CVE-2026-46617

Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.23.0, Fission runtime pods were created with ServiceAccountName: fission-fetcher, and the fission-fetcher ServiceAccount was granted...

Malicious code in events-runtime (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector aac4806dc5c887c91db1f2570abcae5b98d62dfae36bea2ddb9e2449efd62eca Package name and description impersonate the popular events package Node's event emitter for all engines. The vendored events.js adds an undocumented...

MAL-2026-5528 Malicious code in events-runtime (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector aac4806dc5c887c91db1f2570abcae5b98d62dfae36bea2ddb9e2449efd62eca Package name and description impersonate the popular events package Node's event emitter for all engines. The vendored events.js adds an undocumented...

CVE-2026-50566 Fission: Environment Runtime.Container and Builder.Container SecurityContext bypass allows privileged pod creation

Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, a tenant with environments.fission.io create/update RBAC can run privileged / allowPrivilegeEscalation / dangerous-capability...

CVE-2026-50566

Fission prior to v1.24.0 is affected: a tenant with environments.fission.io create/update RBAC could run privileged / allowPrivilegeEscalation / dangerous-capability containers in the Fission function or builder namespace, scheduled under the executor’s high-privilege service account. This enable...

CVE-2026-46617 Fission runtime pods automount the fission-fetcher service-account token into the user function container, granting function code namespace-wide secret / configmap read

Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.23.0, Fission runtime pods were created with ServiceAccountName: fission-fetcher, and the fission-fetcher ServiceAccount was granted...

CVE-2026-46617

CVE-2026-46617 (Fission) affects Fission runtimes prior to v1.23.0. The runtime pod was created with ServiceAccountName: fission-fetcher, which had namespace-wide get permissions on secrets and configmaps. The automounted token was accessible inside user function containers at /var/run/secrets/ku...

CVE-2026-49760

Stack-based Buffer Overflow vulnerability in Erlang OTP erlinterface allows Stack-based Buffer Overflow. This vulnerability is associated with program file lib/erlinterface/src/misc/eiprintterm.c and program routine eisprintterm. The C function eisprintterm uses an internal 2000-character stack...

CVE-2026-49759

Stack-based Buffer Overflow vulnerability in Erlang OTP erts inetdrv allows an unauthenticated remote attacker to crash the BEAM VM by sending a crafted SCTP ERROR chunk. The sctpparseerrorchunk function in erts/emulator/drivers/common/inetdrv.c parses SCTP ERROR chunks and writes cause codes int...

CVE-2026-48858 ftp client PASV response IP not validated against control peer, enabling SSRF and FTP bounce attacks

Server-Side Request Forgery SSRF vulnerability in Erlang/OTP ftp ftpinternal module allows FTP bounce attacks and SSRF via an unvalidated PASV response IP address. The ftpinternal:handlectrlresult/2 PASV handler mode=passive, ipfamily=inet, ftpextension=false extracts the IP address from the...

CVE-2026-48858

The CVE-2026-48858 entry describes a Server-Side Request Forgery (SSRF) flaw in Erlang/OTP ftp’s PASV path: the ftp_internal PASV handler accepts the server’s 227 response IP and passes it to gen_tcp:connect without validating it against the control connection peer, unlike EPSV handlers. This ena...

EUVD-2026-36053

Stack-based Buffer Overflow vulnerability in Erlang OTP erts inetdrv allows an unauthenticated remote attacker to crash the BEAM VM by sending a crafted SCTP ERROR chunk. The sctpparseerrorchunk function in erts/emulator/drivers/common/inetdrv.c parses SCTP ERROR chunks and writes cause codes int...

CVE-2026-24349

A vulnerability has been identified in SIMATIC WinCC Unified PC Runtime V16 All versions, SIMATIC WinCC Unified PC Runtime V17 All versions, SIMATIC WinCC Unified PC Runtime V18 All versions, SIMATIC WinCC Unified PC Runtime V19 All versions, SIMATIC WinCC Unified PC Runtime V20 All versions,...

EUVD-2026-35863

Adding fromRouter:true and runtimeConstants.userRoles could cause aggregations to crash mongodb server...

EUVD-2026-35867

The ldapQueryPassword parameter, when set through the runtime setParameter command, will log the new password to the mongod.log file in plain text...

CVE-2026-41856: Spring GraphQL Annotation Detection Vulnerability

The Spring GraphQL annotation detection mechanism for @Controller data fetchers may not correctly resolve annotations on methods within type hierarchies. This can be an issue if such annotations are used for authorization decisions. Spring for GraphQL application are vulnerable when all the...

ALSA-2026:25114 Important: .NET 10.0 security update

.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 10.0.109 and .NET Runtime...

Runtime Skill Audit: Targeted Runtime Probing for Agent Skill Security

Agent skills let LLM agents reuse instructions, resources, tools, and workflows, but they also create a new place for malicious behavior to hide. A skill may look benign in its documentation or code while becoming harmful only when it is invoked with particular user requests, local assets,...

Fission 安全漏洞

Fission is an open-source function deployment framework based on Kubernetes. Versions of Fission prior to 1.23.0 contain security vulnerabilities. These vulnerabilities stem from the runtime Pod using the fission-fetcher ServiceAccount and automatically mounting tokens. User function code can rea...

Important: .NET 10.0 security update

.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 10.0.109 and .NET Runtime...