CVE-2026-1123
Published 2026-01-18
Priority P358 | critical | 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.41% (33.1th percentile)
A vulnerability was identified in Yonyou KSOA 9.0. Affected is an unknown function of the file /worksheet/work_mod.jsp of the component HTTP GET Parameter Handler. Such manipulation of the argument ID leads to SQL injection. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | tektoncd_pipeline | >= 0.60.0 < 1.0.1 | 1.0.1 |
| github.com | tektoncd_pipeline | >= 1.1.0 < 1.3.3 | 1.3.3 |
| github.com | tektoncd_pipeline | >= 1.10.0 < 1.10.2 | 1.10.2 |
| github.com | tektoncd_pipeline | >= 1.4.0 < 1.6.1 | 1.6.1 |
| github.com | tektoncd_pipeline | >= 1.7.0 < 1.9.2 | 1.9.2 |
| yonyou | ksoa | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 5.5 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vendor_redhat | — | 6.5 | MEDIUM | — |
GHSA
DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix)
ghsa·2026-04-22
CVE-2026-41240 [MEDIUM] CWE-183 DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix)
There is an inconsistency between FORBID_TAGS and FORBID_ATTR handling when function-based ADD_TAGS is used.
Commit [c361baa](https://github.com/cure53/DOMPurify/commit/c361baa18dbdcb3344a41110f4c48ad85bf48f80) added an early exit for FORBID_ATTR at line 1214:
```js
/* FORBID_ATTR must always win, even if ADD_ATTR predicate would allow it */
if (FORBID_ATTR[lcName]) {
  return false;
}
```
The same fix was not applied to `FORBID_TAGS`. At lines 1118-1123, when `EXTRA_ELEMENT_HANDLING.tagCheck` returns true, short-circuit evaluation skips the `FORBID_TAGS` check entirely:
```js
if (
  !(
    EXTRA_ELEMENT_HANDLING.tagCheck instanceof Function &&
    EXTRA_ELEMENT_HANDLING.tagCheck(tagName) // true -> short-circuits
```
GHSA
Tekton Pipelines controller panic via long resolver name in TaskRun/PipelineRun
ghsa·2026-03-17
CVE-2026-33022 [MEDIUM] CWE-129 Tekton Pipelines controller panic via long resolver name in TaskRun/PipelineRun
### Summary
A user with permission to create or update a TaskRun or PipelineRun can crash the Tekton Pipelines controller by setting `.spec.taskRef.resolver` (or `.spec.pipelineRef.resolver`) to a string of 31 characters or more, causing a denial of service for all reconciliation.
### Details
The controller panics in `GenerateDeterministicNameFromSpec` when building a deterministic `ResolutionRequest` name. The generated name has the format `{resolver}-{hash}` and, when the resolver name is long enough, the result exceeds the DNS-1123 label limit of 63 characters.
The truncation logic attempts to find a word boundary using `strings.LastIndex(name, " ")`. Since the generated name never contains spaces (it i
GHSA
GHSA-gwm8-8jq9-c7h5: A vulnerability was identified in Yonyou KSOA 9
ghsa_unreviewed·2026-01-18
CVE-2026-1123 [MEDIUM] CWE-74 GHSA-gwm8-8jq9-c7h5: A vulnerability was identified in Yonyou KSOA 9
Red Hat
virt-controller-rhel9: kubevirt: kubevirt: Multus default-network annotation injection via unvalidated tenant networkName when ExternalNetResourceInjection is enabled
vendor_redhat·2026-06-26·CVSS 4.9
CVE-2026-13434 [MEDIUM] CWE-20 virt-controller-rhel9: kubevirt: kubevirt: Multus default-network annotation injection via unvalidated tenant networkName when ExternalNetResourceInjection is enabled
A flaw was found in KubeVirt's network annotation generator. When a tenant creates a VirtualMachineInstance with a Multus network configuration, the supplied networkName value is written verbatim into the launcher pod's v1.multus-cni.io/default-network annotation without format validation or sanitization. The only admission check rejects empty strings; no DNS-1123 format validation, JSON detection, or special character rejection is performed. When the ExternalNetResourceInjection Beta feature gate is enabled (off by default, cluster-admin only), the NAD lookup that would otherwise catch malformed names is skipped by design.
No detection rules found.
No public exploits indexed.