286 matches found
CVE-2026-44024
Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, Fluentd allows dynamically constructing file paths using the $tag placeholder, and insufficient validation of $tag in file configurations such as the path...
CVE-2026-44025
Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, Fluentd's Monitor Agent plugin inmonitoragent exposes internal metrics and plugin information via a REST API, and responses from /api/plugins.json and related...
CVE-2026-44161
Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, the Fluentd outhttp output plugin allows placeholders such as $tag in the endpoint configuration parameter, and if a placeholder value is derived from untrusted...
CVE-2026-44160
Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, Fluentd's inhttp and inforward plugins support gzip-compressed data but enforce limits only on compressed payloads through settings such as bodysizelimit and...
CVE-2026-44161
Fluentd’s out_http plugin (pre-1.19.3) allows placeholders such as ${tag} in the endpoint configuration. If a placeholder comes from untrusted input, an attacker can control the destination hostname of outbound HTTP requests and force requests to arbitrary internal services (SSRF). Affected versi...
CVE-2026-44161 Fluentd: Server-Side Request Forgery (SSRF) via Placeholder Expansion in `out_http`
Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, the Fluentd outhttp output plugin allows placeholders such as $tag in the endpoint configuration parameter, and if a placeholder value is derived from untrusted...
CVE-2026-44161 Fluentd: Server-Side Request Forgery (SSRF) via Placeholder Expansion in `out_http`
Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, the Fluentd outhttp output plugin allows placeholders such as $tag in the endpoint configuration parameter, and if a placeholder value is derived from untrusted...
CVE-2026-44160 Fluentd: Denial of Service (DoS) via Gzip Decompression Bomb in `in_http` and `in_forward`
Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, Fluentd's inhttp and inforward plugins support gzip-compressed data but enforce limits only on compressed payloads through settings such as bodysizelimit and...
CVE-2026-44160
Fluentd CVE-2026-44160 affects in_http and in_forward plugins prior to 1.19.3, where gzip-compressed payloads were restricted only by body_size_limit and chunk_size_limit. Crafted compressed data can decompress in memory to an excessive size, causing DoS via memory exhaustion. The issue is fixed ...
CVE-2026-44160 Fluentd: Denial of Service (DoS) via Gzip Decompression Bomb in `in_http` and `in_forward`
Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, Fluentd's inhttp and inforward plugins support gzip-compressed data but enforce limits only on compressed payloads through settings such as bodysizelimit and...
CVE-2026-44025 Fluentd: Exposure of Sensitive Information via Monitor Agent API
Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, Fluentd's Monitor Agent plugin inmonitoragent exposes internal metrics and plugin information via a REST API, and responses from /api/plugins.json and related...
CVE-2026-44025 Fluentd: Exposure of Sensitive Information via Monitor Agent API
Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, Fluentd's Monitor Agent plugin inmonitoragent exposes internal metrics and plugin information via a REST API, and responses from /api/plugins.json and related...
CVE-2026-44025
CVE-2026-44025 affects Fluentd’s Monitor Agent in_monitor_agent. Prior to version 1.19.3, the REST API responses (e.g., /api/plugins.json) could expose internal metrics and plugin information that may contain sensitive data such as database passwords, API keys, or cloud credentials. The issue is ...
CVE-2026-44024
CVE-2026-44024 affects Fluentd. The issue arises when file paths are dynamically constructed via the ${tag} placeholder in configurations (notably in the out_file plugin). Insufficient validation of ${tag} with untrusted tags can introduce path traversal, enabling an attacker to write or overwrit...
CVE-2026-44024 Fluentd: Remote Code Execution (RCE) via Arbitrary File Write in `${tag}` Placeholder
Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, Fluentd allows dynamically constructing file paths using the $tag placeholder, and insufficient validation of $tag in file configurations such as the path...
CVE-2026-44024 Fluentd: Remote Code Execution (RCE) via Arbitrary File Write in `${tag}` Placeholder
Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, Fluentd allows dynamically constructing file paths using the $tag placeholder, and insufficient validation of $tag in file configurations such as the path...
GHSA-PR7J-96CJ-549H vulnerabilities
Vulnerabilities for packages: ruby3.2-fluentd-kubernetes-daemonset, kube-logging-operator, kube-fluentd-operator, ruby4.0-fluentd-kubernetes-daemonset, ruby3.3-fluentd-kubernetes-daemonset, ruby3.4-fluentd-kubernetes-daemonset...
GHSA-72F5-RR8C-R6GR vulnerabilities
Vulnerabilities for packages: ruby3.2-fluentd-kubernetes-daemonset, kube-logging-operator, kube-fluentd-operator, ruby4.0-fluentd-kubernetes-daemonset, ruby3.3-fluentd-kubernetes-daemonset, ruby3.4-fluentd-kubernetes-daemonset...
GHSA-44HJ-4M45-FRJ3 vulnerabilities
Vulnerabilities for packages: ruby3.2-fluentd-kubernetes-daemonset, kube-logging-operator, kube-fluentd-operator, ruby4.0-fluentd-kubernetes-daemonset, ruby3.3-fluentd-kubernetes-daemonset, ruby3.4-fluentd-kubernetes-daemonset...
CVE-2026-44161 vulnerabilities
Vulnerabilities for packages: ruby3.2-fluentd-kubernetes-daemonset, kube-logging-operator, kube-fluentd-operator, ruby4.0-fluentd-kubernetes-daemonset, ruby3.3-fluentd-kubernetes-daemonset, ruby3.4-fluentd-kubernetes-daemonset...