67 matches found
CVE-2026-1966
YugabyteDB Anywhere displays LDAP bind passwords configured via gflags in cleartext within the web UI. An authenticated user with access to the configuration view could obtain LDAP credentials, potentially enabling unauthorized access to external directory services...
CVE-2026-1966 YugabyteDB Anywhere Exposes LDAP Credentials in Cleartext in Web UI
YugabyteDB Anywhere displays LDAP bind passwords configured via gflags in cleartext within the web UI. An authenticated user with access to the configuration view could obtain LDAP credentials, potentially enabling unauthorized access to external directory services...
MAL-2025-48516 Malicious code in yugabyte_cloud (npm)
The package yugabytecloud was found to contain malicious code...
EUVD-2024-33682
Malicious code in bioql PyPI...
EUVD-2025-24153
Malicious code in bioql PyPI...
EUVD-2025-24144
Malicious code in bioql PyPI...
EUVD-2023-12615
Malicious code in bioql PyPI...
EUVD-2024-47884
Malicious code in bioql PyPI...
EUVD-2024-47897
Malicious code in bioql PyPI...
EUVD-2023-12763
Malicious code in bioql PyPI...
EUVD-2024-15809
Malicious code in bioql PyPI...
CVE-2025-8865
A null pointer dereference flaw has been discovered in YugabyteDB. An authenticated attacker could exploit this to crash the YCQL tablet server, resulting in a denial of service. Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Ha...
CVE-2025-8866
YugabyteDB Anywhere web server does not properly enforce authentication for the /metamaster/universe API endpoint. An unauthenticated attacker could exploit this flaw to obtain server networking configuration details, including private and public IP addresses and DNS records...
CVE-2025-8865
The CVE-2025-8865 issue affects YugabyteDB’s YCQL tablet server. A flaw in YCQL query handling can trigger a null pointer dereference when processing certain malformed inputs, allowing an authenticated attacker to crash the YCQL tablet server and cause a denial of service. Exploitation is describ...
CVE-2025-8865
The YugabyteDB tablet server contains a flaw in its YCQL query handling that can trigger a null pointer dereference when processing certain malformed inputs. An authenticated attacker could exploit this issue to crash the YCQL tablet server, resulting in a denial of service...
CVE-2025-8863
YugabyteDB diagnostic information was transmitted over HTTP, which could expose sensitive data during transmission...
CVE-2025-8862
CVE-2025-8862 involves YugabyteDB collecting diagnostics from servers, which may include sensitive gflag configurations. The underlying issue is that this information is not properly redacted in some versions, leading to potential exposure. The connected documents consistently state the mitigatio...
CVE-2025-8862
YugabyteDB has been collecting diagnostics information from YugabyteDB servers, which may include sensitive gflag configurations. To mitigate this, we recommend upgrading the database to a version where this information is properly redacted...