CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

RedhatCVE•added 2026/06/05 7:46 p.m.•10 views

CVE-2026-33858

Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, severity of this issue is Low. Users are recommended to upgrade to Apache Airflow 3.2.0,...

8.8CVSS5.9AI score0.00592EPSS

OSV•added 2026/06/05 5:40 a.m.•7 views

BIT-AIRFLOW-2026-42359 Apache Airflow: Authenticated RCE via XCom PATCH endpoint — XComUpdateBody missing FORBIDDEN_XCOM_KEYS validator

A bug in Apache Airflow's XCom PATCH endpoint PATCH /api/v2/xcomEntries/key allowed an authenticated UI/API user with XCom write permission on a Dag to set XCom entries under reserved key names e.g. returnvalue that the matching POST endpoint already validated against FORBIDDENXCOMKEYS. The...

8.8CVSS5.6AI score0.00592EPSS

Exploits0References4

RedhatCVE•added 2026/06/02 10:2 a.m.•14 views

CVE-2026-42359

8.8CVSS5.8AI score0.0055EPSS

Snyk•added 2026/06/01 10:29 a.m.•7 views

Deserialization of Untrusted Data

Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the XCom PATCH endpoint PATCH /api/v2/xcomEntries/key that allows an authenticated UI/API user with XCom write permission on a Dag to set XCom entries under reserved key names e.g. returnvalue that...

8.8CVSS5.6AI score0.0055EPSS

Exploits0References2

NVD•added 2026/06/01 9:16 a.m.•15 views

CVE-2026-42359

8.8CVSS0.0055EPSS

PyPA•added 2026/06/01 9:16 a.m.•9 views

PYSEC-0000-CVE-2026-42359

8.8CVSS5.8AI score0.0055EPSS

OSV•added 2026/06/01 9:16 a.m.•6 views

PYSEC-2026-185

8.8CVSS5.8AI score0.00592EPSS

Cvelist•added 2026/06/01 7:49 a.m.•36 views

CVE-2026-42359 Apache Airflow: Authenticated RCE via XCom PATCH endpoint — XComUpdateBody missing FORBIDDEN_XCOM_KEYS validator

0.0055EPSS

ATTACKERKB•added 2026/06/01 7:49 a.m.•10 views

CVE-2026-42359

8.8CVSS5.8AI score0.00592EPSS

Vulnrichment•added 2026/06/01 7:49 a.m.•7 views

CVE-2026-42359 Apache Airflow: Authenticated RCE via XCom PATCH endpoint — XComUpdateBody missing FORBIDDEN_XCOM_KEYS validator

5.8AI score0.0055EPSS

CVE•added 2026/06/01 7:49 a.m.•18 views

CVE-2026-42359

CVE-2026-42359 (Apache Airflow) : A bug in the XCom PATCH endpoint (PATCH /api/v2/xcomEntries/{key}) allows an authenticated UI/API user with XCom write permission on a DAG to set XCom entries under reserved keys (e.g., return_value) that bypass a prior validation on the POST path. The endpoint c...

8.8CVSS5.8AI score0.0055EPSS

OSV•added 2026/04/21 12:1 p.m.•5 views

BIT-AIRFLOW-2026-25917 Apache Airflow: API extra-links triggers XCom deserialization/class instantiation (Airflow 3.1.5)

RedhatCVE•added 2026/04/20 7:23 p.m.•5 views

Exploits0References4

CVE-2026-25917

Snyk•added 2026/04/18 9:30 a.m.•4 views

Deserialization of Untrusted Data

Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to improper XCom value handling. An attacker that is a Dag Author who normally should not be able to execute code in the webserver context can execute arbitrary code by crafting malicious XCom...

7.2CVSS6.1AI score0.00822EPSS

Exploits0References2

OSV•added 2026/04/18 9:30 a.m.•2 views

GHSA-6FFJ-2WG2-W45J Apache Airflow allows code execution through crafted XCom payloads

NVD•added 2026/04/18 7:16 a.m.•1 views

Exploits0References6

CVE-2026-25917

7.2CVSS0.00822EPSS

OSV•added 2026/04/18 7:16 a.m.•10 views

PYSEC-2026-13

7.2CVSS6.1AI score0.00822EPSS

CVE•added 2026/04/18 6:20 a.m.•72 views

CVE-2026-25917

Apache Airflow CVE-2026-25917 involves API extra-links enabling crafted XCom payloads that can lead to webserver code execution via XCom deserialization/class instantiation. Affected component is the Airflow webserver’s handling of XCom; root cause described as deserialization/instantiation of pa...