6 matches found
CVE-2026-53644
CVE-2026-53644 (FOSSBilling) : Versions 0.5.3–0.7.2 allow authenticated clients to read and reset API key service secrets for orders not in an active state due to missing order-state validation in two client API endpoints, despite an isActive() helper existing in the Serviceapikey module. The iss...
EUVD-2026-38809
Apple M1 GPUs retain register file data between compute shader dispatches from different processes. A sandboxed Metal attacker app can run a GPU reader shader that reads stale register values left by a separate sandboxed victim app. In the proof of concept, GPUVictim.app generates a fresh random...
CVE-2026-6389
IBM Turbonomic prometurbo agent 8.16.0 through 8.17.6 IBM Turbonomic Application Resource Management grants excessive cluster‑wide permissions, including unrestricted read access to all secrets. An attacker that compromises the operator or its service account can exfiltrate sensitive credentials,...
PT-2026-36199
Name of the Vulnerable Software and Affected Versions IBM Turbonomic prometurbo agent versions 8.16.0 through 8.17.6 Description IBM Turbonomic Application Resource Management grants excessive cluster-wide permissions, which include unrestricted read access to all secrets. An attacker who...
Improper Privilege Management
Overview Affected versions of this package are vulnerable to Improper Privilege Management via the ClickhouseUser/ServiceUser. An attacker can access sensitive information from other namespaces by supplying a crafted namespace value, causing the operator to read secrets from unauthorized location...
CVE-2025-55196 External Secrets Operator Missing Namespace Restriction in PushSecret and SecretStore List() Calls Allows Unauthorized Secret Access
External Secrets Operator is a Kubernetes operator that integrates external secret management systems. From version 0.15.0 to before 0.19.2, a vulnerability was discovered where the List calls for Kubernetes Secret and SecretStore resources performed by the PushSecret controller did not apply a...