721 matches found
MinIO - Incomplete Signature Validation for Unsigned-Trailer Uploads
MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. The signature component of the authorization may be invalid, which would mean that as a client you can use any arbitrary secret to upload objects given the user already has prior WRITE permissions on...
MinIO Operator Console Authentication Bypass
MinIO Console is a graphical user interface for the for MinIO Operator. MinIO itself is a multi-cloud object storage project. Affected versions are subject to an authentication bypass issue in the Operator Console when an external IDP is enabled. id: CVE-2021-41266 info: name: MinIO Operator...
MinIO Browser API - Server-Side Request Forgery
MinIO Browser API before version RELEASE.2021-01-30T00-20-58Z contains a server-side request forgery vulnerability. id: CVE-2021-21287 info: name: MinIO Browser API - Server-Side Request Forgery author: pikpikcu severity: high description: MinIO Browser API before version...
MinIO Cluster Deployment - Information Disclosure
MinIO is susceptible to information disclosure. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including MINIOSECRETKEY and MINIOROOTPASSWORD. An attacker can potentially obtain sensitive...
CVE-2026-15378
A flaw was found in the guardrails-detectors component. This vulnerability allows a remote attacker to perform a blind Server-Side Request Forgery SSRF by submitting a specially crafted XML Schema Definition XSD string. This can lead to unauthorized access to sensitive information, including...
CVE-2026-54352
Budibase is an open-source low-code platform. Prior to 3.39.9, POST /api/pwa/process-zip at packages/server/src/api/routes/static.ts:24 accepts a builder-uploaded .zip, extracts it with [email protected] into a temp directory, then for each entry listed in icons.json validates the icon path, open...
CVE-2026-54352 Budibase: Arbitrary file read by workspace-builder via PWA-zip symlink upload
Budibase is an open-source low-code platform. Prior to 3.39.9, POST /api/pwa/process-zip at packages/server/src/api/routes/static.ts:24 accepts a builder-uploaded .zip, extracts it with [email protected] into a temp directory, then for each entry listed in icons.json validates the icon path, open...
GHSA-45GG-VH54-H5M9 vulnerabilities
Vulnerabilities for packages: prometheus-mongodb-exporter, coder-fips, kubernetes-dashboard, calico-fips, traefik, zarf-fips, argo-cd, argo-workflows-fips, reports-server, knative-serving-fips, aactl, mattermost-fips, rancher-agent, k9s, argo-workflows, spire-server, traefik-fips,...
GHSA-X527-X647-Q7GG vulnerabilities
Vulnerabilities for packages: flux, fscrypt, kubernetes-dashboard, k9s, argocd-image-updater, loki, mattermost, argo-cd, zarf, containerd, knative-serving, minio, trivy-operator, trivy, skaffold, flux-image-automation-controller, opentelemetry-collector, rancher, helm, cloud-provider-aws, kots,...
GHSA-W879-237Q-WC7R vulnerabilities
Vulnerabilities for packages: guac, glab, crossplane-provider-azure-storage, tflint, terraform-provider-tls, cluster-api-azure-controller, ko, step, opentelemetry-collector, pulumi-language-yaml, cloud-provider-aws, spire-server, kaf, mods, nfpm, ksops, go-discover, tekton-chains,...
GHSA-45GG-VH54-H5M9 vulnerabilities
Vulnerabilities for packages: flux, fscrypt, kubernetes-dashboard, k9s, argocd-image-updater, loki, mattermost, argo-cd, zarf, containerd, knative-serving, minio, trivy-operator, trivy, skaffold, flux-image-automation-controller, opentelemetry-collector, rancher, helm, cloud-provider-aws, kots,...
GHSA-JPPX-RXG9-JMRX vulnerabilities
Vulnerabilities for packages: flux, fscrypt, teleport, kubernetes-dashboard, loki, mattermost, argo-cd, containerd, knative-serving, minio, docker-cli-buildx, opentelemetry-collector, rancher, helm, cloud-provider-aws, kots, buildah, spire-server, kaf, prometheus-operator, kubernetes, cert-manage...
GHSA-F5WC-C3C7-36MC vulnerabilities
Vulnerabilities for packages: guac, step, opentelemetry-collector, pulumi-language-yaml, cloud-provider-aws, spire-server, kaf, nfpm, go-discover, dagger, snyk-cli, istio, openbao, step-issuer, aactl, rancher, flux-source-controller, flux, mattermost, syft, trivy, skaffold, pulumi-language-java,...
Budibase has arbitrary file read by workspace-builder via PWA-zip symlink upload
Summary POST /api/pwa/process-zip at packages/server/src/api/routes/static.ts:24 accepts a builder-uploaded .zip, extracts it with [email protected] into a temp directory, then for each entry listed in icons.json validates the icon path, opens it, and streams the bytes into MinIO. The resulting...
ROOT-APP-GOBINARY-CVE-2026-40344 CVE-2026-40344 in rootio-github.com/minio/minio - Patched by Root
Root has patched CVE-2026-40344 in the rootio-github.com/minio/minio package for Root:Go. Multiple fixed versions available...
ROOT-APP-GOBINARY-CVE-2026-41145 CVE-2026-41145 in rootio-github.com/minio/minio - Patched by Root
Root has patched CVE-2026-41145 in the rootio-github.com/minio/minio package for Root:Go. Multiple fixed versions available...
MinIO RELEASE.2022-07-24T01-54-52Z < RELEASE.2026-04-14T21-32-45Z Path Traversal (CVE-2026-42600)
The version of MinIO installed on the remote host is RELEASE.2022-07-24T01-54-52Z or later but prior to RELEASE.2026-04-14T21-32-45Z. It is, therefore, affected by a path traversal vulnerability: - A path traversal vulnerability in MinIO's ReadMultiple internode storage-REST endpoint allows a...
PenguinMod-BackendApi 输入验证错误漏洞
PenguinMod-BackendApi is a backend API service developed under the open source of PenguinMod, supporting storage using MongoDB and MinIO. Prior to version 1.0.0 of PenguinMod-BackendApi, there was a vulnerability related to input validation errors. This vulnerability stemmed from NoSQL injection ...
GHSA-HV4R-MVR4-25VW vulnerabilities
Vulnerabilities for packages: minio...
GHSA-H749-FXX7-PWPG vulnerabilities
Vulnerabilities for packages: minio...