GHSA-JJRM-HR5F-673X Source controller: Improper path handling allows traversal
Impact An actor with the ability to influence the contents of a bucket referenced by a Bucket resource can cause source-controller to write fetched object data to paths outside the per-reconciliation working directory. The corruption surface is bounded by source-controller's own and downstream Fl...
PT-2026-47088
Name of the Vulnerable Software and Affected Versions source-controller versions prior to 1.8.5 Description Improper path handling allows for path traversal in two scenarios. First, an actor capable of influencing the contents of a bucket referenced by a Bucket resource can force the...
FlexRIC Security Vulnerability
FlexRIC is an open-source RAN intelligent controller developed by Mosaic5G. The FlexRIC v2.0.0 version contains a security vulnerability. This vulnerability arises from trusting the xappid field in the trust E42 message without binding it to the sender’s SCTP association. As a result, remote...
GHSA-389R-GV7P-R3RP vulnerabilities
Vulnerabilities for packages: trivy, argo-cd, cerbos, rancher-fleet, pulumi-language-yaml, xeol, grype, syft, trufflehog, kubescape, grafana-alloy, zot, zarf, gitsign, act, gitea, kargo, kubevela, grafana, pulumi, snyk-cli, k9s, gitlab-runner, witness, pulumi-language-java, gomplate,...
CVE-2026-45022 vulnerabilities
Vulnerabilities for packages: chainctl-fips, rancher-fleet-fips, gitlab-runner, flux-fips, argocd-image-updater, chainctl, gptscript, mapotf, grype, kargo, pulumi-language-dotnet, osv-scanner, skaffold-fips, kubescape-server-fips, gitlab-rails-ce-fips, steampipe, cerbos, trivy-operator,...
GHSA-PMWQ-PJRM-6P5R vulnerabilities
Vulnerabilities for packages: trivy, aactl, docker, rekor, falcoctl, zot, zarf, gitsign, ko, neuvector-sigstore-interface, gitlab-runner, tflint, guac, gh, tkn, trivy-operator, docker-compose, spire-server, buildkitd, policy-controller, kyverno-notation-aws, skaffold, tekton-chains, kyverno,...
GHSA-PMWQ-PJRM-6P5R vulnerabilities
Vulnerabilities for packages: chainctl-fips, gitlab-runner, chainctl, tflint, tkn-fips, ko, skaffold-fips, kubescape-server-fips, docker-cli-buildx-fips, cosign, trivy-operator, kubescape-server, goreleaser, jfrog-cli, image-factory-fips, falcoctl-fips, image-factory, tkn, buildkitd, livekit-cli,...
GHSA-XM5M-WGH2-RRG3 vulnerabilities
Vulnerabilities for packages: trivy, aactl, docker, sigstore-scaffolding, falcoctl, zot, zarf, gitsign, ko, neuvector-sigstore-interface, tflint, witness, gh, tkn, trivy-operator, spire-server, buildkitd, policy-controller, kyverno-notation-aws, skaffold, tekton-chains, kyverno, vexctl, gorelease...
CVE-2026-39984 vulnerabilities
Vulnerabilities for packages: trivy, aactl, docker, sigstore-scaffolding, falcoctl, zot, zarf, gitsign, ko, neuvector-sigstore-interface, tflint, witness, gh, tkn, trivy-operator, spire-server, buildkitd, policy-controller, kyverno-notation-aws, skaffold, tekton-chains, kyverno, vexctl, gorelease...
GHSA-FV83-X2XW-2J55 vulnerabilities
Vulnerabilities for packages: nodetaint, pluto, flux-operator, envoy-ratelimit, smarter-device-manager, nova, grafana-operator, supercronic, karpenter, flux-notification-controller, grafana-rollout-operator, dataplaneapi, metacontroller, victoriametrics, flux-image-reflector-controller,...
GHSA-7MR4-XJXG-34G6 vulnerabilities
Vulnerabilities for packages: rancher-machine, crossplane-provider-keycloak, kubernetes-dashboard-api, crossplane-provider-azure-authorization, wal-g, terraform-provider-sendgrid, terraform-provider-tls, apisix-ingress-controller, dex, prometheus-operator, pulumi-language-yaml,...
CVE-2025-58181 vulnerabilities
Vulnerabilities for packages: rancher-machine, docker, kapp-controller, apisix-ingress-controller, dex, crossplane-provider-aws-iam, grafana-operator, gcsfuse, gitsign, sftpgo-plugin-pubsub, cluster-api-gcp-controller, dbmate, amass, metrics-server, promxy, crossplane-provider-aws-kms, tailscale,...
GHSA-F6X5-JH6R-WRFV vulnerabilities
Vulnerabilities for packages: rancher-machine, docker, kapp-controller, apisix-ingress-controller, dex, crossplane-provider-aws-iam, grafana-operator, gcsfuse, gitsign, sftpgo-plugin-pubsub, cluster-api-gcp-controller, dbmate, amass, metrics-server, promxy, crossplane-provider-aws-kms,...
GHSA-J5W8-Q4QC-RX2X vulnerabilities
Vulnerabilities for packages: rancher-machine, docker, kapp-controller, apisix-ingress-controller, dex, crossplane-provider-aws-iam, grafana-operator, gcsfuse, gitsign, sftpgo-plugin-pubsub, cluster-api-gcp-controller, dbmate, amass, metrics-server, promxy, crossplane-provider-aws-kms, tailscale,...
CVE-2025-47914 vulnerabilities
Vulnerabilities for packages: rancher-machine, docker, kapp-controller, apisix-ingress-controller, dex, crossplane-provider-aws-iam, grafana-operator, gcsfuse, gitsign, sftpgo-plugin-pubsub, cluster-api-gcp-controller, dbmate, amass, metrics-server, promxy, crossplane-provider-aws-kms,...
CVE-2025-9148 CodePhiliaX Chat2DB JDBC Connection DataSourceController.java sql injection
A vulnerability was found in CodePhiliaX Chat2DB up to 0.3.7. This affects an unknown function of the file ai/chat2db/server/web/api/controller/data/source/DataSourceController.java of the component JDBC Connection Handler. The manipulation results in SQL injection. The attack can be executed...
PT-2025-33817 · Unknown · Codephiliax Chat2Db
Name of the Vulnerable Software and Affected Versions: CodePhiliaX Chat2DB versions through 0.3.7 Description: A SQL injection issue exists in the JDBC Connection Handler component of CodePhiliaX Chat2DB. The issue affects an unknown function within the...
GHSA-J5PM-7495-QMR3 vulnerabilities
Vulnerabilities for packages: prometheus-mysqld-exporter-fips, gitlab-runner, kube-logging-operator-custom-runner, kubo, argocd-image-updater, nri-mysql, verticadb-operator, pombump, karma, kaf, prometheus-postgres-exporter, grpc-health-probe, spicedb, falco-exporter-fips, otel-cli, helm-operator...
CVE-2024-31216
The source-controller is a Kubernetes operator, specialised in artifacts acquisition from external sources such as Git, OCI, Helm repositories and S3-compatible buckets. The source-controller implements the source.toolkit.fluxcd.io API and is a core component of the GitOps toolkit. Prior to versi...