256 matches found
Apache Airflow < 3.2.0 Multiple Vulnerabilities
The version of Apache Airflow installed on the remote host is prior to 3.2.0. It is, therefore, affected by multiple vulnerabilities, including:
- DAG authors who normally should not be able to execute code in the webserver context can craft an XCom payload causing the webserver to execute...
CVE-2026-32228
UI / API User with asset materialize permission could trigger dags they had no access to. Users are advised to migrate to Airflow version 3.2.0 that fixes the issue...
GHSA-H97W-PM3W-MWMC Apache Airflow allows users with asset materialize permissions to trigger DAGs outside of their permissions
UI / API User with asset materialize permission could trigger dags they had no access to. Users are advised to migrate to Airflow version 3.2.0 that fixes the issue...
Apache Airflow allows users with asset materialize permissions to trigger DAGs outside of their permissions
UI / API User with asset materialize permission could trigger dags they had no access to. Users are advised to migrate to Airflow version 3.2.0 that fixes the issue...
CVE-2026-32228
UI / API User with asset materialize permission could trigger dags they had no access to. Users are advised to migrate to Airflow version 3.2.0 that fixes the issue...
EUVD-2026-23664
UI / API User with asset materialize permission could trigger dags they had no access to. Users are advised to migrate to Airflow version 3.2.0 that fixes the issue...
CVE-2026-32228
UI / API User with asset materialize permission could trigger dags they had no access to. Users are advised to migrate to Airflow version 3.2.0 that fixes the issue...
PT-2026-33594
Name of the Vulnerable Software and Affected Versions: Airflow versions prior to 3.2.0. Description: A user with asset materialize permission via the UI or API can trigger DAGs Directed Acyclic Graphs, which are collections of all the tasks you want to run, organized in a way that reflects their...
org.webjars.npm:canvas (>=2.5.0 <=2.6.0), org.webjars.npm:color-thief (=2.2.5) +12 more potentially affected by CVE-2026-29786 via org.webjars.npm:tar (>=0.1.20 <=4.4.19)
org.webjars.npm:tar MAVEN version =0.1.20, =2.5.0, =0.97.5, =0.2.0, =3.4.0, =0.6.19, =2.0.0, =3.1.4, =3.4.1 - org.webjars.npm:tar.gz =1.0.7 Source cves: CVE-2026-29786 Source advisory: SNYK:JAVA-ORGWEBJARSNPM-15416076...
CVE-2019-11003
In Materialize through 1.0.0, XSS is possible via the Autocomplete feature...
CVE-2019-11004
In Materialize through 1.0.0, XSS is possible via the Toast feature...
EUVD-2025-175992
Malicious code in test-janus-eslint-config-materialize npm...
EUVD-2025-180469
Malicious code in aldebaran-polaris-materialize-xenobiology npm...
Malicious code in quark-eslint-config-materialize-css-loader (npm)
Source: amazon-inspector f14e76d31b688dacef1a496176a9ca1ea81b594b81b2373404d54a5de86a60df This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
EUVD-2025-176856
Malicious code in quark-eslint-config-materialize-css-loader npm...
EUVD-2025-178915
Malicious code in figures-materialize-markdown-pdf-miranda npm...
EUVD-2025-175528
Malicious code in xanadu-dotenv-safe-markdownlint-materialize npm...
EUVD-2025-177941
Malicious code in materialize-docusaurus-oauth-centaurus npm...
EUVD-2025-177940
Malicious code in materialize-dotenv-safe-sublimation-meteor npm...
EUVD-2025-180023
Malicious code in blitz-materialize-link-lint-staged npm...