News & Security
Updates from ENISA, NVD and the main European cybersecurity sources. Everything a Technical Manager needs to know.
CVE ID: CVE-2026-42129
Published: June 22, 2026, 1:18 p.m.
Description: The Loki datasource plugin's callResource handler contains a path traversal vulnerability. An authenticated Viewer-role user can escape the plugin's resource sandbox and access administrative Loki endpoints (e.g. /config, /services, /ready) to extract sensitive backend configuration and internal service information.
Severity: 7.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID: CVE-2024-54178
Published: June 22, 2026, 1:15 p.m.
Description: IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data versions 4.8, 5.0, 5.1, 5.2, 5.3 could allow an authenticated user to cause a denial of service when creating new databases due to improper allocation of resources.
Severity: 6.5 | MEDIUM
CVE ID: CVE-2026-12888
Published: June 22, 2026, 1:05 p.m.
Description: An HTML injection vulnerability exists in the Google Chat webhook notification sent by Thinkst Applied Research Canarytokens, enabling Interface Manipulation in Google Chat. An attacker can insert limited HTML content including links. This issue affects Canarytokens: from Docker tag sha-4aef1db90 before sha-8ab4dccd, from Git commit 4aef1db90 before 8ab4dccd.
Severity: 2.0 | LOW
CVE ID: CVE-2026-56450
Published: June 22, 2026, 1:02 p.m.
Description: AIL did not restrict repeated failed attempts to verify a two-factor authentication (OTP) code. An attacker who had reached the 2FA verification step, such as after successfully completing the password-authentication stage, could submit an unlimited number of OTP guesses. This could enable brute-force guessing of a valid code and bypass the intended second authentication factor, resulting in unauthorized account access. The patch introduces per-user failed-OTP tracking, blocks verification after 30 failed attempts for one hour, clears the counter after a successful OTP verification, and provides administrator recovery actions to purge affected lockouts.
Severity: 5.1 | MEDIUM
CVE ID: CVE-2026-56448
Published: June 22, 2026, 12:54 p.m.
Description: A path traversal vulnerability exists in AIL Framework before the release containing commit 0041456af25da0cdea1c1c4624e46baff2731d8f. An authenticated AIL user can supply crafted object identifiers through the investigation workflow to cause file paths to resolve outside the intended image, favicon, or screenshot storage directories. This may allow the attacker to download and read arbitrary files that are accessible to the AIL process. The issue occurs because user-controlled path components were joined with application storage paths without verifying that the resolved path remained within the expected directory. The affected download functionality could then include the contents of such files in a generated archive.
Severity: 8.3 | HIGH
CVE ID: CVE-2026-7167
Published: June 22, 2026, 12:50 p.m.
Description: The vulnerability arises when the system fails to properly validate the 'email' field during the authentication process, allowing unverified or fake email addresses to be accepted. This lack of validation enables the creation of user accounts with fake email addresses, facilitating the mass creation of fraudulent accounts. Successful exploitation of this vulnerability could allow an authenticated attacker to carry out various attacks, such as mass spam distribution, system abuse, or bypassing user controls, thereby compromising the security and integrity of the system.
Severity: 6.9 | MEDIUM
CVE ID: CVE-2026-7166
Published: June 22, 2026, 12:47 p.m.
Description: Vulnerability involving the exposure of sensitive data provided without adequate protection. The API exposes email and phone number data from the ‘email’ and ‘telefon’ fields. This vulnerability is also present in the local database, as it contains accessible sensitive information such as data on minors and municipal users. Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to gain access to sensitive information and data.
Severity: 9.2 | CRITICAL
CVE ID: CVE-2026-7165
Published: June 22, 2026, 12:46 p.m.
Description: The vulnerability is present in the ‘/addJugador’ endpoint:
* The 'keyJugador' and 'keyJugadorObjectiu' parameters allow the modification of other users’ information without requiring prior authorization validation. This could enable an authenticated attacker to alter any user’s ID and change their information.
* The ‘punts’ and ‘numObjectiusEliminats’ fields allow arbitrary data to be added because user input is not properly validated. This makes it possible to obtain authentic prizes, awarded by city councils, by falsifying game scores.
* In the ‘tokens’ field, administrative privileges can be self-assigned without server validation or prior authentication. This vulnerability could allow an authenticated attacker to grant themselves administrator permissions and thus escalate privileges.
* Numeric fields allow the entry of extremely long values, which can cause the system to crash. Successful exploitation of this vulnerability could allow an authenticated attacker to launch a denial-of-service (DoS) attack, preventing created games from being playable.
* The ‘urlImatge’ parameter allows server-side requests to arbitrary URLs, enabling the retrieval of users’ internal IP addresses, access to internal services, reading of local files, and unauthorized interaction with third-party APIs. An authenticated attacker could gain access to sensitive data.
Severity: 9.4 | CRITICAL
CVE ID: CVE-2026-54100
Published: June 22, 2026, 12:46 p.m.
Description: A flaw was found in the Windows Machine Config Operator (WMCO) for Red Hat OpenShift Container Platform. WMCO establishes SSH connections to Windows worker nodes without verifying the remote server host key. An adjacent-network attacker who can intercept or redirect WMCO's SSH session can capture WICD and kubelet bootstrap credentials transferred during node configuration, enabling compromise of Windows node identities in the cluster.
Severity: 8.3 | HIGH
CVE ID: CVE-2026-54099
Published: June 22, 2026, 12:46 p.m.
Description: A flaw was found in the Windows Machine Config Operator (WMCO) for Red Hat OpenShift Container Platform. The WICD CSR auto-approver validates that a Certificate Signing Request contains the organization system:wicd-nodes but does not reject additional organization values such as system:masters. A compromised Windows worker node that holds WICD credentials can submit a CSR that is auto-approved and signed by the cluster, yielding a client certificate that grants cluster-administrator privileges and enabling full cluster takeover.
Severity: 8.8 | HIGH
CVE ID: CVE-2026-6653
Published: June 22, 2026, 12:40 p.m.
Description: Use After Free in libxml2's xmlParseInternalSubset from GNOME libxml2 version 2.9.11 to 2.11.0 allows a remote attacker to cause a denial-of-service via maliciously crafted XML input with improper entity resolution handling.
Severity: 7.0 | HIGH
CVE ID: CVE-2026-56447
Published: June 22, 2026, 12:39 p.m.
Description: MISP allowed an authenticated site administrator to set the Kafka_rdkafka_config setting to an arbitrary filesystem path. MISP subsequently parsed the referenced INI file and passed its options to rdkafka. A crafted attacker-controlled configuration file could use rdkafka options such as plugin.library.paths to load an external library, resulting in arbitrary code execution with the privileges of the MISP process. An attacker could leverage a MISP-writable location, such as an uploaded file or administrative image, to host the malicious configuration file. The issue is fixed by restricting the setting to absolute .ini files located only in approved configuration directories outside the webroot and MISP upload targets.
Severity: 9.3 | CRITICAL