CVSS 3.1 score: 8.2

CVE-2026-28406 - kaniko has tar archive path traversal in build context extraction allows writing files outside dest…

kaniko is a tool to build container images from a Dockerfile, inside a container or Kubernetes cluster. Starting in version 1.25.4 and prior to version 1.25.10, kaniko unpacks build context archives using `filepath.Join(dest, cleanedName)` without enforcing that the final path stays within `dest`. …

📅 Published: Feb. 27, 2026, 9:20 p.m. 🔄 Last Modified: Feb. 27, 2026, 9:20 p.m.

CVSS 3.1 score: 7.1

CVE-2026-28402 - nimiq/core-rs-albatross's nimiq-blockchain missing proposal body root verification

nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.2.2, a malicious or compromised validator that is elected as proposer can publish a macro block proposal where `header.body_root` does not match the a…

📅 Published: Feb. 27, 2026, 9:08 p.m. 🔄 Last Modified: Feb. 27, 2026, 9:08 p.m.

CVSS 3.1 score: 7.6

CVE-2026-28400 - Docker Model Runner Unauthenticated Runtime Flag Injection via _configure Endpoint

Docker Model Runner (DMR) is software used to manage, run, and deploy AI models using Docker. Versions prior to 1.0.16 expose a POST `/engines/_configure` endpoint that accepts arbitrary runtime flags without authentication. These flags are passed directly to the underlying inference server (llam…

📅 Published: Feb. 27, 2026, 9:06 p.m. 🔄 Last Modified: Feb. 27, 2026, 9:06 p.m.

CVSS 4.0 score: 1.3

CVE-2026-28355 - "PWA" Canarytoken Vulnerable to Stored Self Cross-Site Scripting

Canarytokens help track activity and actions on a network. Versions prior to `sha-7ff0e12` have a Self Cross-Site Scripting vulnerability in the "PWA" Canarytoken, whereby the Canarytoken's creator can attack themselves or someone they share the link with. The creator of a PWA Canarytoken can inser…

📅 Published: Feb. 27, 2026, 9:04 p.m. 🔄 Last Modified: Feb. 27, 2026, 9:04 p.m.

CVSS 3.1 score: 6.5

CVE-2026-28352 - Indico missing access check in event series management API

Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. In versions prior to 3.3.11, the API endpoint used to manage event series is missing an access check, allowing unauthenticated/unauthorized access to this endpoint. The impact of this is…

📅 Published: Feb. 27, 2026, 9:01 p.m. 🔄 Last Modified: Feb. 27, 2026, 9:01 p.m.

CVSS 4.0 score: 6.9

CVE-2026-28351 - Manipulated RunLengthDecode streams can exhaust RAM

pypdf is a free and open-source pure-python PDF library. Prior to version 6.7.4, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the content stream using the RunLengthDecode filter. This has been fixed in pypdf 6.7.4. As a workaround,…

📅 Published: Feb. 27, 2026, 8:59 p.m. 🔄 Last Modified: Feb. 27, 2026, 8:59 p.m.

CVSS 3.1 score: 6.8

CVE-2026-28338 - PMD Designer has Stored XSS in VBHTMLRenderer and YAHTMLRenderer via unescaped violation messages

PMD is an extensible multilanguage static code analyzer. Prior to version 7.22.0, PMD's `vbhtml` and `yahtml` report formats insert rule violation messages into HTML output without escaping. When PMD analyzes untrusted source code containing crafted string literals, the generated HTML report contai…

📅 Published: Feb. 27, 2026, 8:28 p.m. 🔄 Last Modified: Feb. 27, 2026, 8:28 p.m.

CVSS 4.0 score: 5.5

CVE-2026-28288 - Dify has a user enumeration issue

Dify is an open-source LLM app development platform. Prior to 1.9.0, responses from the Dify API to existing and non-existent accounts differ, allowing an attacker to enumerate email addresses registered with Dify. Version 1.9.0 fixes the issue.

📅 Published: Feb. 27, 2026, 8:25 p.m. 🔄 Last Modified: Feb. 27, 2026, 8:25 p.m.

CVSS 3.1 score: 8.1

CVE-2026-28272 - Kiteworks Email Protection Gateway has a Cross-site Scripting vulnerability

Kiteworks is a private data network (PDN). Prior to version 9.2.0, a vulnerability in Kiteworks Email Protection Gateway allows authenticated administrators to inject malicious scripts through a configuration interface. The stored script executes when users interact with the affected user interface…

📅 Published: Feb. 27, 2026, 8:22 p.m. 🔄 Last Modified: Feb. 27, 2026, 8:22 p.m.

CVSS 3.1 score: 6.5

CVE-2026-28271 - Kiteworks Core is vulnerable to Server-Side Request Forgery (SSRF)

Kiteworks is a private data network (PDN). Prior to version 9.2.0, a vulnerability in Kiteworks configuration functionality allows bypassing of SSRF protections through DNS rebinding attacks. Malicious administrators could exploit this to access internal services that should be restricted. Version …

📅 Published: Feb. 27, 2026, 8:21 p.m. 🔄 Last Modified: Feb. 27, 2026, 8:21 p.m.