6 matches found
PYSEC-0000-CVE-2026-42360
A bug in Apache Airflow's rendered-template field handling caused nested sensitive-key masking (e.g. nested password / token / secret / apikey keys inside a JSON template structure) to be bypassed when the rendered field exceeded [core] max_templated_field_length: Airflow stringified the structure befor...
Apache Airflow security vulnerabilities
Apache Airflow is an open-source platform developed by the Apache Foundation in the United States. It allows for the creation, management, and monitoring of workflows. This platform features scalability and dynamic monitoring capabilities. Prior to Apache Airflow 3.2.2, there were security...
CVE-2026-28697
Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, an authenticated administrator can achieve Remote Code Execution (RCE) by injecting a Server-Side Template Injection (SSTI) payload into Twig template fields (e.g., Email Templates). By calling the craft.app.fs.write...
PYSEC-2026-9
In Apache Airflow versions before 3.1.6, when rendered template fields in a Dag exceed [core] max_templated_field_length, sensitive values could be exposed in cleartext in the Rendered Templates UI. This occurred because serialization of those fields used a secrets masker instance that did not include...
Cross-site Scripting (XSS)
Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the dataOptionmessage, dataOptionsubject, and dataOptiontemplatetype parameters in /apprain/information/manage/emailtemplate/add. An attacker can execute arbitrary JavaScript code in the context of a user's...
AWS data.all code injection vulnerability
AWS data.all is an open-source development framework from awslabs. AWS data.all versions 1.2.0 through 1.5.1 contain a code injection vulnerability that allows an authenticated attacker to inject Python commands into Template fields wh...