Lucene search
+L

9765 matches found

osv
osv
added 2026/07/08 9:30 p.m.4 views

CVE-2026-55878 Symfony: Path Traversal in symfony/ux-toolkit Allows Arbitrary File Write and Read via Crafted Recipe Manifest

Symfony UX is a JavaScript ecosystem for Symfony. From 2.32.0 before 2.36.1 and from 3.0.0 before 3.2.0, the ux:install console command installs files from a recipe kit by copying paths listed in a copy-files map, and because Path::isRelative accepts paths like ../../../etc, a crafted or...

7.8CVSS6.2AI score0.00146EPSS
Exploits0References6
osv
osv
added 2026/07/08 8:16 p.m.3 views

DEBIAN-CVE-2026-59946

Composer is a dependency Manager for the PHP language. Prior to 2.2.29 and 2.10.2, a Composer package bin entry containing .. path segments can resolve outside the package install directory and cause Composer's binary installation flow to chmod an existing host file to a world-readable and...

6.1CVSS6.1AI score0.00136EPSS
Exploits0References1
nvd
nvd
added 2026/07/08 8:16 p.m.7 views

CVE-2026-59946

Composer is a dependency Manager for the PHP language. Prior to 2.2.29 and 2.10.2, a Composer package bin entry containing .. path segments can resolve outside the package install directory and cause Composer's binary installation flow to chmod an existing host file to a world-readable and...

6.1CVSS0.00136EPSS
Exploits0References5
cve
cve
added 2026/07/08 7:33 p.m.11 views

CVE-2026-59948

CVE-2026-59948 affects Composer (PHP dependency manager). A malicious package from an untrusted repo (not Packagist.org/Private Packagist) with an invalid name could cause install/update to write attacker-controlled files outside the vendor directory and project. Root cause: failure to validate t...

7CVSS6AI score0.00132EPSS
Exploits0References5
osv
osv
added 2026/07/08 6:51 p.m.3 views

MAL-2026-7024 Malicious code in none123s (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c28e7ef260830adb9561488c487960b12e00bd6939daf8ed8e3a239ec9530699 package.json declares a prepare lifecycle script node index.js || true that auto-executes on npm install. index.js reads canonical installer-secret...

6.1AI score
Exploits0References18
ossf
ossf
added 2026/07/08 5:31 p.m.10 views

Malicious code in crypto-promiser (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 25594e7865a7525aebefd2f1fcc8060f144bf202b1986875e1cfd95564f66e88 [email protected] is a typosquat of the legitimate crypto-promise package that ships a dropper in its lifecycle scripts. The declared postinstall...

6.6AI score
Exploits0References3
ossf
ossf
added 2026/07/08 4:27 p.m.12 views

Malicious code in searchresults (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c7d5453a0b1576ed8880071cda901607e79f25378700d3f999ab2c9715e00635 [email protected] is a high-version dependency-confusion squat on the generic name 'searchresults'. package.json declares preinstall and...

6.4AI score
Exploits0References2
cvelist
cvelist
added 2026/07/08 1:48 p.m.33 views

CVE-2026-56284 Capgo - Unauthenticated Metrics Disclosure via get_total_metrics RPC

Capgo Cap-go/capgo before 12.128.2 contains an information disclosure vulnerability in the Supabase PostgREST RPC function public.gettotalmetricsorgid, which is callable by the anon role using only the public sbpublishable key. An unauthenticated attacker can probe organization existence and leak...

6.9CVSS0.00214EPSS
Exploits0References2
nvd
nvd
added 2026/07/08 6:16 a.m.10 views

CVE-2026-12153

The WP Learn Manager plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.8. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to install and activat...

9.8CVSS0.00364EPSS
Exploits0References5
euvd
euvd
added 2026/07/08 4:38 a.m.6 views

EUVD-2026-42166

Incorrect default permissions issue exists in Pupsman versions prior to 3.9.0. An attacker can place a malicious executable in the installation folder, which results in arbitrary code execution with SYSTEM privilege...

8.5CVSS6.5AI score0.0011EPSS
Exploits0References2
cve
cve
added 2026/07/08 4:38 a.m.17 views

CVE-2026-57895

Pupsman before 3.9.0 has an incorrect default-permissions issue that allows an attacker to drop a malicious executable into the installation folder, enabling arbitrary code execution with SYSTEM privileges. Affected software: Pupsman, versions prior to 3.9.0. Root cause: default permissions misco...

8.5CVSS7.6AI score0.0011EPSS
Exploits0References2
ptsecurity
ptsecurity
added 2026/07/08 12:0 a.m.10 views

PT-2026-56549

Name of the Vulnerable Software and Affected Versions Composer versions prior to 2.2.29 Composer versions prior to 2.10.2 Description A flaw in the binary installation flow allows a package bin entry containing .. path segments to resolve outside the package installation directory. This can lead ...

6.1CVSS6.2AI score0.00136EPSS
Exploits0References11
ptsecurity
ptsecurity
added 2026/07/08 12:0 a.m.8 views

PT-2026-56551

Name of the Vulnerable Software and Affected Versions Composer versions prior to 2.2.29 Composer versions prior to 2.10.2 Description Composer, a dependency manager for the PHP language, fails to correctly validate package names from untrusted repositories other than Packagist.org or Private...

7CVSS6.1AI score0.00132EPSS
Exploits0References12
nvd
nvd
added 2026/07/07 7:16 p.m.10 views

CVE-2026-59800

9Router before 0.4.44 contains an OS command injection vulnerability in the unauthenticated POST /api/tunnel/tailscale-install endpoint this route is not covered by the dashboard middleware matcher, so no authorization check is applied. The sudoPassword field from the request body is written to t...

9.8CVSS0.01372EPSS
Exploits0References2
euvd
euvd
added 2026/07/07 6:19 p.m.5 views

EUVD-2026-42073

9Router before 0.4.44 contains an OS command injection vulnerability in the unauthenticated POST /api/tunnel/tailscale-install endpoint this route is not covered by the dashboard middleware matcher, so no authorization check is applied. The sudoPassword field from the request body is written to t...

9.8CVSS6.3AI score0.01372EPSS
Exploits0References2
attackerkb
attackerkb
added 2026/07/07 6:19 p.m.7 views

CVE-2026-59800

9Router before 0.4.44 contains an OS command injection vulnerability in the unauthenticated POST /api/tunnel/tailscale-install endpoint this route is not covered by the dashboard middleware matcher, so no authorization check is applied. The sudoPassword field from the request body is written to t...

9.8CVSS6.3AI score0.01372EPSS
Exploits0References3
osv
osv
added 2026/07/07 6:19 p.m.9 views

CVE-2026-59800 9Router < 0.4.44 - OS Command Injection via sudoPassword Parameter in Tailscale Install Endpoint

9Router before 0.4.44 contains an OS command injection vulnerability in the unauthenticated POST /api/tunnel/tailscale-install endpoint this route is not covered by the dashboard middleware matcher, so no authorization check is applied. The sudoPassword field from the request body is written to t...

9.2CVSS6.3AI score0.01372EPSS
Exploits0References5
cve
cve
added 2026/07/07 6:19 p.m.25 views

CVE-2026-59800

The CVE-2026-59800 entry describes an OS command injection in 9Router

9.8CVSS6.3AI score0.01372EPSS
Exploits0References2
redhat
redhat
added 2026/07/07 4:54 p.m.8 views

Important: Red Hat Security Advisory: python3.14-pip security update

An update for python3.14-pip is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability...

8CVSS7.3AI score0.0032EPSS
Exploits0References2
cve
cve
added 2026/07/07 6:0 a.m.15 views

CVE-2026-4375

The CVE-2026-4375 entries describe an unauthenticated Remote Code Execution affecting WordPress plugins DoLeads Integrator &lt;= 1.2.2 and wp2epub

9CVSS5.9AI score0.00248EPSS
Exploits0References1
Rows per page
Query Builder