Lucene search
+L

17 matches found

cve
cve
added last week39 views

CVE-2026-55882

Summary: Tilt (Tilt HUD server) before v0.37.4 exposes Go pprof endpoints under /debug with no access control, allowing unauthenticated network-accessible listeners to read memory and tokens via /debug/pprof/heap and /debug/pprof/goroutine, and potentially degrade performance via /debug/pprof/pro...

8.3CVSS6.2AI score0.00384EPSS
Exploits0References4
osv
osv
added last week4 views

CVE-2026-55882 Tilt: Unauthenticated pprof debug endpoints on the Tilt HUD server

Tilt defines dev environments as code for microservice apps on Kubernetes. From 0.19.5 through 0.37.3, the Tilt HUD server mounts Go net/http/pprof handlers under /debug with no access control. When the HUD or apiserver listener is network-exposed, an unauthenticated caller can read process memor...

8.3CVSS6.2AI score0.00384EPSS
Exploits0References6
nvd
nvd
added 2026/07/02 8:17 p.m.5 views

CVE-2026-59092

JuiceFS through 1.3.1, fixed in commit a46979c, contains an authentication bypass vulnerability that allows unauthenticated remote attackers to access sensitive debug and metrics endpoints by exploiting improper handler registration on the shared http.DefaultServeMux. Attackers can request the...

7.7CVSS0.00266EPSS
Exploits0References4
susecve
susecve
added 2026/06/17 2:22 a.m.6 views

SUSE CVE-2026-23517

Fleet is open source device management software. A broken access control issue in versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 allowed authenticated users to access debug and profiling endpoints regardless of role. As a result, low-privilege users could view internal server...

8.7CVSS5.2AI score0.00246EPSS
Exploits0References3
github
github
added 2026/06/11 5:10 p.m.9 views

Arc: Unauthenticated access to Go debug pprof endpoints leaks runtime state and enables CPU-burn DoS

Summary Arc registers Go's net/http/pprof handlers at /debug/pprof/ via app.Usepprof.New in internal/api/server.go, and /debug/pprof is added to PublicPrefixes in cmd/arc/main.go. The auth middleware short-circuits before the token check on prefix match, so the endpoints are reachable without any...

6.1AI score0.0009EPSS
Exploits0References4Affected Software1
redhatcve
redhatcve
added 2026/06/05 7:18 p.m.11 views

CVE-2026-45044

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, the admin router explicitly whitelists /profile/cpu and /profile/memory from the authentication layer, allowing any unauthenticated HTTP client to invoke profiling handlers without credentials. On supported builds...

8.8CVSS5.5AI score0.0031EPSS
Exploits0References1
nvd
nvd
added 2026/05/28 7:16 p.m.22 views

CVE-2026-45044

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, the admin router explicitly whitelists /profile/cpu and /profile/memory from the authentication layer, allowing any unauthenticated HTTP client to invoke profiling handlers without credentials. On supported builds...

8.8CVSS0.0031EPSS
Exploits0References1
attackerkb
attackerkb
added 2026/05/28 6:31 p.m.12 views

CVE-2026-45044

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, the admin router explicitly whitelists /profile/cpu and /profile/memory from the authentication layer, allowing any unauthenticated HTTP client to invoke profiling handlers without credentials. On supported builds...

8.8CVSS5.8AI score0.0031EPSS
Exploits0References2Affected Software1
euvd
euvd
added 2026/05/28 6:31 p.m.12 views

EUVD-2026-32994

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, the admin router explicitly whitelists /profile/cpu and /profile/memory from the authentication layer, allowing any unauthenticated HTTP client to invoke profiling handlers without credentials. On supported builds...

8.8CVSS5.8AI score0.0031EPSS
Exploits0References1
cve
cve
added 2026/05/28 6:31 p.m.22 views

CVE-2026-45044

RustFS prior to 1.0.0-beta.2 is vulnerable. The admin router’s whitelist of /profile/cpu and /profile/memory from authentication allows any unauthenticated client to invoke profiling handlers. On supported builds (e.g., glibc), the handler runs a fixed 60-second CPU profiling operation, potential...

8.8CVSS5.8AI score0.0031EPSS
Exploits0References1
redhatcve
redhatcve
added 2026/01/22 11:24 p.m.7 views

CVE-2026-23517

Fleet is open source device management software. A broken access control issue in versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 allowed authenticated users to access debug and profiling endpoints regardless of role. As a result, low-privilege users could view internal server...

8.7CVSS5.5AI score0.00246EPSS
Exploits0References1
cvelist
cvelist
added 2026/01/21 9:45 p.m.24 views

CVE-2026-23517 Fleet has an Access Control vulnerability in debug/pprof endpoints

Fleet is open source device management software. A broken access control issue in versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 allowed authenticated users to access debug and profiling endpoints regardless of role. As a result, low-privilege users could view internal server...

8.7CVSS0.00246EPSS
Exploits0References2
euvd
euvd
added 2026/01/21 9:45 p.m.11 views

EUVD-2026-3349

Fleet is open source device management software. A broken access control issue in versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 allowed authenticated users to access debug and profiling endpoints regardless of role. As a result, low-privilege users could view internal server...

8.7CVSS5.5AI score0.00246EPSS
Exploits0References3
vulnrichment
vulnrichment
added 2026/01/21 9:45 p.m.5 views

CVE-2026-23517 Fleet has an Access Control vulnerability in debug/pprof endpoints

Fleet is open source device management software. A broken access control issue in versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 allowed authenticated users to access debug and profiling endpoints regardless of role. As a result, low-privilege users could view internal server...

8.7CVSS5.5AI score0.00246EPSS
Exploits0References2
attackerkb
attackerkb
added 2026/01/21 9:45 p.m.8 views

CVE-2026-23517

Fleet is open source device management software. A broken access control issue in versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 allowed authenticated users to access debug and profiling endpoints regardless of role. As a result, low-privilege users could view internal server...

8.7CVSS5.3AI score0.00246EPSS
Exploits0References3Affected Software1
osv
osv
added 2026/01/20 8:55 p.m.8 views

GHSA-4R5R-CCR6-Q6F6 Fleet has an Access Control vulnerability in debug/pprof endpoints

Summary A broken access control issue in Fleet allowed authenticated users to access debug and profiling endpoints regardless of role. As a result, low-privilege users could view internal server diagnostics and trigger resource-intensive profiling operations. Impact Fleet’s debug/pprof endpoints...

7.1CVSS5.5AI score0.00246EPSS
Exploits0References5
ptsecurity
ptsecurity
added 2021/09/01 12:0 a.m.8 views

PT-2021-6571

Name of the Vulnerable Software and Affected Versions Kubernetes affected versions not specified Description A security issue was discovered in Kubernetes where actors that control the responses of MutatingWebhookConfiguration or ValidatingWebhookConfiguration requests are able to redirect...

4.1CVSS6AI score0.021EPSS
Exploits0References22
Rows per page
Query Builder