Lucene search
+L

522 matches found

Cvelist
Cvelist
added 2026/03/20 12:39 a.m.24 views

CVE-2026-32828 Kargo: SSRF in Promotion http/http-download Steps Enables Internal Network Access and Data Exfiltration

Kargo manages and automates the promotion of software artifacts. In versions 1.4.0 through 1.6.3, 1.7.0-rc.1 through 1.7.8, 1.8.0-rc.1 through 1.8.11, and 1.9.0-rc.1 through 1.9.4, the http and http-download promotion steps allow Server-Side Request Forgery SSRF against link-local addresses, most...

5.1CVSS0.00328EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/03/10 6:46 p.m.5 views

CVE-2026-27826

MCP Atlassian is a Model Context Protocol MCP server for Atlassian products Confluence and Jira. Prior to version 0.17.0, an unauthenticated attacker who can reach the mcp-atlassian HTTP endpoint can force the server process to make outbound HTTP requests to an arbitrary attacker-controlled URL b...

8.2CVSS5.9AI score0.14958EPSS
Exploits1References3Affected Software1
vulnersOsv
vulnersOsv
added 2026/01/22 9:33 p.m.10 views

be.personify.iam:personify-frontend (>=1.5.4.RELEASE <=1.5.7.RELEASE), ch.admin.bit.jeap:jeap-archrepo-instance (>=1.12.0 <=1.14.0) +1376 more potentially affected by CVE-2025-22234 via org.springframework.security:spring-security-core (=6.4.4)

org.springframework.security:spring-security-core MAVEN version =6.4.4 is affected by a known vulnerability. The following packages have a transitive dependency on org.springframework.security:spring-security-core and may be impacted: - be.personify.iam:personify-frontend =1.5.4.RELEASE, =1.12.0,...

5.3CVSS6AI score0.00402EPSS
Exploits0
RedhatCVE
RedhatCVE
added 2026/01/09 10:58 a.m.6 views

CVE-2025-23206

The AWS Cloud Development Kit AWS CDK is an open-source software development framework to define cloud infrastructure in code and provision it through AWS CloudFormation. Users who use IAM OIDC custom resource provider package will download CA Thumbprints as part of the custom resource workflow...

8.1CVSS6.9AI score0.00312EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/01/09 9:33 a.m.10 views

CVE-2024-39669

In the Console in Soffid IAM before 3.5.39, necessary checks were not applied to some Java objects. A malicious agent could possibly execute arbitrary code in the Sync Server and compromise security...

9.8CVSS7.8AI score0.00767EPSS
Exploits0References1
vulnersOsv
vulnersOsv
added 2026/01/08 9:46 p.m.4 views

cargo-lambda (>=0.11.0 <=0.12.0), cargo-lambda-deploy (>=0.11.0 <=0.12.0) +1 more potentially affected by unknown CVE via aws-sdk-iam (>=0.14.0 <=0.17.0)

aws-sdk-iam CARGO version =0.14.0, =0.11.0, =0.11.0, =0.12.0 - vaultrs-login =0.1.7 Source cves: unknown CVE Source advisory: OSV:GHSA-G59M-GF8J-GJF5...

5.8AI score
Exploits0
Github Security Blog
Github Security Blog
added 2026/01/08 8:36 p.m.15 views

RustFS has IAM Incorrect Authorization in ImportIam that Allows Privilege Escalation

Summary The ImportIam admin API validates permissions using ExportIAMAction instead of ImportIAMAction, allowing a principal with export-only IAM permissions to perform import operations. Since importing IAM data performs privileged write actions creating/updating users, groups, policies, and...

8.8CVSS7.1AI score0.00392EPSS
Exploits1References3Affected Software1
OSV
OSV
added 2026/01/08 8:36 p.m.6 views

GHSA-VCWH-PFF9-64CC RustFS has IAM Incorrect Authorization in ImportIam that Allows Privilege Escalation

Summary The ImportIam admin API validates permissions using ExportIAMAction instead of ImportIAMAction, allowing a principal with export-only IAM permissions to perform import operations. Since importing IAM data performs privileged write actions creating/updating users, groups, policies, and...

7.1CVSS5.8AI score0.00392EPSS
Exploits1References3
Vulnrichment
Vulnrichment
added 2026/01/08 3:3 p.m.37 views

CVE-2026-22043 RustFS has IAM deny_only Short-Circuit that Allows Privilege Escalation via Service Account Minting

RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.13 through 1.0.0-alpha.78, a flawed denyonly short-circuit in RustFS IAM allows a restricted service account or STS credential to self-issue an unrestricted service account, inheriting the parent’s full privilege...

7.1CVSS6.8AI score0.00378EPSS
Exploits1References1
CVE
CVE
added 2026/01/08 2:58 p.m.23 views

CVE-2026-22042

CVE-2026-22042 / RustFS : Prior to 1.0.0-alpha.79, the ImportIam admin API validates permissions with ExportIAMAction instead of ImportIAMAction, allowing a principal with export-only IAM permissions to perform import operations. Importing IAM data can create or modify users, groups, policies, an...

8.8CVSS6.5AI score0.00392EPSS
Exploits1References1Affected Software1
Positive Technologies
Positive Technologies
added 2026/01/08 12:0 a.m.13 views

PT-2026-2143

Name of the Vulnerable Software and Affected Versions RustFS versions prior to 1.0.0-alpha.79 Description RustFS is a distributed object storage system built in Rust. The ImportIam API endpoint incorrectly validates permissions using ExportIAMAction instead of ImportIAMAction. This allows a...

7.1CVSS6.7AI score0.00392EPSS
Exploits1References4
RedhatCVE
RedhatCVE
added 2026/01/07 9:17 a.m.11 views

CVE-2025-1969

Improper request input validation in Temporary Elevated Access Management TEAM for AWS IAM Identity Center allows a user to modify a valid request and spoof an approval in TEAM. Upgrade TEAM to the latest release v.1.2.2. Follow instructions in updating TEAM documentation for updating process...

5.3CVSS7AI score0.00308EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2025/12/15 12:0 a.m.12 views

PT-2025-51281

Name of the Vulnerable Software and Affected Versions Harmonix on AWS versions 0.3.0 through 0.4.1 Description An overly-permissive IAM trust policy within the Harmonix on AWS framework could allow IAM principals within the same AWS account to escalate privileges through role assumption. The EKS...

8.6CVSS7.2AI score0.00447EPSS
Exploits0References7
CISA
CISA
added 2025/12/11 12:0 p.m.15 views

CISA Releases 12 Industrial Control Systems Advisories

CISA released 12 Industrial Control Systems ICS Advisories. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. ICSA-25-345-01 Johnson Controls iSTAR ICSA-25-345-02 Johnson Controls iSTAR Ultra ICSA-25-345-03 AzeoTech DAQFactor...

6.7AI score
Exploits0References12
Cvelist
Cvelist
added 2025/12/09 10:44 a.m.27 views

CVE-2025-40800

A vulnerability has been identified in COMOS V10.6 All versions V10.6.1, COMOS V10.6 All versions V10.6.1, NX V2412 All versions V2412.8700, NX V2506 All versions V2506.6000, Simcenter 3D All versions V2506.6000, Simcenter Femap All versions V2506.0002, Solid Edge SE2025 All versions V225.0 Updat...

9.1CVSS0.00188EPSS
Exploits0References2
ICS
ICS
added 2025/12/09 12:0 a.m.12 views

Siemens IAM Client

SUMMARY Multiple Siemens products are affected by improper certificate validation in IAM Client. This could allow an unauthenticated remote attacker to perform man in the middle attacks. Siemens is preparing fix versions and recommends countermeasures for products where fixes are not, or not yet...

9.1CVSS6.7AI score0.00188EPSS
Exploits0References10
OSSF Malicious Packages
OSSF Malicious Packages
added 2025/11/12 4:47 p.m.8 views

Malicious code in verify-tayic-iam (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector db8d8d038ca79a29b37e92386fdb291ca60ceecdf940ecd3e293a567a0d9889d This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.9AI score
Exploits0
EUVD
EUVD
added 2025/11/12 4:47 p.m.4 views

EUVD-2025-146314

Malicious code in verify-tayic-iam npm...

6.6AI score
Exploits0
OSV
OSV
added 2025/11/12 4:47 p.m.5 views

MAL-2025-170498 Malicious code in verify-tayic-iam (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector db8d8d038ca79a29b37e92386fdb291ca60ceecdf940ecd3e293a567a0d9889d This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.8AI score
Exploits0
OSV
OSV
added 2025/11/12 4:6 p.m.5 views

MAL-2025-191741 Malicious code in google-cloud-iam-credentials (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 e75faf49c379401db38883bfb490edbc74161e0d52d38f6aac38f6166645133a Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...

7.2AI score
Exploits0References1
Rows per page
Query Builder