Lucene search
K

97 matches found

NVD
NVD
added 2026/06/30 11:17 p.m.10 views

CVE-2026-56700

Grav CMS before 2.0.0-beta.2 contains multiple code-execution vulnerabilities. Three unsafe unserialize calls - in Scheduler\JobQueue, Framework\Cache\Adapter\FileCache, and Session - deserialize untrusted data without restricting allowed classes, enabling PHP object injection and, via a gadget...

9.8CVSS0.01683EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.16 views

PT-2026-54048

Name of the Vulnerable Software and Affected Versions Grav CMS versions prior to 2.0.0-beta.2 Description Multiple issues allow for code execution. Three unsafe unserialize calls within SchedulerJobQueue, FrameworkCacheAdapterFileCache, and Session deserialize untrusted data without restricting...

9.8CVSS6.5AI score0.01683EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/28 12:0 a.m.12 views

PT-2026-53164

Name of the Vulnerable Software and Affected Versions khoj-ai khoj versions prior to 2.0.0-beta.29 Description A flaw in the Conversation Sharing Handler component within the file src/khoj/routers/api chat.py allows for incorrect authorization. This occurs through the manipulation of the...

6.5CVSS6AI score0.00165EPSS
Exploits0References11
OSV
OSV
added 2026/06/12 7:16 p.m.10 views

UBUNTU-CVE-2026-42306

Moby is an open source container framework. In Docker Engine prior to version 29.5.1, Docker Daemon versions 28.5.2 and prior, and Moby Daemon prior to version 2.0.0-beta.14, a race condition during docker cp mount setup allows a malicious container to redirect a bind mount target to an arbitrary...

7.2CVSS5.3AI score0.00104EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/06/12 6:9 p.m.11 views

CVE-2026-42306 Moby: Race condition in docker cp allows bind mount redirection to host path

Moby is an open source container framework. In Docker Engine prior to version 29.5.1, Docker Daemon versions 28.5.2 and prior, and Moby Daemon prior to version 2.0.0-beta.14, a race condition during docker cp mount setup allows a malicious container to redirect a bind mount target to an arbitrary...

7.2CVSS5.2AI score0.00104EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/12 6:9 p.m.14 views

EUVD-2026-36528

Moby is an open source container framework. In Docker Engine prior to version 29.5.1, Docker Daemon versions 28.5.2 and prior, and Moby Daemon prior to version 2.0.0-beta.14, a race condition during docker cp mount setup allows a malicious container to redirect a bind mount target to an arbitrary...

7.2CVSS5.2AI score0.00104EPSS
Exploits0References1
CVE
CVE
added 2026/06/12 6:9 p.m.71 views

CVE-2026-42306

CVE-2026-42306 affects Moby/Docker: a race condition during docker cp mount setup could redirect a bind mount target to an arbitrary host path, potentially overwriting host files or causing denial of service. Affected are Docker Engine prior to 29.5.1, Docker Daemon 28.5.2 and earlier, and Moby D...

7.2CVSS5.2AI score0.00104EPSS
Exploits0References1Affected Software3
RedhatCVE
RedhatCVE
added 2026/06/05 7:13 p.m.11 views

CVE-2026-40884

goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs contains an SFTP authentication bypass when the documented empty-username basic-auth syntax is used. If the server is started with -b ':pass' together with -sftp, goshs accepts that configuration but does not install any SFTP...

9.8CVSS5.5AI score0.00478EPSS
Exploits1References1
EUVD
EUVD
added 2026/05/28 6:22 p.m.16 views

EUVD-2026-32980

Automad is a flat-file content management system and template engine. From 2.0.0-alpha.1 to 2.0.0-beta.27, a Broken Access Control vulnerability allows an unauthenticated attacker to retrieve the bcrypt password hash of every administrator account with a single POST request. The...

7.5CVSS5.8AI score0.00298EPSS
Exploits1References1
Positive Technologies
Positive Technologies
added 2026/05/25 12:0 a.m.12 views

PT-2026-43064

Name of the Vulnerable Software and Affected Versions hackney versions 2.0.0-beta.1 through 4.0.0 Description An infinite loop exists in the Alt-Svc response header parser within src/hackney altsvc.erl. When the parse token/2 function receives a byte that is not a token, whitespace, or comma such...

8.7CVSS5.9AI score0.00703EPSS
Exploits1References10
CNNVD
CNNVD
added 2026/05/25 12:0 a.m.13 views

Hackney 安全漏洞

Hackney is a program library from Hackney, Inc. A security vulnerability exists in Hackney versions 2.0.0-beta.1 through prior to 4.0.1, which stems from the Alt-Svc response header parser's inability to guarantee forward progress, potentially leading to infinite loops and CPU exhaustion...

8.7CVSS5.8AI score0.00703EPSS
Exploits1References4
vulnersOsv
vulnersOsv
added 2026/05/18 9:0 p.m.5 views

4house-libts-places-autocomplete (=1.0.0), @77sol-ui/atoms (>=5.1.0 <=5.4.0) +267 more potentially affected by unknown CVE via jest-canvas-mock (>=2.0.0-beta.1 <=2.5.2)

jest-canvas-mock NPM version =2.0.0-beta.1, =5.1.0, =1.0.1, =1.0.0, =1.0.0, =0.0.0, =0.0.1-react-native, =2.1.0-alpha.0, =2.1.0-alpha.0, =2.1.0-alpha.0, =2.1.0-alpha.250, =2.1.0-alpha.250, =0.0.5, =0.0.6, =0.3.113, =0.5.0 and more Source cves: unknown CVE Source advisory:...

5.7AI score
Exploits0
vulnersOsv
vulnersOsv
added 2026/05/18 9:0 p.m.29 views

@antv/l7 (>=2.1.13 <=2.25.10), @antv/l7-component (>=2.0.0-beta.1 <=2.25.10) +13 more potentially affected by unknown CVE via @antv/l7-utils (>=2.0.0-beta.1 <=2.25.9)

@antv/l7-utils NPM version =2.0.0-beta.1, =2.1.13, =2.0.0-beta.1, =2.0.0-beta.1, =2.1.13, =2.1.13, =2.10.0, =2.1.13, =2.10.0, =2.1.13, =2.1.13, =2.1.13, =2.0.0-beta.1, =2.10.0, =1.0.0, =1.0.17, =1.0.18 Source cves: unknown CVE Source advisory: SNYK:JS-ANTVL7UTILS-16754432...

5.5AI score
Exploits0
Snyk
Snyk
added 2026/05/18 5:53 p.m.9 views

UNIX Symbolic Link (Symlink) Following

Overview Affected versions of this package are vulnerable to UNIX Symbolic Link Symlink Following during docker cp mount setup before subsequent mount syscall. An attacker can overwrite arbitrary files on the host or cause denial of service by exploiting a race condition where a symlink is create...

7.2CVSS5.9AI score0.00104EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/18 5:53 p.m.10 views

UNIX Symbolic Link (Symlink) Following

Overview Affected versions of this package are vulnerable to UNIX Symbolic Link Symlink Following during docker cp mount setup before subsequent mount syscall. An attacker can overwrite arbitrary files on the host or cause denial of service by exploiting a race condition where a symlink is create...

7.2CVSS5.9AI score0.00104EPSS
Exploits0References2
NVD
NVD
added 2026/05/11 4:17 p.m.21 views

CVE-2026-42841

Grav is a file-based Web platform. Prior to 2.0.0-beta.2, an authenticated user with page editing permissions can inject an executable JavaScript event-handler attribute into rendered image HTML through Grav's Markdown media action syntax. The issue is caused by Markdown image query parameters...

6.9CVSS0.00397EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/05/11 3:2 p.m.6 views

CVE-2026-42608 Grav: Unauthenticated Path Traversal & Arbitrary File Write in FormFlash component.

Grav is a file-based Web platform. Prior to 2.0.0-beta.2, there is a Path Traversal vulnerability within the FormFlash core component. By manipulating the sessionid passed as form-flash-id in POST requests, an unauthenticated attacker can traverse the filesystem to create arbitrary directories an...

9.3CVSS5.9AI score0.00521EPSS
Exploits1References1
Snyk
Snyk
added 2026/05/05 9:29 p.m.10 views

Deserialization of Untrusted Data

Overview getgrav/grav is a Modern, Crazy Fast, Ridiculously Easy and Amazingly Powerful Flat-File CMS. Affected versions of this package are vulnerable to Deserialization of Untrusted Data via unsafe handling of serialized data and improper input validation in multiple components, including...

9.8CVSS6.3AI score0.01683EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/05 9:21 p.m.9 views

Arbitrary Code Injection

Overview getgrav/grav is a Modern, Crazy Fast, Ridiculously Easy and Amazingly Powerful Flat-File CMS. Affected versions of this package are vulnerable to Arbitrary Code Injection in the directInstall process. An attacker can execute arbitrary code on the server by uploading a specially crafted Z...

9.1CVSS6.3AI score0.03934EPSS
Exploits4References2
OSV
OSV
added 2026/04/29 12:30 a.m.9 views

GHSA-J7RW-325J-2RMX Duplicate Advisory: Grav has Insecure Deserialization in File Cache

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-gwfr-jfjf-92vv. This link is maintained to preserve external references. Original Description A vulnerability was found in Grav CMS up to 1.7.49.5/2.0.0-beta.1. Affected by this vulnerability is the function...

5CVSS5.1AI score0.00224EPSS
Exploits0References7
Rows per page
Query Builder