Lucene search
K

9 matches found

OSV
OSV
added 2026/06/05 5:40 a.m.8 views

BIT-AIRFLOW-2026-42359 Apache Airflow: Authenticated RCE via XCom PATCH endpoint — XComUpdateBody missing FORBIDDEN_XCOM_KEYS validator

A bug in Apache Airflow's XCom PATCH endpoint PATCH /api/v2/xcomEntries/key allowed an authenticated UI/API user with XCom write permission on a Dag to set XCom entries under reserved key names e.g. returnvalue that the matching POST endpoint already validated against FORBIDDENXCOMKEYS. The...

8.8CVSS5.6AI score0.00592EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/06/02 10:2 a.m.15 views

CVE-2026-42359

A bug in Apache Airflow's XCom PATCH endpoint PATCH /api/v2/xcomEntries/key allowed an authenticated UI/API user with XCom write permission on a Dag to set XCom entries under reserved key names e.g. returnvalue that the matching POST endpoint already validated against FORBIDDENXCOMKEYS. The...

8.8CVSS5.8AI score0.0055EPSS
Exploits0References1
Snyk
Snyk
added 2026/06/01 10:29 a.m.11 views

Deserialization of Untrusted Data

Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the XCom PATCH endpoint PATCH /api/v2/xcomEntries/key that allows an authenticated UI/API user with XCom write permission on a Dag to set XCom entries under reserved key names e.g. returnvalue that...

8.8CVSS5.6AI score0.0055EPSS
Exploits0References2
OSV
OSV
added 2026/06/01 9:16 a.m.8 views

PYSEC-2026-185

A bug in Apache Airflow's XCom PATCH endpoint PATCH /api/v2/xcomEntries/key allowed an authenticated UI/API user with XCom write permission on a Dag to set XCom entries under reserved key names e.g. returnvalue that the matching POST endpoint already validated against FORBIDDENXCOMKEYS. The...

8.8CVSS5.8AI score0.00592EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/06/01 7:49 a.m.13 views

CVE-2026-42359

A bug in Apache Airflow's XCom PATCH endpoint PATCH /api/v2/xcomEntries/key allowed an authenticated UI/API user with XCom write permission on a Dag to set XCom entries under reserved key names e.g. returnvalue that the matching POST endpoint already validated against FORBIDDENXCOMKEYS. The...

8.8CVSS5.8AI score0.00592EPSS
Exploits0References3Affected Software1
CVE
CVE
added 2026/06/01 7:49 a.m.22 views

CVE-2026-42359

CVE-2026-42359 (Apache Airflow) : A bug in the XCom PATCH endpoint (PATCH /api/v2/xcomEntries/{key}) allows an authenticated UI/API user with XCom write permission on a DAG to set XCom entries under reserved keys (e.g., return_value) that bypass a prior validation on the POST path. The endpoint c...

8.8CVSS5.8AI score0.0055EPSS
Exploits0References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/01 12:0 a.m.16 views

PT-2026-45371

Name of the Vulnerable Software and Affected Versions Apache Airflow versions prior to 3.2.2 Description A bug in the XCom PATCH endpoint "PATCH /api/v2/xcomEntries/key" allows an authenticated UI/API user with XCom write permission on a Dag to set XCom entries using reserved key names, such as...

8.8CVSS5.7AI score0.0055EPSS
Exploits0References8
Snyk
Snyk
added 2026/04/09 10:7 a.m.5 views

Incomplete List of Disallowed Inputs

Overview Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs via the isVMLowLevelOptionForbidden function in lxd/project/limits/permissions.go. An attacker can set forbidden low-level VM configuration keys, such as raw.apparmor or raw.qemu.conf in a project th...

9.1CVSS5.4AI score0.00363EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/03/26 6:50 p.m.6 views

Convict has prototype pollution via load(), loadFile(), and schema initialization

Impact Two unguarded prototype pollution paths exist, not covered by previous fixes: 1. config.load / config.loadFile — overlay recursively merges config data without checking for forbidden keys. Input containing proto or constructor.prototype e.g. from a JSON file causes the recursion to reach...

5.8AI score0.00037EPSS
Exploits0References4Affected Software1
Rows per page
Query Builder