Lucene search
K

13 matches found

Cvelist
Cvelist
added 6 days ago30 views

CVE-2026-55882 Tilt: Unauthenticated pprof debug endpoints on the Tilt HUD server

Tilt defines dev environments as code for microservice apps on Kubernetes. From 0.19.5 through 0.37.3, the Tilt HUD server mounts Go net/http/pprof handlers under /debug with no access control. When the HUD or apiserver listener is network-exposed, an unauthenticated caller can read process memor...

8.3CVSS0.00384EPSS
Exploits0References4
CVE
CVE
added 2026/07/02 7:39 p.m.21 views

CVE-2026-59092

JuiceFS

7.7CVSS5.9AI score0.00266EPSS
Exploits0References4
OSV
OSV
added 2026/06/25 10:34 p.m.4 views

GO-2026-5457 Arc: Unauthenticated access to Go debug pprof endpoints leaks runtime state and enables CPU-burn DoS in github.com/basekick-labs/arc

Arc: Unauthenticated access to Go debug pprof endpoints leaks runtime state and enables CPU-burn DoS in github.com/basekick-labs/arc...

5.8AI score0.0009EPSS
Exploits0References3
Snyk
Snyk
added 2026/06/19 1:52 p.m.4 views

Information Exposure

Overview Affected versions of this package are vulnerable to Information Exposure via the pprof debug endpoints mounted under /debug without access control. An attacker can extract sensitive process memory, including session and apiserver tokens, and degrade server performance by holding the...

8.3CVSS5.8AI score0.00384EPSS
Exploits0References2
OSV
OSV
added 2026/06/19 1:52 p.m.10 views

GHSA-P749-9W62-W533 Tilt: Unauthenticated pprof debug endpoints on the Tilt HUD server

Summary The Tilt HUD server mounts Go's net/http/pprof handlers under /debug with no access control. When the HUD is network-exposed, an attacker can read process memory — including session and apiserver tokens — and hold the process under profiling. Details A blank import of net/http/pprof...

8.3CVSS6AI score0.00384EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/19 12:0 a.m.19 views

PT-2026-50978

Name of the Vulnerable Software and Affected Versions Tilt versions 0.19.5 through 0.37.3 Description The Tilt HUD server mounts Go's net/http/pprof handlers under the '/debug' endpoint without access control. When the HUD is network-exposed, an unauthenticated caller can read process memory via...

8.3CVSS6AI score0.00384EPSS
Exploits0References11
Snyk
Snyk
added 2026/06/11 5:10 p.m.6 views

Missing Authentication for Critical Function

Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function via unauthenticated access to the /debug/pprof endpoints. An attacker can retrieve sensitive runtime information, including in-memory state, call stacks, and authentication cache data, or...

8.8CVSS5.9AI score0.0009EPSS
Exploits0References2
OSV
OSV
added 2026/06/11 5:10 p.m.6 views

GHSA-J93G-RP6M-J32M Arc: Unauthenticated access to Go debug pprof endpoints leaks runtime state and enables CPU-burn DoS

Summary Arc registers Go's net/http/pprof handlers at /debug/pprof/ via app.Usepprof.New in internal/api/server.go, and /debug/pprof is added to PublicPrefixes in cmd/arc/main.go. The auth middleware short-circuits before the token check on prefix match, so the endpoints are reachable without any...

8.8CVSS6.1AI score0.0009EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/11 12:0 a.m.18 views

PT-2026-48807

Name of the Vulnerable Software and Affected Versions Arc versions prior to 26.06.1 Description Arc registers Go net/http/pprof handlers at the /debug/pprof/ endpoint. Due to a configuration where /debug/pprof is added to PublicPrefixes and the authentication middleware short-circuits before toke...

8.8CVSS6AI score0.0009EPSS
Exploits0References6
OSV
OSV
added 2026/02/03 8:37 p.m.4 views

GO-2026-4334 Fleet has an Access Control vulnerability in debug/pprof endpoints in github.com/fleetdm/fleet

Fleet has an Access Control vulnerability in debug/pprof endpoints in github.com/fleetdm/fleet...

8.7CVSS5.3AI score0.00246EPSS
Exploits0References2
Packet Storm
Packet Storm
added 2026/01/23 12:0 a.m.182 views

📄 Apache bRPC 1.14.0 Command Injection

Apache bRPC versions 1.14.0 and below proof of concept command injection exploit that leverages exposed pprof endpoints. ============================================================================================================================================= | Title : Apache bRPC = 1.14.0...

9.8CVSS5.5AI score0.26163EPSS
Exploits3
OSV
OSV
added 2026/01/21 9:45 p.m.8 views

CVE-2026-23517 Fleet has an Access Control vulnerability in debug/pprof endpoints

Fleet is open source device management software. A broken access control issue in versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 allowed authenticated users to access debug and profiling endpoints regardless of role. As a result, low-privilege users could view internal server...

8.7CVSS5.6AI score0.00246EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/01/20 8:55 p.m.13 views

Fleet has an Access Control vulnerability in debug/pprof endpoints

Summary A broken access control issue in Fleet allowed authenticated users to access debug and profiling endpoints regardless of role. As a result, low-privilege users could view internal server diagnostics and trigger resource-intensive profiling operations. Impact Fleet’s debug/pprof endpoints...

8.7CVSS5.5AI score0.00246EPSS
Exploits0References5Affected Software2
Rows per page
Query Builder