
CVSS: 7.8 | EPSS: 0% | CPEs: 5 | EXPL: 0

14 Nov 2025 — A vulnerability was identified in the email parsing library due to improper handling of specially formatted recipient email addresses. An attacker can exploit this flaw by crafting a recipient address that embeds an external address within quotes. This causes the application to misdirect the email to the attacker's external address instead of the intended internal recipient. This could lead to a significant data leak of sensitive information and allow an attacker to bypass security filters and access contro... • https://access.redhat.com/security/cve/CVE-2025-13033 • CWE-436: Interpretation Conflict •
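The conflict described above can be shown in a few lines. The following is an added example, not code from the advisory or from the affected library: RFC 5322 allows the local part of an address to be a quoted-string, and a quoted-string may contain `@`, so the delivery domain is whatever follows the last `@` outside quotes. A filter that looks for `@internal-domain` anywhere in the string reads the quoted local part as the domain and passes a message that the MTA will deliver externally. The internal domain name, the function names and the crafted address are assumptions constructed for the example; the parser takes a bare addr-spec, not a display-name form.

```python
"""Recipient-domain check: substring filter versus an addr-spec aware split."""
import re

INTERNAL_DOMAIN = "corp.example"   # assumed internal domain for this example


def naive_is_internal(addr: str) -> bool:
    """Substring/regex filter of the kind that is fooled by quoted local parts:
    it matches '@corp.example' wherever it occurs, including inside quotes."""
    return re.search(r"@" + re.escape(INTERNAL_DOMAIN) + r"(?![\w.-])", addr) is not None


def split_addr_spec(addr: str) -> tuple:
    """Split an addr-spec into (local_part, domain) using the quoting rules:
    inside a quoted-string '@' is literal and a backslash escapes the next
    character, so the separator is the last '@' outside quotes."""
    in_quote = False
    split_at = -1
    i = 0
    while i < len(addr):
        c = addr[i]
        if in_quote:
            if c == "\\":
                i += 1                # skip the escaped character
            elif c == '"':
                in_quote = False
        elif c == '"':
            in_quote = True
        elif c == "@":
            split_at = i              # last unquoted '@' wins
        i += 1
    if in_quote or split_at < 1 or split_at == len(addr) - 1:
        raise ValueError(f"malformed addr-spec: {addr!r}")
    return addr[:split_at], addr[split_at + 1:]


def delivery_domain(addr: str) -> str:
    """The domain an MTA will actually route to."""
    return split_addr_spec(addr)[1].lower()


def is_internal(addr: str) -> bool:
    """Policy check that agrees with the MTA: decide on the delivery domain."""
    return delivery_domain(addr) == INTERNAL_DOMAIN


def is_internal_strict(addr: str) -> bool:
    """Defence in depth: also refuse any local part containing '@', so that a
    downstream component with different quoting rules cannot disagree."""
    local, domain = split_addr_spec(addr)
    return "@" not in local and domain.lower() == INTERNAL_DOMAIN


if __name__ == "__main__":
    crafted = '"victim@corp.example"@attacker.example'   # constructed test input
    print(naive_is_internal(crafted), is_internal(crafted), delivery_domain(crafted))
```

The strict variant is the one to put in front of an outbound gateway: an address that needs `@` inside its quoted local part is almost never legitimate, and rejecting it removes the question of which parser the next hop uses.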

CVSS: 9.6 | EPSS: 0% | CPEs: 6 | EXPL: 0

24 Sep 2025 — Malicious code was inserted into the Nx (build system) package and several related plugins. The tampered package was published to the npm software registry via a supply-chain attack. Affected versions contain code that scans the file system, collects credentials, and posts them to GitHub as a repository under the user's account. • https://access.redhat.com/security/cve/CVE-2025-10894 • CWE-506: Embedded Malicious Code •
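A tampered npm package needs a hook to run on the developer's machine, and install-time lifecycle scripts are the usual one. The following is an added example, not code from Nx or from the advisory: it walks a `node_modules` tree and reports every package whose `package.json` declares a `preinstall`, `install`, `postinstall` or `prepare` script, which is the list a practitioner would review after an incident like this one. The package tree it scans is a constructed fixture; the package names and script commands are invented for the example and have nothing to do with the real payload.

```python
"""Audit an installed node_modules tree for install-time lifecycle scripts."""
import json
import tempfile
from pathlib import Path

INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def find_install_scripts(node_modules) -> list:
    """Return (name, version, {hook: command}) for every package under
    node_modules whose package.json declares an install-time script."""
    findings = []
    for pkg_json in Path(node_modules).rglob("package.json"):
        try:
            data = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (ValueError, OSError):
            continue                      # unreadable or not JSON: skip it
        scripts = data.get("scripts") or {}
        hooks = {k: scripts[k] for k in INSTALL_HOOKS if k in scripts}
        if hooks:
            findings.append((data.get("name", pkg_json.parent.name),
                             str(data.get("version", "?")), hooks))
    return sorted(findings)


def build_fixture() -> Path:
    """Constructed node_modules tree: one plain package and one (invented)
    scoped package that runs a command at postinstall time."""
    nm = Path(tempfile.mkdtemp()) / "node_modules"
    packages = {
        "left-pad": {"name": "left-pad", "version": "1.3.0"},
        "@example/build-plugin": {
            "name": "@example/build-plugin",
            "version": "0.0.1",
            "scripts": {"postinstall": "node ./scripts/telemetry.js", "build": "tsc"},
        },
    }
    for rel, manifest in packages.items():
        d = nm / rel
        d.mkdir(parents=True)
        (d / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    return nm


if __name__ == "__main__":
    for name, version, hooks in find_install_scripts(build_fixture()):
        print(f"{name}@{version}: {hooks}")
```

Run it against a real checkout by passing the project's `node_modules` path to `find_install_scripts`. Setting `ignore-scripts=true` in `.npmrc` stops npm from running these hooks at all, which is the cheapest control against this class of package tampering; packages that genuinely need a build step can then be handled explicitly.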

CVSS: 5.2 | EPSS: 0% | CPEs: 15 | EXPL: 0

07 Aug 2025 — Early versions of Operator-SDK provided an insecure method to allow operator containers to run in environments that used a random UID. Operator-SDK before 0.15.2 provided a script, user_setup, which modifies the permissions of the /etc/passwd file to 664 during build time. Developers who used Operator-SDK before 0.15.2 to scaffold their operator may still be impacted by this if the insecure user_setup script is still being used to build new container images. In affected images, the /etc/passwd file is creat... • https://access.redhat.com/security/cve/CVE-2025-7195 • CWE-276: Incorrect Default Permissions •
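Mode 664 on /etc/passwd sets the group-write bit, and a container started with a random UID normally still runs with GID 0, so any process in the container can append entries to the file. Two checks catch the pattern described above, one on a built image's file mode and one on the build script that sets it. This is an added example, not the Operator-SDK `user_setup` script or any Red Hat tooling; the build script it scans is constructed for the example, and the regex only understands octal `chmod` arguments.

```python
"""Detect group/world-writable /etc/passwd, on disk and in build scripts."""
import os
import re
import stat

# chmod with an octal mode applied to /etc/passwd (symbolic modes such as
# g+w are not parsed here; treat any other chmod of /etc/passwd as needing
# manual review)
CHMOD_PASSWD_RE = re.compile(r"\bchmod\s+(?:-R\s+)?([0-7]{3,4})\s+\S*/etc/passwd\b")


def passwd_mode_is_unsafe(mode: int) -> bool:
    """True when the group- or other-write bit is set on the mode."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def check_passwd_file(path: str = "/etc/passwd") -> bool:
    """Check the file inside a running container or an extracted image."""
    return passwd_mode_is_unsafe(os.stat(path).st_mode)


def scan_build_script(text: str) -> list:
    """Return (line_number, octal_mode) for chmod lines that leave /etc/passwd
    writable by group or others."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CHMOD_PASSWD_RE.finditer(line):
            if passwd_mode_is_unsafe(int(m.group(1), 8)):
                hits.append((lineno, m.group(1)))
    return hits


# constructed build script modelled on the pattern in the advisory
BUILD_SCRIPT = """#!/bin/sh
# constructed example, not the real user_setup script
chmod 664 /etc/passwd
chmod 644 /etc/group
"""

if __name__ == "__main__":
    print(scan_build_script(BUILD_SCRIPT))   # [(3, '664')]
```

Run `check_passwd_file()` from inside the image (for example as a CI step after `docker run`) and `scan_build_script` over Dockerfiles and helper scripts; an image whose /etc/passwd is 0644 and whose build never loosens it passes both.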

CVSS: 3.7 | EPSS: 0% | CPEs: 27 | EXPL: 0

06 Aug 2025 — A flaw was found in CIRCL's implementation of the FourQ elliptic curve. This vulnerability allows an attacker to compromise session security via low-order point injection and incorrect point validation during Diffie-Hellman key exchange. • https://access.redhat.com/security/cve/CVE-2025-8556 • CWE-347: Improper Verification of Cryptographic Signature •
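The missing check in an exchange like this is that the peer's public value lies in the prime-order subgroup; without it, a value of tiny order forces the shared secret into a handful of possibilities and leaks the victim's private scalar modulo that order. The following added example, which is not CIRCL or FourQ code, shows the attack and the validating check on a toy finite-field Diffie-Hellman group rather than on the curve, because the logic is identical and fits in a few lines: `pow(y, Q, P) == 1` plays the role of the on-curve and cofactor/order check for a point. The group parameters are constructed for illustration and are far too small for any real use.

```python
"""Low-order value injection against Diffie-Hellman, and the check that stops it."""

P = 43   # toy prime; P - 1 = 42 = 2 * 3 * 7, so the group has small subgroups
Q = 7    # order of the intended prime-order subgroup
G = 4    # generator of that subgroup: pow(4, 7, 43) == 1
LOW_ORDER_ELEMENT = 6   # pow(6, 3, 43) == 1: an element of order 3


def validate_public_value(y: int) -> bool:
    """Reject values outside (1, P-1) and values not in the order-Q subgroup.
    For a curve this is the 'point is on the curve and has order Q' step."""
    if not 1 < y < P - 1:
        return False
    return pow(y, Q, P) == 1


def shared_secret(peer_public: int, private: int, validate: bool = True) -> int:
    """Compute peer_public ** private mod P, validating the peer value first
    unless validate=False (the vulnerable behaviour)."""
    if validate and not validate_public_value(peer_public):
        raise ValueError("peer public value is not in the prime-order subgroup")
    return pow(peer_public, private, P)


def small_subgroup_attack(victim_private: int) -> int:
    """The attacker sends a low-order element as their public value. The
    victim's 'secret' h**b mod P can only take three values; whichever one the
    victim uses (observable, for example, from a key-confirmation message)
    reveals b mod 3. Returns the recovered residue."""
    h = LOW_ORDER_ELEMENT
    leaked = shared_secret(h, victim_private, validate=False)   # vulnerable peer
    table = {pow(h, k, P): k for k in range(3)}
    return table[leaked]


if __name__ == "__main__":
    b = 5
    print(small_subgroup_attack(b) == b % 3)     # True: attacker learned b mod 3
    try:
        shared_secret(LOW_ORDER_ELEMENT, b)      # validating peer refuses it
    except ValueError as e:
        print("rejected:", e)
```

Repeating the attack with elements of each small prime order and combining the residues (CRT) is how the whole scalar leaks when the cofactor is large; on a curve with cofactor h the equivalent defence is to reject points for which h*Q*point is not the identity, or to clear the cofactor before use.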

CVSS: 5.5 | EPSS: 0% | CPEs: 2 | EXPL: 0

02 Jul 2025 — A flaw was found in Red Hat Advanced Cluster Management through versions 2.10, before 2.10.7, 2.11, before 2.11.4, and 2.12, before 2.12.4. This vulnerability allows an unprivileged user to view confidential managed cluster credentials through the UI. This information should only be accessible to authorized users and may result in the loss of confidentiality of administrative information, which could be leaked to unauthorized actors. • https://access.redhat.com/security/cve/CVE-2025-6017 • CWE-359: Exposure of Private Personal Information to an Unauthorized Actor •

CVSS: 8.2 | EPSS: 0% | CPEs: 3 | EXPL: 0

17 Mar 2025 — A flaw was found in Hive, a component of Multicluster Engine (MCE) and Advanced Cluster Management (ACM). This vulnerability causes VCenter credentials to be exposed in the ClusterProvision object after provisioning a VSphere cluster. Users with read access to ClusterProvision objects can extract sensitive credentials even if they do not have direct access to Kubernetes Secrets. This issue can lead to unauthorized VCenter access, cluster management, and privilege escalation. • https://access.redhat.com/security/cve/CVE-2025-2241 • CWE-922: Insecure Storage of Sensitive Information •

CVSS: 5.5 | EPSS: 1% | CPEs: 45 | EXPL: 0

10 Feb 2025 — A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web applicatio... • https://access.redhat.com/security/cve/CVE-2024-11831 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
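The class of bug described above is easiest to see with a regular expression: if a serializer writes the pattern straight into a `/.../` literal, a `/` in attacker-controlled pattern text closes the literal early and the rest is parsed as JavaScript. The following is an added example, not serialize-javascript's own code: it shows the unsafe literal form beside a form that emits the pattern and flags as string literals to `new RegExp()`, which cannot alter the structure of the surrounding script. The attacker pattern is constructed for the example; the extra `<`, `>` and `&` escaping in `js_string_literal` is there because such output is commonly placed inside an inline `<script>` element.

```python
"""Serializing a regex into JavaScript: literal injection versus string-literal form."""
import json


def js_string_literal(s: str) -> str:
    """JSON-encode s as a JS string literal, additionally escaping characters
    that could terminate an enclosing <script> element. json.dumps with the
    default ensure_ascii=True already escapes U+2028/U+2029 and backslashes."""
    return (json.dumps(s)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def serialize_regex_unsafe(pattern: str, flags: str = "") -> str:
    """Emit /pattern/flags verbatim. A '/' inside pattern closes the literal
    and whatever follows runs as code."""
    return f"/{pattern}/{flags}"


def serialize_regex_safe(pattern: str, flags: str = "") -> str:
    """Emit new RegExp("...", "..."). Both arguments are string literals, so
    pattern text can only ever be regex source, never code."""
    return f"new RegExp({js_string_literal(pattern)}, {js_string_literal(flags)})"


# constructed attacker-controlled pattern: closes /a/, injects a statement,
# and comments out the trailing '/' that the serializer appends
ATTACKER_PATTERN = "a/;alert(1);//"

if __name__ == "__main__":
    print(serialize_regex_unsafe(ATTACKER_PATTERN))   # /a/;alert(1);///
    print(serialize_regex_safe(ATTACKER_PATTERN))     # new RegExp("a/;alert(1);//", "")
```

The same rule applies to every other value type a serializer emits for a browser: anything derived from input goes out as a string literal (or JSON) and is reconstructed on the client, never spliced into code syntax.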

CVSS: 7.5 | EPSS: 0% | CPEs: 2 | EXPL: 0

17 Dec 2024 — A flaw was found in Open Cluster Management (OCM) when a user has access to the worker nodes which contain the cluster-manager or klusterlet deployments. The cluster-manager deployment uses a service account with the same name "cluster-manager" which is bound to a ClusterRole also named "cluster-manager", which includes the permission to create Pod resources. If this deployment runs a pod on an attacker-controlled node, the attacker can obtain the cluster-manager's token and steal any service account token ... • https://access.redhat.com/security/cve/CVE-2024-9779 • CWE-501: Trust Boundary Violation •

CVSS: 8.3 | EPSS: 0% | CPEs: 44 | EXPL: 0

09 May 2024 — A flaw was found in the github.com/containers/image library. This flaw allows attackers to trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks. This upd... • https://access.redhat.com/errata/RHSA-2024:0045 • CWE-354: Improper Validation of Integrity Check Value •

CVSS: 5.3 | EPSS: 0% | CPEs: 7 | EXPL: 0

25 Apr 2024 — A flaw was found in coredns. This issue could lead to invalid cache entries being returned due to incorrectly implemented caching. Red Hat OpenShift Container Platform release 4.15.24 is now available with updates to packages and images that fix several bugs and add enhancements. • https://access.redhat.com/errata/RHSA-2024:0041 • CWE-524: Use of Cache Containing Sensitive Information •