CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Improper Authentication

Overview Affected versions of this package are vulnerable to Improper Authentication via the windowsMDMManagement endpoint. An attacker can gain unauthorized access to management functionality by bypassing authentication mechanisms. Remediation Upgrade github.com/fleetdm/fleet/server/mock to...

Snyk•added 2026/05/26 10:48 p.m.•4 views

Improper Authentication

Improper Authentication

Snyk•added 2026/05/26 10:48 p.m.•4 views

Improper Authentication

Snyk•added 2026/05/26 10:48 p.m.•4 views

Improper Authentication

Improper Authentication

Snyk•added 2026/05/26 10:48 p.m.•6 views

Improper Authentication

Improper Authentication

Improper Authentication

Cvelist•added 2026/05/26 10:1 p.m.•33 views

CVE-2026-45298 Dozzle: Pre-auth SSRF with response-body reflection via POST /api/notifications/test-webhook (default no-auth deploy)

Dozzle is a realtime log viewer for docker containers. Prior to 10.5.2, in a default dozzle deploy the documented quickstart, no DOZZLEAUTHPROVIDER set, POST /api/notifications/test-webhook is reachable without authentication and forwards an attacker-controlled URL into a WebhookDispatcher that...

8.6CVSS0.01285EPSS

Exploits1References2

IBM Security Bulletins•added 2026/05/26 9:30 p.m.•10 views

Security Bulletin: Authentication bypass vulnerability found in Aspera High-Speed Transfer Server for Cloud Pak for Integration (CP4I)

Summary IBM Aspera High-Speed Transfer Server for Cloud Pak for Integration CP4I 1.5.20 has addressed an authentication vulnerability that may allow access to files in the local server storage. Vulnerability Details CVEID:CVE-2026-7876 DESCRIPTION: IBM Aspera High-Speed Transfer Server for CP4i i...

9.1CVSS5.8AI score0.00284EPSS

Exploits0Affected Software1

NVD•added 2026/05/26 9:16 p.m.•14 views

CVE-2026-44847

MaxKB is an open-source AI assistant for enterprise. Prior to 2.9.0, MaxKB's webhook trigger endpoint /api/trigger/v1/webhook/triggerid is accessible without authentication. The WebhookAuth class unconditionally returns None, , which Django REST Framework interprets as successful authentication...

7.5CVSS0.00264EPSS

Exploits0References2

NVD•added 2026/05/26 9:16 p.m.•15 views

CVE-2026-44450

Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the MCP server creation endpoint validates the command field against an allowlist of binary names but forwards the args array to the child process without any validation. Every binary on the allowlist accepts an inline-code executi...

9.9CVSS0.00377EPSS

CVE•added 2026/05/26 9:8 p.m.•29 views

CVE-2026-44895

CVE-2026-44895 (GitLab MCP Server SSE transport) has concrete technical details in the connected documents. The MCP server’s SSE HTTP transport (USE_SSE=true) ships with no authentication and sets Access-Control-Allow-Origin: * on all responses, exposing a stateful RPC endpoint backed by the oper...

9.2CVSS5.8AI score0.00392EPSS

Cvelist•added 2026/05/26 9:8 p.m.•32 views

CVE-2026-44895 GitLab MCP Server: SSE transport has no authentication and wildcard CORS, exposing all GitLab tools

GitLab MCP Server lets an AI agent talk directly to GitLab. Prior to 0.6.0, the HTTP transport in src/transport.ts ships with no authentication layer at all and a wildcard Access-Control-Allow-Origin: on every response. The structural defect is that the SSE server stands up a stateful,...

9.2CVSS0.00392EPSS

Vulnrichment•added 2026/05/26 9:8 p.m.•10 views

CVE-2026-44895 GitLab MCP Server: SSE transport has no authentication and wildcard CORS, exposing all GitLab tools

9.2CVSS5.8AI score0.00392EPSS