522 matches found
CVE-2026-32828 Kargo: SSRF in Promotion http/http-download Steps Enables Internal Network Access and Data Exfiltration
Kargo manages and automates the promotion of software artifacts. In versions 1.4.0 through 1.6.3, 1.7.0-rc.1 through 1.7.8, 1.8.0-rc.1 through 1.8.11, and 1.9.0-rc.1 through 1.9.4, the http and http-download promotion steps allow Server-Side Request Forgery SSRF against link-local addresses, most...
CVE-2026-27826
MCP Atlassian is a Model Context Protocol MCP server for Atlassian products Confluence and Jira. Prior to version 0.17.0, an unauthenticated attacker who can reach the mcp-atlassian HTTP endpoint can force the server process to make outbound HTTP requests to an arbitrary attacker-controlled URL b...
be.personify.iam:personify-frontend (>=1.5.4.RELEASE <=1.5.7.RELEASE), ch.admin.bit.jeap:jeap-archrepo-instance (>=1.12.0 <=1.14.0) +1376 more potentially affected by CVE-2025-22234 via org.springframework.security:spring-security-core (=6.4.4)
org.springframework.security:spring-security-core MAVEN version =6.4.4 is affected by a known vulnerability. The following packages have a transitive dependency on org.springframework.security:spring-security-core and may be impacted: - be.personify.iam:personify-frontend =1.5.4.RELEASE, =1.12.0,...
CVE-2025-23206
The AWS Cloud Development Kit AWS CDK is an open-source software development framework to define cloud infrastructure in code and provision it through AWS CloudFormation. Users who use IAM OIDC custom resource provider package will download CA Thumbprints as part of the custom resource workflow...
CVE-2024-39669
In the Console in Soffid IAM before 3.5.39, necessary checks were not applied to some Java objects. A malicious agent could possibly execute arbitrary code in the Sync Server and compromise security...
cargo-lambda (>=0.11.0 <=0.12.0), cargo-lambda-deploy (>=0.11.0 <=0.12.0) +1 more potentially affected by unknown CVE via aws-sdk-iam (>=0.14.0 <=0.17.0)
aws-sdk-iam CARGO version =0.14.0, =0.11.0, =0.11.0, =0.12.0 - vaultrs-login =0.1.7 Source cves: unknown CVE Source advisory: OSV:GHSA-G59M-GF8J-GJF5...
RustFS has IAM Incorrect Authorization in ImportIam that Allows Privilege Escalation
Summary The ImportIam admin API validates permissions using ExportIAMAction instead of ImportIAMAction, allowing a principal with export-only IAM permissions to perform import operations. Since importing IAM data performs privileged write actions creating/updating users, groups, policies, and...
GHSA-VCWH-PFF9-64CC RustFS has IAM Incorrect Authorization in ImportIam that Allows Privilege Escalation
Summary The ImportIam admin API validates permissions using ExportIAMAction instead of ImportIAMAction, allowing a principal with export-only IAM permissions to perform import operations. Since importing IAM data performs privileged write actions creating/updating users, groups, policies, and...
CVE-2026-22043 RustFS has IAM deny_only Short-Circuit that Allows Privilege Escalation via Service Account Minting
RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.13 through 1.0.0-alpha.78, a flawed denyonly short-circuit in RustFS IAM allows a restricted service account or STS credential to self-issue an unrestricted service account, inheriting the parent’s full privilege...
CVE-2026-22042
CVE-2026-22042 / RustFS : Prior to 1.0.0-alpha.79, the ImportIam admin API validates permissions with ExportIAMAction instead of ImportIAMAction, allowing a principal with export-only IAM permissions to perform import operations. Importing IAM data can create or modify users, groups, policies, an...
PT-2026-2143
Name of the Vulnerable Software and Affected Versions RustFS versions prior to 1.0.0-alpha.79 Description RustFS is a distributed object storage system built in Rust. The ImportIam API endpoint incorrectly validates permissions using ExportIAMAction instead of ImportIAMAction. This allows a...
CVE-2025-1969
Improper request input validation in Temporary Elevated Access Management TEAM for AWS IAM Identity Center allows a user to modify a valid request and spoof an approval in TEAM. Upgrade TEAM to the latest release v.1.2.2. Follow instructions in updating TEAM documentation for updating process...
PT-2025-51281
Name of the Vulnerable Software and Affected Versions Harmonix on AWS versions 0.3.0 through 0.4.1 Description An overly-permissive IAM trust policy within the Harmonix on AWS framework could allow IAM principals within the same AWS account to escalate privileges through role assumption. The EKS...
CISA Releases 12 Industrial Control Systems Advisories
CISA released 12 Industrial Control Systems ICS Advisories. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. ICSA-25-345-01 Johnson Controls iSTAR ICSA-25-345-02 Johnson Controls iSTAR Ultra ICSA-25-345-03 AzeoTech DAQFactor...
CVE-2025-40800
A vulnerability has been identified in COMOS V10.6 All versions V10.6.1, COMOS V10.6 All versions V10.6.1, NX V2412 All versions V2412.8700, NX V2506 All versions V2506.6000, Simcenter 3D All versions V2506.6000, Simcenter Femap All versions V2506.0002, Solid Edge SE2025 All versions V225.0 Updat...
Siemens IAM Client
SUMMARY Multiple Siemens products are affected by improper certificate validation in IAM Client. This could allow an unauthenticated remote attacker to perform man in the middle attacks. Siemens is preparing fix versions and recommends countermeasures for products where fixes are not, or not yet...
Malicious code in verify-tayic-iam (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector db8d8d038ca79a29b37e92386fdb291ca60ceecdf940ecd3e293a567a0d9889d This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
EUVD-2025-146314
Malicious code in verify-tayic-iam npm...
MAL-2025-170498 Malicious code in verify-tayic-iam (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector db8d8d038ca79a29b37e92386fdb291ca60ceecdf940ecd3e293a567a0d9889d This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-191741 Malicious code in google-cloud-iam-credentials (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 e75faf49c379401db38883bfb490edbc74161e0d52d38f6aac38f6166645133a Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...