CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST — in English
CISA KEV catalog updated: (v2026.07.01)
Vulnerability in the Oracle PeopleSoft PeopleTools product related to Updates Environment Management. Versions 8.61 and 8.62 are susceptible to easily exploitable attacks that can lead to system takeover.
Boxlite is a sandbox service that allows users to create lightweight virtual machines and run OCI containers. In versions prior to 0.9.0, Boxlite does not account for the possibility that tar entries in OCI images may be symlinks pointing to absolute paths, allowing an attacker to execute malicious code on the host.
Boxlite is a sandbox service that allows users to create lightweight virtual machines and launch OCI containers. Prior to version 0.9.0, Boxlite does not restrict kernel capabilities inside the container, allowing malicious code to gain write access to directories that should be read-only.
Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not protect against metric injections. The statsd protocol allows multiple metrics to be sent per packet, creating a risk of injecting malicious data.
Fission is a serverless framework, native to Kubernetes, that simplifies the deployment of functions and applications. In versions prior to 1.24.0, a user with appropriate RBAC permissions could run privileged containers, leading to container-sandbox escape and access to the host's filesystem and network.
Fission is a serverless framework, native to Kubernetes, which prior to version 1.24.0 had a security issue related to the Environment CRD. The pod specs for runtime and builder lacked filtering for critical fields, potentially allowing unauthorized access to system resources.
Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications. In versions prior to 1.24.0, the Container Executor path allowed users to supply pod specifications directly, which could lead to unauthorized access to resources.
Fission is a serverless framework, native to Kubernetes, that simplifies the deployment of functions and applications. Prior to version 1.24.0, the lack of validation in Environment.spec.runtime.podSpec / spec.builder.podSpec led to the propagation of dangerous fields into generated pods.
Fission, a serverless framework for Kubernetes, prior to version 1.23.0 registered internal routes for function objects, allowing them to be invoked without proper permissions. This enabled attackers to call functions by guessing their names and namespaces.
In Splunk Enterprise versions 10.2 below 10.2.4 and 10 below 10.0.7, an unauthenticated user can create or truncate arbitrary files through a PostgreSQL sidecar service endpoint. The vulnerability exists due to a lack of authentication controls at this endpoint.
A flaw was found in assisted-migration-agent that allows an unauthenticated attacker on the same local area network to exploit a path traversal vulnerability. By crafting a specially designed gzipped tarball, the attacker can bypass security checks and write arbitrary files to the system.
A flaw was found in assisted-migration-agent that hardcodes insecure TLS connections when communicating with vCenter. This vulnerability allows a Man-in-the-Middle (MITM) attacker to intercept and harvest vCenter administrator credentials.
A flaw was found in migration-planner that allows a remote authenticated attacker to upload a specially crafted RVTools .xlsx file. Due to improper input sanitization, malicious SQL embedded within spreadsheet cells is executed when processing cluster names.
A flaw exists in the migration-planner where the agent-API middleware fails to properly validate the source_id claim in JWTs. This allows an authenticated attacker to manipulate data across different tenants, leading to a complete collapse of tenant isolation.
A flaw was found in migration-planner that allows an authenticated attacker to bypass access control in the `/api/v1/sources/{id}/image-url` endpoint. This flaw enables the attacker to obtain presigned S3 URLs for OVA images belonging to other users.
A flaw was found in migration-planner that allows an authenticated user to send a DELETE request to the /api/v1/sources route, which lacks proper authorization and filtering. This enables the destruction of all customer data, including sources, agents, and assessments.
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. In versions 8.2.6.4 and prior, the HAProxy section-save endpoints accept an unvalidated JSON option field, allowing arbitrary HAProxy directives to be injected into the configuration.
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. In versions 8.2.6.4 and prior, the config_file_name field in the POST request /waf/<service>/<server_ip>/rule/<rule_id>/save is not properly validated, allowing an attacker to write files to any location on the load balancer's filesystem.
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. In versions 8.2.6.4 and prior, the lack of proper decorators in certain endpoints allows any logged-in user, including the default guest role, to install and reconfigure exporters, WAF, and GeoIP databases on all servers in the Roxy-WI database.
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. In versions 8.2.6.4 and prior, the PUT /smon/check functionality does not verify if the check_id belongs to the user's group, allowing unauthorized modifications to other users' monitoring settings.

