CVE-2026-42853 @apostrophecms/cli: Command Injection in apos create via Unsanitized Password Input

ApostropheCMS is an open-source Node.js content management system. Versions of the @apostrophecms/cli package up to and including 3.6.0 contain a command injection vulnerability in the apos create command. User-supplied input from the password prompt is embedded directly into a shell command...

CVE-2026-42853

Vulnerability: CVE-2026-42853 affects ApostropheCMS CLI (@apostrophecms/cli) versions up to 3.6.0. Description: command injection in the apos create flow caused by embedding unsanitized password-prompt input directly into a shell command, enabling arbitrary command execution on the host. Root cau...

CVE-2026-46519

mcp-server-kubernetes is a Model Context Protocol server for Kubernetes cluster management. Prior to version 3.6.0, mcp-server-kubernetes exposes three environment variables ALLOWONLYREADONLYTOOLS, ALLOWONLYNONDESTRUCTIVETOOLS, ALLOWEDTOOLS documented as access controls for restricting which...

EUVD-2026-36286

mcp-server-kubernetes is a Model Context Protocol server for Kubernetes cluster management. Prior to version 3.6.0, mcp-server-kubernetes exposes three environment variables ALLOWONLYREADONLYTOOLS, ALLOWONLYNONDESTRUCTIVETOOLS, ALLOWEDTOOLS documented as access controls for restricting which...

CVE-2026-46519 mcp-server-kubernetes Affected By Tool Access Control Bypass: Presentation-Layer Filtering Without Execution-Layer Enforcement

mcp-server-kubernetes is a Model Context Protocol server for Kubernetes cluster management. Prior to version 3.6.0, mcp-server-kubernetes exposes three environment variables ALLOWONLYREADONLYTOOLS, ALLOWONLYNONDESTRUCTIVETOOLS, ALLOWEDTOOLS documented as access controls for restricting which...

CVE-2025-1794

The AM LottiePlayer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via uploaded SVG files in all versions up to, and including, 3.6.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and...

MCP Server Kubernetes: Tool Access Control Bypass via Presentation-Layer Filtering Without Execution-Layer Enforcement

Summary mcp-server-kubernetes exposes three environment variables ALLOWONLYREADONLYTOOLS, ALLOWONLYNONDESTRUCTIVETOOLS, ALLOWEDTOOLS documented as access controls for restricting which Kubernetes operations are available. These controls are enforced at the tool discovery layer tools/list but not ...

Astra Linux - уязвимость в wireshark

An infinite loop in the RTMPT dissector in Wireshark 3.6.0 and 3.4.0 to 3.4.10 allows for denial of service through packet injection or crafted capture files...

Astra Linux - уязвимость в wireshark

The GDSDB infinite loop in Wireshark versions 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows for denial of service through packet injection or malicious capture files...

Astra Linux - уязвимость в wireshark

A memory leak in the BT SDP dissector in Wireshark versions 4.0.0 to 4.0.7 and 3.6.0 to 3.6.15 allows for denial of service through packet injection or malicious capture files...

Astra Linux - уязвимость в wireshark

A memory leak occurs in the NFS dissector in Wireshark versions 4.0.0 to 4.0.2, and 3.6.0 to 3.6.10. This issue may lead to denial of service through packet injection or with specially crafted capture files...

Astra Linux - уязвимость в wireshark

A crash in the Sysdig Event dissector in Wireshark versions 3.6.0, 3.4.0 to 3.4.10 allows for denial of service through packet injection or crafted capture files...

CLEANSTART-2026-VZ08395 Security fixes for CVE-2026-24051, CVE-2026-27139, CVE-2026-27141, CVE-2026-32280, CVE-2026-32281, CVE-2026-32282, CVE-2026-32283, CVE-2026-32289, CVE-2026-33186, CVE-2026-33810, CVE-2026-39883, ghsa-9h8m-3fm2-qjrq, ghsa-p77j-4mvh-x3m3 applied in versions: 3.6.0-r3, 3.6.0-r4

Multiple security vulnerabilities affect the fluent-operator-fips package. These issues are resolved in later releases. See references for individual vulnerability details...

CVE-2026-5781

An authorization vulnerability in MphRx's Minerva V3.6.0, specifically in the '/minerva/moUser/update' endpoint, could allow an authenticated user with user modification privileges to escalate their privileges by sending an HTTP request with a manipulated 'identifier' field. Successful exploitati...

CVE-2026-5781

An authorization vulnerability in MphRx’s Minerva v3.6.0 affects the /minerva/moUser/update endpoint. An authenticated user with user-modification privileges can escalate to administrator by sending an HTTP request with a manipulated 'identifier' field. The CVSS metrics indicate high impact and p...

MphRx Minerva 访问控制错误漏洞

MphRx Minerva is a medical data integration and interoperability platform developed by MphRx Corporation. Version MphRx Minerva V3.6.0 contains a security vulnerability related to access control. This vulnerability stems from an insecure direct object reference in the /minerva/moUser/show endpoin...

PT-2026-35716

Name of the Vulnerable Software and Affected Versions Minerva version 3.6.0 Description An authorization issue in the '/minerva/moUser/update' endpoint allows an authenticated user with user modification privileges to escalate their privileges to administrator. This is achieved by sending an HTTP...

GHSA-J452-XHG8-QG39 Mafintosh's protocol-buffers-schema is vulnerable to prototype pollution

JavaScript is vulnerable to prototype pollution in Mafintosh's protocol-buffers-schema Version 3.6.0, where an attacker may alter the application logic, bypass security checks, cause a DoS or achieve remote code execution...

protocol-buffers-schema 安全漏洞

protocol-buffers-schema is a Protocol Buffers pattern parser written in JavaScript by Mathias Buus. Version 3.6.0 of protocol-buffers-schema contains a security vulnerability, which stems from JavaScript prototype pollution. This vulnerability could allow attackers to alter application logic,...

PT-2026-33111

JavaScript is vulnerable to prototype pollution in Mafintosh's protocol-buffers-schema Version 3.6.0, where an attacker may alter the application logic, bypass security checks, cause a DoS or achieve remote code execution...