,...
CVE-2026-32281 vulnerabilities
Vulnerabilities for packages: mc, dynamic-localpv-provisioner, etcd, temporal, trillian, terraform, envoy-ratelimit, gitaly, crossplane-provider-keycloak, amazon-k8s-cni, redka, kubernetes-dashboard, aws-node-termination-handler, incert, terraform-provider-time, rancher-system-upgrade-controller,...
CVE-2026-35206 vulnerabilities
Vulnerabilities for packages: helm-docs, pluto-fips, eksctl, kube-arangodb, helm-set-status, linkerd2, flux-source-controller-fips, consul-k8s, helm-push, cloudbeat, pluto, teleport, cert-manager-cmctl, cilium-cli, cloudbeat-fips, helm-mapkubeapis, cerbos, chaos-mesh, flux-source-controller,...
GHSA-5W89-2C2X-6X66 vulnerabilities
Vulnerabilities for packages: kyverno-policy-reporter-plugins-kyverno, kyverno-policy-reporter-kyverno-plugin, crossplane-provider-aws-servicediscovery-fips, secrets-store-csi-driver-provider-aws-fips, podman, gitlab-pages, traefik, amazon-cloudwatch-agent-operator, chisel-fips,...
CVE-2026-32283 vulnerabilities
Vulnerabilities for packages: minc, tekton-chains-fips, newrelic-infra-operator, prometheus-pushgateway-fips, local-path-provisioner-fips, kyverno-policy-reporter-plugins-kyverno, newrelic-fluent-bit-output-fips, stakater-reloader-fips, kyverno-policy-reporter-kyverno-plugin,...
PT-2026-32126
A security vulnerability has been detected in perfree go-fastdfs-web up to 1.3.7. This affects an unknown part of the file src/main/java/com/perfree/controller/InstallController.java of the component doInstall Interface. The manipulation leads to improper authorization. The attack may be initiate...
Improper Authorization
Overview: Affected versions of this package are vulnerable to Improper Authorization via the CloudSpec method on the Controller facade. An attacker can obtain sensitive cloud credentials by making an authenticated API call with only basic login permissions, without requiring elevated privileges...
EUVD-2026-21364
Juju: CloudSpec method leaking cloud credentials...
GHSA-W5FQ-8965-C969 Juju: CloudSpec method leaking cloud credentials
Impact: If a user has login permission to a controller and knows the controller model UUID, they can call the CloudSpec method on the Controller facade and get cloud credentials used to bootstrap the controller. The CloudSpec API is called by workers running in the controller to maintain connectio...
EUVD-2026-21150
Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering...
GHSA-H9CX-XJG6-5V2W Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering
Impact: The gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any valid Google-issued token to authenticate against the Receiver webhook endpoint, triggering unauthorized Flux reconciliations...
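The following is an added example, not code from Flux or the notification-controller, illustrating the gap in the GCR Receiver advisory above: a check that validates only the issuer and audience of a Google OIDC push token accepts a token minted by any Google identity for that audience, while a check that also pins the verified email claim to the subscription's service account does not. The receiver URL used as audience, the service-account email and both tokens are constructed fixtures; the tokens carry a placeholder signature because the example assumes signature verification against Google's keys has already happened and only models the claims check.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Claims holds the OIDC fields that matter for a Pub/Sub push token. Google's
// tokens carry more; these are the ones the checks below look at.
type Claims struct {
	Issuer        string `json:"iss"`
	Audience      string `json:"aud"`
	Email         string `json:"email"`
	EmailVerified bool   `json:"email_verified"`
}

// decodeClaims extracts the payload of a compact JWT. It deliberately does NOT
// verify the signature: this example assumes that has already been done
// against Google's published keys, which is where a real receiver must start.
func decodeClaims(token string) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("not a compact JWT")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return Claims{}, fmt.Errorf("payload: %w", err)
	}
	var c Claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return Claims{}, fmt.Errorf("claims: %w", err)
	}
	return c, nil
}

var errUnauthorized = errors.New("unauthorized")

// authorizeIssuerAudienceOnly is the gap the advisory describes: issuer and
// audience are checked, so any Google-issued token minted for this audience is
// accepted regardless of which Google identity it belongs to.
func authorizeIssuerAudienceOnly(c Claims, wantAud string) error {
	if c.Issuer != "https://accounts.google.com" && c.Issuer != "accounts.google.com" {
		return errUnauthorized
	}
	if c.Audience != wantAud {
		return errUnauthorized
	}
	return nil
}

// authorizeWithEmail additionally pins the token to the service account the
// push subscription was configured with, and requires Google to have verified it.
func authorizeWithEmail(c Claims, wantAud, wantEmail string) error {
	if err := authorizeIssuerAudienceOnly(c, wantAud); err != nil {
		return err
	}
	if !c.EmailVerified || c.Email != wantEmail {
		return errUnauthorized
	}
	return nil
}

// makeUnsignedToken builds a compact JWT with a placeholder signature for the
// constructed inputs below (a real Pub/Sub push token is RS256-signed by Google).
func makeUnsignedToken(c Claims) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	payload, _ := json.Marshal(c)
	return header + "." + base64.RawURLEncoding.EncodeToString(payload) + ".sig"
}

// Constructed values: the receiver's audience and the expected push identity.
const (
	wantAud   = "https://notifications.example.internal/hook/constructed"
	wantEmail = "gcr-push@my-project.iam.gserviceaccount.com"
)

// Constructed tokens: one from the expected service account, one from an
// unrelated Google identity that targeted the same audience.
var (
	legitToken    = makeUnsignedToken(Claims{Issuer: "https://accounts.google.com", Audience: wantAud, Email: wantEmail, EmailVerified: true})
	attackerToken = makeUnsignedToken(Claims{Issuer: "https://accounts.google.com", Audience: wantAud, Email: "anyone@other-project.iam.gserviceaccount.com", EmailVerified: true})
)

func main() {
	for name, tok := range map[string]string{"legit": legitToken, "attacker": attackerToken} {
		c, _ := decodeClaims(tok)
		fmt.Printf("%-8s iss+aud only: %v | with email: %v\n", name,
			authorizeIssuerAudienceOnly(c, wantAud), authorizeWithEmail(c, wantAud, wantEmail))
	}
}
```

The audience alone is not a secret: anyone with a Google identity can mint an ID token for an arbitrary audience, or point their own push subscription at the receiver URL, which is why the email claim (and `email_verified`) has to be part of the decision.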
CVE-2026-5412
In Juju versions prior to 2.9.57 and 3.6.21, an authorization issue exists in the Controller facade. An authenticated user can call the CloudSpec API method to extract the cloud credentials used to bootstrap the controller. This allows a low-privileged user to access sensitive credentials. This...
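The following is an added example, not Juju's code, modelling the authorization gap the Juju entries above describe and adding the check an operator would want: whether a given controller version predates the fixed releases the advisory names (2.9.57 and 3.6.21). The `Caller` fields, the `CloudSpec` type, the controller model UUID and the credential are constructed for the example, and the hardened policy (serve the bootstrap credential only to the controller's own agents or superusers) is an illustration of the fix class, not the text of Juju's patch.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// CloudSpec stands in for the credential material the Controller facade hands
// back. Field names are assumptions for this example, not Juju's own types.
type CloudSpec struct {
	Cloud      string
	Credential map[string]string
}

// Caller models what the API server knows about an authenticated client.
// The fields are illustrative; Juju's real authorizer is not reproduced here.
type Caller struct {
	Name              string
	CanLogin          bool // holds "login" access to the controller
	IsSuperuser       bool // holds "superuser" (admin) access to the controller
	IsControllerAgent bool // an agent running inside the controller itself
}

// Constructed fixtures: a controller model UUID and a fake bootstrap credential.
const controllerModelUUID = "0f9c4d4e-1111-4a2b-9c3d-000000000001"

var bootstrapSpec = CloudSpec{Cloud: "example-cloud",
	Credential: map[string]string{"access-key": "AKIA-CONSTRUCTED", "secret-key": "not-a-real-secret"}}

var errPermission = errors.New("permission denied")

// cloudSpecVulnerable reproduces the flaw class in the advisory: the only gate
// is login access plus knowledge of the controller model UUID.
func cloudSpecVulnerable(c Caller, modelUUID string) (CloudSpec, error) {
	if !c.CanLogin || modelUUID != controllerModelUUID {
		return CloudSpec{}, errPermission
	}
	return bootstrapSpec, nil
}

// cloudSpecHardened limits the call to principals that legitimately need the
// bootstrap credential: the controller's own agents and superusers. This is an
// illustrative policy, not the text of Juju's actual fix.
func cloudSpecHardened(c Caller, modelUUID string) (CloudSpec, error) {
	if modelUUID != controllerModelUUID || (!c.IsControllerAgent && !c.IsSuperuser) {
		return CloudSpec{}, errPermission
	}
	return bootstrapSpec, nil
}

// parseVersion turns "major.minor.patch" into a comparable integer key
// (major*10^6 + minor*10^3 + patch). It accepts the "3.6.20-genericlinux-amd64"
// form that `juju version` prints by ignoring everything after the first '-'.
func parseVersion(s string) (major, key int, err error) {
	s = strings.SplitN(strings.TrimPrefix(strings.TrimSpace(s), "v"), "-", 2)[0]
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return 0, 0, fmt.Errorf("version %q is not major.minor.patch", s)
	}
	for _, p := range parts {
		n, convErr := strconv.Atoi(p)
		if convErr != nil || n < 0 || n > 999 {
			return 0, 0, fmt.Errorf("version %q: bad component %q", s, p)
		}
		key = key*1000 + n
	}
	return key / 1_000_000, key, nil
}

// AffectedByCVE20265412 reports whether a controller version predates the
// fixed releases named in the advisory: 2.9.57 on the 2.x line and 3.6.21 on
// the 3.x line. Other major lines are outside the advisory text, so the
// function returns an error instead of guessing.
func AffectedByCVE20265412(ver string) (bool, error) {
	major, key, err := parseVersion(ver)
	if err != nil {
		return false, err
	}
	switch major {
	case 2:
		return key < 2_009_057, nil
	case 3:
		return key < 3_006_021, nil
	}
	return false, fmt.Errorf("version %s: major line not covered by the advisory", ver)
}

func main() {
	alice := Caller{Name: "alice", CanLogin: true}
	_, err := cloudSpecVulnerable(alice, controllerModelUUID)
	fmt.Println("vulnerable facade, login-only user:", err) // <nil>: credential returned
	_, err = cloudSpecHardened(alice, controllerModelUUID)
	fmt.Println("hardened facade, login-only user:", err) // permission denied
	hit, _ := AffectedByCVE20265412("3.6.20-genericlinux-amd64")
	fmt.Println("juju 3.6.20 affected:", hit) // true
}
```

The point of the two facade functions is that "login" is an authentication outcome, not an authorization decision: the worker that legitimately needs the bootstrap credential runs inside the controller, so the policy should key on that identity (or on superuser access), not on the caller merely knowing a model UUID. Feed `AffectedByCVE20265412` the output of `juju version` on the controller to decide whether an upgrade is due.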