47486 matches found
PT-2026-36084
Name of the Vulnerable Software and Affected Versions apache-airflow-providers-smtp affected versions not specified Description The SmtpHook component in the SMTP provider calls the Python function smtplib.SMTP.starttls without an SSL context. This omission prevents certificate validation during...
MINI-W3HX-QM5F-F3CV
Bulletin has no description...
netfoil's optional seccomp sandboxing was not applied
Summary The optional flag --filter-system-calls was not applied even if specified. Details This is a defense in depth feature to apply additional seccomp filters after the binary has started. The example config also sandboxes the binary with systemd. Impact Reduced sandboxing of the netfoil binar...
Improper Certificate Validation
Overview ckan is a world’s leading Open Source data portal platform. It powers dozens of Open Data portals around the world, including data.gov, open.canada.ca and europeandataportal.eu but also regional, research and community organizations. It makes easy to publish, share and find data online a...
CKAN has no certificate validation on STMP connection
Impact Configured SMTP server may be spoofed with any certificate e.g. self-signed, leaving credentials and all emails sent open to MITM attacks. Patches The vulnerability has been patched in CKAN 2.10.10 and CKAN 2.11.5...
GHSA-MPFM-FPGX-647Q CKAN has no certificate validation on STMP connection
Impact Configured SMTP server may be spoofed with any certificate e.g. self-signed, leaving credentials and all emails sent open to MITM attacks. Patches The vulnerability has been patched in CKAN 2.10.10 and CKAN 2.11.5...
GHSA-55M9-299J-53C7 OneCollector exporter reads unbounded HTTP response bodies
Summary When exporting telemetry to a back-end/collector over HTTP using the OpenTelemetry.Exporter.OneCollector exporter, if the request results in a unsuccessful request i.e. HTTP 4xx or 5xx, the response is read into memory with no upper-bound on the number of bytes consumed. This could cause...
OneCollector exporter reads unbounded HTTP response bodies
Summary When exporting telemetry to a back-end/collector over HTTP using the OpenTelemetry.Exporter.OneCollector exporter, if the request results in a unsuccessful request i.e. HTTP 4xx or 5xx, the response is read into memory with no upper-bound on the number of bytes consumed. This could cause...
OpenTelemetry.Resources.Azure has an unbounded HTTP response body read
Summary OpenTelemetry.Resources.Azure reads unbounded HTTP response bodies from the Azure VM remote instance metadata service endpoint into memory. This would allow an attacker-controlled endpoint or one acting as a Man-in-the-Middle MitM to cause excessive memory allocation and possible process...
CVE-2026-28221 Wazuh: Pre-auth stack-based buffer overflow in wazuh-remoted print_hex_string() due to signed char promotion on x86_64
Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.8.0 to before version 4.14.4, a stack-based buffer overflow exists in printhexstring in wazuh-remoted. The bug is triggered when formatting attacker-controlled bytes using sprintfdstbuf +...
CVE-2026-42520
Jenkins Credentials Binding Plugin 719.v80e905ef14eb and earlier does not sanitize file names for file and zip file credentials, allowing attackers able to provide credentials to a job to write files to arbitrary locations on the node filesystem, which can lead to remote code execution if Jenkins...
CVE-2026-42520
Jenkins Credentials Binding Plugin 719.v80e905ef14eb and earlier does not sanitize file names for file and zip file credentials, allowing attackers able to provide credentials to a job to write files to arbitrary locations on the node filesystem, which can lead to remote code execution if Jenkins...
CVE-2026-42520
Jenkins Credentials Binding Plugin 719.v80e905ef14eb and earlier does not sanitize file names for file and zip file credentials, allowing attackers able to provide credentials to a job to write files to arbitrary locations on the node filesystem, which can lead to remote code execution if Jenkins...
MAL-2026-3182 Malicious code in redeem-onchain-sdk (npm)
redeem-onchain-sdk is a malicious npm package impersonating a Polymarket on-chain SDK. It collects SSH keys, AWS credentials, .npmrc tokens, Docker auth, Chrome saved logins, .env files, and a month of git commit history, then ships everything over a raw TCP socket to an AWS-hosted C2. Two trigge...
US-Estonian Suspect Arrested Over Alleged Scattered Spider Cyberattacks
US-Estonian suspect Peter Stokes arrested in Finland over alleged ties to Scattered Spider, facing US charges for cyberattacks, fraud, and data breaches...
Improper Hostname Verification
Spring Boot is vulnerable to improper hostname verification. The vulnerability is due to missing hostname verification in SSL bundle configuration, which allows an attacker to perform man-in-the-middle attacks by impersonating the RabbitMQ broker...
Malicious code in amazon-boto (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 649bb559f3078565515a9fee16dbe78e0d1b5575943cbaf020135f8e70e2f17d When using the package, the given AWS credentials are silently exfiltrated to a hardcoded location. This incarnation of the long-running campaign was first...
PT-2026-35914
Name of the Vulnerable Software and Affected Versions Jenkins Credentials Binding Plugin versions prior to 719.v80e905ef14eb Description Insufficient sanitization of file names for file and zip file credentials allows attackers who can provide credentials to a job to write files to arbitrary...
PT-2026-37115
Name of the Vulnerable Software and Affected Versions OpenTelemetry.Resources.Azure versions prior to 1.15.0-beta.2 Description The AzureVmMetaDataRequestor function makes HTTP requests to the Azure VM instance metadata service and reads the response body into memory without a size limit. An...
Improper Validation of Specified Quantity in Input
Overview Affected versions of this package are vulnerable to Improper Validation of Specified Quantity in Input due to improper handling of oversized Subject Alternative Name fields during certificate validation. An attacker can bypass certificate validation by crafting a certificate with an...