32 matches found
CVE-2026-44543
Local Path Provisioner provides a way for Kubernetes users to utilize the local storage in each node. Prior to 0.0.36, a malicious user with permission to edit the local-path-config ConfigMap in the local-path-storage namespace can manipulate the helperPod.yaml template used by...
Exploit for OS Command Injection in Kubeai
CVE-2026-34940 — OS Command Injection in KubeAI via Model URL...
EUVD-2025-206337
A flaw was found in KubeVirt Containerized Data Importer CDI. This vulnerability allows a user to clone PersistentVolumeClaims PVCs from unauthorized namespaces, resulting in unauthorized access to data via the DataImportCron PVC source mechanism...
CVE-2025-14459
A flaw was found in KubeVirt Containerized Data Importer CDI. This vulnerability allows a user to clone PersistentVolumeClaims PVCs from unauthorized namespaces, resulting in unauthorized access to data via the DataImportCron PVC source mechanism...
Red Hat OpenShift Virtualization 4 security vulnerability
Red Hat OpenShift Virtualization 4 is a virtual machine management component from Red Hat USA. A security vulnerability exists in Red Hat OpenShift Virtualization 4 that originates from unauthorized PVC cloning...
AZL-69958 CVE-2025-64433 affecting package kubevirt for versions less than 0.59.0-33
KubeVirt is a virtual machine management add-on for Kubernetes. Prior to 1.5.3 and 1.6.1, a vulnerability was discovered that allows a VM to read arbitrary files from the virt-launcher pod's file system. This issue stems from improper symlink handling when mounting PVC disks into a VM...
CVE-2025-64433
CVE-2025-64433 affects KubeVirt prior to 1.5.3 and 1.6.1, enabling a VM to read arbitrary files from the virt-launcher pod filesystem via improper symlink handling when mounting PVCs. The issue arises when a malicious user controls PVC contents and can create a symlink to a file in the virt-launc...
CVE-2025-47906 vulnerabilities
Vulnerabilities for packages: vexctl, vault-benchmark, grafana-operator, docker-credential-ecr-login, cloud-provider-aws, bank-vaults, secrets-store-csi-driver-provider-aws, k8sgpt-operator, newrelic-fluent-bit-output, custom-pod-autoscaler-operator, kserve-rest-proxy, checksec,...
GHSA-GWRF-JF3H-W649 vulnerabilities
Vulnerabilities for packages: vexctl, vault-benchmark, grafana-operator, docker-credential-ecr-login, cloud-provider-aws, bank-vaults, secrets-store-csi-driver-provider-aws, k8sgpt-operator, newrelic-fluent-bit-output, custom-pod-autoscaler-operator, kserve-rest-proxy, checksec,...
GHSA-GWRF-JF3H-W649 vulnerabilities
Vulnerabilities for packages: azurefile-csi-fips, shfmt, openbao-k8s-fips, rancher-machine, checksec, prometheus-nats-exporter, newrelic-nri-statsd, kube-vip, prometheus-bind-exporter, apm-server-fips, cloud-provider-aws, azuredisk-csi-fips, gitlab-runner, stakater-reloader, knative-eventing,...
CVE-2016-15040
The Kento Post View Counter plugin for WordPress is vulnerable to SQL Injection via the 'kentopvcgeo' parameter in versions up to, and including, 2.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible fo...
PVC Export Fails Due to Timeout
Challenge The export action will fail if Veeam Kasten for Kubernetes takes more than 45 minutes to complete the job. Checking the export action details, the message below is the clue where Veeam Kasten for Kubernetes hits the timeout for the operation waitWithBackoffwithRetries with the duration...
SUSE CVE-2020-8569
Kubernetes CSI snapshot-controller prior to v2.1.3 and v3.0.2 could panic when processing a VolumeSnapshot custom resource when: - The VolumeSnapshot referenced a non-existing PersistentVolumeClaim and the VolumeSnapshot did not reference any VolumeSnapshotClass. - The snapshot-controller crashes...
pvc-zagorje-plast.hr Cross Site Scripting vulnerability OBB-3906717
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...
Page View Count < 2.6.1 - Contributor+ Stored XSS
The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. Exploit Additional CSS classes for "Page Views"...
Page View Count < 2.6.1 - Contributor+ Stored XSS
The plugin does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC Exploit Additional CSS classes for "Page Views"...
KubeVirt vulnerable to arbitrary file read on host
Impact Users with the permission to create VMIs can construct VMI specs which allow them to read arbitrary files on the host. There are three main attack vectors: 1. Some path fields on the VMI spec were not properly validated and allowed passing in relative paths which would have been mounted in...
pvc-stolarija.com Cross Site Scripting vulnerability OBB-2756055
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...
CVE-2021-24509
The Page View Count WordPress plugin before 2.4.9 does not escape the postid parameter of pvcstats shortcode, allowing users with a role as low as Contributor to perform Stored XSS attacks. A post made by a contributor would still have to be approved by an admin to have the XSS triggered in the...
der-pvc-planen-spezialist.de Cross Site Scripting vulnerability OBB-1427691
Following coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence...