Lucene search
+L

31258 matches found

EUVD
EUVD
added 3 hours ago3 views

EUVD-2026-45437

In the Linux kernel, the following vulnerability has been resolved: selinux: fix avdcache auditing The per-task avdcache was incorrectly saving and reusing the audited vector computed by avcauditrequired rather than recomputing based on the currently requested permissions and distinguishing the...

5.4AI score
Exploits0References3
NVD
NVD
added yesterday8 views

CVE-2024-58356

SurrealDB before 2.1.4 silently fails to overwrite table definitions when the DEFINE TABLE ... OVERWRITE clause is used on tables defined with TYPE RELATION. Because table definitions include the PERMISSIONS clause, an attempt to tighten a table's permissions via OVERWRITE does not take effect, a...

2.3CVSS
Exploits0References2
EUVD
EUVD
added yesterday7 views

EUVD-2025-210488

SurrealDB before 2.0.5, 2.1.x before 2.1.5, and 2.2.x before 2.2.2 allows authenticated users with OWNER or EDITOR permissions at the root, namespace, or database level to define custom database functions via DEFINE FUNCTION using nested FOR loops. Although a single loop's iteration count is...

7.1CVSS5.4AI score
Exploits0References2
Cvelist
Cvelist
added yesterday18 views

CVE-2024-58356 SurrealDB before 2.1.4 Permission Bypass via DEFINE TABLE OVERWRITE

SurrealDB before 2.1.4 silently fails to overwrite table definitions when the DEFINE TABLE ... OVERWRITE clause is used on tables defined with TYPE RELATION. Because table definitions include the PERMISSIONS clause, an attempt to tighten a table's permissions via OVERWRITE does not take effect, a...

2.3CVSS
Exploits0References2
CVE
CVE
added yesterday8 views

CVE-2024-58356

SurrealDB prior to version 2.1.4 is affected by a permission-bypass issue. When using DEFINE TABLE ... OVERWRITE on tables defined with TYPE RELATION, the PERMISSIONS clause is not applied, so tightened permissions may not take effect and an authorized client could continue to access data. Affect...

2.3CVSS5.3AI score
Exploits0References2
Nuclei
Nuclei
added yesterday101 views

JumpServer > 3.6.4 - Information Disclosure

JumpServer is an open source bastion host and a professional operation and maintenance security audit system. Starting in version 3.0.0 and prior to versions 3.5.5 and 3.6.4, session replays can download without authentication. Session replays stored in S3, OSS, or other cloud storage are not...

8.2CVSS6.7AI score0.55861EPSS
Exploits5References5
CVE
CVE
added 2 days ago25 views

CVE-2026-54244

Statamic CMS suffers an Incorrect Authorization issue in the Live Preview feature. Before versions 5.74.0 and 6.20.3, the Live Preview endpoint in src/Http/Controllers/CP/PreviewController.php only checked view permissions and could render caller-supplied field values. A Control Panel user with v...

3.5CVSS5.3AI score0.00303EPSS
Exploits0References5
Cvelist
Cvelist
added 2 days ago28 views

CVE-2026-54244 Statamic: Incorrect authorization lets view-only users submit Live Preview content reserved for editors

Statamic is a Laravel and Git powered content management system CMS. Prior to 5.74.0 and 6.20.3, the Live Preview endpoint for existing entries and terms in src/Http/Controllers/CP/PreviewController.php only checked view authorization, but it accepts and renders caller-supplied field values. A...

3.5CVSS0.00303EPSS
Exploits0References5
NVD
NVD
added 2 days ago5 views

CVE-2026-45703

Pimcore is an Open Source Data & Experience Management Platform. Prior to 11.5.17 LTS and 12.3.7, the WordExport export flow in bundles/WordExportBundle/src/Controller/TranslationController.php only checks the wordexport feature permission and directly resolves attacker-controlled type/id input...

6.4CVSS0.00187EPSS
Exploits0References2
CVE
CVE
added 2 days ago23 views

CVE-2026-44739

CVE-2026-44739 (Pimcore) : SQL injection in the columnConfigAction flow of CustomReportsBundle enables an attacker with the reports_config permission to inject and execute arbitrary SELECT/UNION queries and leverage error-based exfiltration. Affected versions are prior to 11.5.17 (LTS) and 12.3.6...

8.7CVSS5.8AI score0.00279EPSS
Exploits0References4
Cvelist
Cvelist
added 2 days ago35 views

CVE-2026-44739 Pimcore: SQL Injection in Custom Reports Column Configuration

Pimcore is an Open Source Data & Experience Management Platform. Prior to 11.5.17 LTS and 12.3.6, the columnConfigAction endpoint in bundles/CustomReportsBundle/src/Controller/Reports/CustomReportController.php passes malicious SQL configuration through CustomReportController:columnConfigAction,...

8.7CVSS0.00279EPSS
Exploits0References4
CVE
CVE
added 2 days ago33 views

CVE-2026-45260

Pimcore WebDAV MOVE vulnerability (CVE-2026-45260) enables remote asset deletion/overwrite due to missing authentication in the WebDAV controller and Tree::move() path. The WebDAV endpoint at /asset/webdav{path} proceeds to mutate assets before validating the current user or permissions, and Asse...

8.1CVSS5.3AI score0.00427EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2 days ago9 views

Gitea has insufficient permission checks for Composer package source links

CVE Description Gitea versions up to and including 1.26.1 have insufficient permission checks for Composer package source links, which can expose private or internal package source information. Summary A critical vulnerability has been discovered in Gitea. It was already reported via...

8.2CVSS7.7AI score0.40738EPSS
Exploits1References6Affected Software1
Cvelist
Cvelist
added 2 days ago34 views

CVE-2026-48010 Shopware: Privilege escalation: non-admin user with user:create ACL can create admin accounts

Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, UserController::upsertUser in src/Core/Framework/Api/Controller/UserController.php writes raw user data in SYSTEMSCOPE without filtering the admin field, so a non-admin API user with user:create or user:update ACL permission...

6.5CVSS0.00264EPSS
Exploits0References5
OSV
OSV
added 2 days ago2 views

CVE-2026-48010 Shopware: Privilege escalation: non-admin user with user:create ACL can create admin accounts

Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, UserController::upsertUser in src/Core/Framework/Api/Controller/UserController.php writes raw user data in SYSTEMSCOPE without filtering the admin field, so a non-admin API user with user:create or user:update ACL permission...

6.5CVSS5.3AI score0.00264EPSS
Exploits0References7
NVD
NVD
added 2 days ago8 views

CVE-2026-62234

Grav before 2.0.4 fails to restrict cURL protocols in webhook dispatch, allowing authenticated users with api.webhooks.write permission to create webhooks with file://, dict://, or gopher:// URLs. Attackers can trigger webhook events to read local files, access process information, or pivot to...

8.4CVSS0.00297EPSS
Exploits0References2
EUVD
EUVD
added 2 days ago8 views

EUVD-2026-45080

Grav before 2.0.4 fails to restrict cURL protocols in webhook dispatch, allowing authenticated users with api.webhooks.write permission to create webhooks with file://, dict://, or gopher:// URLs. Attackers can trigger webhook events to read local files, access process information, or pivot to...

8.4CVSS6.1AI score0.00297EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2 days ago9 views

PT-2026-60807

SurrealDB before 3.1.5 fail to apply field-level SELECT permissions to ORDER BY clauses, allowing authenticated users to leak the relative ordering of restricted field values. Attackers can issue ORDER BY queries on indexed restricted fields to recover the hidden values' sort order across records...

5.3CVSS5.2AI score0.00193EPSS
Exploits0References3
NVD
NVD
added 3 days ago6 views

CVE-2026-43978

wger is a free, open-source workout and fitness manager. In versions prior to 2.6, a gym trainer can escalate their session to any higher-privileged account gym manager, general manager by chaining two calls to the trainer-login endpoint. Once a trainer performs a legitimate switch into a...

8.1CVSS0.00213EPSS
Exploits0References1
OSV
OSV
added 3 days ago5 views

CVE-2026-43977 wger IDOR: Authenticated Users Can Read Others' Private Workout Session Data via Template Routine API

wger is a free, open-source workout and fitness manager. In versions prior to 2.6, any authenticated user can read another user's private workout session notes, exercise history, and training statistics by calling the /logs/ and /stats/ actions on a routine they do not own. The vulnerability exis...

7.5CVSS5.4AI score0.00232EPSS
Exploits0References3
Rows per page
Query Builder