Important: Red Hat Security Advisory: RHTAS 1.3.2 - Tech Preview Release Of the Model Validation Operator
The Tech Preview release of the RHTAS Model Validation Operator. For more details, please visit the product documentation at https://access.redhat.com/documentation/en-us/redhattrustedartifactsigner/1.3 The RHTAS Model Validation Operator can be used with OpenShift Container Platform 4.16, 4.17,...
CVE-2026-30962
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.6 and 8.6.19, the validation for protected fields only checks top-level query keys. By wrapping a query constraint on a protected field inside a logical operator, the check...
EUVD-2026-10826
Feathers has a NoSQL Injection via WebSocket id Parameter in MongoDB Adapter...
GHSA-P9XR-7P9P-GPQX Feathers has a NoSQL Injection via WebSocket id Parameter in MongoDB Adapter
Socket.IO clients can send arbitrary JavaScript objects as the id argument to any service method (get, patch, update, remove). The transport layer performs no type checking on this argument. When the service uses the MongoDB adapter, these objects pass through getObjectId and land directly in the...
CVE-2026-30962
Parse Server is vulnerable prior to versions 9.5.2-alpha.6 and 8.6.19 due to a flawed protection check that only validates top-level query keys for protected fields. By wrapping a query constraint on a protected field inside a logical operator, the check is bypassed, allowing any authenticated us...
GO-2026-4591 Rancher Backup Operator pod's logs leak S3 tokens in github.com/rancher/backup-restore-operator
Rancher Backup Operator pod's logs leak S3 tokens in github.com/rancher/backup-restore-operator. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from vulnerabili...
GHSA-RV83-G57W-FR8J vulnerabilities
Vulnerabilities for packages: kubevela, sftpgo-plugin-eventsearch, runc, wgcf, prometheus-alertmanager, q, kubernetes-ingress-defaultbackend, wazero, newrelic-k8s-metadata-injection, victoriametrics, amass, influx, stakater-reloader, tailscale, gitlab-pages, mc, terraform-provider-sendgrid,...
GHSA-J3GX-2473-5FP8 vulnerabilities
Vulnerabilities for packages: kubevela, sftpgo-plugin-eventsearch, runc, wgcf, prometheus-alertmanager, q, kubernetes-ingress-defaultbackend, newrelic-k8s-metadata-injection, victoriametrics, amass, influx, stakater-reloader, tailscale, gitlab-pages, mc, terraform-provider-sendgrid,...
CVE-2026-25679 vulnerabilities
Vulnerabilities for packages: kubevela, sftpgo-plugin-eventsearch, runc, wgcf, prometheus-alertmanager, q, kubernetes-ingress-defaultbackend, newrelic-k8s-metadata-injection, victoriametrics, amass, influx, stakater-reloader, tailscale, gitlab-pages, mc, terraform-provider-sendgrid,...
CVE-2026-25679 vulnerabilities
Vulnerabilities for packages: knative-net-istio-fips, kapp, datadog-agent, influxd, restic-fips, http-echo, gatus-fips, kube-bench, custom-pod-autoscaler-fips, ingress-nginx-controller, postgres-operator-fips, terraform-provider-azuread, crossplane-provider-aws-sqs-fips, elastic-agent,...
GHSA-J4J7-VW47-RHFQ vulnerabilities
Vulnerabilities for packages: knative-net-istio-fips, datadog-agent, influxd, restic-fips, gatus-fips, ingress-nginx-controller, terraform-provider-azuread, crossplane-provider-aws-sqs-fips, elastic-agent, kube-state-metrics, goose, kapp-controller-fips, ollama-fips, envoy-gateway-fips, snyk-cli,...
GHSA-RV83-G57W-FR8J vulnerabilities
Vulnerabilities for packages: knative-net-istio-fips, kapp, datadog-agent, influxd, restic-fips, http-echo, gatus-fips, kube-bench, custom-pod-autoscaler-fips, ingress-nginx-controller, postgres-operator-fips, terraform-provider-azuread, crossplane-provider-aws-sqs-fips, elastic-agent,...
CLEANSTART-2026-AB04032 OpenTelemetry-Go is the Go implementation of OpenTelemetry
Multiple security vulnerabilities affect the fluent-operator-fips package. OpenTelemetry-Go is the Go implementation of OpenTelemetry. See references for individual vulnerability details...
PT-2026-24455
Name of the Vulnerable Software and Affected Versions: Parse Server versions prior to 9.5.2-alpha.6; Parse Server versions prior to 8.6.19. Description: Parse Server, an open source backend deployable on Node.js infrastructures, contains a flaw in its validation process for protected fields. The...
Incorrect Authorization
Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Incorrect Authorization via the chat.send process. An attacker can perform unauthorized persistent configuration changes by routing /config set or /config unset commands through an...
GHSA-HFPR-JHPQ-X4RM OpenClaw: `operator.write` chat.send could reach admin-only config writes
Summary: A gateway client authenticated with operator.write could route /config set or /config unset through chat.send and reach persistent config mutation even though direct config RPC methods are admin-scoped. Affected Packages / Versions - Package: openclaw npm - Latest published vulnerable...
Information Disclosure
github.com/authzed/spicedb is vulnerable to Information Disclosure. The vulnerability is due to the exclusion operator in the authorization schema, where a large payload can cause the WriteRelationships call to fail silently, and incorrect permission check results are returned, allowing attackers...
CVE-2025-69219 Apache Airflow Providers Http: Unsafe Pickle Deserialization in apache-airflow-providers-http leading to RCE via HttpOperator
A user with access to the DB could craft a database entry that would result in executing code on the Triggerer, which gives anyone who has access to the DB the same permissions as a Dag Author. Since direct DB access is neither usual nor recommended for Airflow, the likelihood of it doing any damage is low...
PT-2026-24022
Name of the Vulnerable Software and Affected Versions: Apache Airflow Providers Http versions prior to 6.0.0. Description: A user with database access can create a malicious database entry that executes code on the Triggerer, granting them the same permissions as a Dag Author. Direct database access...