2262 matches found
ChangeDetection.io <= v0.50.33 - Stored XSS via Watch API
changedetection.io = 0.50.34 contains a stored cross site scripting caused by insufficient security checks in the Watch update API, letting attackers execute arbitrary JavaScript when users preview malicious links, exploit requires user interaction id: CVE-2025-62780 info: name: ChangeDetection.i...
GHSA-GC3J-79F2-7VVW Fission: Cross-namespace event leakage via KubernetesWatchTrigger allows persistent tenant surveillance
Summary A low-privilege developer who could create a KubernetesWatchTrigger KWT in their own namespace was able to establish a persistent surveillance channel over any other namespace. Details Two independent flaws compounded: 1. pkg/kubewatcher/kubewatcher.go::createKubernetesWatch used...
CVE-2026-9219
Setracker2 Android Companion App com.tgelec.setracker versions 3.1.5 and prior have a predictable registration ID derived from IMEI. The enrollment system lacks additional authentication before assignment. If an attacker is able to obtain the registration ID, they would be able to arbitrarily...
CVE-2026-9220
Setracker2 Android Companion App com.tgelec.setracker versions 3.1.5 and prior encrypts requests between the watch and its backend with static hardcoded AES keys and initialization vectors. This allows an attacker to decrypt Setracker2 watch traffic...
CVE-2026-9220 Setracker2 Children's Smartwatch Ecosystem Use of hard-coded cryptographic key
Setracker2 Android Companion App com.tgelec.setracker versions 3.1.5 and prior encrypts requests between the watch and its backend with static hardcoded AES keys and initialization vectors. This allows an attacker to decrypt Setracker2 watch traffic...
CVE-2026-9220
The CVE-2026-9220 entry describes a vulnerability in Setracker2 Android Companion App (package com.tgelec.setracker) affecting versions 3.1.5 and earlier. The underlying issue is that requests between the wearable and backend are encrypted with static, hardcoded AES keys and initialization vector...
CVE-2026-52795
Gogs is an open source self-hosted Git service. In 0.14.3 and earlier, any authenticated user can watch a private repository they have no access to, because the access check in the Watch API handler is inverted. The code checks if repoCtx.ViewerCanRead returns 404 when the user CAN read instead o...
CVE-2026-52795
Gogs is an open source self-hosted Git service. In 0.14.3 and earlier, any authenticated user can watch a private repository they have no access to, because the access check in the Watch API handler is inverted. The code checks if repoCtx.ViewerCanRead returns 404 when the user CAN read instead o...
CVE-2026-52795
CVE-2026-52795 affects Gogs (open source self-hosted Git service). In 0.14.3 and earlier, an authorization logic error in the Watch API lets any authenticated user watch a private repository they have no access to, due to an inverted access check. This exposes private repository activity in the a...
CVE-2026-52795 Gogs: Authorization Bypass in Watch API allows any user to monitor private repository activity
Gogs is an open source self-hosted Git service. In 0.14.3 and earlier, any authenticated user can watch a private repository they have no access to, because the access check in the Watch API handler is inverted. The code checks if repoCtx.ViewerCanRead returns 404 when the user CAN read instead o...
CVE-2026-52795 Gogs: Authorization Bypass in Watch API allows any user to monitor private repository activity
Gogs is an open source self-hosted Git service. In 0.14.3 and earlier, any authenticated user can watch a private repository they have no access to, because the access check in the Watch API handler is inverted. The code checks if repoCtx.ViewerCanRead returns 404 when the user CAN read instead o...
Astra Linux – Vulnerability found in Linux 6.1, Linux 6.12
In the Linux kernel, the following vulnerability has been resolved: libceph: The calctarget function should set t-paused, rather than simply clearing it. Currently, calctarget clears t-paused if the request should no longer be paused. However, it never sets t-paused, even though it can determine...
Astra Linux – Vulnerability in Linux 6.12
In the Linux kernel, the following vulnerabilities have been resolved: drm/amdkfd: Fixed the bounds checking of watchid in debug address watch v2. The address watch clear code receives watchid as an unsigned value u32, but some helper functions used a signed int and checked the bits by shifting...
PT-2026-52084
Name of the Vulnerable Software and Affected Versions Gogs versions prior to 0.14.4 Description An authenticated user can watch a private repository without having the necessary access permissions. This occurs because the access check in the Watch API handler is inverted, specifically within the...
Astra Linux – Vulnerability in Linux
A issue was discovered in Xen through version 4.14.x. Some operating systems, such as Linux, FreeBSD, and NetBSD, process watch events using a single thread. If these events are received faster than the thread can handle them, they will be queued up. Since the queue is unbounded, a guest system m...
CVE-2026-55225
When the Strimzi cluster operator is deployed with watchAnyNamespace=true or a multi-namespace list, any namespace editor can set Kafka.spec.entityOperator.userOperator.watchedNamespace or topicOperator.watchedNamespace to an arbitrary namespace. The cluster operator then creates a Role granting...
CVE-2026-49822
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, a low-privilege developer who could create a KubernetesWatchTrigger KWT in their own namespace was able to establish a persistent...
CVE-2026-49822 Fission: Cross-namespace event leakage via KubernetesWatchTrigger allows persistent tenant surveillance
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, a low-privilege developer who could create a KubernetesWatchTrigger KWT in their own namespace was able to establish a persistent...
CVE-2026-49822
CVE-2026-49822 affects the Fission framework (Kubernetes-native serverless) prior to version 1.24.0. A low-privilege developer who could create a KubernetesWatchTrigger (KWT) in their own namespace could establish a persistent surveillance channel into other namespaces, enabling cross-namespace e...
MAL-2026-5312 Malicious code in bt-burn-watch (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 94719a61950dd5cacc26b288c1fe8ef0d12f0e93720b4f1aa98cdf84ff148f0d Package advertises Bittensor subnet burn-rate monitoring but the compiled core module's own docstring describes itself as a 'clipboard logger +...