Lucene search
K

1107 matches found

Nuclei
Nuclei
added 5 hours ago17 views

MLflow < 3.10.0 - Authentication Bypass on FastAPI Routes

A vulnerability in mlflow/mlflow versions 3.9.0 and earlier allows unauthenticated access to certain FastAPI routes when the server is started with authentication enabled --app-name basic-auth and served via uvicorn ASGI. The FastAPI permission middleware only enforces authentication on /gateway/...

8.6CVSS7.1AI score0.01502EPSS
Exploits1References2
Nuclei
Nuclei
added 5 hours ago153 views

Wazuh - Unsafe Deserialization Remote Code Execution

A critical Remote Code Execution RCE vulnerability exists in Wazuh server versions = 4.4.0 and = 4.4.0 and 4.9.1. The vulnerability occurs due to unsafe deserialization in the wazuh-manager package, specifically in the DistributedAPI where parameters are serialized as JSON and deserialized using...

9.9CVSS7.4AI score0.93027EPSS
Exploits10References3
Nuclei
Nuclei
added yesterday83 views

Wipro Holmes Orchestrator 20.4.1 - Information Disclosure

Wipro Holmes Orchestrator 20.4.1 20.4.102112020 allows remote attackers to download arbitrary files, such as reports containing sensitive information, because authentication is not required for API access to processexecution/DownloadExcelFile/DomainCredentialReportExcel,...

7.5CVSS7.1AI score0.53008EPSS
Exploits3References3
EUVD
EUVD
added 4 days ago7 views

EUVD-2026-39125

SiYuan: Unauthenticated Admin API Access via Blanket chrome-extension:// Origin Allowlist...

9.2CVSS6.1AI score0.00607EPSS
Exploits0References2
CVE
CVE
added 4 days ago9 views

CVE-2026-57476

CVE-2026-57476 describes a vulnerability in Deloitte AI Assist for Customer where unauthenticated API endpoints allowed an attacker knowing specific parameters to read from or inject content into the retrieval-augmented generation (RAG) corpus. The issue was mitigated on 2026-03-25 by restricting...

6.3CVSS6.1AI score0.00238EPSS
Exploits0References4
CVE
CVE
added 4 days ago9 views

CVE-2026-38059

The CVE-2026-38059 entry concerns iDirect iQ200 devices where the /api/identity and /api/ REST endpoints are exposed without authentication. An unauthenticated attacker with network access can retrieve sensitive device data including serial number, Device ID (DID), Terminal Private Key (TPK) iden...

8.7CVSS6.1AI score0.00592EPSS
Exploits0References3
Cvelist
Cvelist
added 4 days ago28 views

CVE-2026-38059 ST Engineering iDirect iQ-Series Terminals Missing authentication for critical function

The iDirect iQ200 exposes the /api/identity and /api/ REST API endpoints without authentication. An unauthenticated attacker with network access can retrieve sensitive device information including the serial number, Device ID DID, Terminal Private Key identifier TPK, MAC address, and exact firmwa...

8.7CVSS0.00592EPSS
Exploits0References3
NVD
NVD
added last week8 views

CVE-2026-13019

Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes have a missing authentication for critical function vulnerability allows a remote, unauthenticated attacker to access an unprotected API...

9.8CVSS0.0041EPSS
Exploits0References1
EUVD
EUVD
added last week7 views

EUVD-2026-42058

Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes have a missing authentication for critical function vulnerability allows a remote, unauthenticated attacker to access an unprotected API...

9.8CVSS6AI score0.0041EPSS
Exploits0References1
NVD
NVD
added 2026/07/04 8:16 a.m.6 views

CVE-2026-12194

PHPIPAM is affected by an authenticated local file inclusion vulnerability that allows users with access to the API to execute/include arbitrary PHP files on the web server's file system. The API is not enabled by default on installations...

2.3CVSS0.00378EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/07/04 6:54 a.m.41 views

CVE-2026-12194 PHPIPAM Authenticated LFI

PHPIPAM is affected by an authenticated local file inclusion vulnerability that allows users with access to the API to execute/include arbitrary PHP files on the web server's file system. The API is not enabled by default on installations...

2.3CVSS0.00378EPSS
Exploits0References2
EUVD
EUVD
added 2026/07/04 6:54 a.m.9 views

EUVD-2026-41659

PHPIPAM is affected by an authenticated local file inclusion vulnerability that allows users with access to the API to execute/include arbitrary PHP files on the web server's file system. The API is not enabled by default on installations...

2.3CVSS6.1AI score0.00378EPSS
Exploits0References2
CVE
CVE
added 2026/07/04 6:54 a.m.27 views

CVE-2026-12194

PHPIPAM is affected by an authenticated local file inclusion vulnerability that can allow API-authenticated users to include arbitrary PHP files on the server filesystem. The API is not enabled by default on installations. The CVSS metrics indicate a low-severity issue with network access, low ef...

2.3CVSS6.1AI score0.00378EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.10 views

PT-2026-54039

Name of the Vulnerable Software and Affected Versions n8n versions prior to 2.8.0 Description An authentication bypass exists that allows authenticated Single Sign-On SSO users to disable SSO enforcement via the API. This allows attackers to create local password credentials to authenticate...

6.3CVSS5.8AI score0.00258EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/06/29 5:19 p.m.13 views

CVE-2026-44727

A flaw was found in Jupyter Server. The nbconvert HTTP handlers in Jupyter Server render user-authored notebook HTML without a sandbox directive in their Content-Security-Policy. This, combined with nbconvert.HTMLExporter's default non-sanitizing behavior, allows a notebook containing an HTML...

9.3CVSS6AI score0.00227EPSS
Exploits0References5
NVD
NVD
added 2026/06/25 10:16 p.m.8 views

CVE-2025-71327

Flowise contains an authentication bypass vulnerability in the unprotected /api/v1/account/register endpoint that allows unauthenticated attackers to create user accounts. Remote attackers can exploit this endpoint to register arbitrary accounts and authenticate to the system, gaining full API...

9.3CVSS0.0046EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/06/25 9:41 p.m.7 views

CVE-2025-71327

Flowise contains an authentication bypass vulnerability in the unprotected /api/v1/account/register endpoint that allows unauthenticated attackers to create user accounts. Remote attackers can exploit this endpoint to register arbitrary accounts and authenticate to the system, gaining full API...

9.3CVSS6AI score0.0046EPSS
Exploits1References3Affected Software1
RedHat Linux
RedHat Linux
added 2026/06/25 6:47 p.m.7 views

keycloak: Keycloak: Attacker can re-enable and take over disabled clients via Registration Access Token

A flaw was found in Keycloak's client registration service. A remote attacker, possessing a previously issued Registration Access Token RAT, could exploit this vulnerability to re-enable a client that an administrator had explicitly disabled. This bypasses security controls, allowing the attacker...

6.5CVSS5.9AI score0.00267EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/06/25 4:17 p.m.6 views

CVE-2026-9705

A flaw was found in Keycloak's client registration service. A remote attacker, possessing a previously issued Registration Access Token RAT, could exploit this vulnerability to re-enable a client that an administrator had explicitly disabled. This bypasses security controls, allowing the attacker...

6.5CVSS5.9AI score0.00267EPSS
Exploits0References7
Cvelist
Cvelist
added 2026/06/25 4:17 p.m.39 views

CVE-2026-9705 Keycloak: keycloak: attacker can re-enable and take over disabled clients via registration access token

A flaw was found in Keycloak's client registration service. A remote attacker, possessing a previously issued Registration Access Token RAT, could exploit this vulnerability to re-enable a client that an administrator had explicitly disabled. This bypasses security controls, allowing the attacker...

6.5CVSS0.00267EPSS
Exploits0References6
Rows per page
Query Builder