18 matches found

Vulnrichment
added 2026/04/07 9:01 p.m.

CVE-2026-35533 mise: local settings bypass config trust checks

mise manages dev tools like node, python, cmake, and terraform. From 2026.2.18 through 2026.4.5, mise loads trust-control settings from a local project .mise.toml before the trust check runs. An attacker who can place a malicious .mise.toml in a repository can make that same file appear trusted a...

CVSS 7.7, AI score 5.9, EPSS 0.00154
Exploits: 1, References: 1
EUVD
added 2026/04/07 8:13 p.m.

EUVD-2026-19952

Local settings bypass config trust checks...

CVSS 7.7, AI score 5.9, EPSS 0.00154
Exploits: 1, References: 1
OSV
added 2026/04/07 8:13 p.m.

GHSA-436V-8FW5-4MJ8 Local settings bypass config trust checks

Summary: mise loads trust-control settings from a local project .mise.toml before the trust check runs. An attacker who can place a malicious .mise.toml in a repository can make that same file appear trusted and then reach dangerous directives such as env .source, templates, hooks, or tasks. The...

CVSS 7.7, AI score 5.9, EPSS 0.00154
Exploits: 1, References: 3
OSSF Malicious Packages
added 2026/03/01 10:00 a.m.

Malicious code in botbooster (PyPI)

Per source details. Source: kam193 0ac97422a8ea78df8c5538d0dbada7aad5720510773f1855cf5e4b5a9cbc56cb. When using the provided function, the code exfiltrates the sensitive token from local settings.json to the hardcoded location. Category: MALICIOUS. The campai...

AI score 6
Exploits: 0, References: 1
CNNVD
added 2026/01/07 12:00 a.m.

HCL BigFix IVR security vulnerability

HCL BigFix IVR is a vulnerability remediation tool from HCL (India). A security vulnerability exists in HCL BigFix IVR version 4.2 that stems from improper authentication and a lack of CSRF protection in the Local Settings Interface component, which could lead to unauthorized configuration changes...

CVSS 3.3, AI score 6.8, EPSS 0.00082
Exploits: 0, References: 1
Positive Technologies
added 2025/12/03 12:00 a.m.

PT-2025-48966

Aquarius Desktop 3.0.069 for macOS stores user authentication credentials in the local file /Library/Application Support/Aquarius/aquarius.settings using a weak obfuscation scheme. The password is "encrypted" through predictable byte-substitution that can be trivially reversed, allowing immediate...

AI score 6.7, EPSS 0.00213
Exploits: 1, References: 4
EUVD
added 2025/10/03 8:07 p.m.

EUVD-2022-51773

Malicious code in bioql PyPI...

CVSS 8.9, AI score 7.8, EPSS 0.00695
Exploits: 0, References: 1
RedhatCVE
added 2025/05/23 8:06 a.m.

CVE-2024-45034

Apache Airflow versions before 2.10.1 have a vulnerability that allows DAG authors to add local settings to the DAG folder and get them executed by the scheduler, where the scheduler is not supposed to execute code submitted by the DAG author. Users are advised to upgrade to version 2.10.1 or later...

CVSS 8.8, AI score 8.7, EPSS 0.01688
Exploits: 0, References: 1
Veracode
added 2024/09/10 9:32 a.m.

Arbitrary Code Execution

Apache Airflow is vulnerable to Arbitrary Code Execution. The vulnerability is due to DAG authors being able to add local settings to the DAG folder, which are then executed by the scheduler, allowing unintended code execution...

CVSS 8.8, AI score 6.8, EPSS 0.01688
Exploits: 0, References: 5, Affected Software: 1
CNNVD
added 2024/09/07 12:00 a.m.

Apache Airflow security vulnerability

Apache Airflow is an open source platform from the Apache Software Foundation for creating, managing and monitoring workflows. The platform is characterized by scalability and dynamic monitoring. A security vulnerability exists in Apache Airflow versions prior to 2.10.1 that stems from the ability of ...

CVSS 8.8, AI score 6.4, EPSS 0.01688
Exploits: 0, References: 3
Positive Technologies
added 2024/09/06 12:00 a.m.

PT-2024-31385 · Apache · Apache Airflow

Name of the Vulnerable Software and Affected Versions: Apache Airflow versions prior to 2.10.1. Description: The issue allows DAG authors to add local settings to the DAG folder and get it executed by the scheduler, where the scheduler is not supposed to execute code submitted by the DAG author...

CVSS 8.8, AI score 7.2, EPSS 0.01688
Exploits: 0, References: 19
Positive Technologies
added 2024/06/14 12:00 a.m.

PT-2024-36536 · WordPress · Wp Staging Pro

Name of the Vulnerable Software and Affected Versions: WP STAGING Pro WordPress Backup Plugin versions up to, and including, 5.6.0. Description: The issue is related to Cross-Site Request Forgery due to missing or incorrect nonce validation on the sub parameter. This allows unauthenticated attacke...

CVSS 8.8, AI score 6.7, EPSS 0.0028
Exploits: 0, References: 6
SUSE CVE
added 2023/02/15 5:43 a.m.

SUSE CVE-2012-5474

The file /etc/openstack-dashboard/localsettings within Red Hat OpenStack Platform 2.0 and the RHOS Essex Release python-django-horizon package before 2012.1.1 is world-readable and exposes the secret key value...

CVSS 5.5, AI score 5.5, EPSS 0.00338
Exploits: 1, References: 3
CVE
added 2023/01/11 4:49 p.m.

CVE-2022-4428

Cloudflare WARP client (Windows) is affected by CVE-2022-4428 due to unvalidated support_uri in the local settings file (mdm.xml). A crafted XML config or a manipulated path could be used to escalate privileges and trigger execution of an arbitrary local executable when the user interacts with th...

CVSS 8.9, AI score 8, EPSS 0.00695
Exploits: 0, References: 1, Affected Software: 1
AlpineLinux
added 2023/01/11 4:49 p.m.

CVE-2022-4428

The supporturi parameter in the WARP client local settings file mdm.xml lacked proper validation, which allowed privilege escalation and the launching of an arbitrary executable on the local machine upon clicking the "Send feedback" option. An attacker with access to the local file system could use a...

CVSS 8.9, AI score 8, EPSS 0.00695
Exploits: 0, References: 1
CNNVD
added 2023/01/11 12:00 a.m.

Cloudflare WARP input validation error vulnerability

Cloudflare WARP is a client-side VPN application from Cloudflare, Inc. for secure connections. A security vulnerability in Cloudflare WARP, which stems from a lack of proper validation of the supporturi parameter in its client-side local settings file mdm.xml, allows an attacker to...

CVSS 8.9, AI score 7.8, EPSS 0.00695
Exploits: 0, References: 2
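
The three CVE-2022-4428 entries above describe a setting read from a locally writable file (the support link in mdm.xml) being handed to the OS as something to open, so a local path or a file: URI becomes an executable launch when the user clicks "Send feedback". The validator below is an added example and not Cloudflare's code: a support link is only ever an https URL to an allowlisted host, and anything else is rejected before it reaches an open-URL or shell-execute call. The allowlisted host and every sample value are constructed; the Windows client is written in a different language, and the point here is the shape of the check.

```python
"""Validate a support link taken from a local settings file before the OS opens it.
Added example; the allowlisted host and the sample inputs are constructed."""
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"support.example.com"}  # hypothetical allowlist


def validate_support_uri(value: str) -> str:
    """Return the URL if it is an https link to an allowlisted host, otherwise raise
    ValueError. Nothing that could be read as a local path or executable gets through."""
    if any(ch in value for ch in "\x00\r\n"):
        raise ValueError("control characters in URI")
    parts = urlsplit(value.strip())
    # A bare path like C:\... parses with scheme 'c'; a UNC path has no scheme at all.
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    # user@host tricks: the allowlisted name sits in userinfo, the real host after '@'.
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo not allowed")
    if parts.port is not None:  # .port itself raises ValueError on a malformed port
        raise ValueError("explicit port not allowed")
    if (parts.hostname or "").lower() not in ALLOWED_HOSTS:
        raise ValueError(f"host not allowed: {parts.hostname!r}")
    return parts.geturl()


# Constructed inputs: two legitimate links and the kinds of values an attacker
# with write access to the settings file might plant.
SAMPLES = [
    "https://support.example.com/feedback?id=42",
    "HTTPS://Support.Example.com/help",
    "file:///C:/Windows/System32/cmd.exe",
    r"C:\Users\Public\evil.exe",
    r"\\evil.example\share\payload.exe",
    "https://support.example.com@evil.example/x",
    "https://support.example.com.evil.example/",
    "javascript:alert(1)",
]


def classify(values: list[str]) -> dict[str, bool]:
    """Map each candidate to True (safe to open) or False (rejected)."""
    verdicts = {}
    for value in values:
        try:
            validate_support_uri(value)
            verdicts[value] = True
        except ValueError:
            verdicts[value] = False
    return verdicts


if __name__ == "__main__":
    for value, ok in classify(SAMPLES).items():
        print("ACCEPT" if ok else "REJECT", value)
```

Validation at read time is only half of it: the click handler should call an open-URL primitive with the validated string, never a generic shell-execute that would happily run a path, and the settings file itself should not be writable by the unprivileged users it is read on behalf of.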
OSV
added 2022/05/17 6:00 p.m.

UBUNTU-CVE-2021-3899

There is a race condition in the 'replaced executable' detection that, with the correct local configuration, allows an attacker to execute arbitrary code as root...

CVSS 7.8, AI score 7.4, EPSS 0.00384
Exploits: 0, References: 4
OSV
added 2019/12/30 8:15 p.m.

DEBIAN-CVE-2012-5474

The file /etc/openstack-dashboard/localsettings within Red Hat OpenStack Platform 2.0 and the RHOS Essex Release python-django-horizon package before 2012.1.1 is world-readable and exposes the secret key value...

CVSS 5.5, AI score 5.7, EPSS 0.00338
Exploits: 1, References: 1
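
The two CVE-2012-5474 entries (SUSE and Debian, above) are the plainest case on this page: a settings file holding a secret is readable by every local account because of its mode bits. The block below is an added example and not part of the Horizon package. It audits a file for the combination that matters, a secret-bearing setting plus a world-readable mode, and shows the remediation. The file name follows the advisory; its contents, the secret value and the 0o640 target mode (owner read/write, group read, nothing for others) are constructed, and the check covers POSIX mode bits only, not ACLs.

```python
"""Audit a settings file for a secret that the file mode exposes to every local user.
Added example; file contents and the secret value are constructed."""
import os
import stat
import tempfile
from pathlib import Path

# Setting names whose values are secrets in a Django/Horizon settings file.
SECRET_SETTINGS = {"SECRET_KEY"}


def is_world_readable(path: Path) -> bool:
    return bool(path.stat().st_mode & stat.S_IROTH)


def secrets_in(path: Path) -> list[str]:
    """Names of secret-bearing settings assigned at the top level of the file."""
    found = []
    for line in path.read_text(encoding="utf-8").splitlines():
        if "=" not in line or line.lstrip().startswith("#"):
            continue
        name = line.split("=", 1)[0].strip()
        if name in SECRET_SETTINGS:
            found.append(name)
    return found


def audit(path: Path) -> dict:
    """'exposed' is True when any local account can read a secret from this file."""
    secrets = secrets_in(path)
    readable = is_world_readable(path)
    return {"world_readable": readable, "secrets": secrets, "exposed": readable and bool(secrets)}


def restrict(path: Path, mode: int = 0o640) -> None:
    """Drop the 'other' bits; the web server's group keeps read access."""
    os.chmod(path, mode)


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "localsettings"  # name as written in the advisory
        path.write_text(
            "DEBUG = False\n"
            "# constructed value, not a real key\n"
            "SECRET_KEY = 'c0nstructed-example-secret'\n",
            encoding="utf-8",
        )
        os.chmod(path, 0o644)  # the state the advisory describes: world-readable
        before = audit(path)
        restrict(path)
        after = audit(path)
        return {"before": before, "after": after}


if __name__ == "__main__":
    print(run_demo())
```

Changing the mode fixes the file; a secret that was world-readable for any length of time on a multi-user host should still be rotated, since the audit cannot tell whether it was already read.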