76 matches found
CVE-2026-50562 FastGPT: Untrusted PR artifacts are pushed and deployed by privileged preview workflows
FastGPT is a knowledge-based AI application platform. At commit 22ebfacbb43311e9b73294040ae0eb87390c6bba and earlier, artifacts built from untrusted pull request code in .github/workflows/preview-docs-build.yml and .github/workflows/preview-fastgpt-build.yml can be downloaded by privileged...
Malicious code in date-fns-lite (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4694a079d83e33dcee7f87140c41737009d9f0b19f351c23f2ae3dbce9a47a51 [email protected] presents as a lightweight date-formatting utility but ships a malicious postinstall.js that runs automatically on npm install. T...
CVE-2026-6720
When calicoctl is invoked with --log-level=info or --log-level=debug, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embeds every credential calicoctl uses to talk to the cluster — inline kubeconfig with bearer token,...
CVE-2026-6720
When calicoctl is invoked with --log-level=info or --log-level=debug, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embeds every credential calicoctl uses to talk to the cluster — inline kubeconfig with bearer token,...
CVE-2026-6720
Calico component calicoctl is affected. When run with --log-level=info or --log-level=debug, it prints the full contents of its loaded connection-configuration struct to stderr in a single log line, exposing credentials (inline kubeconfig with bearer token, Kubernetes API bearer token, etcd passw...
EUVD-2026-32932
When calicoctl is invoked with --log-level=info or --log-level=debug, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embeds every credential calicoctl uses to talk to the cluster — inline kubeconfig with bearer token,...
CVE-2026-6720
When calicoctl is invoked with --log-level=info or --log-level=debug, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embeds every credential calicoctl uses to talk to the cluster — inline kubeconfig with bearer token,...
CVE-2026-6720 Calicoctl leaks cluster credentials to stderr when verbose logging is enabled
When calicoctl is invoked with --log-level=info or --log-level=debug, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embeds every credential calicoctl uses to talk to the cluster — inline kubeconfig with bearer token,...
CVE-2026-6720 Calicoctl leaks cluster credentials to stderr when verbose logging is enabled
When calicoctl is invoked with --log-level=info or --log-level=debug, the client prints the full contents of its loaded connection-configuration struct to stderr in a single log line. The struct embeds every credential calicoctl uses to talk to the cluster — inline kubeconfig with bearer token,...
CVE-2026-7163
A vulnerability in the assisted-service REST API, an optional Assisted Installer assisted-service component in the Multicluster Engine MCE, allows an authenticated user with minimal namespace-scoped privileges to obtain administrative credentials for arbitrary clusters provisioned through the hub...
CVE-2026-7163
A vulnerability in the assisted-service REST API, an optional Assisted Installer assisted-service component in the Multicluster Engine MCE, allows an authenticated user with minimal namespace-scoped privileges to obtain administrative credentials for arbitrary clusters provisioned through the hub...
CVE-2026-7163
A vulnerability in the assisted-service REST API, an optional Assisted Installer assisted-service component in the Multicluster Engine MCE, allows an authenticated user with minimal namespace-scoped privileges to obtain administrative credentials for arbitrary clusters provisioned through the hub...
CVE-2026-7163
CVE-2026-7163 affects the Assisted-service REST API in the Multicluster Engine (MCE) used with Red Hat ACM/MCE on-prem deployments. An authenticated user with minimal namespace privileges can obtain administrative credentials (the kubeadmin password) and kubeconfig for any cluster provisioned thr...
EUVD-2026-26374
A vulnerability in the assisted-service REST API, an optional Assisted Installer assisted-service component in the Multicluster Engine MCE, allows an authenticated user with minimal namespace-scoped privileges to obtain administrative credentials for arbitrary clusters provisioned through the hub...
CVE-2026-7163 Assisted-service: assisted-service: authenticated users can gain administrative access to openshift clusters via credential disclosure
A vulnerability in the assisted-service REST API, an optional Assisted Installer assisted-service component in the Multicluster Engine MCE, allows an authenticated user with minimal namespace-scoped privileges to obtain administrative credentials for arbitrary clusters provisioned through the hub...
PT-2026-36097
Name of the Vulnerable Software and Affected Versions Multicluster Engine affected versions not specified Red Hat Advanced Cluster Management affected versions not specified Description A flaw in the assisted-service REST API, an optional Assisted Installer component in the Multicluster Engine,...
BIT-FLUX-2022-24817 Improper kubeconfig validation allows arbitrary code execution
Flux2 is an open and extensible continuous delivery solution for Kubernetes. Flux2 versions between 0.1.0 and 0.29.0, helm-controller 0.1.0 to v0.19.0, and kustomize-controller 0.1.0 to v0.23.0 are vulnerable to Code Injection via malicious Kubeconfig. In multi-tenancy deployments this can also...
EUVD-2020-23181
Malware in sbrugna...
EUVD-2021-1164
Malware in sbrugna...
EUVD-2022-5436
Malicious code in bioql PyPI...