CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Positive Technologies•added 2026/04/01 12:0 a.m.•2 views

PT-2026-29540

Exposure of sensitive information in the users MFA feature in Devolutions Server allows users with user management privileges to obtain other users OTP keys via an authenticated API request. This issue affects Server: from 2026.1.6 through 2026.1.11...

5.9AI score0.00042EPSS

RedhatCVE•added 2026/03/27 2:23 p.m.•5 views

CVE-2021-27931

LumisXP aka Lumis Experience Platform before 10.0.0 allows unauthenticated blind XXE via an API request to PageControllerXml.jsp. One can send a request crafted with an XXE payload and achieve outcomes such as reading local server files or denial of service...

9.1CVSS6.8AI score0.89416EPSS

Cvelist•added 2026/02/16 12:25 p.m.•25 views

CVE-2025-14573 Team Admin Bypass of Invite Permissions via allow_open_invite Field

Mattermost versions 10.11.x = 10.11.9 fail to enforce invite permissions when updating team settings, which allows team administrators without proper permissions to bypass restrictions and add users to their team via API requests. Mattermost Advisory ID: MMSA-2025-00561...

3.8CVSS0.0003EPSS

OSV•added 2026/02/02 6:52 a.m.•2 views

MAL-2026-640 Malicious code in connections-api-request (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 cbd9a8004eda10de0059f97712efe95c76e4302c5da5ff83e7fe3bdd3abd381b Importing the module downloads and starts remote executable identified as malware --- Category: MALICIOUS - The campaign has clearly malicious intent, like...

5.4AI score

OSSF Malicious Packages•added 2026/02/02 6:52 a.m.•5 views

Malicious code in connections-api-request (PyPI)

5.4AI score

RedhatCVE•added 2026/01/31 3:19 a.m.•4 views

CVE-2026-25040

Budibase is a low code platform for creating internal tools, workflows, and admin panels. In versions up to and including 3.26.3, a Creator-level user, who normally has no UI permission to invite users, can manipulate API requests to invite new users with any role, including Admin, Creator, or Ap...

8.8CVSS5.9AI score0.0003EPSS

Packet Storm•added 2026/01/27 12:0 a.m.•140 views

📄 Ivanti Connect Secure 9.x / 22.x Command Injection

The provided PHP script targets CVE‑2024‑21887, a command injection vulnerability in Ivanti Connect Secure versions 9.x and 22.x It is designed to identify and exploit vulnerable systems through a crafted API request. It initializes a reusable cURL session to send malicious JSON payloads to a...

9.1CVSS5.9AI score0.94412EPSS

Exploits18

OSV•added 2026/01/13 5:15 p.m.•2 views

CVE-2025-65784

Insecure permissions in Hubert Imoveis e Administracao Ltda Hub v2.0 1.27.3 allows authenticated attackers with low-level privileges to access other users' information via a crafted API request...

6.5CVSS5.8AI score0.0004EPSS

Exploits1References3

NVD•added 2026/01/12 7:16 p.m.•6 views

CVE-2026-22252

LibreChat is a ChatGPT clone with additional features. Prior to v0.8.2-rc2, LibreChat's MCP stdio transport accepts arbitrary commands without validation, allowing any authenticated user to execute shell commands as root inside the container through a single API request. This vulnerability is fix...

9.9CVSS0.001EPSS

Exploits4References2

RedhatCVE•added 2026/01/09 10:31 a.m.•8 views

CVE-2017-18890

An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. It allows an attacker to create a button that, when pressed by a user, launches an API request...

4.3CVSS6.8AI score0.00138EPSS

RedhatCVE•added 2026/01/09 9:53 a.m.•8 views

CVE-2020-10574

An issue was discovered in Janus through 0.9.1. janus.c tries to use a string that doesn't actually exist during a "querylogger" Admin API request, because of a typo in the JSON validation...

9.8CVSS6.7AI score0.00418EPSS

RedhatCVE•added 2026/01/09 8:46 a.m.•6 views

CVE-2025-23202

Bible Module is a tool designed for ROBLOX developers to integrate Bible functionality into their games. The FetchVerse and FetchPassage functions in the Bible Module are susceptible to injection attacks due to the absence of input validation. This vulnerability could allow an attacker to...

10CVSS7.1AI score0.00279EPSS

Cvelist•added 2025/12/30 10:41 p.m.•22 views

CVE-2023-54327 Tinycontrol LAN Controller 1.58a Authentication Bypass via Admin Password Change

Tinycontrol LAN Controller 1.58a contains an authentication bypass vulnerability that allows unauthenticated attackers to change admin passwords through a crafted API request. Attackers can exploit the /stm.cgi endpoint with a specially crafted authentication parameter to disable access controls...

9.8CVSS0.01918EPSS

Exploits2References4

RedhatCVE•added 2025/12/20 5:12 p.m.•2 views

CVE-2025-68477

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0, Langflow provides an API Request component that can issue arbitrary HTTP requests within a flow. This component takes a user-supplied URL, performs only normalization and basic format checks, an...

7.7CVSS6.6AI score0.00027EPSS

Github Security Blog•added 2025/12/19 10:52 p.m.•4 views

Langflow vulnerable to Server-Side Request Forgery

Vulnerability Overview Langflow provides an API Request component that can issue arbitrary HTTP requests within a flow. This component takes a user-supplied URL, performs only normalization and basic format checks, and then sends the request using a server-side httpx client. It does not block...

7.7CVSS6.5AI score0.00027EPSS

Exploits1References3Affected Software1

Cvelist•added 2025/12/19 4:43 p.m.•18 views

CVE-2025-68477 Langflow vulnerable to Server-Side Request Forgery

7.7CVSS0.00027EPSS

Vulnrichment•added 2025/12/19 4:43 p.m.•1 views

CVE-2025-68477 Langflow vulnerable to Server-Side Request Forgery

7.7CVSS6.3AI score0.00027EPSS