10 matches found
GHSA-8P9X-46GM-QFX2 Kyverno Cross-Namespace Privilege Escalation via Policy apiCall
Summary: A critical authorization boundary bypass in namespaced Kyverno Policy apiCall. The resolved urlPath is executed using the Kyverno admission controller ServiceAccount, with no enforcement that the request is limited to the policy’s namespace. As a result, any authenticated user with...
CVE-2025-62596
Youki is a container runtime written in Rust. In versions 0.5.6 and below, youki’s apparmor handling performs insufficiently strict write-target validation, and when combined with path substitution during pathname resolution, can allow writes to unintended procfs locations. While resolving a path...
CVE-2025-62596
Youki container runtime (Rust) versions ≤ 0.5.6 are affected by a vulnerability in apparmor write-target validation combined with path substitution during pathname resolution. A shared-mount race can substitute intermediate path components, allowing writes to unintended procfs locations and poten...
CVE-2025-62596 youki container escape and denial of service due to arbitrary write gadgets and procfs write redirects
Youki is a container runtime written in Rust. In versions 0.5.6 and below, youki’s apparmor handling performs insufficiently strict write-target validation, and when combined with path substitution during pathname resolution, can allow writes to unintended procfs locations. While resolving a path...
CVE-2025-62596 youki container escape and denial of service due to arbitrary write gadgets and procfs write redirects
Youki is a container runtime written in Rust. In versions 0.5.6 and below, youki’s apparmor handling performs insufficiently strict write-target validation, and when combined with path substitution during pathname resolution, can allow writes to unintended procfs locations. While resolving a path...
EUVD-2025-37938
Youki is a container runtime written in Rust. In versions 0.5.6 and below, youki’s apparmor handling performs insufficiently strict write-target validation, and when combined with path substitution during pathname resolution, can allow writes to unintended procfs locations. While resolving a path...
youki container escape and denial of service due to arbitrary write gadgets and procfs write redirects
Impact: youki’s apparmor handling performs insufficiently strict write-target validation, which—combined with path substitution during pathname resolution—can allow writes to unintended procfs locations. Weak write-target check: youki only verifies that the destination lies somewhere under procfs. ...
GHSA-VF95-55W6-QMRF youki container escape and denial of service due to arbitrary write gadgets and procfs write redirects
Impact: youki’s apparmor handling performs insufficiently strict write-target validation, which—combined with path substitution during pathname resolution—can allow writes to unintended procfs locations. Weak write-target check: youki only verifies that the destination lies somewhere under procfs. ...
CVE-2024-23904
Jenkins Log Command Plugin 1.0.2 and earlier does not disable a feature of its command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read content from arbitrary files on the Jenkins controller file syst...
PT-2024-5150 · Artifex +3 · Artifex Ghostscript +3
Name of the Vulnerable Software and Affected Versions: Artifex Ghostscript versions prior to 10.03.0. Description: The issue is related to a stack-based buffer overflow in the Ghostscript software, which can be exploited via the CIDFSubstPath and CIDFSubstFont parameters. This can potentially allo...