8 matches found

Vulnrichment
added 2026/05/12 7:30 p.m. | 1 views

CVE-2026-42889 Relay Server WebSocket authentication bypass when token is omitted

Relay adds real-time collaboration to Obsidian. Relay Server versions 0.9.0 through 0.9.6 contain an authentication bypass in the multi-document WebSocket endpoints. When authentication is configured, WebSocket connections without a token query parameter were incorrectly treated as having full...

CVSS 9.1 | AI score 5.8 | EPSS 0.00051
Exploits: 0 | References: 1
OSV
added 2026/04/21 6:52 p.m. | 2 views

GHSA-WJXP-XRPV-XPFF Tekton Pipelines: Git resolver API mode leaks system-configured API token to user-controlled serverURL

Summary: The Tekton Pipelines git resolver in API mode sends the system-configured Git API token to a user-controlled serverURL when the user omits the token parameter. A tenant with TaskRun or PipelineRun create permission can exfiltrate the shared API token (GitHub PAT, GitLab token, etc.) by...

CVSS 7.7 | AI score 5.8 | EPSS 0.00037
Exploits: 0 | References: 5
Github Security Blog
added 2026/04/21 6:52 p.m. | 6 views

Tekton Pipelines: Git resolver API mode leaks system-configured API token to user-controlled serverURL

Summary: The Tekton Pipelines git resolver in API mode sends the system-configured Git API token to a user-controlled serverURL when the user omits the token parameter. A tenant with TaskRun or PipelineRun create permission can exfiltrate the shared API token (GitHub PAT, GitLab token, etc.) by...

CVSS 7.7 | AI score 5.8 | EPSS 0.00037
Exploits: 0 | References: 5 | Affected Software: 1
NVD
added 2026/04/21 5:16 p.m. | 1 views

CVE-2026-40161

Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 1.0.0 and prior to versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1, the Tekton Pipelines git resolver in API mode sends the system-configured Git API token to a user-controlled serverURL...

CVSS 7.7 | EPSS 0.00037
Exploits: 0 | References: 3
Vulnrichment
added 2026/04/21 4:26 p.m. | 1 views

CVE-2026-40161 Tekton Pipelines: Git resolver API mode leaks system-configured API token to user-controlled serverURL

Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 1.0.0 and prior to versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1, the Tekton Pipelines git resolver in API mode sends the system-configured Git API token to a user-controlled serverURL...

CVSS 7.7 | AI score 5.8 | EPSS 0.00037
Exploits: 0 | References: 3
OSV
added 2021/03/10 6:15 p.m. | 2 views

CVE-2020-35223

The CSRF protection mechanism implemented in the web administration panel on NETGEAR JGS516PE/GS116Ev2 v2.6.0.43 devices could be bypassed by omitting the CSRF token parameter in HTTP requests...

CVSS 8.8 | AI score 7.3 | EPSS 0.00142
Exploits: 0 | References: 1
CNNVD
added 2021/03/10 12:0 a.m. | 3 views

Netgear NETGEAR JGS516PE Cross-Site Request Forgery Vulnerability

The Netgear NETGEAR JGS516PE is a switch from Netgear, Inc. The NETGEAR JGS516PE/GS116Ev2 v2.6.0.43 suffers from a cross-site request forgery vulnerability that stems from a CSRF protection mechanism implemented in the web management panel that can be bypassed by omitting the CSRF token parameter...

CVSS 8.8 | AI score 7.7 | EPSS 0.00142
Exploits: 0 | References: 2
CNVD
added 2019/11/22 12:0 a.m. | 1 views

Pagekit CMS Cross-Site Request Forgery Vulnerability

Pagekit CMS is a modern lightweight open source CMS. Pagekit CMS suffers from a cross-site request forgery vulnerability that can be exploited by an attacker to upload arbitrary files by removing a CSRF token from the request...

CVSS 8.8 | AI score 7.2 | EPSS 0.00178
Exploits: 2 | References: 1