Lucene search
K
AlpinelinuxRecent

12983 matches found

AlpineLinux
AlpineLinux
•added 2026/06/24 1:20 p.m.•6 views

CVE-2026-57289

Jenkins Bitbucket Push and Pull Request Plugin 3.3.8 and earlier unconditionally disables SSL/TLS certificate and hostname validation for connections sending Bearer token authenticated requests to the configured Bitbucket Server endpoint, allowing attackers able to intercept network traffic to...

4.8CVSS5.8AI score0.00108EPSS
Exploits0References1
AlpineLinux
AlpineLinux
•added 2026/06/24 1:20 p.m.•6 views

CVE-2026-57287

Jenkins Job Configuration History Plugin 1356.ve360da6c523a and earlier does not redact the encrypted values of secrets when displaying historical job and agent configurations, allowing attackers with Extended Read permission to view encrypted secret values that would otherwise be redacted...

4.3CVSS5.8AI score0.0013EPSS
Exploits0References1
AlpineLinux
AlpineLinux
•added 2026/06/24 1:20 p.m.•5 views

CVE-2026-57286

A missing permission check in Jenkins Git Parameter Plugin 462.vdcf3df2ed2ca and earlier allows attackers with Item/Read permission to obtain information about the SCM repository used by a job, such as branch names, tag names, and revision metadata...

4.3CVSS5.8AI score0.00216EPSS
Exploits0References1
AlpineLinux
AlpineLinux
•added 2026/06/24 1:20 p.m.•7 views

CVE-2026-57285

A missing permission check in Jenkins GitHub Branch Source Plugin 1967.1969.v205fd594c821 and earlier allows attackers with Overall/Read permission to obtain the URLs of GitHub Enterprise servers configured in the global plugin configuration...

4.3CVSS5.8AI score0.00216EPSS
Exploits0References1
AlpineLinux
AlpineLinux
•added 2026/06/24 1:20 p.m.•6 views

CVE-2026-57284

Jenkins Pipeline: Groovy Plugin 4331.v9d06ed4658ff and earlier does not restrict the types that can be instantiated through the Pipeline Snippet Generator, allowing attackers to instantiate types related to job or system configuration other than Pipeline steps...

4.3CVSS5.8AI score0.00275EPSS
Exploits0References1
AlpineLinux
AlpineLinux
•added 2026/06/24 1:20 p.m.•5 views

CVE-2026-57283

A cross-site request forgery CSRF vulnerability in Jenkins Pipeline: Groovy Plugin 4331.v9d06ed4658ff and earlier allows attackers to instantiate types related to job or system configuration other than Pipeline steps through the Pipeline Snippet Generator...

4.3CVSS5.7AI score0.00158EPSS
Exploits0References1
AlpineLinux
AlpineLinux
•added 2026/06/24 1:20 p.m.•6 views

CVE-2026-57282

Jenkins Git client Plugin 6.6.0 and earlier does not correctly escape the workspace directory name when it is embedded into a generated SSH wrapper script, allowing attackers able to control the name of a build's working directory to execute arbitrary operating system commands on the agent...

5CVSS6.1AI score0.00207EPSS
Exploits0References1
AlpineLinux
AlpineLinux
•added 2026/06/24 1:20 p.m.•6 views

CVE-2026-57280

Jenkins Script Security Plugin 1402.v94c9ce464861 and earlier does not intercept the implicit type casts applied to the elements of typed for-each loops in sandboxed Groovy scripts, allowing attackers able to provide such scripts to invoke arbitrary constructors and bypass the sandbox protection...

8.8CVSS5.9AI score0.00372EPSS
Exploits0References1
AlpineLinux
AlpineLinux
•added 2026/06/24 1:20 p.m.•7 views

CVE-2026-57281

Jenkins Script Security Plugin 1402.v94c9ce464861 and earlier does not reject Groovy AST transformation annotations carrying an extensions member, allowing attackers able to run sandboxed Groovy scripts to execute code outside the sandbox if a suitable script is present on the classpath of the...

8.5CVSS5.8AI score0.00594EPSS
Exploits0References4
AlpineLinux
AlpineLinux
•added 2026/06/24 11:53 a.m.•6 views

CVE-2026-56370

ImageMagick before 7.1.2-19 contains an out-of-bounds access vulnerability in ConnectedComponentsImage when processing connected-components artifacts with invalid indices. Attackers can trigger access violations by specifying malformed connected-components definitions via CLI, causing denial of...

7.8CVSS5.9AI score0.00121EPSS
Exploits0References2
AlpineLinux
AlpineLinux
•added 2026/06/24 11:53 a.m.•5 views

CVE-2026-56368

ImageMagick before 7.1.2-15 contains a memory leak vulnerability in multiple coders that write raw pixel data where allocated objects are not properly freed. Attackers can trigger this leak by processing specially crafted images, causing memory exhaustion and denial of service...

7.5CVSS5.8AI score0.0026EPSS
Exploits0References2
AlpineLinux
AlpineLinux
•added 2026/06/23 7:17 p.m.•6 views

CVE-2026-54762

Traefik is an HTTP reverse proxy and load balancer. From 3.7.0-ea.1 until 3.7.5, there is a medium severity vulnerability in Traefik's Kubernetes Ingress NGINX provider that causes affected routes to fail open. When an Ingress explicitly enables BasicAuth or DigestAuth through the supported...

8.6CVSS5.8AI score0.0036EPSS
Exploits1References2
AlpineLinux
AlpineLinux
•added 2026/06/23 7:15 p.m.•7 views

CVE-2026-54761

Traefik is an HTTP reverse proxy and load balancer. Prior to 3.6.21 and 3.7.5, there is a high severity vulnerability in Traefik's Kubernetes Gateway provider affecting the crossProviderNamespaces allowlist. For HTTPRoute rules that declare multiple WRR backendRefs, Traefik evaluates the allowlis...

7.1CVSS5.8AI score0.00318EPSS
Exploits2References3
AlpineLinux
AlpineLinux
•added 2026/06/23 7:13 p.m.•7 views

CVE-2026-53622

Traefik is an HTTP reverse proxy and load balancer. Prior to 3.7.3, there is a critical vulnerability in Traefik's HTTP/3 QUIC TLS configuration selection that allows unauthenticated clients to bypass router-specific mTLS enforcement. When HTTP/3 is enabled on an entrypoint, the TLS handshake...

10CVSS5.8AI score0.0024EPSS
Exploits1References5
AlpineLinux
AlpineLinux
•added 2026/06/23 7:12 p.m.•5 views

CVE-2026-48491

Traefik is an HTTP reverse proxy and load balancer. From 3.7.0 until 3.7.3, there is a high severity vulnerability in Traefik's domain-fronting protection SNICheck that allows an unauthenticated client to bypass mutual TLS enforced through wildcard router TLSOptions. When a router uses a wildcard...

10CVSS5.8AI score0.00245EPSS
Exploits1References5
AlpineLinux
AlpineLinux
•added 2026/06/23 7:10 p.m.•5 views

CVE-2026-48020

Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.48, 3.6.19, and 3.7.3, there is a high severity vulnerability in Traefik's StripPrefix middleware that allows an unauthenticated attacker to bypass route-level authentication and authorization. When a public router matches on a...

10CVSS5.8AI score0.00591EPSS
Exploits2References7
AlpineLinux
AlpineLinux
•added 2026/06/23 5:56 p.m.•10 views

CVE-2026-45135

Caddy is an extensible server platform that uses TLS by default. From 2.7.0 until 2.11.3, the FastCGI transport's splitPos in modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct fla...

8.1CVSS6.5AI score0.00399EPSS
Exploits1
AlpineLinux
AlpineLinux
•added 2026/06/23 5:55 p.m.•7 views

CVE-2026-45692

Caddy is an extensible server platform that uses TLS by default. From 2.4.0 until 2.11.3, the authorization layer and the /config traversal layer do not agree on what object the path refers to. In this case, a path authorized for one config object is accepted, but then resolves to a different...

5.4CVSS5.9AI score0.00144EPSS
Exploits1
AlpineLinux
AlpineLinux
•added 2026/06/23 5:24 p.m.•7 views

CVE-2026-55517

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.5, a Deno program that opens a client WebSocket connection could be crashed by the remote server. While handling the WebSocket handshake response, Deno parsed the Sec-WebSocket-Protocol and Sec-WebSocket-Extensions response...

4.3CVSS5.8AI score0.00183EPSS
Exploits0References1
AlpineLinux
AlpineLinux
•added 2026/06/23 5:24 p.m.•5 views

CVE-2026-44726

Deno is a JavaScript, TypeScript, and WebAssembly runtime. From 2.0.0 until 2.7.8, a flaw in Deno's Node.js tls compatibility layer could cause a TLS client to transmit application data in plaintext after a connection retry. When autoSelectFamily was enabled and the first address-family attempt...

9.1CVSS5.8AI score0.00142EPSS
Exploits1References1
AlpineLinux
AlpineLinux
•added 2026/06/23 5:22 p.m.•8 views

CVE-2026-49401

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.14, Deno's permission system enforces filesystem and execution restrictions by comparing the requested path against the path supplied to --deny-read, --deny-write, --deny-run, or --deny-ffi. On macOS, that comparison was done...

8.4CVSS5.9AI score0.00144EPSS
Exploits1References1
AlpineLinux
AlpineLinux
•added 2026/06/23 5:20 p.m.•5 views

CVE-2026-49402

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.10, Deno's node:childprocess implementation provided an escapeShellArg helper used when callers passed shell: true to spawn / spawnSync / exec and friends. On Windows, the helper failed to quote arguments that contained cmd.e...

8.1CVSS5.9AI score0.00283EPSS
Exploits1References1
AlpineLinux
AlpineLinux
•added 2026/06/23 5:19 p.m.•5 views

CVE-2026-49406

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.7.12, when Deno was run in BYONM mode nodeModulesDir: "manual", the module resolver did not validate that a package's resolved entrypoint stayed within its nodemodules// directory. A malicious package.json whose main field...

5.5CVSS5.9AI score0.00135EPSS
Exploits1References1
AlpineLinux
AlpineLinux
•added 2026/06/23 5:16 p.m.•7 views

CVE-2026-49983

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.1, environment access is gated by the env permission. You can deny it with --deny-env, or restrict it to a specific allowlist with --allow-env=FOO,BAR. The expectation is that a program running without env permission cannot...

5.2CVSS5.8AI score0.00098EPSS
Exploits0References1
AlpineLinux
AlpineLinux
•added 2026/06/23 5:15 p.m.•6 views

CVE-2026-49860

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.1, when a WebSocket connection was opened, Deno checked the destination hostname against --deny-net rules but did not re-check the IP addresses that hostname resolved to. An attacker-controlled script could use a specially...

5.2CVSS5.8AI score0.00101EPSS
Exploits0References1
AlpineLinux
AlpineLinux
•added 2026/06/23 5:14 p.m.•6 views

CVE-2026-49859

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.1, when fetch was called, Deno checked the destination hostname against --deny-net rules but did not re-check the IP addresses that hostname resolved to. An attacker-controlled script could use a specially crafted domain name...

5.2CVSS5.8AI score0.00101EPSS
Exploits0References1
AlpineLinux
AlpineLinux
•added 2026/06/23 5:13 p.m.•5 views

CVE-2026-49440

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.1, node:crypto.checkPrimecandidate, options, callback and crypto.checkPrimeSynccandidate, options ran no Miller-Rabin rounds at all when the caller left options.checks at its default of 0. In that mode, the only test applied ...

7.4CVSS5.8AI score0.00149EPSS
Exploits0References2
AlpineLinux
AlpineLinux
•added 2026/06/23 4:40 p.m.•6 views

CVE-2026-57053

GNU libidn before 1.44 is prone to out-of-bounds reads of uninitialized memory in the ToUnicode APIs because of mishandling in idnatounicodeinternal. The affected code is not present in libidn2...

4CVSS5.8AI score0.0011EPSS
Exploits1References2
AlpineLinux
AlpineLinux
•added 2026/06/23 4:14 p.m.•16 views

CVE-2026-56117

dhcpcd through 10.3.2, fixed in commit 78ea09e, contains a heap use-after-free vulnerability in the control socket handling within src/control.c that allows local unprivileged attackers to trigger memory corruption when privilege separation is disabled. Attackers can connect to the control socket...

5.7CVSS5.8AI score0.00093EPSS
Exploits0References2
AlpineLinux
AlpineLinux
•added 2026/06/23 4:11 p.m.•5 views

CVE-2026-56116

dhcpcd through 10.3.2, fixed in commit 708b4a5, contains a memory leak vulnerability in the IPv6 Router Advertisement route information handling that allows an unauthenticated same-link attacker to cause denial of service by sending crafted Router Advertisements. Attackers can repeatedly send...

7.1CVSS5.8AI score0.00187EPSS
Exploits0References2
AlpineLinux
AlpineLinux
•added 2026/06/23 4:8 p.m.•4 views

CVE-2026-56115

Bootimus through 0.1.70 contains a broken access control vulnerability that allows authenticated low-privileged users to perform administrative actions by exploiting missing role enforcement in the JWTMiddleware function in internal/auth/auth.go, which validates JWT tokens and account status but...

8.8CVSS5.8AI score0.00307EPSS
Exploits1References4
AlpineLinux
AlpineLinux
•added 2026/06/23 4:8 p.m.•7 views

CVE-2026-56114

dhcpcd through 10.3.2, fixed in commit 2f00c7b, contains a one-byte stack out-of-bounds write vulnerability in dhcp6makemessage in src/dhcp6.c that allows unauthenticated same-link attackers to write beyond a fixed local buffer by serializing an oversized RFC6603 OPTIONPDEXCLUDE option body...

6.5CVSS5.9AI score0.00175EPSS
Exploits0References2
AlpineLinux
AlpineLinux
•added 2026/06/23 4:5 p.m.•7 views

CVE-2026-56113

dhcpcd through 10.3.2, fixed in commit 5733d3c, contains a heap use-after-free vulnerability that allows unauthenticated same-link attackers to crash the daemon by sending a crafted DHCPv6 RENEW reply with RFC6603 OPTIONPDEXCLUDE and both preferred and valid lifetimes set to zero. Attackers actin...

6.5CVSS5.8AI score0.00175EPSS
Exploits0References2
AlpineLinux
AlpineLinux
•added 2026/06/23 12:13 p.m.•11 views

CVE-2026-56379

ImageMagick before 7.1.2-15 and 6.9.13-40 contains a command injection vulnerability in the SVG decoder that allows attackers to inject arbitrary MVG drawing commands. Attackers can craft malicious SVG files with injected Magick Vector Graphics commands that execute during rendering...

9.2CVSS6.1AI score0.00895EPSS
Exploits0References6
AlpineLinux
AlpineLinux
•added 2026/06/23 12:13 p.m.•5 views

CVE-2026-56371

ImageMagick before 7.1.2-15 and 6.9.13-40 contains a memory leak in coders/txt.c when processing TXT files with texture attributes: the texture object allocated via ReadImage is not released when GetTypeMetrics fails, leaking memory each time a crafted TXT file with a texture attribute is process...

6.9CVSS5.8AI score0.00257EPSS
Exploits0References2
AlpineLinux
AlpineLinux
•added 2026/06/23 12:13 p.m.•9 views

CVE-2026-56376

ImageMagick before 7.1.2-15 and 6.9.13-40 contains a heap use-after-free in the meta coder: when memory allocation fails, a single byte is written to a stale pointer. Remote attackers can trigger it by processing specially crafted image files, causing a denial of service...

6.3CVSS5.8AI score0.00184EPSS
Exploits0References2
AlpineLinux
AlpineLinux
•added 2026/06/22 6:59 p.m.•6 views

CVE-2026-48931

A flaw in Node.js HTTP Agent can cause a client to accept as valid a response that is send before the client has sent the request. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26...

3.7CVSS5.8AI score0.00371EPSS
Exploits1
AlpineLinux
AlpineLinux
•added 2026/06/22 4:46 p.m.•5 views

CVE-2026-54283

Starlette is a lightweight ASGI framework/toolkit. From 0.4.1 until 1.3.1, request.form accepts maxfields and maxpartsize to bound resource consumption while parsing form data. These limits are enforced for multipart/form-data, but silently ignored for application/x-www-form-urlencoded. An...

7.5CVSS5.8AI score0.00275EPSS
Exploits0References1
AlpineLinux
AlpineLinux
•added 2026/06/22 4:45 p.m.•8 views

CVE-2026-54282

Starlette is a lightweight ASGI framework/toolkit. Prior to 1.3.0, the HTTP request path is not validated before being used to reconstruct request.url. Because request.url is rebuilt by concatenating scheme://hostpath and re-parsing the result, a path that does not begin with / for example...

5.3CVSS5.8AI score0.00187EPSS
Exploits0References1
AlpineLinux
AlpineLinux
•added 2026/06/22 4:31 p.m.•13 views

CVE-2026-42127

The public dashboard query endpoint does not limit request body size before processing, allowing unauthenticated attackers to trigger excessive memory allocation by sending arbitrarily large JSON payloads. This can lead to denial of service through memory exhaustion. No valid dashboard access tok...

7.5CVSS5.9AI score0.00432EPSS
Exploits0
AlpineLinux
AlpineLinux
•added 2026/06/22 4:30 p.m.•6 views

CVE-2026-50269

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to 3.14.0, attacker-controlled input included into multipart/payload headers can be used to modify a request to inject additional headers or similar. In the unlikely situation that an application is passing...

7.5CVSS5.8AI score0.00301EPSS
Exploits0
AlpineLinux
AlpineLinux
•added 2026/06/22 1:18 p.m.•6 views

CVE-2026-9029

A user with Editor permissions can place a malicious script in the attribution field of a Geomap panel's XYZ tile layer via a template variable. The script then executes in the browser of any user who views the affected dashboard stored cross-site scripting...

7.3CVSS6AI score0.0025EPSS
Exploits0
AlpineLinux
AlpineLinux
•added 2026/06/22 1:18 p.m.•5 views

CVE-2026-10601

A user with Viewer permissions can use specially crafted requests to the Tempo and Loki data source plugins to reach unintended backend endpoints. Depending on the backend configuration this can expose data source credentials, leak internal responses, or trigger administrative actions on the...

5.4CVSS6.1AI score0.00258EPSS
Exploits0
AlpineLinux
AlpineLinux
•added 2026/06/22 1:18 p.m.•5 views

CVE-2026-42129

A user with Viewer permissions can use a path traversal in the Loki data source plugin to reach administrative Loki endpoints and read sensitive backend configuration and internal service information...

7.7CVSS6.1AI score0.00394EPSS
Exploits0
AlpineLinux
AlpineLinux
•added 2026/06/21 3:58 p.m.•5 views

CVE-2026-56412

libexpat before 2.8.2 does not consider XMLTOKDATACHARS in doCdataSection and thus lacks handler call depth tracking for various calls from within handlers in cases of a policy violation. Thus, a use-after-free can occur. NOTE: this issue exists because of an incomplete fix for CVE-2026-50219...

5.9CVSS5.8AI score0.00105EPSS
Exploits0
AlpineLinux
AlpineLinux
•added 2026/06/21 3:56 p.m.•5 views

CVE-2026-56411

xmlwf in libexpat before 2.8.2 has an integer overflow in endDoctypeDecl via NOTATION declarations...

6.9CVSS5.8AI score0.0011EPSS
Exploits0
AlpineLinux
AlpineLinux
•added 2026/06/21 3:55 p.m.•6 views

CVE-2026-56410

xmlwf in libexpat before 2.8.2 has an integer overflow in resolveSystemId...

6.9CVSS5.8AI score0.0011EPSS
Exploits0
AlpineLinux
AlpineLinux
•added 2026/06/21 3:52 p.m.•8 views

CVE-2026-56409

xmlwf in libexpat before 2.8.2 has an integer overflow for the output filename when -d outputDir is used...

6.5CVSS5.8AI score0.00098EPSS
Exploits0
AlpineLinux
AlpineLinux
•added 2026/06/21 3:51 p.m.•7 views

CVE-2026-56408

libexpat before 2.8.2 has an integer overflow in copyString...

6.9CVSS5.8AI score0.00102EPSS
Exploits0
AlpineLinux
AlpineLinux
•added 2026/06/21 3:49 p.m.•6 views

CVE-2026-56407

libexpat before 2.8.2 has an integer overflow in doProlog that is related to storeEntityValue and entity textLen...

6.9CVSS5.8AI score0.00102EPSS
Exploits0
Total number of security vulnerabilities12983