CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

ATTACKERKB•added 2026/05/29 5:10 p.m.•7 views

CVE-2026-45625

Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.0, Arcane's huma-based REST API exposes nine endpoints under /api/customize/git-repositories and /api/git-repositories/sync for managing GitOps source repositories and their stored credentials. Eig...

Exploits0References2Affected Software1

Vulnrichment•added 2026/05/29 5:10 p.m.•8 views

CVE-2026-45625 Arcane: Missing admin authorization on git repository endpoints allows non-admin users to exfiltrate stored Git credentials and tamper with GitOps configs

EUVD•added 2026/05/29 5:10 p.m.•8 views

EUVD-2026-33373

CVE•added 2026/05/29 5:10 p.m.•19 views

CVE-2026-45625

CVE-2026-45625 (Arcane) : The huma-based REST API exposes nine endpoints under /api/customize/git-repositories and /api/git-repositories/sync without admin enforcement. Eight endpoints bypass checkAdmin(ctx), allowing any authenticated user (default role: user) to list, create, modify, delete, an...

CVE•added 2026/05/29 4:58 p.m.•16 views

CVE-2026-5768

CVE-2026-5768 concerns the Frontier X2 device and Frontier X mobile app, where unauthenticated BLE read/write access to critical GATT characteristics enables attackers within BLE range to control device functions, trigger vibrations, cause DoS, and forge health telemetry by impersonating devices ...

8.8CVSS5.8AI score0.00438EPSS

Exploits0References3

EUVD•added 2026/05/29 4:53 p.m.•7 views

EUVD-2026-33367

Neotoma provides versioned records that persist across agent runs. From 0.6.0 to before 0.11.1, Neotoma can treat public reverse-proxied requests as local when the app receives them over a loopback socket and no Bearer token is present. In affected deployments, the REST auth middleware can resolv...

6.9CVSS5.8AI score0.00249EPSS

Rapid7 Blog•added 2026/05/29 4:49 p.m.•186 views

Rapid7 Observed Exploitation of PAN-OS GlobalProtect Authentication Bypass Vulnerability (CVE-2026-0257)

Overview On May 13, 2026, Palo Alto Networks published a security advisory for CVE-2026-0257, a medium severity authentication bypass affecting PAN-OS and Prisma Access when a specific configuration is present. Successful exploitation of this vulnerability allows a remote unauthenticated attacker...

9.1CVSS6.2AI score0.18583EPSS

Exploits9

OSV•added 2026/05/29 4:36 p.m.•3 views

OPENSUSE-SU-2026:20847-1 Security update for postgresql-jdbc

This update for postgresql-jdbc fixes the following issue - CVE-2026-42198: Client-side Denial of Service via malicious SCRAM-SHA-256 authentication bsc1264174...

7.5CVSS7.1AI score0.00445EPSS

OSV•added 2026/05/29 4:3 p.m.•10 views

RLSA-2026:19149 Important: dovecot security update

Dovecot is an IMAP server for Linux and other UNIX-like systems, written primarily with security in mind. It also contains a small POP3 server, and supports e-mail in either the maildir or mbox format. The SQL drivers and authentication plug-ins are provided as subpackages. Security Fixes: doveco...

7.5CVSS5.9AI score0.00456EPSS

Exploits2References4

Vulnrichment•added 2026/05/29 3:12 p.m.•9 views

CVE-2026-33384 Session Fixation in QuickCMS

QuickCMS allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session. This issue was fixed in a patch to version...

Cvelist•added 2026/05/29 3:12 p.m.•28 views

CVE-2026-33384 Session Fixation in QuickCMS

4.8CVSS0.00154EPSS

EUVD•added 2026/05/29 3:12 p.m.•8 views

EUVD-2026-33338

CVE•added 2026/05/29 3:12 p.m.•11 views

CVE-2026-33384

CVE-2026-33384 affects QuickCMS. The issue allows a user’s session identifier to be set before authentication and persist after login, enabling session hijacking of a victim. A patch in QuickCMS version 6.8 (published 15 May 2026) fixes the vulnerability; deployments not yet updated remain vulner...

ATTACKERKB•added 2026/05/29 3:12 p.m.•7 views

CVE-2026-33384

GithubExploit•added 2026/05/29 2:35 p.m.•78 views

Exploits0References3

Exploit for CVE-2026-42568

CVE-2026-42568 — YAMCS LDAP Injection in LdapAuthModule Su...

5.9AI score0.01009EPSS

Exploits3

NVD•added 2026/05/29 2:16 p.m.•14 views

CVE-2026-45610

WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a cross-site request forgery vulnerability on the 2FA toggle. plugin/LoginControl/set.json.php accepts POST type=set2FA value=false, calls LoginControl::setUser2FAUser::getId, false on the session-authenticated user, and...

6.5CVSS0.0011EPSS

NVD•added 2026/05/29 2:16 p.m.•14 views

CVE-2026-44238

FreePBX is an open source IP PBX. Prior to 16.0.50 and 17.0.11, the CDR Reports module page allows SQL injection through the order and sort POST parameters. Authentication with a FreePBX Administration Control Panel account that has CDR section access is required. Full administrator privileges ar...

8.8CVSS0.00289EPSS

Snyk•added 2026/05/29 2:7 p.m.•3 views

Cross-site Scripting (XSS)

Overview @haxtheweb/haxcms-nodejs is a HAXcms nodejs backend Affected versions of this package are vulnerable to Cross-site Scripting XSS via the saveNode endpoint due to insufficient sanitization of the node.body parameter, allowing event handler attributes without whitespace to bypass the HTML...

8.7CVSS5.4AI score0.00228EPSS