Lucene search
K

809 matches found

NVD
NVD
added 7 hours ago6 views

CVE-2026-55113

A malicious actor with access to the network could exploit a Server-Side Request Forgery SSRF vulnerability found in UniFi Talk Application to execute a Denial of Service DoS attack and bypass authentication in certain UniFi Talk API endpoints...

7.5CVSS
Exploits0References1
NVD
NVD
added 7 hours ago5 views

CVE-2026-54407

A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi Protect Application to bypass authentication in certain UniFi Protect Application API endpoints...

8.6CVSS
Exploits0References1
EUVD
EUVD
added 8 hours ago3 views

EUVD-2026-41394

A malicious actor with access to the network could exploit a Server-Side Request Forgery SSRF vulnerability found in UniFi Talk Application to execute a Denial of Service DoS attack and bypass authentication in certain UniFi Talk API endpoints...

7.5CVSS5.8AI score
Exploits0References1
Nuclei
Nuclei
added 13 hours ago23 views

WordPress AI Engine Plugin - Token Exposure

Unauthenticated sensitive information exposure in AI Engine WordPress plugin = 3.1.3 exposes bearer tokens via REST API endpoints when No-Auth URL is enabled. id: CVE-2025-11749 info: name: WordPress AI Engine Plugin - Token Exposure author: 4m3rr0r severity: critical description: | Unauthenticat...

9.8CVSS7.3AI score0.75759EPSS
Exploits5References2
Nuclei
Nuclei
added 13 hours ago90 views

NestJS DevTools Integration - Remote Code Execution

Nest is a framework for building scalable Node.js server-side applications. In versions 0.2.0 and below, a critical Remote Code Execution RCE vulnerability was discovered in the @nestjs/devtools-integration package. When enabled, the package exposes a local development HTTP server with an API...

9.4CVSS8.1AI score0.4617EPSS
Exploits4References3
Nuclei
Nuclei
added 13 hours ago15 views

CodeChecker <= 6.24.1 - Authentication Bypass

Authentication bypass occurs when the API URL ends with Authentication, Configuration or ServerInfo. This bypass allows superuser access to all API endpoints other than Authentication. These endpoints include the ability to add, edit, and remove products, among others. id: CVE-2024-10081 info:...

10CVSS5.8AI score0.40058EPSS
Exploits0References3
Nuclei
Nuclei
added 13 hours ago65 views

Frigate < 0.13.0 Beta 3 - Cross-Site Scripting

Frigate is an open source network video recorder. Before version 0.13.0 Beta 3, there is a reflected cross-site scripting vulnerability in any API endpoints reliant on the / base path as values provided for the path are not sanitized. Exploiting this vulnerability requires the attacker to both kn...

4.7CVSS5.9AI score0.01425EPSS
Exploits1References3
OSV
OSV
added 3 days ago5 views

PYSEC-2026-418 MLflow: Improper Origin Validation in MLflow Assistant /ajax-api Endpoints Enables Browser-Mediated Local Command Execution

In MLflow version 3.9.0, the MLflow Assistant feature introduced improper origin validation in its /ajax-api endpoints. This vulnerability allows a remote attacker to exploit cross-origin requests from a malicious webpage to interact with the MLflow Assistant running on a victim's local machine. ...

9.6CVSS7.7AI score0.00371EPSS
Exploits1References6
Positive Technologies
Positive Technologies
added 3 days ago8 views

PT-2026-53659

Name of the Vulnerable Software and Affected Versions Gorse versions prior to 0.5.10 Description An authentication bypass exists in the HTTP API when the admin api key is left empty, which is the default configuration. This occurs because improper input validation treats an empty key as a disabli...

9.8CVSS5.8AI score0.00896EPSS
Exploits1References6
NVD
NVD
added 6 days ago10 views

CVE-2026-45807

Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.43 and 1.3.19, several Kestra API endpoints accept a kestra:// URI from the client and pass it through StorageInterface.parentTraversalGuard before reading the underlying file from the local storage backend. The guard onl...

7.7CVSS0.00366EPSS
Exploits1References1
OSV
OSV
added 2026/06/25 8:40 p.m.7 views

MAL-2026-6474 Malicious code in ref-slot (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1e1ef3e785cf6cb007c0b33be2ed43ebe49d64f476bb4fb3a66b914b06def5e1 On npm install, the package's postinstall hook runs node test.js which invokes index.js to perform multi-stage installer compromise. 1 Credential...

5.8AI score
Exploits0References2
NVD
NVD
added 2026/06/24 9:16 p.m.8 views

CVE-2026-52808

Gogs is an open source self-hosted Git service. Prior to 0.14.3, three API endpoints — PATCH /api/v1/repos/:owner/:repo/issue-tracker, PATCH /api/v1/repos/:owner/:repo/wiki, and POST /api/v1/repos/:owner/:repo/mirror-sync — are gated by reqRepoWriter rather than reqRepoAdmin. The equivalent...

7.1CVSS0.00478EPSS
Exploits0References4
CVE
CVE
added 2026/06/24 11:53 a.m.9 views

CVE-2026-56256

CVE-2026-56256 affects Capgo prior to 12.128.2, where 2FA is enforced only at the UI level. The backend ORG management API endpoints (e.g., editing organization details, inviting users) do not require 2FA, allowing an authenticated admin without 2FA to replay/modify a captured ORG API request to ...

7.1CVSS5.9AI score0.00238EPSS
Exploits0References2
NVD
NVD
added 2026/06/23 5:17 p.m.8 views

CVE-2026-54307

n8n is an open source workflow automation platform. Prior to 1.123.55, 2.25.7, and 2.26.2, a member-level user with editor access to a shared workflow could reference credentials they do not own via specific public API endpoints. Credential ownership checks were only enforced partially leading to...

9.6CVSS0.00315EPSS
Exploits0References1
NVD
NVD
added 2026/06/23 5:16 p.m.7 views

CVE-2026-13007

Tenable Identity Exposure contains multiple unauthenticated API endpoints under /w/api/ that expose sensitive application configuration data including cleartext LDAP credentials, SAML configuration, user accounts, and directory settings to unauthenticated remote attackers. Affected responses are...

8.7CVSS0.00432EPSS
Exploits0References1
NVD
NVD
added 2026/06/17 7:18 p.m.11 views

CVE-2026-53869

Hermes Agent before 0.16.0 contains a DNS rebinding vulnerability in WebSocket endpoints that allows remote attackers to bypass Host and Origin validation. FastAPI HTTP middleware does not execute for WebSocket upgrade requests on /api/pty, /api/ws, /api/pub, and /api/events endpoints, enabling...

8.7CVSS0.006EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.16 views

PT-2026-50444

Name of the Vulnerable Software and Affected Versions Azuriom CMS versions prior to 1.2.11 Description Missing authorization in the server management routes allows an authenticated attacker with the admin.access permission to create AzLink server tokens. This can lead to the takeover of non-admin...

8.6CVSS5.2AI score0.00348EPSS
Exploits0References5
NVD
NVD
added 2026/06/16 3:16 p.m.9 views

CVE-2025-14272

A security issue was identified in Pavilion due to improper authorization enforcement in API endpoints. This vulnerability can allow an unauthorized actor to execute privileged operations, including user/role management and other administrative actions...

8.3CVSS0.00235EPSS
Exploits0References1
Nuclei
Nuclei
added 2026/06/16 7:13 a.m.62 views

Atlassian Bitbucket - Remote Command Injection

Atlassian Bitbucket Server and Data Center is susceptible to remote command injection. Multiple API endpoints can allow an attacker with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request, thus making it possible to obtain...

8.8CVSS9AI score0.99174EPSS
Exploits24References5
OSV
OSV
added 2026/06/11 5:10 p.m.3 views

GHSA-4MJ9-PF4R-CQRC Kolibri has Unauthenticated Server-Side Request Forgery (SSRF) in RemoteFacilityUserViewset

Summary Several Kolibri API endpoints accept an unvalidated baseurl parameter and fetch attacker-controlled URLs from the Kolibri server, reflecting the response body back to the caller. The original report identified two endpoints on the RemoteFacilityUser viewsets; remediation review found two...

5.8CVSS5.8AI score0.00047EPSS
Exploits0References3
Rows per page
Query Builder