CVE-2026-34976
Published 2026-04-06
Priority P2 · 71 · Critical 10.0 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.45% (36.0th percentile)
Dgraph is an open source distributed GraphQL database. Prior to 25.3.1, the restoreTenant admin mutation is missing from the authorization middleware config (admin.go), making it completely unauthenticated. Unlike the similar restore mutation which requires Guardian-of-Galaxy authentication, restoreTenant executes with zero middleware. This mutation accepts attacker-controlled backup source URLs (including file:// for local filesystem access), S3/MinIO credentials, encryption key file paths, and Vault credential file paths. An unauthenticated attacker can overwrite the entire database, read server-side files, and perform SSRF. This vulnerability is fixed in 25.3.1.
## Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dgraph-io | dgraph | < 25.3.1 | 25.3.1 |
| dgraph | dgraph | <= 25.3.0 | — |
| github.com | dgraph-io_dgraph | 0 – 1.2.8 | — |
| github.com | dgraph-io_dgraph_v24 | 0 – 24.0.5 | — |
| github.com | dgraph-io_dgraph_v25 | >= 0 < 25.3.1 | 25.3.1 |
## Detection & IOCs
- Monitor for unauthenticated GraphQL admin mutation calls to 'restoreTenant' — this endpoint has no authorization middleware and should never be called without authentication
- Alert on restoreTenant mutation requests that supply file:// scheme URLs as backup source, indicating local filesystem read/SSRF abuse
- Inspect Dgraph admin API traffic for restoreTenant calls originating from unauthenticated/anonymous sessions — legitimate use requires Guardian-of-Galaxy auth like the sibling restore mutation
- Attack surface includes S3/MinIO credentials, encryption key file paths, and Vault credential file paths passed as mutation parameters — all attacker-controlled inputs with no server-side validation gate
## GHSA (2026-04-02)
CVE-2026-34976 [CRITICAL] CWE-862: Dgraph: Pre-Auth Database Overwrite + SSRF + File Read via restoreTenant Missing Authorization
The `restoreTenant` admin mutation is missing from the authorization middleware config (`admin.go:499-522`), making it completely unauthenticated. Unlike the similar `restore` mutation which requires Guardian-of-Galaxy authentication, `restoreTenant` executes with zero middleware.
This mutation accepts attacker-controlled backup source URLs (including `file://` for local filesystem access), S3/MinIO credentials, encryption key file paths, and Vault credential file paths. An unauthenticated attacker can overwrite the entire database, read server-side files, and perform SSRF.
## Authentication Bypass
Every admin mutation has middleware configured in `adminMutationMWConfig` (`admin.go:499-522`)
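The advisory's root cause is an allowlist of middleware chains in which an unlisted mutation silently runs with no checks at all. The Go program below is an added illustration of that pattern and of the fail-closed alternative; it is not Dgraph's `admin.go`, and the `Request` type, the `mwConfig` map standing in for `adminMutationMWConfig`, and the extra `backup` mutation name are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Request models the parts of an admin GraphQL request that matter here
// (constructed for this example; not Dgraph's types).
type Request struct {
	Mutation      string // top-level admin mutation name, e.g. "restoreTenant"
	Authenticated bool   // whether a valid Guardian-of-Galaxy credential was presented
}

// Middleware inspects a request and returns a non-nil error to reject it.
type Middleware func(Request) error

// requireGuardianOfGalaxy mirrors the check the advisory says protects `restore`.
func requireGuardianOfGalaxy(r Request) error {
	if !r.Authenticated {
		return errors.New("unauthorized: Guardian-of-Galaxy authentication required")
	}
	return nil
}

// adminMutations is the full set of mutations exposed by the admin schema.
// Constructed: only `restore` and `restoreTenant` come from the advisory;
// `backup` is an assumed extra entry so the audit has more than one hit to skip.
var adminMutations = []string{"backup", "restore", "restoreTenant"}

// mwConfig stands in for adminMutationMWConfig: middleware chains keyed by
// mutation name. `restoreTenant` is deliberately absent, reproducing the
// pre-25.3.1 state the advisory describes.
var mwConfig = map[string][]Middleware{
	"backup":  {requireGuardianOfGalaxy},
	"restore": {requireGuardianOfGalaxy},
}

// dispatchFailOpen runs whatever middleware is configured and nothing else.
// A mutation missing from the map therefore executes with zero middleware:
// this is the shape of the bug.
func dispatchFailOpen(cfg map[string][]Middleware, r Request) error {
	for _, mw := range cfg[r.Mutation] {
		if err := mw(r); err != nil {
			return err
		}
	}
	return nil // mutation would now execute
}

// dispatchFailClosed refuses any mutation that has no explicit middleware chain,
// so a forgotten config entry becomes a denial instead of an auth bypass.
func dispatchFailClosed(cfg map[string][]Middleware, r Request) error {
	chain, ok := cfg[r.Mutation]
	if !ok {
		return fmt.Errorf("mutation %q has no middleware configured; refusing", r.Mutation)
	}
	for _, mw := range chain {
		if err := mw(r); err != nil {
			return err
		}
	}
	return nil
}

// auditMissingMiddleware returns every admin mutation with no entry in cfg.
// Running this as a unit test against the real schema catches the gap at build time.
func auditMissingMiddleware(schema []string, cfg map[string][]Middleware) []string {
	var missing []string
	for _, name := range schema {
		if _, ok := cfg[name]; !ok {
			missing = append(missing, name)
		}
	}
	sort.Strings(missing)
	return missing
}

func main() {
	anon := Request{Mutation: "restoreTenant", Authenticated: false}
	fmt.Println("mutations lacking middleware:", auditMissingMiddleware(adminMutations, mwConfig))
	fmt.Println("fail-open dispatch:  ", dispatchFailOpen(mwConfig, anon))   // <nil>: runs unauthenticated
	fmt.Println("fail-closed dispatch:", dispatchFailClosed(mwConfig, anon)) // refused
}
```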
## OSV (2026-04-02)
CVE-2026-34976 [CRITICAL] Dgraph: Pre-Auth Database Overwrite + SSRF + File Read via restoreTenant Missing Authorization
No detection rules found.
No public exploits indexed.
blogs_wiz·CVSS 6.5
CVE-2026-32761 [MEDIUM] CVE-2026-32761 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32761 :
Wolfi vulnerability analysis and mitigation
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Versions 2.61.0 and below contain a permission enforcement bypass which allows users who are denied download privileges (perm.download = false) but granted share privileges (perm.share = true) to exfiltrate file content by creating public share links. While the direct raw download endpoint (/api/raw/) correctly enforces the download permission, the share creation endpoint only checks Perm.Share, and the public download handler (/api/public/dl/) serves file content without verifying that the original file owner has download permission. This means any authenticated user with share access can
Wiz
CVE-2026-2913 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.0
CVE-2026-2913 [LOW] CVE-2026-2913 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2913 :
Wolfi vulnerability analysis and mitigation
A vulnerability was determined in libvips up to 8.19.0. The affected element is the function vips_source_read_to_memory of the file libvips/iofuncs/source.c. This manipulation causes heap-based buffer overflow. It is possible to launch the attack on the local host. The attack's complexity is rated as high. The exploitability is described as difficult. The exploit has been publicly disclosed and may be utilized. Patch name: a56feecbe9ed66521d9647ec9fbcd2546eccd7ee. Applying a patch is the recommended action to fix this issue. The confirmation of the bugfix mentions: "[T]he impact of this is negligible, since this only affects custom seekable sources larger than 4 GiB (and the crash occurs in user code rather than libvips itsel
Wiz
CVE-2025-66626 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2025-66626 [HIGH] CVE-2025-66626 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-66626 :
Wolfi vulnerability analysis and mitigation
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Versions 3.6.13 and below and versions 3.7.0 through 3.7.4 contain unsafe untar code that handles symbolic links in archives. Concretely, the computation of a link's target and the subsequent check are flawed. An attacker can overwrite the file /var/run/argo/argoexec with a script of their choice, which would be executed at the pod's start. The patch deployed against CVE-2025-62156 is ineffective against malicious archives containing symbolic links. This issue is fixed in versions 3.6.14 and 3.7.5.
Source : NVD
## 7.5
Score
Published December 9, 2025
Severity HIGH
CNA Score 8.1
Affected Technologies
Wol
Wiz
CVE-2025-8860 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 3.3
CVE-2025-8860 [LOW] CVE-2025-8860 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-8860 :
Wolfi vulnerability analysis and mitigation
uefi_vars_write
uefi_vars_read
Source : NVD
## 3.3
Score
Published February 18, 2026
Severity LOW
CNA Score 3.3
Affected Technologies
Wolfi
Chainguard
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
qemu-img
qemu-kvm
Sources
NVD
Chainguard No Fix Added at: Feb 19, 2026
Debian 11, 12 No Fix Added at: Aug 13, 2025
Debian 13 Severity MEDIUM Has Fix Added at: Aug 13, 2025
Debian 14 Severity LOW Has Fix Added at: Aug 13, 2025
Red Hat 10 Severity LOW No Fix Added at: Aug 12, 2025
Windows Severity LOW Has Fix Added at: Feb 19, 2026
Wolfi No Fix
Wiz
CVE-2026-33022 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-33022 [MEDIUM] CVE-2026-33022 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33022 :
Wolfi vulnerability analysis and mitigation
Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Versions 0.60.0 through 1.0.0, 1.1.0 through 1.3.2, 1.4.0 through 1.6.0, 1.7.0 through 1.9.0, 1.10.0, and 1.10.1 have a denial-of-service vulnerability that allows any user who can create a TaskRun or PipelineRun to crash the controller cluster-wide by setting .spec.taskRef.resolver (or .spec.pipelineRef.resolver) to a string of 31+ characters. The crash occurs because GenerateDeterministicNameFromSpec produces a name exceeding the 63-character DNS-1123 label limit, and its truncation logic panics on a [-1] slice bound since the generated name contains no spaces. Once crashed, the controller enters a CrashLoopBackOff on restart (as
Wiz
CVE-2026-34513 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.7
CVE-2026-34513 [LOW] CVE-2026-34513 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34513 :
Wolfi vulnerability analysis and mitigation
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, an unbounded DNS cache could result in excessive memory usage possibly resulting in a DoS situation. This issue has been patched in version 3.13.4.
Source : NVD
## 2.7
Score
Published April 1, 2026
Severity LOW
CNA Score 2.7
Affected Technologies
Wolfi
Chainguard
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.4
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
metaflow-service-fips
python-aiohttp
Sources
NVD
Chainguard Has Fix Added at: Apr 02, 2026
Debian 11, 12, 13, 14 No Fix Added at: A
Wiz
CVE-2026-21435 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-21435 [MEDIUM] CVE-2026-21435 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21435 :
Wolfi vulnerability analysis and mitigation
webtransport-go is an implementation of the WebTransport protocol. Prior to v0.10.0, an attacker can cause a denial of service in webtransport-go by preventing or indefinitely delaying WebTransport session closure. A malicious peer can withhold QUIC flow control credit on the CONNECT stream, blocking transmission of the WT_CLOSE_SESSION capsule and causing the close operation to hang. This vulnerability is fixed in v0.10.0.
Source : NVD
## 7.5
Score
Published February 12, 2026
Severity HIGH
CNA Score 5.3
Affected Technologies
Wolfi
Chainguard
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.2
Exploitation Probability (E
Wiz
CVE-2026-25145 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.5
CVE-2026-25145 [MEDIUM] CVE-2026-25145 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25145 :
Wolfi vulnerability analysis and mitigation
melange allows users to build apk packages using declarative pipelines. From version 0.14.0 to before 0.40.3, an attacker who can influence a melange configuration file (e.g., through pull request-driven CI or build-as-a-service scenarios) could read arbitrary files from the host system. The LicensingInfos function in pkg/config/config.go reads license files specified in copyright[].license-path without validating that paths remain within the workspace directory, allowing path traversal via ../ sequences. The contents of the traversed file are embedded into the generated SBOM as license text, enabling exfiltration of sensitive data through build artifacts. This issue has been patched in version 0.40.3.
Source : NVD
## 5.5
Wiz
CVE-2025-66960 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2025-66960 [HIGH] CVE-2025-66960 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-66960 :
Wolfi vulnerability analysis and mitigation
An issue in ollama v.0.12.10 allows a remote attacker to cause a denial of service via fs/ggml/gguf.go, whose function readGGUFV1String reads a string length from untrusted GGUF metadata.
Source : NVD
## 7.5
Score
Published January 21, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
Wolfi
Chainguard
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 52.8
Exploitation Probability (EPSS) 0.3
Affected packages and libraries
cpe:2.3:a:ollama:ollama
ollama
Sources
Chainguard No Fix Added at: Feb 02, 2026
Homebrew Severity HIGH No Fix Added at: Feb 04, 2026
MinimOS Severity HIGH Has Fix Added at: Feb 04, 2026
Linux S
Wiz
CVE-2025-69225 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.7
CVE-2025-69225 [LOW] CVE-2025-69225 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69225 :
Wolfi vulnerability analysis and mitigation
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below contain parser logic which allows non-ASCII decimals to be present in the Range header. There is no known impact, but there is the possibility that there's a method to exploit a request smuggling vulnerability. This issue is fixed in version 3.13.3.
Source : NVD
## 2.7
Score
Published January 6, 2026
Severity LOW
CNA Score 2.7
Affected Technologies
Wolfi
Chainguard
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
python-aiohttp
authentik
Sour
Wiz
CVE-2025-67819 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.9
CVE-2025-67819 [MEDIUM] CVE-2025-67819 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67819 :
Wolfi vulnerability analysis and mitigation
An issue was discovered in Weaviate OSS before 1.33.4. Due to a lack of validation of the fileName field in the transfer logic, an attacker who can call the GetFile method while a shard is in the "Pause file activity" state and the FileReplicationService is reachable can read arbitrary files accessible to the service process.
Source : NVD
## 4.9
Score
Published December 12, 2025
Severity MEDIUM
CNA Score 4.9
Affected Technologies
Wolfi
Chainguard
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 25.5
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
cpe:2.3:a:weaviate:weaviate
weaviate
Sources
Chaing
Wiz
CVE-2025-44005 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 10.0
CVE-2025-44005 [CRITICAL] CVE-2025-44005 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-44005 :
Wolfi vulnerability analysis and mitigation
An attacker can bypass authorization checks and force a Step CA ACME or SCEP provisioner to create certificates without completing certain protocol authorization checks.
Source : NVD
## 10
Score
Published December 17, 2025
Severity CRITICAL
CNA Score 10.0
Affected Technologies
Wolfi
Chainguard
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 6.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
step-certificates
github.com/smallstep/certificates
Sources
NVD
Alpine 3.22, 3.23, edge Severity CRITICAL Has Fix Added at: Dec 07, 2025
Chainguard Has Fix Added at: Dec 07, 2025
Debian 7, 8, 9, 10, 11, 1
Wiz
CVE-2026-23849 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-23849 [MEDIUM] CVE-2026-23849 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23849 :
Wolfi vulnerability analysis and mitigation
File Browser provides a file managing interface within a specified directory and can be used to upload, delete, preview, rename, and edit files. Prior to version 2.55.0, the JSONAuth.Auth function contains a logic flaw that allows unauthenticated attackers to enumerate valid usernames by measuring the response time of the /api/login endpoint. The vulnerability exists due to a "short-circuit" evaluation in the authentication logic. When a username is not found in the database, the function returns immediately. However, if the username does exist, the code proceeds to verify the password using bcrypt (users.CheckPwd), which is a computationally expensive operation designed to be slow. This difference in execution path creates
Wiz
CVE-2026-26994 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-26994 [MEDIUM] CVE-2026-26994 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-26994 :
Wolfi vulnerability analysis and mitigation
uTLS is a fork of crypto/tls, created to customize ClientHello for fingerprinting resistance while still using it for the handshake. In versions 1.6.7 and below, uTLS did not implement the TLS 1.3 downgrade protection mechanism specified in RFC 8446 Section 4.1.3 when using a uTLS ClientHello spec. This allowed an active network adversary to downgrade TLS 1.3 connections initiated by a uTLS client to a lower TLS version (e.g., TLS 1.2) by modifying the ClientHello message to exclude the SupportedVersions extension, causing the server to respond with a TLS 1.2 ServerHello (along with a downgrade canary in the ServerHello random field). Because uTLS did not check the downgrade canary in the ServerHello random field, clients wo
Wiz
CVE-2026-4427 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-4427 [HIGH] CVE-2026-4427 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-4427 :
Wolfi vulnerability analysis and mitigation
Rejected reason: Duplicate of CVE-2026-32286
Source : NVD
## 7.5
Score
Published March 19, 2026
Severity HIGH
CNA Score N/A
Affected Technologies
Wolfi
Chainguard
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
golang-github-jackc-pgproto3
bento
Sources
NVD
Chainguard Has Fix Added at: Mar 29, 2026
Debian 12, 13 Severity HIGH No Fix Added at: Mar 20, 2026
Debian 14 Severity HIGH Has Fix Added at: Mar 20, 2026
Echo Severity HIGH No Fix Added at: Mar 20, 2026
GoLang Severity HIGH No Fix Added at: Mar 20, 2026
MinimOS Severity HIGH Has Fix Add
Wiz
CVE-2025-67818 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.2
CVE-2025-67818 [HIGH] CVE-2025-67818 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67818 :
Wolfi vulnerability analysis and mitigation
An issue was discovered in Weaviate OSS before 1.33.4. An attacker with access to insert data into the database can craft an entry name with an absolute path (e.g., /etc/...) or use parent directory traversal (../../..) to escape the restore root when a backup is restored, potentially creating or overwriting files in arbitrary locations within the application's privilege scope.
Source : NVD
## 7.2
Score
Published December 12, 2025
Severity HIGH
CNA Score 7.2
Affected Technologies
Wolfi
Chainguard
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 54.8
Exploitation Probability (EPSS) 0.3
Affected packages and libraries
git
Wiz
CVE-2026-21438 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-21438 [MEDIUM] CVE-2026-21438 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21438 :
Wolfi vulnerability analysis and mitigation
webtransport-go is an implementation of the WebTransport protocol. Prior to 0.10.0, an attacker can cause unbounded memory consumption by repeatedly creating and closing many WebTransport streams. Closed streams were not removed from an internal session map, preventing garbage collection of their resources. This vulnerability is fixed in v0.10.0.
Source : NVD
## 5.3
Score
Published February 12, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
Wolfi
Chainguard
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
ipfs-cluster-fips
k3s-1.33
Sources
N
Wiz
CVE-2026-33504 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.2
CVE-2026-33504 [HIGH] CVE-2026-33504 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33504 :
Wolfi vulnerability analysis and mitigation
secrets.pagination
secrets.system
secrets.pagination
secrets.pagination
secrets.system
secrets.pagination
Source : NVD
## 7.2
Score
Published March 26, 2026
Severity HIGH
CNA Score 7.2
Affected Technologies
Wolfi
Chainguard
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11
Exploitation Probability (EPSS) N/A
Affected packages and libraries
github.com/ory/hydra/v2
hydra-fips
Sources
NVD
Chainguard Has Fix Added at: Mar 29, 2026
GoLang Severity HIGH Has Fix Added at: Mar 21, 2026
Wolfi Has Fix Added at: Mar 29, 2026
Wiz
CVE-2026-3282 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 1.9
CVE-2026-3282 [LOW] CVE-2026-3282 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3282 :
Wolfi vulnerability analysis and mitigation
A flaw has been found in libvips 8.19.0. This vulnerability affects the function vips_unpremultiply_build of the file libvips/conversion/unpremultiply.c. Executing a manipulation of the argument alpha_band can lead to out-of-bounds read. The attack needs to be launched locally. The exploit has been published and may be used. This patch is called 7215ead1e0cd7d3703cc4f5fca06d7d0f4c22b91. A patch should be applied to remediate this issue.
Source : NVD
## 1.9
Score
Published February 27, 2026
Severity LOW
CNA Score 1.9
Affected Technologies
Wolfi
Chainguard
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.7
Exploitation Pr
Wiz
CVE-2026-32760 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 10.0
CVE-2026-32760 [CRITICAL] CVE-2026-32760 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32760 :
Wolfi vulnerability analysis and mitigation
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. In versions 2.61.2 and below, any unauthenticated visitor can register a full administrator account when self-registration (signup = true) is enabled and the default user permissions have perm.admin = true. The signup handler blindly applies all default settings (including Perm.Admin) to the new user without any server-side guard that strips admin from self-registered accounts. The signupHandler is supposed to create unprivileged accounts for new visitors. It contains no explicit user.Perm.Admin = false reset after applying defaults. If an administrator (intentionally or accidentally) confi
Wiz
CVE-2026-30933 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-30933 [HIGH] CVE-2026-30933 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-30933 :
Wolfi vulnerability analysis and mitigation
FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-beta and 1.2.2-stable, the remediation for CVE-2026-27611 is incomplete. Password protected shares still disclose tokenized downloadURL via /public/api/share/info. This vulnerability is fixed in 1.3.1-beta and 1.2.2-stable.
Source : NVD
## 7.5
Score
Published March 10, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
Wolfi
Chainguard
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 21.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
github.com/gtsteffaniak/filebrowser/backend
filebrowser
Sources
NVD
Chaingu
Wiz
CVE-2026-25518 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.9
CVE-2026-25518 [MEDIUM] CVE-2026-25518 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25518 :
Wolfi vulnerability analysis and mitigation
cert-manager adds certificates and certificate issuers as resource types in Kubernetes clusters, and simplifies the process of obtaining, renewing and using those certificates. In versions from 1.18.0 to before 1.18.5 and from 1.19.0 to before 1.19.3, the cert-manager-controller performs DNS lookups during ACME DNS-01 processing (for zone discovery and propagation self-checks). By default, these lookups use standard unencrypted DNS. An attacker who can intercept and modify DNS traffic from the cert-manager-controller pod can insert a crafted entry into cert-manager's DNS cache. Accessing this entry will trigger a panic, resulting in denial-of-service (DoS) of the cert-manager controller. The issue can also be exploited if th
Wiz
CVE-2026-28492 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-28492 [HIGH] CVE-2026-28492 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28492 :
Wolfi vulnerability analysis and mitigation
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.61.0, when a user creates a public share link for a directory, the withHashFile middleware in http/public.go uses filepath.Dir(link.Path) to compute the BasePathFs root. This sets the filesystem root to the parent directory instead of the shared directory itself, allowing anyone with the share link to browse and download files from all sibling directories. This issue has been patched in version 2.61.0.
Source : NVD
## 7.1
Score
Published March 5, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
Wolfi
Chainguard
Has Public Exploit Yes
Has CISA
Wiz
CVE-2026-34520 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.7
CVE-2026-34520 [LOW] CVE-2026-34520 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34520 :
Wolfi vulnerability analysis and mitigation
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, the C parser (the default for most installs) accepted null bytes and control characters in response headers. This issue has been patched in version 3.13.4.
Source : NVD
## 2.7
Score
Published April 1, 2026
Severity LOW
CNA Score 2.7
Affected Technologies
Wolfi
Chainguard
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 17.3
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
checkov
datahub-ingestion-fips
Sources
NVD
Chainguard Has Fix Added at: Apr 02, 2026
Debian 11, 12, 13, 14 Severity CRITICA
Wiz
CVE-2026-33729 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.8
CVE-2026-33729 [MEDIUM] CVE-2026-33729 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33729 :
Wolfi vulnerability analysis and mitigation
OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. In versions prior to 1.13.1, under specific conditions, models using conditions with caching enabled can result in two different check requests producing the same cache key. This can result in OpenFGA reusing an earlier cached result for a different request. Users are affected if the model has relations which rely on condition evaluation and caching is enabled. OpenFGA v1.13.1 contains a patch.
Source : NVD
## 5.8
Score
Published March 27, 2026
Severity MEDIUM
CNA Score 5.8
Affected Technologies
Wolfi
Chainguard
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
Wiz
CVE-2026-25143 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.8
CVE-2026-25143 [HIGH] CVE-2026-25143 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25143 :
Wolfi vulnerability analysis and mitigation
melange allows users to build apk packages using declarative pipelines. From version 0.10.0 to before 0.40.3, an attacker who can influence inputs to the patch pipeline could execute arbitrary shell commands on the build host. The patch pipeline in pkg/build/pipelines/patch.yaml embeds input-derived values (series paths, patch filenames, and numeric parameters) into shell scripts without proper quoting or validation, allowing shell metacharacters to break out of their intended context. The vulnerability affects the built-in patch pipeline which can be invoked through melange build and melange license-check operations. An attacker who can control patch-related inputs (e.g., through pull request-driven CI, build-as-a-service,
Wiz
CVE-2026-4437 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 10.0
CVE-2026-4437 [CRITICAL] CVE-2026-4437 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-4437 :
Wolfi vulnerability analysis and mitigation
Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C Library version 2.34 to version 2.43 could, with a crafted response from the configured DNS server, result in a violation of the DNS specification that causes the application to treat a non-answer section of the DNS response as a valid answer.
Source : NVD
## 7.5
Score
Published March 20, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
Wolfi
Chainguard
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.4
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
glibc-langpack-f
Wiz
CVE-2025-14986 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 1.3
CVE-2025-14986 [LOW] CVE-2025-14986 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14986 :
Wolfi vulnerability analysis and mitigation
When frontend.enableExecuteMultiOperation is enabled, the server can apply namespace-scoped validation and feature gates for the embedded StartWorkflowExecutionRequest using its Namespace field rather than the outer, authorized ExecuteMultiOperationRequest.Namespace. This allows a caller authorized for one namespace to bypass that namespace's limits/policies by setting the embedded start request's namespace to a different namespace. The workflow is still created in the outer (authorized) namespace; only validation/gating is performed under the wrong namespace context.
This issue affects Temporal: from 1.24.0 through 1.29.1. Fixed in 1.27.4, 1.28.2, 1.29.2.
Source : NVD
## 1.3
Score
Published December 30, 2025
Severity
Wiz
CVE-2026-32758 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-32758 [MEDIUM] CVE-2026-32758 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32758 :
Wolfi vulnerability analysis and mitigation
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Versions 2.61.2 and below are vulnerable to Path Traversal through the resourcePatchHandler (http/resource.go). The destination path in resourcePatchHandler is validated against access rules before being cleaned/normalized, while the actual file operation calls path.Clean() afterward—resolving .. sequences into a different effective path. This allows an authenticated user with Create or Rename permissions to bypass administrator-configured deny rules (both prefix-based and regex-based) by injecting .. sequences in the destination parameter of a PATCH request. As a result, the user can write
Wiz
CVE-2026-3283 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 1.9
CVE-2026-3283 [LOW] CVE-2026-3283 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3283 :
Wolfi vulnerability analysis and mitigation
A vulnerability has been found in libvips 8.19.0. This issue affects the function vips_extract_band_build of the file libvips/conversion/extract.c. The manipulation of the argument extract_band leads to out-of-bounds read. The attack needs to be performed locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is 24795bb3d19d84f7b6f5ed86451ad556c8f2fe70. To fix this issue, it is recommended to deploy a patch.
Source : NVD
## 1.9
Score
Published February 27, 2026
Severity LOW
CNA Score 1.9
Affected Technologies
Wolfi
Chainguard
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.7
Wiz
CVE-2026-33252 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-33252 [HIGH] CVE-2026-33252 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33252 :
Wolfi vulnerability analysis and mitigation
POST
Origin
Content-Type: application/json
Source : NVD
## 7.1
Score
Published March 24, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
Wolfi
Chainguard
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
jaeger-2-fips
datadog-agent-7.76
Sources
NVD
Chainguard Has Fix Added at: Mar 20, 2026
GoLang Severity HIGH Has Fix Added at: Mar 20, 2026
MinimOS Severity HIGH Has Fix Added at: Mar 22, 2026
Wolfi Has Fix Added at: Mar 20, 2026
Wiz
CVE-2026-30836 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-30836: Wolfi vulnerability analysis and mitigation
Step CA is an online certificate authority for secure, automated certificate management for DevOps. Versions 0.30.0-rc6 and below do not safeguard against unauthenticated certificate issuance through the SCEP UpdateReq. This issue has been fixed in version 0.30.0.
Source: NVD

| Field | Value |
|---|---|
| Score | 10 |
| Published | March 19, 2026 |
| Severity | CRITICAL |
| CNA Score | 10.0 |
| Affected Technologies | Wolfi, Chainguard |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 0.9 |
| Exploitation Probability (EPSS) | N/A |
| Affected packages and libraries | github.com/smallstep/certificates, frankenphp-8.3 |

Sources:
- NVD
- Alpine 3.23, edge: severity CRITICAL, has fix
CVE-2025-69223 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69223: Wolfi vulnerability analysis and mitigation
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. An attacker may be able to send a compressed request that when decompressed by AIOHTTP could exhaust the host's memory. This issue is fixed in version 3.13.3.
Source: NVD

| Field | Value |
|---|---|
| Score | 7.5 |
| Published | January 5, 2026 |
| Severity | HIGH |
| CNA Score | 7.5 |
| Affected Technologies | Wolfi, Chainguard |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 19.6 |
| Exploitation Probability (EPSS) | 0.1 |
| Affected packages and libraries | python-aiohttp, checkov |

Sources:
- NVD
- Alpine 3.
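The zip-bomb class above comes down to one missing bound: the server has to cap the inflated size of the body, not the wire size, because a few kilobytes of gzip can expand to hundreds of megabytes. The following is an added example in Python, not aiohttp's parser; `MAX_INFLATED`, `bounded_inflate`, `make_bomb` and `inflate_or_reject` are names chosen here and the 1 MiB budget is an assumed value. In a framework that inflates the body before the handler runs, the cap has to live in the framework's parser, which is why the fix is in aiohttp itself and a handler-level check is no substitute for upgrading.

```python
"""Bounded decompression of a compressed HTTP request body.

Added example; this is not aiohttp's code. The cap is on the *inflated*
size: checking Content-Length alone proves nothing about a gzip body.
"""
import gzip
import zlib

MAX_INFLATED = 1 * 1024 * 1024  # assumed per-request budget for the inflated body


class DecompressionBombError(ValueError):
    """Raised as soon as the inflated output would exceed the budget."""


def bounded_inflate(body: bytes, limit: int = MAX_INFLATED) -> bytes:
    """Inflate a gzip- or zlib-framed body, stopping at `limit` bytes of output.

    wbits=47 (32 + 15) lets zlib auto-detect gzip or zlib framing.
    decompress(..., max_length=n) returns at most n bytes and parks the
    unread input in unconsumed_tail, so memory never exceeds limit + 1
    bytes of output no matter what the stream would expand to.
    """
    inflater = zlib.decompressobj(wbits=47)
    out = bytearray()
    pending = body
    while True:
        # One byte beyond the remaining budget is enough to prove overflow.
        room = limit - len(out) + 1
        out += inflater.decompress(pending, max_length=room)
        if len(out) > limit:
            raise DecompressionBombError(
                f"inflated body exceeds {limit} bytes (wire size {len(body)})"
            )
        pending = inflater.unconsumed_tail
        if not pending:
            break
    out += inflater.flush()
    if len(out) > limit:
        raise DecompressionBombError(f"inflated body exceeds {limit} bytes")
    return bytes(out)


def make_bomb(inflated_size: int) -> bytes:
    """Constructed test input: a gzip stream of zero bytes. Deflate squeezes
    long runs of one byte about 1000:1, so this is tiny on the wire."""
    return gzip.compress(b"\x00" * inflated_size)


def inflate_or_reject(body: bytes, limit: int = MAX_INFLATED) -> tuple[bool, int]:
    """Return (accepted, size): the inflated length on success, or the wire
    length that was rejected. A server maps False to HTTP 413."""
    try:
        return True, len(bounded_inflate(body, limit))
    except DecompressionBombError:
        return False, len(body)
```

`make_bomb(8 * 1024 * 1024)` is under 64 KB on the wire; `inflate_or_reject` rejects it against the 1 MiB budget after producing at most 1 MiB + 1 bytes, and accepts it against a 9 MiB budget.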
CVE-2026-34515 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34515: Wolfi vulnerability analysis and mitigation
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, on Windows the static resource handler may expose information about a NTLMv2 remote path. This issue has been patched in version 3.13.4.
Source: NVD

| Field | Value |
|---|---|
| Score | 6.6 |
| Published | April 1, 2026 |
| Severity | MEDIUM |
| CNA Score | 6.6 |
| Affected Technologies | Wolfi, Chainguard |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 22.6 |
| Exploitation Probability (EPSS) | 0.1 |
| Affected packages and libraries | datahub-ingestion-fips, keep |

Sources:
- NVD
- Chainguard: has fix, added Apr 02, 2026
- pip: severity MEDIUM, has fix, added Apr 02, 2026
- Wolfi
CVE-2025-69227 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69227: Wolfi vulnerability analysis and mitigation
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow for an infinite loop to occur when assert statements are bypassed, resulting in a DoS attack when processing a POST body. If optimizations are enabled (-O or PYTHONOPTIMIZE=1), and the application includes a handler that uses the Request.post() method, then an attacker may be able to execute a DoS attack with a specially crafted message. This issue is fixed in version 3.13.3.
Source: NVD

| Field | Value |
|---|---|
| Score | 6.6 |
| Published | January 6, 2026 |
| Severity | MEDIUM |
| CNA Score | 6.6 |
| Affected Technologies | Wolfi, Chainguard |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
CVE-2026-23990 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23990: Wolfi vulnerability analysis and mitigation
Description fragments: `email`, `groups`, `username`, `groups`.
Source: NVD

| Field | Value |
|---|---|
| Score | 5.3 |
| Published | January 21, 2026 |
| Severity | MEDIUM |
| CNA Score | 5.3 |
| Affected Technologies | Wolfi, Chainguard |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 22.3 |
| Exploitation Probability (EPSS) | 0.1 |
| Affected packages and libraries | flux-operator-fips, github.com/controlplaneio-fluxcd/flux-operator |

Sources:
- NVD
- Chainguard: has fix, added Jan 28, 2026
- GoLang: severity MEDIUM, has fix, added Jan 22, 2026
- Wolfi: has fix, added Jan 28, 2026
CVE-2026-22815 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22815: Wolfi vulnerability analysis and mitigation
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, insufficient restrictions in header/trailer handling could cause uncapped memory usage. This issue has been patched in version 3.13.4.
Source: NVD

| Field | Value |
|---|---|
| Score | 6.9 |
| Published | April 1, 2026 |
| Severity | MEDIUM |
| CNA Score | 6.9 |
| Affected Technologies | Wolfi, Chainguard |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 16.3 |
| Exploitation Probability (EPSS) | 0.1 |
| Affected packages and libraries | python-aiohttp, checkov |

Sources:
- NVD
- Chainguard: has fix, added Apr 02, 2026
- Debian 11, 12, 13, 14: severity HIGH, no fix, added Apr 05
CVE-2026-27896 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27896: Wolfi vulnerability analysis and mitigation
The Go MCP SDK used Go's standard encoding/json.Unmarshal for JSON-RPC and MCP protocol message parsing in versions prior to 1.3.1. Go's standard library performs case-insensitive matching of JSON keys to struct field tags: a field tagged json:"method" would also match "Method", "METHOD", etc. This violated the JSON-RPC 2.0 specification, which defines exact field names. A malicious MCP peer may have been able to send protocol messages with non-standard field casing that the SDK would silently accept. This had the potential for bypassing intermediary inspection and cross-implementation inconsistency. Go's standard JSON unmarshaling was replaced with a case-sensitive decoder in commit 7b8d81c. Users are advised to update to v
CVE-2025-69229 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69229: Wolfi vulnerability analysis and mitigation
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks. If an application makes use of the request.read() method in an endpoint, it may be possible for an attacker to cause the server to spend a moderate amount of blocking CPU time (e.g. 1 second) while processing the request. This could potentially lead to DoS as the server would be unable to handle other requests during that time. This issue is fixed in version 3.13.3.
Source: NVD

| Field | Value |
|---|---|
| Score | 6.6 |
| Published | January 6, 2026 |
| Severity | MEDIUM |
| CNA Score | 6.6 |
| Affected Technologies | Wolfi, Chainguard |
CVE-2026-34517 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34517: Wolfi vulnerability analysis and mitigation
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, for some multipart form fields, aiohttp read the entire field into memory before checking client_max_size. This issue has been patched in version 3.13.4.
Source: NVD

| Field | Value |
|---|---|
| Score | 2.7 |
| Published | April 1, 2026 |
| Severity | LOW |
| CNA Score | 2.7 |
| Affected Technologies | Wolfi, Chainguard |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 16.4 |
| Exploitation Probability (EPSS) | 0.1 |
| Affected packages and libraries | datahub-ingestion-fips, keep |

Sources:
- NVD
- Chainguard: has fix, added Apr 02, 2026
- Debian 11, 12, 13, 14: no fix
CVE-2026-3147 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3147: Wolfi vulnerability analysis and mitigation
A vulnerability was found in libvips up to 8.18.0. This affects the function vips_foreign_load_csv_build of the file libvips/foreign/csvload.c. The manipulation results in heap-based buffer overflow. The attack requires a local approach. The exploit has been made public and could be used. The patch is identified as b3ab458a25e0e261cbd1788474bbc763f7435780. It is advisable to implement a patch to correct this issue.
Source: NVD

| Field | Value |
|---|---|
| Score | 4.8 |
| Published | February 25, 2026 |
| Severity | MEDIUM |
| CNA Score | 4.8 |
| Affected Technologies | Wolfi, Chainguard |
| Has Public Exploit | Yes |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 6 |
| Exploitation Probability (EPSS) | N/A |
CVE-2026-34545 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34545: Wolfi vulnerability analysis and mitigation
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From version 3.4.0 to before version 3.4.7, an attacker providing a crafted .exr file with HTJ2K compression and a channel width of 32768 can write controlled data beyond the output heap buffer in any application that decodes EXR images. The write primitive is 2 bytes per overflow iteration or 4 bytes (by another path), repeating for each additional pixel past the overflow point. In this context, a heap write overflow can lead to remote code execution on systems. This issue has been patched in version 3.4.7.
Source: NVD

| Field | Value |
|---|---|
| Score | 8.4 |
| Published | April 1, 2026 |
| Severity | HIGH |
CVE-2026-34518 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34518: Wolfi vulnerability analysis and mitigation
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, when following redirects to a different origin, aiohttp drops the Authorization header, but retains the Cookie and Proxy-Authorization headers. This issue has been patched in version 3.13.4.
Source: NVD

| Field | Value |
|---|---|
| Score | 2.7 |
| Published | April 1, 2026 |
| Severity | LOW |
| CNA Score | 2.7 |
| Affected Technologies | Wolfi, Chainguard |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 16.4 |
| Exploitation Probability (EPSS) | 0.1 |
| Affected packages and libraries | metaflow-service-fips, python-aiohttp |

Sources:
- NVD
- Chainguard: has fix, added Apr 02
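The redirect case above is a policy question with two parts: which request headers carry a credential, and what counts as a change of origin. The following is an added example in Python, not aiohttp's client code; `CREDENTIAL_HEADERS`, `origin`, `crosses_origin` and the two `redirect_headers` functions are names chosen here, and the rule that any change of scheme, host or port is a new origin (so an https-to-http hop on the same host also strips credentials) is an assumption of the example.

```python
"""Which credential headers survive a redirect.

Added example; not aiohttp's client code. Policy assumed here: once the
redirect target's origin (scheme, host, port) differs from the request's,
Authorization, Proxy-Authorization and Cookie are all dropped together.
"""
from urllib.parse import urlsplit

CREDENTIAL_HEADERS = {"authorization", "proxy-authorization", "cookie"}


def origin(url: str) -> tuple[str, str, int]:
    """(scheme, host, port) with the default port filled in and case folded."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    port = u.port if u.port is not None else (443 if scheme == "https" else 80)
    return scheme, (u.hostname or "").lower(), port


def crosses_origin(from_url: str, to_url: str) -> bool:
    return origin(from_url) != origin(to_url)


def redirect_headers_vulnerable(from_url: str, to_url: str, headers: dict) -> dict:
    """The pre-3.13.4 behaviour as the advisory describes it: only Authorization goes,
    so the session cookie and proxy credential follow the request to the new host."""
    if not crosses_origin(from_url, to_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() != "authorization"}


def redirect_headers(from_url: str, to_url: str, headers: dict) -> dict:
    """Drop every header that carries a credential once the origin changes."""
    if not crosses_origin(from_url, to_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in CREDENTIAL_HEADERS}
```

Header names are compared case-insensitively, and the comparison of origins is done on the parsed URL rather than on the raw string, so `https://API.example.com/` and `https://api.example.com:443/` are the same origin.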
CVE-2026-32286 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32286: Wolfi vulnerability analysis and mitigation
The DataRow.Decode function fails to properly validate field lengths. A malicious or compromised PostgreSQL server can send a DataRow message with a negative field length, causing a slice bounds out of range panic.
Source: NVD

| Field | Value |
|---|---|
| Score | 7.5 |
| Published | March 26, 2026 |
| Severity | HIGH |
| CNA Score | 7.5 |
| Affected Technologies | Wolfi, Chainguard |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 18.3 |
| Exploitation Probability (EPSS) | 0.1 |
| Affected packages and libraries | steampipe, osbuild-composer-core |

Sources:
- NVD
- Chainguard: has fix, added Apr 02, 2026
- Debian 12, 13: severity HIGH, no fix, added Mar 29, 2026
- Debian 14: severity HIGH
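The DataRow case above is the general rule that a length field chosen by the remote side is input, not metadata, and the server end of a database connection is a remote side. The following is an added example in Python, not pgx's or any driver's code; the layout follows the PostgreSQL protocol's DataRow message (Int16 column count, then per column an Int32 length where -1 means NULL, followed by that many bytes), and the function names and the crafted rows are constructed here. Python slicing does not panic on a negative length the way a Go slice expression does, so the naive decoder is shown desynchronising instead of crashing.

```python
"""Decoding a PostgreSQL DataRow body with server-chosen field lengths.

Added example; not pgx or any client's code. Body layout (after the 'D'
type byte and the outer Int32 length): Int16 column count, then for each
column an Int32 value length (-1 = NULL) and that many bytes.
"""
import struct


class ProtocolError(Exception):
    pass


def encode_datarow_body(values: list) -> bytes:
    """Constructed test helper: build a DataRow body (no 'D' byte, no outer length)."""
    out = struct.pack(">h", len(values))
    for v in values:
        out += struct.pack(">i", -1) if v is None else struct.pack(">i", len(v)) + v
    return out


def decode_datarow_naive(body: bytes) -> list:
    """Trusts every length. A negative length other than -1 moves the cursor
    backwards and silently drops or re-reads bytes instead of failing."""
    (ncols,) = struct.unpack_from(">h", body, 0)
    pos, cols = 2, []
    for _ in range(ncols):
        (flen,) = struct.unpack_from(">i", body, pos)
        pos += 4
        if flen == -1:
            cols.append(None)
            continue
        cols.append(body[pos:pos + flen])
        pos += flen
    return cols


def decode_datarow(body: bytes) -> list:
    """Checks every length against the bytes actually present before slicing."""
    if len(body) < 2:
        raise ProtocolError("DataRow shorter than its column count")
    (ncols,) = struct.unpack_from(">h", body, 0)
    if ncols < 0:
        raise ProtocolError(f"negative column count {ncols}")
    pos, cols = 2, []
    for i in range(ncols):
        if len(body) - pos < 4:
            raise ProtocolError(f"column {i}: missing length")
        (flen,) = struct.unpack_from(">i", body, pos)
        pos += 4
        if flen == -1:
            cols.append(None)
            continue
        if flen < 0:
            raise ProtocolError(f"column {i}: negative length {flen}")
        if flen > len(body) - pos:
            raise ProtocolError(f"column {i}: length {flen} exceeds remaining {len(body) - pos}")
        cols.append(body[pos:pos + flen])
        pos += flen
    if pos != len(body):
        raise ProtocolError(f"{len(body) - pos} trailing bytes after the last column")
    return cols


def decode_or_reject(body: bytes):
    """(True, columns) or (False, reason); a client should close the connection on False."""
    try:
        return True, decode_datarow(body)
    except ProtocolError as exc:
        return False, str(exc)


# Constructed inputs: one legal row and two hostile ones.
GOOD_ROW = encode_datarow_body([b"abc", None, b""])
NEGATIVE_LENGTH_ROW = struct.pack(">h", 1) + struct.pack(">i", -5) + b"abcdef"
OVERSIZED_LENGTH_ROW = struct.pack(">h", 1) + struct.pack(">i", 100) + b"abc"
```

The order of checks matters: the negative test must come before the slice, and the remaining-bytes test must use the position after the 4-byte length has been consumed.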
CVE-2025-69228 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69228: Wolfi vulnerability analysis and mitigation
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a request to be crafted in such a way that an AIOHTTP server's memory fills up uncontrollably during processing. If an application includes a handler that uses the Request.post() method, an attacker may be able to freeze the server by exhausting the memory. This issue is fixed in version 3.13.3.
Source: NVD

| Field | Value |
|---|---|
| Score | 6.6 |
| Published | January 6, 2026 |
| Severity | MEDIUM |
| CNA Score | 6.6 |
| Affected Technologies | Wolfi, Chainguard |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 19.6 |
| Exploitation Probability (EPSS) | 0.1 |
CVE-2026-25889 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25889: Wolfi vulnerability analysis and mitigation
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to 2.57.1, a case-sensitivity flaw in the password validation logic allows any authenticated user to change their password (or an admin to change any user's password) without providing the current password. By using Title Case field name "Password" instead of lowercase "password" in the API request, the current_password verification is completely bypassed. This enables account takeover if an attacker obtains a valid JWT token through XSS, session hijacking, or other means. This vulnerability is fixed in 2.57.1.
Source: NVD

| Field | Value |
|---|---|
| Score | 5.4 |
| Published | February 9, 2026 |
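CVE-2026-27896 above (`Method` accepted for `method`) and this File Browser entry (`Password` accepted for `password`) are the same bug class: a decoder that folds key case sitting behind a check that compares keys exactly, so the check and the decoder disagree about which field the request sets. The following is an added example in Python, not code from the Go MCP SDK or from File Browser; `lenient_get` emulates Go's encoding/json case-insensitive key matching, the password-change handler is a simplified model of the bug class rather than File Browser's handler, and the two key allow-lists are assumptions.

```python
"""Exact-key validation for JSON fields that carry a security decision.

Added example; not code from the Go MCP SDK or File Browser. Go's
encoding/json matches object keys to struct fields case-insensitively;
`lenient_get` emulates that so both failure modes can be reproduced and
then closed by `strict_object`.
"""
import json

JSONRPC_KEYS = {"jsonrpc", "id", "method", "params", "result", "error"}
PASSWORD_CHANGE_KEYS = {"password", "current_password"}   # assumed request schema


def lenient_get(obj: dict, key: str):
    """Emulates Go's encoding/json: exact match first, then case-insensitive."""
    if key in obj:
        return obj[key]
    for k, v in obj.items():
        if k.lower() == key.lower():
            return v
    return None


def strict_object(raw: bytes, allowed: set[str]) -> dict:
    """Parse `raw`, rejecting duplicate keys and any key not exactly in `allowed`.

    "Method" and "Password" are not in the allow-lists, so the case variants
    are refused instead of being silently folded onto the real field.
    """
    def no_duplicates(pairs):
        obj = {}
        for k, v in pairs:
            if k in obj:
                raise ValueError(f"duplicate key {k!r}")
            obj[k] = v
        return obj

    obj = json.loads(raw, object_pairs_hook=no_duplicates)
    if not isinstance(obj, dict):
        raise ValueError("expected a JSON object")
    unexpected = sorted(k for k in obj if k not in allowed)
    if unexpected:
        raise ValueError(f"unexpected keys: {unexpected}")
    return obj


# 1. Intermediary inspection of a JSON-RPC envelope (CVE-2026-27896 pattern)

def naive_inspector_allows(raw: bytes, blocked_methods: set[str]) -> bool:
    """A proxy or WAF that keys on the exact 'method' field; {"Method": ...} slips past."""
    return json.loads(raw).get("method") not in blocked_methods


def lenient_backend_method(raw: bytes):
    """What a peer built on Go's encoding/json would dispatch on."""
    return lenient_get(json.loads(raw), "method")


def strict_inspector_allows(raw: bytes, blocked_methods: set[str]) -> bool:
    try:
        msg = strict_object(raw, JSONRPC_KEYS)
    except ValueError:
        return False                # non-canonical envelope: drop it rather than guess
    return msg.get("method") not in blocked_methods


# 2. Password change gated on the exact key (CVE-2026-25889 pattern)

def change_password_vulnerable(raw: bytes, stored_current: str):
    body = json.loads(raw)
    if "password" in body:                          # the gate checks the exact key ...
        if body.get("current_password") != stored_current:
            return False, "current_password mismatch"
    new_pw = lenient_get(body, "password")          # ... but the decoder folds case
    return (True, new_pw) if new_pw else (False, "nothing to change")


def change_password_fixed(raw: bytes, stored_current: str):
    try:
        body = strict_object(raw, PASSWORD_CHANGE_KEYS)
    except ValueError as exc:
        return False, str(exc)
    if "password" not in body:
        return False, "nothing to change"
    if body.get("current_password") != stored_current:
        return False, "current_password mismatch"
    return True, body["password"]
```

The fix is not to make the check case-insensitive too (that only moves the disagreement elsewhere) but to refuse anything that is not the canonical key, which is what a case-sensitive decoder does for free.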
CVE-2026-25890 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25890: Wolfi vulnerability analysis and mitigation
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to 2.57.1, an authenticated user can bypass the application's "Disallow" file path rules by modifying the request URL. By adding multiple slashes (e.g., //private/) to the path, the authorization check fails to match the rule, while the underlying filesystem resolves the path correctly, granting unauthorized access to restricted files. This vulnerability is fixed in 2.57.1.
Source: NVD

| Field | Value |
|---|---|
| Score | 8.1 |
| Published | February 9, 2026 |
| Severity | HIGH |
| CNA Score | 8.1 |
| Affected Technologies | Wolfi, Chainguard |
| Has Public Exploit | Yes |
| Has CISA KEV Exploit | No |
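The `//private/` bypass above is a normalisation-order bug: the rule is matched against the raw URL path while the filesystem sees the collapsed one, so the two disagree about what is being opened. The following is an added example in Python, not File Browser's code; the deny rules, paths and function names are constructed, and it also covers two neighbouring bypasses the advisory does not mention (a percent-encoded slash, and requesting the protected directory itself without a trailing slash).

```python
"""Canonicalise a request path before matching it against deny rules.

Added example, not File Browser's code. Deny rules are path prefixes and
are only ever compared with the canonical form of the request path.
"""
import posixpath
from urllib.parse import unquote

DENY_PREFIXES = ["/private/", "/.git/"]   # constructed "Disallow" rules


def naive_is_denied(url_path: str) -> bool:
    """Rule check on the raw URL path: '//private/x' does not start with '/private/'."""
    return any(url_path.startswith(rule) for rule in DENY_PREFIXES)


def canonical_path(url_path: str) -> str:
    """Percent-decode, collapse repeated slashes, resolve '.' and '..', and pin
    the result under '/'.

    posixpath.normpath keeps exactly two leading slashes ('//a' stays '//a',
    which POSIX reserves an implementation-defined meaning for), so leading
    slashes are stripped before normalising. normpath('/..') is '/', so the
    result cannot climb above the root.
    """
    stripped = unquote(url_path).lstrip("/")
    return posixpath.normpath("/" + stripped) if stripped else "/"


def is_denied(url_path: str) -> bool:
    """Match rules against the canonical form, treating '/private' and
    '/private/...' alike so the directory itself is covered too."""
    canon = canonical_path(url_path)
    for rule in DENY_PREFIXES:
        base = rule.rstrip("/")
        if canon == base or canon.startswith(base + "/"):
            return True
    return False
```

The same canonical string must then be the one joined onto the served root; if the rule check and the file open each normalise on their own, the two can drift apart again.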
CVE-2026-22039 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22039: Wolfi vulnerability analysis and mitigation
Description fragment: `urlPath`.
Source: NVD

| Field | Value |
|---|---|
| Score | 9.9 |
| Published | January 27, 2026 |
| Severity | CRITICAL |
| CNA Score | 9.9 |
| Affected Technologies | Wolfi, Chainguard |
| Has Public Exploit | Yes |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 19.1 |
| Exploitation Probability (EPSS) | 0.1 |
| Affected packages and libraries | cpe:2.3:a:kyverno:kyverno, github.com/kyverno/kyverno |

Sources:
- Chainguard: has fix, added Jan 28, 2026
- GoLang: severity CRITICAL, has fix, added Jan 27, 2026
- Homebrew: severity CRITICAL, has fix, added Feb 04, 2026
- MinimOS: severity CRITICAL, has fix, added Jan 28, 2026
- Nix: severity CRITICAL, has fix, added Feb 04, 2026
- Linux: severity CRITICAL, has fix
CVE-2025-15514 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-15514: Wolfi vulnerability analysis and mitigation
Ollama 0.11.5-rc0 through current version 0.13.5 contain a null pointer dereference vulnerability in the multi-modal model image processing functionality. When processing base64-encoded image data via the /api/chat endpoint, the application fails to validate that the decoded data represents valid media before passing it to the mtmd_helper_bitmap_init_from_buf function. This function can return NULL for malformed input, but the code does not check this return value before dereferencing the pointer in subsequent operations. A remote attacker can exploit this by sending specially crafted base64 image data that decodes to invalid media, causing a segmentation fault and crashing the runner process. This results in a denial of ser
CVE-2026-34525 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34525: Wolfi vulnerability analysis and mitigation
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, multiple Host headers were allowed in aiohttp. This issue has been patched in version 3.13.4.
Source: NVD

| Field | Value |
|---|---|
| Score | 6.3 |
| Published | April 1, 2026 |
| Severity | MEDIUM |
| CNA Score | 6.3 |
| Affected Technologies | Wolfi, Chainguard |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 27.7 |
| Exploitation Probability (EPSS) | 0.1 |
| Affected packages and libraries | python-aiohttp, checkov |

Sources:
- NVD
- Chainguard: has fix, added Apr 02, 2026
- Debian 11, 12, 13, 14: no fix, added Apr 02, 2026
- Echo: has fix, added Apr 02, 2026
- pip
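The duplicate-Host case above and the uncapped header/trailer memory of CVE-2026-22815 are both settled in the same place: the loop that reads field lines, which needs a bound on the line, on the count, on the whole block, and a rule for Host. The following is an added example in Python, not aiohttp's parser; the three limits, `read_fields`, `parse_request_head` and `check_request` are chosen here, and the one protocol rule it relies on is RFC 9112's requirement that an HTTP/1.1 request carry exactly one Host field.

```python
"""A bounded HTTP/1.1 header-block reader.

Added example, not aiohttp's parser. Limits are assumed values. The reader
takes one CRLF-terminated line at a time, so no request can make it buffer
more than one over-long line or more than MAX_FIELDS fields, and the same
loop serves chunked-encoding trailers.
"""
import io
import re

MAX_FIELD_LINE = 8 * 1024   # bytes in one field line, assumed
MAX_FIELDS = 100            # field lines per block, assumed
MAX_BLOCK = 64 * 1024       # bytes in a whole header or trailer block, assumed

_TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")   # RFC 9110 token for field names


class BadRequest(Exception):
    pass


def _read_line(stream, limit: int = MAX_FIELD_LINE) -> bytes:
    """Read one CRLF-terminated line, taking at most limit+2 bytes from the stream."""
    raw = stream.readline(limit + 2)
    if not raw.endswith(b"\r\n"):
        raise BadRequest("field line too long or truncated")
    return raw[:-2]


def read_fields(stream) -> list[tuple[str, str]]:
    """Read field lines up to the empty line. Used for headers and for trailers."""
    fields, consumed = [], 0
    while True:
        line = _read_line(stream)
        consumed += len(line) + 2
        if consumed > MAX_BLOCK:
            raise BadRequest("header block too large")
        if line == b"":
            return fields
        if len(fields) >= MAX_FIELDS:
            raise BadRequest("too many header fields")
        if line[:1] in (b" ", b"\t"):
            raise BadRequest("obsolete line folding")
        name, sep, value = line.partition(b":")
        if not sep or not _TOKEN.fullmatch(name):
            raise BadRequest("malformed field line")
        fields.append((name.decode("ascii").lower(), value.strip(b" \t").decode("latin-1")))


def parse_request_head(raw: bytes) -> tuple[bytes, list[tuple[str, str]]]:
    stream = io.BytesIO(raw)
    request_line = _read_line(stream)
    fields = read_fields(stream)
    hosts = [v for n, v in fields if n == "host"]
    if request_line.endswith(b"HTTP/1.1") and len(hosts) != 1:
        # RFC 9112 s3.2: no Host, or more than one Host, is a 400 with no exceptions.
        raise BadRequest(f"HTTP/1.1 request must carry exactly one Host field, got {len(hosts)}")
    return request_line, fields


def check_request(raw: bytes):
    """(True, fields) or (False, reason); the reason is what the 400 response would say."""
    try:
        return True, parse_request_head(raw)[1]
    except BadRequest as exc:
        return False, str(exc)
```

Two Host fields are rejected outright rather than picking the first or the last: any choice a parser makes here can be the opposite of the choice made by a proxy in front of it, which is the root of Host-based request smuggling and routing confusion.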
CVE-2026-4438 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-4438: Wolfi vulnerability analysis and mitigation
Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification.
Source: NVD

| Field | Value |
|---|---|
| Score | 5.4 |
| Published | March 20, 2026 |
| Severity | MEDIUM |
| CNA Score | 5.4 |
| Affected Technologies | Wolfi, Chainguard |
| Has Public Exploit | Yes |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 8.5 |
| Exploitation Probability (EPSS) | N/A |
| Affected packages and libraries | glibc-langpack-ia, glibc-langpack-rif |

Sources:
- NVD
- Chainguard: has fix, added Mar 21, 2026
- Debian 11, 12, 13
CVE-2025-69226 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69226: Wolfi vulnerability analysis and mitigation
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below enable an attacker to ascertain the existence of absolute path components through the path normalization logic for static files meant to prevent path traversal. If an application uses web.static() (not recommended for production deployments), it may be possible for an attacker to ascertain the existence of path components. This issue is fixed in version 3.13.3.
Source: NVD

| Field | Value |
|---|---|
| Score | 6.3 |
| Published | January 5, 2026 |
| Severity | MEDIUM |
| CNA Score | 6.3 |
| Affected Technologies | Wolfi, Chainguard |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
CVE-2025-63389 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-63389: Wolfi vulnerability analysis and mitigation
A critical authentication bypass vulnerability exists in Ollama platform's API endpoints in versions prior to and including v0.12.3. The platform exposes multiple API endpoints without requiring authentication, enabling remote attackers to perform unauthorized model management operations.
Source: NVD

| Field | Value |
|---|---|
| Score | 9.8 |
| Published | December 18, 2025 |
| Severity | CRITICAL |
| CNA Score | 9.8 |
| Affected Technologies | Wolfi, Chainguard |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 39.7 |
| Exploitation Probability (EPSS) | 0.2 |
| Affected packages and libraries | ollama-fips, github.com/ollama/ollama |

Sources:
- Chainguard: has fix, added Dec 21, 2025
CVE-2026-35172 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35172: Wolfi vulnerability analysis and mitigation
Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, distribution can restore read access in repo a after an explicit delete when storage.cache.blobdescriptor: redis and storage.delete.enabled: true are both enabled. The delete path clears the shared digest descriptor but leaves stale repo-scoped membership behind, so a later Stat or Get from repo b repopulates the shared descriptor and makes the deleted blob readable from repo a again. This vulnerability is fixed in 3.1.0.
Source: NVD

| Field | Value |
|---|---|
| Score | 7.5 |
| Published | April 6, 2026 |
| Severity | HIGH |
| CNA Score | 7.5 |
| Affected Technologies | Wolfi, Chainguard |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
CVE-2026-26205 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-26205: Wolfi vulnerability analysis and mitigation
Description fragments: `input.parsed_path`, `//`.
Source: NVD

| Field | Value |
|---|---|
| Score | 7.1 |
| Published | February 19, 2026 |
| Severity | HIGH |
| CNA Score | 7.1 |
| Affected Technologies | Wolfi, Chainguard |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 32 |
| Exploitation Probability (EPSS) | 0.1 |
| Affected packages and libraries | github.com/open-policy-agent/opa-envoy-plugin, opa-envoy |

Sources:
- NVD
- Chainguard: has fix, added Feb 24, 2026
- GoLang: severity HIGH, has fix, added Feb 19, 2026
- Wolfi: has fix, added Feb 25, 2026
CVE-2026-3145 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3145: Wolfi vulnerability analysis and mitigation
A flaw has been found in libvips up to 8.18.0. The affected element is the function vips_foreign_load_matrix_file_is_a/vips_foreign_load_matrix_header of the file libvips/foreign/matrixload.c. Executing a manipulation can lead to memory corruption. The attack needs to be launched locally. This patch is called d4ce337c76bff1b278d7085c3c4f4725e3aa6ece. A patch should be applied to remediate this issue.
Source: NVD

| Field | Value |
|---|---|
| Score | 4.8 |
| Published | February 25, 2026 |
| Severity | MEDIUM |
| CNA Score | 4.8 |
| Affected Technologies | Wolfi, Chainguard |
| Has Public Exploit | Yes |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 4 |
| Exploitation Probability (EPSS) | N/A |
CVE-2026-32759 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32759: Wolfi vulnerability analysis and mitigation
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. In versions 2.61.2 and below, the TUS resumable upload handler parses the Upload-Length header as a signed 64-bit integer without validating that the value is non-negative, allowing an authenticated user to supply a negative value that instantly satisfies the upload completion condition upon the first PATCH request. This causes the server to fire after_upload exec hooks with empty or partial files, enabling an attacker to repeatedly trigger any configured hook with arbitrary filenames and zero bytes written. The impact ranges from DoS through expensive processing hooks, to command injection
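The Upload-Length case above: TUS treats an upload as complete once the stored offset reaches the declared length, so a signed parse lets a negative declared length complete on the first PATCH with nothing written, and whatever runs on completion runs on an empty file. The following is an added example in Python, not File Browser's handler; `parse_upload_length`, `first_patch` and the `MAX_UPLOAD` ceiling are constructed here.

```python
"""Validating the TUS Upload-Length header before it drives completion logic.

Added example, not File Browser's handler. Shows the signed parse that the
advisory describes next to an unsigned, bounded one, and the completion
check that a negative length satisfies at offset 0.
"""
import re

MAX_UPLOAD = 10 * 1024 * 1024 * 1024   # assumed 10 GiB server ceiling


class BadRequest(Exception):
    pass


def parse_upload_length_signed(value: str) -> int:
    """The vulnerable shape: a signed 64-bit parse, so "-1" is accepted."""
    return int(value, 10)


def parse_upload_length(value: str) -> int:
    """Unsigned decimal digits only (no sign, no whitespace), within the ceiling."""
    if not re.fullmatch(r"[0-9]{1,19}", value):
        raise BadRequest(f"Upload-Length must be a non-negative integer, got {value!r}")
    length = int(value, 10)
    if length > MAX_UPLOAD:
        raise BadRequest(f"Upload-Length {length} exceeds limit {MAX_UPLOAD}")
    return length


def first_patch(upload_length_header: str, chunk: bytes, strict: bool) -> tuple[str, int]:
    """Model a creation request followed by one PATCH carrying `chunk`.

    Returns (status, bytes_written): "rejected" (bad header), "completed"
    (after_upload hooks would fire now) or "pending".
    """
    parse = parse_upload_length if strict else parse_upload_length_signed
    try:
        length = parse(upload_length_header)
    except BadRequest:
        return "rejected", 0
    offset = 0
    accepted = chunk[:max(length - offset, 0)]   # never store past the declared length
    offset += len(accepted)
    # Completion check: with a negative length this is already true at offset 0.
    status = "completed" if offset >= length else "pending"
    return status, offset
```

A declared length of 0 still completes on the first PATCH, and that is correct: the client asked for an empty file. The difference with `-1` is that no client can legitimately ask for it, so it must be refused at parse time rather than reasoned about later.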
CVE-2026-24851 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24851: Wolfi vulnerability analysis and mitigation
OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.8.5 to v1.11.2 (openfga-0.2.22 <= Helm chart <= openfga-0.2.51, v1.8.5 <= docker <= v1.11.2) are vulnerable to improper policy enforcement when certain Check calls are executed. The vulnerability requires a model that has a relation directly assignable by a type bound public access and assignable by type bound non-public access, a tuple assigned for the relation that is a type bound public access, a tuple assigned for the same object with the same relation that is not type bound public access, and a tuple assigned for a different object that has an object ID lexicographically larger
CVE-2026-25536 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25536: Wolfi vulnerability analysis and mitigation
MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. From version 1.10.0 to 1.25.3, cross-client response data leak when a single McpServer/Server and transport instance is reused across multiple client connections, most commonly in stateless StreamableHTTPServerTransport deployments. This issue has been patched in version 1.26.0.
Source: NVD

| Field | Value |
|---|---|
| Score | 7.1 |
| Published | February 4, 2026 |
| Severity | HIGH |
| CNA Score | 7.1 |
| Affected Technologies | Wolfi, Chainguard |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 2.6 |
| Exploitation Probability (EPSS) | N/A |
CVE-2026-21434 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21434: Wolfi vulnerability analysis and mitigation
webtransport-go is an implementation of the WebTransport protocol. From 0.3.0 to 0.9.0, an attacker can cause excessive memory consumption in webtransport-go's session implementation by sending a WT_CLOSE_SESSION capsule containing an excessively large Application Error Message. The implementation does not enforce the draft-mandated limit of 1024 bytes on this field, allowing a peer to send an arbitrarily large message payload that is fully read and stored in memory. This allows an attacker to consume an arbitrary amount of memory. The attacker must transmit the full payload to achieve the memory consumption, but the lack of any upper bound makes large-scale attacks feasible given sufficient bandwidth. This vulnerability is
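The capsule case above is decided before a single byte of the value is read: the declared capsule length already says whether the error message can fit in 1024 bytes, so an over-long capsule costs the receiver nothing but the header. The following is an added example in Python, not webtransport-go's code; the capsule framing (varint type, varint length, value) is RFC 9297's, the varint is the QUIC encoding with a 2-bit length prefix, and the type value 0x2843 for CLOSE_WEBTRANSPORT_SESSION is taken from the WebTransport draft and is an assumption of the example.

```python
"""Parsing a WT_CLOSE_SESSION capsule with the message bound enforced up front.

Added example, not webtransport-go's code. Capsule = <varint type><varint
length><value>; the close capsule's value is a 32-bit application error
code followed by the application error message, capped at 1024 bytes.
"""
import struct

CLOSE_WEBTRANSPORT_SESSION = 0x2843   # type value from the WebTransport draft (assumed here)
MAX_CLOSE_MESSAGE = 1024              # draft-mandated limit cited by the advisory


class CapsuleError(Exception):
    pass


def encode_varint(v: int) -> bytes:
    """QUIC variable-length integer: top two bits give the byte count (1, 2, 4, 8)."""
    if v < 0x40:
        return bytes([v])
    if v < 0x4000:
        return struct.pack(">H", v | 0x4000)
    if v < 0x40000000:
        return struct.pack(">I", v | 0x80000000)
    if v < 0x4000000000000000:
        return struct.pack(">Q", v | 0xC000000000000000)
    raise ValueError("varint out of range")


def decode_varint(buf: bytes, pos: int) -> tuple[int, int]:
    if pos >= len(buf):
        raise CapsuleError("truncated varint")
    size = 1 << (buf[pos] >> 6)
    if pos + size > len(buf):
        raise CapsuleError("truncated varint")
    value = buf[pos] & 0x3F
    for b in buf[pos + 1:pos + size]:
        value = (value << 8) | b
    return value, pos + size


def encode_close_capsule(code: int, message: bytes) -> bytes:
    """Constructed-packet helper for the tests; deliberately enforces no bound."""
    value = struct.pack(">I", code) + message
    return encode_varint(CLOSE_WEBTRANSPORT_SESSION) + encode_varint(len(value)) + value


def parse_close_capsule(buf: bytes) -> tuple[int, bytes]:
    """Reject an over-long capsule from its declared length, before touching the value."""
    ctype, pos = decode_varint(buf, 0)
    if ctype != CLOSE_WEBTRANSPORT_SESSION:
        raise CapsuleError(f"unexpected capsule type {ctype:#x}")
    clen, pos = decode_varint(buf, pos)
    if clen < 4:
        raise CapsuleError("close capsule shorter than the error code")
    if clen - 4 > MAX_CLOSE_MESSAGE:
        # Decided from the header alone: nothing of the value has been buffered.
        raise CapsuleError(f"error message of {clen - 4} bytes exceeds {MAX_CLOSE_MESSAGE}")
    if len(buf) - pos < clen:
        raise CapsuleError("truncated capsule value")
    (code,) = struct.unpack_from(">I", buf, pos)
    return code, buf[pos + 4:pos + clen]


def parse_close_capsule_unbounded(buf: bytes) -> tuple[int, bytes]:
    """The pre-fix shape: whatever length the peer declares is read and kept."""
    ctype, pos = decode_varint(buf, 0)
    clen, pos = decode_varint(buf, pos)
    (code,) = struct.unpack_from(">I", buf, pos)
    return code, buf[pos + 4:pos + clen]


def check_close_capsule(buf: bytes):
    """(True, (code, message)) or (False, reason) for the session's receive loop."""
    try:
        return True, parse_close_capsule(buf)
    except CapsuleError as exc:
        return False, str(exc)
```

On a real stream the receiver reads the two varints, decides, and on rejection closes the session without draining the declared length; the peer still has to send every byte to consume anything, and none of it is stored.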
CVE-2026-34530 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34530: Wolfi vulnerability analysis and mitigation
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to version 2.62.2, the SPA index page in File Browser is vulnerable to Stored Cross-Site Scripting (XSS) via admin-controlled branding fields. An admin who sets branding.name to a malicious payload injects persistent JavaScript that executes for ALL visitors, including unauthenticated users. This issue has been patched in version 2.62.2.
Source: NVD

| Field | Value |
|---|---|
| Score | 6.9 |
| Published | April 1, 2026 |
| Severity | MEDIUM |
| CNA Score | 6.9 |
| Affected Technologies | Wolfi, Chainguard |
| Has Public Exploit | Yes |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
CVE-2026-24844 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24844: Wolfi vulnerability analysis and mitigation
melange allows users to build apk packages using declarative pipelines. From version 0.3.0 to before 0.40.3, an attacker who can provide build input values, but not modify pipeline definitions, could execute arbitrary shell commands if the pipeline uses ${{vars. }} or ${{inputs. }} substitutions in working-directory. The field is embedded into shell scripts without proper quote escaping. This issue has been patched in version 0.40.3.
Source: NVD

| Field | Value |
|---|---|
| Score | 8.8 |
| Published | February 4, 2026 |
| Severity | HIGH |
| CNA Score | 7.9 |
| Affected Technologies | Wolfi, Chainguard |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 0.8 |
CVE-2026-3281 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3281: Wolfi vulnerability analysis and mitigation
A vulnerability was detected in libvips 8.19.0. This affects the function vips_bandrank_build of the file libvips/conversion/bandrank.c. Performing a manipulation of the argument index results in heap-based buffer overflow. The attack must be initiated from a local position. The exploit is now public and may be used. The patch is named fd28c5463697712cb0ab116a2c55e4f4d92c4088. It is suggested to install a patch to address this issue.
Source: NVD

| Field | Value |
|---|---|
| Score | 4.8 |
| Published | February 27, 2026 |
| Severity | MEDIUM |
| CNA Score | 4.8 |
| Affected Technologies | Wolfi, Chainguard |
| Has Public Exploit | Yes |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 1.9 |
CVE-2026-35166 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35166: Wolfi vulnerability analysis and mitigation
Hugo is a static site generator. From 0.60.0 to before 0.159.2, links and image links in the default markdown to HTML renderer are not properly escaped. Hugo users who trust their Markdown content or have custom render hooks for links and images are not affected. This vulnerability is fixed in 0.159.2.
Source: NVD

| Field | Value |
|---|---|
| Score | 5.3 |
| Published | April 6, 2026 |
| Severity | MEDIUM |
| CNA Score | 5.3 |
| Affected Technologies | Wolfi, Chainguard |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 14.5 |
| Exploitation Probability (EPSS) | N/A |
| Affected packages and libraries | hugo, github.com/gohugoio/hugo |

Sources:
- NVD
- Chainguard: no fix, added Apr 06
CVE-2026-22733 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.2
CVE-2026-22733 [HIGH] CVE-2026-22733 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22733 :
Wolfi vulnerability analysis and mitigation
Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under the path used by the CloudFoundry Actuator endpoints. This issue affects Spring Security: from 4.0.0 through 4.0.3, from 3.5.0 through 3.5.11, from 3.4.0 through 3.4.14, from 3.3.0 through 3.3.17, from 2.7.0 through 2.7.31.
Source : NVD
Score 8.2
Published March 20, 2026
Severity HIGH
CNA Score 8.2
Affected Technologies
Wolfi
Chainguard
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 15.3
Exploitation Probability (EPSS) N/A
## CVE-2026-34516 : Wolfi vulnerability analysis and mitigation
Wiz · CVSS 6.6 · MEDIUM
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, a response with an excessive number of multipart headers may be allowed to use more memory than intended, potentially allowing a DoS vulnerability. This issue has been patched in version 3.13.4.
Source : NVD
Score 6.6
Published April 1, 2026
Severity MEDIUM
CNA Score 6.6
Affected Technologies
Wolfi
Chainguard
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 15.3
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
metaflow-service-fips
python-aiohttp
Sources
NVD
Chainguard Has Fix Added at: Apr
## CVE-2026-23960 : Wolfi vulnerability analysis and mitigation
Wiz · CVSS 7.3 · HIGH
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.6.17 and 3.7.8, stored XSS in the artifact directory listing allows any workflow author to execute arbitrary JavaScript in another user’s browser under the Argo Server origin, enabling API actions with the victim’s privileges. Versions 3.6.17 and 3.7.8 fix the issue.
Source : NVD
Score 7.3
Published January 21, 2026
Severity HIGH
CNA Score 7.3
Affected Technologies
Wolfi
Chainguard
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 19.2
Exploitation Probability (EPSS) 0.1
## CVE-2026-24843 : Wolfi vulnerability analysis and mitigation
Wiz · CVSS 8.2 · HIGH
melange allows users to build apk packages using declarative pipelines. In version 0.11.3 to before 0.40.3, an attacker who can influence the tar stream from a QEMU guest VM could write files outside the intended workspace directory on the host. The retrieveWorkspace function extracts tar entries without validating that paths stay within the workspace, allowing path traversal via ../ sequences. This issue has been patched in version 0.40.3.
Source : NVD
Score 8.4
Published February 4, 2026
Severity HIGH
CNA Score 8.2
Affected Technologies
Wolfi
Chainguard
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.3
## CVE-2026-27017 : Wolfi vulnerability analysis and mitigation
Wiz · CVSS 2.3 · LOW
uTLS is a fork of crypto/tls, created to customize ClientHello for fingerprinting resistance while still using it for the handshake. Versions 1.6.0 through 1.8.0 contain a fingerprint mismatch with Chrome when using GREASE ECH, related to cipher suite selection. When Chrome selects the preferred cipher suite in the outer ClientHello and for ECH, it does so consistently based on hardware support—for example, if it prefers AES for the outer cipher suite, it also uses AES for ECH. However, the Chrome parrot in uTLS hardcodes AES preference for outer cipher suites but selects the ECH cipher suite randomly between AES and ChaCha20. This creates a 50% chance of selecting ChaCha20 for ECH while using AES for the outer cipher suite,
## CVE-2025-69224 : Wolfi vulnerability analysis and mitigation
Wiz · CVSS 6.3 · MEDIUM
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below of the Python HTTP parser may allow a request smuggling attack with the presence of non-ASCII characters. If a pure Python version of AIOHTTP is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. This issue is fixed in version 3.13.3.
Source : NVD
Score 6.3
Published January 5, 2026
Severity MEDIUM
CNA Score 6.3
Affected Technologies
Wolfi
Chainguard
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
## CVE-2026-0665 : Wolfi vulnerability analysis and mitigation
Wiz · CVSS 6.5 · MEDIUM
An off-by-one error was found in QEMU's KVM Xen guest support. A malicious guest could use this flaw to trigger out-of-bounds heap accesses in the QEMU process via the emulated Xen physdev hypercall interface, leading to a denial of service or potential memory corruption.
Source : NVD
Score 6.5
Published February 18, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
Wolfi
Chainguard
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
qemu-linux-user
qemu-ppc
Sources
NVD
Chainguard No Fix Added at: Feb 19, 2026
Debian 13, 14 Severity MEDIU
## CVE-2026-3904 : Wolfi vulnerability analysis and mitigation
Wiz · CVSS 6.2 · MEDIUM
Calling NSS-backed functions that support caching via nscd may call the nscd client side code and in the GNU C Library version 2.36 under high load on x86_64 systems, the client may call memcmp on inputs that are concurrently modified by other processes or threads and crash.

The nscd client in the GNU C Library uses the memcmp function with inputs that may be concurrently modified by another thread, potentially resulting in spurious cache misses, which in itself is not a security issue. However in the GNU C Library version 2.36 an optimized implementation of memcmp was introduced for x86_64 which could crash when invoked with such undefined behaviour, turning this into a potential crash of the nscd client and the application
## CVE-2026-33211 : Wolfi vulnerability analysis and mitigation
Wiz · CVSS 9.6 · CRITICAL
pathInRepo
ResolutionRequests
TaskRuns
PipelineRuns
resolutionrequest.status.data
Source : NVD
Score 9.6
Published March 24, 2026
Severity CRITICAL
CNA Score 9.6
Affected Technologies
Wolfi
Chainguard
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 6.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
tekton-chains-fips
tekton-pipelines-1.3
Sources
NVD
Chainguard Has Fix Added at: Mar 20, 2026
GoLang Severity CRITICAL Has Fix Added at: Mar 19, 2026
Wolfi Has Fix Added at: Mar 20, 2026
## CVE-2026-34528 : Wolfi vulnerability analysis and mitigation
Wiz · CVSS 8.1 · HIGH
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to version 2.62.2, the signupHandler in File Browser applies default user permissions via d.settings.Defaults.Apply(user), then strips only Admin. The Execute permission and Commands list from the default user template are not stripped. When an administrator has enabled signup, server-side execution, and set Execute=true in the default user template, any unauthenticated user who self-registers inherits shell execution capabilities and can run arbitrary commands on the server. This issue has been patched in version 2.62.2.
Source : NVD
Score 9.8
Published April 1, 2026
## CVE-2026-23881 : Wolfi vulnerability analysis and mitigation
Wiz · CVSS 7.7 · HIGH
Kyverno is a policy engine designed for cloud native platform engineering teams. Versions prior to 1.16.3 and 1.15.3 have unbounded memory consumption in Kyverno's policy engine that allows users with policy creation privileges to cause denial of service by crafting policies that exponentially amplify string data through context variables. Versions 1.16.3 and 1.15.3 contain a patch for the vulnerability.
Source : NVD
Score 6.5
Published January 27, 2026
Severity MEDIUM
CNA Score 7.7
Affected Technologies
Wolfi
Chainguard
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 19.3
Exploitation Probability (EPSS) 0.1
## CVE-2026-4105 : Wolfi vulnerability analysis and mitigation
Wiz · CVSS 10.0 · CRITICAL
A flaw was found in systemd. The systemd-machined service contains an Improper Access Control vulnerability due to insufficient validation of the class parameter in the RegisterMachine D-Bus (Desktop Bus) method. A local unprivileged user can exploit this by attempting to register a machine with a specific class value, which may leave behind a usable, attacker-controlled machine object. This allows the attacker to invoke methods on the privileged object, leading to the execution of arbitrary commands with root privileges on the host system.
Source : NVD
Score 6.7
Published March 13, 2026
Severity MEDIUM
CNA Score 6.7
Affected Technologies
Wolfi
Chainguard
Has Public Exploit No
Has CISA KEV Exploit No
2026-04-06
Published