Lucene search
+L

53 matches found

nvd
nvd
added 6 days ago7 views

CVE-2026-55882

Tilt defines dev environments as code for microservice apps on Kubernetes. From 0.19.5 through 0.37.3, the Tilt HUD server mounts Go net/http/pprof handlers under /debug with no access control. When the HUD or apiserver listener is network-exposed, an unauthenticated caller can read process memor...

8.3CVSS0.00384EPSS
Exploits0References4
cvelist
cvelist
added 6 days ago30 views

CVE-2026-55882 Tilt: Unauthenticated pprof debug endpoints on the Tilt HUD server

Tilt defines dev environments as code for microservice apps on Kubernetes. From 0.19.5 through 0.37.3, the Tilt HUD server mounts Go net/http/pprof handlers under /debug with no access control. When the HUD or apiserver listener is network-exposed, an unauthenticated caller can read process memor...

8.3CVSS0.00384EPSS
Exploits0References4
cve
cve
added 2026/07/02 7:39 p.m.22 views

CVE-2026-59092

JuiceFS

7.7CVSS5.9AI score0.00266EPSS
Exploits0References4
ptsecurity
ptsecurity
added 2026/07/02 12:0 a.m.12 views

PT-2026-55293

Name of the Vulnerable Software and Affected Versions JuiceFS versions prior to 1.3.2 Description An authentication bypass exists due to improper handler registration on the shared http.DefaultServeMux. This allows unauthenticated remote attackers to access sensitive debug and metrics endpoints...

7.7CVSS6AI score0.00266EPSS
Exploits0References7
osv
osv
added 2026/06/25 10:34 p.m.4 views

GO-2026-5457 Arc: Unauthenticated access to Go debug pprof endpoints leaks runtime state and enables CPU-burn DoS in github.com/basekick-labs/arc

Arc: Unauthenticated access to Go debug pprof endpoints leaks runtime state and enables CPU-burn DoS in github.com/basekick-labs/arc...

5.8AI score0.0009EPSS
Exploits0References3
snyk
snyk
added 2026/06/19 1:52 p.m.4 views

Information Exposure

Overview Affected versions of this package are vulnerable to Information Exposure via the pprof debug endpoints mounted under /debug without access control. An attacker can extract sensitive process memory, including session and apiserver tokens, and degrade server performance by holding the...

8.3CVSS5.8AI score0.00384EPSS
Exploits0References2
osv
osv
added 2026/06/19 1:52 p.m.10 views

GHSA-P749-9W62-W533 Tilt: Unauthenticated pprof debug endpoints on the Tilt HUD server

Summary The Tilt HUD server mounts Go's net/http/pprof handlers under /debug with no access control. When the HUD is network-exposed, an attacker can read process memory — including session and apiserver tokens — and hold the process under profiling. Details A blank import of net/http/pprof...

8.3CVSS6AI score0.00384EPSS
Exploits0References4
ptsecurity
ptsecurity
added 2026/06/19 12:0 a.m.20 views

PT-2026-50978

Name of the Vulnerable Software and Affected Versions Tilt versions 0.19.5 through 0.37.3 Description The Tilt HUD server mounts Go's net/http/pprof handlers under the '/debug' endpoint without access control. When the HUD is network-exposed, an unauthenticated caller can read process memory via...

8.3CVSS6AI score0.00384EPSS
Exploits0References11
snyk
snyk
added 2026/06/11 5:10 p.m.3 views

Missing Authentication for Critical Function

Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function via unauthenticated access to the /debug/pprof endpoints. An attacker can retrieve sensitive runtime information, including in-memory state, call stacks, and authentication cache data, or...

8.8CVSS5.9AI score0.0009EPSS
Exploits0References2
snyk
snyk
added 2026/06/11 5:10 p.m.6 views

Missing Authentication for Critical Function

Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function via unauthenticated access to the /debug/pprof endpoints. An attacker can retrieve sensitive runtime information, including in-memory state, call stacks, and authentication cache data, or...

8.8CVSS5.9AI score0.0009EPSS
Exploits0References2
osv
osv
added 2026/06/11 5:10 p.m.6 views

GHSA-J93G-RP6M-J32M Arc: Unauthenticated access to Go debug pprof endpoints leaks runtime state and enables CPU-burn DoS

Summary Arc registers Go's net/http/pprof handlers at /debug/pprof/ via app.Usepprof.New in internal/api/server.go, and /debug/pprof is added to PublicPrefixes in cmd/arc/main.go. The auth middleware short-circuits before the token check on prefix match, so the endpoints are reachable without any...

8.8CVSS6.1AI score0.0009EPSS
Exploits0References4
ptsecurity
ptsecurity
added 2026/06/11 12:0 a.m.18 views

PT-2026-48807

Name of the Vulnerable Software and Affected Versions Arc versions prior to 26.06.1 Description Arc registers Go net/http/pprof handlers at the /debug/pprof/ endpoint. Due to a configuration where /debug/pprof is added to PublicPrefixes and the authentication middleware short-circuits before toke...

8.8CVSS6AI score0.0009EPSS
Exploits0References6
redhatcve
redhatcve
added 2026/06/05 7:13 p.m.13 views

CVE-2026-40173

Dgraph is an open source distributed GraphQL database. Versions 25.3.1 and prior contain an unauthenticated credential disclosure vulnerability where the /debug/pprof/cmdline endpoint is registered on the default mux and reachable without authentication, exposing the full process command line...

9.4CVSS5.4AI score0.00509EPSS
Exploits1References1
vulncheck_kev
vulncheck_kev
added 2026/05/01 12:0 a.m.23 views

VulnCheck KEV: CVE-2025-60021

Remote command injection vulnerability in heap profiler builtin service in Apache bRPC all versions 1.15.0 on all platforms allows attacker to inject remote command. Root Cause: The bRPC heap profiler built-in service /pprof/heap does not validate the user-provided extraoptions parameter and...

9.8CVSS7.6AI score0.26163EPSS
In wildExploits3References2
snyk
snyk
added 2026/04/15 10:30 p.m.4 views

Information Exposure

Overview Affected versions of this package are vulnerable to Information Exposure via the pprof endpoint. An attacker can obtain sensitive authentication tokens by sending unauthenticated requests to the /debug/pprof/cmdline endpoint and subsequently use the leaked token to gain unauthorized...

9.4CVSS5.5AI score0.00509EPSS
Exploits1References2
snyk
snyk
added 2026/04/15 10:30 p.m.6 views

Information Exposure

Overview Affected versions of this package are vulnerable to Information Exposure via the pprof endpoint. An attacker can obtain sensitive authentication tokens by sending unauthenticated requests to the /debug/pprof/cmdline endpoint and subsequently use the leaked token to gain unauthorized...

9.4CVSS5.8AI score0.00509EPSS
Exploits1References2
snyk
snyk
added 2026/04/15 10:30 p.m.4 views

Information Exposure

Overview Affected versions of this package are vulnerable to Information Exposure via the pprof endpoint. An attacker can obtain sensitive authentication tokens by sending unauthenticated requests to the /debug/pprof/cmdline endpoint and subsequently use the leaked token to gain unauthorized...

9.4CVSS5.8AI score0.00509EPSS
Exploits1References2
snyk
snyk
added 2026/04/15 10:30 p.m.7 views

Information Exposure

Overview Affected versions of this package are vulnerable to Information Exposure via the pprof endpoint. An attacker can obtain sensitive authentication tokens by sending unauthenticated requests to the /debug/pprof/cmdline endpoint and subsequently use the leaked token to gain unauthorized...

9.4CVSS5.5AI score0.00509EPSS
Exploits1References2
snyk
snyk
added 2026/04/15 10:30 p.m.3 views

Information Exposure

Overview Affected versions of this package are vulnerable to Information Exposure via the pprof endpoint. An attacker can obtain sensitive authentication tokens by sending unauthenticated requests to the /debug/pprof/cmdline endpoint and subsequently use the leaked token to gain unauthorized...

9.4CVSS5.5AI score0.00509EPSS
Exploits1References2
vulnrichment
vulnrichment
added 2026/04/15 8:40 p.m.6 views

CVE-2026-40173 Dgraph: Unauthenticated pprof endpoint leaks admin auth token

Dgraph is an open source distributed GraphQL database. Versions 25.3.1 and prior contain an unauthenticated credential disclosure vulnerability where the /debug/pprof/cmdline endpoint is registered on the default mux and reachable without authentication, exposing the full process command line...

9.4CVSS5.8AI score0.00509EPSS
Exploits1References2
Rows per page
Query Builder