CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

251 matches found

mooSocial 3.1.8 - External Service Interaction

mooSocial 3.1.8 is vulnerable to external service interaction via multiple parameters in the post function. id: CVE-2023-43323 info: name: mooSocial 3.1.8 - External Service Interaction author: ritikchaddha severity: medium description: | mooSocial 3.1.8 is vulnerable to external service...

6.5CVSS6.6AI score0.80804EPSS

Exploits2References3

OSV•added 2026/04/27 2:14 p.m.•6 views

JLSEC-2026-211

libmariadb/mariadblib.c in MariaDB Connector/C before 3.1.8 does not properly validate the content of an OK packet received from a server. NOTE: although mariadblib.c was originally based on code shipped for MySQL, this issue does not affect any MySQL components supported by Oracle...

8.8CVSS7.2AI score0.00702EPSS

Exploits0References12

OSV•added 2026/04/15 3:31 p.m.•2 views

GHSA-4G48-54Q2-FG7Q Apache Airlfow: Sensitive Azure Service Bus connection string (and possibly other providers) exposed to users with view access

The accesskey and connectionstring connection properties were not marked as sensitive names in secrets masker. This means that user with read permission could see the values in Connection UI, as well as when Connection was accidently logged to logs, those values could be seen in the logs. Azure...

6.5CVSS5.8AI score0.00032EPSS

Exploits0References6

vulnersOsv•added 2026/04/15 3:31 p.m.•2 views

airflow-balancer (>=0.7.0 <=0.7.6), airflow-clickhouse-plug (=1.6.2) +37 more potentially affected by CVE-2026-25219 via apache-airflow-core (>=3.0.0 <=3.1.8)

apache-airflow-core PYPI version =3.0.0, =0.7.0, =1.5.0, =0.6.1, =1.10.7, =0.6.0a1, =0.1.0, =1.4.3, =1.2.10, =0.1.1, =3.0.0, =1.6.0, =1.5.3, =1.25.0, =3.12.0, =3.12.0rc1 and more Source cves: CVE-2026-25219 Source advisory: SNYK:PYTHON-APACHEAIRFLOWCORE-16094862...

6.5CVSS5.8AI score0.00032EPSS

Exploits0

vulnersOsv•added 2026/04/13 3:17 p.m.•1 views

airflow-clickhouse-plug (=1.6.2), airflow-clickhouse-plugin (=1.6.0) +18 more potentially affected by CVE-2026-33858 via apache-airflow (>=3.1.8 <=3.1.8rc2)

apache-airflow PYPI version =3.1.8, =0.6.0a1, =3.1.8, =1.0.2, =0.0.13, =10.13.0, =0.0.4, =0.1.0, =12.9.0, =7.1.0, =1.15.20, =1.2.4, =1.9.17, =1.10.13 and more Source cves: CVE-2026-33858 Source advisory: OSV:PYSEC-2026-20...

8.8CVSS5.8AI score0.002EPSS

Exploits0

OSV•added 2026/04/09 12:31 p.m.•2 views

GHSA-R7VR-M4JW-R794 Apache Airflow has an authorization bypass in DagRun wait endpoint

Apache Airflow versions 3.0.0 through 3.1.8 DagRun wait endpoint returns XCom result values even to users who only have DAG Run read permissions, such as the Viewer role.This behavior conflicts with the FAB RBAC model, which treats XCom as a separate protected resource, and with the security mode...

6.5CVSS6AI score0.00013EPSS

Exploits0References6

OSV•added 2026/04/01 10:4 a.m.•0 views

CLEANSTART-2026-FF20499 Security fixes for CVE-2025-55190, CVE-2025-55191, CVE-2025-58183, CVE-2025-58185, CVE-2025-58187, CVE-2025-58188, CVE-2025-58189, CVE-2025-59537, CVE-2025-59538, CVE-2025-61723, CVE-2025-61724, CVE-2025-61725, CVE-2026-25934, ghsa-2v5j-vhc3-9cwm, ghsa-2vgg-9h3w-qbr4, ghsa-2xsj-vh29-9cwm, ghsa-37cx-329c-33x3, ghsa-3wgm-2mw2-vh5m, ghsa-4x4m-3c2p-qppc, ghsa-6v2p-p543-phr9, ghsa-92cp-5422-2m47, ghsa-93mq-9ffx-83m2, ghsa-f6x5-jh6r-wrfv, ghsa-hj2p-8wj8-pfq4, ghsa-j5w8-q4qc-rx2x, ghsa-mh63-6h87-95cp, ghsa-mw99-9chc-xw7r applied in versions: 2.13.9-r0, 2.14.20-r0, 3.0.16-r0, 3.0.19-r0, 3.1.4-r0, 3.1.8.-r0, 3.1.9-r4, 3.2.7-r0

Multiple security vulnerabilities affect the argo-cd-fips package. These issues are resolved in later releases. See references for individual vulnerability details...

9.9CVSS6.8AI score0.05376EPSS

Exploits3References41

OSV•added 2026/04/01 10:0 a.m.•0 views

CLEANSTART-2026-JW58725 Security fixes for CVE-2025-55190, CVE-2025-55191, CVE-2025-58183, CVE-2025-58185, CVE-2025-58187, CVE-2025-58188, CVE-2025-58189, CVE-2025-59537, CVE-2025-59538, CVE-2025-61723, CVE-2025-61724, CVE-2025-61725, CVE-2026-1229, CVE-2026-24051, CVE-2026-25934, ghsa-2v5j-vhc3-9cwm, ghsa-2vgg-9h3w-qbr4, ghsa-2x5j-vhc8-9cwm, ghsa-2xsj-vh29-9cwm, ghsa-3wgm-2mw2-vh5m, ghsa-4x4m-3c2p-qppc, ghsa-6v2p-p543-phr9, ghsa-92cp-5422-2m47, ghsa-93mq-9ffx-83m2, ghsa-f6x5-jh6r-wrfv, ghsa-hj2p-8wj8-pfq4, ghsa-j5w8-q4qc-rx2x, ghsa-mh63-6h87-95cp, ghsa-mw99-9chc-xw7r, ghsa-r6j8-c6r2-37rr applied in versions: 2.13.9-r0, 2.14.20-r0, 3.0.16-r0, 3.0.19-r0, 3.0.22-r0, 3.0.23-r0, 3.0.23-r1, 3.1.4-r0, 3.1.8.-r0, 3.1.9-r4

Multiple security vulnerabilities affect the argo-cd package. These issues are resolved in later releases. See references for individual vulnerability details...

9.9CVSS7.1AI score0.05376EPSS

Exploits3References46

RedhatCVE•added 2026/03/26 3:16 p.m.•2 views

CVE-2026-28779

Apache Airflow versions 3.1.0 through 3.1.7 session token token in cookies is set to path=/ regardless of the configured webserver baseurl or api baseurl. This allows any application co-hosted under the same domain to capture valid Airflow session tokens from HTTP request headers, allowing full...

7.5CVSS5.7AI score0.00031EPSS

Exploits0References1

RedhatCVE•added 2026/03/26 3:14 p.m.•2 views

CVE-2026-26929

Apache Airflow versions 3.0.0 through 3.1.7 FastAPI DagVersion listing API does not apply per-DAG authorization filtering when the request is made with dagid set to "" wildcard for all DAGs. As a result, version metadata of DAGs that the requester is not authorized to access is returned. Users ar...

6.5CVSS5.7AI score0.00054EPSS

Exploits0References1

OSV•added 2026/03/18 8:39 a.m.•2 views

BIT-AIRFLOW-2026-28779 Apache Airflow: Path of session token in cookie does not consider base_url - session hijacking via co-hosted applications

7.5CVSS5.8AI score0.00031EPSS

Exploits0References4

OSV•added 2026/03/18 8:39 a.m.•2 views

BIT-AIRFLOW-2026-28563 Apache Airflow: DAG authorization bypass

Apache Airflow versions 3.1.0 through 3.1.7 /ui/dependencies endpoint returns the full DAG dependency graph without filtering by authorized DAG IDs. This allows an authenticated user with only DAG Dependencies permission to enumerate DAGs they are not authorized to view. Users are recommended to...

4.3CVSS5.7AI score0.00036EPSS

Exploits0References4

OSV•added 2026/03/18 8:39 a.m.•1 views

BIT-AIRFLOW-2026-26929 Apache Airflow: Wildcard DagVersion Listing Bypasses Per‑DAG RBAC and Leaks Metadata

6.5CVSS5.7AI score0.00054EPSS

Exploits0References4

OSV•added 2026/03/17 12:30 p.m.•2 views

GHSA-4FHM-P86V-HWPX Apache Airflow: Path of session token in cookie does not consider base_url - session hijacking via co-hosted applications

7.5CVSS5.8AI score0.00031EPSS

Exploits0References5

Github Security Blog•added 2026/03/17 12:30 p.m.•6 views

Apache Airflow: Path of session token in cookie does not consider base_url - session hijacking via co-hosted applications

7.5CVSS5.8AI score0.00031EPSS

Exploits0References5Affected Software1

EUVD•added 2026/03/17 12:30 p.m.•2 views

EUVD-2026-12566

Apache Airflow versions 3.1.0 through 3.1.7 missing authorization vulnerability in the Execution API's Human-in-the-Loop HITL endpoints that allows any authenticated task instance to read, approve, or reject HITL workflows belonging to any other task instance. Users are recommended to upgrade to...

8.1CVSS5.8AI score0.00043EPSS

Exploits0References3

Github Security Blog•added 2026/03/17 12:30 p.m.•3 views

Apache Airflow: Execution API HITL Endpoints Missing Per-Task Authorization

8.1CVSS5.8AI score0.00043EPSS

Exploits0References5Affected Software1

EUVD•added 2026/03/17 12:30 p.m.•3 views

EUVD-2026-12558

7.5CVSS5.8AI score0.00031EPSS

Exploits0References3

EUVD•added 2026/03/17 12:30 p.m.•2 views

EUVD-2026-12564