15 matches found

RedhatCVE · added last week

CVE-2026-38743

The authenticated /ui/dags endpoint did not enforce per-DAG access control on embedded Human-in-the-Loop (HITL) and TaskInstance records: a logged-in Airflow user with read access to at least one DAG could retrieve HITL prompts, including their request parameters, and full TaskInstance details for DA...

CVSS 4.3 · AI score 5.4 · EPSS 0.00065
Exploits: 0 · References: 1
OSV · added 2026/04/28 8:39 a.m.

BIT-AIRFLOW-2026-38743 Apache Airflow: Dags endpoint might provide access to otherwise inaccessible entities

The authenticated /ui/dags endpoint did not enforce per-DAG access control on embedded Human-in-the-Loop (HITL) and TaskInstance records: a logged-in Airflow user with read access to at least one DAG could retrieve HITL prompts, including their request parameters, and full TaskInstance details for DA...

CVSS 4.3 · AI score 5.3 · EPSS 0.00065
Exploits: 0 · References: 4
Github Security Blog · added 2026/04/24 3:32 p.m.

Apache Airflow's authenticated /ui/dags endpoint did not enforce per-DAG access control on embedded Human-in-the-Loop (HITL) and TaskInstance record

The authenticated /ui/dags endpoint did not enforce per-DAG access control on embedded Human-in-the-Loop (HITL) and TaskInstance records: a logged-in Airflow user with read access to at least one DAG could retrieve HITL prompts, including their request parameters, and full TaskInstance details for DA...

CVSS 4.3 · AI score 5.8 · EPSS 0.00065
Exploits: 0 · References: 6 · Affected Software: 1
NVD · added 2026/04/24 1:16 p.m.

CVE-2026-38743

The authenticated /ui/dags endpoint did not enforce per-DAG access control on embedded Human-in-the-Loop (HITL) and TaskInstance records: a logged-in Airflow user with read access to at least one DAG could retrieve HITL prompts, including their request parameters, and full TaskInstance details for DA...

CVSS 4.3 · EPSS 0.00065
Exploits: 0 · References: 3
NVD · added 2026/04/24 1:16 p.m.

CVE-2026-40690

The asset dependency graph did not restrict nodes by the viewer's DAG read permissions: a user with read access to at least one DAG could browse the asset graph for any other asset in the deployment and learn the existence and names of DAGs and assets outside their authorized scope. Users are...

CVSS 4.3 · EPSS 0.00087
Exploits: 0 · References: 3
EUVD · added 2026/04/24 12:35 p.m.

EUVD-2026-25419

The asset dependency graph did not restrict nodes by the viewer's DAG read permissions: a user with read access to at least one DAG could browse the asset graph for any other asset in the deployment and learn the existence and names of DAGs and assets outside their authorized scope. Users are...

CVSS 4.3 · AI score 5.2 · EPSS 0.00087
Exploits: 0 · References: 2
Vulnrichment · added 2026/04/24 12:35 p.m.

CVE-2026-40690 Apache Airflow: Assets graph view bypasses DAG level access control displaying unrelated topologies and all DAGs names to unauthorized users

The asset dependency graph did not restrict nodes by the viewer's DAG read permissions: a user with read access to at least one DAG could browse the asset graph for any other asset in the deployment and learn the existence and names of DAGs and assets outside their authorized scope. Users are...

AI score 5.2 · EPSS 0.00087
Exploits: 0 · References: 2
Cvelist · added 2026/04/24 12:35 p.m.

CVE-2026-40690 Apache Airflow: Assets graph view bypasses DAG level access control displaying unrelated topologies and all DAGs names to unauthorized users

The asset dependency graph did not restrict nodes by the viewer's DAG read permissions: a user with read access to at least one DAG could browse the asset graph for any other asset in the deployment and learn the existence and names of DAGs and assets outside their authorized scope. Users are...

EPSS 0.00087
Exploits: 0 · References: 2
Cvelist · added 2026/04/06 4:08 p.m.

CVE-2026-34841 Axios npm Supply Chain Incident Impacting @usebruno/cli

Bruno is an open source IDE for exploring and testing APIs. Prior to 3.2.1, Bruno was affected by a supply chain attack involving compromised versions of the axios npm package, which introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT). Users of @usebruno/cli who ran...

CVSS 9.8 · EPSS 0.00029
Exploits: 0 · References: 4
CVE · added 2026/04/06 4:08 p.m.

CVE-2026-34841

Bruno (open source IDE for APIs) was affected by a supply-chain incident prior to version 3.2.1 involving compromised axios releases that introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT). The affected window was npm install between 00:21 UTC and ~03:30 UTC on 3...

CVSS 9.8 · AI score 5.8 · EPSS 0.00029
Exploits: 0 · References: 4 · Affected Software: 1
Positive Technologies · added 2024/08/25 12:00 a.m.

PT-2024-38842 · Unknown · Continew Admin

Name of the Vulnerable Software and Affected Versions: ContiNew Admin version 3.2.0
Description: A critical vulnerability was found in ContiNew Admin, affecting the function top.continew.starter.extension.crud.controller.BaseControllertree of the file...

CVSS 5.8 · AI score 5.9 · EPSS 0.00087
Exploits: 1 · References: 13
Positive Technologies · added 2023/06/12 12:00 a.m.

PT-2023-11874

Name of the Vulnerable Software and Affected Versions: crypto-js versions prior to 3.2.1
Description: The issue concerns the generation of random numbers in the crypto-js package. Specifically, it concatenates the string "0." with an integer, making the output more predictable than necessary...

CVSS 5.3 · AI score 5.8 · EPSS 0.00876
Exploits: 0 · References: 16
Positive Technologies · added 2023/01/28 12:00 a.m.

PT-2023-12419 · Unknown · Nyuccl Psiturk

Name of the Vulnerable Software and Affected Versions: NYUCCL psiTurk versions up to 3.2.0
Description: A critical issue has been found in NYUCCL psiTurk, affecting unknown code of the file psiturk/experiment.py. The manipulation of the mode argument leads to improper neutralization of special...

CVSS 8.8 · AI score 6 · EPSS 0.00628
Exploits: 0 · References: 14
Positive Technologies · added 2022/03/15 12:00 a.m.

PT-2022-12436 · Nicotine+ · Nicotine+

Name of the Vulnerable Software and Affected Versions: Nicotine+ versions 3.0.3 through 3.2.0
Description: A denial of service (DoS) issue exists, allowing a user with a modified Soulseek client to crash Nicotine+ by sending a file download request with a file path containing a null character. This...

CVSS 7.5 · AI score 7.2 · EPSS 0.00335
Exploits: 1 · References: 10
Positive Technologies · added 2021/11/15 12:00 a.m.

PT-2021-7337

Name of the Vulnerable Software and Affected Versions: date gem versions prior to 3.2.1; date gem versions prior to 3.1.2; date gem versions prior to 3.0.2; date gem versions prior to 2.0.1
Description: The issue is related to a ReDoS (regular expression Denial of Service) vulnerability in the date gem...

CVSS 9.8 · AI score 7.7 · EPSS 0.25071
Exploits: 9 · References: 220