Lucene search
K

70 matches found

NVD
NVD
added 2026/07/07 4:17 a.m.13 views

CVE-2026-34168

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the LocalPersistentVolume.name field is interpolated directly into docker volume shell commands without shell argument escaping, allowing an authenticated user to set a...

8.8CVSS0.00403EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/07/07 3:15 a.m.29 views

CVE-2026-42143 Coolify: OS Command Injection via Persistent Volume Names - Root RCE on Managed Servers

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, user-controlled persistent volume names are interpolated into shell commands executed on managed servers without escaping or validation, allowing an authenticated member to...

8.8CVSS0.00435EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/07/07 3:5 a.m.31 views

CVE-2026-34168 Coolify: Command injection via unsanitized persistent storage name in docker volume commands

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the LocalPersistentVolume.name field is interpolated directly into docker volume shell commands without shell argument escaping, allowing an authenticated user to set a...

8.8CVSS0.00403EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/07/07 3:5 a.m.6 views

CVE-2026-34168

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the LocalPersistentVolume.name field is interpolated directly into docker volume shell commands without shell argument escaping, allowing an authenticated user to set a...

8.8CVSS6AI score0.00403EPSS
Exploits0References4Affected Software1
EUVD
EUVD
added 2026/07/07 3:5 a.m.14 views

EUVD-2026-41986

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the LocalPersistentVolume.name field is interpolated directly into docker volume shell commands without shell argument escaping, allowing an authenticated user to set a...

8.8CVSS6AI score0.00403EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/07/07 12:0 a.m.9 views

PT-2026-56136

Name of the Vulnerable Software and Affected Versions Coolify versions prior to 4.0.0-beta.471 Description Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. An authenticated user can execute commands on managed servers when a resource is deleted...

8.8CVSS6AI score0.00403EPSS
Exploits0References7
SUSE CVE
SUSE CVE
added 2026/05/29 1:22 a.m.18 views

SUSE CVE-2026-9804

A flaw was found in KubeVirt's virt-exportserver component. An attacker with specific namespace-level access can exploit a path traversal vulnerability in the VMExport directory endpoint. By placing a symbolic link symlink within an exported filesystem Persistent Volume Claim PVC that points...

7.7CVSS5.8AI score0.00516EPSS
Exploits0References3
OSV
OSV
added 2026/05/28 9:31 a.m.3 views

GHSA-MPMF-3W4R-QFPF KubeVirt has a Link Following issue

A flaw was found in KubeVirt's virt-exportserver component. An attacker with specific namespace-level access can exploit a path traversal vulnerability in the VMExport directory endpoint. By placing a symbolic link symlink within an exported filesystem Persistent Volume Claim PVC that points...

7.7CVSS5.9AI score0.00516EPSS
Exploits0References11
NVD
NVD
added 2026/05/28 9:16 a.m.18 views

CVE-2026-9804

A flaw was found in KubeVirt's virt-exportserver component. An attacker with specific namespace-level access can exploit a path traversal vulnerability in the VMExport directory endpoint. By placing a symbolic link symlink within an exported filesystem Persistent Volume Claim PVC that points...

7.7CVSS0.00516EPSS
Exploits0References8
EUVD
EUVD
added 2026/05/28 8:15 a.m.14 views

EUVD-2026-32748

A flaw was found in KubeVirt's virt-exportserver component. An attacker with specific namespace-level access can exploit a path traversal vulnerability in the VMExport directory endpoint. By placing a symbolic link symlink within an exported filesystem Persistent Volume Claim PVC that points...

7.7CVSS5.8AI score0.00516EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/05/28 8:15 a.m.14 views

CVE-2026-9804

A flaw was found in KubeVirt's virt-exportserver component. An attacker with specific namespace-level access can exploit a path traversal vulnerability in the VMExport directory endpoint. By placing a symbolic link symlink within an exported filesystem Persistent Volume Claim PVC that points...

7.7CVSS5.8AI score0.00516EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/28 6:0 a.m.6 views

Symlink Attack

Overview Affected versions of this package are vulnerable to Symlink Attack via the virt-exportserver process. An attacker can access sensitive files from the exporter pod's filesystem by placing a symbolic link within an exported filesystem Persistent Volume Claim PVC that points outside its...

7.7CVSS5.5AI score0.00516EPSS
Exploits0References2
EUVD
EUVD
added 2026/04/18 1:7 a.m.8 views

EUVD-2026-23500

Amazon EFS CSI Driver has mount option injection via unsanitized volumeHandle and mounttargetip fields...

6.9CVSS5.7AI score0.00424EPSS
Exploits0References5
Snyk
Snyk
added 2026/04/18 1:7 a.m.4 views

Arbitrary Argument Injection

Overview Affected versions of this package are vulnerable to Arbitrary Argument Injection via unsanitized volumeHandle and mounttargetip fields. An attacker can inject unauthorized mount options by supplying specially crafted values to these fields when creating a PersistentVolume, resulting in...

7.7CVSS5.9AI score0.00424EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/04/17 12:0 a.m.6 views

PT-2026-33485

Name of the Vulnerable Software and Affected Versions AWS EFS CSI Driver versions prior to v3.0.1 Description Improper neutralization of argument delimiters in the volume handling component allows remote authenticated users with PersistentVolume creation permissions to inject arbitrary mount...

6.9CVSS5.9AI score0.00424EPSS
Exploits0References15
Veracode
Veracode
added 2026/04/07 3:26 p.m.7 views

Improper Symlink Handling

kubevirt.io/kubevirt is vulnerable to improper symlink handling. The vulnerability is due to improper validation of symbolic links in PVC disk mounting along with incorrect file ownership changes, which allows an attacker with control over PVC contents to create malicious symlinks and read...

6.5CVSS6AI score0.00475EPSS
Exploits1References5Affected Software1
SUSE CVE
SUSE CVE
added 2026/03/28 12:26 a.m.6 views

SUSE CVE-2026-32771

The CTFer.io Monitoring component is in charge of the collection, process and storage of various signals i.e. logs, metrics and distributed traces. In versions prior to 0.2.2, the sanitizeArchivePath function in pkg/extract/extract.go lines 248-254 is vulnerable to Path Traversal due to a missing...

9.8CVSS5.8AI score0.00655EPSS
Exploits1References3
RedhatCVE
RedhatCVE
added 2026/03/26 3:2 p.m.6 views

CVE-2026-32771

The CTFer.io Monitoring component is in charge of the collection, process and storage of various signals i.e. logs, metrics and distributed traces. In versions prior to 0.2.2, the sanitizeArchivePath function in pkg/extract/extract.go lines 248–254 is vulnerable to Path Traversal due to a missing...

8.8CVSS5.8AI score0.00655EPSS
Exploits1References1
RedHat Linux
RedHat Linux
added 2026/02/26 3:8 p.m.6 views

Important: Red Hat Security Advisory: Red Hat OpenShift API for Data Protection

A new version of OpenShift API for Data Protection OADP is now available. OpenShift API for Data Protection OADP enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage. OADP enables both file system-based and...

8.9CVSS6.6AI score0.02667EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/02/04 12:0 a.m.3 views

PT-2026-6443

Impact A malicious user can manipulate the parameters.pathPattern to create PersistentVolumes in arbitrary locations on the host node, potentially overwriting sensitive files or gaining access to unintended directories. Example: apiVersion: storage.k8s.io/v1 kind: StorageClass metadata:...

9.9CVSS5.7AI score
Exploits0References4
Rows per page
Query Builder