EUVD-2025-21135

Malicious code in bioql PyPI...

MAL-2025-25213 Malicious code in lexi-data-api (npm)

The package lexi-data-api was found to contain malicious code...

Malicious code in lexi-data-api (npm)

The package lexi-data-api was found to contain malicious code...

Security update for cosign

This update for cosign fixes the following issues: Update to version 2.5.3 jscSLE-23879: CVE-2025-46569: Fixed OPA server Data API HTTP path injection of Rego bsc1246725 Changelog: Update to 2.5.3: Add signing-config create command 4280 Allow multiple services to be specified for trusted-root...

OPA server Data API HTTP path injection of Rego

...

SUSE CVE-2025-46569

Open Policy Agent OPA is an open source, general-purpose policy engine. Prior to version 1.4.0, when run as a server, OPA exposes an HTTP Data API for reading and writing documents. Requesting a virtual document through the Data API entails policy evaluation, where a Rego query containing a singl...

GO-2025-3660 OPA server Data API HTTP path injection of Rego in github.com/open-policy-agent/opa

OPA server Data API HTTP path injection of Rego in github.com/open-policy-agent/opa...

Incorrect Authorization

Overview github.com/open-policy-agent/opa/server is an open source, general-purpose policy engine that enables unified, context-aware policy enforcement across the entire stack. Affected versions of this package are vulnerable to Incorrect Authorization via the HTTP Data API. An attacker can...

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization via the HTTP Data API. An attacker can manipulate the Rego code within the query to either cause the server to perform unintended actions or to consume excessive resources, leading to a Denial of Service DoS. Not...

AZL-63067 CVE-2025-46569 affecting package opa for versions less than 0.63.0-2

Open Policy Agent OPA is an open source, general-purpose policy engine. Prior to version 1.4.0, when run as a server, OPA exposes an HTTP Data API for reading and writing documents. Requesting a virtual document through the Data API entails policy evaluation, where a Rego query containing a singl...

CVE-2025-46569

Open Policy Agent OPA is an open source, general-purpose policy engine. Prior to version 1.4.0, when run as a server, OPA exposes an HTTP Data API for reading and writing documents. Requesting a virtual document through the Data API entails policy evaluation, where a Rego query containing a singl...

CVE-2025-46569 OPA server Data API HTTP path injection of Rego

Open Policy Agent OPA is an open source, general-purpose policy engine. Prior to version 1.4.0, when run as a server, OPA exposes an HTTP Data API for reading and writing documents. Requesting a virtual document through the Data API entails policy evaluation, where a Rego query containing a singl...

CVE-2025-46569 OPA server Data API HTTP path injection of Rego

Open Policy Agent OPA is an open source, general-purpose policy engine. Prior to version 1.4.0, when run as a server, OPA exposes an HTTP Data API for reading and writing documents. Requesting a virtual document through the Data API entails policy evaluation, where a Rego query containing a singl...

CVE-2025-46569

Summary: CVE-2025-46569 affects Open Policy Agent (OPA) prior to 1.4.0 when run as a server. A HTTP Data API path can be crafted to inject Rego code into the constructed query, enabling potential oracle attacks, incorrect policy decisions, and a DoS via expensive evaluation. Impact: high (policy ...

OPA server Data API HTTP path injection of Rego

Impact When run as a server, OPA exposes an HTTP Data API for reading and writing documents. Requesting a virtual document through the Data API entails policy evaluation, where a Rego query containing a single data document reference is constructed from the requested path. This query is then used...

PT-2025-18710 · Unknown · Open Policy Agent

Name of the Vulnerable Software and Affected Versions: Open Policy Agent OPA versions prior to 1.4.0 Description: The issue concerns the Open Policy Agent OPA, a general-purpose policy engine. In versions prior to 1.4.0, when run as a server, OPA exposes an HTTP Data API. A crafted HTTP request...

CVE-2025-42603 Information Disclosure Vulnerability in Meon KYC solutions

This vulnerability exists in the Meon KYC solutions due to transmission of sensitive data in plain text within the response payloads of certain API endpoints. An authenticated remote attacker could exploit this vulnerability by intercepting API response that contains unencrypted sensitive...

CVE-2024-47053

CVE-2024-47053 concerns an authorization flaw in Mautic’s API. Any authenticated user can access all reports and their data via the API, bypassing permissions intended to restrict access to non-system reports (e.g., View Own/View Others). The vulnerability arises from Mautic’s HTTP Basic Authenti...

Apache Superset SQL Injection Vulnerability (CNVD-2024-26534)

Apache Superset is a data visualization and data exploration platform from the Apache USA Foundation. Apache Superset suffers from a SQL injection vulnerability that stems from the application's lack of validation of externally entered SQL statements. An attacker can exploit the vulnerability to...

PT-2024-20550 · Apache · Apache Superset

Name of the Vulnerable Software and Affected Versions: Apache Superset versions prior to 3.0.4 Apache Superset versions 3.1.0 through 3.1.0 Description: A guest user could exploit a chart data REST API and send arbitrary SQL statements that, on error, could leak information from the underlying...