Lucene search
K

494 matches found

Nuclei
Nuclei
added yesterday102 views

Dragonfly2 < 2.1.0-beta.1 - Hardcoded JWT Secret

Dragonfly is an open source P2P-based file distribution and image acceleration system. It is hosted by the Cloud Native Computing Foundation CNCF as an Incubating Level Project. Dragonfly uses JWT to verify user. However, the secret key for JWT, "Secret Key", is hard coded, which leads to...

9.8CVSS6AI score0.33618EPSS
Exploits1References4
Nuclei
Nuclei
added yesterday76 views

Ruby Dragonfly <1.4.0 - Remote Code Execution

Ruby Dragonfly before 1.4.0 contains an argument injection vulnerability that allows remote attackers to read and write to arbitrary files via a crafted URL when the verifyurl option is disabled. This may lead to code execution. The problem occurs because the generate and process features mishand...

9.8CVSS7.2AI score0.72249EPSS
Exploits4References5
Circl
Circl
added 2026/07/06 10:35 p.m.7 views

CVE-2026-54709

creationtimestamp| type| source ---|---|--- 2026-07-06 22:35:29+00:00| published-proof-of-concept| https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-fhf9-m53m-863g...

5.9AI score
Exploits0References1
Circl
Circl
added 2026/07/06 10:35 p.m.8 views

CVE-2026-54637

creationtimestamp| type| source ---|---|--- 2026-07-06 22:35:14+00:00| published-proof-of-concept| https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-chwm-m7g7-685g...

5.9AI score
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/07/06 8:32 p.m.10 views

Dragonfly scheduler v1 and v2 gRPC unauthenticated SSRF via attacker-controlled PeerHost in DownloadTinyFile

Summary The Dragonfly scheduler's v1 gRPC service contains an unauthenticated Server-Side Request Forgery SSRF. When a peer reports a successful download of a TINY task, the scheduler calls Peer.DownloadTinyFile and issues an HTTP GET to a host and port taken verbatim from the attacker-controlled...

6.3AI score
Exploits0References11Affected Software1
OSV
OSV
added 2026/07/06 8:32 p.m.5 views

GHSA-CHWM-M7G7-685G Dragonfly scheduler v1 and v2 gRPC unauthenticated SSRF via attacker-controlled PeerHost in DownloadTinyFile

Summary The Dragonfly scheduler's v1 gRPC service contains an unauthenticated Server-Side Request Forgery SSRF. When a peer reports a successful download of a TINY task, the scheduler calls Peer.DownloadTinyFile and issues an HTTP GET to a host and port taken verbatim from the attacker-controlled...

6.9CVSS6.3AI score
Exploits0References11
Positive Technologies
Positive Technologies
added 2026/07/06 12:0 a.m.8 views

PT-2026-56058

Name of the Vulnerable Software and Affected Versions Dragonfly versions prior to v2.4.4-rc.2 Description The scheduler's v1 gRPC service is vulnerable to an unauthenticated Server-Side Request Forgery SSRF. A remote attacker can force the scheduler to make HTTP GET requests to arbitrary internal...

6.9CVSS6.1AI score
Exploits0References13
Circl
Circl
added 2026/07/02 8:35 p.m.11 views

CVE-2026-49254

creationtimestamp| type| source ---|---|--- 2026-07-02 20:35:02+00:00| published-proof-of-concept| https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-4q9j-6299-gxmr...

5.8AI score
Exploits0References1
OSV
OSV
added 2026/07/02 7:21 p.m.2 views

GHSA-4Q9J-6299-GXMR Dragonfly Manager OAuth provider client_secret disclosure via unauthenticated GET /api/v1/oauth

Summary The Dragonfly Manager exposes GET /api/v1/oauth and GET /api/v1/oauth/:id to unauthenticated clients. The response body deserializes the entire manager/models.Oauth struct, which includes the clientsecret field. Any network-reachable attacker can read the OAuth client secrets configured f...

6.3CVSS6AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.9 views

PT-2026-55450

Name of the Vulnerable Software and Affected Versions dragonfly versions prior to 2.4.4 Description The Dragonfly Manager fails to enforce authentication on specific API endpoints, allowing unauthenticated network-reachable attackers to retrieve sensitive OAuth client secrets. The issue occurs...

6.3CVSS6AI score
Exploits0References4
NVD
NVD
added 2026/06/26 6:16 p.m.8 views

CVE-2026-47206

Dragonfly is an in-memory data store built for modern application workloads. Prior to 1.39.9, Dragonfly has a RESP Protocol Injection via Lua redis.errorreply in EvalSerializer. An authenticated user can inject arbitrary RESP messages into the connection's response stream, potentially causing...

2.3CVSS0.00283EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/26 4:39 p.m.35 views

CVE-2026-47206 Dragonfly: RESP Protocol Injection via Lua redis.error_reply() in EvalSerializer

Dragonfly is an in-memory data store built for modern application workloads. Prior to 1.39.9, Dragonfly has a RESP Protocol Injection via Lua redis.errorreply in EvalSerializer. An authenticated user can inject arbitrary RESP messages into the connection's response stream, potentially causing...

2.3CVSS0.00283EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/06/26 4:39 p.m.7 views

CVE-2026-47206

Dragonfly is an in-memory data store built for modern application workloads. Prior to 1.39.9, Dragonfly has a RESP Protocol Injection via Lua redis.errorreply in EvalSerializer. An authenticated user can inject arbitrary RESP messages into the connection's response stream, potentially causing...

2.3CVSS5.9AI score0.00283EPSS
Exploits0References4Affected Software1
CVE
CVE
added 2026/06/26 4:39 p.m.21 views

CVE-2026-47206

Dragonfly is an in-memory store. Before version 1.39.9, it is vulnerable to RESP protocol injection via Lua redis.error_reply() in EvalSerializer, allowing an authenticated user to inject arbitrary RESP messages into the connection’s response stream and potentially desynchronize responses for con...

2.3CVSS5.9AI score0.00283EPSS
Exploits0References3
SUSE CVE
SUSE CVE
added 2026/03/20 10:11 a.m.5 views

SUSE CVE-2025-59353

Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, a peer can obtain a valid TLS certificate for arbitrary IP addresses, effectively rendering the mTLS authentication useless. The issue is that the Manager's Certificate gRPC service does not...

7.5CVSS7.4AI score0.00219EPSS
Exploits1References2
SUSE CVE
SUSE CVE
added 2026/02/07 12:24 a.m.4 views

SUSE CVE-2026-24124

Dragonfly is an open source P2P-based file distribution and image acceleration system. In versions 2.4.1-rc.0 and below, the Job API endpoints /api/v1/jobs lack JWT authentication middleware and RBAC authorization checks in the routing configuration. This allows any unauthenticated user with acce...

9.8CVSS5.3AI score0.00713EPSS
Exploits1References3
OSV
OSV
added 2026/02/02 9:5 p.m.6 views

GO-2026-4356 Dragonfly Manager Job API Unauthenticated Access in d7y.io/dragonfly

Dragonfly Manager Job API Unauthenticated Access in d7y.io/dragonfly...

9.8CVSS5.2AI score0.00713EPSS
Exploits1References3
RedhatCVE
RedhatCVE
added 2026/01/26 3:10 p.m.5 views

CVE-2026-24124

Dragonfly is an open source P2P-based file distribution and image acceleration system. In versions 2.4.1-rc.0 and below, the Job API endpoints /api/v1/jobs lack JWT authentication middleware and RBAC authorization checks in the routing configuration. This allows any unauthenticated user with acce...

9.8CVSS5.9AI score0.00713EPSS
Exploits1References1
NVD
NVD
added 2026/01/22 11:15 p.m.8 views

CVE-2026-24124

Dragonfly is an open source P2P-based file distribution and image acceleration system. In versions 2.4.1-rc.0 and below, the Job API endpoints /api/v1/jobs lack JWT authentication middleware and RBAC authorization checks in the routing configuration. This allows any unauthenticated user with acce...

9.8CVSS0.00713EPSS
Exploits1References2
Snyk
Snyk
added 2026/01/22 10:50 p.m.5 views

Missing Authentication for Critical Function

Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function due to the lack of JWT authentication middleware and RBAC authorization checks in the routing configuration for /api/v1/jobs endpoint. An attacker can view, update, and delete jobs by sending...

9.8CVSS5.6AI score0.00713EPSS
Exploits1References2
Rows per page
Query Builder