204 matches found
CVE-2026-57349
Unauthenticated Cross Site Scripting XSS in WPeMatico RSS Feed Fetcher = 2.8.17 versions...
MAL-2026-6691 Malicious code in polymarket-clob-maths (npm)
Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign targeting Polymarket developers. polymarket-clob-maths uses a dropper technique: a postinstall hook fetches a remote bundle from trabalhos-flax.vercel.app and executes a syncSession function that runs a...
Credential Exposure
Overview Affected versions of this package are vulnerable to Credential Exposure in jsonnetfetcher.go that may expose the Kubernetes service account token of the Grafana Operator manager to users with sufficient privileges to create Dashboard or LibraryPanel resources. This token can be used to...
CVE-2026-50568
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.25.0, SanitizeFilePath in pkg/utils/utils.go validated that a path stayed under a safe directory by calling strings.HasPrefixpath,...
CVE-2026-46617
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.23.0, Fission runtime pods were created with ServiceAccountName: fission-fetcher, and the fission-fetcher ServiceAccount was granted...
Fission 安全漏洞
Fission is an open-source function deployment framework based on Kubernetes. Versions of Fission prior to 1.25.0 contain security vulnerabilities. These vulnerabilities stem from the SanitizeFilePath function, which uses string prefix checks instead of directory boundary checks. As a result,...
CVE-2026-41856: Spring GraphQL Annotation Detection Vulnerability
The Spring GraphQL annotation detection mechanism for @Controller data fetchers may not correctly resolve annotations on methods within type hierarchies. This can be an issue if such annotations are used for authorization decisions. Spring for GraphQL application are vulnerable when all the...
PT-2026-48513
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.25.0, SanitizeFilePath in pkg/utils/utils.go validated that a path stayed under a safe directory by calling strings.HasPrefixpath,...
PT-2026-48512
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.25.0, Unarchive in pkg/utils/zip.go joined each archive entry name with the destination directory via filepath.Join and wrote the result...
Medium: credentials-fetcher
Issue Overview: A denial of service vulnerability GHSA-XMRV-PMRH-HHX2 was found in the bundled AWS SDK for Go v2 EventStream decoder used by credentials-fetcher. An attacker who can inject a malformed EventStream response frame with a crafted header value type byte outside the valid range can cau...
Amazon Linux 2023 : credentials-fetcher (ALAS2023-2026-1792)
It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1792 advisory. A denial of service vulnerability GHSA-XMRV-PMRH-HHX2 was found in the bundled AWS SDK for Go v2 EventStream decoder used by credentials-fetcher. An attacker who can inject a malformed EventStream...
Linux Distros Unpatched Vulnerability : CVE-2025-68616
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - WeasyPrint helps web developers to create PDF documents. Prior to version 68.0, a server-side request forgery SSRF protection bypass exists in WeasyPrint's...
CVE-2026-10517
A flaw was found in Clair. The fetcher component makes outbound HTTP requests to attacker-supplied URIs from manifest layer descriptors without IP or scheme filtering. When PSK authentication is not configured opt-in, not enforced by default, an unauthenticated attacker can submit a manifest with...
CVE-2026-10517
The CVE describes a flaw in Clair’s fetcher where it makes outbound HTTP requests to attacker-supplied URIs taken from manifest layer descriptors without filtering IPs or schemes. If PSK authentication is not configured, an unauthenticated attacker can submit a manifest pointing to internal servi...
CVE-2026-10517
A flaw was found in Clair. The fetcher component makes outbound HTTP requests to attacker-supplied URIs from manifest layer descriptors without IP or scheme filtering. When PSK authentication is not configured opt-in, not enforced by default, an unauthenticated attacker can submit a manifest with...
CVE-2026-10517
A flaw was found in Clair. The fetcher component makes outbound HTTP requests to attacker-supplied URIs from manifest layer descriptors without IP or scheme filtering. When PSK authentication is not configured opt-in, not enforced by default, an unauthenticated attacker can submit a manifest with...
Clair 代码问题漏洞
Clair is a project open source by QUAY. It is used for static analysis of vulnerabilities in application containers currently including OCI and Docker. Clair has code-related vulnerabilities. These vulnerabilities arise from the fetcher component, which allows unauthenticated attackers to perform...
Server-side Request Forgery (SSRF)
Overview compliance-trestle is a Tools to manage & autogenerate python objects representing the OSCAL layers/models Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the HTTPSFetcher.dofetch function. A user can access internal services or cloud metadata...
PT-2026-44178
The Independent Analytics plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.14.9. This is due to a public tracking route at /wp-json/iawp/search that accepts attacker-controlled referrer url values when the signature matches, combined with a...
GHSA-G3VG-VX23-3858 compliance-trestle Remote Fetching Mechanism has an Arbitrary File Write via Cache Path Traversal
Summary The compliance-trestle library's remote fetching cache mechanism HTTPSFetcher and SFTPFetcher constructs the local cache file path from the URL path component without sanitizing path traversal sequences ../. When a remote OSCAL profile references a URL with traversal in its path, the HTTP...