Nixpkgs security tracker

Login with GitHub

Published issues

All published security issues are tracked and resolved on GitHub.

NIXPKGS-2026-2018
published 1 day, 5 hours ago
Bytes::Random::Secure::Tiny versions through 1.011 for Perl share internal state across forked processes
Permalink CVE-2026-11702
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 1 day, 5 hours ago by @LeSuisse Activity log
  • Created suggestion 1 day, 11 hours ago
  • @LeSuisse accepted 1 day, 6 hours ago
  • @LeSuisse published on GitHub 1 day, 5 hours ago

Bytes::Random::Secure::Tiny versions through 1.011 for Perl share internal state across forked processes

Bytes-Random-Secure-Tiny
  • =<1.011
NIXPKGS-2026-2017
published 1 day, 5 hours ago
Bytes::Random::Secure versions through 0.29 for Perl share internal state across forked processes
Permalink CVE-2026-11625
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 1 day, 5 hours ago by @LeSuisse Activity log
  • Created suggestion 1 day, 11 hours ago
  • @LeSuisse ignored
    4 packages
    • perlPackages.BytesRandomSecureTiny
    • perl540Packages.BytesRandomSecureTiny
    • perl538Packages.BytesRandomSecureTiny
    • perl5Packages.BytesRandomSecureTiny
    1 day, 6 hours ago
  • @LeSuisse accepted 1 day, 6 hours ago
  • @LeSuisse published on GitHub 1 day, 5 hours ago

Bytes::Random::Secure versions through 0.29 for Perl share internal state across forked processes

Bytes-Random-Secure
  • =<0.29
NIXPKGS-2026-2016
published 1 day, 5 hours ago
Dragonfly: RESTORE operations may crash the server
Permalink CVE-2026-54341
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 1 day, 5 hours ago by @LeSuisse Activity log
  • Created suggestion 1 day, 11 hours ago
  • @LeSuisse ignored
    4 packages
    • dragonfly-reverb
    • python312Packages.dragonfly
    • python313Packages.dragonfly
    • python314Packages.dragonfly
    1 day, 5 hours ago
  • @LeSuisse accepted 1 day, 5 hours ago
  • @LeSuisse published on GitHub 1 day, 5 hours ago

Dragonfly: RESTORE operations may crash the server

dragonfly
  • ==< 1.39.0
NIXPKGS-2026-2015
published 1 day, 5 hours ago
libnfs through 6.0.2 before 935b8db has an xid integer underflow …
Permalink CVE-2026-57918
7.1 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): Low (L)
updated 1 day, 5 hours ago by @LeSuisse Activity log
  • Created suggestion 1 day, 11 hours ago
  • @LeSuisse accepted 1 day, 5 hours ago
  • @LeSuisse published on GitHub 1 day, 5 hours ago

libnfs through 6.0.2 before 935b8db has an xid integer underflow …

libnfs
  • <935b8db712b3c6649bc57ddc276526c4a31680de
NIXPKGS-2026-2014
published 1 day, 5 hours ago
GitHub MCP Server: Lockdown mode singleton in HTTP server causes cross-user GraphQL client confusion
Permalink CVE-2026-48529
6.0 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 1 day, 5 hours ago by @LeSuisse Activity log
  • Created suggestion 1 day, 11 hours ago
  • @LeSuisse accepted 1 day, 5 hours ago
  • @LeSuisse published on GitHub 1 day, 5 hours ago

GitHub MCP Server: Lockdown mode singleton in HTTP server causes cross-user GraphQL client confusion

github-mcp-server
  • ==>= 0.22.0, < 1.1.2 
Needs a backport
NIXPKGS-2026-2013
published 1 day, 5 hours ago
Podman: Malformed Image can trick podman run into leaking host environment variables into the container
Permalink CVE-2026-57231
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 1 day, 5 hours ago by @LeSuisse Activity log
  • Created suggestion 1 day, 11 hours ago
  • @LeSuisse ignored
    9 packages
    • podman-tui
    • podman-bootc
    • cockpit-podman
    • podman-compose
    • podman-desktop
    • nomad-driver-podman
    • python312Packages.podman
    • python313Packages.podman
    • python314Packages.podman
    1 day, 5 hours ago
  • @LeSuisse accepted 1 day, 5 hours ago
  • @LeSuisse published on GitHub 1 day, 5 hours ago

Podman: Malformed Image can trick podman run into leaking host environment variables into the container

podman
  • ==>= 1.8.1, < 5.8.4
NIXPKGS-2026-2012
published 1 day, 5 hours ago
python3Packages.kestra: security issues < 1.3.24
Permalink CVE-2026-48129
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): Low (L)
updated 1 day, 5 hours ago by @LeSuisse Activity log
  • Created suggestion 1 week, 1 day ago
  • @LeSuisse accepted 1 day, 5 hours ago
  • @LeSuisse published on GitHub 1 day, 5 hours ago

Kestra task inputFiles accepts traversal filenames for worker file writes

kestra
  • ==< 1.0.43
  • ==>= 1.3.0, < 1.3.19
  • ==>= 1.2.0, < 1.2.19
  • ==>= 1.1.0, < 1.1.19
Permalink CVE-2026-49984
7.7 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 1 day, 5 hours ago by @LeSuisse Activity log
  • Created suggestion 1 day, 11 hours ago
  • @LeSuisse accepted 1 day, 5 hours ago
  • @LeSuisse published on GitHub 1 day, 5 hours ago

Kestra: Path traversal in `LocalStorage` allows any authenticated user to read arbitrary server files via the execution file-download API (`\..\` bypasses the `..` guard)

kestra
  • ==< 1.0.45
  • ==>= 1.1.0, < 1.3.23
Permalink CVE-2026-49869
10.0 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 1 day, 5 hours ago by @LeSuisse Activity log
  • Created suggestion 1 day, 11 hours ago
  • @LeSuisse accepted 1 day, 5 hours ago
  • @LeSuisse published on GitHub 1 day, 5 hours ago

Kestra: Unauthenticated Remote Code Execution via Authentication Bypass in `AuthenticationFilter`

kestra
  • ==< 1.0.45
  • ==>= 1.1.0, < 1.3.21
Permalink CVE-2026-45807
7.7 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 1 day, 5 hours ago by @LeSuisse Activity log
  • Created suggestion 1 day, 11 hours ago
  • @LeSuisse accepted 1 day, 5 hours ago
  • @LeSuisse published on GitHub 1 day, 5 hours ago

Kestra: Path traversal via URL-encoded "%2E%2E" in execution and namespace file endpoints allows arbitrary file read

kestra
  • ==< 1.0.43
  • ==>= 1.1.0, < 1.3.19
Permalink CVE-2026-55069
8.7 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 1 day, 5 hours ago by @LeSuisse Activity log
  • Created suggestion 1 day, 11 hours ago
  • @LeSuisse accepted 1 day, 5 hours ago
  • @LeSuisse published on GitHub 1 day, 5 hours ago

Kestra BasicAuth Password Stored as SHA-512 Enables Offline Brute-Force Attack

kestra
  • ==< 1.3.24
Permalink CVE-2026-53576
10.0 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 1 day, 5 hours ago by @LeSuisse Activity log
  • Created suggestion 1 day, 11 hours ago
  • @LeSuisse accepted 1 day, 5 hours ago
  • @LeSuisse published on GitHub 1 day, 5 hours ago

Kestra: Unauthenticated RCE via /configs path-suffix auth-filter bypass

kestra
  • ==< 1.0.45
  • ==>= 1.1.0, < 1.3.21
Permalink CVE-2026-53577
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 1 day, 5 hours ago by @LeSuisse Activity log
  • Created suggestion 1 day, 11 hours ago
  • @LeSuisse accepted 1 day, 5 hours ago
  • @LeSuisse published on GitHub 1 day, 5 hours ago

Kestra: Cross-Execution File Read via Preview Endpoint (IDOR)

kestra
  • ==< 1.0.45
  • ==>= 1.1.0, < 1.3.21
NIXPKGS-2026-2011
published 1 day, 5 hours ago
mise: security issues < 2026.6.4
Permalink CVE-2026-55448
6.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 1 day, 5 hours ago by @LeSuisse Activity log
  • Created suggestion 1 day, 11 hours ago
  • @LeSuisse ignored
    10 packages
    • ocamlPackages.promise_jsoo
    • python312Packages.heatmiserv3
    • python313Packages.heatmiserv3
    • python314Packages.heatmiserv3
    • haskellPackages.unsafe-promises
    • ocamlPackages_latest.promise_jsoo
    • python313Packages.promise
    • haskellPackages.promises
    • python312Packages.promise
    • python314Packages.promise
    1 day, 5 hours ago
  • @LeSuisse accepted 1 day, 5 hours ago
  • @LeSuisse published on GitHub 1 day, 5 hours ago

mise: Local credential_command executes untrusted config

mise
  • ==< 2026.6.4
Permalink CVE-2026-54557
5.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 1 day, 5 hours ago by @LeSuisse Activity log
  • Created suggestion 1 day, 11 hours ago
  • @LeSuisse ignored
    10 packages
    • haskellPackages.promises
    • python312Packages.promise
    • python313Packages.promise
    • python314Packages.promise
    • ocamlPackages.promise_jsoo
    • python312Packages.heatmiserv3
    • python313Packages.heatmiserv3
    • python314Packages.heatmiserv3
    • haskellPackages.unsafe-promises
    • ocamlPackages_latest.promise_jsoo
    1 day, 5 hours ago
  • @LeSuisse accepted 1 day, 5 hours ago
  • @LeSuisse published on GitHub 1 day, 5 hours ago

mise HTTP backend uses raw version path for install symlink destination

mise
  • ==< 2026.6.1
Permalink CVE-2026-55441
8.6 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Local (L)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 1 day, 5 hours ago by @LeSuisse Activity log
  • Created suggestion 1 day, 11 hours ago
  • @LeSuisse ignored
    10 packages
    • haskellPackages.promises
    • python314Packages.promise
    • ocamlPackages.promise_jsoo
    • python312Packages.heatmiserv3
    • python313Packages.heatmiserv3
    • python314Packages.heatmiserv3
    • haskellPackages.unsafe-promises
    • ocamlPackages_latest.promise_jsoo
    • python313Packages.promise
    • python312Packages.promise
    1 day, 5 hours ago
  • @LeSuisse accepted 1 day, 5 hours ago
  • @LeSuisse published on GitHub 1 day, 5 hours ago

mise: Arbitrary command execution via task-include files in an untrusted, config-less repository

mise
  • ==< 2026.6.4
NIXPKGS-2026-2010
published 1 day, 5 hours ago
You track: security issues < 2026.2.16593
Permalink CVE-2026-49370
3.4 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 1 day, 5 hours ago by @LeSuisse Activity log
  • Created suggestion 4 weeks, 1 day ago
  • @LeSuisse accepted 1 day, 5 hours ago
  • @LeSuisse published on GitHub 1 day, 5 hours ago

In JetBrains YouTrack before 2026.1.13162 information disclosure was possible on …

YouTrack
  • <2026.1.13162
Permalink CVE-2026-57926
2.6 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 1 day, 5 hours ago by @LeSuisse Activity log
  • Created suggestion 1 day, 11 hours ago
  • @LeSuisse accepted 1 day, 5 hours ago
  • @LeSuisse published on GitHub 1 day, 5 hours ago

In JetBrains YouTrack before 2026.2.16593 the websandbox bridge was vulnerable …

YouTrack
  • <2026.2.16593
Permalink CVE-2026-57925
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 1 day, 5 hours ago by @LeSuisse Activity log
  • Created suggestion 1 day, 11 hours ago
  • @LeSuisse accepted 1 day, 5 hours ago
  • @LeSuisse published on GitHub 1 day, 5 hours ago

In JetBrains YouTrack before 2026.2.16593 improper access control allowed reading …

YouTrack
  • <2026.2.16593
Permalink CVE-2026-57924
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 1 day, 5 hours ago by @LeSuisse Activity log
  • Created suggestion 1 day, 11 hours ago
  • @LeSuisse accepted 1 day, 6 hours ago
  • @LeSuisse published on GitHub 1 day, 5 hours ago

In JetBrains YouTrack before 2026.2.16593 default role configuration exposed excessive …

YouTrack
  • <2026.2.16593
Permalink CVE-2026-57922
3.1 LOW
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 1 day, 5 hours ago by @LeSuisse Activity log
  • Created suggestion 1 day, 11 hours ago
  • @LeSuisse accepted 1 day, 5 hours ago
  • @LeSuisse published on GitHub 1 day, 5 hours ago

In JetBrains YouTrack before 2026.2.16593 project settings disclosure via the …

YouTrack
  • <2026.2.16593
Permalink CVE-2026-57923
5.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 1 day, 5 hours ago by @LeSuisse Activity log
  • Created suggestion 1 day, 11 hours ago
  • @LeSuisse accepted 1 day, 6 hours ago
  • @LeSuisse published on GitHub 1 day, 5 hours ago

In JetBrains YouTrack before 2026.2.16593 improper authorisation in the app …

YouTrack
  • <2026.2.16593
Permalink CVE-2026-57921
4.3 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 1 day, 5 hours ago by @LeSuisse Activity log
  • Created suggestion 1 day, 11 hours ago
  • @LeSuisse accepted 1 day, 6 hours ago
  • @LeSuisse published on GitHub 1 day, 5 hours ago

In JetBrains YouTrack before 2026.2.16593 improper access control allowed reading …

YouTrack
  • <2026.2.16593
NIXPKGS-2026-2009
published 1 day, 6 hours ago
envoy, envoy-bin: security issues < 1.36.9, < 1.38.3, < 1.37.5
Permalink CVE-2026-47207
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 1 day, 6 hours ago by @LeSuisse Activity log
  • Created suggestion 1 day, 11 hours ago
  • @LeSuisse ignored
    10 packages
    • opa-envoy-plugin
    • python312Packages.envoy-utils
    • python313Packages.envoy-utils
    • python314Packages.envoy-utils
    • python312Packages.envoy-reader
    • python313Packages.envoy-reader
    • python314Packages.envoy-reader
    • python313Packages.envoy-data-plane
    • python314Packages.envoy-data-plane
    • home-assistant-component-tests.enphase_envoy
    1 day, 6 hours ago
  • @LeSuisse accepted 1 day, 6 hours ago
  • @LeSuisse published on GitHub 1 day, 6 hours ago

Envoy crashes if multiple unexpected ext_proc responses are packed into one gRPC message

envoy
  • ==>= 1.37.0, < 1.37.5
  • ==>= 1.34.0, < 1.35.13
  • ==>= 1.36.0, < 1.36.9
  • ==>= 1.38.0, < 1.38.3
Permalink CVE-2026-47205
5.9 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 1 day, 6 hours ago by @LeSuisse Activity log
  • Created suggestion 1 day, 11 hours ago
  • @LeSuisse ignored
    10 packages
    • home-assistant-component-tests.enphase_envoy
    • python314Packages.envoy-data-plane
    • python314Packages.envoy-reader
    • python313Packages.envoy-reader
    • python312Packages.envoy-reader
    • python314Packages.envoy-utils
    • python313Packages.envoy-utils
    • python312Packages.envoy-utils
    • python313Packages.envoy-data-plane
    • opa-envoy-plugin
    1 day, 6 hours ago
  • @LeSuisse accepted 1 day, 6 hours ago
  • @LeSuisse published on GitHub 1 day, 6 hours ago

Envoy: ext_authz Use-After-Free during Stream Teardown with Per-Route Overrides

envoy
  • ==>= 1.37.0, < 1.37.5
  • ==>= 1.36.0, < 1.36.9
  • ==>= 1.38.0, < 1.38.3
Permalink CVE-2026-47778
4.4 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 1 day, 6 hours ago by @LeSuisse Activity log
  • Created suggestion 1 day, 11 hours ago
  • @LeSuisse ignored
    10 packages
    • opa-envoy-plugin
    • python312Packages.envoy-utils
    • python313Packages.envoy-utils
    • python312Packages.envoy-reader
    • python313Packages.envoy-reader
    • python314Packages.envoy-reader
    • python313Packages.envoy-data-plane
    • home-assistant-component-tests.enphase_envoy
    • python314Packages.envoy-data-plane
    • python314Packages.envoy-utils
    1 day, 6 hours ago
  • @LeSuisse accepted 1 day, 6 hours ago
  • @LeSuisse published on GitHub 1 day, 6 hours ago

Envoy: Embedded NUL in TLS DNS SAN Truncation in the Default TLS Certificate Validator. (Auth Bypass)

envoy
  • ==< 1.35.11
  • ==>= 1.36.0, < 1.36.7
  • ==>= 1.38.0, < 1.38.1
  • ==>= 1.37.0, < 1.37.3
Permalink CVE-2026-48497
5.9 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 1 day, 6 hours ago by @LeSuisse Activity log
  • Created suggestion 1 day, 11 hours ago
  • @LeSuisse ignored
    10 packages
    • opa-envoy-plugin
    • python312Packages.envoy-utils
    • python314Packages.envoy-utils
    • python312Packages.envoy-reader
    • python313Packages.envoy-reader
    • python314Packages.envoy-reader
    • home-assistant-component-tests.enphase_envoy
    • python314Packages.envoy-data-plane
    • python313Packages.envoy-data-plane
    • python313Packages.envoy-utils
    1 day, 6 hours ago
  • @LeSuisse accepted 1 day, 6 hours ago
  • @LeSuisse published on GitHub 1 day, 6 hours ago

Envoy: Abnormal process termination in DNS UDP filter

envoy
  • ==< 1.35.11
  • ==>= 1.36.0, < 1.36.7
  • ==>= 1.38.0, < 1.38.1
  • ==>= 1.37.0, < 1.37.3
Permalink CVE-2026-48042
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 1 day, 6 hours ago by @LeSuisse Activity log
  • Created suggestion 1 day, 11 hours ago
  • @LeSuisse ignored
    10 packages
    • opa-envoy-plugin
    • python314Packages.envoy-utils
    • python312Packages.envoy-reader
    • python314Packages.envoy-data-plane
    • home-assistant-component-tests.enphase_envoy
    • python313Packages.envoy-data-plane
    • python314Packages.envoy-reader
    • python313Packages.envoy-reader
    • python313Packages.envoy-utils
    • python312Packages.envoy-utils
    1 day, 6 hours ago
  • @LeSuisse accepted 1 day, 6 hours ago
  • @LeSuisse published on GitHub 1 day, 6 hours ago

Envoy: Stack overflow in destructor of highly nested JSON

envoy
  • ==< 1.35.11
  • ==>= 1.36.0, < 1.36.7
  • ==>= 1.38.0, < 1.38.1
  • ==>= 1.37.0, < 1.37.3
Permalink CVE-2026-48706
5.9 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 1 day, 6 hours ago by @LeSuisse Activity log
  • Created suggestion 1 day, 11 hours ago
  • @LeSuisse ignored
    10 packages
    • home-assistant-component-tests.enphase_envoy
    • python314Packages.envoy-data-plane
    • python313Packages.envoy-data-plane
    • python314Packages.envoy-reader
    • python313Packages.envoy-reader
    • python312Packages.envoy-reader
    • python314Packages.envoy-utils
    • python313Packages.envoy-utils
    • python312Packages.envoy-utils
    • opa-envoy-plugin
    1 day, 6 hours ago
  • @LeSuisse accepted 1 day, 6 hours ago
  • @LeSuisse published on GitHub 1 day, 6 hours ago

Envoy Heap Buffer Overflow in TcpStatsdSink

envoy
  • ==>= 1.37.0, < 1.37.5
  • ==>= 1.34.0, < 1.35.13
  • ==>= 1.38.0, < 1.38.3
  • ==>= 1.36.0, < 1.36.9
Permalink CVE-2026-48743
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 1 day, 6 hours ago by @LeSuisse Activity log
  • Created suggestion 1 day, 11 hours ago
  • @LeSuisse ignored
    10 packages
    • opa-envoy-plugin
    • python312Packages.envoy-utils
    • python313Packages.envoy-utils
    • python314Packages.envoy-utils
    • python312Packages.envoy-reader
    • python313Packages.envoy-reader
    • python314Packages.envoy-reader
    • python313Packages.envoy-data-plane
    • python314Packages.envoy-data-plane
    • home-assistant-component-tests.enphase_envoy
    1 day, 6 hours ago
  • @LeSuisse accepted 1 day, 6 hours ago
  • @LeSuisse published on GitHub 1 day, 6 hours ago

Envoy: HTTP/3 to HTTP/1 request smuggling via headers-only request with nonzero Content-Length

envoy
  • ==>= 1.35.0, < 1.35.11
  • ==>= 1.36.0, < 1.36.7
  • ==>= 1.38.0, < 1.38.1
  • ==>= 1.37.0, < 1.37.3
Permalink CVE-2026-47692
4.8 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Adjacent (A)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): None (N)
  • Scope (S): Changed (C)
  • Confidentiality (C): None (N)
  • Integrity (I): Low (L)
  • Availability (A): Low (L)
  • Modified Attack Vector (MAV): Adjacent (A)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): High (H)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): Low (L)
updated 1 day, 6 hours ago by @LeSuisse Activity log
  • Created suggestion 1 day, 11 hours ago
  • @LeSuisse ignored
    10 packages
    • opa-envoy-plugin
    • python312Packages.envoy-utils
    • python313Packages.envoy-utils
    • python314Packages.envoy-utils
    • python312Packages.envoy-reader
    • python313Packages.envoy-reader
    • python314Packages.envoy-reader
    • python313Packages.envoy-data-plane
    • python314Packages.envoy-data-plane
    • home-assistant-component-tests.enphase_envoy
    1 day, 6 hours ago
  • @LeSuisse accepted 1 day, 6 hours ago
  • @LeSuisse published on GitHub 1 day, 6 hours ago

Envoy: PROXY Protocol v2 header generator emits "skipped" TLVs, causing 65 KB attacker-controlled spillover into the upstream application stream

envoy
  • ==>= 1.37.0, < 1.37.5
  • ==>= 1.34.0, < 1.35.13
  • ==>= 1.36.0, < 1.36.9
  • ==>= 1.38.0, < 1.38.3
Permalink CVE-2026-47204
6.5 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): Low (L)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): Low (L)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 1 day, 6 hours ago by @LeSuisse Activity log
  • Created suggestion 1 day, 11 hours ago
  • @LeSuisse ignored
    10 packages
    • opa-envoy-plugin
    • python312Packages.envoy-utils
    • home-assistant-component-tests.enphase_envoy
    • python314Packages.envoy-data-plane
    • python313Packages.envoy-data-plane
    • python314Packages.envoy-reader
    • python313Packages.envoy-reader
    • python312Packages.envoy-reader
    • python314Packages.envoy-utils
    • python313Packages.envoy-utils
    1 day, 6 hours ago
  • @LeSuisse accepted 1 day, 6 hours ago
  • @LeSuisse published on GitHub 1 day, 6 hours ago

Envoy: grpc_stats filter segfault on Connect protocol requests to direct_response routes

envoy
  • ==>= 1.37.0, < 1.37.5
  • ==>= 1.26.0, < 1.35.13
  • ==>= 1.36.0, < 1.36.9
  • ==>= 1.38.0, < 1.38.3
Permalink CVE-2026-47775
6.8 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 1 day, 6 hours ago by @LeSuisse Activity log
  • Created suggestion 1 day, 11 hours ago
  • @LeSuisse ignored
    10 packages
    • opa-envoy-plugin
    • python312Packages.envoy-utils
    • python313Packages.envoy-utils
    • python314Packages.envoy-utils
    • python312Packages.envoy-reader
    • python313Packages.envoy-reader
    • python314Packages.envoy-reader
    • python313Packages.envoy-data-plane
    • python314Packages.envoy-data-plane
    • home-assistant-component-tests.enphase_envoy
    1 day, 6 hours ago
  • @LeSuisse accepted 1 day, 6 hours ago
  • @LeSuisse published on GitHub 1 day, 6 hours ago

Envoy OAuth2 Filter: Padding Oracle via AES-256-CBC Cookie Decryption

envoy
  • ==< 1.35.11
  • ==>= 1.36.0, < 1.36.7
  • ==>= 1.38.0, < 1.38.1
  • ==>= 1.37.0, < 1.37.3
Permalink CVE-2026-48044
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 1 day, 6 hours ago by @LeSuisse Activity log
  • Created suggestion 1 day, 11 hours ago
  • @LeSuisse ignored
    10 packages
    • opa-envoy-plugin
    • python312Packages.envoy-utils
    • python313Packages.envoy-utils
    • python314Packages.envoy-utils
    • python312Packages.envoy-reader
    • python313Packages.envoy-reader
    • python314Packages.envoy-reader
    • python313Packages.envoy-data-plane
    • python314Packages.envoy-data-plane
    • home-assistant-component-tests.enphase_envoy
    1 day, 6 hours ago
  • @LeSuisse accepted 1 day, 6 hours ago
  • @LeSuisse published on GitHub 1 day, 6 hours ago

Envoy Zstd Decompressor: Ratio Check at Wrong Loop Depth lead to memory explosion

envoy
  • ==>= 1.23.0, < 1.35.11
  • ==>= 1.36.0, < 1.36.7
  • ==>= 1.38.0, < 1.38.1
  • ==>= 1.37.0, < 1.37.3
Permalink CVE-2026-47221
5.9 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 1 day, 6 hours ago by @LeSuisse Activity log
  • Created suggestion 1 day, 11 hours ago
  • @LeSuisse ignored
    10 packages
    • opa-envoy-plugin
    • python312Packages.envoy-utils
    • python313Packages.envoy-utils
    • python314Packages.envoy-utils
    • python312Packages.envoy-reader
    • python313Packages.envoy-reader
    • python314Packages.envoy-reader
    • python313Packages.envoy-data-plane
    • python314Packages.envoy-data-plane
    • home-assistant-component-tests.enphase_envoy
    1 day, 6 hours ago
  • @LeSuisse accepted 1 day, 6 hours ago
  • @LeSuisse published on GitHub 1 day, 6 hours ago

Envoy: Null pointer deref in internal redirects

envoy
  • ==>= 1.37.0, < 1.37.5
  • ==>= 1.18.0, < 1.35.13
  • ==>= 1.36.0, < 1.36.9
  • ==>= 1.38.0, < 1.38.3