44 matches found
GHSA-W2Q5-6Q6X-X959 vulnerabilities
Vulnerabilities for packages: seaweedfs-rocksdb, kiali-fips, terraform-provider-pagerduty, rabbitmq-messaging-topology-operator, spark-operator-fips, cilium-certgen, kubelet-csr-approver-fips, secrets-store-csi-driver-fips, portieris-fips, metallb-fips, goldilocks-fips, dgraph,...
PT-2026-47556
Impact: The Ironic Standalone Operator (IRSO) is the operator to maintain an Ironic deployment for Metal3. The Prometheus metrics exporter binds to 0.0.0.0 (all network interfaces) by default with no authentication. The default config is disabled. If enabled, this exposes operational metrics to any ho...
CVE-2026-44902
Summary: CVE-2026-44902 affects the OpenTelemetry JS client, specifically the Prometheus exporter in opentelemetry-js prior to 0.217.0. A single malformed HTTP request to the default metrics endpoint (0.0.0.0:9464) has no URL parsing error handling, causing an uncaught TypeError that crashes the ...
CVE-2026-44902 opentelemetry-js: Prometheus exporter process crash via malformed HTTP request
opentelemetry-js is the OpenTelemetry JavaScript Client. Prior to 0.217.0, a single malformed HTTP request crashes any Node.js process running the OpenTelemetry JS Prometheus exporter. The metrics endpoint (default 0.0.0.0:9464) has no error handling around URL parsing, so a request with an invalid...
OpenTelemetry eBPF Instrumentation: Unbounded BPF internal metrics replay can exhaust CPU
Summary: OBI replays BPF probe hits into histogram observations by looping once per recorded run count. On busy systems, the run-count delta can become very large, causing the metrics exporter to spend excessive CPU time in a tight loop every collection interval. Details: The vulnerable loop is in...
PT-2026-41785
Name of the Vulnerable Software and Affected Versions: OpenTelemetry eBPF Instrumentation versions prior to 0.9.0. Description: OpenTelemetry eBPF Instrumentation (OBI) replays BPF probe hits into histogram observations by looping once per recorded run count. On busy systems, the run-count delta can...
PT-2026-39676
Summary: A single malformed HTTP request crashes any Node.js process running the OpenTelemetry JS Prometheus exporter. The metrics endpoint (default 0.0.0.0:9464) has no error handling around URL parsing, so a request with an invalid URI causes an uncaught TypeError that terminates the process. You...
CLEANSTART-2026-DI15427 Security fixes for CVE-2025-61732, CVE-2025-68121, CVE-2026-26958, ghsa-f6x5-jh6r-wrfv, ghsa-j5w8-q4qc-rx2x applied in versions: 0.18.0-r0, 0.19.0-r0
Multiple security vulnerabilities affect the prometheus-mysqld-exporter package. These issues are resolved in later releases. See references for individual vulnerability details...
GHSA-52JH-2XXH-PWH6 vulnerabilities
Vulnerabilities for packages: nats-top, nats, k3s, kine, telegraf...
CVE-2026-26069
Scraparr is a Prometheus Exporter for various components of the arr Suite. From 3.0.0-beta to before 3.0.2, when the Readarr integration was enabled, the exporter exposed the configured Readarr API key as the alias metric label value. Users were affected only if all of the following conditions ar...
GHSA-447V-2QG4-H8HC vulnerabilities
Vulnerabilities for packages: cephcsi-fips, cyberark-secrets-provider-for-k8s-fips, cert-manager-cmctl, petname, dex-k8s-authenticator, spark-operator-fips, secrets-store-csi-driver-provider-aws, cilium-certgen, mods, portieris-fips, pguser, secrets-store-csi-driver, argo-rollouts,...
GHSA-9GCR-GP5F-JW27 vulnerabilities
Vulnerabilities for packages: cephcsi-fips, cyberark-secrets-provider-for-k8s-fips, cert-manager-cmctl, petname, dex-k8s-authenticator, spark-operator-fips, secrets-store-csi-driver-provider-aws, cilium-certgen, mods, portieris-fips, pguser, secrets-store-csi-driver, argo-rollouts,...
[SECURITY] Fedora 43 Update: rust-monitord-exporter-0.4.1-6.fc43
monitord-exporter is a Prometheus exporter using monitord to export statistics to Prometheus collectors...
[SECURITY] Fedora 42 Update: prometheus-podman-exporter-1.19.0-1.fc42
Prometheus exporter for podman environments exposing containers, pods, images, volumes and networks information...
[SECURITY] Fedora 43 Update: prometheus-podman-exporter-1.18.1-1.fc43
Prometheus exporter for podman environments exposing containers, pods, images, volumes and networks information...
[SECURITY] Fedora 41 Update: rust-monitord-exporter-0.4.1-2.fc41
monitord-exporter is a Prometheus exporter using monitord to export statistics to Prometheus collectors...
[SECURITY] Fedora 42 Update: rust-monitord-exporter-0.4.1-5.fc42
monitord-exporter is a Prometheus exporter using monitord to export statistics to Prometheus collectors...
Security update 5.0.5 for Multi-Linux Manager Client Tools, Salt and Salt Bundle
This update fixes the following issues: golang-github-prometheus-nodeexporter: Security issues fixed: CVE-2025-22870: Prevent a matching of hosts against proxy patterns to improperly treat an IPv6 zone ID as a hostname component (bsc1238686). Other bugs fixed: Fixed Darwin memory leak pressure: Fix...