1255 matches found
Nezha's authenticated agents can forge service-monitor results for other users' services
Summary Nezha accepts service-monitor TaskResult messages from an authenticated agent based only on whether the reported service ID exists. The dashboard authenticates the agent and derives the reporter server ID from the gRPC stream, but the service-monitor result worker does not verify that the...
PT-2026-45493
Summary Nezha accepts service-monitor TaskResult messages from an authenticated agent based only on whether the reported service ID exists. The dashboard authenticates the agent and derives the reporter server ID from the gRPC stream, but the service-monitor result worker does not verify that the...
GHSA-7J6W-VVW2-5F9C OpenBao's Kerberos Auth Method Accumulates Unaccessible Tokens
Impact In OpenBao's Kerberos auth method on the GET handler, or when an Authorization: Negotiate header is supplied, the response is includes a logical.Auth object in addition to an error message. This results in tokens being created with only the default policy, default TTL, and no entity...
Malicious code in nemo-reporter (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 42a43ec0a345170ad191fa1c25bdd4000595aa8ce733c6b9c69de6b65a1defb2 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2026-4836 Malicious code in nemo-reporter (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 42a43ec0a345170ad191fa1c25bdd4000595aa8ce733c6b9c69de6b65a1defb2 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
SUSE CVE-2026-45907
In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix deadlocks between devlink and netdev instance locks In the mentioned "Fixes" commit, various work tasks triggering devlink health reporter recovery were switched to use netdevtrylock to protect against concurrent...
PT-2026-42562
Name of the Vulnerable Software and Affected Versions Concrete CMS versions prior to 9.5.1 Description Unauthenticated users can access page metadata on any page that has a configured summary template. This allows for the disclosure of private, draft, and restricted pages, leaking information suc...
CLEANSTART-2026-GB46352 Security fixes for CVE-2025-0913, CVE-2025-4673, CVE-2025-47907, CVE-2026-25679, CVE-2026-26958, CVE-2026-27139, CVE-2026-27141, CVE-2026-27142, CVE-2026-32280, CVE-2026-32281, CVE-2026-32282, CVE-2026-32283, CVE-2026-32289, CVE-2026-33186, CVE-2026-33810, CVE-2026-34986, CVE-2026-39883, ghsa-2464-8j7c-4cjm, ghsa-78h2-9frx-2jm8, ghsa-fw7p-63qq-7hpr, ghsa-hfvc-g4fc-pqhx, ghsa-p77j-4mvh-x3m3, ghsa-xmrv-pmrh-hhx2 applied in versions: 3.3.2-r0, 3.5.0-r0, 3.7.2-r0, 3.7.3-r0, 3.7.3-r1, 3.7.3-r2, 3.7.4-r0
Multiple security vulnerabilities affect the kyverno-policy-reporter-fips package. These issues are resolved in later releases. See references for individual vulnerability details...
GHSA-GXHX-2686-5H9G vulnerabilities
Vulnerabilities for packages: kyverno-policy-reporter, goreleaser, argo-rollouts, bento, argo-events, atlantis, argo-cd, kubewatch, kubernetes-event-exporter...
CVE-2026-44245
CVE-2026-44245 affects Kyverno’s policy-reporter-ui where the PropertyCard.vue component uses Vue.js v-html to render non-URL strings, bypassing escaping and allowing stored HTML payloads from Kubernetes PolicyReport.results[].properties to flow into the DOM. The isURL() guard only filters http/h...
CVE-2026-44245 Kyverno: [policy-reporter-ui] XSS via Stored Property Values in PropertyCard Component
Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to 2.5.2, Vue 3's v-html directive is the framework-documented mechanism for injecting raw HTML, and it intentionally disables the auto-escaping that interpolation provides. The PropertyCard.vue component uses...
GHSA-M5P4-GVPX-4MVR GuardDog: Unsanitized human-readable scan output allows terminal escape injection from malicious package content
Summary GuardDog includes attacker-controlled filenames, file locations, messages, and code snippets in its default human-readable output without escaping terminal control characters. A malicious package can therefore inject ANSI or OSC escape sequences into analyst terminals or CI logs...
About the security content of macOS Sequoia 15.7.7
About the security content of macOS Sequoia 15.7.7 This document describes the security content of macOS Sequoia 15.7.7. About Apple security updates For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or...
GHSA-PMWQ-PJRM-6P5R vulnerabilities
Vulnerabilities for packages: flux-source-controller-fips, zot, trivy-fips, skaffold, docker-compose, gh, ko, kyverno-policy-reporter-plugins-kyverno, falcoctl, kyverno-fips, docker-cli-buildx, gitlab-runner, kubescape-server-fips, tekton-chains-fips, dagger, cg, reports-server, goreleaser, ratif...
Kyverno policy-reporter-ui has XSS via Stored Property Values in PropertyCard Component
Summary Vue 3's v-html directive is the framework-documented mechanism for injecting raw HTML, and it intentionally disables the auto-escaping that interpolation provides. The PropertyCard.vue component uses v-html for the else branch of the URL check, meaning any non-URL string value flows...
CVE-2026-40557
Improper Certificate Validation via Global SSL Context Downgrade in Apache Storm Prometheus Reporter Versions Affected: from 2.6.3 to 2.8.6 Description: In production deployments where an administrator enables storm.daemon.metrics.reporter.plugin.prometheus.skiptlsvalidation by default it is...
GHSA-82FM-WPC2-5PMP Apache Storm Prometheus Reporter vulnerable to Improper Certificate Validation via Global SSL Context Downgrade
Improper Certificate Validation via Global SSL Context Downgrade in Apache Storm Prometheus Reporter Versions Affected: from 2.6.3 to 2.8.6 Description: In production deployments where an administrator enables storm.daemon.metrics.reporter.plugin.prometheus.skiptlsvalidation by default it is...
Apache Storm Prometheus Reporter vulnerable to Improper Certificate Validation via Global SSL Context Downgrade
Improper Certificate Validation via Global SSL Context Downgrade in Apache Storm Prometheus Reporter Versions Affected: from 2.6.3 to 2.8.6 Description: In production deployments where an administrator enables storm.daemon.metrics.reporter.plugin.prometheus.skiptlsvalidation by default it is...
CVE-2026-40557
Improper Certificate Validation via Global SSL Context Downgrade in Apache Storm Prometheus Reporter Versions Affected: from 2.6.3 to 2.8.6 Description: In production deployments where an administrator enables storm.daemon.metrics.reporter.plugin.prometheus.skiptlsvalidation by default it is...
CVE-2026-40557 Apache Storm Prometheus Reporter: Disabling TLS verification for Prometheus Reporter also disables it for all other connections
Improper Certificate Validation via Global SSL Context Downgrade in Apache Storm Prometheus Reporter Versions Affected: from 2.6.3 to 2.8.6 Description: In production deployments where an administrator enables storm.daemon.metrics.reporter.plugin.prometheus.skiptlsvalidation by default it is...