2668 matches found
TencentOS Server 3: glibc (TSSA-2025:0498)
The version of Tencent Linux installed on the remote TencentOS Server 3 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the TSSA-2025:0498 advisory. Package updates are available for TencentOS Server 3 that fix the following vulnerabilities:...
AZL-65136 CVE-2025-49809 affecting package mtr 0.95-1
mtr through 0.95, in certain privileged contexts, mishandles execution of a program specified by the MTRPACKET environment variable. NOTE: mtr on macOS may often have Sudo rules, as an indirect consequence of Homebrew not installing setuid binaries...
Exploit for Server-Side Request Forgery in Apache Kafka
Disclaimer: The vulnerabilities described in this article and...
CVE-2025-49809
CVE-2025-49809 affects mtr up to version 0.95. In certain privileged contexts, execution of a program specified by the MTR_PACKET environment variable is mishandled, enabling potential local impact. Public details consistently mention macOS sudo-related considerations due to Homebrew not installi...
CVE-2025-49809
mtr through 0.95, in certain privileged contexts, mishandles execution of a program specified by the MTRPACKET environment variable. NOTE: mtr on macOS may often have Sudo rules, as an indirect consequence of Homebrew not installing setuid binaries...
kafka-clients: privilege escalation to filesystem read-access via automatic ConfigProvider
A flaw was found in Apache Kafka Clients. Apache Kafka Clients accepts configuration data for customizing behavior and includes ConfigProvider plugins to manipulate these configurations. Apache Kafka also provides FileConfigProvider, DirectoryConfigProvider, and EnvVarConfigProvider...
Security Bulletin: Security Vulnerability in Apache Kafka Client Affects IBM Sterling B2B Integrator and IBM Sterling File Gateway (CVE-2024-31141)
Summary IBM Sterling B2B Integrator and IBM Sterling File Gateway have addressed the security vulnearbility in Apache Kafka Client Vulnerability Details CVEID:CVE-2024-31141 DESCRIPTION: Files or Directories Accessible to External Parties, Improper Privilege Management vulnerability in Apache Kaf...
GO-2025-3745 listmonk's Sprig template Injection vulnerability leads to reading of Environment Variable for low privilege user in github.com/knadh/listmonk
listmonk's Sprig template Injection vulnerability leads to reading of Environment Variable for low privilege user in github.com/knadh/listmonk. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is...
Environment Variable Exposure
github.com/knadh/listmonk is vulnerable to Environment Variable Exposure. The vulnerability is due to the use of env and expandenv template functions in Sprig, which allows non-super-admin users to capture sensitive environment variables in multi-user installations...
CVE-2025-49136 listmonk's Sprig template Injection vulnerability leads to reading of Environment Variable for low privilege user
listmonk is a standalone, self-hosted, newsletter and mailing list manager. Starting in version 4.0.0 and prior to version 5.0.2, the env and expandenv template functions which is enabled by default in Sprig enables capturing of env variables on host. While this may not be a problem on single-use...
CVE-2025-49136 listmonk's Sprig template Injection vulnerability leads to reading of Environment Variable for low privilege user
listmonk is a standalone, self-hosted, newsletter and mailing list manager. Starting in version 4.0.0 and prior to version 5.0.2, the env and expandenv template functions which is enabled by default in Sprig enables capturing of env variables on host. While this may not be a problem on single-use...
GHSA-JC7G-X28F-3V3H listmonk's Sprig template Injection vulnerability leads to reading of Environment Variable for low privilege user
Summary The env and expandenv template functions which is enabled by default in Sprig enables capturing of env variables on the host. While this may not be a problem on single-user super admin installations, on multi-user installations, this allows non-super-admin users with campaign or template...
listmonk 安全漏洞
listmonk is a high-performance, self-hosted, newsletter and mailing list manager with a modern dashboard by the individual developer Kailash Nadh. A security vulnerability exists in listmonk versions prior to 5.0.2, which stems from a template function capturing an environment variable that could...
PT-2025-24526 · Sprig +1 · Sprig +1
Name of the Vulnerable Software and Affected Versions: Listmonk versions 4.0.0 through 5.0.2 Description: Listmonk is a standalone, self-hosted, newsletter and mailing list manager. The env and expandenv template functions, enabled by default in Sprig, allow capturing of environment variables on...
CVE-2025-48934
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to versions 2.1.13 and 2.2.13, the Deno.env.toObject method ignores any variables listed in the --deny-env option of the deno run command. When looking at the documentation of the --deny-env option this might lead to a false...
CVE-2025-48934
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to versions 2.1.13 and 2.2.13, the Deno.env.toObject method ignores any variables listed in the --deny-env option of the deno run command. When looking at the documentation of the --deny-env option this might lead to a false...
CVE-2025-48934 Deno.env.toObject() ignores the variables listed in --deny-env and returns all environment variables
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to versions 2.1.13 and 2.2.13, the Deno.env.toObject method ignores any variables listed in the --deny-env option of the deno run command. When looking at the documentation of the --deny-env option this might lead to a false...
CVE-2025-48934
CVE-2025-48934 affects Deno runtime prior to v2.1.13 and v2.2.13, where Deno.env.toObject() can reveal environment variables despite --deny-env, due to the reading of variables exempt from the deny filter. The issue allows code to access most environment variables via toObject, potentially leakin...
CVE-2025-48934 Deno.env.toObject() ignores the variables listed in --deny-env and returns all environment variables
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to versions 2.1.13 and 2.2.13, the Deno.env.toObject method ignores any variables listed in the --deny-env option of the deno run command. When looking at the documentation of the --deny-env option this might lead to a false...
Contrast workload secrets leak to logs on INFO level
Impact When the Contrast initializer is configured with a CONTRASTLOGLEVEL of info or debug, the workload secret is logged to stderr and written to Kubernetes logs. Since info is the default setting, this affects all Contrast installations that don't customize their initializers' log level. The...