4 matches found

OSV
added 2026/06/19 1:58 p.m., 5 views

GHSA-C73Q-8XXR-RGQM Tilt: Missing authentication on the network-exposed Tilt HUD server

Summary: The Tilt HUD HTTP server exposes state-changing and sensitive-read endpoints with no authentication. When the HUD is bound to a non-loopback address, a network attacker can trigger the developer's pre-defined Tiltfile resources, tamper with Tiltfile arguments, read full engine state...

CVSS 9.2, AI score 6
Exploits 0, References 4
OSV
added 2026/06/19 1:53 p.m., 7 views

GHSA-6M68-R693-78QX Tilt: Cross-site WebSocket hijacking of the Tilt HUD stream

Summary: The Tilt HUD WebSocket /ws/view is gated by a CSRF token, but the token is served by an unauthenticated endpoint and the upgrader accepts any client that omits an Origin header. When the HUD is network-exposed, an attacker can open the HUD stream and read the developer's session state...

CVSS 8.3, AI score 5.8
Exploits 0, References 4
OSV
added 2026/06/19 1:52 p.m., 6 views

GHSA-P749-9W62-W533 Tilt: Unauthenticated pprof debug endpoints on the Tilt HUD server

Summary: The Tilt HUD server mounts Go's net/http/pprof handlers under /debug with no access control. When the HUD is network-exposed, an attacker can read process memory — including session and apiserver tokens — and hold the process under profiling. Details: A blank import of net/http/pprof...

CVSS 8.3, AI score 6
Exploits 0, References 4
Positive Technologies
added 2026/06/19 12:0 a.m., 17 views

PT-2026-50978

Name of the Vulnerable Software and Affected Versions: Tilt versions 0.19.5 through 0.37.3. Description: The Tilt HUD server mounts Go's net/http/pprof handlers under the '/debug' endpoint without access control. When the HUD is network-exposed, an unauthenticated caller can read process memory via...

CVSS 8.3, AI score 6
Exploits 0, References 6