Insufficiently Protected Credentials
Overview: org.springframework.ai:spring-ai-autoconfigure-model-transformers is a Spring AI ONNX Transformers Auto Configuration. Affected versions of this package are vulnerable to Insufficiently Protected Credentials via the default cache directory used by TransformersEmbeddingModel. An attacker c...
CVE-2026-2836
A cache poisoning vulnerability has been found in the Pingora HTTP proxy framework’s default cache key construction. The issue occurs because the default HTTP cache key implementation generates cache keys using only the URI path, excluding critical factors such as the host header authority...
EUVD-2026-9512
Pingora vulnerable to cache poisoning via insecure-by-default cache key...
GHSA-2M8C-2374-465F Duplicate Advisory: Cache poisoning via insecure-by-default cache key
Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-f93w-pcj3-rggc. This link is maintained to preserve external references. Original Description: A cache poisoning vulnerability has been found in the Pingora HTTP proxy framework’s default cache key construction...
Pingora security vulnerability
Pingora is a library open sourced by Cloudflare, used for building fast, reliable, and scalable network services. Prior to version 0.8.0, Pingora had security vulnerabilities. These vulnerabilities stemmed from improper construction of default cache keys, which could lead to cross-tenant data lea...
CVE-2026-2836
Pingora CVE-2026-2836 affects the default cache key construction in Pingora’s alpha proxy caching feature, which uses only the URI path and omits the host header (authority) and other factors. This can enable cross-tenant data leakage and cache poisoning where cached responses may be served to us...
CVE-2026-2836 Cache poisoning via insecure-by-default cache key
A cache poisoning vulnerability has been found in the Pingora HTTP proxy framework’s default cache key construction. The issue occurs because the default HTTP cache key implementation generates cache keys using only the URI path, excluding critical factors such as the host header authority...
PT-2026-23082
Name of the Vulnerable Software and Affected Versions: Pingora versions prior to 0.8.0. Description: A cache poisoning issue exists in the Pingora HTTP proxy framework’s default cache key construction. The default HTTP cache key implementation generates cache keys using only the URI path, excluding...
argo-cd: Bypassing Rate Limit and Brute Force Protection Using Cache Overflow
A flaw was found in Argo CD, where the rate limit for login attempts may be bypassed due to an incomplete fix for CVE-2020-8827. The cache-based mechanism is limited to a defaultMaxCacheSize of 1000 entries. An attacker can overflow this cache by sending excessive login attempts for different...
kubernetes: Schema info written with world-writeable permissions when cached
A flaw was found in kubectl that leaves http-cache files with read/write permissions for any user. In conjunction with a non-default value for --cache-dir, this may lead to the cache content being placed in a location accessible to other users on the system...
Default configuration
It was found that the REST API in Infinispan before version 9.0.0 did not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name...
infinispan: auth bypass in REST api
It was found that the REST API in infinispan did not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name...