Lucene search
+L
VeracodeRecent

38467 matches found

Veracode
Veracode
•added 2026/05/16 5:31 a.m.•13 views

Exposure Of Sensitive Information

io.github.davidalmeidac, sealed-env-core is vulnerable to Exposure of Sensitive Information. The vulnerability is due to embedding the operator’s plaintext TOTP secret in the base64-encoded JWS payload of minted unseal tokens, which allows an attacker to decode observed tokens from logs,...

9.1CVSS5.8AI score0.00326EPSS
Exploits1References1Affected Software2
Veracode
Veracode
•added 2026/05/16 5:31 a.m.•17 views

Improper Authorization

Fleet is vulnerable to Improper Authorization. The vulnerability is due to incomplete application of ServiceAccount impersonation in certain Helm deployer code paths, which allows an attacker with git push access to read secrets from arbitrary namespaces on downstream clusters...

9.9CVSS6AI score0.00379EPSS
Exploits0References2Affected Software1
Veracode
Veracode
•added 2026/05/16 5:31 a.m.•7 views

Missing Authorization

github.com/portainer/portainer is vulnerable to Missing Authorization. The vulnerability is due to missing authorization handlers for the Docker plugin management endpoints, which allows a non-admin user with endpoint-level access to perform privileged plugin operations directly against the...

9.4CVSS5.8AI score0.00328EPSS
Exploits1References4Affected Software1
Veracode
Veracode
•added 2026/05/16 5:30 a.m.•12 views

Improper Access Control

github.com/free5gc/udr is vulnerable to Improper Access Control. The vulnerability is due to improper request handling in the Traffic Influence Subscription deletion endpoint, which allows an attacker to bypass validation and delete arbitrary subscriptions despite receiving a misleading 404...

8.7CVSS5.9AI score0.0038EPSS
Exploits1References1Affected Software1
Veracode
Veracode
•added 2026/05/16 5:30 a.m.•9 views

Missing Authentication For Critical Function

Sliver is vulnerable to Missing Authentication For Critical Function. The vulnerability is due to the DNS C2 listener allocating server-side sessions without validating TOTP values and lacking session cleanup, which allows an attacker to create excessive sessions and exhaust server memory...

7.5CVSS5.8AI score0.00407EPSS
Exploits1References4Affected Software1
Veracode
Veracode
•added 2026/05/16 5:30 a.m.•9 views

SQL Injection

Focalboard is vulnerable to SQL Injection. The vulnerability is due to improper sanitization of category IDs before they are incorporated into dynamic SQL statements, which allows an attacker to inject malicious SQL that is later executed and used to extract sensitive data from the database...

8.1CVSS5.9AI score0.00309EPSS
Exploits0References1Affected Software1
Veracode
Veracode
•added 2026/05/16 5:30 a.m.•11 views

Command Injection

uniget is vulnerable to Command Injection. The vulnerability is due to unsafe execution of the untrusted check field from metadata files through /bin/bash -c without proper validation or sanitization, which allows an attacker to execute arbitrary shell commands on the victim's system...

7.8CVSS6.2AI score0.00715EPSS
Exploits0References4Affected Software1
Veracode
Veracode
•added 2026/05/16 5:30 a.m.•6 views

SQL Injection

github.com/jackc/pgx is vulnerable to SQL Injection. The vulnerability is due to improper handling of dollar-quoted string literals when using the non-default simple protocol, which allows an attacker to inject malicious SQL queries by controlling placeholder values interpreted outside the string...

9.8CVSS5.8AI score0.00356EPSS
Exploits0References3Affected Software3
Veracode
Veracode
•added 2026/05/16 5:29 a.m.•6 views

Origin Validation Error

Dozzle is vulnerable to Origin Validation Error. The vulnerability is due to improper origin validation in the WebSocket upgrader, where connections from any origin are accepted and authenticated with the victim's JWT cookie, allowing attackers to hijack authenticated sessions and gain unauthoriz...

9.6CVSS5.8AI score0.00195EPSS
Exploits1References3Affected Software1
Veracode
Veracode
•added 2026/05/16 5:29 a.m.•16 views

Sensitive Information Exposure

com.ritense.valtimo, web is vulnerable to sensitive information exposure. The vulnerability is due to the LoggingRestClientCustomizer automatically logging full HTTP request and response details, including headers and bodies, in error messages, which allows an attacker to access sensitive...

7.6CVSS5.8AI score0.002EPSS
Exploits0References4Affected Software1
Veracode
Veracode
•added 2026/05/16 5:29 a.m.•10 views

OS Command Injection

File Browser is vulnerable to OS command injection. The vulnerability is due to unsanitized variable substitution in the hook system, where attacker-controlled filenames containing shell metacharacters are expanded into administrator-defined shell commands, allowing attackers to execute arbitrary...

7.5CVSS6.2AI score0.01922EPSS
Exploits2References3Affected Software2
Veracode
Veracode
•added 2026/05/16 5:29 a.m.•5 views

Denial Of Service (DoS)

volcano.sh/volcano is vulnerable to Denial of Service DoS. The vulnerability is due to the webhook server not enforcing a size limit on incoming HTTP request bodies, which allows an attacker with access to the in-cluster webhook endpoint to send arbitrarily large requests and cause the webhook...

7.4CVSS5.8AI score0.00173EPSS
Exploits0References2Affected Software1
Veracode
Veracode
•added 2026/05/16 5:29 a.m.•12 views

Authorization Bypass

Netmaker is vulnerable to Authorization Bypass. The vulnerability is due to improper authorization logic in the Authorize middleware, where a valid host JWT token is accepted when hostAllowed=true without verifying that the host is authorized to access the specific target resource, allowing acces...

8.6CVSS7.3AI score0.00366EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2026/05/16 5:29 a.m.•17 views

Sensitive Information Exposure

Harvester is vulnerable to Sensitive Information Exposure. The vulnerability is due to the interactive installer exposing the operating system’s default SSH login password during cluster creation or host addition, potentially allowing unauthorized access to affected systems...

9.8CVSS5.8AI score0.00473EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2026/05/16 5:29 a.m.•14 views

Improper Access Control

Rancher is vulnerable to Improper Access Control. The vulnerability is due to missing authorization checks when handling cloud-credential IDs, which allows an attacker to make unauthorized requests to cloud providers using attached credentials...

9.9CVSS7.2AI score0.00832EPSS
Exploits0References4Affected Software1
Veracode
Veracode
•added 2026/05/16 5:28 a.m.•12 views

Path Traversal

lakeFS is vulnerable to Path Traversal. The vulnerability is due to insufficient path validation in verifyRelPath within pkg/block/local/adapter.go, where strings.HasPrefix is used to validate storage paths without enforcing path boundaries. This allows authenticated users to use path traversal...

8.1CVSS5.8AI score0.0039EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2026/05/16 5:27 a.m.•14 views

Cross-site Scripting (XSS)

FileBrowser Quantum is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to improper escaping of user-controlled share metadata fields when rendered in HTML using text/template, which allows an attacker to inject and execute malicious scripts when users visit a shared URL...

8.9CVSS7.3AI score0.00347EPSS
Exploits1References5Affected Software1
Veracode
Veracode
•added 2026/05/16 5:27 a.m.•15 views

Improper Access Control

kcp is vulnerable to Improper Access Control. The vulnerability is due to the cache server being exposed without authentication or authorization controls, which allows an attacker to read from and write to the cache server if they can access the root shard...

9.1CVSS5.8AI score0.00436EPSS
Exploits1References4Affected Software1
Veracode
Veracode
•added 2026/05/16 5:27 a.m.•12 views

Use Of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

Cloudreve is vulnerable to Use of Cryptographically Weak Pseudo-Random Number Generator PRNG. The vulnerability is due to the generation of security-sensitive secrets using math/rand seeded with predictable timestamps, which allows an attacker to recover the secret key, forge JWTs, and gain...

9.8CVSS5.9AI score0.00376EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2026/05/16 5:27 a.m.•16 views

Command Injection

Arcane is vulnerable to Command Injection. The vulnerability is due to lifecycle label values such as com.getarcaneapp.arcane.lifecycle.pre-update and com.getarcaneapp.arcane.lifecycle.post-update being passed directly to /bin/sh -c without sanitization, allowing authenticated users to inject...

9CVSS5.9AI score0.01643EPSS
Exploits6References4Affected Software1
Veracode
Veracode
•added 2026/05/16 5:27 a.m.•6 views

Privilege Escalation

CloudNativePG is vulnerable to Privilege Escalation. The vulnerability is due to the metrics exporter establishing PostgreSQL sessions as the postgres superuser and relying on SET ROLE for privilege reduction, which allows an attacker to restore superuser privileges using RESET ROLE and execute...

9.9CVSS6AI score0.0048EPSS
Exploits0References9Affected Software1
Veracode
Veracode
•added 2026/05/16 5:26 a.m.•16 views

Server-Side Request Forgery (SSRF)

github.com/centrifugal/centrifug is vulnerable to Server-Side Request Forgery SSRF. The vulnerability is due to improper handling of dynamic JWKS endpoint template variables, which allows an unauthenticated attacker to craft a malicious JWT with manipulated iss or aud claims to force Centrifugo t...

9.3CVSS6.4AI score0.00258EPSS
Exploits1References3Affected Software1
Veracode
Veracode
•added 2026/05/16 5:25 a.m.•12 views

Authorization Bypass

Moby is vulnerable to Authorization Bypass. The vulnerability is due to a flaw in the authorization plugin AuthZ enforcement mechanism, allowing attackers to bypass configured authorization controls and perform actions that should have been restricted by authorization policies...

8.8CVSS7.3AI score0.08123EPSS
Exploits1References3Affected Software1
Veracode
Veracode
•added 2026/05/16 5:25 a.m.•9 views

Denial Of Service (DoS)

GoBGP is vulnerable to Denial of Service DoS. The vulnerability is due to improper validation of malformed BGP UPDATE messages during processing of 4-byte AS attributes, where an internal slice index shift can trigger an index out of range panic, causing the GoBGP process to crash...

7.5CVSS7.1AI score0.00503EPSS
Exploits1References3Affected Software1
Veracode
Veracode
•added 2026/05/16 5:25 a.m.•11 views

Server-Side Request Forgery

Arcane is vulnerable to Server-Side Request Forgery SSRF. The vulnerability is due to the /api/templates/fetch endpoint accepting a user-controlled url parameter and performing server-side HTTP requests without authentication or validation of the URL scheme and destination host, allowing...

7.2CVSS5.9AI score0.00621EPSS
Exploits1References3Affected Software1
Veracode
Veracode
•added 2026/05/16 5:25 a.m.•12 views

OS Command Injection

Fleet is vulnerable to Command Injection. The vulnerability is due to improper sanitization of software package metadata used in auto-generated uninstall scripts, allowing specially crafted package metadata to inject and execute arbitrary commands with elevated privileges root on macOS/Linux or...

9.8CVSS6AI score0.00773EPSS
Exploits0References2Affected Software1
Veracode
Veracode
•added 2026/05/16 5:25 a.m.•7 views

Path Traversal

github.com/ctfer-io/monitoring is vulnerable to a Path Traversal. The vulnerability is due to a missing trailing path separator in the strings.HasPrefix check within the sanitizeArchivePath function, which allows an attacker to perform arbitrary file writes via a crafted archive, potentially...

9.8CVSS7.1AI score0.00655EPSS
Exploits1References2Affected Software1
Veracode
Veracode
•added 2026/05/16 5:25 a.m.•17 views

Denial Of Service (DoS)

Mattermost is vulnerable to Denial of Service DoS. The vulnerability is due to improper handling of excessively long passwords during authentication, which allows an attacker to consume excessive CPU and memory resources by submitting login attempts with multi-megabyte passwords...

7.5CVSS5.2AI score0.00263EPSS
Exploits0References3Affected Software2
Veracode
Veracode
•added 2026/05/16 5:25 a.m.•12 views

Missing Authorization

github.com/argoproj/argo-workflows is vulnerable to Missing Authorization. The vulnerability is due to missing authorization checks in the Sync Service's ConfigMap-backed provider, which allows an attacker to create, read, update, and delete synchronization-related Kubernetes ConfigMaps without...

8.5CVSS5.2AI score0.00515EPSS
Exploits1References7Affected Software1
Veracode
Veracode
•added 2026/05/16 5:25 a.m.•12 views

Authentication Bypass

MinIO is vulnerable to Authentication Bypass. The vulnerability is due to missing signature verification for authTypeStreamingUnsignedTrailer requests in the Snowball auto-extract handler, which allows an attacker with knowledge of a valid access key to upload arbitrary objects without providing ...

8.8CVSS5.4AI score0.00418EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2026/05/16 5:25 a.m.•10 views

Improper Access Control

Traefik is vulnerable to Improper Access Control. The vulnerability is due to insufficient validation of TraefikService backend references ending with @internal, which allows an attacker with HTTPRoute creation permissions to access the internal REST provider and perform unauthorized configuratio...

9.9CVSS5.4AI score0.00468EPSS
Exploits1References10Affected Software3
Veracode
Veracode
•added 2026/05/16 5:25 a.m.•5 views

Out-of-bounds Read

github.com/gomarkdown/markdown is vulnerable to an Out-of-Bounds Read. The vulnerability is due to improper handling of malformed Markdown input containing a character when processed by the SmartypantsRenderer, which allows an attacker to trigger an out-of-bounds read or cause the application to...

7.5CVSS5.9AI score0.00346EPSS
Exploits1References2Affected Software1
Veracode
Veracode
•added 2026/05/16 5:25 a.m.•5 views

Improper Authorization

Kyverno is vulnerable to Improper Authorization. The vulnerability is due to missing validation of the configMap.namespace field in the ConfigMap context loader, which allows a namespace administrator to bypass RBAC restrictions and read ConfigMaps from arbitrary namespaces using Kyverno's...

7.7CVSS6AI score0.00266EPSS
Exploits2References2Affected Software1
Veracode
Veracode
•added 2026/05/16 5:25 a.m.•6 views

Insufficient Verification Of Data Authenticity

go-git is vulnerable to Insufficient Verification of Data Authenticity. The vulnerability is due to improper handling of malformed or ambiguous Git object headers and reconstructing commit data for signing and verification instead of using the original raw object bytes, which allows an attacker t...

7.5CVSS5.9AI score0.00159EPSS
Exploits0References2Affected Software3
Veracode
Veracode
•added 2026/05/16 5:25 a.m.•5 views

Server-Side Request Forgery (SSRF)

github.com/kyverno/kyvern is vulnerable to Server-Side Request Forgery SSRF. The vulnerability is due to the apiCall feature in ClusterPolicy automatically attaching the admission controller's ServiceAccount token to outbound HTTP requests without validating the destination URL, which allows an...

9.1CVSS5.8AI score0.0056EPSS
Exploits1References4Affected Software1
Veracode
Veracode
•added 2026/05/16 5:25 a.m.•6 views

Improper Input Validation

github.com/filebrowser/filebrowser/v2 is vulnerable to an improper input validation. The vulnerability is due to the Upload-Length header being parsed as a signed 64-bit integer without validating that the value is non-negative, which allows an authenticated attacker with upload permissions to...

8.1CVSS6.7AI score0.01903EPSS
Exploits1References3Affected Software1
Veracode
Veracode
•added 2026/05/16 5:24 a.m.•8 views

Server-Side Request Forgery (SSRF)

github.com/apache/skywalking-mcp is vulnerable to Server-Side Request Forgery SSRF. The vulnerability is due to improper validation of the SW-URL header, which allows an attacker to supply arbitrary URLs and force the server to send requests to unintended internal or external resources...

7.1CVSS6AI score0.00346EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2026/05/16 5:24 a.m.•6 views

Improper Input Validation

ingress-nginx is vulnerable to Improper Input Validation. The vulnerability is due to improper validation of the nginx.ingress.kubernetes.io/auth-method Ingress annotation, which allows an attacker to inject malicious NGINX configuration, achieve arbitrary code execution in the ingress-nginx...

8.8CVSS6.5AI score0.00485EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2026/05/16 5:24 a.m.•5 views

Exposure Of Sensitive Information

Portainer Community Edition is vulnerable to Exposure of Sensitive Information. The vulnerability is due to the authentication middleware accepting JWT bearer tokens through the ?token= URL query parameter, which allows an attacker to obtain authentication tokens from browser history, proxy logs,...

7.5CVSS5.8AI score0.0041EPSS
Exploits1References2Affected Software1
Veracode
Veracode
•added 2026/05/16 5:24 a.m.•5 views

Arbitrary File Read

go-getter is vulnerable to Arbitrary File Read. The vulnerability is due to improper validation of maliciously crafted Git URLs during certain Git operations, where specially crafted URLs can access unintended file system paths, allowing attackers to read arbitrary files on the host system...

7.5CVSS6.1AI score0.00583EPSS
Exploits1References7Affected Software1
Veracode
Veracode
•added 2026/05/16 5:24 a.m.•4 views

Denial Of Service

github.com/hashicorp/boundary is vulnerable to denial of service. The vulnerability is due to improper handling of TLS handshakes during worker node enrollment, where an attacker can delay or withhold the client certificate to block connection handling, allowing legitimate worker connections to b...

7.5CVSS5.7AI score0.002EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2026/05/16 5:24 a.m.•5 views

OS Command Injection

PicoClaw is vulnerable to OS Command Injection. The vulnerability is due to insufficient validation and sanitization of input in the /api/gateway/restart endpoint of the Web Launcher Management Plane, which allows a remote attacker to inject and execute arbitrary system commands on the underlying...

9.8CVSS7.5AI score0.03132EPSS
Exploits1References5Affected Software1
Veracode
Veracode
•added 2026/05/16 5:23 a.m.•5 views

Local File Inclusion (LFI)

github.com/esm-dev/esm.sh is vulnerable to Local File Inclusion. The vulnerability is due to improper handling of the browser field in package.json by the esbuild plugin, which allows an attacker to publish a malicious npm package that causes the server to read and return arbitrary files from the...

7.5CVSS6AI score0.00321EPSS
Exploits0References2Affected Software1
Veracode
Veracode
•added 2026/05/16 5:23 a.m.•5 views

Improper Access Control

Kata Containers is vulnerable to Improper Access Control. The vulnerability is due to an oversight in the CopyFile policy and/or handler, which allows an untrusted host to write files to arbitrary locations within the guest workload image, enabling an attacker to overwrite binaries, compromise...

8.8CVSS6AI score0.00269EPSS
Exploits0References9Affected Software1
Veracode
Veracode
•added 2026/05/16 5:23 a.m.•5 views

Server-Side Request Forgery (SSRF)

github.com/zalando/skipper is vulnerable to Server-Side Request Forgery SSRF. The vulnerability is due to insufficient restrictions on Kubernetes ExternalName services when Skipper is used as an Ingress controller, which allows an attacker with permissions to create an Ingress and an ExternalName...

8.1CVSS5.8AI score0.00267EPSS
Exploits0References3Affected Software1
Veracode
Veracode
•added 2026/05/16 5:23 a.m.•8 views

Denial Of Service (DoS)

github.com/hashicorp/vault is vulnerable to Denial of ServiceDoS. The vulnerability is due to insufficient access controls on root token generation and rekey operations, which allows an unauthenticated attacker to repeatedly initiate or cancel these operations, occupying the single available...

7.5CVSS5.9AI score0.00718EPSS
Exploits0References6Affected Software1
Veracode
Veracode
•added 2026/05/16 5:23 a.m.•7 views

Improper Enforcement Of Security Restrictions

github.com/portainer/portainer is vulnerable to improper enforcement of security restrictions. The vulnerability is due to inconsistent enforcement of configured EndpointSecuritySettings on the Docker Swarm service API, which allows an attacker to bypass administrator-defined container security...

9.4CVSS5.8AI score0.00347EPSS
Exploits1References7Affected Software1
Veracode
Veracode
•added 2026/05/16 5:23 a.m.•6 views

Sensitive Information Exposure

Portainer Community Edition is vulnerable to Exposure of Sensitive Information. The vulnerability is due to the authentication middleware accepting JWT bearer tokens through the ?token= URL query parameter, which allows an attacker to obtain authentication tokens from browser history, proxy logs,...

7.7CVSS5.8AI score0.00316EPSS
Exploits1References4Affected Software1
Veracode
Veracode
•added 2026/05/16 5:23 a.m.•19 views

Improper Privilege Management

OpenClaude is vulnerable to improper privilege management. The vulnerability is due to the dangerouslyDisableSandbox parameter being exposed in the BashTool input schema, which allows an attacker to use a prompt-injected LLM to disable the sandbox and execute arbitrary commands on the host system...

9.8CVSS6.1AI score0.00544EPSS
Exploits1References2Affected Software1
Veracode
Veracode
•added 2026/05/16 5:23 a.m.•7 views

Improper Input Validation

github.com/free5gc/udm is vulnerable to improper input validation. The vulnerability is due to the UDM component failing to validate the SUPI path parameter in multiple nudm-sdm GET handlers, which allows an unauthenticated attacker to inject control characters, forward malformed requests to the...

8.7CVSS5.8AI score0.00324EPSS
Exploits1References1Affected Software1
Total number of security vulnerabilities38467