CVE-2026-50136

Budibase prior to version 3.39.3 exposes an unauthenticated endpoint that generates S3 PutObject presigned URLs using credentials stored in a workspace datasource. The /api/attachments/:datasourceId/url route is protected only by recaptcha, allowing a caller with workspace and S3 datasource IDs t...

Budibase: POST /api/attachments/:datasourceId/url is unauthenticated and lets anonymous callers mint S3 PUT pre-signed URLs using stored datasource IAM credentials

Summary The Budibase server route POST /api/attachments/:datasourceId/url packages/server/src/api/routes/static.ts is registered with only the recaptcha middleware. There is no authorized... middleware in the chain. The controller...

Astra Linux – Vulnerability found in Linux 5.10, Linux 6.1, Linux, Linux 5.15

In the Linux kernel, the following vulnerability has been resolved: Drivers: hv: util: Avoid accessing a ringbuffer that is not initialized yet. If the KVP or VSS daemon starts before the VMBus channel’s ringbuffer is fully initialized, we can encounter a panic as follows: hvutils: Registering th...

CVE-2025-10560

The CVE-CWE entry documents a vulnerability in Worksnaps before version 1.6.20260201 where hardcoded cloud credentials and related secret material were embedded in Worksnaps client binaries. The exposed data included AWS access keys and S3 bucket information, and the credentials authenticated as ...

CVE-2026-48768

TypeBot is a chatbot builder tool. In versions 3.16.1 and earlier, POST /api/blocks/file-input/v3/generate-upload-url is unauthenticated and uses unsanitized fileName input to construct public/ S3 object keys, while issuing presigned PUT URLs that do not bind Content-Type. As a result, any...

CVE-2026-46612 Fission StorageSvc /v1/archive endpoint exposes unauthenticated CRUD over all function archives

Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.23.0, the Fission storagesvc component registers archive CRUD handlers /v1/archive GET / POST / DELETE and /v1/archives list directly on...

EUVD-2026-36091

Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.23.0, the Fission storagesvc component registers archive CRUD handlers /v1/archive GET / POST / DELETE and /v1/archives list directly on...

CVE-2026-42336

MaxKB is an open-source AI assistant for enterprise. MaxKB 2.8.0 and prior are vulnerable to a server-side request forgery SSRF bypass in the OSS file service URL fetch functionality due to inconsistent DNS resolution between validation and actual request execution, allowing attackers to access...

CVE-2026-49193 Publicly Readable AWS S3 Telemetry Buckets

Overly permissive configuration settings on cloud storage containers expose active telemetry information publicly to the internet...

PT-2026-43396

Name of the Vulnerable Software and Affected Versions MaxKB versions prior to 2.8.1 Description An issue exists in the OSS file service URL fetch endpoint "chat/api/oss/get url" where inconsistent URL parsing between the urlparse validation function and the requests HTTP client allows for a...

CVE-2026-9291 Insecure Deserialization in Amazon Braket SDK Job Results Processing

Insecure deserialization in the job results processing component in Amazon Braket SDK before 1.117.0 might allow a remote authenticated user with S3 write access to the job output bucket to achieve arbitrary code execution on any machine that processes job results. We recommend you upgrade to...

CVE-2026-9291

Insecure deserialization in the job results processing component in Amazon Braket SDK before 1.117.0 might allow a remote authenticated user with S3 write access to the job output bucket to achieve arbitrary code execution on any machine that processes job results. We recommend you upgrade to...

PT-2026-42823

Name of the Vulnerable Software and Affected Versions Amazon Braket SDK versions prior to 1.117.0 Description Insecure deserialization in the job results processing component may allow a remote authenticated user with S3 write access to the job output bucket to achieve arbitrary code execution on...

Improper Validation of Integrity Check Value

Overview sagemaker is an Open source library for training and deploying models on Amazon SageMaker. Affected versions of this package are vulnerable to Improper Validation of Integrity Check Value in the Triton inference handler. An attacker can execute arbitrary code with the SageMaker execution...

CVE-2026-28733 filemanagement_storage_service has an use after free vulnerability

in OpenHarmony v6.0 and prior versions allow a local attacker arbitrary code execution...

CVE-2026-28733 filemanagement_storage_service has an use after free vulnerability

in OpenHarmony v6.0 and prior versions allow a local attacker arbitrary code execution...

CVE-2026-25850

CVE-2026-25850 concerns OpenHarmony, affecting v6.0 and earlier, where the component filemanagement_storage_service improperly preserves permissions. The result is a local attacker can cause an information leak. The CVSS score is 5.5 (Medium); vectors: Local access, low attack complexity, low pri...

CVE-2026-25850 filemanagement_storage_service has an improper preservation of permissions vulnerability

in OpenHarmony v6.0 and prior versions allow a local attacker cause information leak...

CVE-2026-25850 filemanagement_storage_service has an improper preservation of permissions vulnerability

in OpenHarmony v6.0 and prior versions allow a local attacker cause information leak...

CVE-2026-28751

Technical details about CVE-2026-28751 are not publicly provided in the supplied documents; please monitor for updates.