🚨 CVE-2026-57301
Jenkins OWASP ZAP Plugin 1.0.7 and earlier performs build operations on the Jenkins controller rather than the assigned agent, allowing attackers with Item/Configure permission to execute arbitrary code on the Jenkins controller.
🎖@cveNotify
Jenkins OWASP ZAP Plugin 1.0.7 and earlier performs build operations on the Jenkins controller rather than the assigned agent, allowing attackers with Item/Configure permission to execute arbitrary code on the Jenkins controller.
🎖@cveNotify
Jenkins Security Advisory 2026-06-24
Jenkins – an open source automation server which enables developers around the world to reliably build, test, and deploy their software
🚨 CVE-2026-57302
Jenkins FitNesse Plugin 1.36 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Extended Read permission or access to the Jenkins controller file system.
🎖@cveNotify
Jenkins FitNesse Plugin 1.36 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Extended Read permission or access to the Jenkins controller file system.
🎖@cveNotify
Jenkins Security Advisory 2026-06-24
Jenkins – an open source automation server which enables developers around the world to reliably build, test, and deploy their software
🚨 CVE-2026-57303
Jenkins Assembla Plugin 1.4 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks, allowing attackers able to control the responses of the configured Assembla server to extract secrets from the Jenkins controller or perform server-side request forgery.
🎖@cveNotify
Jenkins Assembla Plugin 1.4 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks, allowing attackers able to control the responses of the configured Assembla server to extract secrets from the Jenkins controller or perform server-side request forgery.
🎖@cveNotify
Jenkins Security Advisory 2026-06-24
Jenkins – an open source automation server which enables developers around the world to reliably build, test, and deploy their software
🚨 CVE-2026-57305
A cross-site request forgery (CSRF) vulnerability in Jenkins Assembla Plugin 1.4 and earlier allows attackers to connect to an attacker-specified URL using an attacker-specified username and password.
🎖@cveNotify
A cross-site request forgery (CSRF) vulnerability in Jenkins Assembla Plugin 1.4 and earlier allows attackers to connect to an attacker-specified URL using an attacker-specified username and password.
🎖@cveNotify
Jenkins Security Advisory 2026-06-24
Jenkins – an open source automation server which enables developers around the world to reliably build, test, and deploy their software
🚨 CVE-2026-57306
A cross-site request forgery (CSRF) vulnerability in Jenkins Zowe zDevOps Plugin 1.1.3.50.ve350c9b_450b_1 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
🎖@cveNotify
A cross-site request forgery (CSRF) vulnerability in Jenkins Zowe zDevOps Plugin 1.1.3.50.ve350c9b_450b_1 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
🎖@cveNotify
Jenkins Security Advisory 2026-06-24
Jenkins – an open source automation server which enables developers around the world to reliably build, test, and deploy their software
🚨 CVE-2026-57307
A missing permission check in Jenkins Zowe zDevOps Plugin 1.1.3.50.ve350c9b_450b_1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
🎖@cveNotify
A missing permission check in Jenkins Zowe zDevOps Plugin 1.1.3.50.ve350c9b_450b_1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
🎖@cveNotify
Jenkins Security Advisory 2026-06-24
Jenkins – an open source automation server which enables developers around the world to reliably build, test, and deploy their software
🚨 CVE-2026-40699
A vulnerability exists in the undisclosed pages in the Configuration utility that may allow a low-privileged authenticated attacker to access to undisclosed sensitive information. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
🎖@cveNotify
A vulnerability exists in the undisclosed pages in the Configuration utility that may allow a low-privileged authenticated attacker to access to undisclosed sensitive information. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
🎖@cveNotify
F5
BIG-IP Configuration utility vulnerability CVE-2026-40699
Security Advisory Description A vulnerability exists in the undisclosed pages in the Configuration utility that may allow a low-privileged authenticated attacker to access to undisclosed sensitive information. (CVE-2026-40699) Impact This vulnerability may…
🚨 CVE-2026-40703
A cross-site request forgery (CSRF) vulnerability exists in the dashboard of the BIG-IP Configuration utility. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
🎖@cveNotify
A cross-site request forgery (CSRF) vulnerability exists in the dashboard of the BIG-IP Configuration utility. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
🎖@cveNotify
F5
BIG-IP Configuration utility CSRF vulnerability CVE-2026-40703
Security Advisory Description A cross-site request forgery (CSRF) vulnerability exists in the dashboard of the BIG-IP Configuration utility. (CVE-2026-40703) Impact A remote, unauthenticated attacker may exploit this vulnerability by causing an authenticated…
🚨 CVE-2026-41217
A vulnerability exists in an undisclosed BIG-IP TMOS Shell (tmsh) command that may allow an authenticated attacker with resource administrator or administrator role to execute arbitrary system commands with higher privileges. In Appliance mode deployments, a successful exploit can allow the attacker to cross a security boundary.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
🎖@cveNotify
A vulnerability exists in an undisclosed BIG-IP TMOS Shell (tmsh) command that may allow an authenticated attacker with resource administrator or administrator role to execute arbitrary system commands with higher privileges. In Appliance mode deployments, a successful exploit can allow the attacker to cross a security boundary.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
🎖@cveNotify
F5
BIG-IP tmsh vulnerability CVE-2026-41217
Security Advisory Description A vulnerability exists in an undisclosed BIG-IP TMOS Shell (tmsh) command that may allow an authenticated attacker with resource administrator or administrator role to execute arbitrary system commands with higher privileges.…
🚨 CVE-2026-41218
When BIG-IP PEM iRules are configured on a virtual server (iRules using commands starting with CLASSIFICATION::, CLASSIFY::, PEM::, PSC::, and the urlcatquery command), undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
🎖@cveNotify
When BIG-IP PEM iRules are configured on a virtual server (iRules using commands starting with CLASSIFICATION::, CLASSIFY::, PEM::, PSC::, and the urlcatquery command), undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
🎖@cveNotify
F5
BIG-IP PEM iRules vulnerability CVE-2026-41218
Security Advisory Description When BIG-IP PEM iRules are configured on a virtual server (iRules using commands starting with CLASSIFICATION::, CLASSIFY::, PEM::, PSC::, and the urlcatquery command), undisclosed traffic can cause the Traffic Management Microkernel…
🚨 CVE-2026-41219
An improper sanitization vulnerability exists in the BIG-IP QKView utility that allows a low-privileged attacker to read sensitive information from a QKView file.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
🎖@cveNotify
An improper sanitization vulnerability exists in the BIG-IP QKView utility that allows a low-privileged attacker to read sensitive information from a QKView file.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
🎖@cveNotify
F5
BIG-IP qkview vulnerability CVE-2026-41219
Security Advisory Description An improper sanitization vulnerability exists in the BIG-IP qkview utility that allows a low-privileged attacker to read sensitive information from a QKView file. (CVE-2026-41219) Impact An attacker may exploit this vulnerability…
🚨 CVE-2026-41225
A vulnerability exists in iControl REST where a highly privileged, authenticated attacker with at least the Manager role can create configuration objects that allow running arbitrary commands.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
🎖@cveNotify
A vulnerability exists in iControl REST where a highly privileged, authenticated attacker with at least the Manager role can create configuration objects that allow running arbitrary commands.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
🎖@cveNotify
F5
iControl REST vulnerability CVE-2026-41225
Security Advisory Description A vulnerability exists in iControl REST where a highly privileged, authenticated attacker with at least the Manager role can create configuration objects that allow running arbitrary commands. (CVE-2026-41225) Impact This vulnerability…
🚨 CVE-2026-41227
On an HTTP/2 virtual server with Layer 7 DoS Protection configured, undisclosed traffic can result in an increase in memory consumption causing the Traffic Management Microkernel (TMM) process to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
🎖@cveNotify
On an HTTP/2 virtual server with Layer 7 DoS Protection configured, undisclosed traffic can result in an increase in memory consumption causing the Traffic Management Microkernel (TMM) process to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
🎖@cveNotify
F5
BIG-IP HTTP/2 Layer 7 DoS Protection vulnerability CVE-2026-41227
Security Advisory Description On an HTTP/2 virtual server with Layer 7 DoS Protection configured, undisclosed traffic can result in an increase in memory consumption causing the Traffic Management Microkernel (TMM) process to terminate. (CVE-2026-41227) Impact…
🚨 CVE-2026-41953
A vulnerability exists in BIG-IP systems where a highly privileged, authenticated attacker with at least the Resource Administrator role can modify configuration objects resulting in privilege escalation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
🎖@cveNotify
A vulnerability exists in BIG-IP systems where a highly privileged, authenticated attacker with at least the Resource Administrator role can modify configuration objects resulting in privilege escalation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
🎖@cveNotify
F5
BIG-IP privilege escalation vulnerability CVE-2026-41953
Security Advisory Description A vulnerability exists in BIG-IP systems where a highly privileged, authenticated attacker with at least the Resource Administrator role can modify configuration objects resulting in privilege escalation. (CVE-2026-41953) Impact…
🚨 CVE-2026-41954
Sensitive information disclosure vulnerability exists in the undisclosed iControl REST endpoint and TMOS Shell (tmsh) command which may allow an authenticated attacker with resource administrator role privileges to view sensitive information. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
🎖@cveNotify
Sensitive information disclosure vulnerability exists in the undisclosed iControl REST endpoint and TMOS Shell (tmsh) command which may allow an authenticated attacker with resource administrator role privileges to view sensitive information. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
🎖@cveNotify
F5
iControl REST and tmsh vulnerability CVE-2026-41954
Security Advisory Description Sensitive information disclosure vulnerability exists in the undisclosed iControl REST endpoint and TMOS Shell (tmsh) command which may allow an authenticated attacker with resource administrator role privileges to view sensitive…
🚨 CVE-2026-41956
When a classification profile is configured on a UDP virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
🎖@cveNotify
When a classification profile is configured on a UDP virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
🎖@cveNotify
F5
BIG-IP TMM vulnerability CVE-2026-41956
Security Advisory Description When a classification profile is configured on a UDP virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. (CVE-2026-41956) Impact Traffic is disrupted while the TMM process restarts.…
🚨 CVE-2026-41959
Incorrect permission assignment vulnerabilities exist in BIG-IP and BIG-IQ TMOS Shell (tmsh) network diagnostics commands and in BIG-IP iControl REST. These vulnerabilities may allow an authenticated attacker to view the network status of destination systems.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
🎖@cveNotify
Incorrect permission assignment vulnerabilities exist in BIG-IP and BIG-IQ TMOS Shell (tmsh) network diagnostics commands and in BIG-IP iControl REST. These vulnerabilities may allow an authenticated attacker to view the network status of destination systems.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
🎖@cveNotify
F5
iControl REST and tmsh vulnerability CVE-2026-41959
Security Advisory Description Incorrect permission assignment vulnerabilities exist in BIG-IP and BIG-IQ TMOS Shell (tmsh) network diagnostics commands and in BIG-IP iControl REST. These vulnerabilities may allow an authenticated attacker to view the network…
🚨 CVE-2026-34908
A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi OS devices to make unauthorized changes to the system.
🎖@cveNotify
A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi OS devices to make unauthorized changes to the system.
🎖@cveNotify
🚨 CVE-2026-34909
A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to access files on the underlying system that could be manipulated to access an underlying account.
🎖@cveNotify
A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to access files on the underlying system that could be manipulated to access an underlying account.
🎖@cveNotify
🚨 CVE-2026-34910
A malicious actor with access to the network could exploit an Improper Input Validation vulnerability found in UniFi OS devices to execute a Command Injection.
🎖@cveNotify
A malicious actor with access to the network could exploit an Improper Input Validation vulnerability found in UniFi OS devices to execute a Command Injection.
🎖@cveNotify
🚨 CVE-2026-50637
Metrics::Any::Adapter::Statsd versions before 0.04 for Perl does not protect against metric injections.
The statsd protocol (and extensions) allow mutiple metrics, separated by newlines, to be sent per packet.
The send method does not validate the contents of the metric names or values. If the names have newlines and statsd control characters (colon, pipe) then metric injections are possible.
Version 0.04 fixed this by modifying the _make method to block metric names with characters below ASCII 32 (which includes the newline), or colons or pipes.
🎖@cveNotify
Metrics::Any::Adapter::Statsd versions before 0.04 for Perl does not protect against metric injections.
The statsd protocol (and extensions) allow mutiple metrics, separated by newlines, to be sent per packet.
The send method does not validate the contents of the metric names or values. If the names have newlines and statsd control characters (colon, pipe) then metric injections are possible.
Version 0.04 fixed this by modifying the _make method to block metric names with characters below ASCII 32 (which includes the newline), or colons or pipes.
🎖@cveNotify