Vulnerability-Lookup

Vulnerability from cleanstart

Published

2026-04-01 09:22

Modified

2026-03-25 11:02

Summary

Security fixes for CVE-2025-15558, CVE-2025-47907, CVE-2025-66564, CVE-2026-1229, CVE-2026-22039, CVE-2026-22703, CVE-2026-22772, CVE-2026-23831, CVE-2026-23881, CVE-2026-24051, CVE-2026-24117, CVE-2026-24137, CVE-2026-25679, CVE-2026-26958, CVE-2026-27139, CVE-2026-27142, CVE-2026-33186, ghsa-2464-8j7c-4cjm, ghsa-29wx-vh33-7x7r, ghsa-2x5j-vhc8-9cwm, ghsa-459x-q9hg-4gpq, ghsa-4qg8-fj49-pxjh, ghsa-4vq8-7jfc-9cvp, ghsa-6m8w-jc87-6cr7, ghsa-88jx-383q-w4qc, ghsa-95pr-fxf5-86gv, ghsa-c5q2-7r4c-mv6g, ghsa-c6gw-w398-hv78, ghsa-c77r-fh37-x2px, ghsa-f83f-xpx7-ffpw, ghsa-fv92-fjc5-jj9h, ghsa-jrr2-x33p-6hvc, ghsa-mh63-6h87-95cp, ghsa-mqqf-5wvp-8fh8, ghsa-p77j-4mvh-x3m3, ghsa-qjvc-p88j-j9rm, ghsa-r5p3-955p-5ggq, ghsa-v23v-6jw2-98fq, ghsa-v6v8-xj6m-xwqh, ghsa-xw73-rw38-6vjc applied in versions: 1.4.2-r2, 1.4.2-r4, 1.4.2-r6, 1.4.2-r7

Details

Multiple security vulnerabilities affect the kyverno-policy-reporter-kyverno-plugin-fips package. These issues are resolved in later releases. See references for individual vulnerability details.

References

URL

Type

	https://github.com/cleanstart-dev/cleanstart-secu…	ADVISORY
	https://osv.dev/vulnerability/CVE-2025-15558	WEB
	https://osv.dev/vulnerability/CVE-2025-47907	WEB
	https://osv.dev/vulnerability/CVE-2025-66564	WEB
	https://osv.dev/vulnerability/CVE-2026-1229	WEB
	https://osv.dev/vulnerability/CVE-2026-22039	WEB
	https://osv.dev/vulnerability/CVE-2026-22703	WEB
	https://osv.dev/vulnerability/CVE-2026-22772	WEB
	https://osv.dev/vulnerability/CVE-2026-23831	WEB
	https://osv.dev/vulnerability/CVE-2026-23881	WEB
	https://osv.dev/vulnerability/CVE-2026-24051	WEB
	https://osv.dev/vulnerability/CVE-2026-24117	WEB
	https://osv.dev/vulnerability/CVE-2026-24137	WEB
	https://osv.dev/vulnerability/CVE-2026-25679	WEB
	https://osv.dev/vulnerability/CVE-2026-26958	WEB
	https://osv.dev/vulnerability/CVE-2026-27139	WEB
	https://osv.dev/vulnerability/CVE-2026-27142	WEB
	https://osv.dev/vulnerability/CVE-2026-33186	WEB
	https://osv.dev/vulnerability/ghsa-2464-8j7c-4cjm	WEB
	https://osv.dev/vulnerability/ghsa-29wx-vh33-7x7r	WEB
	https://osv.dev/vulnerability/ghsa-2x5j-vhc8-9cwm	WEB
	https://osv.dev/vulnerability/ghsa-459x-q9hg-4gpq	WEB
	https://osv.dev/vulnerability/ghsa-4qg8-fj49-pxjh	WEB
	https://osv.dev/vulnerability/ghsa-4vq8-7jfc-9cvp	WEB
	https://osv.dev/vulnerability/ghsa-6m8w-jc87-6cr7	WEB
	https://osv.dev/vulnerability/ghsa-88jx-383q-w4qc	WEB
	https://osv.dev/vulnerability/ghsa-95pr-fxf5-86gv	WEB
	https://osv.dev/vulnerability/ghsa-c5q2-7r4c-mv6g	WEB
	https://osv.dev/vulnerability/ghsa-c6gw-w398-hv78	WEB
	https://osv.dev/vulnerability/ghsa-c77r-fh37-x2px	WEB
	https://osv.dev/vulnerability/ghsa-f83f-xpx7-ffpw	WEB
	https://osv.dev/vulnerability/ghsa-fv92-fjc5-jj9h	WEB
	https://osv.dev/vulnerability/ghsa-jrr2-x33p-6hvc	WEB
	https://osv.dev/vulnerability/ghsa-mh63-6h87-95cp	WEB
	https://osv.dev/vulnerability/ghsa-mqqf-5wvp-8fh8	WEB
	https://osv.dev/vulnerability/ghsa-p77j-4mvh-x3m3	WEB
	https://osv.dev/vulnerability/ghsa-qjvc-p88j-j9rm	WEB
	https://osv.dev/vulnerability/ghsa-r5p3-955p-5ggq	WEB
	https://osv.dev/vulnerability/ghsa-v23v-6jw2-98fq	WEB
	https://osv.dev/vulnerability/ghsa-v6v8-xj6m-xwqh	WEB
	https://osv.dev/vulnerability/ghsa-xw73-rw38-6vjc	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2025-15558	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2025-47907	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2025-66564	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-1229	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-22039	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-22703	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-22772	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-23831	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-23881	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-24051	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-24117	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-24137	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-25679	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-26958	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-27139	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-27142	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-33186	WEB

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "CleanStart",
        "name": "kyverno-policy-reporter-kyverno-plugin-fips"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.2-r7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "credits": [],
  "database_specific": {},
  "details": "Multiple security vulnerabilities affect the kyverno-policy-reporter-kyverno-plugin-fips package. These issues are resolved in later releases. See references for individual vulnerability details.",
  "id": "CLEANSTART-2026-GK29346",
  "modified": "2026-03-25T11:02:44Z",
  "published": "2026-04-01T09:22:17.389111Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-GK29346.json"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-15558"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-47907"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-66564"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-1229"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-22039"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-22703"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-22772"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-23831"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-23881"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-24051"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-24117"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-24137"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-25679"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-26958"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-27139"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-27142"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-33186"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-2464-8j7c-4cjm"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-29wx-vh33-7x7r"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-2x5j-vhc8-9cwm"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-459x-q9hg-4gpq"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-4qg8-fj49-pxjh"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-4vq8-7jfc-9cvp"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-6m8w-jc87-6cr7"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-88jx-383q-w4qc"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-95pr-fxf5-86gv"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-c5q2-7r4c-mv6g"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-c6gw-w398-hv78"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-c77r-fh37-x2px"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-f83f-xpx7-ffpw"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-fv92-fjc5-jj9h"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-jrr2-x33p-6hvc"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-mh63-6h87-95cp"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-mqqf-5wvp-8fh8"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-p77j-4mvh-x3m3"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-qjvc-p88j-j9rm"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-r5p3-955p-5ggq"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-v23v-6jw2-98fq"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-v6v8-xj6m-xwqh"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-xw73-rw38-6vjc"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15558"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47907"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66564"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1229"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22039"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22703"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22772"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23831"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23881"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24051"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24117"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24137"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25679"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26958"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27139"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27142"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33186"
    }
  ],
  "related": [],
  "schema_version": "1.7.3",
  "summary": "Security fixes for CVE-2025-15558, CVE-2025-47907, CVE-2025-66564, CVE-2026-1229, CVE-2026-22039, CVE-2026-22703, CVE-2026-22772, CVE-2026-23831, CVE-2026-23881, CVE-2026-24051, CVE-2026-24117, CVE-2026-24137, CVE-2026-25679, CVE-2026-26958, CVE-2026-27139, CVE-2026-27142, CVE-2026-33186, ghsa-2464-8j7c-4cjm, ghsa-29wx-vh33-7x7r, ghsa-2x5j-vhc8-9cwm, ghsa-459x-q9hg-4gpq, ghsa-4qg8-fj49-pxjh, ghsa-4vq8-7jfc-9cvp, ghsa-6m8w-jc87-6cr7, ghsa-88jx-383q-w4qc, ghsa-95pr-fxf5-86gv, ghsa-c5q2-7r4c-mv6g, ghsa-c6gw-w398-hv78, ghsa-c77r-fh37-x2px, ghsa-f83f-xpx7-ffpw, ghsa-fv92-fjc5-jj9h, ghsa-jrr2-x33p-6hvc, ghsa-mh63-6h87-95cp, ghsa-mqqf-5wvp-8fh8, ghsa-p77j-4mvh-x3m3, ghsa-qjvc-p88j-j9rm, ghsa-r5p3-955p-5ggq, ghsa-v23v-6jw2-98fq, ghsa-v6v8-xj6m-xwqh, ghsa-xw73-rw38-6vjc applied in versions: 1.4.2-r2, 1.4.2-r4, 1.4.2-r6, 1.4.2-r7",
  "upstream": [
    "CVE-2025-15558",
    "CVE-2025-47907",
    "CVE-2025-66564",
    "CVE-2026-1229",
    "CVE-2026-22039",
    "CVE-2026-22703",
    "CVE-2026-22772",
    "CVE-2026-23831",
    "CVE-2026-23881",
    "CVE-2026-24051",
    "CVE-2026-24117",
    "CVE-2026-24137",
    "CVE-2026-25679",
    "CVE-2026-26958",
    "CVE-2026-27139",
    "CVE-2026-27142",
    "CVE-2026-33186",
    "ghsa-2464-8j7c-4cjm",
    "ghsa-29wx-vh33-7x7r",
    "ghsa-2x5j-vhc8-9cwm",
    "ghsa-459x-q9hg-4gpq",
    "ghsa-4qg8-fj49-pxjh",
    "ghsa-4vq8-7jfc-9cvp",
    "ghsa-6m8w-jc87-6cr7",
    "ghsa-88jx-383q-w4qc",
    "ghsa-95pr-fxf5-86gv",
    "ghsa-c5q2-7r4c-mv6g",
    "ghsa-c6gw-w398-hv78",
    "ghsa-c77r-fh37-x2px",
    "ghsa-f83f-xpx7-ffpw",
    "ghsa-fv92-fjc5-jj9h",
    "ghsa-jrr2-x33p-6hvc",
    "ghsa-mh63-6h87-95cp",
    "ghsa-mqqf-5wvp-8fh8",
    "ghsa-p77j-4mvh-x3m3",
    "ghsa-qjvc-p88j-j9rm",
    "ghsa-r5p3-955p-5ggq",
    "ghsa-v23v-6jw2-98fq",
    "ghsa-v6v8-xj6m-xwqh",
    "ghsa-xw73-rw38-6vjc"
  ]
}

CVE-2025-15558 (GCVE-0-2025-15558)

Vulnerability from cvelistv5 – Published: 2026-03-04 16:14 – Updated: 2026-03-05 04:55

Title

Docker Desktop Docker Plugins Uncontrolled Search Path Element Local Privilege Escalation Vulnerability

Summary

Docker CLI for Windows searches for plugin binaries in C:\ProgramData\Docker\cli-plugins, a directory that does not exist by default. A low-privileged attacker can create this directory and place malicious CLI plugin binaries (docker-compose.exe, docker-buildx.exe, etc.) that are executed when a victim user opens Docker Desktop or invokes Docker CLI plugin features, and allow privilege-escalation if the docker CLI is executed as a privileged user. This issue affects Docker CLI: through 29.1.5 and Windows binaries acting as a CLI-plugin manager using the github.com/docker/cli/cli-plugins/manager https://pkg.go.dev/github.com/docker/cli@v29.1.5+incompatible/cli-plugins/manager package, such as Docker Compose. This issue does not impact non-Windows binaries, and projects not using the plugin-manager code.

Severity

7 (High)


                        
                          CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/AU:N/R:U

CWE

CWE-427 - Uncontrolled Search Path Element

Assigner

Docker

References

3 references

URL	Tags
https://docs.docker.com/desktop/release-notes/
https://www.zerodayinitiative.com/advisories/ZDI-…	third-party-advisory
https://github.com/docker/cli/pull/6713	patch

Impacted products

2 products

Vendor	Product	Version
Docker	Docker CLI	Unaffected: 29.2.0 (semver)
Docker	Compose	Unaffected: 5.1.0 (semver)

Credits

Nitesh Surana (niteshsurana.com) of Trend Research of TrendAI

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-15558",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-04T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-05T04:55:47.099Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "platforms": [
            "Windows"
          ],
          "product": "Docker CLI",
          "vendor": "Docker",
          "versions": [
            {
              "status": "unaffected",
              "version": "29.2.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Windows"
          ],
          "product": "Compose",
          "vendor": "Docker",
          "versions": [
            {
              "status": "unaffected",
              "version": "5.1.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Nitesh Surana (niteshsurana.com) of Trend Research of TrendAI"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eDocker CLI for Windows searches for plugin binaries in \u003ccode\u003eC:\\ProgramData\\Docker\\cli-plugins\u003c/code\u003e, a directory that does not exist by default. A low-privileged attacker can create this directory and place malicious CLI plugin binaries (docker-compose.exe, docker-buildx.exe, etc.) that are executed when a victim user opens Docker Desktop or invokes Docker CLI plugin features, and allow privilege-escalation if the \u003ccode\u003edocker\u003c/code\u003e\u0026nbsp;CLI is executed as a privileged user.\u003c/p\u003e\u003cp\u003eThis issue affects Docker CLI: through 29.1.5 and Windows binaries acting as a CLI-plugin manager using the \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://pkg.go.dev/github.com/docker/cli@v29.1.5+incompatible/cli-plugins/manager\"\u003e\u003ccode\u003egithub.com/docker/cli/cli-plugins/manager\u003c/code\u003e\u003c/a\u003e\u0026nbsp;package, such as Docker Compose.\u003c/p\u003e\u003cp\u003eThis issue does not impact non-Windows binaries, and projects not using the plugin-manager code.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e"
            }
          ],
          "value": "Docker CLI for Windows searches for plugin binaries in C:\\ProgramData\\Docker\\cli-plugins, a directory that does not exist by default. A low-privileged attacker can create this directory and place malicious CLI plugin binaries (docker-compose.exe, docker-buildx.exe, etc.) that are executed when a victim user opens Docker Desktop or invokes Docker CLI plugin features, and allow privilege-escalation if the docker\u00a0CLI is executed as a privileged user.\n\nThis issue affects Docker CLI: through 29.1.5 and Windows binaries acting as a CLI-plugin manager using the  github.com/docker/cli/cli-plugins/manager https://pkg.go.dev/github.com/docker/cli@v29.1.5+incompatible/cli-plugins/manager \u00a0package, such as Docker Compose.\n\nThis issue does not impact non-Windows binaries, and projects not using the plugin-manager code."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-38",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-38 Leveraging/Manipulating Configuration File Search Paths"
            }
          ]
        },
        {
          "capecId": "CAPEC-471",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-471 Search Order Hijacking"
            }
          ]
        },
        {
          "capecId": "CAPEC-640",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-640 Inclusion of Code in Existing Process"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NO",
            "Recovery": "USER",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/AU:N/R:U",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-427",
              "description": "CWE-427 Uncontrolled Search Path Element",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-04T16:14:32.045Z",
        "orgId": "686469e6-3ff6-451b-ab8b-cf5b9e89401e",
        "shortName": "Docker"
      },
      "references": [
        {
          "url": "https://docs.docker.com/desktop/release-notes/"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.zerodayinitiative.com/advisories/ZDI-CAN-28304/"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/docker/cli/pull/6713"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Docker Desktop Docker Plugins Uncontrolled Search Path Element Local Privilege Escalation Vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "686469e6-3ff6-451b-ab8b-cf5b9e89401e",
    "assignerShortName": "Docker",
    "cveId": "CVE-2025-15558",
    "datePublished": "2026-03-04T16:14:32.045Z",
    "dateReserved": "2026-02-03T19:51:18.184Z",
    "dateUpdated": "2026-03-05T04:55:47.099Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-47907 (GCVE-0-2025-47907)

Vulnerability from cvelistv5 – Published: 2025-08-07 15:25 – Updated: 2025-11-04 21:10

Title

Incorrect results returned from Rows.Scan in database/sql

Summary

Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the expected results with those of another query, causing the call to Scan to return either unexpected results from the other query or an error.

Severity

7 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L

CWE

CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Assigner

References

4 references

URL	Tags
https://go.dev/cl/693735
https://go.dev/issue/74831
https://groups.google.com/g/golang-announce/c/x5M…
https://pkg.go.dev/vuln/GO-2025-3849

Impacted products

1 product

Vendor	Product	Version
Go standard library	database/sql	Affected: 0 , < 1.23.12 (semver) Affected: 1.24.0 , < 1.24.6 (semver)

Credits

Spike Curtis from Coder

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "NETWORK",
              "availabilityImpact": "LOW",
              "baseScore": 7,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-47907",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-07T15:45:26.297503Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-07T15:48:03.634Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-04T21:10:56.083Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2025/08/06/1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "database/sql",
          "product": "database/sql",
          "programRoutines": [
            {
              "name": "Rows.Scan"
            },
            {
              "name": "Row.Scan"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.23.12",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.24.6",
              "status": "affected",
              "version": "1.24.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Spike Curtis from Coder"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the expected results with those of another query, causing the call to Scan to return either unexpected results from the other query or an error."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-07T15:25:30.704Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/cl/693735"
        },
        {
          "url": "https://go.dev/issue/74831"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2025-3849"
        }
      ],
      "title": "Incorrect results returned from Rows.Scan in database/sql"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2025-47907",
    "datePublished": "2025-08-07T15:25:30.704Z",
    "dateReserved": "2025-05-13T23:31:29.597Z",
    "dateUpdated": "2025-11-04T21:10:56.083Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-66564 (GCVE-0-2025-66564)

Vulnerability from cvelistv5 – Published: 2025-12-04 22:37 – Updated: 2025-12-05 14:55

Title

Sigstore Timestamp Authority allocates excessive memory during request parsing

Summary

Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Prior to 2.0.3, Function api.ParseJSONRequest currently splits (via a call to strings.Split) an optionally-provided OID (which is untrusted data) on periods. Similarly, function api.getContentType splits the Content-Type header (which is also untrusted data) on an application string. As a result, in the face of a malicious request with either an excessively long OID in the payload containing many period characters or a malformed Content-Type header, a call to api.ParseJSONRequest or api.getContentType incurs allocations of O(n) bytes (where n stands for the length of the function's argument). This vulnerability is fixed in 2.0.3.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-405 - Asymmetric Resource Consumption (Amplification)

Assigner

GitHub_M

References

2 references

URL	Tags
https://github.com/sigstore/timestamp-authority/s…	x_refsource_CONFIRM
https://github.com/sigstore/timestamp-authority/c…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
sigstore	timestamp-authority	Affected: < 2.0.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-66564",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-05T14:55:44.658584Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-05T14:55:53.273Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "timestamp-authority",
          "vendor": "sigstore",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.0.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Prior to 2.0.3, Function api.ParseJSONRequest currently splits (via a call to strings.Split) an optionally-provided OID (which is untrusted data) on periods. Similarly, function api.getContentType splits the Content-Type header (which is also untrusted data) on an application string. As a result, in the face of a malicious request with either an excessively long OID in the payload containing many period characters or a malformed Content-Type header, a call to api.ParseJSONRequest or api.getContentType incurs allocations of O(n) bytes (where n stands for the length of the function\u0027s argument). This vulnerability is fixed in 2.0.3."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-405",
              "description": "CWE-405: Asymmetric Resource Consumption (Amplification)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-04T22:37:13.307Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/sigstore/timestamp-authority/security/advisories/GHSA-4qg8-fj49-pxjh",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/sigstore/timestamp-authority/security/advisories/GHSA-4qg8-fj49-pxjh"
        },
        {
          "name": "https://github.com/sigstore/timestamp-authority/commit/0cae34e197d685a14904e0bad135b89d13b69421",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/sigstore/timestamp-authority/commit/0cae34e197d685a14904e0bad135b89d13b69421"
        }
      ],
      "source": {
        "advisory": "GHSA-4qg8-fj49-pxjh",
        "discovery": "UNKNOWN"
      },
      "title": "Sigstore Timestamp Authority allocates excessive memory during request parsing"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-66564",
    "datePublished": "2025-12-04T22:37:13.307Z",
    "dateReserved": "2025-12-04T16:05:22.975Z",
    "dateUpdated": "2025-12-05T14:55:53.273Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-1229 (GCVE-0-2026-1229)

Vulnerability from cvelistv5 – Published: 2026-02-24 07:58 – Updated: 2026-02-24 15:10

Title

Incorrect calculation in CIRCL secp384r1 CombinedMult

Summary

The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas. ECDH and ECDSA signing relying on this curve are not affected. The bug was fixed in v1.6.3 https://github.com/cloudflare/circl/releases/tag/v1.6.3 .

Severity

2.9 (Low)


                        
                          CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:P/S:N/AU:Y/U:Amber

CWE

CWE-682 - Incorrect Calculation

Assigner

cloudflare

References

1 reference

URL	Tags
https://github.com/cloudflare/circl

Impacted products

1 product

Vendor	Product	Version
Cloudflare	CIRCL	Affected: CIRCL up to version 1.6.2 , < 1.6.3 (custom)

Credits

Guido Vranken

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-1229",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-24T15:04:09.395394Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-24T15:10:21.738Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Go"
          ],
          "product": "CIRCL",
          "repo": "https://github.com/cloudflare/circl",
          "vendor": "Cloudflare",
          "versions": [
            {
              "lessThan": "1.6.3",
              "status": "affected",
              "version": "CIRCL up to version 1.6.2",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Guido Vranken"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cp\u003eThe CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas.\u003cbr\u003eECDH and ECDSA signing relying on this curve are not affected.\u003c/p\u003e\u003cp\u003eThe bug was fixed in \u003cstrong\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/cloudflare/circl/releases/tag/v1.6.3\"\u003ev1.6.3\u003c/a\u003e\u003c/strong\u003e.\u003c/p\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003c/div\u003e\u003cbr\u003e"
            }
          ],
          "value": "The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas.\nECDH and ECDSA signing relying on this curve are not affected.\n\nThe bug was fixed in  v1.6.3 https://github.com/cloudflare/circl/releases/tag/v1.6.3 ."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "YES",
            "Recovery": "NOT_DEFINED",
            "Safety": "NEGLIGIBLE",
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 2.9,
            "baseSeverity": "LOW",
            "exploitMaturity": "PROOF_OF_CONCEPT",
            "privilegesRequired": "NONE",
            "providerUrgency": "AMBER",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:P/S:N/AU:Y/U:Amber",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-682",
              "description": "CWE-682 Incorrect Calculation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-24T07:58:54.406Z",
        "orgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
        "shortName": "cloudflare"
      },
      "references": [
        {
          "url": "https://github.com/cloudflare/circl"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Incorrect calculation in CIRCL secp384r1 CombinedMult",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a22f1246-ba21-4bb4-a601-ad51614c1513",
    "assignerShortName": "cloudflare",
    "cveId": "CVE-2026-1229",
    "datePublished": "2026-02-24T07:58:54.406Z",
    "dateReserved": "2026-01-20T13:09:57.206Z",
    "dateUpdated": "2026-02-24T15:10:21.738Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-22039 (GCVE-0-2026-22039)

Vulnerability from cvelistv5 – Published: 2026-01-27 16:07 – Updated: 2026-01-27 16:42

Title

Kyverno Cross-Namespace Privilege Escalation via Policy apiCall

Summary

Kyverno is a policy engine designed for cloud native platform engineering teams. Versions prior to 1.16.3 and 1.15.3 have a critical authorization boundary bypass in namespaced Kyverno Policy apiCall. The resolved `urlPath` is executed using the Kyverno admission controller ServiceAccount, with no enforcement that the request is limited to the policy’s namespace. As a result, any authenticated user with permission to create a namespaced Policy can cause Kyverno to perform Kubernetes API requests using Kyverno’s admission controller identity, targeting any API path allowed by that ServiceAccount’s RBAC. This breaks namespace isolation by enabling cross-namespace reads (for example, ConfigMaps and, where permitted, Secrets) and allows cluster-scoped or cross-namespace writes (for example, creating ClusterPolicies) by controlling the urlPath through context variable substitution. Versions 1.16.3 and 1.15.3 contain a patch for the vulnerability.

Severity

10 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-269 - Improper Privilege Management
CWE-918 - Server-Side Request Forgery (SSRF)

Assigner

GitHub_M

References

3 references

URL	Tags
https://github.com/kyverno/kyverno/security/advis…	x_refsource_CONFIRM
https://github.com/kyverno/kyverno/commit/e0ba4de…	x_refsource_MISC
https://github.com/kyverno/kyverno/commit/eba60fa…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
kyverno	kyverno	Affected: < 1.15.3 Affected: >= 1.16.0, < 1.16.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-22039",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-27T16:41:31.229138Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-27T16:42:49.789Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "kyverno",
          "vendor": "kyverno",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.15.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.16.0, \u003c 1.16.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Kyverno is a policy engine designed for cloud native platform engineering teams. Versions prior to 1.16.3 and 1.15.3 have a critical authorization boundary bypass in namespaced Kyverno Policy apiCall. The resolved `urlPath` is executed using the Kyverno admission controller ServiceAccount, with no enforcement that the request is limited to the policy\u2019s namespace. As a result, any authenticated user with permission to create a namespaced Policy can cause Kyverno to perform Kubernetes API requests using Kyverno\u2019s admission controller identity, targeting any API path allowed by that ServiceAccount\u2019s RBAC. This breaks namespace isolation by enabling cross-namespace reads (for example, ConfigMaps and, where permitted, Secrets) and allows cluster-scoped or cross-namespace writes (for example, creating ClusterPolicies) by controlling the urlPath through context variable substitution. Versions 1.16.3 and 1.15.3 contain a patch for the vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-269",
              "description": "CWE-269: Improper Privilege Management",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918: Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-27T16:07:19.698Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/kyverno/kyverno/security/advisories/GHSA-8p9x-46gm-qfx2",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-8p9x-46gm-qfx2"
        },
        {
          "name": "https://github.com/kyverno/kyverno/commit/e0ba4de4f1e0ca325066d5095db51aec45b1407b",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/kyverno/kyverno/commit/e0ba4de4f1e0ca325066d5095db51aec45b1407b"
        },
        {
          "name": "https://github.com/kyverno/kyverno/commit/eba60fa856c781bcb9c3be066061a3df03ae4e3e",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/kyverno/kyverno/commit/eba60fa856c781bcb9c3be066061a3df03ae4e3e"
        }
      ],
      "source": {
        "advisory": "GHSA-8p9x-46gm-qfx2",
        "discovery": "UNKNOWN"
      },
      "title": "Kyverno Cross-Namespace Privilege Escalation via Policy apiCall"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-22039",
    "datePublished": "2026-01-27T16:07:19.698Z",
    "dateReserved": "2026-01-05T22:30:38.719Z",
    "dateUpdated": "2026-01-27T16:42:49.789Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-22703 (GCVE-0-2026-22703)

Vulnerability from cvelistv5 – Published: 2026-01-10 06:11 – Updated: 2026-01-12 16:43

Title

Cosign verification accepts any valid Rekor entry under certain conditions

Summary

Cosign provides code signing and transparency for containers and binaries. Prior to versions 2.6.2 and 3.0.4, Cosign bundle can be crafted to successfully verify an artifact even if the embedded Rekor entry does not reference the artifact's digest, signature or public key. When verifying a Rekor entry, Cosign verifies the Rekor entry signature, and also compares the artifact's digest, the user's public key from either a Fulcio certificate or provided by the user, and the artifact signature to the Rekor entry contents. Without these comparisons, Cosign would accept any response from Rekor as valid. A malicious actor that has compromised a user's identity or signing key could construct a valid Cosign bundle by including any arbitrary Rekor entry, thus preventing the user from being able to audit the signing event. This issue has been patched in versions 2.6.2 and 3.0.4.

Severity

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CWE

CWE-345 - Insufficient Verification of Data Authenticity

Assigner

GitHub_M

References

3 references

URL	Tags
https://github.com/sigstore/cosign/security/advis…	x_refsource_CONFIRM
https://github.com/sigstore/cosign/pull/4623	x_refsource_MISC
https://github.com/sigstore/cosign/commit/6832fba…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
sigstore	cosign	Affected: < 3.0.4 Affected: < 2.6.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-22703",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-12T16:43:50.752285Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-12T16:43:57.302Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "cosign",
          "vendor": "sigstore",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.0.4"
            },
            {
              "status": "affected",
              "version": "\u003c 2.6.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cosign provides code signing and transparency for containers and binaries. Prior to versions 2.6.2 and 3.0.4, Cosign bundle can be crafted to successfully verify an artifact even if the embedded Rekor entry does not reference the artifact\u0027s digest, signature or public key. When verifying a Rekor entry, Cosign verifies the Rekor entry signature, and also compares the artifact\u0027s digest, the user\u0027s public key from either a Fulcio certificate or provided by the user, and the artifact signature to the Rekor entry contents. Without these comparisons, Cosign would accept any response from Rekor as valid. A malicious actor that has compromised a user\u0027s identity or signing key could construct a valid Cosign bundle by including any arbitrary Rekor entry, thus preventing the user from being able to audit the signing event. This issue has been patched in versions 2.6.2 and 3.0.4."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-345",
              "description": "CWE-345: Insufficient Verification of Data Authenticity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-10T06:11:09.426Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/sigstore/cosign/security/advisories/GHSA-whqx-f9j3-ch6m",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/sigstore/cosign/security/advisories/GHSA-whqx-f9j3-ch6m"
        },
        {
          "name": "https://github.com/sigstore/cosign/pull/4623",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/sigstore/cosign/pull/4623"
        },
        {
          "name": "https://github.com/sigstore/cosign/commit/6832fba4928c1ad69400235bbc41212de5006176",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/sigstore/cosign/commit/6832fba4928c1ad69400235bbc41212de5006176"
        }
      ],
      "source": {
        "advisory": "GHSA-whqx-f9j3-ch6m",
        "discovery": "UNKNOWN"
      },
      "title": "Cosign verification accepts any valid Rekor entry under certain conditions"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-22703",
    "datePublished": "2026-01-10T06:11:09.426Z",
    "dateReserved": "2026-01-08T19:23:09.857Z",
    "dateUpdated": "2026-01-12T16:43:57.302Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-22772 (GCVE-0-2026-22772)

Vulnerability from cvelistv5 – Published: 2026-01-12 20:58 – Updated: 2026-01-12 21:17

Title

Fulcio vulnerable to Server-Side Request Forgery (SSRF) via MetaIssuer Regex Bypass

Summary

Fulcio is a certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity. Prior to 1.8.5, Fulcio's metaRegex() function uses unanchored regex, allowing attackers to bypass MetaIssuer URL validation and trigger SSRF to arbitrary internal services. Since the SSRF only can trigger GET requests, the request cannot mutate state. The response from the GET request is not returned to the caller so data exfiltration is not possible. A malicious actor could attempt to probe an internal network through Blind SSRF. This vulnerability is fixed in 1.8.5.

Severity

5.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

CWE

CWE-918 - Server-Side Request Forgery (SSRF)

Assigner

GitHub_M

References

2 references

URL	Tags
https://github.com/sigstore/fulcio/security/advis…	x_refsource_CONFIRM
https://github.com/sigstore/fulcio/commit/eaae2f2…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
sigstore	fulcio	Affected: < 1.8.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-22772",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-12T21:17:00.818861Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-12T21:17:31.478Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "fulcio",
          "vendor": "sigstore",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.8.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Fulcio is a certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity. Prior to 1.8.5, Fulcio\u0027s metaRegex() function uses unanchored regex, allowing attackers to bypass MetaIssuer URL validation and trigger SSRF to arbitrary internal services. Since the SSRF only can trigger GET requests, the request cannot mutate state. The response from the GET request is not returned to the caller so data exfiltration is not possible. A malicious actor could attempt to probe an internal network through Blind SSRF. This vulnerability is fixed in 1.8.5."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918: Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-12T20:58:53.659Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/sigstore/fulcio/security/advisories/GHSA-59jp-pj84-45mr",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/sigstore/fulcio/security/advisories/GHSA-59jp-pj84-45mr"
        },
        {
          "name": "https://github.com/sigstore/fulcio/commit/eaae2f2be56df9dea5f9b439ec81bedae4c0978d",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/sigstore/fulcio/commit/eaae2f2be56df9dea5f9b439ec81bedae4c0978d"
        }
      ],
      "source": {
        "advisory": "GHSA-59jp-pj84-45mr",
        "discovery": "UNKNOWN"
      },
      "title": "Fulcio vulnerable to Server-Side Request Forgery (SSRF) via MetaIssuer Regex Bypass"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-22772",
    "datePublished": "2026-01-12T20:58:53.659Z",
    "dateReserved": "2026-01-09T18:27:19.387Z",
    "dateUpdated": "2026-01-12T21:17:31.478Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-23831 (GCVE-0-2026-23831)

Vulnerability from cvelistv5 – Published: 2026-01-22 21:26 – Updated: 2026-01-23 14:32

Title

Rekor COSE v0.0.1 Canonicalize crashes when passed empty Message

Summary

Rekor is a software supply chain transparency log. In versions 1.4.3 and below, the entry implementation can panic on attacker-controlled input when canonicalizing a proposed entry with an empty spec.message, causing nil Pointer Dereference. Function validate() returns nil (success) when message is empty, leaving sign1Msg uninitialized, and Canonicalize() later dereferences v.sign1Msg.Payload. A malformed proposed entry of the cose/v0.0.1 type can cause a panic on a thread within the Rekor process. The thread is recovered so the client receives a 500 error message and service still continues, so the availability impact of this is minimal. This issue has been fixed in version 1.5.0.

Severity

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE

CWE-476 - NULL Pointer Dereference

Assigner

GitHub_M

References

3 references

URL	Tags
https://github.com/sigstore/rekor/security/adviso…	x_refsource_CONFIRM
https://github.com/sigstore/rekor/commit/39bae3d1…	x_refsource_MISC
https://github.com/sigstore/rekor/releases/tag/v1.5.0	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
sigstore	rekor	Affected: < 1.5.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-23831",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-23T14:32:37.244354Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-23T14:32:43.078Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "rekor",
          "vendor": "sigstore",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.5.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Rekor is a software supply chain transparency log. In versions 1.4.3 and below, the entry implementation can panic on attacker-controlled input when canonicalizing a proposed entry with an empty spec.message, causing nil Pointer Dereference. Function validate() returns nil (success) when message is empty, leaving sign1Msg uninitialized, and Canonicalize() later dereferences v.sign1Msg.Payload. A malformed proposed entry of the cose/v0.0.1 type can cause a panic on a thread within the Rekor process. The thread is recovered so the client receives a 500 error message and service still continues, so the availability impact of this is minimal. This issue has been fixed in version 1.5.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-476",
              "description": "CWE-476: NULL Pointer Dereference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-22T21:26:22.183Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/sigstore/rekor/security/advisories/GHSA-273p-m2cw-6833",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/sigstore/rekor/security/advisories/GHSA-273p-m2cw-6833"
        },
        {
          "name": "https://github.com/sigstore/rekor/commit/39bae3d192bce48ef4ef2cbd1788fb5770fee8cd",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/sigstore/rekor/commit/39bae3d192bce48ef4ef2cbd1788fb5770fee8cd"
        },
        {
          "name": "https://github.com/sigstore/rekor/releases/tag/v1.5.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/sigstore/rekor/releases/tag/v1.5.0"
        }
      ],
      "source": {
        "advisory": "GHSA-273p-m2cw-6833",
        "discovery": "UNKNOWN"
      },
      "title": "Rekor COSE v0.0.1 Canonicalize crashes when passed empty Message"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-23831",
    "datePublished": "2026-01-22T21:26:22.183Z",
    "dateReserved": "2026-01-16T15:46:40.841Z",
    "dateUpdated": "2026-01-23T14:32:43.078Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-23881 (GCVE-0-2026-23881)

Vulnerability from cvelistv5 – Published: 2026-01-27 16:10 – Updated: 2026-01-27 16:33

Title

Kyverno Denial of Service via Context Variable Amplification in Policy Engine

Summary

Kyverno is a policy engine designed for cloud native platform engineering teams. Versions prior to 1.16.3 and 1.15.3 have unbounded memory consumption in Kyverno's policy engine that allows users with policy creation privileges to cause denial of service by crafting policies that exponentially amplify string data through context variables. Versions 1.16.3 and 1.15.3 contain a patch for the vulnerability.

Severity

7.7 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

CWE

CWE-770 - Allocation of Resources Without Limits or Throttling

Assigner

GitHub_M

References

3 references

URL	Tags
https://github.com/kyverno/kyverno/security/advis…	x_refsource_CONFIRM
https://github.com/kyverno/kyverno/commit/7a651be…	x_refsource_MISC
https://github.com/kyverno/kyverno/commit/f5617f6…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
kyverno	kyverno	Affected: < 1.15.3 Affected: >= 1.16.0, < 1.16.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-23881",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-27T16:32:37.256106Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-27T16:33:03.342Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "kyverno",
          "vendor": "kyverno",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.15.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.16.0, \u003c 1.16.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Kyverno is a policy engine designed for cloud native platform engineering teams. Versions prior to 1.16.3 and 1.15.3 have unbounded memory consumption in Kyverno\u0027s policy engine that allows users with policy creation privileges to cause denial of service by crafting policies that exponentially amplify string data through context variables. Versions 1.16.3 and 1.15.3 contain a patch for the vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-27T16:10:44.376Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/kyverno/kyverno/security/advisories/GHSA-r2rj-wwm5-x6mq",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/kyverno/kyverno/security/advisories/GHSA-r2rj-wwm5-x6mq"
        },
        {
          "name": "https://github.com/kyverno/kyverno/commit/7a651be3a8c78dcabfbf4178b8d89026bf3b850f",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/kyverno/kyverno/commit/7a651be3a8c78dcabfbf4178b8d89026bf3b850f"
        },
        {
          "name": "https://github.com/kyverno/kyverno/commit/f5617f60920568a301740485472bf704892175b7",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/kyverno/kyverno/commit/f5617f60920568a301740485472bf704892175b7"
        }
      ],
      "source": {
        "advisory": "GHSA-r2rj-wwm5-x6mq",
        "discovery": "UNKNOWN"
      },
      "title": "Kyverno Denial of Service via Context Variable Amplification in Policy Engine"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-23881",
    "datePublished": "2026-01-27T16:10:44.376Z",
    "dateReserved": "2026-01-16T21:02:02.900Z",
    "dateUpdated": "2026-01-27T16:33:03.342Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-24051 (GCVE-0-2026-24051)

Vulnerability from cvelistv5 – Published: 2026-02-02 19:49 – Updated: 2026-02-03 14:54

Title

OpenTelemetry-Go Affected by Arbitrary Code Execution via PATH Hijacking

Summary

OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system command using a search path. An attacker with the ability to locally modify the PATH environment variable can achieve Arbitrary Code Execution (ACE) within the context of the application. A fix was released with v1.40.0.

Severity

7 (High)


                        
                          CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-426 - Untrusted Search Path

Assigner

GitHub_M

References

2 references

URL	Tags
https://github.com/open-telemetry/opentelemetry-g…	x_refsource_CONFIRM
https://github.com/open-telemetry/opentelemetry-g…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
open-telemetry	opentelemetry-go	Affected: >= 1.21.0, < 1.40.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-24051",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-03T14:53:50.389773Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-03T14:54:41.668Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "opentelemetry-go",
          "vendor": "open-telemetry",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.21.0, \u003c 1.40.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system command using a search path. An attacker with the ability to locally modify the PATH environment variable can achieve Arbitrary Code Execution (ACE) within the context of the application. A fix was released with v1.40.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-426",
              "description": "CWE-426: Untrusted Search Path",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-02T19:49:10.038Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-9h8m-3fm2-qjrq",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-9h8m-3fm2-qjrq"
        },
        {
          "name": "https://github.com/open-telemetry/opentelemetry-go/commit/d45961bcda453fcbdb6469c22d6e88a1f9970a53",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/open-telemetry/opentelemetry-go/commit/d45961bcda453fcbdb6469c22d6e88a1f9970a53"
        }
      ],
      "source": {
        "advisory": "GHSA-9h8m-3fm2-qjrq",
        "discovery": "UNKNOWN"
      },
      "title": "OpenTelemetry-Go Affected by Arbitrary Code Execution via PATH Hijacking"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-24051",
    "datePublished": "2026-02-02T19:49:10.038Z",
    "dateReserved": "2026-01-20T22:30:11.778Z",
    "dateUpdated": "2026-02-03T14:54:41.668Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

Vulnerability from cleanstart

CVE-2025-15558 (GCVE-0-2025-15558)

CVE-2025-47907 (GCVE-0-2025-47907)

CVE-2025-66564 (GCVE-0-2025-66564)

CVE-2026-1229 (GCVE-0-2026-1229)

CVE-2026-22039 (GCVE-0-2026-22039)

CVE-2026-22703 (GCVE-0-2026-22703)

CVE-2026-22772 (GCVE-0-2026-22772)

CVE-2026-23831 (GCVE-0-2026-23831)

CVE-2026-23881 (GCVE-0-2026-23881)

CVE-2026-24051 (GCVE-0-2026-24051)

Tags

Sightings

Nomenclature