Anyscale Ray 2.6.3 and 2.8.0 - Server-Side Request Forgery

The Ray Dashboard API is affected by a Server-Side Request Forgery SSRF vulnerability in the url parameter of the /logproxy API endpoint. The API does not perform sufficient input validation within the affected parameter and any HTTP or HTTPS URLs are accepted as valid. id: CVE-2023-48023 info:...

CVE-2026-41178 vulnerabilities

Vulnerabilities for packages: cadvisor-fips, gitlab-runner-fips, kubernetes-csi-external-snapshotter, beats-fips, kubescape-operator-fips, gitlab-cng-fips, terraform-provider-databricks, cerbos-fips, datadog-agent-fips, boring-registry-fips, kubescape, argo-workflows-fips, linkerd2-fips, zot,...

CVE-2026-56342

AVideo through version 27.0 contains a server-side request forgery vulnerability in plugin/Live/test.php that allows authenticated administrators to read arbitrary URLs via the statsURL parameter, which lacks isSSRFSafeURL validation and accepts requests to private IP ranges and cloud metadata...

CVE-2026-50083 Aqara hardcoded OAuth client credentials

The Aqara IAM/SSO Gateway gw-builder.aqara.com used a hardcoded OAuth client credential, which is an instance of "CWE-798: Use of Hard-coded Credentials." This issue has an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N 9.1 Critical. When combined with CVE-2026-50082, CVE-50084, a...

PT-2026-48910

Name of the Vulnerable Software and Affected Versions Aqara IAM/SSO gateway affected versions not specified Description The IAM/SSO gateway at 'gw-builder.aqara.com' exposes an unauthenticated AES oracle, allowing bidirectional AES round-trips against the platform's signing key. This occurs due t...

PT-2026-48911

Name of the Vulnerable Software and Affected Versions Aqara IAM/SSO gateway affected versions not specified Description The Aqara IAM/SSO gateway at 'gw-builder.aqara.com' contains a cross-origin resource sharing issue. This is a permissive cross-domain policy with untrusted domains, which allows...

PT-2026-48474

Affected: @hulumi/policies 1.4.0 — Fixed in: 1.4.0 — Severity: High — CWE-697 Incorrect Comparison Summary AWS IAM trust policies can list more than one federated identity provider — for example, a role that accepts BOTH GitHub Actions OIDC and Google's OIDC. The G OIDC 1 and G OIDC 2 policy rule...

CVE-2026-49120

Medplum before 5.1.14 contains a server-side request forgery vulnerability in the subscription worker that allows authenticated users to perform unauthorized internal network requests by creating FHIR Subscription resources with arbitrary endpoint URLs. Attackers can point subscription endpoints ...

Shrinking the IAM Attack Surface through Identity Visibility and Intelligence Platforms (IVIP)

The Fragmented State of Modern Enterprise Identity Enterprise IAM is approaching a breaking point. As organizations scale, identity becomes increasingly fragmented across thousands of applications, decentralized teams, machine identities, and autonomous systems. The result is Identity Dark Matter...

CVE-2026-45043

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, improper validation in the PUT /rustfs/admin/v3/import-iam endpoint allows a user with ImportIAMAction to create service accounts under arbitrary parent identities, including the root user minioadmin. The endpoint...

YAMCS yamcs-core 5.12.7 - User Enumeration

Exploit Title: YAMCS yamcs-core 1 else "http://localhost:8090" username = sys.argv2 if lensys.argv 2 else "testuser" password = sys.argv3 if lensys.argv 3 else "test" base = target.rstrip"/" print"=" 65 print" CVE-2026-44595 — YAMCS IAM User Enumeration PoC" printf" Target: target" printf"...

CVE-2026-45043

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, improper validation in the PUT /rustfs/admin/v3/import-iam endpoint allows a user with ImportIAMAction to create service accounts under arbitrary parent identities, including the root user minioadmin. The endpoint...

EUVD-2026-33285

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, improper validation in the PUT /rustfs/admin/v3/import-iam endpoint allows a user with ImportIAMAction to create service accounts under arbitrary parent identities, including the root user minioadmin. The endpoint...

PT-2026-44998

Name of the Vulnerable Software and Affected Versions ExtremeCloud IQ affected versions not specified Description A race condition in the shared Extreme Platform ONE IAM Gateway API-key authentication path can intermittently allow requests authenticated with an Extreme Platform ONE /IAM-issued AP...

PT-2026-44825

Name of the Vulnerable Software and Affected Versions RustFS versions prior to 1.0.0-beta.2 Description Improper validation in the 'PUT /rustfs/admin/v3/import-iam' endpoint allows a user with ImportIAMAction to create service accounts under arbitrary parent identities, including the root user...

Yamcs vulnerable to unauthorized user enumeration via IAM API endpoints

Summary The IAM API endpoints listUsers, getUser, listGroups, and getGroup in yamcs-core do not enforce the required SystemPrivilege.ControlAccess check. As a result, any authenticated user even those with low or no privileges can enumerate all user accounts in the system, including their...

PT-2026-43455

Summary The IAM API endpoints listUsers, getUser, listGroups, and getGroup in yamcs-core do not enforce the required SystemPrivilege.ControlAccess check. As a result, any authenticated user even those with low or no privileges can enumerate all user accounts in the system, including their...

PT-2026-41172

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.9.0 Description A Server-Side Request Forgery SSRF bypass exists in the validate url function located in backend/open webui/retrieval/web/utils.py. The function calls validators.ipv6ip, private=True, but because...

GHSA-FQVV-JVHR-G5JC FireFighter has unauthenticated SSRF in its Raid jira_bot endpoint that allows IAM credential theft

Impact The POST /api/v2/firefighter/raid/jirabot endpoint CreateJiraBotView is reachable without authentication permissionclasses = permissions.AllowAny. Its attachments payload is fetched server-side via httpx.get with no URL validation, then uploaded as an attachment on the Jira ticket that get...

PT-2026-36669

Name of the Vulnerable Software and Affected Versions Apache Polaris version 1.4.0 Description Apache Polaris allows the use of literal characters in namespace and table names. These characters are reused unescaped in S3 IAM resource patterns and s3:prefix conditions when building temporary S3...