GHSA-8V8J-3HXP-93WR Spring Boot's default security filter chain has no authorization rule with Actuator but without Health

In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web application; have no Spring Security configuration of its own and rely on the default web security filter...

Spring Boot's default security filter chain has no authorization rule with Actuator but without Health

In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web application; have no Spring Security configuration of its own and rely on the default web security filter...

CVE-2026-40976

In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web application; have no Spring Security configuration of its own and rely on the default web security filter...

EUVD-2026-25940

In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web application; have no Spring Security configuration of its own and rely on the default web security filter...

CVE-2026-40976

CVE-2026-40976 affects Spring Boot 4.0.0–4.0.5. In vulnerable configurations, a servlet-based web application that relies on Spring Boot’s default web security (no custom Spring Security config), depends on spring-boot-actuator-autoconfigure, and does not rely on spring-boot-health can experience...

GHSA-82FM-WPC2-5PMP Apache Storm Prometheus Reporter vulnerable to Improper Certificate Validation via Global SSL Context Downgrade

Improper Certificate Validation via Global SSL Context Downgrade in Apache Storm Prometheus Reporter Versions Affected: from 2.6.3 to 2.8.6 Description: In production deployments where an administrator enables storm.daemon.metrics.reporter.plugin.prometheus.skiptlsvalidation by default it is...

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization causing web security to be ineffective and allowing unauthorized access to all endpoints. Note: This is only exploitable if the following conditions are met: - the application is servlet-based; - the application ha...

GHSA-WVVQ-WGCR-9Q48 Traefik has a Potential mTLS Bypass via Fragmented TLS ClientHello Causing Pre-SNI Sniff Fallback to Default Non-mTLS TLS Config

Summary There is a potential vulnerability in Traefik's TLS SNI pre-sniffing logic related to fragmented ClientHello packets. When a TLS ClientHello is fragmented across multiple records, Traefik's SNI extraction may fail with an EOF and return an empty SNI. The TCP router then falls back to the...

EUVD-2026-13663

Traefik has a Potential mTLS Bypass via Fragmented TLS ClientHello Causing Pre-SNI Sniff Fallback to Default Non-mTLS TLS Config...

CVE-2026-32305 Traefik mTLS bypass via fragmented ClientHello SNI extraction failure

Traefik is an HTTP reverse proxy and load balancer. Versions 2.11.40 and below, 3.0.0-beta1 through 3.6.11, and 3.7.0-ea.1 are vulnerable to mTLS bypass through the TLS SNI pre-sniffing logic related to fragmented ClientHello packets. When a TLS ClientHello is fragmented across multiple records,...

CVE-2026-27589

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the local caddy admin API default listen 127.0.0.1:2019 exposes a state-changing POST /load endpoint that replaces the entire running configuration. When origin enforcement is not enabled enforceorigin not...

CVE-2025-32057

The Infotainment ECU manufactured by Bosch which is installed in Nissan Leaf ZE1 – 2020 uses a Redbend service for over-the-air provisioning and updates. HTTPS is used for communication with the back-end server. Due to usage of the default configuration for the underlying SSL engine, the server...

PT-2026-1941

Name of the Vulnerable Software and Affected Versions pnpm versions 10.0.0 through 10.25 Description pnpm is a package manager affected by an issue where git-hosted dependencies can execute arbitrary code during the pnpm install process. This bypasses the security feature introduced in version 10...

PT-2026-27775

Name of the Vulnerable Software and Affected Versions BIND versions 9.20.0 through 9.20.20 BIND versions 9.21.0 through 9.21.19 BIND versions 9.20.9-S1 through 9.20.20-S1 Description A use-after-return issue exists in the named server when processing DNS queries signed with SIG0. A crafted DNS...

Jira issue creation fails due to a problem with security level mapping.

h3. Issue Summary As per the issue-level security configuration|https://confluence.atlassian.com/adminjiraserver103/configuring-issue-level-security-1489807354.html documentation, when setting the default security level for an issue security scheme, if the issue reporter does not have the 'Set...

EUVD-2014-7693

Malware in sbrugna...

EUVD-2021-12744

Malware in sbrugna...

CVE-2025-55118 BMC Control-M/Agent memory corruption in SSL/TLS communication

Memory corruptions can be remotely triggered in the Control-M/Agent when SSL/TLS communication is configured. The issue occurs in the following cases: Control-M/Agent 9.0.20: SSL/TLS configuration is set to the non-default setting "useopenssl=n"; Control-M/Agent 9.0.21 and 9.0.22: Agent router...

Spring Framework MVC Applications Path Traversal Vulnerability

Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnerability” when deployed on a non-compliant Servlet container. An application can be vulnerable when all the following are true: the application is deployed as a WAR or with an embedded Servlet container the Servlet...

CVE-2025-41242

Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnerability” when deployed on a non-compliant Servlet container. An application can be vulnerable when all the following are true: the application is deployed as a WAR or with an embedded Servlet container the Servlet...