Lucene search
K

60 matches found

RedHat Linux
RedHat Linux
added 2026/07/01 5:33 p.m.5 views

foreman: foreman: Cross-tenant private SSH key disclosure via taxonomy scoping bypass

A flaw was found in foreman. Authenticated users with 'viewkeypairs' permission can bypass taxonomy scoping, allowing them to download private SSH Secure Shell keys from other organizations by directly querying key pair IDs. This vulnerability leads to cross-tenant data exposure in multi-tenant...

6.5CVSS5.7AI score0.00253EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/07/01 12:0 a.m.15 views

PT-2026-54788

Name of the Vulnerable Software and Affected Versions foreman affected versions not specified Description Authenticated users with 'view keypairs' permission can bypass taxonomy scoping, which is a mechanism used to restrict access to resources based on organizational boundaries. This allows them...

6.5CVSS6AI score0.00253EPSS
Exploits0References10
ATTACKERKB
ATTACKERKB
added 2026/06/20 6:27 p.m.9 views

CVE-2026-56346

AVideo through version 25.0 contains an authentication bypass vulnerability in the decryptMessage.json.php endpoint that allows unauthenticated users to decrypt PGP messages. Remote attackers can submit private keys, ciphertext, and passphrases to perform server-side decryption without credential...

6.9CVSS5.9AI score0.00392EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/20 6:27 p.m.11 views

EUVD-2026-38133

AVideo through version 25.0 contains an authentication bypass vulnerability in the decryptMessage.json.php endpoint that allows unauthenticated users to decrypt PGP messages. Remote attackers can submit private keys, ciphertext, and passphrases to perform server-side decryption without credential...

6.9CVSS5.9AI score0.00392EPSS
Exploits0References2
OSV
OSV
added 2026/06/20 6:27 p.m.3 views

CVE-2026-56346 AVideo - Unauthenticated PGP Message Decryption via decryptMessage.json.php Endpoint

AVideo through version 25.0 contains an authentication bypass vulnerability in the decryptMessage.json.php endpoint that allows unauthenticated users to decrypt PGP messages. Remote attackers can submit private keys, ciphertext, and passphrases to perform server-side decryption without credential...

6.9CVSS6AI score0.00392EPSS
Exploits0References4
CNNVD
CNNVD
added 2026/05/27 12:0 a.m.10 views

Budibase 信息泄露漏洞

Budibase is an open-source low-code platform developed by Budibase in the UK. It allows for the creation of internal applications, workflows, and management panels within minutes. Versions of Budibase prior to 3.38.3 contained a vulnerability related to information leakage. This vulnerability...

7.7CVSS5.8AI score0.00223EPSS
Exploits0References2
EUVD
EUVD
added 2026/05/25 9:19 a.m.21 views

EUVD-2026-31661

This vulnerability exists in CP Plus Wi-Fi Camera due to improper protection of sensitive information in runtime memory. An attacker with physical access could exploit this vulnerability by accessing the UART interface and performing memory extraction to obtain sensitive information, including...

5.2CVSS5.8AI score0.00125EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/04/22 4:7 p.m.3 views

CVE-2026-35341

A vulnerability in uutils coreutils mkfifo allows for the unauthorized modification of permissions on existing files. When mkfifo fails to create a FIFO because a file already exists at the target path, it fails to terminate the operation for that path and continues to execute a follow-up...

7.1CVSS5.9AI score0.00165EPSS
Exploits1References2
NVD
NVD
added 2026/04/08 5:21 p.m.7 views

CVE-2026-33461

Incorrect Authorization CWE-863 in Kibana can lead to information disclosure via Privilege Abuse CAPEC-122. A user with limited Fleet privileges can exploit an internal API endpoint to retrieve sensitive configuration data, including private keys and authentication tokens, that should only be...

7.7CVSS0.00282EPSS
Exploits0References1
OSV
OSV
added 2026/04/03 5:24 p.m.3 views

MAL-2026-2482 Malicious code in strapi-plugin-seed (npm)

strapi-plugin-seed is a malicious npm package disguised as a Strapi CMS plugin. On install, it runs a postinstall script that executes an 11-phase attack: stealing .env files, environment variables, Strapi configuration, private keys, Redis data, Docker/Kubernetes secrets, and network topology. I...

6AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/03/24 12:0 a.m.5 views

PT-2026-27624

Name of the Vulnerable Software and Affected Versions GoDoxy versions prior to 0.27.5 Description GoDoxy, a reverse proxy and container orchestrator, contains a path traversal flaw in the file content API endpoint at /api/v1/file/content. The filename query parameter is directly used in...

6.5CVSS5.8AI score0.00502EPSS
Exploits1References6
CNNVD
CNNVD
added 2026/03/23 12:0 a.m.8 views

jsrsasign 安全漏洞

jsrsasign is a signature verification library developed by Kenji Urushima. Versions of jsrsasign from 7.0.0 to 11.1.1 contained security vulnerabilities. These vulnerabilities stemmed from incomplete comparisons in the getRandomBigIntegerZeroToMax and getRandomBigIntegerMinToMax functions located...

9.3CVSS5.8AI score0.00476EPSS
Exploits1References5
Snyk
Snyk
added 2026/03/11 12:37 a.m.4 views

Use of Hard-coded Credentials

Overview Affected versions of this package are vulnerable to Use of Hard-coded Credentials in the JWKS resolver, which can be exposed if a fetch operation fails. An attacker can obtain private keys by forcing such a failure. Note: The keys are exposed even if RequestAuthentication is in use...

8.7CVSS5.8AI score0.00378EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/03/10 9:57 p.m.1 views

CVE-2026-31837 Istio JWKS resolver to prevent private key material from being exposed when JWKS fetch fails.

Istio is an open platform to connect, manage, and secure microservices. Prior to 1.29.1, 1.28.5, and 1.27.8, a user of Istio is impacted if the JWKS resolver becomes unavailable or the fetch fails, exposing hardcoded defaults regardless of use of the RequestAuthentication resource. This...

8.7CVSS5.8AI score0.00378EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/03/07 4:15 p.m.31 views

CVE-2026-29196 Netmaker: Service User with Network Access Can Access config files with WireGuard Private Keys

Netmaker makes networks with WireGuard. Prior to version 1.5.0, a user assigned the platform-user role can retrieve WireGuard private keys of all wireguard configs in a network by calling GET /api/extclients/network or GET /api/nodes/network. While the Netmaker UI restricts visibility, the API...

8.7CVSS0.00252EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/03/07 12:0 a.m.8 views

Gravitl Netmaker 安全漏洞

Gravitl Netmaker is a platform developed by the American company Gravitl, which uses WireGuard to create and manage fast, secure, and dynamic virtual overlay networks. It is used to create and control automated virtual networks. Versions of Gravitl Netmaker prior to 1.5.0 contained security...

8.7CVSS7.3AI score0.00252EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/01/30 9:23 p.m.5 views

CVE-2026-24413

Icinga 2 is an open source monitoring system. Starting in version 2.3.0 and prior to versions 2.13.14, 2.14.8, and 2.15.2, the Icinga 2 MSI did not set appropriate permissions for the %ProgramData%\icinga2\var folder on Windows. This resulted in the its contents - including the private key of the...

6.8CVSS5.9AI score0.00068EPSS
Exploits0References1
NVD
NVD
added 2026/01/29 6:16 p.m.11 views

CVE-2026-24413

Icinga 2 is an open source monitoring system. Starting in version 2.3.0 and prior to versions 2.13.14, 2.14.8, and 2.15.2, the Icinga 2 MSI did not set appropriate permissions for the %ProgramData%\icinga2\var folder on Windows. This resulted in the its contents - including the private key of the...

6.8CVSS0.00068EPSS
Exploits0References3
NVD
NVD
added 2026/01/29 6:16 p.m.8 views

CVE-2026-24414

The Icinga PowerShell Framework provides configuration and check possibilities to ensure integration and monitoring of Windows environments. In versions prior to 1.13.4, 1.12.4, and 1.11.2, permissions of the Icinga for Windows certificate directory grant every user read access, which results in...

6.8CVSS0.00097EPSS
Exploits2References3
ATTACKERKB
ATTACKERKB
added 2026/01/29 5:35 p.m.5 views

CVE-2026-24414

The Icinga PowerShell Framework provides configuration and check possibilities to ensure integration and monitoring of Windows environments. In versions prior to 1.13.4, 1.12.4, and 1.11.2, permissions of the Icinga for Windows certificate directory grant every user read access, which results in...

6.8CVSS5.9AI score0.00097EPSS
Exploits2References4Affected Software1
Rows per page
Query Builder