6:["$","$L19",null,{"children":[["$","header",null,{"children":["$","$L1a",null,{"description":"Real-time alerts of vulnerabilities across monitored open-source ecosystems.","href":"/vul","indicators":[{"description":"Debian, PyPI","icon":"layer-group","indicator":"2","title":"Ecosystems covered"},{"description":"From global vulnerability databases","icon":"flag","indicator":"3","title":"Total vulnerabilities tracked"}],"section":"Vulnerabilities"}]}],["$","main",null,{"children":["$","$L1b",null,{"filterAvailability":{"ageRanges":["3m"],"cveOptions":[],"cwes":["CWE-200","CWE-201","CWE-213","CWE-319","CWE-497","CWE-668","CWE-669","CWE-829","CWE-1243"],"detectedOptions":[],"ecosystems":["debian","pypi"],"epssOptions":[],"eventsOptions":[],"exploitOptions":[],"fixOptions":[],"kevOptions":[],"originalSeverities":["high","medium"],"reachabilityOptions":[],"severities":["low","medium"],"typeOptions":["application","environment"],"weaknesses":["017","035","184"]},"vulnerabilitiesPage":{"ecosystemNames":["debian","pypi"],"totalEcosystems":2,"totalPages":1,"totalVulnerabilities":3,"vulnerabilities":[{"adv_id":"CVE-2026-42997","alternative_id":"GHSA-54w4-233h-x86g","created_at":"2026-05-05T21:31:31Z","cve_finding":"F035","cwe_ids":["CWE-669"],"details":"OpenStack Ironic has an Incorrect Resource Transfer Between Spheres\nAn issue was discovered in idrac in OpenStack Ironic before 35.0.1. During import, a user invoking molds can request authorization to be sent to a remote endpoint. The credential forwarded is a time-limited Keystone token (which provides access to all OpenStack services Ironic is authorized for); or basic credentials configured for molds storage. The fixed versions are 26.1.6, 29.0.5, 32.0.1, and 35.0.1.","ecosystem":"pypi","epss":"0.00012","flat_id":"FLAT-X1FG0","has_public_exploit":0,"has_reports":false,"kev_catalog":0,"modified_at":"2026-05-08T23:07:56Z","package_name":"ironic-python-agent","percentile":"0.01713","platform_version":"default","severity":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N","severity_v4":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:U","source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-54w4-233h-x86g/GHSA-54w4-233h-x86g.json","source_severity_v4":null,"vulncheck_reported_exploitation":0,"vulnerable_version":">=33.0.0 <35.0.1 || >=30.0.0 <32.0.1 || >=27.0.0 <29.0.5 || >=0 <26.1.6"},{"adv_id":"CVE-2026-43003","alternative_id":"GHSA-rmxr-45gj-889w","created_at":"2026-05-01T09:30:25Z","cve_finding":"F184","cwe_ids":["CWE-829"],"details":"OpenStack Ironic Python Agent Includes Functionality from Untrusted Control Sphere\nAn issue was discovered in OpenStack ironic-python-agent 1.0.0 through 11.5.0. Ironic Python Agent (IPA) sometimes executes grub-install from within a chroot of the deployed partition image, leading to code execution in the case of a malicious image.","ecosystem":"pypi","epss":"0.0006","flat_id":"FLAT-RDDOK","has_public_exploit":0,"has_reports":false,"kev_catalog":0,"modified_at":"2026-05-07T02:38:57Z","package_name":"ironic-python-agent","percentile":"0.19063","platform_version":"default","severity":"CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H","severity_v4":"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U","source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-rmxr-45gj-889w/GHSA-rmxr-45gj-889w.json","source_severity_v4":null,"vulncheck_reported_exploitation":0,"vulnerable_version":">=1.0.0 <=11.5.0"},{"adv_id":"CVE-2024-44082","alternative_id":null,"created_at":"2024-09-06T01:15:11Z","cve_finding":"F017","cwe_ids":["CWE-1243","CWE-200","CWE-201","CWE-213","CWE-319","CWE-497","CWE-668","CWE-669"],"details":"In OpenStack Ironic before 26.0.1 and ironic-python-agent before 9.13.1, there is a vulnerability in image processing, in which a crafted image could be used by an authenticated user to exploit undesired behaviors in qemu-img, including possible unauthorized access to potentially sensitive data. The affected/fixed version details are: Ironic: <21.4.3, >=22.0.0 <23.0.2, >=23.1.0 <24.1.2, >=25.0.0 <26.0.1; Ironic-python-agent: <9.4.2, >=9.5.0 <9.7.1, >=9.8.0 <9.11.1, >=9.12.0 <9.13.1.","ecosystem":"debian","epss":"0.00274","flat_id":"FLAT-3TQT5","has_public_exploit":0,"has_reports":false,"kev_catalog":0,"modified_at":"2026-04-28T20:28:29Z","package_name":"ironic-python-agent","percentile":"0.50745","platform_version":"13","severity":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","severity_v4":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U","source":"https://osv.dev/vulnerability/DEBIAN-CVE-2024-44082","source_severity_v4":null,"vulncheck_reported_exploitation":0,"vulnerable_version":">=0 <9.14.0-1"}]}}]}]]}]