255 matches found
CVE-2026-44714
The bitcoinj library is a Java implementation of the Bitcoin protocol. Prior to 0.17.1, ScriptExecution.correctlySpends contains two fast-path verification bugs for standard P2PKH and native P2WPKH spends in core/src/main/java/org/bitcoinj/script/ScriptExecution.java. In both branches, bitcoinj...
CVE-2026-48523 PyJWT: Algorithm allow-list bypass when decoding with `PyJWK` / `PyJWKClient` keys
PyJWT is a JSON Web Token implementation in Python. From 2.9.0 to 2.12.1, there is a verifier-side algorithm allow-list bypass when jwt.decode or jwt.decodecomplete are called with a PyJWK key. The token header alg is checked against the caller-supplied algorithms allow-list, but signature...
PT-2026-43713
Name of the Vulnerable Software and Affected Versions Erlang OTP versions 27.0 through 27.3.4.11 Erlang OTP versions prior to 28.5.0.1 Erlang OTP versions prior to 29.0.1 public key versions 1.16 through 1.17.1.2 public key versions prior to 1.20.3.1 public key versions prior to 1.21.1 Descriptio...
CVE-2026-45361
Apache Airflow providers-google's ComputeEngineSSHHook disables SSH host-key verification by default, exposing SSH traffic between an Airflow worker and a Compute Engine VM to in-path network attackers who can intercept or modify the session. Users are advised to upgrade to...
Key Exchange without Entity Authentication
Overview apache-airflow-providers-google is a Provider for Apache Airflow. Implements apache-airflow-providers-google package Affected versions of this package are vulnerable to Key Exchange without Entity Authentication due to SSH host key verification being disabled by default in the...
CVE-2026-45361
Apache Airflow providers-google's ComputeEngineSSHHook disables SSH host-key verification by default, exposing SSH traffic between an Airflow worker and a Compute Engine VM to in-path network attackers who can intercept or modify the session. Users are advised to upgrade to...
PYSEC-0000-CVE-2026-45361
Apache Airflow providers-google's ComputeEngineSSHHook disables SSH host-key verification by default, exposing SSH traffic between an Airflow worker and a Compute Engine VM to in-path network attackers who can intercept or modify the session. Users are advised to upgrade to...
PYSEC-2026-166
Apache Airflow providers-google's ComputeEngineSSHHook disables SSH host-key verification by default, exposing SSH traffic between an Airflow worker and a Compute Engine VM to in-path network attackers who can intercept or modify the session. Users are advised to upgrade to...
PYSEC-2026-166
Apache Airflow providers-google's ComputeEngineSSHHook disables SSH host-key verification by default, exposing SSH traffic between an Airflow worker and a Compute Engine VM to in-path network attackers who can intercept or modify the session. Users are advised to upgrade to...
EUVD-2026-31659
Apache Airflow providers-google's ComputeEngineSSHHook disables SSH host-key verification by default, exposing SSH traffic between an Airflow worker and a Compute Engine VM to in-path network attackers who can intercept or modify the session. Users are advised to upgrade to...
CVE-2026-45361
Apache Airflow providers-google's ComputeEngineSSHHook disables SSH host-key verification by default, exposing SSH traffic between an Airflow worker and a Compute Engine VM to in-path network attackers who can intercept or modify the session. Users are advised to upgrade to...
CVE-2026-45361 Apache Airflow Google provider: SSH host key verification disabled in ComputeEngineSSHHook (paramiko AutoAddPolicy default)
Apache Airflow providers-google's ComputeEngineSSHHook disables SSH host-key verification by default, exposing SSH traffic between an Airflow worker and a Compute Engine VM to in-path network attackers who can intercept or modify the session. Users are advised to upgrade to...
PT-2026-43023
Name of the Vulnerable Software and Affected Versions apache-airflow-providers-google versions prior to 22.0.0 Description The ComputeEngineSSHHook disables SSH host-key verification by default. This configuration exposes SSH traffic between an Airflow worker and a Compute Engine VM to in-path...
CVE-2026-39829
CVE-2026-39829 affects golang.org/x/crypto/ssh. The vulnerability arises because the RSA/DSA public key parsers did not enforce size limits on key parameters, allowing crafted keys with oversized modulus or DSA parameters to cause prolonged CPU use during signature verification. Affected behavior...
Improper Check for Certificate Revocation
Overview Affected versions of this package are vulnerable to Improper Check for Certificate Revocation in the SignatureKey verification process. An attacker can bypass revocation enforcement by presenting a certificate with a revoked SignatureKey, potentially allowing unauthorized access or trust...
Astra Linux - уязвимость в openssh
A vulnerability was discovered in OpenSSH when the VerifyHostKeyDNS option is enabled. A man-in-the-middle attack can be carried out by a malicious machine pretending to be a legitimate server. This issue arises due to the way OpenSSH handles error codes under certain conditions during the...
GHSA-MXG3-432P-MR72 goshs: SSH host key verification disabled, allowing transparent MITM of every tunnelled HTTP request
Summary The --tunnel / -t flag opens an outbound SSH connection to localhost.run:22 with HostKeyCallback: ssh.InsecureIgnoreHostKey. The Go documentation for that function states verbatim: "It should not be used for production code." With the callback disabled the client accepts any host key the...
goshs: SSH host key verification disabled, allowing transparent MITM of every tunnelled HTTP request
Summary The --tunnel / -t flag opens an outbound SSH connection to localhost.run:22 with HostKeyCallback: ssh.InsecureIgnoreHostKey. The Go documentation for that function states verbatim: "It should not be used for production code." With the callback disabled the client accepts any host key the...
CVE-2026-44714
The bitcoinj library is a Java implementation of the Bitcoin protocol. Prior to 0.17.1, ScriptExecution.correctlySpends contains two fast-path verification bugs for standard P2PKH and native P2WPKH spends in core/src/main/java/org/bitcoinj/script/ScriptExecution.java. In both branches, bitcoinj...
CVE-2026-44467
The Claude Desktop app gives you Claude Code with a graphical interface built for running multiple sessions side by side. From 1.2581.0 to before 1.4304.0, Claude Desktop's SSH remote development feature verified only whether a hostname existed in /.ssh/knownhosts without comparing the server's...