2451037 matches found
Important: Red Hat Security Advisory: Red Hat Edge Manager Version 1.0.3 Security Update
Red Hat Edge Manager Version 1.0.3 Security Update Red Hat Edge Manager RHEM provides simple, scalable, and security-focused management of edge devices and applications. It supports image-mode RHEL and container workloads that run on Podman/Docker or Kubernetes. RHEM is now available as a...
golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses
A flaw was found in golang.org/x/crypto/ssh. A remote malicious SSH peer can exploit this by sending unsolicited global request responses, which fills an internal buffer and blocks the connection's read loop. This prevents the associated resources from being released, leading to a resource leak p...
google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation
A flaw was found in gRPC-Go, the Go language implementation of gRPC. This vulnerability, an authorization bypass, is caused by improper input validation of the HTTP/2 :path pseudo-header. A remote attacker can exploit this by sending raw HTTP/2 frames with a malformed :path that omits the mandato...
github.com/prometheus/prometheus: Prometheus: Information disclosure of Azure OAuth client secret via config API
A flaw was found in Prometheus, an open-source monitoring system. The clientsecret field within the Azure Active Directory AD remote write OAuth configuration was incorrectly handled as a plain string instead of a secure Secret type. This misconfiguration allowed any user or process with access t...
CVE-2026-59882 guzzlehttp/psr7: Host Confusion via Weak URI Host Validation
guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Prior to 2.12.3, Uri::assertValidHost does not reject URI host components containing authority delimiters, embedded ports, or malformed IPv6 brackets, allowing Uri::getHost to disagree with the URI authority used for security ...
CVE-2026-59882
guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Prior to 2.12.3, Uri::assertValidHost does not reject URI host components containing authority delimiters, embedded ports, or malformed IPv6 brackets, allowing Uri::getHost to disagree with the URI authority used for security ...
CVE-2026-59882 guzzlehttp/psr7: Host Confusion via Weak URI Host Validation
guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Prior to 2.12.3, Uri::assertValidHost does not reject URI host components containing authority delimiters, embedded ports, or malformed IPv6 brackets, allowing Uri::getHost to disagree with the URI authority used for security ...
EUVD-2026-42319
guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Prior to 2.12.3, Uri::assertValidHost does not reject URI host components containing authority delimiters, embedded ports, or malformed IPv6 brackets, allowing Uri::getHost to disagree with the URI authority used for security ...
CVE-2026-59882
The CVE affects guzzlehttp/psr7 (PSR-7 HTTP message library for PHP). Prior to version 2.12.3, Uri::assertValidHost() fails to reject authority delimiters, embedded ports, or malformed IPv6 brackets in host components, causing Uri::getHost() to disagree with the URI authority used for security or...
CVE-2026-59725 Socket.IO: Engine.IO Polling Transport Connection Exhaustion
Socket.IO enables bidirectional and low-latency communication for every platform. From 4.1.0 before 6.6.7, Engine.IO protocol v4 polling transport does not properly close the HTTP response for invalid binary POST requests with Content-Type: application/octet-stream, allowing an unauthenticated...
CVE-2026-59725
Socket.IO enables bidirectional and low-latency communication for every platform. From 4.1.0 before 6.6.7, Engine.IO protocol v4 polling transport does not properly close the HTTP response for invalid binary POST requests with Content-Type: application/octet-stream, allowing an unauthenticated...
CVE-2026-59725 Socket.IO: Engine.IO Polling Transport Connection Exhaustion
Socket.IO enables bidirectional and low-latency communication for every platform. From 4.1.0 before 6.6.7, Engine.IO protocol v4 polling transport does not properly close the HTTP response for invalid binary POST requests with Content-Type: application/octet-stream, allowing an unauthenticated...
EUVD-2026-42313
Socket.IO enables bidirectional and low-latency communication for every platform. From 4.1.0 before 6.6.7, Engine.IO protocol v4 polling transport does not properly close the HTTP response for invalid binary POST requests with Content-Type: application/octet-stream, allowing an unauthenticated...
CVE-2026-59725
CVE-2026-59725 affects Socket.IO’s Engine.IO polling transport (versions 4.1.0–6.6.6). The root cause is that invalid binary POST requests with Content-Type: application/octet-stream are not properly closing the HTTP response, enabling unauthenticated attackers to exhaust server-side connections ...
Exploit for Integer Overflow or Wraparound in Haproxy
CVE-2021-40346 — HAProxy Integer Overflow leading to HTTP Requ...
CVE-2026-54652
Frigate is an open source network video recorder. In version 0.17.1, the GET /api/logs/service endpoint allows any authenticated user including the viewer role to download Frigate and nginx logs, exposing auto-generated admin passwords and camera credentials logged in request query strings and...
CVE-2026-10708
This vulnerability enables large‑scale data harvesting without requiring app‑specific secrets. A single request to a minimal leaderboard component may return user records containing emails, UUIDs, and custom fields. The combination of wildcard CORS behavior, long‑lived twenty‑day JWTs, and the...
CVE-2026-54344 ToolJet GitHub Actions comment body shell injection exposes deployment secrets
ToolJet is an open-source low-code platform for building internal tools. Prior to 3.20.180, ToolJet's render preview deployment workflow interpolates github.event.comment.body directly into a bash conditional in a run step, allowing any GitHub user who can comment on an open pull request with a...
CVE-2026-54344
CVE-2026-54344 affects ToolJet prior to version 3.20.180. The render preview deployment workflow interpolates github.event.comment.body directly into a bash conditional in a run step, enabling any GitHub user who can comment on an open PR with a deploy command to execute shell commands on the CI ...
CVE-2026-54344
ToolJet is an open-source low-code platform for building internal tools. Prior to 3.20.180, ToolJet's render preview deployment workflow interpolates github.event.comment.body directly into a bash conditional in a run step, allowing any GitHub user who can comment on an open pull request with a...