35125 matches found
CVE-2026-7871
IBM Langflow OSS 1.0.0 through 1.10.0 allows users with Redis access to execute arbitrary code with full application privileges, compromising all secrets, data, and system integrity...
EUVD-2026-40404
IBM Langflow OSS 1.0.0 through 1.9.3 allows an attacker to read every secret available to the Langflow process, read and modify every flow, conversation, message, file upload, and saved component in the Langflow database, can connect to internal services, abuse cloud metadata endpoints, laterally...
CVE-2026-10134 Unauthenticated Server-Side RCE via PythonCodeStructuredTool in Public Flows
IBM Langflow OSS 1.0.0 through 1.9.3 allows an attacker to read every secret available to the Langflow process, read and modify every flow, conversation, message, file upload, and saved component in the Langflow database, can connect to internal services, abuse cloud metadata endpoints, laterally...
CVE-2026-10134
IBM Langflow OSS 1.0.0 through 1.9.3 allows an attacker to read every secret available to the Langflow process, read and modify every flow, conversation, message, file upload, and saved component in the Langflow database, can connect to internal services, abuse cloud metadata endpoints, laterally...
EUVD-2026-40382
IBM Langflow OSS 1.0.0 through 1.10.0 allows users with Redis access to execute arbitrary code with full application privileges, compromising all secrets, data, and system integrity...
CVE-2026-58370 Woodpecker < 3.15.0 - GitLab Approval Gate Bypass via Spoofable Commit Author Name
Woodpecker before 3.15.0 matches the ApprovalAllowedUsers bypass list against pipeline.Author. For the GitLab forge driver, pipeline.Author is populated from the git commit author name commit.author.name carried in the webhook payload, which is attacker-controlled and not verified by GitLab. A us...
Pre-Auth Takeover of Build Pipelines in GoCD
GoCD contains a critical information disclosure vulnerability whose exploitation allows unauthenticated attackers to leak configuration information including build secrets and encryption keys. id: CVE-2021-43287 info: name: Pre-Auth Takeover of Build Pipelines in GoCD author: dhiyaneshDk severity...
Ingress-Nginx Controller - Configuration Injection via Unsanitized `auth-url` Annotation
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the auth-url Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets...
Kubernetes Dashboard <1.10.1 - Authentication Bypass
Kubernetes Dashboard before 1.10.1 allows attackers to bypass authentication and use Dashboard's Service Account for reading secrets within the cluster. id: CVE-2018-18264 info: name: Kubernetes Dashboard 1.10.1 - Authentication Bypass author: edoardottt severity: high description: | Kubernetes...
Linux Distros Unpatched Vulnerability : CVE-2026-11625
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Bytes::Random::Secure versions through 0.29 for Perl share internal state across forked processes. When an object is initialised before forking, or when the...
EUVD-2026-39498
pnpm: Repository config can expand victim environment secrets into registry requests before scripts run...
CVE-2026-55069
Kestra is an open-source, event-driven orchestration platform. Prior to 1.3.24, this vulnerability exists in the BasicAuth authentication component of the Kestra OSS workflow orchestration platform. An attacker who gains read access to the PostgreSQL database can exploit SHA-512's high computatio...
CVE-2026-55069 Kestra BasicAuth Password Stored as SHA-512 Enables Offline Brute-Force Attack
Kestra is an open-source, event-driven orchestration platform. Prior to 1.3.24, this vulnerability exists in the BasicAuth authentication component of the Kestra OSS workflow orchestration platform. An attacker who gains read access to the PostgreSQL database can exploit SHA-512's high computatio...
GHSA-RM3J-F69W-WQMQ vulnerabilities
Vulnerabilities for packages: crossplane-provider-aws-rds, kueue-fips, crossplane-provider-aws-secretsmanager, crossplane-provider-aws-s3-fips, agentbeat-fips, crossplane-provider-azure-storagesync, crossplane-provider-aws-dynamodb, crossplane-provider-aws-route53resolver,...
GHSA-Q4H4-GMJ2-QVW2 vulnerabilities
Vulnerabilities for packages: crossplane-provider-aws-rds, kueue-fips, crossplane-provider-aws-secretsmanager, crossplane-provider-aws-s3-fips, agentbeat-fips, crossplane-provider-azure-storagesync, crossplane-provider-aws-dynamodb, crossplane-provider-aws-route53resolver,...
GHSA-45GG-VH54-H5M9 vulnerabilities
Vulnerabilities for packages: kine, zot, istio, tekton-pipelines, gitlab-kas, argo-workflows-fips, frankenphp-8.5, trivy-operator, rancher-agent, trivy-fips, seaweedfs-rocksdb, kyverno-fips, seaweedfs-rocksdb-fips, zarf, frankenphp-8.4, containerd, skaffold-fips, coder, backup-restore-operator,...
GHSA-W879-237Q-WC7R vulnerabilities
Vulnerabilities for packages: gomplate, chisel, k8sgpt, argo-events, k9s, mods, guac, nerdctl, podman, cilium-cli, falcoctl, osv-scanner, act, crossplane-provider-azure-storage, eksctl, docker-cli-buildx, pulumi-kubernetes-operator, cloud-provider-aws, kubescape, flux-source-controller,...
GHSA-RM3J-F69W-WQMQ vulnerabilities
Vulnerabilities for packages: gomplate, chisel, k8sgpt, argo-events, k9s, sealed-secrets, mods, guac, crossplane-provider-aws-firehose, nerdctl, podman, cilium-cli, falcoctl, osv-scanner, act, crossplane-provider-azure-storage, eksctl, docker-cli-buildx, pulumi-kubernetes-operator,...
GHSA-F5WC-C3C7-36MC vulnerabilities
Vulnerabilities for packages: gomplate, k9s, argo-events, guac, nerdctl, podman, cilium-cli, osv-scanner, act, docker-cli-buildx, pulumi-kubernetes-operator, cloud-provider-aws, kubescape, flux-source-controller, prometheus-operator, external-secrets-operator, scorecard, kubernetes,...
CVE-2026-11702
Bytes::Random::Secure::Tiny versions through 1.011 for Perl share internal state across forked processes. When an object is initialised before forking, then the internal state for the PRNG is shared across processes and identical random streams will be produced. Secrets generated in multiprocess...