385 matches found
RLSA-2026:35826 Important: grafana-pcp security update
The Grafana plugin for Performance Co-Pilot includes datasources for scalable time series from pmseries and Redis, live PCP metrics and bpftrace scripts from pmdabpftrace, as well as several dashboards. Security Fixes: golang.org/x/net/idna: golang: golang.org/x/net/idna: Privilege escalation via...
CVE-2026-10539
creationtimestamp| type| source ---|---|--- 2026-07-01 09:00:27+00:00| seen| https://infosec.exchange/users/offseq/statuses/116843900249979266 2026-07-01 09:00:30+00:00| seen| https://bsky.app/profile/offseq.bsky.social/post/3mpl5q6s6c62x 2026-07-01 09:13:02+00:00| seen|...
CVE-2026-58375 JimuReport 2.5.0 - Unauthenticated Report Export via /jmreport/auto/export
JimuReport through 2.5.0 exposes the POST /jmreport/auto/export endpoint without authentication: the handler is annotated @JimuNoLoginRequired, so JimuReportTokenInterceptor skips all authentication and authorization, and the export service streams the rendered report for any supplied report id...
CVE-2026-12473
OHIF Viewers are affected: two default-configured data sources, DICOMWebProxy and DICOMJSON, fetch an arbitrary URL parameter without validation. A global authentication service in OHIF automatically injects the user's OIDC Bearer token into those requests and transmits it to an attacker-controll...
EUVD-2026-39470
ToolJet is the open-source foundation am AI-native platform for building and deploying internal tools, workflows and AI agents. Prior to 3.20.1780-lts, the authenticated endpoint POST /api/data-sources/decrypt returns the decrypted plaintext for any credential whose credentialid is supplied in th...
CVE-2026-55411 ToolJet: Cross-tenant credential decryption (IDOR) in POST /api/data-sources/decrypt — any authenticated user can decrypt any organization's data-source secrets
ToolJet is the open-source foundation am AI-native platform for building and deploying internal tools, workflows and AI agents. Prior to 3.20.1780-lts, the authenticated endpoint POST /api/data-sources/decrypt returns the decrypted plaintext for any credential whose credentialid is supplied in th...
CVE-2026-11717
An authentication bypass vulnerability exists in the generic opaque token validation path validateOpaqueToken of googleapis/mcp-toolbox. When verifying an unparsed opaque token via an OAuth 2.0 introspection endpoint RFC 7662, the toolbox decodes the response into an introspectResp struct where t...
llm-endpoint-vulnerability-poc
LLM Endpoint Vulnerability PoC A proof-of-concept for exposin...
PT-2026-46969
Name of the Vulnerable Software and Affected Versions DataDog::DogStatsd versions prior to 0.08 Description DataDog::DogStatsd does not properly sanitize input, which allows metric injections from untrusted sources. The format event method, utilized by the event method, fails to validate tag...
State of Post Quantum Cryptography
Discussion of PQC relevant statistics that we see across our customers and other data sources...
CVE-2026-46427
Budibase is an open-source low-code platform. Prior to 3.38.3, removeSecrets at packages/server/src/sdk/workspace/datasources/datasources.ts masks only datasource config fields whose schema type is DatasourceFieldType.PASSWORD. The Snowflake integration types its privateKey field as...
Pimcore has Unsafe PHP Deserialization in Multiple Locations Without allowed_classes Restriction
GitHub Security Advisory Draft — GM-374 Summary Multiple locations in Pimcore v11 call PHP's unserialize on data from database columns and filesystem files without the allowedclasses restriction, enabling object injection if an attacker can control the serialized data source. Severity CVSS 3.1: 8...
Budibase 代码问题漏洞
Budibase is an open-source platform developed by Budibase in the UK. It allows for the creation of internal applications, workflows, and management panels within minutes. Versions of Budibase prior to 3.38.1 contained code-related vulnerabilities. These vulnerabilities stemmed from the integratio...
Budibase 安全漏洞
Budibase is an open-source platform developed by Budibase in the UK. It allows for the creation of internal applications, workflows, and management panels within minutes. Versions of Budibase prior to 3.39.0 contained security vulnerabilities. These vulnerabilities stemmed from the fact that GET...
PT-2026-44147
GM-374 Summary Multiple locations in Pimcore v11 call PHP's unserialize on data from database columns and filesystem files without the allowed classes restriction, enabling object injection if an attacker can control the serialized data source. Affected Component - Package: pimcore/pimcore and...
PT-2026-44055
Name of the Vulnerable Software and Affected Versions Budibase versions prior to 3.38.3 Description The removeSecrets function in the server SDK fails to mask datasource configuration fields unless their schema type is DatasourceFieldType.PASSWORD. Because the Snowflake integration defines the...
FreeBSD : Grafana -- Public dashboards discloses all direct mode datasources (6b2bf8e9-5900-11f1-b525-3c7c3fba4204)
The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 6b2bf8e9-5900-11f1-b525-3c7c3fba4204 advisory. https://grafana.com/security/security-advisories/cve-2026-27877 reports: When using public dashboards a...
cve-researcher
cve-researcher AI-powered CVE research in your terminal —...
CVE-2026-28910
creationtimestamp| type| source ---|---|--- 2026-05-21 17:47:19+00:00| seen| https://infosec.exchange/users/alexandreborges/statuses/116613816857863838 2026-05-21 17:47:29+00:00| seen| https://bsky.app/profile/alexandreborges.bsky.social/post/3mmexyl75a22g 2026-05-22 04:40:06+00:00| seen|...
RLSA-2023:2177 Moderate: grafana-pcp security and enhancement update
The Grafana plugin for Performance Co-Pilot includes datasources for scalable time series from pmseries and Redis, live PCP metrics and bpftrace scripts from pmdabpftrace, as well as several dashboards. Security Fixes: golang: net/http: handle server errors after sending GOAWAY CVE-2022-27664 For...