Lucene search
+L

1262 matches found

NVD
NVD
added 4 days ago4 views

CVE-2026-15738

Incorrect behavior order in the Gateway API listener-rule generation in Amazon AWS Load Balancer Controller before 3.4.2 might allow an authenticated remote user to intercept, spoof, or deny another namespace's gRPC traffic on a shared Gateway via a crafted HTTPRoute resource. To mitigate this...

8.5CVSS0.00373EPSS
Exploits0References2
Cvelist
Cvelist
added 4 days ago39 views

CVE-2026-15738 Cross-namespace traffic interception via incorrect route precedence ordering in AWS Load Balancer Controller

Incorrect behavior order in the Gateway API listener-rule generation in Amazon AWS Load Balancer Controller before 3.4.2 might allow an authenticated remote user to intercept, spoof, or deny another namespace's gRPC traffic on a shared Gateway via a crafted HTTPRoute resource. To mitigate this...

8.5CVSS0.00373EPSS
Exploits0References2
NVD
NVD
added 4 days ago4 views

CVE-2026-48068

@grpc/grps-js implements the core functionality of gRPC purely in JavaScript, without a C++ addon. Prior to 1.9.16, 1.10.12, 1.11.4, 1.12.7, 1.13.5, and 1.14.4, an invalid incoming HTTP/2 stream initiation can cause a server process created using @grpc/grpc-js to crash. This issue is fixed in...

7.5CVSS0.00625EPSS
Exploits0References13
NVD
NVD
added 4 days ago4 views

CVE-2026-48069

@grpc/grps-js implements the core functionality of gRPC purely in JavaScript, without a C++ addon. Prior to 1.9.16, 1.10.12, 1.11.4, 1.12.7, 1.13.5, and 1.14.4, an invalid incoming compressed message can cause a client or server process that uses @grpc/grpc-js to crash. This issue is fixed in...

7.5CVSS0.00625EPSS
Exploits0References13
CVE
CVE
added 4 days ago144 views

CVE-2026-48069

@grpc/grpc-js (pure JavaScript implementation) is affected by a crash when processing an invalid incoming compressed message. Affected versions: prior to 1.9.16, 1.10.12, 1.11.4, 1.12.7, 1.13.5, and 1.14.4. Fixed in 1.9.16, 1.10.12, 1.11.4, 1.12.7, 1.13.5, and 1.14.4. Remediation: upgrade to the ...

7.5CVSS6.1AI score0.00625EPSS
Exploits0References13
CVE
CVE
added 4 days ago33 views

CVE-2026-48068

The CVE-2026-48068 entry concerns @grpc/grpc-js (Pure JavaScript gRPC implementation). The issue is triggered by an invalid incoming HTTP/2 stream initiation, which can cause the server process created by @grpc/grpc-js to crash. Affected versions are pre-fix: 1.9.16, 1.10.12, 1.11.4, 1.12.7, 1.13...

7.5CVSS6.1AI score0.00625EPSS
Exploits0References13
OSV
OSV
added 4 days ago4 views

CVE-2026-48068 @grpc/grps-js: A malformed request can cause a server crash

@grpc/grps-js implements the core functionality of gRPC purely in JavaScript, without a C++ addon. Prior to 1.9.16, 1.10.12, 1.11.4, 1.12.7, 1.13.5, and 1.14.4, an invalid incoming HTTP/2 stream initiation can cause a server process created using @grpc/grpc-js to crash. This issue is fixed in...

7.5CVSS6.1AI score0.00625EPSS
Exploits0References15
EUVD
EUVD
added 4 days ago5 views

EUVD-2026-43634

In Eclipse KUKSA Databroker version 0.6.1, the kuksa.val.v2.VAL/PublishValue gRPC handler fails to validate the existence of the optional datapoint field in PublishValueRequest. When a request contains a valid signalid but omits datapoint, the server directly calls unwrap on request.datapoint,...

6.5CVSS6.1AI score0.00237EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 4 days ago6 views

CVE-2026-13699

In Eclipse KUKSA Databroker version 0.6.1, the kuksa.val.v2.VAL/PublishValue gRPC handler fails to validate the existence of the optional datapoint field in PublishValueRequest. When a request contains a valid signalid but omits datapoint, the server directly calls unwrap on request.datapoint,...

4.3CVSS6.1AI score0.00237EPSS
Exploits0References2Affected Software1
RedHat Linux
RedHat Linux
added 5 days ago6 views

nginx: NGINX: Arbitrary code execution or Denial of Service via heap-based buffer overflow with crafted HTTP/2 headers

A flaw was found in NGINX. When NGINX is configured to proxy HTTP/2 traffic using the ngxhttpproxyv2module or ngxhttpgrpcmodule with specific settings, a remote, unauthenticated attacker can send specially crafted large headers. This can trigger a heap-based buffer overflow, leading to a restart ...

9.2CVSS7.2AI score0.03552EPSS
Exploits1References5
OSV
OSV
added 2026/07/10 6:43 p.m.6 views

MAL-2026-10165 Malicious code in @injectivelabs/sdk-ts (npm)

@injectivelabs/[email protected] published 2026-07-08 20:59 UTC contains a wallet-credential stealer disguised as "key derivation telemetry". A file packages/sdk-ts/src/utils/key-derivation-telemetry.ts plus a hook added to packages/sdk-ts/src/core/accounts/PrivateKey.ts capture wallet secrets durin...

5.8AI score
Exploits0References9
EUVD
EUVD
added 2026/07/10 12:31 a.m.8 views

EUVD-2026-42723

An Improper Handling of Undefined Parameters vulnerability in the packet forwarding engine pfe of Juniper Networks Junos OS on EX Series devices allows an authenticated attacker with low privileges to cause a Denial-of-Service DoS. If an attempt is made to subscribe to an unsupported telemetry...

7.1CVSS5.9AI score0.00421EPSS
Exploits0References2
OSV
OSV
added 2026/07/09 1:16 p.m.2 views

SUSE-RU-2026:2816-1 Recommended update for python-aioresponses, python-google-api-core, python-google-api-python-client, python-google-auth, python-google-auth-httplib2, python-google-cloud-appengine-logging, python-google-cloud-artifact-registry, python-google-cloud-audit-log, python-google-cloud-build, python-google-cloud-compute, python-google-cloud-core, python-google-cloud-dns, python-google-cloud-domains, python-google-cloud-iam, python-google-cloud-kms, python-google-cloud-kms-inventory, python-google-cloud-logging, python-google-cloud-run, python-google-cloud-secret-manager, python-google-cloud-service-directory, python-google-cloud-spanner, python-google-cloud-storage, python-google-cloud-vpc-access, python-google-crc32c, python-google-resumable-media, python-googleapis-common-protos, python-grpc-google-iam-v1, python-grpc-interceptor, python-mmh3, python-mypy, python-opentelemetry-resourcedetector-gcp, python-poetry-core, python-proto-plus, python-pytest-asyncio, python-syrupy, python-typed-ast, python-uritemplate, python-dnspython, python-trio, python-websocket-client

This update for python-aioresponses, python-google-api-core, python-google-api-python-client, python-google-auth, python-google-auth-httplib2, python-google-cloud-appengine-logging, python-google-cloud-artifact-registry, python-google-cloud-audit-log, python-google-cloud-build,...

7CVSS6.8AI score0.01857EPSS
Exploits1References4
RedHat Linux
RedHat Linux
added 2026/07/09 8:19 a.m.7 views

google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation

A flaw was found in gRPC-Go, the Go language implementation of gRPC. This vulnerability, an authorization bypass, is caused by improper input validation of the HTTP/2 :path pseudo-header. A remote attacker can exploit this by sending raw HTTP/2 frames with a malformed :path that omits the mandato...

9.1CVSS6.6AI score0.01557EPSS
Exploits1References5
NVD
NVD
added 2026/07/08 9:16 p.m.9 views

CVE-2026-59818

etcd is a distributed key-value store for the data of a distributed system. Prior to 3.5.32 and 3.6.13, when etcd is configured with --listen-client-http-urls to split HTTP and gRPC client endpoints onto separate listeners, the --client-crl-file Certificate Revocation List is not enforced on the...

8.1CVSS0.00319EPSS
Exploits0References9
Debian CVE
Debian CVE
added 2026/07/08 9:0 p.m.6 views

CVE-2026-59818

etcd is a distributed key-value store for the data of a distributed system. Prior to 3.5.32 and 3.6.13, when etcd is configured with --listen-client-http-urls to split HTTP and gRPC client endpoints onto separate listeners, the --client-crl-file Certificate Revocation List is not enforced on the...

8.1CVSS6.1AI score0.00319EPSS
Exploits0
CVE
CVE
added 2026/07/08 9:0 p.m.10 views

CVE-2026-59818

CVE-2026-59818 affects etcd (distributed key-value store). Prior to versions 3.5.32 and 3.6.13, when etcd uses separate HTTP and gRPC client listeners, the --client-crl-file CRL is not enforced on the gRPC listener, letting a revoked-certificate client authenticate over gRPC. The issue is fixed i...

8.1CVSS6AI score0.00319EPSS
Exploits0References9Affected Software1
Snyk
Snyk
added 2026/07/08 9:0 p.m.14 views

Improper Certificate Validation

Overview Affected versions of this package are vulnerable to Improper Certificate Validation due to improper enforcement of the Certificate Revocation List on the gRPC listener when separate listeners are configured for HTTP and gRPC client endpoints. An attacker can gain unauthorized access and...

8.5CVSS6.1AI score0.00319EPSS
Exploits0References2
OSV
OSV
added 2026/07/08 9:0 p.m.4 views

CVE-2026-59818 etcd: gRPC client listener does not enforce `--client-crl-file` certificate revocation

etcd is a distributed key-value store for the data of a distributed system. Prior to 3.5.32 and 3.6.13, when etcd is configured with --listen-client-http-urls to split HTTP and gRPC client endpoints onto separate listeners, the --client-crl-file Certificate Revocation List is not enforced on the...

6.5CVSS6.1AI score0.00319EPSS
Exploits0References11
Snyk
Snyk
added 2026/07/08 9:0 p.m.7 views

Improper Certificate Validation

Overview Affected versions of this package are vulnerable to Improper Certificate Validation due to improper enforcement of the Certificate Revocation List on the gRPC listener when separate listeners are configured for HTTP and gRPC client endpoints. An attacker can gain unauthorized access and...

8.5CVSS6.1AI score0.00319EPSS
Exploits0References2
Rows per page
Query Builder