OpenTofu may accidentally expose sensitive variables in module sources and backend configurations when static evaluation is enabled, even though this should be blocked.
OpenTofu, an infrastructure-as-code tool, is vulnerable to denial-of-service attacks during module installation when maliciously crafted TLS certificates or archives from untrusted sources are used, potentially causing high CPU usage or memory consumption.
OpenTofu incorrectly validates TLS certificates when excluded subdomains and wildcard certificates are combined, allowing attackers with valid but contradictory certificates to potentially establish connections to protected servers.
OpenTofu, an infrastructure-as-code tool, is vulnerable to denial-of-service attacks through maliciously crafted ZIP archives when installing modules or providers, causing high CPU usage.
OpenTofu can be crashed when installing modules from untrusted sources through malicious TLS certificates or tar archives, causing unbounded memory usage or high CPU load.
OpenTofu follows symbolic links in the .terraform/providers directory during provider installation and can write files to arbitrary directories when an attacker controls the working directory.
OpenTofu can enter an infinite loop when installing modules or providers from malicious servers, causing the installation process to hang and depleting system resources.
Keycloak has a vulnerability in its brute force protection where attackers can make more password guessing attempts than configured limits by launching parallel login attempts, making user accounts easier to compromise.
In Keycloak, users with email-like usernames can be locked out by other users when self-registration is enabled in the realm.
Keycloak allows using email addresses as usernames without checking if an account with that email already exists, which can prevent users from logging in or resetting their passwords.
A vulnerability in Keycloak allows administrators to modify LDAP connection settings and redirect configured credentials to a server they control, potentially exposing domain authentication credentials to attackers.
Keycloak's SAML adapters fail to properly change session IDs during login, allowing attackers to hijack existing sessions and impersonate legitimate users after authentication.
A misconfiguration in Keycloak allows attackers to redirect users to arbitrary websites when localhost URLs are configured as valid redirect addresses. This can lead to theft of authorization codes and hijacking of user sessions.
A vulnerability in Keycloak's SAML signature validation allows attackers to create forged authentication responses that bypass security checks, potentially leading to privilege escalation or identity impersonation attacks.
In Keycloak, an expired one-time passcode remains valid twice as long as intended when using FreeOTP, giving attackers a larger time window to compromise accounts.
Keycloak accidentally stores sensitive data like passwords in bytecode during the build process, making this information accessible at runtime and potentially exposing confidential data.
A vulnerability in Keycloak allows attackers to crash the server through complex regular expressions when untrusted data is processed, causing denial of service.
A vulnerability in Keycloak allows privileged users to read sensitive information from Vault files outside the intended context. Attackers need existing high-level access rights to the Keycloak server.
Keycloak version 26 and earlier can be subjected to denial-of-service attacks through manipulated proxy headers that cause the system to perform costly DNS operations, potentially blocking the service.
A vulnerability in Keycloak allows attackers on the local network to impersonate any user or client when mTLS authentication is used through a reverse proxy without pass-through TLS termination.
A vulnerability in Keycloak allows administrators with realm settings permissions to crash the service by inserting newlines into security headers, preventing users from accessing applications that rely on Keycloak for authentication.
Keycloak administrators can access confidential server environment variables and system properties by using special placeholders in configurable URLs, potentially exposing sensitive information.
In Keycloak, a configuration option for encrypted communication between servers doesn't work properly, causing data transmission to occur unencrypted instead of being secured as intended.
Keycloak fails to properly verify Active Directory account status after password resets, potentially allowing users with expired or disabled accounts to still authenticate successfully.
| Item | Vendor | Version | As of |
|---|---|---|---|
| 1Panel | 1Panel-dev | v2.1.13 | 20.05.2026 |
| act | nektos | v0.2.89 | 01.06.2026 |
| AlmaLinux | AlmaLinux OS Foundation | — | — |
| astro | withastro | @astrojs/markdown-satteri@0.2.2 | 03.06.2026 |
| awesome-cheatsheets | LeCoupa | — | — |
| awesome-docker | veggiemonk | v0.8 | 07.08.2015 |