Lucene search
K

7655 matches found

GitLab Advisory Database
GitLab Advisory Database
added 2026/07/02 12:0 a.m.8 views

9router's Hardcoded Default fallback JWT Secret Allows Authentication Bypass

9router uses a publicly known hardcoded string "9router-default-secret-change-me" as the fallback of JWT secret for all Dashboard session JWTs when the JWTSECRET environment variable is not set. Because this secret is committed in the public repository and unchanged across all releases, any...

9.8CVSS5.8AI score0.0019EPSS
Exploits1References3Affected Software1
OSV
OSV
added 2026/06/29 11:50 a.m.7 views

PYSEC-2026-280 Cross-site Scripting in Apache superset

A stored cross-site scripting XSS vulnerability exists in Apache Superset before 3.0.3. An authenticated attacker with create/update permissions on charts or dashboards could store a script or add a specific HTML snippet that would act as a stored XSS. For 2.X versions, users should change their...

9.6CVSS5.6AI score0.0083EPSS
Exploits0References6
OSV
OSV
added 2026/06/26 11:3 p.m.6 views

GHSA-5C25-7VPJ-9MQH Nezha Monitoring: Pre-auth path traversal via /dashboard.. prefix confusion leaks jwt_secret_key

Summary fallbackToFrontend in the dashboard's NoRoute handler treats any URL whose raw string starts with /dashboard as an admin-frontend asset request. The check uses strings.HasPrefix, not a path-segment match, so the input /dashboard../data/config.yaml is accepted; strings.TrimPrefix leaves...

9.1CVSS5.9AI score0.00451EPSS
Exploits1References3
EUVD
EUVD
added 2026/06/26 11:0 p.m.13 views

EUVD-2026-36599

Nezha Monitoring: Authenticated users can claim the dashboard Host through NAT and preempt all dashboard routing...

6.5CVSS5.8AI score0.00282EPSS
Exploits0References2
OSV
OSV
added 2026/06/26 11:0 p.m.4 views

GHSA-X6FG-52VR-HJ4W Nezha Monitoring: Authenticated users can claim the dashboard Host through NAT and preempt all dashboard routing

Summary An authenticated non-admin user who owns any server can create or update a NAT profile whose domain is equal to the dashboard's own HTTP Host for example, dashboard.example:8008. The dashboard's top-level HTTP/gRPC multiplexer checks NATShared.GetNATConfigByDomainr.Host before dispatching...

6.5CVSS5.8AI score0.00282EPSS
Exploits0References3
Chainguard
Chainguard
added 2026/06/26 8:22 p.m.8 views

GHSA-45GG-VH54-H5M9 vulnerabilities

Vulnerabilities for packages: knative-kafka-broker, telegraf, containerd, external-dns, keda-fips, kyverno-fips, argocd-image-updater-fips, spire-server, commercial-grafana, osv-scanner, external-secrets-operator-fips, cert-manager, backup-restore-operator, zarf, gitlab-rails-ce-fips, gitea-fips,...

6.1AI score
Exploits0
Wolfi
Wolfi
added 2026/06/26 8:22 p.m.10 views

GHSA-X527-X647-Q7GG vulnerabilities

Vulnerabilities for packages: opentelemetry-collector, trivy-operator, istio, containerd, osv-scanner, vitess, kine, flux, external-dns, chisel, nerdctl, rancher, spire-server, flux-source-controller, k3s, kubernetes, cilium-cli, mattermost, argo-cd, aactl, kaf, gitlab-kas, loki, prometheus,...

6.1AI score
Exploits0
Wolfi
Wolfi
added 2026/06/26 8:22 p.m.16 views

GHSA-RM3J-F69W-WQMQ vulnerabilities

Vulnerabilities for packages: flux-operator, trivy-operator, istio, gomplate, eksctl, crossplane-provider-aws-elasticache, chisel, apko, step, nfpm, kubernetes, flux-kustomize-controller, nuclei, grype, crossplane-provider-aws-sns, docker-compose, gitea, cloud-provider-aws, falcoctl,...

6.1AI score
Exploits0
Wolfi
Wolfi
added 2026/06/26 8:22 p.m.9 views

GHSA-W879-237Q-WC7R vulnerabilities

Vulnerabilities for packages: flux-operator, trivy-operator, istio, gomplate, docker-machine-driver-harvester, eksctl, chisel, apko, step, nfpm, kubernetes, flux-kustomize-controller, nuclei, grype, gitea, cloud-provider-aws, falcoctl, kubernetes-dashboard, skaffold, cert-manager,...

6.1AI score
Exploits0
Wolfi
Wolfi
added 2026/06/26 8:22 p.m.6 views

GHSA-JPPX-RXG9-JMRX vulnerabilities

Vulnerabilities for packages: opentelemetry-collector, istio, containerd, vitess, kine, flux, external-dns, nerdctl, rancher, spire-server, k3s, kubernetes, cilium-cli, mattermost, argo-cd, aactl, buildah, gitlab-kas, kaf, loki, prometheus, helm, kots, cloud-provider-aws, teleport, rancher-agent,...

6.1AI score
Exploits0
Wolfi
Wolfi
added 2026/06/26 8:22 p.m.7 views

GHSA-9M57-25V3-79X9 vulnerabilities

Vulnerabilities for packages: opentelemetry-collector, istio, containerd, opentofu, vitess, kine, flux, external-dns, nerdctl, rancher, spire-server, k3s, kubernetes, cilium-cli, mattermost, argo-cd, aactl, buildah, gitlab-kas, kaf, loki, prometheus, helm, kots, cloud-provider-aws, teleport,...

6.1AI score
Exploits0
Wolfi
Wolfi
added 2026/06/26 8:22 p.m.10 views

GHSA-45GG-VH54-H5M9 vulnerabilities

Vulnerabilities for packages: opentelemetry-collector, trivy-operator, istio, containerd, osv-scanner, vitess, docker-machine-driver-harvester, flux, kine, external-dns, chisel, nerdctl, rancher, spire-server, flux-source-controller, k3s, kubernetes, cilium-cli, mattermost, argo-cd, aactl, kaf,...

6.1AI score
Exploits0
Wolfi
Wolfi
added 2026/06/26 8:22 p.m.7 views

GHSA-78MQ-XCR3-XM33 vulnerabilities

Vulnerabilities for packages: opentelemetry-collector, argo-events, guac, trivy-operator, istio, containerd, gomplate, osv-scanner, opentofu, pulumi-language-yaml, vitess, kine, flux, external-dns, gptscript, pulumi-language-dotnet, splunk-otel-collector, apko, nerdctl, spire-server,...

6.1AI score
Exploits0
OSV
OSV
added 2026/06/26 8:43 a.m.6 views

BIT-GRAFANA-2026-42127 Pre-authentication denial of service in the public dashboard query endpoint

The public dashboard query endpoint does not limit request body size before processing, allowing unauthenticated attackers to trigger excessive memory allocation by sending arbitrarily large JSON payloads. This can lead to denial of service through memory exhaustion. No valid dashboard access tok...

7.5CVSS6.1AI score0.00432EPSS
Exploits0References2
Tenable Nessus
Tenable Nessus
added 2026/06/26 12:0 a.m.5 views

FreeBSD : Gitlab -- Vulnerabilities (ee1e7aef-7117-11f1-873f-2cf05da270f3)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the ee1e7aef-7117-11f1-873f-2cf05da270f3 advisory. Gitlab reports: Cross-site Scripting issue in Analytics Dashboard impacts GitLab EE Cross-site...

8.7CVSS5.7AI score0.00328EPSS
Exploits0References15
Chainguard
Chainguard
added 2026/06/25 8:37 p.m.7 views

CVE-2026-56761 vulnerabilities

Vulnerabilities for packages: librechat, langfuse, wazuh-dashboard, kibana, langfuse-fips...

5.3CVSS6.1AI score0.00174EPSS
Exploits0
OSV
OSV
added 2026/06/25 6:43 p.m.6 views

GO-2026-5355 Grafana Operator: Privilege escalation from namespace admin to cluster admin via GrafanaDashboard jsonnetLib fileName in github.com/grafana/grafana-operator

Grafana Operator: Privilege escalation from namespace admin to cluster admin via GrafanaDashboard jsonnetLib fileName in github.com/grafana/grafana-operator...

8.8CVSS5.8AI score0.00361EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/25 12:33 a.m.7 views

EUVD-2026-39139

Quest NetVault Backup NVBUDashboard SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Quest NetVault Backup. Although authentication is required to exploit this vulnerability, the existing...

8.8CVSS6.5AI score0.00689EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/24 6:32 p.m.6 views

EUVD-2026-38798

A Reflected Cross-Site Scripting XSS vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the dashboard-view component...

5.1CVSS5.8AI score0.00268EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/24 6:32 p.m.7 views

EUVD-2026-38802

A Cross-Site Scripting XSS vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of untrusted input in the Form Dashboard headline renderer...

4.6CVSS5.8AI score0.00256EPSS
Exploits0References3
Rows per page
Query Builder