Browse and filter security vulnerabilities across ecosystems
Wish has SCP Path Traversal that allows arbitrary file read/write
CVE-2026-6437
Amazon EFS CSI Driver has mount option injection via unsanitized volumeHandle and mounttargetip fields
Nhost Vulnerable to Account Takeover via OAuth Email Verification Bypass
go-git: Credential leak via cross-host redirect in smart HTTP transport
OpenTelemetry eBPF Instrumentation: Privileged Java agent injection allows arbitrary host file overwrite via untrusted TMPDIR
Dapr: Service Invocation path traversal ACL bypass
CVE-2026-5160
goldmark vulnerable to Cross-site Scripting (XSS)
CVE-2026-5807
HashiCorp Vault Vulnerable to Denial-of-Service via Unauthenticated Root Token Generation/Rekey Operations
CVE-2026-4525
HashiCorp Vault May Expose Tokens to Auth Plugins Due to Incorrect Header Sanitization
CVE-2026-5052
HashiCorp Vault has Server-Side Request Forgery in ACME Challenge Validation via Attacker-Controlled DNS
CVE-2026-3605
HashiCorp Vault has a KVv2 Metadata and Secret Deletion Policy Bypass that leads to Denial-of-Service
Istio: SSRF via RequestAuthentication jwksUri
Kyverno apiCall automatically forwards ServiceAccount token to external endpoints (credential leak)
Kyverno: ServiceAccount token leaked to external servers via apiCall service URL
Kyverno: Cross-Namespace Read Bypasses RBAC Isolation (CVE-2026-22039 Incomplete Fix)
CVE-2026-40611
ACME Lego: Arbitrary File Write via Path Traversal in Webroot HTTP-01 Provider
CVE-2026-40304
zrok: Broken ownership check in DELETE /api/v2/unaccess allows non-admin to delete global frontend records
CVE-2026-40303
zrok: Unauthenticated DoS via unbounded memory allocation in striped session cookie parsing
CVE-2026-40302
zrok: Reflected XSS in GitHub OAuth callback via unsanitized refreshInterval error rendering
CVE-2026-40173
Dgraph: Unauthenticated /debug/pprof/cmdline discloses admin auth token, enabling unauthorized access to protected Alpha admin endpoints