
188 matches found

Nuclei
added yesterday, 6 views

Uptime-Kuma < v1.23.0 - Improper Access Control

Uptime-Kuma before v1.23.0 is vulnerable to an information disclosure issue due to missing authorization on the /api/badge/1/ping/24 endpoint. An unauthenticated attacker can access this endpoint to leak ping statistics, such as average ping and ping history, for existing monitors without needing...

CVSS 5.3, AI score 5.8, EPSS 0.00425
Exploits 1, References 2
NVD
added 2026/05/28 6:16 p.m., 7 views

CVE-2026-45021

Kuma is a modern Envoy-based service mesh that can run on every cloud across both Kubernetes and VMs. Prior to 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5, the default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is...

CVSS 5.1, EPSS 0.00028
Exploits 0, References 8
EUVD
added 2026/05/28 5:45 p.m., 4 views

EUVD-2026-32966

Kuma is a modern Envoy-based service mesh that can run on every cloud across both Kubernetes and VMs. Prior to 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5, the default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is...

CVSS 5.1, AI score 5.8, EPSS 0.00028
Exploits 0, References 8
ATTACKERKB
added 2026/05/28 5:45 p.m., 5 views

CVE-2026-45021

Kuma is a modern Envoy-based service mesh that can run on every cloud across both Kubernetes and VMs. Prior to 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5, the default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is...

CVSS 5.1, AI score 5.8, EPSS 0.00028
Exploits 0, References 9, Affected Software 1
Vulnrichment
added 2026/05/28 5:45 p.m., 4 views

CVE-2026-45021 Kuma: Default kuma-cp leaks admin token cross-origin via CORS wildcard + LocalhostIsAdmin

Kuma is a modern Envoy-based service mesh that can run on every cloud across both Kubernetes and VMs. Prior to 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5, the default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is...

CVSS 5.1, AI score 5.8, EPSS 0.00028
Exploits 0, References 8
CVE
added 2026/05/28 5:45 p.m., 12 views

CVE-2026-45021

Kuma CVE-2026-45021 describes a cross-origin exposure in the default kuma-cp config where CorsAllowedDomains: "." and LocalhostIsAdmin: true enable a browser-based attacker to fetch admin credentials from the control plane. Before versions 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5, a malicious...

CVSS 5.1, AI score 5.8, EPSS 0.00028
Exploits 0, References 8
Cvelist
added 2026/05/28 5:45 p.m., 31 views

CVE-2026-45021 Kuma: Default kuma-cp leaks admin token cross-origin via CORS wildcard + LocalhostIsAdmin

Kuma is a modern Envoy-based service mesh that can run on every cloud across both Kubernetes and VMs. Prior to 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5, the default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is...

CVSS 5.1, EPSS 0.00028
Exploits 0, References 8
CNNVD
added 2026/05/28 12:00 a.m., 5 views

Kuma security vulnerability

Kuma is a modern service mesh developed by Kuma OpenSource, based on Envoy. It can be run on Kubernetes and VMs, with single- or multi-zone capabilities, across various clouds. There were security vulnerabilities in versions of Kuma before 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5. These...

CVSS 5.1, AI score 5.8, EPSS 0.00028
Exploits 0, References 8
Github Security Blog
added 2026/05/14 8:15 p.m., 3 views

Default kuma-cp leaks admin token cross-origin via CORS wildcard + LocalhostIsAdmin

Summary Default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is reachable from their browser. CorsAllowedDomains: "." reflects any Origin, and LocalhostIsAdmin: true promotes requests from 127.0.0.1 to mesh-system:admin...

CVSS 5.1, AI score 5.8, EPSS 0.00028
Exploits 0, References 9, Affected Software 1
OSV
added 2026/05/14 8:15 p.m., 2 views

GHSA-3VCP-CHFH-F6R2 Default kuma-cp leaks admin token cross-origin via CORS wildcard + LocalhostIsAdmin

Summary Default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is reachable from their browser. CorsAllowedDomains: "." reflects any Origin, and LocalhostIsAdmin: true promotes requests from 127.0.0.1 to mesh-system:admin...

CVSS 5.1, AI score 5.8, EPSS 0.00028
Exploits 0, References 9
Wolfi
added 2026/04/11 2:41 p.m., 4 views

CVE-2026-35205 vulnerabilities

Vulnerabilities for packages: kuma, kots, cert-manager-cmctl, rancher-fleet, flux-source-controller, flux, cilium-cli, zarf, helm-push...

CVSS 8.4, AI score 5.8, EPSS 0.00019
Exploits 0
Wolfi
added 2026/04/11 2:41 p.m., 4 views

GHSA-VMX8-MQV2-9GMG vulnerabilities

Vulnerabilities for packages: kuma, kots, cert-manager-cmctl, rancher-fleet, flux-source-controller, flux, cilium-cli, zarf, helm-push...

AI score 5.8
Exploits 0
Wolfi
added 2026/04/11 2:41 p.m., 4 views

CVE-2026-35204 vulnerabilities

Vulnerabilities for packages: kuma, kots, cert-manager-cmctl, rancher-fleet, flux-source-controller, flux, cilium-cli, zarf, helm-push...

CVSS 8.6, AI score 5.8, EPSS 0.00018
Exploits 0
Wolfi
added 2026/04/11 2:41 p.m., 5 views

GHSA-Q5JF-9VFQ-H4H7 vulnerabilities

Vulnerabilities for packages: kuma, kots, cert-manager-cmctl, rancher-fleet, flux-source-controller, flux, cilium-cli, zarf, helm-push...

AI score 5.8
Exploits 0
Wolfi
added 2026/04/11 2:41 p.m., 3 views

GHSA-HR2V-4R36-88HR vulnerabilities

Vulnerabilities for packages: kuma, helm-mapkubeapis, chartmuseum, kubescape, kube-arangodb, flux-source-controller, eksctl, k8ssandra-client, zot, nova, k9s, helm-set-status, cert-manager-cmctl, rancher-fleet, tigera-operator, trivy, envoy-gateway, tw, chart-testing, pluto, cerbos, headlamp,...

AI score 5.8
Exploits 0
Wolfi
added 2026/04/11 2:41 p.m., 4 views

CVE-2026-35206 vulnerabilities

Vulnerabilities for packages: kuma, helm-mapkubeapis, chartmuseum, kubescape, kube-arangodb, flux-source-controller, eksctl, k8ssandra-client, zot, nova, k9s, helm-set-status, cert-manager-cmctl, rancher-fleet, tigera-operator, trivy, envoy-gateway, tw, chart-testing, pluto, cerbos, headlamp,...

CVSS 4.8, AI score 5.8, EPSS 0.00005
Exploits 0
Chainguard
added 2026/04/11 2:18 p.m., 3 views

CVE-2026-35204 vulnerabilities

Vulnerabilities for packages: kuma, flux-fips, kots, cert-manager-cmctl, rancher-fleet, flux-source-controller-fips, cert-manager-cmctl-fips, rancher-fleet-fips, zarf, flux-source-controller, flux, zarf-fips, cilium-cli, gitlab-operator, helm-push, helm-diff-fips, helm-diff, gitlab-operator-fips...

CVSS 8.6, AI score 5.8, EPSS 0.00018
Exploits 0
Chainguard
added 2026/04/11 2:18 p.m., 3 views

GHSA-VMX8-MQV2-9GMG vulnerabilities

Vulnerabilities for packages: kuma, flux-fips, kots, cert-manager-cmctl, rancher-fleet, flux-source-controller-fips, cert-manager-cmctl-fips, rancher-fleet-fips, zarf, flux-source-controller, flux, zarf-fips, cilium-cli, gitlab-operator, helm-push, helm-diff-fips, helm-diff, gitlab-operator-fips...

AI score 5.8
Exploits 0
Chainguard
added 2026/04/11 2:18 p.m., 3 views

GHSA-Q5JF-9VFQ-H4H7 vulnerabilities

Vulnerabilities for packages: kuma, flux-fips, kots, cert-manager-cmctl, rancher-fleet, flux-source-controller-fips, cert-manager-cmctl-fips, rancher-fleet-fips, zarf, flux-source-controller, flux, zarf-fips, cilium-cli, gitlab-operator, helm-push, helm-diff-fips, helm-diff, gitlab-operator-fips...

AI score 5.8
Exploits 0
Chainguard
added 2026/04/11 2:18 p.m., 4 views

CVE-2026-35205 vulnerabilities

Vulnerabilities for packages: kuma, flux-fips, kots, cert-manager-cmctl, rancher-fleet, flux-source-controller-fips, cert-manager-cmctl-fips, rancher-fleet-fips, zarf, flux-source-controller, flux, zarf-fips, cilium-cli, gitlab-operator, helm-push, helm-diff-fips, helm-diff, gitlab-operator-fips...

CVSS 8.4, AI score 5.8, EPSS 0.00019
Exploits 0