6.5
CVE-2026-33459 - Uncontrolled Resource Consumption in Kibana Leading to Denial of Service
Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user with access to the automatic import feature can submit specially crafted requests with excessively large input values. When multiple such requests are sentβ¦
4.3
CVE-2026-33460 - Incorrect Authorization in Kibana Fleet Leading to Information Disclosure
Incorrect Authorization (CWE-863) in Kibana can lead to cross-space information disclosure via Privilege Abuse (CAPEC-122). A user with Fleet agent management privileges in one Kibana space can retrieve Fleet Server policy details from other spaces through an internal enrollment endpoint. The endpoβ¦
5.3
CVE-2025-14243 - Mirror-registry: openshift mirror registry: user enumeration via authentication error messages
A flaw was found in the OpenShift Mirror Registry. This vulnerability allows an unauthenticated, remote attacker to enumerate valid usernames and email addresses via different error messages during authentication failures and account creation.
7.7
CVE-2026-33461 - Incorrect Authorization in Kibana Fleet Leading to Information Disclosure
Incorrect Authorization (CWE-863) in Kibana can lead to information disclosure via Privilege Abuse (CAPEC-122). A user with limited Fleet privileges can exploit an internal API endpoint to retrieve sensitive configuration data, including private keys and authentication tokens, that should only be aβ¦
7.7
CVE-2026-4498 - Execution with Unnecessary Privileges in Kibana Leading to reading index data beyond their direct Eβ¦
Execution with Unnecessary Privileges (CWE-250) in Kibanaβs Fleet plugin debug route handlers can lead reading index data beyond their direct Elasticsearch RBAC scope via Privilege Abuse (CAPEC-122). This requires an authenticated Kibana user with Fleet sub-feature privileges (such as agents, agentβ¦
6.5
CVE-2026-2377 - Mirror-registry: quay: quay: server-side request forgery via log export functionality
A flaw was found in mirror-registry. Authenticated users can exploit the log export feature by providing a specially crafted web address (URL). This allows the application's backend to make arbitrary requests to internal network resources, a vulnerability known as Server-Side Request Forgery (SSRF)β¦
6.6
CVE-2026-4837 - Eval Injection in Rapid7 Insight Agent
An eval() injection vulnerability in the Rapid7 Insight Agent beaconing logic for Linux versions could theoretically allow an attacker to achieve remote code execution as root via a crafted beacon response. Because the Agent uses mutual TLS (mTLS) to verify commands from the Rapid7 Platform, it is β¦
6.2
CVE-2026-33753 - Improper Certificate Validation in rfc3161-client
rfc3161-client is a Python library implementing the Time-Stamp Protocol (TSP) described in RFC 3161. Prior to 1.0.6, an Authorization Bypass vulnerability in rfc3161-client's signature verification allows any attacker to impersonate a trusted TimeStamping Authority (TSA). By exploiting a logic flawβ¦
8.6
CVE-2026-33229 - XWiki Platform affected by remote code execution with script right through unprotected Velocity scrβ¦
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.4.8 and 17.10.1, an improperly protected scripting API allows any user with script right to bypass the sandboxing of the Velocity scripting API and execute, e.g., arbitrary Python scβ¦
4.8
CVE-2026-39410 - Hono has a non-breaking space prefix bypass in cookie name handling in getCookie()
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a discrepancy between browser cookie parsing and parse() handling allows cookie prefix protections to be bypassed. Cookie names that are treated as distinct by the browser may be normalized to thβ¦