21 matches found
GHSA-RM3J-F69W-WQMQ vulnerabilities
Vulnerabilities for packages: steampipe, guac, sops, loki, tw, ko, containerd, wal-g, gptscript, crossplane-provider-aws-rds, chisel, eksctl, opentelemetry-collector, step, policy-controller, argo-events, caddy, syft, crossplane-provider-aws-sqs, fscrypt, witness,...
GHSA-W879-237Q-WC7R vulnerabilities
Vulnerabilities for packages: steampipe, guac, sops, loki, ko, containerd, wal-g, gptscript, chisel, eksctl, opentelemetry-collector, step, policy-controller, argo-events, caddy, syft, fscrypt, witness, crossplane-provider-azure-managedidentity, pulumi-language-dotnet, kyverno, rancher, terragrun...
CVE-2026-41178 vulnerabilities
Vulnerabilities for packages: steampipe, terraform-provider-grafana, azure-workload-identity-webhook, loki, tw, containerd, cert-manager-webhook-pdns, vcluster, grafana-mimir, trufflehog, kubernetes-csi-node-driver-registrar, blob-csi, policy-controller, cadvisor, envoy-ratelimit, syft, spicedb,...
GHSA-5WRP-CWCJ-Q835 vulnerabilities
Vulnerabilities for packages: steampipe, terraform-provider-grafana, azure-workload-identity-webhook, loki, tw, containerd, cert-manager-webhook-pdns, vcluster, grafana-mimir, trufflehog, kubernetes-csi-node-driver-registrar, blob-csi, policy-controller, cadvisor, envoy-ratelimit, syft, spicedb,...
SUSE CVE-2026-40109
Flux notification-controller is the event forwarder and notification dispatcher for the GitOps Toolkit controllers. Prior to 1.8.3, the gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any...
GHSA-H9CX-XJG6-5V2W Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering
Impact: The gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any valid Google-issued token to authenticate against the Receiver webhook endpoint, triggering unauthorized Flux reconciliations...
EUVD-2026-21150
Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering...
Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering
Impact: The gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any valid Google-issued token to authenticate against the Receiver webhook endpoint, triggering unauthorized Flux reconciliations...
CVE-2026-40109
Flux notification-controller is the event forwarder and notification dispatcher for the GitOps Toolkit controllers. Prior to 1.8.3, the gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any...
CVE-2026-40109 Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering
Flux notification-controller is the event forwarder and notification dispatcher for the GitOps Toolkit controllers. Prior to 1.8.3, the gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any...
CVE-2026-40109
CVE-2026-40109 affects Flux notification-controller (GitOps Toolkit) prior to version 1.8.3. The vulnerability lies in the gcr Receiver type not validating the email claim of Google OIDC tokens used for Pub/Sub push authentication, allowing any valid Google-issued token to authenticate against th...
GHSA-9H8M-3FM2-QJRQ vulnerabilities
Vulnerabilities for packages: gitlab-runner-fips, livekit-server, velero-plugin-for-gcp-fips, harbor, vitess, falcosidekick-fips, kubescape-operator-fips, verticadb-operator-fips, cass-operator, gatekeeper, descheduler-fips, cert-manager, terragrunt-fips, containerd, kubescape-server, hydra-fips,...
GHSA-7WRW-R4P8-38RX vulnerabilities
Vulnerabilities for packages: rabbitmq-messaging-topology-operator, wgcf, bank-vaults, wireguard-go, flannel, cri-tools, kubecolor, kind, mage, ip-masq-agent, opa-envoy, stakater-reloader, cortex, linkerd2-proxy-init, xcaddy, helm-push, render-template, thanos, regclient, wuzz, overmind,...
CVE-2024-24786 vulnerabilities
Vulnerabilities for packages: crossplane-provider-aws-lambda, nfs-subdir-external-provisioner, kube-logging-operator, clusterctl, vertical-pod-autoscaler, falcosidekick-fips, azure-aad-pod-identity-mic, skopeo, cass-operator, atlantis-fips, cert-manager, crossplane-provider-aws-cloudformation,...
GHSA-3F2Q-6294-FMQ5 vulnerabilities
Vulnerabilities for packages: snyk-cli, flux-notification-controller, argo-events-fips, task, argo-events, argo-workflows, melange, pulumi-kubernetes-operator...
CVE-2023-46402 vulnerabilities
Vulnerabilities for packages: snyk-cli, flux-notification-controller, argo-events-fips, task, argo-events, argo-workflows, melange, pulumi-kubernetes-operator...
CVE-2023-46402 vulnerabilities
Vulnerabilities for packages: flux-notification-controller, task, snyk-cli, argo-workflows, melange, argo-events, pulumi-kubernetes-operator...
GHSA-M425-MQ94-257G vulnerabilities
Vulnerabilities for packages: cluster-autoscaler-fips, kiam, kube-oidc-proxy, prometheus-stackdriver-exporter, bank-vaults-fips, kubevela, smarter-device-manager-fips, terraform-provider-sendgrid, dgraph, terraform-provider-sendgrid-fips, kubescape, prometheus-blackbox-exporter, k3d,...
GHSA-M425-MQ94-257G vulnerabilities
Vulnerabilities for packages: buildkitd, up, k3d, kubeflow, dgraph, kubescape, cortex, scorecard, src, terraform-provider-sendgrid, kubevela, slsa-verifier, spark-operator, aactl, falco, prometheus-blackbox-exporter...