Deploy autonomous AI agents that reason, exploit, and validate complex vulnerability chains — not another scanner, an agentic system that thinks like a senior pentester.
CVE-2026-55882 is a low severity vulnerability with a CVSS score of 0.0. No known exploits currently, and patches are available.
Very low probability of exploitation
EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.
The Tilt HUD server mounts Go's net/http/pprof handlers under /debug with no access control. When the HUD is network-exposed, an attacker can read process memory — including session and apiserver tokens — and hold the process under profiling.
A blank import of net/http/pprof registers its handlers on http.DefaultServeMux, which the HUD controller mounts under /debug on both the web router and the apiserver listener. /debug/pprof/heap and /goroutine expose process memory, including the session token (also issued in the Tilt-Token cookie) and the apiserver loopback bearer token; /profile and /trace let a caller sample the process for an arbitrary duration.
An unauthenticated caller who can reach the listener can extract process memory — including the session and apiserver tokens — and degrade performance by holding the process under CPU profiling or tracing. The leaked tokens compound the missing-authentication finding on the same server.
>= 0.19.5, <= 0.37.3.tilt up --host 0.0.0.0, or TILT_HOST set).10350).Use the default loopback bind (omit --host, unset TILT_HOST) so /debug is not remotely reachable. No complete workaround short of upgrading for non-loopback deployments.
Please cite this page when referencing data from Strobes VI. Proper attribution helps support our vulnerability intelligence research.