7 matches found
CVE-2026-46538
Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO's constellation client tracks pending task responses by sessionid only and does not verify that a TASKEND message came from the device that originally received the task...
PT-2026-45493
Name of the Vulnerable Software and Affected Versions Nezha Monitoring versions 0.20.0 through 2.0.11 Description Authenticated agents can forge service-monitor results for services belonging to other users. The system accepts TaskResult messages from an authenticated agent based solely on whethe...
CVE-2026-46538 Microsoft UFO accepts cross-device TASK_END messages by session_id only, allowing peer task-result injection
Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO's constellation client tracks pending task responses by sessionid only and does not verify that a TASKEND message came from the device that originally received the task...
EUVD-2026-32677
Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO's constellation client tracks pending task responses by sessionid only and does not verify that a TASKEND message came from the device that originally received the task...
CVE-2026-46538
Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO's constellation client tracks pending task responses by sessionid only and does not verify that a TASKEND message came from the device that originally received the task...
PT-2026-44121
Name of the Vulnerable Software and Affected Versions Microsoft UFO version 3.0.1-4-ge2626659 Description The constellation client in this open-source framework for intelligent automation tracks pending task responses using only the session id and fails to verify if a TASK END message originated...
Information Disclosure
ansible is vulnerable to information disclosure. It is possible because .result attribute of an ansible.executor.taskresult.TaskResult is being sent to the callback plugins without obscuring stdout information when using a nolog directive...