Apache Airflow < 3.2.0 Multiple Vulnerabilities
The version of Apache Airflow installed on the remote host is prior to 3.2.0. It is, therefore, affected by multiple vulnerabilities, including: - DAG authors who normally should not be able to execute code in the webserver context can craft an XCom payload causing the webserver to execute...
CVE-2026-32228
A UI / API user with asset materialize permission could trigger DAGs they had no access to. Users are advised to migrate to Airflow version 3.2.0, which fixes the issue...
GHSA-H97W-PM3W-MWMC Apache Airflow allows users with asset materialize permissions to trigger DAGs outside of their permissions
A UI / API user with asset materialize permission could trigger DAGs they had no access to. Users are advised to migrate to Airflow version 3.2.0, which fixes the issue...
Apache Airflow allows users with asset materialize permissions to trigger DAGs outside of their permissions
A UI / API user with asset materialize permission could trigger DAGs they had no access to. Users are advised to migrate to Airflow version 3.2.0, which fixes the issue...
CVE-2026-32228
A UI / API user with asset materialize permission could trigger DAGs they had no access to. Users are advised to migrate to Airflow version 3.2.0, which fixes the issue...
EUVD-2026-23664
A UI / API user with asset materialize permission could trigger DAGs they had no access to. Users are advised to migrate to Airflow version 3.2.0, which fixes the issue...
CVE-2026-32228
A UI / API user with asset materialize permission could trigger DAGs they had no access to. Users are advised to migrate to Airflow version 3.2.0, which fixes the issue...
PT-2026-33594
Name of the Vulnerable Software and Affected Versions: Airflow versions prior to 3.2.0. Description: A user with asset materialize permission via the UI or API can trigger DAGs (Directed Acyclic Graphs), which are collections of all the tasks you want to run, organized in a way that reflects their...
org.webjars.npm:canvas (>=2.5.0 <=2.6.0), org.webjars.npm:color-thief (=2.2.5) +12 more potentially affected by CVE-2026-29786 via org.webjars.npm:tar (>=0.1.20 <=4.4.19)
org.webjars.npm:tar MAVEN version =0.1.20, =2.5.0, =0.97.5, =0.2.0, =3.4.0, =0.6.19, =2.0.0, =3.1.4, =3.4.1 - org.webjars.npm:tar.gz =1.0.7 Source cves: CVE-2026-29786 Source advisory: SNYK:JAVA-ORGWEBJARSNPM-15416076...
CVE-2019-11003
In Materialize through 1.0.0, XSS is possible via the Autocomplete feature...
CVE-2019-11004
In Materialize through 1.0.0, XSS is possible via the Toast feature...
EUVD-2025-178461
Malicious code in ichnology-materialize-neptune-karma npm...
EUVD-2025-176856
Malicious code in quark-eslint-config-materialize-css-loader npm...
EUVD-2025-177941
Malicious code in materialize-docusaurus-oauth-centaurus npm...
EUVD-2025-177937
Malicious code in materialize-pegasus-typeorm-ursa npm...
EUVD-2025-177557
Malicious code in nodejs-csrf-sagitta-materialize npm...
EUVD-2025-177940
Malicious code in materialize-dotenv-safe-sublimation-meteor npm...
EUVD-2025-178816
Malicious code in fusion-nextjs-iota-materialize npm...
EUVD-2025-177936
Malicious code in materialize-prosthetics-petrology-resonance npm...
EUVD-2025-180023
Malicious code in blitz-materialize-link-lint-staged npm...