Lucene search
K

7860 matches found

NVD
NVD
added 2026/04/24 5:16 p.m.3 views

CVE-2026-6912

Improperly controlled modification of dynamically-determined object attributes in the Cognito User Pool configuration in AWS Ops Wheel before PR 165 allows remote authenticated users to escalate to deployment admin privileges and manage Cognito user accounts via a crafted UpdateUserAttributes API...

8.8CVSS0.00419EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/04/24 4:37 p.m.9 views

k8sGPT has Prompt Injection through its k8sGPT-Operator

Summary In the auto-remediation pipeline, objecttoexecution.go was deserializing the AI-generated YAML directly into a Deployment object, but there was lack of validation from the original Deployment object. Details This issue was fixed after coordination with Alex Jones. PoC To minimize the...

5.3AI score
Exploits0References2Affected Software1
OSV
OSV
added 2026/04/24 4:37 p.m.4 views

GHSA-RP7V-4384-HFRP k8sGPT has Prompt Injection through its k8sGPT-Operator

Summary In the auto-remediation pipeline, objecttoexecution.go was deserializing the AI-generated YAML directly into a Deployment object, but there was lack of validation from the original Deployment object. Details This issue was fixed after coordination with Alex Jones. PoC To minimize the...

8.7CVSS5.8AI score
Exploits0References2
Snyk
Snyk
added 2026/04/24 4:31 p.m.4 views

Insufficient Verification of Data Authenticity

Overview Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity in the ForwardAuth middleware when trustForwardHeader is set to false and the deployment is behind a trusted upstream proxy. An attacker can gain unauthorized access to protected backend...

10CVSS5.5AI score0.00267EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/04/24 4:11 p.m.22 views

CVE-2026-6912 Privilege Escalation via Self-Writable Cognito Custom Attribute in AWS Ops Wheel

Improperly controlled modification of dynamically-determined object attributes in the Cognito User Pool configuration in AWS Ops Wheel before PR 165 allows remote authenticated users to escalate to deployment admin privileges and manage Cognito user accounts via a crafted UpdateUserAttributes API...

8.8CVSS0.00419EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/04/24 4:11 p.m.3 views

CVE-2026-6912 Privilege Escalation via Self-Writable Cognito Custom Attribute in AWS Ops Wheel

Improperly controlled modification of dynamically-determined object attributes in the Cognito User Pool configuration in AWS Ops Wheel before PR 165 allows remote authenticated users to escalate to deployment admin privileges and manage Cognito user accounts via a crafted UpdateUserAttributes API...

8.8CVSS5.5AI score0.00419EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/04/24 4:11 p.m.3 views

CVE-2026-6912

Improperly controlled modification of dynamically-determined object attributes in the Cognito User Pool configuration in AWS Ops Wheel before PR 165 allows remote authenticated users to escalate to deployment admin privileges and manage Cognito user accounts via a crafted UpdateUserAttributes API...

8.8CVSS5.5AI score0.00419EPSS
Exploits0References4
CVE
CVE
added 2026/04/24 4:11 p.m.10 views

CVE-2026-6912

The CVE-2026-6912 affects AWS Ops Wheel prior to PR #165, where access to dynamically determined Cognito User Pool attributes can be abused. The root cause is improper control over updates to object attributes, enabling remote authenticated users to escalate to deployment-admin privileges by craf...

8.8CVSS5.5AI score0.00419EPSS
Exploits0References3
EUVD
EUVD
added 2026/04/24 4:11 p.m.5 views

EUVD-2026-25577

Improperly controlled modification of dynamically-determined object attributes in the Cognito User Pool configuration in AWS Ops Wheel before PR 165 allows remote authenticated users to escalate to deployment admin privileges and manage Cognito user accounts via a crafted UpdateUserAttributes API...

8.8CVSS5.5AI score0.00419EPSS
Exploits0References3
OSV
OSV
added 2026/04/24 3:32 p.m.4 views

GHSA-W7RC-Q6CM-F5GM Apache Airflow's asset dependency graph did not restrict nodes by the viewer's DAG read permissions

The asset dependency graph did not restrict nodes by the viewer's DAG read permissions: a user with read access to at least one DAG could browse the asset graph for any other asset in the deployment and learn the existence and names of DAGs and assets outside their authorized scope. Users are...

4.3CVSS5.8AI score0.00352EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/04/24 12:0 a.m.5 views

PT-2026-35028

Improperly controlled modification of dynamically-determined object attributes in the Cognito User Pool configuration in AWS Ops Wheel before PR 165 allows remote authenticated users to escalate to deployment admin privileges and manage Cognito user accounts via a crafted UpdateUserAttributes API...

8.8CVSS5.5AI score0.00419EPSS
Exploits0References4
NVD
NVD
added 2026/04/23 10:16 p.m.10 views

CVE-2026-41339

OpenClaw before 2026.4.2 exposes configPath and stateDir metadata in Gateway connect success snapshots to non-admin authenticated clients. Non-admin clients can recover host-specific filesystem paths and deployment details, enabling host fingerprinting and facilitating chained attacks...

5.3CVSS0.00283EPSS
Exploits0References3
Snyk
Snyk
added 2026/04/23 3:7 p.m.6 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization via import flow. An attacker can gain remote code execution using company creation endpoint that improperly checks for admin rights in authenticated mode deployment with default configuration. Remediation Upgrade...

10CVSS6.5AI score0.01972EPSS
Exploits4References2
Packet Storm News
Packet Storm News
added 2026/04/23 12:0 a.m.5 views

A-THENA: Early Intrusion Detection for IoT with Time-Aware Hybrid Encoding and Network-Specific Augmentation

The proliferation of Internet of Things IoT devices has significantly expanded attack surfaces, making IoT ecosystems particularly susceptible to sophisticated cyber threats. To address this challenge, this work introduces A-THENA, a lightweight early intrusion detection system EIDS that...

5.3AI score
Exploits0
Tenable Nessus
Tenable Nessus
added 2026/04/23 12:0 a.m.15 views

Oracle Siebel Server <= 26.2 (April 2026 CPU)

The versions of Oracle Siebel CRM installed on the remote host are affected by multiple vulnerabilities as referenced in the April 2026 CPU advisory. - Vulnerability in the Siebel CRM Integration product of Oracle Siebel CRM component: REST Jettison. Supported versions that are affected are...

8.8CVSS6.5AI score0.62368EPSS
Exploits11References31
Packet Storm
Packet Storm
added 2026/04/23 12:0 a.m.103 views

📄 Keras 3.13.0 Malicious ML Model Server HDF5 Shape Bomb

This script is a Flask-based web server that distributes .keras machine learning model files, but it is designed in a malicious way for security research/testing scenarios. The main idea is a denial of service via memory exhaustion, where generated Keras models contain artificially declared...

7.5CVSS6.5AI score0.00299EPSS
Exploits3
Cvelist
Cvelist
added 2026/04/22 11:7 p.m.27 views

CVE-2026-3621 IBM WebSphere Application Server Liberty is affected by identity spoofing

IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.4 IBM WebSphere Application Server Liberty is vulnerable to identity spoofing under limited conditions when an application is deployed without authentication and authorization configured...

7.5CVSS0.00276EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/04/22 7:57 p.m.9 views

monetr: Server-side request forgery in Lunch Flow link creation and refresh

Impact A server-side request forgery SSRF vulnerability in monetr's Lunch Flow integration allowed any authenticated user on a self-hosted instance to cause the monetr server to issue HTTP GET requests to arbitrary URLs supplied by the caller, with the response body from non-200 upstream response...

8.3CVSS6.1AI score0.00331EPSS
Exploits0References6Affected Software1
OSV
OSV
added 2026/04/22 7:57 p.m.7 views

GHSA-29V9-FRVH-C426 monetr: Server-side request forgery in Lunch Flow link creation and refresh

Impact A server-side request forgery SSRF vulnerability in monetr's Lunch Flow integration allowed any authenticated user on a self-hosted instance to cause the monetr server to issue HTTP GET requests to arbitrary URLs supplied by the caller, with the response body from non-200 upstream response...

8.3CVSS6.1AI score0.00331EPSS
Exploits0References6
Imperva Blog
Imperva Blog
added 2026/04/22 12:59 p.m.7 views

Enterprise-Grade Application Security, Cloud-Native Speed: Introducing Imperva for Google Cloud

In today’s dynamic digital environment, the pressure to innovate has never been greater. Development teams are pushing for native cloud tools to maximize performance and cost-efficiency, while security teams require best-of-breed, enterprise-grade protection to defend against an ever-evolving...

5.8AI score
Exploits0
Rows per page
Query Builder