CVE-2026-5412

CVE-2026-5412 (Juju) : An authorization issue in the Juju Controller facade allows an authenticated, low-privileged user to call the CloudSpec API and extract cloud credentials used to bootstrap the controller. This affects Juju versions prior to 2.9.57 and 3.6.21. The issue is mitigated by upgra...

CVE-2026-5412 Juju CloudSpec API could leak senstive information

In Juju versions prior to 2.9.57 and 3.6.21, an authorization issue exists in the Controller facade. An authenticated user can call the CloudSpec API method to extract the cloud credentials used to bootstrap the controller. This allows a low-privileged user to access sensitive credentials. This...

CLSA-2026-1775657929 kernel: Fix of 9 CVEs

ovl: Filter invalid inodes with missing lookup function CVE-2024-56570 - ALSA: aloop: Fix racy access at PCM trigger CVE-2026-23191 - media: imon: reorganize serialization CVE-2025-39993 - usb: xhci: Fix inverted ringxrunevent check in handletxevent CVE-2025-37882 - Revert "VFS: Impose ordering...

PT-2026-31912

Name of the Vulnerable Software and Affected Versions Juju versions prior to 2.9.57 and 3.6.21 Description Juju versions prior to 2.9.57 and 3.6.21 contain an authorization issue in the Controller facade. An authenticated user can call the CloudSpec API method to extract cloud credentials used fo...

CVE-2026-40109

Flux notification-controller is the event forwarder and notification dispatcher for the GitOps Toolkit controllers. Prior to 1.8.3, the gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any...

CVE-2026-40109 Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering

Flux notification-controller is the event forwarder and notification dispatcher for the GitOps Toolkit controllers. Prior to 1.8.3, the gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any...

CVE-2026-40109

Flux notification-controller is the event forwarder and notification dispatcher for the GitOps Toolkit controllers. Prior to 1.8.3, the gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any...

CVE-2026-40109

CVE-2026-40109 affects Flux notification-controller (GitOps Toolkit) prior to version 1.8.3. The vulnerability lies in the gcr Receiver type not validating the email claim of Google OIDC tokens used for Pub/Sub push authentication, allowing any valid Google-issued token to authenticate against th...

CVE-2026-40109 Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering

Flux notification-controller is the event forwarder and notification dispatcher for the GitOps Toolkit controllers. Prior to 1.8.3, the gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any...

CVE-2026-39957

Lychee is a free, open-source photo-management tool. Prior to 7.5.4, a SQL operator-precedence bug in SharingController::listAll causes the orWhereNotNull'usergroupid' clause to escape the ownership filter applied by the when block. Any authenticated non-admin user with upload permission who owns...

CVE-2026-39957 Lychee has Broken Access Control in SharingController::listAll() leaks private album sharing metadata to unauthorized users

Lychee is a free, open-source photo-management tool. Prior to 7.5.4, a SQL operator-precedence bug in SharingController::listAll causes the orWhereNotNull'usergroupid' clause to escape the ownership filter applied by the when block. Any authenticated non-admin user with upload permission who owns...

EUVD-2026-20954

Lychee is a free, open-source photo-management tool. Prior to 7.5.4, a SQL operator-precedence bug in SharingController::listAll causes the orWhereNotNull'usergroupid' clause to escape the ownership filter applied by the when block. Any authenticated non-admin user with upload permission who owns...

GHSA-HFVC-G4FC-PQHX vulnerabilities

Vulnerabilities for packages: rancher-system-agent, kine, pulumi-language-dotnet, thanos, kube-rbac-proxy, etcd, temporal, docker-compose, trillian, cloud-provider-azure, envoy-ratelimit, fluent-bit-plugin-loki, gitaly, percona-server-mongodb-operator, neuvector-sigstore-interface,...

CVE-2026-39883 vulnerabilities

Vulnerabilities for packages: rancher-system-agent, kine, pulumi-language-dotnet, thanos, kube-rbac-proxy, etcd, temporal, docker-compose, trillian, cloud-provider-azure, envoy-ratelimit, fluent-bit-plugin-loki, gitaly, percona-server-mongodb-operator, neuvector-sigstore-interface,...

CVE-2026-39883 vulnerabilities

Vulnerabilities for packages: ld-relay, opentelemetry-collector, ansible-operator, frankenphp-8.2, rancher-system-agent, percona-server-mongodb-operator-fips, gotrue, knative-net-istio, velero-plugin-for-gcp, gitlab-pages, traefik, moby-ryuk, jaeger-operator, k8s-image-swapper,...

GHSA-HFVC-G4FC-PQHX vulnerabilities

Vulnerabilities for packages: ld-relay, opentelemetry-collector, ansible-operator, frankenphp-8.2, rancher-system-agent, percona-server-mongodb-operator-fips, gotrue, knative-net-istio, velero-plugin-for-gcp, gitlab-pages, traefik, moby-ryuk, jaeger-operator, k8s-image-swapper,...

EUVD-2024-17238

An authenticated remote attacker with high privileges can exploit the OpenVPN configuration via the web-based management interface of a WAGO PLC. If user-defined scripts are permitted, OpenVPN may allow the execution of arbitrary shell commands enabling the attacker to run arbitrary commands on t...

CVE-2024-1490

An authenticated remote attacker with high privileges can exploit the OpenVPN configuration via the web-based management interface of a WAGO PLC. If user-defined scripts are permitted, OpenVPN may allow the execution of arbitrary shell commands enabling the attacker to run arbitrary commands on t...

CVE-2024-1490

CVE-2024-1490 affects WAGO PLCs via the web-based management interface (WBM) OpenVPN configuration. An authenticated remote attacker with high privileges can exploit the WBM to cause OpenVPN to execute arbitrary shell commands if user-defined scripts are allowed, enabling remote command execution...

Contemporary Controls BASC 20T

RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to enumerate the functionality of each component associated with the PLC, reconfigure, rename, delete, perform file transfers, and make remote procedure calls. 2. RECOMMENDED PRACTICES CISA recommends users...