7655 matches found
9router's Hardcoded Default fallback JWT Secret Allows Authentication Bypass
9router uses a publicly known hardcoded string "9router-default-secret-change-me" as the fallback of JWT secret for all Dashboard session JWTs when the JWTSECRET environment variable is not set. Because this secret is committed in the public repository and unchanged across all releases, any...
PYSEC-2026-280 Cross-site Scripting in Apache superset
A stored cross-site scripting XSS vulnerability exists in Apache Superset before 3.0.3. An authenticated attacker with create/update permissions on charts or dashboards could store a script or add a specific HTML snippet that would act as a stored XSS. For 2.X versions, users should change their...
GHSA-5C25-7VPJ-9MQH Nezha Monitoring: Pre-auth path traversal via /dashboard.. prefix confusion leaks jwt_secret_key
Summary fallbackToFrontend in the dashboard's NoRoute handler treats any URL whose raw string starts with /dashboard as an admin-frontend asset request. The check uses strings.HasPrefix, not a path-segment match, so the input /dashboard../data/config.yaml is accepted; strings.TrimPrefix leaves...
EUVD-2026-36599
Nezha Monitoring: Authenticated users can claim the dashboard Host through NAT and preempt all dashboard routing...
GHSA-X6FG-52VR-HJ4W Nezha Monitoring: Authenticated users can claim the dashboard Host through NAT and preempt all dashboard routing
Summary An authenticated non-admin user who owns any server can create or update a NAT profile whose domain is equal to the dashboard's own HTTP Host for example, dashboard.example:8008. The dashboard's top-level HTTP/gRPC multiplexer checks NATShared.GetNATConfigByDomainr.Host before dispatching...
GHSA-45GG-VH54-H5M9 vulnerabilities
Vulnerabilities for packages: knative-kafka-broker, telegraf, containerd, external-dns, keda-fips, kyverno-fips, argocd-image-updater-fips, spire-server, commercial-grafana, osv-scanner, external-secrets-operator-fips, cert-manager, backup-restore-operator, zarf, gitlab-rails-ce-fips, gitea-fips,...
GHSA-X527-X647-Q7GG vulnerabilities
Vulnerabilities for packages: opentelemetry-collector, trivy-operator, istio, containerd, osv-scanner, vitess, kine, flux, external-dns, chisel, nerdctl, rancher, spire-server, flux-source-controller, k3s, kubernetes, cilium-cli, mattermost, argo-cd, aactl, kaf, gitlab-kas, loki, prometheus,...
GHSA-RM3J-F69W-WQMQ vulnerabilities
Vulnerabilities for packages: flux-operator, trivy-operator, istio, gomplate, eksctl, crossplane-provider-aws-elasticache, chisel, apko, step, nfpm, kubernetes, flux-kustomize-controller, nuclei, grype, crossplane-provider-aws-sns, docker-compose, gitea, cloud-provider-aws, falcoctl,...
GHSA-W879-237Q-WC7R vulnerabilities
Vulnerabilities for packages: flux-operator, trivy-operator, istio, gomplate, docker-machine-driver-harvester, eksctl, chisel, apko, step, nfpm, kubernetes, flux-kustomize-controller, nuclei, grype, gitea, cloud-provider-aws, falcoctl, kubernetes-dashboard, skaffold, cert-manager,...
GHSA-JPPX-RXG9-JMRX vulnerabilities
Vulnerabilities for packages: opentelemetry-collector, istio, containerd, vitess, kine, flux, external-dns, nerdctl, rancher, spire-server, k3s, kubernetes, cilium-cli, mattermost, argo-cd, aactl, buildah, gitlab-kas, kaf, loki, prometheus, helm, kots, cloud-provider-aws, teleport, rancher-agent,...
GHSA-9M57-25V3-79X9 vulnerabilities
Vulnerabilities for packages: opentelemetry-collector, istio, containerd, opentofu, vitess, kine, flux, external-dns, nerdctl, rancher, spire-server, k3s, kubernetes, cilium-cli, mattermost, argo-cd, aactl, buildah, gitlab-kas, kaf, loki, prometheus, helm, kots, cloud-provider-aws, teleport,...
GHSA-45GG-VH54-H5M9 vulnerabilities
Vulnerabilities for packages: opentelemetry-collector, trivy-operator, istio, containerd, osv-scanner, vitess, docker-machine-driver-harvester, flux, kine, external-dns, chisel, nerdctl, rancher, spire-server, flux-source-controller, k3s, kubernetes, cilium-cli, mattermost, argo-cd, aactl, kaf,...
GHSA-78MQ-XCR3-XM33 vulnerabilities
Vulnerabilities for packages: opentelemetry-collector, argo-events, guac, trivy-operator, istio, containerd, gomplate, osv-scanner, opentofu, pulumi-language-yaml, vitess, kine, flux, external-dns, gptscript, pulumi-language-dotnet, splunk-otel-collector, apko, nerdctl, spire-server,...
BIT-GRAFANA-2026-42127 Pre-authentication denial of service in the public dashboard query endpoint
The public dashboard query endpoint does not limit request body size before processing, allowing unauthenticated attackers to trigger excessive memory allocation by sending arbitrarily large JSON payloads. This can lead to denial of service through memory exhaustion. No valid dashboard access tok...
FreeBSD : Gitlab -- Vulnerabilities (ee1e7aef-7117-11f1-873f-2cf05da270f3)
The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the ee1e7aef-7117-11f1-873f-2cf05da270f3 advisory. Gitlab reports: Cross-site Scripting issue in Analytics Dashboard impacts GitLab EE Cross-site...
CVE-2026-56761 vulnerabilities
Vulnerabilities for packages: librechat, langfuse, wazuh-dashboard, kibana, langfuse-fips...
GO-2026-5355 Grafana Operator: Privilege escalation from namespace admin to cluster admin via GrafanaDashboard jsonnetLib fileName in github.com/grafana/grafana-operator
Grafana Operator: Privilege escalation from namespace admin to cluster admin via GrafanaDashboard jsonnetLib fileName in github.com/grafana/grafana-operator...
EUVD-2026-39139
Quest NetVault Backup NVBUDashboard SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Quest NetVault Backup. Although authentication is required to exploit this vulnerability, the existing...
EUVD-2026-38798
A Reflected Cross-Site Scripting XSS vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the dashboard-view component...
EUVD-2026-38802
A Cross-Site Scripting XSS vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of untrusted input in the Form Dashboard headline renderer...