20807 matches found
CVE-2026-28427
OpenDeck is Linux software for your Elgato Stream Deck. Prior to 2.8.1, the service listening on port 57118 serves static files for installed plugins but does not properly sanitize path components. By including ../ sequences in the request path, an attacker can traverse outside the intended...
CVE-2026-28518
OpenViking versions 0.2.1 and prior, fixed in commit 46b3e76, contain a path traversal vulnerability in the .ovpack import handling that allows attackers to write files outside the intended import directory. Attackers can craft malicious ZIP archives with traversal sequences, absolute paths, or...
EUVD-2026-9494
OpenDeck is Linux software for your Elgato Stream Deck. Prior to 2.8.1, the service listening on port 57118 serves static files for installed plugins but does not properly sanitize path components. By including ../ sequences in the request path, an attacker can traverse outside the intended...
CVE-2026-28427 OpenDeck affected by path traversal allows arbitrary file read
OpenDeck is Linux software for your Elgato Stream Deck. Prior to 2.8.1, the service listening on port 57118 serves static files for installed plugins but does not properly sanitize path components. By including ../ sequences in the request path, an attacker can traverse outside the intended...
CVE-2026-28427
CVE-2026-28427 affects OpenDeck (Linux software for the Elgato Stream Deck). Prior to version 2.8.1, the service listening on port 57118 serves static plugin files but does not sanitize path components properly. An attacker can use ../ sequences in the request path to traverse outside the intende...
Directory Traversal
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Directory Traversal via the extractToolResultMediaPaths process. An attacker can access and exfiltrate sensitive files from the system's temporary directory or other allowed local roots b...
Directory Traversal
Overview nltk is a Natural Language Toolkit NLTK is a Python package for natural language processing. Affected versions of this package are vulnerable to Directory Traversal due to improper sanitization of file paths in the CorpusReader classes. An attacker can gain unauthorized access to sensiti...
Security Bulletin: SMTP Command Injection Vulnerability in Netty SMTP Codec (Fixed in 4.1.129.Final and 4.2.8.Final) affects IBM watsonx.data
Summary Netty versions prior to 4.1.129.Final and 4.2.8.Final contain an SMTP command injection vulnerability in the SMTP codec due to improper CRLF validation. Attackers who control SMTP parameters can inject arbitrary commands, potentially forging emails that pass SPF and DKIM checks. Upgradin...
Security Bulletin: SPSS Collaboration and Deployment Services is affected by multiple vulnerabilities in IBM WebSphere Application Server Liberty
Summary SPSS Collaboration and Deployment Services is affected by multiple vulnerabilities in IBM WebSphere Application Server Liberty (CVE-2025-12635, CVE-2025-14914). This has been addressed in the remediation section. Vulnerability Details CVEID: CVE-2025-12635 DESCRIPTION: IBM WebSphere...
CVE-2026-2355
The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the template attribute of the mycalendarupcoming shortcode in all versions up to, and including, 3.7.3. This is due to the use of stripcslashes on user-supplied shortcode attribute...
CVE-2026-2355
The CVE tracks a Stored XSS in The My Calendar – Accessible Event Manager plugin for WordPress. Affects all versions up to 3.7.3 via the shortcode [my_calendar_upcoming] template attribute. Root cause: stripcslashes decodes C-style hex escapes at render time, bypassing wp_kses_post at save time. ...
CVE-2026-2355 My Calendar – Accessible Event Manager <= 3.7.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the template attribute of the mycalendarupcoming shortcode in all versions up to, and including, 3.7.3. This is due to the use of stripcslashes on user-supplied shortcode attribute...
SUSE CVE-2026-25766
Echo is a Go web framework. In versions 5.0.0 through 5.0.2 on Windows, Echo's middleware.Static using the default filesystem allows path traversal via backslashes, enabling unauthenticated remote file read outside the static root. In middleware/static.go, the requested path is unescaped and...
SUSE CVE-2026-26187
lakeFS is an open-source tool that transforms object storage into Git-like repositories. Prior to 1.77.0, the local block adapter pkg/block/local/adapter.go allows authenticated users to read and write files outside their designated storage boundaries. The verifyRelPath function used...
PT-2026-22900
The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the template attribute of the my calendar upcoming shortcode in all versions up to, and including, 3.7.3. This is due to the use of stripcslashes on user-supplied shortcode attribute...