Lucene search
+L

2862606 matches found

Packet Storm News
Packet Storm News
added 2026/09/10 12:0 a.m.223 views

IServ Schoolserver User Enumeration

IServ Schoolserver suffers from a user enumeration vulnerability. The vendor does not feel this is an issue...

5.8AI score
Exploits0
NVD
NVD
added 1 hour ago2 views

CVE-2025-71396

SurrealDB before 2.0.5, 2.1.x before 2.1.5, and 2.2.x before 2.2.2 does not enforce a default execution-time limit on embedded JavaScript scripting functions when the scripting capability is explicitly enabled via --allow-scripting or --allow-all. An authenticated attacker can submit long-running...

2.3CVSS
Exploits0References2
NVD
NVD
added 1 hour ago3 views

CVE-2024-58367

SurrealDB versions before 2.0.4 fail to properly enforce field permissions during SELECT, UPDATE, and DELETE operations, allowing authorized users to access unauthorized field values through various query techniques. Attackers can exploit SELECT VALUE operations, field aliasing, function argument...

7.1CVSS
Exploits0References2
NVD
NVD
added 1 hour ago2 views

CVE-2024-58364

SurrealDB versions before 1.2.1 contain an uncaught exception handling vulnerability in span rendering when parsing queries with errors on line terminator characters. Authorized clients can submit malformed queries that trigger a panic in the span rendering code, crashing the server and causing...

7.1CVSS
Exploits0References2
Cvelist
Cvelist
added 1 hour ago8 views

CVE-2026-16120 nextlevelbuilder GoClaw exec_approval.go extractBin name resolution

A vulnerability was determined in nextlevelbuilder GoClaw up to 3.13.3-beta.3. This impacts the function matchesAllowlist/extractBin of the file internal/tools/execapproval.go. Executing a manipulation can lead to incorrectly-resolved name. The attack may be performed from remote. The exploit has...

6.5CVSS
Exploits0References7
Cvelist
Cvelist
added 2 hours ago6 views

CVE-2025-71395 SurrealDB before 2.2.2 Memory Exhaustion via string::replace

SurrealDB versions before 2.2.2 contain a memory exhaustion vulnerability in the string::replace function that fails to restrict resulting string length when using regex patterns. An authenticated attacker can craft a malicious query to exhaust server memory through unbounded string allocations,...

7.1CVSS
Exploits0References2
CVE
CVE
added 2 hours ago4 views

CVE-2025-71392

SurrealDB before 2.0.5, 2.1.x before 2.1.5, and 2.2.x before 2.2.2 fails to properly escape table and field names in the command-line export command. An authenticated System User with OWNER or EDITOR roles can create tables or fields with malicious names containing SurrealQL. When a...

9.4CVSS5.4AI score
Exploits0References2
Cvelist
Cvelist
added 2 hours ago7 views

CVE-2025-71392 SurrealDB before 2.2.2 SurrealQL Injection via export

SurrealDB before 2.0.5, 2.1.x before 2.1.5, and 2.2.x before 2.2.2 fails to properly escape table and field names in the command-line export command. An authenticated System User with OWNER or EDITOR roles can create tables or fields with malicious names containing SurrealQL. When a...

9.4CVSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2 hours ago3 views

CVE-2025-71391

SurrealDB versions before 2.2.2 contain an uncaught exception vulnerability in the net module that allows authenticated users to crash the database. Attackers can send crafted HTTP queries containing null bytes to the /sql endpoint, causing an unhandled exception that crashes the SurrealDB instan...

7.1CVSS
Exploits0References3
CVE
CVE
added 2 hours ago4 views

CVE-2025-71390

SurrealDB before 2.2.6, 2.3.6, and 2.1.8 and 3.0.0-alpha.7 and earlier fails to validate DNS-resolved hostnames against --deny-net network access restrictions in its http:: functions. An authenticated user can invoke http:: with a hostname that resolves to a denied IP address, causing the server ...

5.8CVSS5.4AI score
Exploits0References2
CVE
CVE
added 2 hours ago4 views

CVE-2024-58370

SurrealDB versions before 1.1.0 fail to enforce recursion depth limits when parsing nested SurrealQL statements including IF, RELATE, and attribute access idioms. Authorized attackers can submit queries with excessive nesting depth to cause stack overflow and crash the server...

7.1CVSS5.4AI score
Exploits0References2
CVE
CVE
added 2 hours ago3 views

CVE-2024-58366

SurrealDB before 1.1.1 contains a format string vulnerability in the rquickjs Exception::throwtype function when scripting is enabled. Attackers with scripting privileges can supply format string sequences in error inputs to read arbitrary memory or execute code with SurrealDB process privileges...

9CVSS5.6AI score
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2 hours ago3 views

CVE-2024-58366

SurrealDB before 1.1.1 contains a format string vulnerability in the rquickjs Exception::throwtype function when scripting is enabled. Attackers with scripting privileges can supply format string sequences in error inputs to read arbitrary memory or execute code with SurrealDB process privileges...

9CVSS
Exploits0References3
Cvelist
Cvelist
added 2 hours ago5 views

CVE-2024-58366 SurrealDB before 1.1.1 Format String via Scripting Functions

SurrealDB before 1.1.1 contains a format string vulnerability in the rquickjs Exception::throwtype function when scripting is enabled. Attackers with scripting privileges can supply format string sequences in error inputs to read arbitrary memory or execute code with SurrealDB process privileges...

9CVSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2 hours ago3 views

CVE-2024-58364

SurrealDB versions before 1.2.1 contain an uncaught exception handling vulnerability in span rendering when parsing queries with errors on line terminator characters. Authorized clients can submit malformed queries that trigger a panic in the span rendering code, crashing the server and causing...

7.1CVSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2 hours ago3 views

CVE-2024-58363

SurrealDB before 1.5.4 fails to properly validate authentication when a scope user switches databases using the USE clause or use method. Attackers with an authenticated session can impersonate an unrelated user in a different database if a user record with an identical identifier exists, allowin...

6.3CVSS
Exploits0References3
Cvelist
Cvelist
added 2 hours ago4 views

CVE-2024-58356 SurrealDB before 2.1.4 Permission Bypass via DEFINE TABLE OVERWRITE

SurrealDB before 2.1.4 silently fails to overwrite table definitions when the DEFINE TABLE ... OVERWRITE clause is used on tables defined with TYPE RELATION. Because table definitions include the PERMISSIONS clause, an attempt to tighten a table's permissions via OVERWRITE does not take effect, a...

2.3CVSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2 hours ago2 views

CVE-2023-54366

SurrealDB before 1.0.1 sets default table permissions to FULL instead of NONE, allowing SELECT, CREATE, UPDATE, and DELETE operations on tables without explicit permissions. Attackers with database access or unauthenticated users on publicly exposed instances can perform unrestricted operations o...

8.8CVSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2 hours ago3 views

CVE-2026-16117

Impact: @fastify/http-proxy versions up to and including 11.5.0 fail to rewrite the request prefix when the prefix segment is URL-encoded. Fastify's router URL-decodes paths for route matching, but request.url retains the original encoded form, and the prefix-rewrite step uses a literal string...

10CVSS
Exploits0References3
Cvelist
Cvelist
added 2 hours ago4 views

CVE-2026-16117 @fastify/http-proxy vulnerable to prefix escape via URL-encoded characters

Impact: @fastify/http-proxy versions up to and including 11.5.0 fail to rewrite the request prefix when the prefix segment is URL-encoded. Fastify's router URL-decodes paths for route matching, but request.url retains the original encoded form, and the prefix-rewrite step uses a literal string...

10CVSS
Exploits0References2
Rows per page
Query Builder