Lucene search: 58407 matches found

Github Security Blog, added 3 hours ago, 5 views

Omni: Operator can traverse image-factory API paths via unsanitized `talos_version` in CreateSchematic

Summary: managementServer.CreateSchematic (internal/backend/grpc/schematics.go) passes the caller-controlled TalosVersion field directly to imageFactoryClient.OverlaysVersions, which embeds it verbatim into a `fmt.Sprintf("/version/%s/overlays/official", talosVersion)` path template. url.URL.JoinPath...

AI score 5.7 | Exploits 0 | References 4 | Affected software 1
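Added example, not Omni's code (written in Python rather than the project's Go so it runs stand-alone): it shows why a caller-controlled version string dropped into a `fmt.Sprintf`-style path template lets a traversal value such as `../../schematics` reach a different upstream API path once a cleaning path join collapses the `..` segments, and the allow-list-then-encode form that closes the hole. The `TALOS_VERSION_RE` pattern and the `/schematics` target are assumptions for illustration, not taken from Omni or the image factory.

```python
import posixpath
import re
from urllib.parse import quote

# Strict allow-list for a Talos-style release tag such as "v1.9.3" or
# "v1.10.0-beta.1". Hypothetical pattern written for this example; it is not
# Omni's validator and may be narrower than what the project accepts.
TALOS_VERSION_RE = re.compile(r"^v\d+\.\d+\.\d+(?:-[0-9A-Za-z][0-9A-Za-z.]*)?$")


def overlays_path_unsafe(talos_version: str) -> str:
    """Mirror of the vulnerable pattern: caller input dropped verbatim into a
    path template, exactly as fmt.Sprintf("/version/%s/...", v) would."""
    return f"/version/{talos_version}/overlays/official"


def resolved_request_path(path: str) -> str:
    """Path that a cleaning join (Go's url.JoinPath collapses "." and "..")
    would actually send to the upstream API."""
    return posixpath.normpath(path)


def overlays_path_safe(talos_version: str) -> str:
    """Hardened form: reject anything that is not a version tag, then encode
    the value as a single path segment so "/" can never split it. Encoding
    alone is not enough: quote("../x", safe="") yields "..%2Fx", which a server
    that decodes before routing would still resolve as a traversal."""
    if not TALOS_VERSION_RE.fullmatch(talos_version):
        raise ValueError(f"invalid talos_version: {talos_version!r}")
    return f"/version/{quote(talos_version, safe='')}/overlays/official"


def traversal_demo() -> dict:
    """Constructed inputs showing the difference; returned for inspection."""
    hostile = "../../schematics"   # constructed attacker-supplied value
    benign = "v1.9.3"
    out = {
        "unsafe_sent": resolved_request_path(overlays_path_unsafe(hostile)),
        "safe_benign": overlays_path_safe(benign),
    }
    try:
        overlays_path_safe(hostile)
        out["safe_hostile"] = "accepted"
    except ValueError:
        out["safe_hostile"] = "rejected"
    return out


if __name__ == "__main__":
    for key, value in traversal_demo().items():
        print(f"{key}: {value}")
```

The unsafe path `/version/../../schematics/overlays/official` normalises to `/schematics/overlays/official`, so the suffix the server appends does not protect the prefix; the caller picks which API subtree the request lands in. Validate the value against the shape a version tag can take before it touches any path template.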
Wolfi, added 11 hours ago, 8 views

CVE-2026-40898 vulnerabilities

Vulnerabilities for packages: frp, ipfs-cluster, kube-metrics-adapter, kubernetes-dns-node-cache, k3s, kargo, prometheus-blackbox-exporter, q, dkron, opentelemetry-operator, traefik, kyverno-policy-reporter-ui, k8sgateway, kubo...

CVSS 5.3 | AI score 5.4 | Exploits 0
OSV, added 13 hours ago, 4 views

BIT-AIRFLOW-2026-49267 Apache Airflow: No certificate validation on SMTP STARTTLS connections

Apache Airflow's EmailOperator and the underlying airflow.utils.email helpers established SMTP STARTTLS connections without verifying the remote certificate when the deployment used the email configuration `smtp_starttls=True` without `smtp_ssl`. An attacker positioned between the worker and the configured SMTP...

CVSS 5.9 | AI score 5.6 | EPSS 0.00059 | Exploits 0 | References 3
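Added example, not Airflow's own code: a STARTTLS send that builds an explicitly verifying `ssl.SSLContext` and refuses to proceed with a non-verifying context or with a server that does not advertise STARTTLS. The `unverified_context()` function reproduces what CPython's `smtplib.SMTP.starttls()` uses when no `context` argument is passed, which is the class of bug the advisory describes. Host names and credentials in the block are placeholders.

```python
import smtplib
import ssl
from email.message import EmailMessage


def unverified_context() -> ssl.SSLContext:
    """Equivalent of what CPython's smtplib uses when starttls() gets no
    explicit context: TLS is negotiated, but the peer certificate and host
    name are never checked, so an on-path attacker can present any cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_context(cafile=None) -> ssl.SSLContext:
    """Hardened form: system trust store (or a pinned CA bundle via cafile),
    host name checking on, and nothing older than TLS 1.2."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_verifies_peer(ctx: ssl.SSLContext) -> bool:
    """Both knobs must be on; CERT_REQUIRED alone still skips the host name."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def build_message(sender: str, to: str, subject: str, body: str) -> EmailMessage:
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, to, subject
    msg.set_content(body)
    return msg


def send_with_starttls(host, port, msg, ctx, user=None, password=None, timeout=30):
    """Strict STARTTLS send. Refuses a non-verifying context before any socket
    is opened, and refuses to continue in clear if the server does not
    advertise STARTTLS (a stripped EHLO response is the classic downgrade).
    Needs a live SMTP relay; the placeholder hosts below are not real."""
    if not context_verifies_peer(ctx):
        raise ValueError("refusing STARTTLS without certificate verification")
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError("server did not offer STARTTLS; not sending in clear")
        smtp.starttls(context=ctx)   # the fix: never call starttls() bare
        smtp.ehlo()                  # re-EHLO after the handshake (RFC 3207)
        if user is not None:
            smtp.login(user, password)
        smtp.send_message(msg)


if __name__ == "__main__":
    # Placeholder relay and credentials; replace before running for real.
    message = build_message("airflow@example.invalid", "ops@example.invalid",
                            "test", "hello from a verified STARTTLS session")
    send_with_starttls("smtp.example.invalid", 587, message,
                       verified_context(), "airflow", "secret")
```

Checking `context_verifies_peer()` before connecting is the cheap guard: a context with `verify_mode=CERT_REQUIRED` but `check_hostname=False` still accepts any valid certificate for any name, so both attributes have to be asserted.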
Wolfi, added yesterday, 4 views

CVE-2026-42876 vulnerabilities

Vulnerabilities for packages: external-secrets-operator...

CVSS 4.9 | AI score 5.8 | EPSS 0.00007 | Exploits 0

Wolfi, added yesterday, 5 views

GHSA-WV26-88M5-6H59 vulnerabilities

Vulnerabilities for packages: external-secrets-operator...

AI score 5.8 | Exploits 0

Wolfi, added yesterday, 4 views

GHSA-FQ7H-9X26-6J22 vulnerabilities

Vulnerabilities for packages: external-secrets-operator...

AI score 5.8 | Exploits 0

Wolfi, added yesterday, 4 views

CVE-2026-42875 vulnerabilities

Vulnerabilities for packages: external-secrets-operator...

CVSS 5.3 | AI score 5.8 | EPSS 0.00043 | Exploits 0
Cvelist, added yesterday, 20 views

CVE-2026-10860 MISP CRUDComponent delete validation bypass via operator precedence error

A logic error in the MISP CRUD component delete handler allowed validation failures to be bypassed when requests used the HTTP DELETE method. Due to missing parentheses in the delete condition, the expression was evaluated as `($validationError === null && POST) || DELETE`, meaning a DELETE request...

CVSS 7.9 | Exploits 0 | References 1

CVE, added yesterday, 6 views

CVE-2026-10860

In CVE-2026-10860, a logic error in the MISP CRUD component delete handler bypasses validation due to missing parentheses in the delete condition, allowing a DELETE request to proceed even when the delete validation callback rejects the operation. An authenticated attacker with access to an affec...

CVSS 7.9 | AI score 5.8 | Exploits 0 | References 1

Vulnrichment, added yesterday, 4 views

CVE-2026-10860 MISP CRUDComponent delete validation bypass via operator precedence error

A logic error in the MISP CRUD component delete handler allowed validation failures to be bypassed when requests used the HTTP DELETE method. Due to missing parentheses in the delete condition, the expression was evaluated as `($validationError === null && POST) || DELETE`, meaning a DELETE request...

CVSS 7.9 | AI score 5.8 | Exploits 0 | References 1
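Added example, not MISP's code, rendered in Python because `and`/`or` have the same relative precedence as PHP's `&&`/`||`: the flawed condition beside the parenthesised one, a toy delete handler driven by a validation callback, and a sweep over every (validation outcome, method) pair showing that the two conditions disagree only for a DELETE request whose validation failed. The `protect_builtin` callback and the record shape are constructed for the example.

```python
from itertools import product


def delete_allowed_vulnerable(validation_error, method: str) -> bool:
    """Mirror of the flawed condition. `and` binds tighter than `or` (as PHP's
    && does over ||), so this parses as
    (validation_error is None and method == "POST") or method == "DELETE":
    a DELETE request is allowed regardless of the validation result."""
    return validation_error is None and method == "POST" or method == "DELETE"


def delete_allowed_fixed(validation_error, method: str) -> bool:
    """Parenthesised form: the validation result gates both methods."""
    return validation_error is None and (method == "POST" or method == "DELETE")


def protect_builtin(record: dict):
    """Constructed validation callback: built-in records must not be deleted.
    Returns an error string on rejection, None when the delete may proceed."""
    return "record is built-in" if record.get("builtin") else None


def delete_record(record: dict, method: str, validate, allowed=delete_allowed_fixed) -> str:
    """Tiny stand-in for a CRUD delete handler: run the validation callback,
    then gate on whichever condition is under test."""
    validation_error = validate(record)
    if allowed(validation_error, method):
        return "deleted"
    return f"rejected: {validation_error}"


def divergent_cases() -> list:
    """Every (validation outcome, method) pair where the two conditions
    disagree; this is the full blast radius of the precedence error."""
    out = []
    for err, method in product([None, "rejected"], ["GET", "POST", "DELETE"]):
        if delete_allowed_vulnerable(err, method) != delete_allowed_fixed(err, method):
            out.append((err, method))
    return out


if __name__ == "__main__":
    protected = {"id": 1, "builtin": True}   # constructed record
    print("vulnerable DELETE:", delete_record(protected, "DELETE", protect_builtin, delete_allowed_vulnerable))
    print("fixed DELETE:     ", delete_record(protected, "DELETE", protect_builtin))
    print("divergent cases:  ", divergent_cases())
```

The sweep is the useful part when reviewing a fix of this kind: an unparenthesised mixed `&&`/`||` chain should be exhaustively tabulated against the intended truth table, since the bypass sits in exactly one cell and is easy to miss by reading.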
Chainguard, added yesterday, 4 views

CVE-2026-42875 vulnerabilities

Vulnerabilities for packages: external-secrets-operator...

CVSS 5.3 | AI score 5.8 | EPSS 0.00043 | Exploits 0

Chainguard, added yesterday, 4 views

GHSA-WV26-88M5-6H59 vulnerabilities

Vulnerabilities for packages: external-secrets-operator...

AI score 5.8 | Exploits 0

Chainguard, added yesterday, 5 views

CVE-2026-42876 vulnerabilities

Vulnerabilities for packages: external-secrets-operator...

CVSS 4.9 | AI score 5.8 | EPSS 0.00007 | Exploits 0

Chainguard, added yesterday, 3 views

GHSA-FQ7H-9X26-6J22 vulnerabilities

Vulnerabilities for packages: external-secrets-operator...

AI score 5.8 | Exploits 0
NVD, added yesterday, 4 views

CVE-2026-10843

A flaw was found in the OpenShift Cloud Credential Operator Mint-mode IAM policies for AWS. Operator credentials are provisioned with account-wide scope for destructive actions rather than being restricted to cluster-owned resources, enabling cross-scope impact after credential compromise...

CVSS 7.2 | Exploits 0 | References 2

CVE, added yesterday, 9 views

CVE-2026-10843

OpenShift Cloud Credential Operator Mint-mode IAM policies for AWS allow operator credentials to have account-wide permissions for destructive actions, rather than being restricted to cluster-owned resources. This enables cross-scope impact after credential compromise. The CVE-2026-10843 entry do...

CVSS 7.2 | AI score 5.7 | Exploits 0 | References 2

EUVD, added yesterday, 4 views

EUVD-2026-34249

A flaw was found in the OpenShift Cloud Credential Operator Mint-mode IAM policies for AWS. Operator credentials are provisioned with account-wide scope for destructive actions rather than being restricted to cluster-owned resources, enabling cross-scope impact after credential compromise...

CVSS 7.2 | AI score 5.7 | Exploits 0 | References 2

Cvelist, added yesterday, 25 views

CVE-2026-10843 Cloud-credential-operator: CCO Mint-mode CredentialsRequest manifests grant account-wide IAM access beyond cluster scope on AWS

A flaw was found in the OpenShift Cloud Credential Operator Mint-mode IAM policies for AWS. Operator credentials are provisioned with account-wide scope for destructive actions rather than being restricted to cluster-owned resources, enabling cross-scope impact after credential compromise...

CVSS 7.2 | Exploits 0 | References 2

ATTACKERKB, added yesterday, 4 views

CVE-2026-10843

A flaw was found in the OpenShift Cloud Credential Operator Mint-mode IAM policies for AWS. Operator credentials are provisioned with account-wide scope for destructive actions rather than being restricted to cluster-owned resources, enabling cross-scope impact after credential compromise...

CVSS 7.2 | AI score 5.7 | Exploits 0 | References 3

Vulnrichment, added yesterday, 4 views

CVE-2026-10843 Cloud-credential-operator: CCO Mint-mode CredentialsRequest manifests grant account-wide IAM access beyond cluster scope on AWS

A flaw was found in the OpenShift Cloud Credential Operator Mint-mode IAM policies for AWS. Operator credentials are provisioned with account-wide scope for destructive actions rather than being restricted to cluster-owned resources, enabling cross-scope impact after credential compromise...

CVSS 7.2 | AI score 5.7 | Exploits 0 | References 2
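Added example, not Cloud Credential Operator code and not its CredentialsRequest manifest format: a small linter over an IAM policy document in the standard JSON form that flags Allow statements granting state-changing actions on wildcard resources without a Condition on the conventional `kubernetes.io/cluster/<id>` ownership tag, plus a helper that adds that condition. The policy, the cluster id `demo-abc12` and the `DESTRUCTIVE_VERBS` list are constructed for this example.

```python
import json

# Verbs that change or destroy state. A heuristic assembled for this example,
# not an AWS-published list; extend it for the services in your policies.
DESTRUCTIVE_VERBS = ("Delete", "Terminate", "Detach", "Disassociate",
                     "Deregister", "Release", "Revoke", "Stop", "Modify", "Reboot")
# Conventional tag that marks AWS resources as owned by one Kubernetes cluster.
CLUSTER_TAG_KEY = "kubernetes.io/cluster/"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_destructive(action: str) -> bool:
    """'*', 'ec2:*' and 'ec2:TerminateInstances' count; 'ec2:DescribeInstances' does not."""
    if action == "*":
        return True
    _service, _, verb = action.partition(":")
    return verb == "*" or verb.startswith(DESTRUCTIVE_VERBS)


def scoped_to_cluster(statement: dict) -> bool:
    """True when some Condition key tests a cluster ownership tag on the resource."""
    wanted = ("aws:resourcetag/" + CLUSTER_TAG_KEY, "ec2:resourcetag/" + CLUSTER_TAG_KEY)
    for operator_block in statement.get("Condition", {}).values():
        for key in operator_block:
            if key.lower().startswith(wanted):
                return True
    return False


def lint_policy(policy: dict) -> list:
    """Return (statement index, offending actions) for Allow statements that
    grant destructive actions on wildcard resources with no cluster-tag condition."""
    findings = []
    for idx, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        wildcard = any("*" in r for r in _as_list(st.get("Resource", [])))
        if not wildcard or scoped_to_cluster(st):
            continue
        bad = [a for a in _as_list(st.get("Action", [])) if is_destructive(a)]
        if bad:
            findings.append((idx, bad))
    return findings


def scope_to_cluster(statement: dict, cluster_id: str) -> dict:
    """One remediation: keep the actions but bind them to resources tagged as
    owned by this cluster. Only valid for actions that support resource-level
    permissions and the ResourceTag condition key; check the per-service
    action table before relying on it."""
    fixed = json.loads(json.dumps(statement))   # deep copy, leave input untouched
    eq = fixed.setdefault("Condition", {}).setdefault("StringEquals", {})
    eq[f"aws:ResourceTag/{CLUSTER_TAG_KEY}{cluster_id}"] = "owned"
    return fixed


# Constructed sample policy: statement 1 is the account-wide pattern the
# advisory describes, statement 2 is the same grant bound to one cluster.
EXAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "ec2:DescribeVolumes"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["ec2:TerminateInstances", "ec2:DeleteVolume"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["ec2:TerminateInstances", "ec2:DeleteVolume"],
         "Resource": "*",
         "Condition": {"StringEquals": {
             "aws:ResourceTag/kubernetes.io/cluster/demo-abc12": "owned"}}},
    ],
}


def lint_example() -> list:
    return lint_policy(EXAMPLE_POLICY)


if __name__ == "__main__":
    for idx, actions in lint_example():
        print(f"statement {idx}: account-wide destructive grant for {actions}")
    print(json.dumps(scope_to_cluster(EXAMPLE_POLICY["Statement"][1], "demo-abc12"), indent=2))
```

Read-only `Describe*` calls on `Resource: "*"` are normal and the linter leaves them alone; the finding is the combination of a destructive verb, a wildcard resource, and no ownership condition, which is what turns a single leaked operator credential into account-wide blast radius.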