CVE-2026-33186
published 2026-03-20
Priority P2 · 63 · critical · 9.1 · CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS 1.56% (72.1st percentile)
gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present.

This affects gRPC-Go servers that meet both of the following conditions: they use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; and their security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule). A policy with no deny rules, or one that denies by default and allows only listed paths, is not affected, because a path that matches no allow rule is refused either way.

The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. A stock gRPC client library always emits a canonical `/Service/Method` path, so exploitation requires a hand-crafted HTTP/2 client, or an intermediary that forwards the malformed pseudo-header unchanged.

The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. Upgrading is the most secure and recommended path. Where an upgrade is not immediately possible, one or more of the following mitigations apply:

- a validating interceptor (recommended mitigation): reject any request whose `info.FullMethod` does not begin with `/` before the authorization interceptor runs;
- infrastructure-level normalization: have the proxy or load balancer in front of the server reject or rewrite non-canonical `:path` values;
- policy hardening: replace the fallback "allow" rule with explicit allow rules for canonical paths, so that an unmatched path is denied rather than admitted.
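The two preconditions above (a path-based interceptor plus a deny-then-fallback-allow policy), the validating-interceptor mitigation and the policy-hardening mitigation, as an added example that is not part of the advisory or of gRPC-Go's own code. The `Rule`/`Policy` types are a deliberately small model of a path-based RBAC policy, not the `grpc/authz` API, so the program runs stand-alone without `google.golang.org/grpc`; in a real server `ValidateFullMethod` is what you call on `info.FullMethod` at the top of a `grpc.UnaryServerInterceptor` and `grpc.StreamServerInterceptor`, returning `status.Error(codes.Unimplemented, ...)` instead of the plain error value used here. The rule names and the `pkg.Admin/DropAll` and `pkg.Admin/Ping` methods are made up for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrNonCanonicalPath is returned for a :path that does not begin with "/".
// It stands in for status.Error(codes.Unimplemented, ...) from
// google.golang.org/grpc (assumed API, not imported so this runs alone).
var ErrNonCanonicalPath = errors.New("unimplemented: non-canonical :path, missing leading slash")

// ValidateFullMethod is the validating-interceptor check: it runs on the raw
// info.FullMethod before any authorization logic sees it.
func ValidateFullMethod(fullMethod string) error {
	if !strings.HasPrefix(fullMethod, "/") {
		return ErrNonCanonicalPath
	}
	return nil
}

// Rule is one entry of a simplified path-based RBAC policy (example type, not
// grpc/authz's own). Paths are canonical "/Service/Method" strings; an empty
// Paths list matches every request, which is the "fallback allow" the
// advisory warns about.
type Rule struct {
	Name  string
	Paths []string
}

// Policy evaluates deny rules first, then allow rules; a request that matches
// neither is denied.
type Policy struct {
	Deny  []Rule
	Allow []Rule
}

func (r Rule) matches(path string) bool {
	if len(r.Paths) == 0 {
		return true
	}
	for _, p := range r.Paths {
		if p == path { // exact comparison on the raw string, no canonicalisation
			return true
		}
	}
	return false
}

// EvaluateLenient reproduces the pre-1.79.3 situation: the raw :path string is
// compared against the policy as-is, so "Service/Method" never equals the deny
// rule's "/Service/Method" and falls through to the fallback allow.
func EvaluateLenient(pol Policy, rawPath string) (allowed bool, rule string) {
	for _, d := range pol.Deny {
		if d.matches(rawPath) {
			return false, d.Name
		}
	}
	for _, a := range pol.Allow {
		if a.matches(rawPath) {
			return true, a.Name
		}
	}
	return false, ""
}

// EvaluateStrict is the mitigated form: validate first, evaluate second. This
// is also the order a 1.79.3 server enforces before interceptors are invoked.
func EvaluateStrict(pol Policy, rawPath string) (bool, string, error) {
	if err := ValidateFullMethod(rawPath); err != nil {
		return false, "", err
	}
	allowed, rule := EvaluateLenient(pol, rawPath)
	return allowed, rule, nil
}

func main() {
	// Vulnerable policy shape: one deny rule on a canonical path, fallback allow.
	pol := Policy{
		Deny:  []Rule{{Name: "deny-drop", Paths: []string{"/pkg.Admin/DropAll"}}},
		Allow: []Rule{{Name: "allow-everything"}},
	}
	// Hardened policy: no fallback, only explicitly listed canonical paths pass.
	hardened := Policy{
		Deny:  pol.Deny,
		Allow: []Rule{{Name: "allow-ping", Paths: []string{"/pkg.Admin/Ping"}}},
	}
	for _, p := range []string{"/pkg.Admin/DropAll", "pkg.Admin/DropAll", "/pkg.Admin/Ping"} {
		ok, rule := EvaluateLenient(pol, p)
		fmt.Printf("lenient   %-20q allowed=%-5v rule=%q\n", p, ok, rule)
		ok, rule, err := EvaluateStrict(pol, p)
		fmt.Printf("strict    %-20q allowed=%-5v rule=%q err=%v\n", p, ok, rule, err)
		ok, rule = EvaluateLenient(hardened, p)
		fmt.Printf("hardened  %-20q allowed=%-5v rule=%q\n", p, ok, rule)
	}
}
```

The lenient evaluation lets `pkg.Admin/DropAll` through on the fallback rule while denying `/pkg.Admin/DropAll`; the strict evaluation refuses the non-canonical form before the policy is consulted, and the hardened policy refuses it even without the validation step because nothing allows it explicitly.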
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-google-grpc | — | — |
| github.com | traefik_traefik_v2 | >= 0 < 2.11.42 | 2.11.42 |
| github.com | traefik_traefik_v3 | >= 3.0.0-beta3 < 3.6.12 | 3.6.12 |
| github.com | traefik_traefik_v3 | >= 3.7.0-ea.1 < 3.7.0-ea.3 | 3.7.0-ea.3 |
| google.golang.org | grpc | >= 0 < 1.79.3 | 1.79.3 |
| grpc | grpc | < 1.79.3 | 1.79.3 |
| grpc | grpc-go | < 1.79.3 | 1.79.3 |
| msrc | azl3_grpc_1.62.3-1_on_azure_linux_3.0 | — | — |
| msrc | cbl2_grpc_1.42.0-11_on_cbl_mariner_2.0 | — | — |
Detection & IOCs (extracted from sources)
- Detect HTTP/2 requests where the `:path` pseudo-header does not begin with a leading slash (e.g., `Service/Method` instead of `/Service/Method`); this is the malformed input used to exploit the authorization bypass.
- Flag or block gRPC-over-HTTP/2 requests whose raw `:path` value does not start with `/`. Patched servers reject these with `codes.Unimplemented`; vulnerable ones route them silently, so a successful (non-`Unimplemented`) response to such a request is itself evidence of an unpatched server.
- Monitor for exploitation attempts by inspecting raw HTTP/2 frames sent directly to gRPC servers for malformed `:path` headers lacking a leading slash. This requires visibility into the decoded HEADERS frame (server-side access logging, a TLS-terminating proxy, or a decrypted capture), since the pseudo-header is HPACK-encoded on the wire.
- Only gRPC-Go servers that use path-based authorization interceptors (e.g., `google.golang.org/grpc/authz` RBAC, or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`) and whose policy combines specific "deny" rules for canonical paths with a fallback "allow" rule are exploitable. Servers without this policy pattern are not.
- Authorization interceptors evaluate the raw, non-canonical path string, so "deny" rules written with canonical paths (starting with `/`) fail to match the malformed request and the fallback "allow" rule admits it.
- Affected versions are gRPC-Go prior to 1.79.3. Upgrading to 1.79.3 is the recommended fix; interim mitigations are a validating interceptor, infrastructure-level normalization, and/or policy hardening.
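The first two detection items above (flag gRPC requests whose raw `:path` lacks the leading slash) run over access-log lines, as an added example that is not part of the page's sources. It assumes newline-delimited JSON with `client_ip`, `path` and `content_type` fields, which is an assumption for the example; map the names to whatever your ingress proxy or gRPC server actually emits. The sample lines and the addresses in them are constructed, not real traffic.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// logEntry is the subset of fields read from one JSON access-log line. The
// field names are an assumption for this example.
type logEntry struct {
	ClientIP    string `json:"client_ip"`
	Path        string `json:"path"`
	ContentType string `json:"content_type"`
}

// Finding is one flagged request.
type Finding struct {
	Line     int
	ClientIP string
	Path     string
}

// IsGRPC reports whether the request carried a gRPC content type
// (application/grpc, application/grpc+proto, application/grpc-web, ...).
// If your log has no content type, drop this filter and flag every path.
func IsGRPC(contentType string) bool {
	return strings.HasPrefix(strings.ToLower(contentType), "application/grpc")
}

// IsCanonicalPath is the detection predicate from the advisory: a gRPC :path
// must begin with "/". Anything else is the malformed input this bug needs.
func IsCanonicalPath(path string) bool {
	return strings.HasPrefix(path, "/")
}

// ScanAccessLog reads newline-delimited JSON and returns every gRPC request
// whose :path lacks the leading slash. A line that fails to parse is an error,
// not a skip: a detector that silently drops unparsable lines is itself a gap.
func ScanAccessLog(r io.Reader) ([]Finding, error) {
	var findings []Finding
	sc := bufio.NewScanner(r)
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var e logEntry
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return findings, fmt.Errorf("line %d: %w", n, err)
		}
		if !IsGRPC(e.ContentType) || IsCanonicalPath(e.Path) {
			continue
		}
		findings = append(findings, Finding{Line: n, ClientIP: e.ClientIP, Path: e.Path})
	}
	return findings, sc.Err()
}

// CountBySource aggregates findings per client so repeated probing stands out.
func CountBySource(fs []Finding) map[string]int {
	counts := make(map[string]int)
	for _, f := range fs {
		counts[f.ClientIP]++
	}
	return counts
}

// SampleLog is constructed for this example; it is not real traffic.
const SampleLog = `{"client_ip":"10.0.0.5","path":"/pkg.Admin/Ping","content_type":"application/grpc"}
{"client_ip":"198.51.100.7","path":"pkg.Admin/DropAll","content_type":"application/grpc"}
{"client_ip":"10.0.0.5","path":"/pkg.Admin/DropAll","content_type":"application/grpc"}
{"client_ip":"198.51.100.7","path":"healthz","content_type":"text/plain"}
{"client_ip":"198.51.100.7","path":"pkg.Admin/DropAll","content_type":"application/grpc+proto"}
`

func main() {
	findings, err := ScanAccessLog(strings.NewReader(SampleLog))
	if err != nil {
		fmt.Println("scan error:", err)
	}
	for _, f := range findings {
		fmt.Printf("line %d: non-canonical gRPC :path %q from %s\n", f.Line, f.Path, f.ClientIP)
	}
	fmt.Println("per-source counts:", CountBySource(findings))
}
```

Lines 2 and 5 are flagged (both from the same source); line 4 is not, because it is not a gRPC request, and the canonical `/pkg.Admin/DropAll` on line 3 is a normal request that the policy itself is expected to deny. Note that a denied gRPC call still carries HTTP status 200 with the error in the `grpc-status` trailer, so do not filter on HTTP status.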
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| ghsa | 9.1 | CRITICAL | |
| osv | 9.1 | CRITICAL | |
| vendor_debian | 9.1 | CRITICAL | |
| vendor_redhat | 9.1 | CRITICAL | |
| vendor_msrc | 8.1 | HIGH | |
VulDB
grpc grpc-go up to 1.79.2 improper authorization (EUVD-2026-13830 / Nessus ID 303458)
vuldb·2026-05-04·CVSS 9.1
A vulnerability was found in grpc grpc-go up to 1.79.2. It has been declared as critical. Impacted is an unknown function. Such manipulation leads to improper authorization.
This vulnerability is listed as CVE-2026-33186. The attack may be performed from remote. There is no available exploit.
It is recommended to upgrade the affected component.
OSV
Traefik: Deny Rule Bypass via Unauthenticated Malicious gRPC Requests in gRPC-Go Dependency (CVE-2026-33186) in github.com/traefik/traefik
osv·2026-04-02·CVSS 9.1
GHSA
Traefik: Deny Rule Bypass via Unauthenticated Malicious gRPC Requests in gRPC-Go Dependency (CVE-2026-33186)
ghsa·2026-03-29·CVSS 9.1·CWE-1395
## Summary
There is a potential vulnerability in Traefik due to its dependency on an affected version of gRPC-Go (CVE-2026-33186).
A remote, unauthenticated attacker can send gRPC requests with a malformed HTTP/2 `:path` pseudo-header omitting the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server routes such requests correctly, path-based authorization interceptors evaluate the raw non-canonical path and fail to match "deny" rules, allowing the request to bypass the policy entirely if a fallback "allow" rule is present.
## Patches
- https://github.com/traefik/traefik/releases/tag/v2.11.42
- https://github.com/traefik/traefik/release
OSV
Traefik: Deny Rule Bypass via Unauthenticated Malicious gRPC Requests in gRPC-Go Dependency (CVE-2026-33186)
osv·2026-03-29·CVSS 9.1
Same advisory text as the GHSA Traefik entry above.
OSV
Authorization bypass in gRPC-Go via missing leading slash in :path in google.golang.org/grpc
osv·2026-03-27
OSV
CVE-2026-33186: gRPC-Go is the Go language implementation of gRPC
osv·2026-03-20·CVSS 9.1
GHSA
gRPC-Go has an authorization bypass via missing leading slash in :path
ghsa·2026-03-18·CWE-285
### Impact
It is an **Authorization Bypass** resulting from **Improper Input Validation** of the HTTP/2 `:path` pseudo-header.
OSV
gRPC-Go has an authorization bypass via missing leading slash in :path
osv·2026-03-18
Same advisory text as the GHSA gRPC-Go entry above.
Red Hat
google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation
vendor_redhat·2026-03-20·CVSS 9.1·CWE-551
Microsoft
gRPC-Go has an authorization bypass via missing leading slash in :path
vendor_msrc·2026-03-10·CVSS 8.1·CWE-285
Products: Mariner, GitHub_M
Customer Action Required: Yes
Debian
CVE-2026-33186: golang-google-grpc
vendor_debian·2026·CVSS 9.1
No detection rules found.
No public exploits indexed.
Wiz
CVE-2025-61730 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-61730 [MEDIUM] CVE-2025-61730 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-61730 :
cAdvisor vulnerability analysis and mitigation
During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake.
Source : NVD
## 5.3
Score
Published January 28, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
cAdvisor
Docker
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cilium-fip
Wiz
CVE-2026-20883 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-20883 [MEDIUM] CVE-2026-20883 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-20883 :
Gitea vulnerability analysis and mitigation
Gitea's stopwatch API does not re-validate repository access permissions. After a user's access to a private repository is revoked, they may still view issue titles and repository names through previously started stopwatches.
Source : NVD
## 6.5
Score
Published January 22, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
Gitea
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
github.com/go-gitea/gitea
gitea
Sources
Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21, 3.22, 3.23, edge Severity MEDIUM No Fix Added at
Wiz
CVE-2026-27139 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.5
CVE-2026-27139 [LOW] CVE-2026-27139 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27139 :
cAdvisor vulnerability analysis and mitigation
On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root.
Source : NVD
## 2.5
Score
Published March 6, 2026
Severity LOW
CNA Score 2.5
Affected Technologies
cAdvisor
Packer
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
eks-distro-1.33
c
Wiz
CVE-2026-35204 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-35204 [MEDIUM] CVE-2026-35204 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35204 :
Helm vulnerability analysis and mitigation
Helm is a package manager for Charts for Kubernetes. From 4.0.0 to 4.1.3, a specially crafted Helm plugin, when installed or updated, will cause Helm to write the contents of the plugin to an arbitrary filesystem location. To prevent this, validate that the plugin.yaml of the Helm plugin does not include a version: field containing POSIX dot-dot path separators ie. "/../". This vulnerability is fixed in 4.1.4.
Source : NVD
## 8.4
Score
Published April 9, 2026
Severity HIGH
CNA Score 8.4
Affected Technologies
Helm
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and
Wiz
CVE-2025-68121 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 10.0
CVE-2025-68121 [CRITICAL] CVE-2025-68121 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68121 :
cAdvisor vulnerability analysis and mitigation
During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.
Wiz Threat Research note: This vulnerability's CVSS vector has been overridden to Privileges Required HIGH by the Wiz Research team, as exploita
Wiz
CVE-2025-61732 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
CVE-2025-61732 [HIGH] CVE-2025-61732 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-61732 :
cAdvisor vulnerability analysis and mitigation
A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.
Source : NVD
## 8.6
Score
Published February 5, 2026
Severity HIGH
CNA Score 8.6
Affected Technologies
cAdvisor
Terraform Community
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
mongodb-kubernetes-operator-fips
nats-top
Sources
AlmaLinux 8 Severity HIGH Has Fix Added at: Feb 16, 2026
AlmaLinux 9 Severity HIGH Has Fix Added at: Feb 18, 2026
Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21, 3.22
Wiz
CVE-2026-20800 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-20800 [MEDIUM] CVE-2026-20800 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-20800 :
Gitea vulnerability analysis and mitigation
Gitea's notification API does not re-validate repository access permissions when returning notification details. After a user's access to a private repository is revoked, they may still view issue and pull request titles through previously received notifications.
Source : NVD
## 6.5
Score
Published January 22, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
Gitea
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:gitea:gitea
gitea
Sources
Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21, 3.22, 3.23, ed
Wiz
CVE-2025-47911 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-47911 [MEDIUM] CVE-2025-47911 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-47911 :
Terraform Community vulnerability analysis and mitigation
The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.
Source : NVD
## 5.3
Score
Published February 5, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
Terraform Community
Packer
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cri-o
kubernetes
Sources
NVD
CBL-Mariner 2.0 Severity MEDIUM Has Fix Added at: Mar 04, 2026
CBL-Mariner 3.0 Severity MEDIUM Has Fix Added at: M
Wiz
CVE-2026-0798 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 3.5
CVE-2026-0798 [LOW] CVE-2026-0798 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-0798 :
Gitea vulnerability analysis and mitigation
Gitea may send release notification emails for private repositories to users whose access has been revoked. When a repository is changed from public to private, users who previously watched the repository may continue to receive release notifications, potentially disclosing release titles, tags, and content.
Source : NVD
## 3.5
Score
Published January 22, 2026
Severity LOW
CNA Score 3.5
Affected Technologies
Gitea
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
code.gitea.io/gitea
cpe:2.3:a:gitea:gitea
Sources
Alpine 3.10, 3.11, 3.12, 3.13, 3.14,
Wiz
CVE-2025-58190 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-58190 [MEDIUM] CVE-2025-58190 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-58190 :
Packer vulnerability analysis and mitigation
The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.
Source : NVD
## 5.3
Score
Published February 5, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
Packer
Grafana
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cloud-provider-kubevirt
docker-buildx
Sources
NVD
CBL-Mariner 2.0 Severity MEDIUM Has Fix Added at: Mar 04, 2026
CBL-Mariner 3.0 Severity MEDIUM Has Fix Added at: Mar 13,
Wiz
CVE-2026-34165 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2026-34165 [MEDIUM] CVE-2026-34165 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34165 :
Packer vulnerability analysis and mitigation
go-git is an extensible git implementation library written in pure Go. From version 5.0.0 to before version 5.17.1, a vulnerability has been identified in which a maliciously crafted .idx file can cause asymmetric memory consumption, potentially exhausting available memory and resulting in a denial-of-service (DoS) condition. Exploitation requires write access to the local repository's .git directory, it order to create or alter existing .idx files. This issue has been patched in version 5.17.1.
Source : NVD
## 5
Score
Published March 31, 2026
Severity MEDIUM
CNA Score 5.0
Affected Technologies
Packer
Grafana
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploi
Wiz
CVE-2026-27142 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2026-27142 [MEDIUM] CVE-2026-27142 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27142 :
cAdvisor vulnerability analysis and mitigation
Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh". A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0.
Source : NVD
## 6.1
Score
Published March 6, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
cAdvisor
Packer
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.6
Exploitation Probability (EPSS) N/A
Affected packages and librari
Wiz
CVE-2026-33762 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2026-33762 [MEDIUM] CVE-2026-33762 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33762 :
Packer vulnerability analysis and mitigation
go-git is an extensible git implementation library written in pure Go. Prior to version 5.17.1, go-git’s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can trigger an out-of-bounds slice operation, resulting in a runtime panic during normal index parsing. This issue only affects Git index format version 4. Earlier formats (go-git supports only v2 and v3) are not vulnerable to this issue. This issue has been patched in version 5.17.1.
Source : NVD
## 2.8
Score
Published March 31, 2026
Severity LOW
CNA Score 2.8
Affected Technologies
Packer
Grafana
Has Public Exploit No
Has CISA KEV Exploit N
Wiz
CVE-2026-35205 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-35205 [MEDIUM] CVE-2026-35205 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35205 :
Helm vulnerability analysis and mitigation
Helm is a package manager for Charts for Kubernetes. From 4.0.0 to 4.1.3, Helm will install plugins missing provenance (.prov file) when signature verification is required. This vulnerability is fixed in 4.1.4.
Source : NVD
## 8.4
Score
Published April 9, 2026
Severity HIGH
CNA Score 8.4
Affected Technologies
Helm
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:helm:helm
helm
Sources
NVD
Chainguard No Fix Added at: Apr 10, 2026
Linux Has Fix Added at: Apr 10, 2026
Wolfi No Fix Added at: Apr 10, 2026
## Get a CVE risk assessment
Ge
Wiz
CVE-2025-61726 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2025-61726 [HIGH] CVE-2025-61726 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-61726 :
cAdvisor vulnerability analysis and mitigation
The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption.
Source : NVD
## 7.5
Score
Published January 28, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
cAdvisor
Docker
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
gcp-compute-per
Wiz
CVE-2026-32285 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.5
CVE-2026-32285 [LOW] CVE-2026-32285 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32285 :
MinIO vulnerability analysis and mitigation
The Delete function fails to properly validate offsets when processing malformed JSON input. This can lead to a negative slice index and a runtime panic, allowing a denial of service attack.
Source : NVD
## 7.5
Score
Published March 26, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
MinIO
Rclone
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 17.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
redpanda-25.3
maru
Sources
NVD
Chainguard Has Fix Added at: Apr 02, 2026
Debian 11, 12, 13 Severity MEDIUM No Fix Added at: Mar 29, 2026
Debian 14 Severity HIGH Has Fix Added at: Mar 29, 2026
E
Wiz
CVE-2026-20897 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.1
CVE-2026-20897 [CRITICAL] CVE-2026-20897 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-20897 :
Gitea vulnerability analysis and mitigation
Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories.
Source : NVD
## 9.1
Score
Published January 22, 2026
Severity CRITICAL
CNA Score 9.1
Affected Technologies
Gitea
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:gitea:gitea
github.com/go-gitea/gitea
Sources
Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21, 3.22, 3.23, edge Severity CRITICAL No Fix Added at: Jan 30, 2026
Wiz
CVE-2025-6010 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2025-6010 [HIGH] CVE-2025-6010 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-6010 :
HashiCorp Vault vulnerability analysis and mitigation
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Source : NVD
Published February 10, 2026
Severity MEDIUM
CNA Score N/A
High-profile Vulnerability Yes
Affected Technologies
HashiCorp Vault
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:hashicorp:vault
Sources
Linux Severity MEDIUM Has Fix Added at: Aug 13, 2025
Windows Severity MEDIUM Has Fix Added at: Aug 13, 2025
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not j
Wiz
CVE-2026-26958 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 1.7
CVE-2026-26958 [LOW] CVE-2026-26958 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-26958 :
HashiCorp Vault vulnerability analysis and mitigation
filippo.io/edwards25519 is a Go library implementing the edwards25519 elliptic curve with APIs for building cryptographic primitives. In versions 1.1.0 and earlier, MultiScalarMult produces invalid results or undefined behavior if the receiver is not the identity point. If (*Point).MultiScalarMult is called on an initialized point that is not the identity point, it returns an incorrect result. If the method is called on an uninitialized point, the behavior is undefined. In particular, if the receiver is the zero value, MultiScalarMult returns an invalid point that compares Equal to every other point. Note that MultiScalarMult is a rarely used, advanced API. For example, users who depend on filippo.io/edwards25519 o
Wiz
CVE-2026-25934 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3 [MEDIUM]
## CVE-2026-25934: Packer vulnerability analysis and mitigation
go-git is a highly extensible git implementation library written in pure Go. Prior to 5.16.5, a vulnerability was discovered in go-git whereby data integrity values for .pack and .idx files were not properly verified. This resulted in go-git potentially consuming corrupted files, which would likely result in unexpected errors such as object not found. For context, clients fetch packfiles from upstream Git servers. Those files contain a checksum of their contents, so that clients can perform integrity checks before consuming them. The pack indexes (.idx) are generated locally by go-git, or the git cli, when new .pack files are received and processed. The integrity checks for both files were not being verified correctly. This v
Wiz
CVE-2025-68119 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.0 [HIGH]
## CVE-2025-68119: cAdvisor vulnerability analysis and mitigation
Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial (hg) installed, downloading modules from non-standard sources (e.g., custom domains) can cause unexpected code execution due to how external VCS commands are constructed. This issue can also be triggered by providing a malicious version string to the toolchain. On systems with Git installed, downloading and building modules with malicious version strings can allow an attacker to write to arbitrary files on the filesystem. This can only be triggered by explicitly providing the malicious version strings to the toolchain and does not affect usage of @latest or bare module paths.
Source : NVD
Score 7
Wiz
CVE-2026-1229 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.9 [LOW]
## CVE-2026-1229: Packer vulnerability analysis and mitigation
The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas.
ECDH and ECDSA signing relying on this curve are not affected.
The bug was fixed in v1.6.3 https://github.com/cloudflare/circl/releases/tag/v1.6.3 .
Source : NVD
Score 2.9
Published February 24, 2026
Severity LOW
CNA Score 2.9
Affected Technologies
Packer
HashiCorp Vault
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
crossplane-2.0
terragrunt-fips
Sources
NVD
Chai
Wiz
CVE-2026-25679 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5 [HIGH]
## CVE-2026-25679: cAdvisor vulnerability analysis and mitigation
url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.
Source : NVD
Score 7.5
Published March 6, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
cAdvisor
Packer
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
logstash-9.1
vault
Sources
NVD
AlmaLinux 9 Severity HIGH Has Fix Added at: Mar 29, 2026
Alpine 3.23 Severity HIGH Has Fix Added at: Mar 09, 2026
Alpine edge Severity HIGH Has Fix Added at: Mar 08, 2026
CBL-Mariner 3.0 Severity HIGH Has Fix Added at: Mar 29, 2026
Chainguard Has Fix A
Wiz
CVE-2026-34986 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5 [HIGH]
## CVE-2026-34986: Packer vulnerability analysis and mitigation
Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, including support for JSON Web Encryption (JWE), JSON Web Signature (JWS), and JSON Web Token (JWT) standards. Prior to 4.1.4 and 3.0.5, decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap() in key_wrap.go attempts to allocate a slice with a zero or negative length based on the length of the encrypted_key. This code path is reachable from ParseEncrypted() / ParseEncryptedJSON() / ParseEncryptedCompact() follow
Wiz
CVE-2026-33186 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.5 [LOW]
## CVE-2026-33186: cAdvisor vulnerability analysis and mitigation
Identifiers referenced in the description: `:path`, `Service/Method`, `/Service/Method`, `grpc/authz`, `/`, `google.golang.org/grpc/authz`, `info.FullMethod`, `grpc.Method(ctx)`, `codes.Unimplemented`
Source : NVD
Score 9.1
Published March 20, 2026
Severity CRITICAL
CNA Score 9.1
Affected Technologies
cAdvisor
Terraform Community
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
milvus-2.6
vault-csi-provider-fips
Sources
NVD
Chainguard Has Fix Added at: Mar 20, 2026
Debian 11, 12, 13, 14 Severity CRITICAL No Fix Added at: Mar 29, 2026
Echo Severity CRITICAL No Fix Added at: Mar
Wiz
CVE-2026-34040 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.5 [LOW]
## CVE-2026-34040: cAdvisor vulnerability analysis and mitigation
Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows attackers to bypass authorization plugins (AuthZ). This issue has been patched in version 29.3.1.
Source : NVD
Score 7.8
Published March 31, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
cAdvisor
Docker
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
github.com/moby/moby
wolfictl
Sources
Alpine edge Severity HIGH Has Fix Added at: Mar 31, 2026
Chainguard Has Fix Added at: Mar 29, 2026
Debian 11, 12, 13, 14
Wiz
CVE-2026-24051 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.0 [HIGH]
## CVE-2026-24051: Packer vulnerability analysis and mitigation
OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in versions v1.20.0 through 1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system command using a search path rather than an absolute path. An attacker with the ability to locally modify the PATH environment variable can achieve Arbitrary Code Execution (ACE) within the context of the application. A fix was released with v1.40.0.
Source : NVD
Score 7
Published February 2, 2026
Severity HIGH
CNA Score 7.0
Affected Technologies
Packer
HashiCorp Vault
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Expl
Wiz
CVE-2026-39883 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.0 [HIGH]
## CVE-2026-39883: Prometheus vulnerability analysis and mitigation
OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms. This vulnerability is fixed in 1.43.0.
Source : NVD
Score 7.3
Published April 8, 2026
Severity HIGH
CNA Score 7.3
Affected Technologies
Prometheus
Docker Compose
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cluster-api-fips-1.10
grafana-mimir-2.17
Source
Wiz
CVE-2026-32287 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5 [HIGH]
## CVE-2026-32287: Amazon CloudWatch Agent vulnerability analysis and mitigation
Boolean XPath expressions that evaluate to true can cause an infinite loop in logicalQuery.Select, leading to 100% CPU usage. This can be triggered by top-level selectors such as "1=1" or "true()".
Source : NVD
Score 7.5
Published March 26, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
Amazon CloudWatch Agent
Wolfi
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.3
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
opentelemetry-collector
tempo
Sources
NVD
Chainguard Has Fix Added at: Mar 31, 2026
Debian 11 Severity MEDIUM No Fix Added at: Mar 29, 2026
Debian 12, 1
Wiz
CVE-2026-20736 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5 [HIGH]
## CVE-2026-20736: Gitea vulnerability analysis and mitigation
Gitea does not properly verify repository context when deleting attachments. A user who previously uploaded an attachment to a repository may be able to delete it after losing access to that repository by making the request through a different repository they can access.
Source : NVD
Score 7.5
Published January 22, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
Gitea
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
code.gitea.io/gitea
cpe:2.3:a:gitea:gitea
Sources
Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.
Wiz
CVE-2026-20750 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.1 [CRITICAL]
## CVE-2026-20750: Gitea vulnerability analysis and mitigation
Gitea does not properly validate project ownership in organization project operations. A user with project write access in one organization may be able to modify projects belonging to a different organization.
Source : NVD
Score 9.1
Published January 22, 2026
Severity CRITICAL
CNA Score 9.1
Affected Technologies
Gitea
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:gitea:gitea
gitea
Sources
Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21, 3.22, 3.23, edge Severity CRITICAL No Fix Added at: Jan 30, 2026
Wiz
CVE-2025-61728 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5 [MEDIUM]
## CVE-2025-61728: cAdvisor vulnerability analysis and mitigation
archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.
Source : NVD
Score 6.5
Published January 28, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
cAdvisor
Docker
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
timoni
kube-rbac-proxy
Sources
AlmaLinux 8 Severity HIGH Has Fix Added at: Feb 16, 2026
AlmaLinux 9 Severity HIGH Has Fix Added at: Feb 18, 2026
Alpine 3.10, 3.1
Wiz
CVE-2026-33997 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1 [MEDIUM]
## CVE-2026-33997: cAdvisor vulnerability analysis and mitigation
Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows plugins privilege validation to be bypassed during docker plugin install. Due to an error in the daemon's privilege comparison logic, the daemon may incorrectly accept a privilege set that differs from the one approved by the user. Plugins that request exactly one privilege are also affected, because no comparison is performed at all. This issue has been patched in version 29.3.1.
Source : NVD
Score 8.1
Published March 31, 2026
Severity HIGH
CNA Score 6.8
Affected Technologies
cAdvisor
Docker
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N
Wiz
CVE-2026-39882 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.5 [LOW]
## CVE-2026-39882: Prometheus vulnerability analysis and mitigation
OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to 1.43.0, the otlp HTTP exporters (traces/metrics/logs) read the full HTTP response body into an in-memory bytes.Buffer without a size cap. This is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can intercept, MITM-style, the exporter connection). This vulnerability is fixed in 1.43.0.
Source : NVD
Score 5.3
Published April 8, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
Prometheus
Wolfi
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.4
Exploitation Probability (EPSS) N/A
Affecte
Wiz
CVE-2025-11065 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3 [MEDIUM]
## CVE-2025-11065: Terraform Community vulnerability analysis and mitigation
A flaw was found in github.com/go-viper/mapstructure/v2, in the field processing component using mapstructure.WeakDecode. This vulnerability allows information disclosure through detailed error messages that may leak sensitive input values via malformed user-supplied data processed in security-critical contexts.
Source : NVD
Score 5.3
Published January 26, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
Terraform Community
Packer
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
grafana-11.2
kyverno-fips-1.12
Sources
NVD
Wiz
CVE-2026-20912 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.1 [CRITICAL]
## CVE-2026-20912: Gitea vulnerability analysis and mitigation
Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized users.
Source : NVD
Score 9.1
Published January 22, 2026
Severity CRITICAL
CNA Score 9.1
Affected Technologies
Gitea
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:gitea:gitea
github.com/go-gitea/gitea
Sources
Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21
Wiz
CVE-2026-33809 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 10.0 [CRITICAL]
## CVE-2026-33809: Rclone vulnerability analysis and mitigation
A maliciously crafted TIFF file can cause image decoding to attempt to allocate up to 4GiB of memory, causing either excessive resource consumption or an out-of-memory error.
Source : NVD
Score 5.3
Published March 25, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
Rclone
Wolfi
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
go-toolset:rhel8::golang-tests
golang-bin
Sources
NVD
Chainguard Has Fix Added at: Mar 31, 2026
Debian 11, 12, 13 Severity MEDIUM No Fix Added at: Mar 29, 2026
Debian 14 Severity MEDIUM Has Fix Added at: Mar 29
Wiz
CVE-2026-20904 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5 [MEDIUM]
## CVE-2026-20904: Gitea vulnerability analysis and mitigation
Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other users' OpenID identities.
Source : NVD
Score 6.5
Published January 22, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
Gitea
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
github.com/go-gitea/gitea
cpe:2.3:a:gitea:gitea
Sources
Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21, 3.22, 3.23, edge Severity MEDIUM No Fix Added at: Jan 30, 2026
Chainguard
Wiz
CVE-2026-20888 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3 [MEDIUM]
## CVE-2026-20888: Gitea vulnerability analysis and mitigation
Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface. A user with read access to pull requests may be able to cancel auto-merges scheduled by other users.
Source : NVD
Score 4.3
Published January 22, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
Gitea
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
github.com/go-gitea/gitea
cpe:2.3:a:gitea:gitea
Sources
Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21, 3.22, 3.23, edge Severity MEDIUM No Fix Added at: Jan
Wiz
CVE-2026-27138 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5 [HIGH]
## CVE-2026-27138: HashiCorp Vault vulnerability analysis and mitigation
Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constraints. This can crash programs that are either directly verifying X.509 certificate chains, or those that use TLS.
Source : NVD
Score 5.9
Published March 6, 2026
Severity MEDIUM
CNA Score 5.9
Affected Technologies
HashiCorp Vault
Prometheus
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
aws-otel-collector
gitlab-runner-fips-18.9
Sources
NVD
Alpine edge Severity MEDIUM Has Fix Added a
Wiz
CVE-2025-61731 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.8 [HIGH]
## CVE-2025-61731: cAdvisor vulnerability analysis and mitigation
Building a malicious file with cmd/go can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides command-line arguments to pass to the pkg-config command. An attacker can supply a "--log-file" argument through this directive, causing pkg-config to write to an attacker-controlled location.
Source : NVD
Score 7.8
Published January 28, 2026
Severity HIGH
CNA Score 7.8
Affected Technologies
cAdvisor
Terraform Community
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.1
Exploitation Probability (EPSS) N/A
Affected
Bugzilla
CVE-2026-33186 grpc: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation [fedora-42]
bugzilla·2026-03-23·CVSS 9.1 [CRITICAL]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '42'.
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained vers
Bugzilla
CVE-2026-33186 google.golang.org/grpc/grpc-go: google.golang.org/grpc/authz: gRPC-Go: Authorization bypass due to improper HTTP/2 path validation
bugzilla·2026-03-20·CVSS 9.1 [CRITICAL]
gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with `/`) failed to mat
Published 2026-03-20