Kargo Vulnerable to SSRF in Promotion http/http-download Steps Enables Internal Network Access and Data Exfiltration
Summary Kargo's built-in http and http-download promotion steps execute outbound HTTP requests from the Kargo controller. By design, these steps do not restrict destination addresses, as there are legitimate use cases for requests to internal and private endpoints. However, this also permits...
PT-2026-26462
Name of the Vulnerable Software and Affected Versions
Kargo versions 1.4.0 through 1.6.3
Kargo versions 1.7.0-rc.1 through 1.7.8
Kargo versions 1.8.0-rc.1 through 1.8.11
Kargo versions 1.9.0-rc.1 through 1.9.4
Description Kargo's built-in http and http-download promotion steps allow Server-Side...
EUVD-2025-114330
Malicious code in dotenv-safe-transport-corvus-hydra npm...
EUVD-2025-114331
Malicious code in dotenv-safe-transport-aether-miranda npm...
MAL-2025-141779 Malicious code in dotenv-safe-transport-corvus-hydra (npm)
Source: amazon-inspector 5d833eb99411857bbedad036c317ede897b63d5919e73e692817feacf64b3549 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...