Lucene search
K

30 matches found

OSV
OSV
added 2026/06/30 11:39 p.m.5 views

BIT-ENVOY-2026-48706 Envoy Heap Buffer Overflow in TcpStatsdSink

Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.34.0 until 1.35.13, 1.36.9, 1.37.5, and 1.38.3, a vulnerability exists in Envoy's TCP StatsD sink TcpStatsdSink, where the thread-local flusher buffer can be overflowed by exceptionally long statistic...

7.5CVSS6.5AI score0.0061EPSS
Exploits0References2
NVD
NVD
added 2026/06/26 6:17 p.m.8 views

CVE-2026-48706

Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.34.0 until 1.35.13, 1.36.9, 1.37.5, and 1.38.3, a vulnerability exists in Envoy's TCP StatsD sink TcpStatsdSink, where the thread-local flusher buffer can be overflowed by exceptionally long statistic...

7.5CVSS0.0061EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/26 5:38 p.m.36 views

CVE-2026-48706 Envoy Heap Buffer Overflow in TcpStatsdSink

Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.34.0 until 1.35.13, 1.36.9, 1.37.5, and 1.38.3, a vulnerability exists in Envoy's TCP StatsD sink TcpStatsdSink, where the thread-local flusher buffer can be overflowed by exceptionally long statistic...

5.9CVSS0.0061EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/26 5:38 p.m.5 views

CVE-2026-48706

Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.34.0 until 1.35.13, 1.36.9, 1.37.5, and 1.38.3, a vulnerability exists in Envoy's TCP StatsD sink TcpStatsdSink, where the thread-local flusher buffer can be overflowed by exceptionally long statistic...

5.9CVSS6.5AI score0.0061EPSS
Exploits0References2Affected Software1
EUVD
EUVD
added 2026/06/26 5:38 p.m.7 views

EUVD-2026-39825

Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.34.0 until 1.35.13, 1.36.9, 1.37.5, and 1.38.3, a vulnerability exists in Envoy's TCP StatsD sink TcpStatsdSink, where the thread-local flusher buffer can be overflowed by exceptionally long statistic...

5.9CVSS6.5AI score0.0061EPSS
Exploits0References1
CVE
CVE
added 2026/06/26 5:38 p.m.18 views

CVE-2026-48706

CVE-2026-48706 affects Envoy TCP StatsD sink (TcpStatsdSink). A heap write overflow can occur when processing extremely long statistic names (>16 KiB) due to mismanagement of 16 KiB flush slices during buffer rotation, potentially causing process crash or remote code execution. Affected versio...

7.5CVSS6.5AI score0.0061EPSS
Exploits0References1Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/26 12:0 a.m.9 views

PT-2026-52891

Name of the Vulnerable Software and Affected Versions Envoy versions 1.34.0 through 1.35.12 Envoy versions 1.36.0 through 1.36.8 Envoy versions 1.37.0 through 1.37.4 Envoy versions 1.38.0 through 1.38.2 Description A heap write overflow exists in the TCP StatsD sink TcpStatsdSink when processing...

7.5CVSS6.2AI score0.0061EPSS
Exploits0References19
OSV
OSV
added 2026/06/25 10:34 p.m.3 views

GO-2026-5662 Prometheus has Stored XSS via metric names and label values in Prometheus web UI tooltips and metrics explorer in github.com/prometheus/prometheus

Prometheus has Stored XSS via metric names and label values in Prometheus web UI tooltips and metrics explorer in github.com/prometheus/prometheus. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this...

6.1CVSS5.8AI score0.0024EPSS
Exploits0References4
CVE
CVE
added 2026/06/10 6:32 p.m.26 views

CVE-2026-50637

The CVE concerns Metrics::Any::Adapter::Statsd (Perl) prior to v0.04, where the send path did not validate metric names/values, allowing metric injections when names contain newlines and statsd control characters (colon, pipe). This vulnerability affects Metrics::Any::Adapter::Statsd and related ...

8.2CVSS5.8AI score0.00323EPSS
Exploits0References6Affected Software1
Vulnrichment
Vulnrichment
added 2026/06/05 2:49 p.m.10 views

CVE-2026-9270 DataDog::DogStatsd versions through 0.07 for Perl allow metric injections

DataDog::DogStatsd versions through 0.07 for Perl allow metric injections. DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources. The sendstats method does not remove newlines from metric names $stat variable, allowing attackers to change t...

5.5AI score0.00331EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/06/05 2:49 p.m.7 views

CVE-2026-9270

DataDog::DogStatsd versions through 0.07 for Perl allow metric injections. DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources. The sendstats method does not remove newlines from metric names $stat variable, allowing attackers to change t...

5.5AI score0.00331EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/06/04 3:45 p.m.12 views

CVE-2026-46739 Net::Statsd versions before 0.13 for Perl allow metric injections

Net::Statsd versions before 0.13 for Perl allow metric injections. The metric names are not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. The updatestats used for updating counters and gauge methods do not check that values...

5.8AI score0.00258EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/05/18 12:0 a.m.26 views

PT-2026-41648

Name of the Vulnerable Software and Affected Versions Net::Statsd::Lite versions prior to 0.10.0 Description Net::Statsd::Lite for Perl allows metric injections because the set add function does not validate values for newlines, colons, or pipes. This allows metrics generated from untrusted sourc...

7.3CVSS5.8AI score0.00226EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/05/17 12:0 a.m.16 views

PT-2026-41581

Name of the Vulnerable Software and Affected Versions Net::Statsd::Tiny versions prior to 0.3.8 Description Net::Statsd::Tiny for Perl allows metric injections because metric names and set values are not validated for newlines, colons, or pipes. This allows metrics generated from untrusted source...

8.2CVSS5.8AI score0.00344EPSS
Exploits0References11
EUVD
EUVD
added 2026/05/16 1:37 p.m.16 views

EUVD-2026-30672

Net::Statsd::Lite versions before 0.9.0 for Perl allowed metric injections. The metric names were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics...

5.8AI score0.00306EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/05/16 12:0 a.m.12 views

Net::Statsd::Lite 注入漏洞

Net::Statsd::Lite is a lightweight StatsD client developed by Robert Rothenberg, which supports multiple metric data packets. Versions of Net::Statsd::Lite prior to 0.9.0 have a injection vulnerability. This vulnerability arises from the lack of checks for line breaks, colons, or vertical bars in...

6.5CVSS5.8AI score0.00306EPSS
Exploits0References2
OSV
OSV
added 2026/04/18 8:47 a.m.7 views

BIT-PROMETHEUS-2026-40179 Prometheus: Stored XSS via metric names and label values in web UI tooltips and metrics explorer

Prometheus is an open-source monitoring system and time series database. Versions 3.0 through 3.5.1 and 3.6.0 through 3.11.1 have stored cross-site scripting vulnerabilities in multiple components of the Prometheus web UI where metric names and label values are injected into innerHTML without...

6.1CVSS5.9AI score0.0024EPSS
Exploits0References4
SUSE CVE
SUSE CVE
added 2026/04/16 11:28 p.m.10 views

SUSE CVE-2026-40179

Prometheus is an open-source monitoring system and time series database. Versions 3.0 through 3.5.1 and 3.6.0 through 3.11.1 have stored cross-site scripting vulnerabilities in multiple components of the Prometheus web UI where metric names and label values are injected into innerHTML without...

5.4CVSS5.9AI score0.0024EPSS
Exploits0References9
NVD
NVD
added 2026/04/15 11:16 p.m.8 views

CVE-2026-40179

Prometheus is an open-source monitoring system and time series database. Versions 3.0 through 3.5.1 and 3.6.0 through 3.11.1 have stored cross-site scripting vulnerabilities in multiple components of the Prometheus web UI where metric names and label values are injected into innerHTML without...

6.1CVSS0.0024EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/04/15 10:26 p.m.23 views

CVE-2026-40179 Prometheus: Stored XSS via metric names and label values in web UI tooltips and metrics explorer

Prometheus is an open-source monitoring system and time series database. Versions 3.0 through 3.5.1 and 3.6.0 through 3.11.1 have stored cross-site scripting vulnerabilities in multiple components of the Prometheus web UI where metric names and label values are injected into innerHTML without...

5.3CVSS0.0024EPSS
Exploits0References3
Rows per page
Query Builder