[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2026-49869":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-27T16:38:37.313Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":732,"aliases":733,"duplicate_of":9,"upstream":734,"downstream":735,"duplicates":736,"related":737,"reserved_at":9,"published_at":738,"modified_at":738,"state":739,"summary":740,"references_raw":749,"kevs":755,"epss":756,"epss_history":759,"metrics":767,"affected":771},"CVE-2026-49869","Kestra is an open-source, event-driven orchestration platform. In versions prior to 1.0.45, and in versions 1.1.0 up to but not including 1.3.21, AuthenticationFilter in Kestra OSS uses request.getPath().endsWith(\"/configs\") to exempt the public configuration endpoint from Basic Auth. Because the check is a suffix match rather than an exact path match, any API path whose last segment is configs bypasses authentication entirely. An unauthenticated remote attacker can exploit this to create and execute arbitrary workflows without credentials. Because Kestra ships with script execution plugins (plugin-script-shell, plugin-script-python, etc.) enabled by default, this directly results in unauthenticated Remote Code Execution as root inside the Kestra worker container.  
This vulnerability is fixed in 1.0.45 and 1.3.21.",null,[11,40,76,722],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":18,"capec":19},"CWE-78","Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.","weakness","Stable","Base","High",[20,24,28,32,36],{"id":21,"name":22,"techniques":23},"CAPEC-108","Command Line Execution through SQL Injection",[],{"id":25,"name":26,"techniques":27},"CAPEC-15","Command Delimiters",[],{"id":29,"name":30,"techniques":31},"CAPEC-43","Exploiting Multiple Input Interpretation Layers",[],{"id":33,"name":34,"techniques":35},"CAPEC-6","Argument Injection",[],{"id":37,"name":38,"techniques":39},"CAPEC-88","OS Command Injection",[],{"_key":41,"id":41,"name":42,"description":43,"type":15,"status":44,"abstraction":17,"likelihood_of_exploit":9,"capec":45},"CWE-184","Incomplete List of Disallowed Inputs","The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.","Draft",[46,50,52,56,60,62,64,68,72],{"id":47,"name":48,"techniques":49},"CAPEC-120","Double Encoding",[],{"id":25,"name":26,"techniques":51},[],{"id":53,"name":54,"techniques":55},"CAPEC-182","Flash Injection",[],{"id":57,"name":58,"techniques":59},"CAPEC-3","Using Leading 'Ghost' Character Sequences to Bypass Input Filters",[],{"id":29,"name":30,"techniques":61},[],{"id":33,"name":34,"techniques":63},[],{"id":65,"name":66,"techniques":67},"CAPEC-71","Using Unicode Encoding to Bypass Validation 
Logic",[],{"id":69,"name":70,"techniques":71},"CAPEC-73","User-Controlled Filename",[],{"id":73,"name":74,"techniques":75},"CAPEC-85","AJAX Footprinting",[],{"_key":77,"id":77,"name":78,"description":79,"type":15,"status":44,"abstraction":80,"likelihood_of_exploit":18,"capec":81},"CWE-287","Improper Authentication","When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.","Class",[82,244,323,327,331,335,354,543,605,689],{"id":83,"name":84,"techniques":85},"CAPEC-114","Authentication Abuse",[86],{"id":87,"name":88,"tactics":89,"countermeasures":96},"T1548","Abuse Elevation Control Mechanism",[90,93],{"id":91,"name":92},"TA0030","Defense Evasion",{"id":94,"name":95},"TA0111","Privilege Escalation",[97,102,106,110,114,119,123,127,131,135,139,143,147,151,156,160,165,170,174,178,182,187,191,195,199,203,208,212,216,220,224,228,232,236,240],{"id":98,"name":99,"tactic":100},"D3-CI","Configuration Inventory",{"name":101},"Model",{"id":103,"name":104,"tactic":105},"D3-AM","Access Modeling",{"name":101},{"id":107,"name":108,"tactic":109},"D3-DI","Data Inventory",{"name":101},{"id":111,"name":112,"tactic":113},"D3-NTPM","Network Traffic Policy Mapping",{"name":101},{"id":115,"name":116,"tactic":117},"D3-AEM","Application Exception Monitoring",{"name":118},"Detect",{"id":120,"name":121,"tactic":122},"D3-SCA","System Call Analysis",{"name":118},{"id":124,"name":125,"tactic":126},"D3-SFA","System File Analysis",{"name":118},{"id":128,"name":129,"tactic":130},"D3-FA","File Analysis",{"name":118},{"id":132,"name":133,"tactic":134},"D3-FIM","File Integrity Monitoring",{"name":118},{"id":136,"name":137,"tactic":138},"D3-OPM","Operational Process Monitoring",{"name":118},{"id":140,"name":141,"tactic":142},"D3-DA","Dynamic Analysis",{"name":118},{"id":144,"name":145,"tactic":146},"D3-EFA","Emulated File Analysis",{"name":118},{"id":148,"name":149,"tactic":150},"D3-PSA","Process Spawn 
Analysis",{"name":118},{"id":152,"name":153,"tactic":154},"D3-FEV","File Eviction",{"name":155},"Evict",{"id":157,"name":158,"tactic":159},"D3-AL","Account Locking",{"name":155},{"id":161,"name":162,"tactic":163},"D3-DF","Decoy File",{"name":164},"Deceive",{"id":166,"name":167,"tactic":168},"D3-FE","File Encryption",{"name":169},"Harden",{"id":171,"name":172,"tactic":173},"D3-AA","Agent Authentication",{"name":169},{"id":175,"name":176,"tactic":177},"D3-CDP","Change Default Password",{"name":169},{"id":179,"name":180,"tactic":181},"D3-SCP","System Configuration Permissions",{"name":169},{"id":183,"name":184,"tactic":185},"D3-RC","Restore Configuration",{"name":186},"Restore",{"id":188,"name":189,"tactic":190},"D3-RF","Restore File",{"name":186},{"id":192,"name":193,"tactic":194},"D3-ULA","Unlock Account",{"name":186},{"id":196,"name":197,"tactic":198},"D3-RUAA","Restore User Account Access",{"name":186},{"id":200,"name":201,"tactic":202},"D3-RD","Restore Database",{"name":186},{"id":204,"name":205,"tactic":206},"D3-SCF","System Call Filtering",{"name":207},"Isolate",{"id":209,"name":210,"tactic":211},"D3-CF","Content Filtering",{"name":207},{"id":213,"name":214,"tactic":215},"D3-LFP","Local File Permissions",{"name":207},{"id":217,"name":218,"tactic":219},"D3-RFAM","Remote File Access Mediation",{"name":207},{"id":221,"name":222,"tactic":223},"D3-CQ","Content Quarantine",{"name":207},{"id":225,"name":226,"tactic":227},"D3-CM","Content Modification",{"name":207},{"id":229,"name":230,"tactic":231},"D3-UAP","User Account Permissions",{"name":207},{"id":233,"name":234,"tactic":235},"D3-EAL","Executable Allowlisting",{"name":207},{"id":237,"name":238,"tactic":239},"D3-EDL","Executable Denylisting",{"name":207},{"id":241,"name":242,"tactic":243},"D3-HBPI","Hardware-based Process Isolation",{"name":207},{"id":245,"name":246,"techniques":247},"CAPEC-115","Authentication 
Bypass",[248],{"id":87,"name":88,"tactics":249,"countermeasures":252},[250,251],{"id":91,"name":92},{"id":94,"name":95},[253,255,257,259,261,263,265,267,269,271,273,275,277,279,281,283,285,287,289,291,293,295,297,299,301,303,305,307,309,311,313,315,317,319,321],{"id":98,"name":99,"tactic":254},{"name":101},{"id":103,"name":104,"tactic":256},{"name":101},{"id":107,"name":108,"tactic":258},{"name":101},{"id":111,"name":112,"tactic":260},{"name":101},{"id":115,"name":116,"tactic":262},{"name":118},{"id":120,"name":121,"tactic":264},{"name":118},{"id":124,"name":125,"tactic":266},{"name":118},{"id":128,"name":129,"tactic":268},{"name":118},{"id":132,"name":133,"tactic":270},{"name":118},{"id":136,"name":137,"tactic":272},{"name":118},{"id":140,"name":141,"tactic":274},{"name":118},{"id":144,"name":145,"tactic":276},{"name":118},{"id":148,"name":149,"tactic":278},{"name":118},{"id":152,"name":153,"tactic":280},{"name":155},{"id":157,"name":158,"tactic":282},{"name":155},{"id":161,"name":162,"tactic":284},{"name":164},{"id":166,"name":167,"tactic":286},{"name":169},{"id":171,"name":172,"tactic":288},{"name":169},{"id":175,"name":176,"tactic":290},{"name":169},{"id":179,"name":180,"tactic":292},{"name":169},{"id":183,"name":184,"tactic":294},{"name":186},{"id":188,"name":189,"tactic":296},{"name":186},{"id":192,"name":193,"tactic":298},{"name":186},{"id":196,"name":197,"tactic":300},{"name":186},{"id":200,"name":201,"tactic":302},{"name":186},{"id":204,"name":205,"tactic":304},{"name":207},{"id":209,"name":210,"tactic":306},{"name":207},{"id":213,"name":214,"tactic":308},{"name":207},{"id":217,"name":218,"tactic":310},{"name":207},{"id":221,"name":222,"tactic":312},{"name":207},{"id":225,"name":226,"tactic":314},{"name":207},{"id":229,"name":230,"tactic":316},{"name":207},{"id":233,"name":234,"tactic":318},{"name":207},{"id":237,"name":238,"tactic":320},{"name":207},{"id":241,"name":242,"tactic":322},{"name":207},{"id":324,"name":325,"techniques":326},"CAPEC-151","Identity
 Spoofing",[],{"id":328,"name":329,"techniques":330},"CAPEC-194","Fake the Source of Data",[],{"id":332,"name":333,"techniques":334},"CAPEC-22","Exploiting Trust in Client",[],{"id":336,"name":337,"techniques":338},"CAPEC-57","Utilizing REST's Trust in the System Resource to Obtain Sensitive Data",[339],{"id":340,"name":341,"tactics":342,"countermeasures":349},"T1040","Network Sniffing",[343,346],{"id":344,"name":345},"TA0031","Credential Access",{"id":347,"name":348},"TA0102","Discovery",[350],{"id":351,"name":352,"tactic":353},"D3-DNSTA","DNS Traffic Analysis",{"name":118},{"id":355,"name":356,"techniques":357},"CAPEC-593","Session Hijacking",[358,402,515],{"id":359,"name":360,"tactics":361,"countermeasures":365},"T1185","Browser Session Hijacking",[362],{"id":363,"name":364},"TA0100","Collection",[366,370,374,378,382,386,390,394,398],{"id":367,"name":368,"tactic":369},"D3-UGLPA","User Geolocation Logon Pattern Analysis",{"name":118},{"id":371,"name":372,"tactic":373},"D3-PMAD","Protocol Metadata Anomaly Detection",{"name":118},{"id":375,"name":376,"tactic":377},"D3-CSPP","Client-server Payload Profiling",{"name":118},{"id":379,"name":380,"tactic":381},"D3-PHDURA","Per Host Download-Upload Ratio Analysis",{"name":118},{"id":383,"name":384,"tactic":385},"D3-NTSA","Network Traffic Signature Analysis",{"name":118},{"id":387,"name":388,"tactic":389},"D3-APCA","Application Protocol Command Analysis",{"name":118},{"id":391,"name":392,"tactic":393},"D3-NTCD","Network Traffic Community Deviation",{"name":118},{"id":395,"name":396,"tactic":397},"D3-RTSD","Remote Terminal Session Detection",{"name":118},{"id":399,"name":400,"tactic":401},"D3-NTF","Network Traffic Filtering",{"name":207},{"id":403,"name":404,"tactics":405,"countermeasures":410},"T1550.001","Application Access Token",[406,407],{"id":91,"name":92},{"id":408,"name":409},"TA0109","Lateral 
Movement",[411,415,419,421,425,427,429,431,433,435,437,439,441,445,449,453,457,461,465,469,473,477,481,485,489,493,497,499,501,505,509,513],{"id":412,"name":413,"tactic":414},"D3-PLA","Process Lineage Analysis",{"name":118},{"id":416,"name":417,"tactic":418},"D3-PSMD","Process Self-Modification Detection",{"name":118},{"id":148,"name":149,"tactic":420},{"name":118},{"id":422,"name":423,"tactic":424},"D3-CCSA","Credential Compromise Scope Analysis",{"name":118},{"id":367,"name":368,"tactic":426},{"name":118},{"id":371,"name":372,"tactic":428},{"name":118},{"id":375,"name":376,"tactic":430},{"name":118},{"id":379,"name":380,"tactic":432},{"name":118},{"id":383,"name":384,"tactic":434},{"name":118},{"id":387,"name":388,"tactic":436},{"name":118},{"id":391,"name":392,"tactic":438},{"name":118},{"id":395,"name":396,"tactic":440},{"name":118},{"id":442,"name":443,"tactic":444},"D3-PT","Process Termination",{"name":155},{"id":446,"name":447,"tactic":448},"D3-PS","Process Suspension",{"name":155},{"id":450,"name":451,"tactic":452},"D3-HR","Host Reboot",{"name":155},{"id":454,"name":455,"tactic":456},"D3-HS","Host Shutdown",{"name":155},{"id":458,"name":459,"tactic":460},"D3-CR","Credential Revocation",{"name":155},{"id":462,"name":463,"tactic":464},"D3-ANCI","Authentication Cache Invalidation",{"name":155},{"id":466,"name":467,"tactic":468},"D3-DUC","Decoy User Credential",{"name":164},{"id":470,"name":471,"tactic":472},"D3-CH","Credential Hardening",{"name":169},{"id":474,"name":475,"tactic":476},"D3-MFA","Multi-factor Authentication",{"name":169},{"id":478,"name":479,"tactic":480},"D3-CRO","Credential Rotation",{"name":169},{"id":482,"name":483,"tactic":484},"D3-TB","Token Binding",{"name":169},{"id":486,"name":487,"tactic":488},"D3-TBA","Token-based Authentication",{"name":169},{"id":490,"name":491,"tactic":492},"D3-RIC","Reissue Credential",{"name":186},{"id":494,"name":495,"tactic":496},"D3-KBPI","Kernel-based Process 
Isolation",{"name":207},{"id":204,"name":205,"tactic":498},{"name":207},{"id":241,"name":242,"tactic":500},{"name":207},{"id":502,"name":503,"tactic":504},"D3-ABPI","Application-based Process Isolation",{"name":207},{"id":506,"name":507,"tactic":508},"D3-WSAM","Web Session Access Mediation",{"name":207},{"id":510,"name":511,"tactic":512},"D3-CTS","Credential Transmission Scoping",{"name":207},{"id":399,"name":400,"tactic":514},{"name":207},{"id":516,"name":517,"tactics":518,"countermeasures":520},"T1563","Remote Service Session Hijacking",[519],{"id":408,"name":409},[521,523,525,527,529,531,533,535,537,541],{"id":367,"name":368,"tactic":522},{"name":118},{"id":371,"name":372,"tactic":524},{"name":118},{"id":375,"name":376,"tactic":526},{"name":118},{"id":379,"name":380,"tactic":528},{"name":118},{"id":383,"name":384,"tactic":530},{"name":118},{"id":387,"name":388,"tactic":532},{"name":118},{"id":391,"name":392,"tactic":534},{"name":118},{"id":395,"name":396,"tactic":536},{"name":118},{"id":538,"name":539,"tactic":540},"D3-ST","Session Termination",{"name":155},{"id":399,"name":400,"tactic":542},{"name":207},{"id":544,"name":545,"techniques":546},"CAPEC-633","Token Impersonation",[547],{"id":548,"name":549,"tactics":550,"countermeasures":556},"T1134","Access Token 
Manipulation",[551,552,555],{"id":91,"name":92},{"id":553,"name":554},"TA0005","Stealth",{"id":94,"name":95},[557,559,561,563,565,567,569,571,573,575,577,579,581,583,585,587,589,591,593,595,597,599,601,603],{"id":98,"name":99,"tactic":558},{"name":101},{"id":111,"name":112,"tactic":560},{"name":101},{"id":103,"name":104,"tactic":562},{"name":101},{"id":115,"name":116,"tactic":564},{"name":118},{"id":120,"name":121,"tactic":566},{"name":118},{"id":422,"name":423,"tactic":568},{"name":118},{"id":136,"name":137,"tactic":570},{"name":118},{"id":148,"name":149,"tactic":572},{"name":118},{"id":538,"name":539,"tactic":574},{"name":155},{"id":458,"name":459,"tactic":576},{"name":155},{"id":462,"name":463,"tactic":578},{"name":155},{"id":466,"name":467,"tactic":580},{"name":164},{"id":470,"name":471,"tactic":582},{"name":169},{"id":474,"name":475,"tactic":584},{"name":169},{"id":478,"name":479,"tactic":586},{"name":169},{"id":482,"name":483,"tactic":588},{"name":169},{"id":486,"name":487,"tactic":590},{"name":169},{"id":183,"name":184,"tactic":592},{"name":186},{"id":490,"name":491,"tactic":594},{"name":186},{"id":204,"name":205,"tactic":596},{"name":207},{"id":510,"name":511,"tactic":598},{"name":207},{"id":233,"name":234,"tactic":600},{"name":207},{"id":237,"name":238,"tactic":602},{"name":207},{"id":241,"name":242,"tactic":604},{"name":207},{"id":606,"name":607,"techniques":608},"CAPEC-650","Upload a Web Shell to a Web Server",[609],{"id":610,"name":611,"tactics":612,"countermeasures":616},"T1505.003","Web Shell",[613],{"id":614,"name":615},"TA0110","Persistence",[617,621,625,629,633,635,637,639,641,643,645,647,649,651,653,655,657,659,661,665,667,669,671,673,675,677,679,681,683,685,687],{"id":618,"name":619,"tactic":620},"D3-NNI","Network Node Inventory",{"name":101},{"id":622,"name":623,"tactic":624},"D3-PLM","Physical Link Mapping",{"name":101},{"id":626,"name":627,"tactic":628},"D3-LLM","Logical Link 
Mapping",{"name":101},{"id":630,"name":631,"tactic":632},"D3-EHB","Endpoint Health Beacon",{"name":118},{"id":128,"name":129,"tactic":634},{"name":118},{"id":132,"name":133,"tactic":636},{"name":118},{"id":140,"name":141,"tactic":638},{"name":118},{"id":144,"name":145,"tactic":640},{"name":118},{"id":412,"name":413,"tactic":642},{"name":118},{"id":416,"name":417,"tactic":644},{"name":118},{"id":148,"name":149,"tactic":646},{"name":118},{"id":152,"name":153,"tactic":648},{"name":155},{"id":442,"name":443,"tactic":650},{"name":155},{"id":446,"name":447,"tactic":652},{"name":155},{"id":450,"name":451,"tactic":654},{"name":155},{"id":454,"name":455,"tactic":656},{"name":155},{"id":161,"name":162,"tactic":658},{"name":164},{"id":166,"name":167,"tactic":660},{"name":169},{"id":662,"name":663,"tactic":664},"D3-RNA","Restore Network Access",{"name":186},{"id":188,"name":189,"tactic":666},{"name":186},{"id":209,"name":210,"tactic":668},{"name":207},{"id":213,"name":214,"tactic":670},{"name":207},{"id":217,"name":218,"tactic":672},{"name":207},{"id":221,"name":222,"tactic":674},{"name":207},{"id":225,"name":226,"tactic":676},{"name":207},{"id":233,"name":234,"tactic":678},{"name":207},{"id":237,"name":238,"tactic":680},{"name":207},{"id":494,"name":495,"tactic":682},{"name":207},{"id":204,"name":205,"tactic":684},{"name":207},{"id":241,"name":242,"tactic":686},{"name":207},{"id":502,"name":503,"tactic":688},{"name":207},{"id":690,"name":691,"techniques":692},"CAPEC-94","Adversary in the Middle 
(AiTM)",[693],{"id":694,"name":695,"tactics":696,"countermeasures":699},"T1557","Adversary-in-the-Middle",[697,698],{"id":344,"name":345},{"id":363,"name":364},[700,702,704,706,708,710,712,714,716,720],{"id":367,"name":368,"tactic":701},{"name":118},{"id":371,"name":372,"tactic":703},{"name":118},{"id":375,"name":376,"tactic":705},{"name":118},{"id":379,"name":380,"tactic":707},{"name":118},{"id":383,"name":384,"tactic":709},{"name":118},{"id":387,"name":388,"tactic":711},{"name":118},{"id":391,"name":392,"tactic":713},{"name":118},{"id":395,"name":396,"tactic":715},{"name":118},{"id":717,"name":718,"tactic":719},"D3-CAA","Connection Attempt Analysis",{"name":118},{"id":399,"name":400,"tactic":721},{"name":207},{"_key":723,"id":723,"name":724,"description":725,"type":15,"status":726,"abstraction":17,"likelihood_of_exploit":9,"capec":727},"CWE-918","Server-Side Request Forgery (SSRF)","The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.","Incomplete",[728],{"id":729,"name":730,"techniques":731},"CAPEC-664","Server Side Request Forgery",[],[],[],[],[],[],[],"2026-06-26T20:58:19.576Z","PUBLISHED",{"cisa_kev":741,"cisa_ransomware":741,"cisa_vendor":9,"epss_severity":742,"epss_score":743,"severity":744,"severity_score":745,"severity_version":746,"severity_source":747,"severity_vector":748,"severity_status":739},false,"low",0.00362,"critical",10,"v3.1","cve.org","CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",[750],{"url":751,"sources":752,"tags":753},"https://github.com/kestra-io/kestra/security/advisories/GHSA-5vc5-wxxq-3fjx",[747],[754],"X Refsource 
CONFIRM",[],{"date":757,"score":743,"percentile":758},"2026-06-14",0.58803,[760,763,766],{"date":761,"score":743,"percentile":762},"2026-06-12",0.58799,{"date":764,"score":743,"percentile":765},"2026-06-13",0.58814,{"date":757,"score":743,"percentile":758},[768],{"source":747,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":769,"cvss_v4_0":9},{"baseScore":745,"baseSeverity":770,"vectorString":748,"impactScore":745,"exploitabilityScore":745},"CRITICAL",[772],{"ecosystem":9,"name":773,"vendor":774,"product":773,"cpe_part":775,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":776},"kestra","kestra-io","a",[777,782],{"version":778,"is_range":779,"range_type":747,"version_start":9,"version_start_type":9,"version_end":780,"version_end_type":781,"fixed_in":9},"\u003C 1.0.45",true,"1.0.45","excluding",{"version":783,"is_range":779,"range_type":747,"version_start":784,"version_start_type":785,"version_end":786,"version_end_type":781,"fixed_in":9},">= 1.1.0, \u003C 1.3.21","1.1.0","including","1.3.21"]