Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in
🔥 Daily Hot!
💪🏽 CPE Enhanced Advisories
🕶 Shadow Exploits
🕵🏼 Vulners CPE
🔐 Security news
💻 Exploit updates
📑 Blogs review
🐧 Linux vulnerabilities
🐞 Bugbounty
🤖 AI High Score
📰 CVE Feed
show all

12 matches found

CVE
CVEadded last week10 views

CVE-2026-10107

MoviePilot v2 is affected by an SSRF flaw in the image proxy endpoint /api/v1/system/img/{proxy}. Authentication is required, and an attacker can supply a resource_token cookie and a URL whose domain matches the allowlist to fetch arbitrary URLs. The root cause is that Safe URL checking (Security...

7.7CVSS5.9AI score0.00031EPSS
Exploits0References4
CNNVD
CNNVDadded 2026/04/10 12:0 a.m.3 views

OpenClaw 安全漏洞

OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.3.24 contained security vulnerabilities. These vulnerabilities stemmed from the /allowlist command not revalidating the gateway client scope for internal callers. This could allow...

7.1CVSS5.8AI score0.00038EPSS
Exploits1References2
Cvelist
Cvelistadded 2026/02/26 9:16 p.m.19 views

CVE-2026-27153 Discourse doesn't prevent moderators from exporting user Chat DMs

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, moderators could export user Chat DMs via the CSV export endpoint by exploiting an overly permissive allowlist in canexportentity?. The method allowed moderators to export any entity not explicit...

5.3CVSS0.00049EPSS
Exploits0References1
Veracode
Veracodeadded 2026/02/10 12:36 p.m.3 views

Improper Origin Validation

Bokeh is vulnerable to improper origin validation. The vulnerability is due to flawed allowlist matching of the WebSocket Origin header, which allows an attacker to register a look-alike domain or subdomain that bypasses origin checks and establish a WebSocket connection to the Bokeh server...

7.4CVSS5.5AI score0.00008EPSS
Exploits1References4Affected Software1
SUSE CVE
SUSE CVEadded 2026/01/09 12:23 a.m.3 views

SUSE CVE-2026-21883

Bokeh is an interactive visualization library written in Python. In versions 3.8.1 and below, if a server is configured with an allowlist e.g., dashboard.corp, an attacker can register a domain like dashboard.corp.attacker.com or use a subdomain if applicable and lure a victim to visit it. The...

7.4CVSS6.8AI score0.00008EPSS
Exploits1References3
NVD
NVDadded 2026/01/08 2:15 a.m.1 views

CVE-2026-21883

Bokeh is an interactive visualization library written in Python. In versions 3.8.1 and below, if a server is configured with an allowlist e.g., dashboard.corp, an attacker can register a domain like dashboard.corp.attacker.com or use a subdomain if applicable and lure a victim to visit it. The...

7.4CVSS0.00008EPSS
Exploits1References3
Vulnrichment
Vulnrichmentadded 2026/01/08 1:20 a.m.2 views

CVE-2026-21883 Bokeh server applications have Incomplete Origin Validation in WebSockets

Bokeh is an interactive visualization library written in Python. In versions 3.8.1 and below, if a server is configured with an allowlist e.g., dashboard.corp, an attacker can register a domain like dashboard.corp.attacker.com or use a subdomain if applicable and lure a victim to visit it. The...

7.4CVSS6.3AI score0.00008EPSS
Exploits1References2
Positive Technologies
Positive Technologiesadded 2026/01/08 12:0 a.m.2 views

PT-2026-2119

Name of the Vulnerable Software and Affected Versions Bokeh versions 3.8.1 and below Description Bokeh is an interactive visualization library written in Python. If a server is configured with an allowlist, an attacker can register a domain and lure a victim to visit it. The malicious site can th...

7.4CVSS6.5AI score0.00008EPSS
Exploits1References8
Github Security Blog
Github Security Blogadded 2026/01/06 5:53 p.m.8 views

Bokeh server applications have Incomplete Origin Validation in WebSockets

This vulnerability allows for Cross-Site WebSocket Hijacking CSWSH of a deployed Bokeh server instance. Scope This vulnerability is only relevant to deployed Bokeh server instances. There is no impact on static HTML output, standalone embedded plots, or Jupyter notebook usage. This vulnerability...

7.4CVSS7.1AI score0.00008EPSS
Exploits1References5Affected Software1
OSV
OSVadded 2025/08/18 6:46 p.m.2 views

GHSA-X5GV-JW7F-J6XJ Claude Code's Permissive Default Allowlist Enables Unauthorized File Read and Network Exfiltration in Claude Code

Due to an overly broad allowlist of safe commands, it was possible to bypass the Claude Code confirmation prompts to read a file and then send file contents over the network without user confirmation. Reliably exploiting this requires the ability to add untrusted content into a Claude Code contex...

7.1CVSS7.2AI score0.00137EPSS
Exploits0References3
Snyk
Snykadded 2025/06/30 8:42 p.m.1 views

Arbitrary Command Injection

Overview Affected versions of this package are vulnerable to Arbitrary Command Injection via the erroneous implementation of the allowlist process. An attacker can gain unauthorized access to execute arbitrary shell commands by bypassing configured restrictions. This may result in exposure or...

9.3CVSS8.1AI score0.00498EPSS
Exploits1References2
Snyk
Snykadded 2025/06/30 8:42 p.m.1 views

Arbitrary Command Injection

Overview Affected versions of this package are vulnerable to Arbitrary Command Injection via the erroneous implementation of the allowlist process. An attacker can gain unauthorized access to execute arbitrary shell commands by bypassing configured restrictions. This may result in exposure or...

9.3CVSS8.1AI score0.00498EPSS
Exploits1References2
Rows per page
Query Builder