CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

SUSE CVE•added 2026/05/30 1:59 a.m.•8 views

SUSE CVE-2026-48523

PyJWT is a JSON Web Token implementation in Python. From 2.9.0 to 2.12.1, there is a verifier-side algorithm allow-list bypass when jwt.decode or jwt.decodecomplete are called with a PyJWK key. The token header alg is checked against the caller-supplied algorithms allow-list, but signature...

PyPA•added 2026/05/28 4:16 p.m.•7 views

Exploits1References3

PYSEC-0000-CVE-2026-48523

Exploits1References1Affected Software1

Cvelist•added 2026/05/28 3:10 p.m.•29 views

CVE-2026-48523 PyJWT: Algorithm allow-list bypass when decoding with `PyJWK` / `PyJWKClient` keys

5.4CVSS0.00014EPSS

Vulnrichment•added 2026/05/28 3:10 p.m.•8 views

CVE-2026-48523 PyJWT: Algorithm allow-list bypass when decoding with `PyJWK` / `PyJWKClient` keys

Positive Technologies•added 2026/05/28 12:0 a.m.•6 views

PT-2026-44395

PyJWT is a JSON Web Token implementation in Python. From 2.9.0 to 2.12.1, there is a verifier-side algorithm allow-list bypass when jwt.decode or jwt.decode complete are called with a PyJWK key. The token header alg is checked against the caller-supplied algorithms allow-list, but signature...

Tenable Nessus•added 2026/05/22 12:0 a.m.•8 views

Exploits1References2

Grafana Labs < 11.6.14+security-04 / 12.2.0 < 12.2.8+security-04 / 12.3.0 < 12.3.6+security-04 / 12.4.0 < 12.4.3+security-02 / 13.0.0 < 13.0.1+security-01 Multiple Vulnerabilities

The version of Grafana Labs installed on the remote host is affected by multiple vulnerabilities, including: - A broken access control flaw in the Snapshot API allows any Editor to delete dashboard snapshots, even those they have no read or write access to. CVE-2026-28380 - When using an IPv6...

7.4CVSS5.9AI score0.00019EPSS

Exploits0References20

NVD•added 2026/04/28 7:37 p.m.•2 views

CVE-2026-41380

OpenClaw before 2026.3.28 contains an execution approval vulnerability in exec-approvals-allowlist.ts that allows allow-always persistence to trust wrapper carrier executables instead of invoked targets. Attackers can exploit positional carrier executable routing through dispatch wrappers to...

7.3CVSS0.00028EPSS

Exploits0References2

CVE•added 2026/04/09 9:23 p.m.•7 views

CVE-2026-40149

PraisonAI’s multi-agent system is vulnerable to an unauthenticated modification of the tool approval allowlist via the gateway’s /api/approval/allow-list endpoint (pre-4.5.128). By adding dangerous tool names (e.g., shell_exec, file_write) when no auth_token is configured, an attacker can cause t...

7.9CVSS5.9AI score0.00015EPSS

Exploits1References1Affected Software1

Cvelist•added 2026/04/07 7:13 p.m.•16 views

CVE-2026-39365 Vite has a Path Traversal in Optimized Deps `.map` Handling

Vite is a frontend tooling framework for JavaScript. From 6.0.0 to before 6.4.2, 7.3.2, and 8.0.5, the dev server’s handling of .map requests for optimized dependencies resolves file paths and calls readFile without restricting ../ segments in the URL. As a result, it is possible to bypass the...

6.3CVSS0.01457EPSS

ATTACKERKB•added 2026/04/06 9:32 p.m.•2 views

CVE-2026-35410

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, an open redirect vulnerability exists in the login redirection logic. The isLoginRedirectAllowed function fails to correctly identify certain malformed URLs as external, allowing attackers to bypass...

6.1CVSS6.1AI score0.00016EPSS

Exploits0References2Affected Software1

EUVD•added 2026/04/06 9:32 p.m.•0 views

EUVD-2026-19518

6.1CVSS6.1AI score0.00016EPSS

Positive Technologies•added 2026/04/04 12:0 a.m.•1 views

PT-2026-30327

Name of the Vulnerable Software and Affected Versions Directus versions prior to 11.16.1 Description Directus is a real-time API and App dashboard for managing SQL database content. An open redirect exists in the login redirection logic because the isLoginRedirectAllowed function incorrectly...

6.1CVSS6AI score0.00016EPSS

Exploits0References4

CNVD•added 2026/03/24 12:0 a.m.•1 views

OpenClaw code issue vulnerability (CNVD-2026-14860)

OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. OpenClaw suffers from a code issue vulnerability that can be exploited by an attacker to bypass the allow list check and execute a trojan binary...

7.8CVSS6AI score0.00017EPSS

CNVD•added 2026/03/12 12:0 a.m.•1 views

OpenClaw has an unspecified vulnerability (CNVD-2026-13596)

OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. OpenClaw suffers from a security vulnerability that stems from a Webhook routing issue in the Google Chat monitor component, which can be exploited by an attacker to cause cross-account policy context misrouting that bypass...

8.2CVSS5.8AI score0.00042EPSS

Tenable Nessus•added 2026/02/06 12:0 a.m.•3 views

Linux Distros Unpatched Vulnerability : CVE-2025-68458

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Webpack is a module bundler. From version 5.49.0 to before 5.104.1, when experiments.buildHttp is enabled, webpack's HTTPS resolver HttpUriPlugin can be bypasse...

3.7CVSS5.7AI score0.00014EPSS

Exploits1References4

OSV•added 2026/02/05 11:15 p.m.•2 views

DEBIAN-CVE-2025-68458

Webpack is a module bundler. From version 5.49.0 to before 5.104.1, when experiments.buildHttp is enabled, webpack’s HTTPS resolver HttpUriPlugin can be bypassed to fetch resources from hosts outside allowedUris by using crafted URLs that include userinfo username:password@host. If allowedUris...

3.7CVSS5.3AI score0.00014EPSS

OSV•added 2026/02/05 11:15 p.m.•2 views

DEBIAN-CVE-2025-68157

Webpack is a module bundler. From version 5.49.0 to before 5.104.0, when experiments.buildHttp is enabled, webpack’s HTTPS resolver HttpUriPlugin enforces allowedUris only for the initial URL, but does not re-validate allowedUris after following HTTP 30x redirects. As a result, an import that...

3.7CVSS5.3AI score0.00014EPSS