Lucene search
K

2274 matches found

OSV
OSV
added yesterday3 views

BIT-PILLOW-2026-59199 Pillow: Heap out-of-bounds write `Image.paste()` / `Image.crop()` via signed coordinate overflow

Pillow is a Python imaging library. Prior to 12.3.0, Pillow public image coordinate APIs can trigger a native heap out-of-bounds write when given coordinates near the signed 32-bit integer limits in Image.paste, Image.crop, or Image.alphacomposite. This issue is fixed in version 12.3.0...

7.5CVSS6.1AI score0.0039EPSS
Exploits1References5
OSV
OSV
added 2 days ago3 views

CVE-2026-59199 Pillow: Heap out-of-bounds write `Image.paste()` / `Image.crop()` via signed coordinate overflow

Pillow is a Python imaging library. Prior to 12.3.0, Pillow public image coordinate APIs can trigger a native heap out-of-bounds write when given coordinates near the signed 32-bit integer limits in Image.paste, Image.crop, or Image.alphacomposite. This issue is fixed in version 12.3.0...

7.5CVSS6.1AI score0.0039EPSS
Exploits1References6
CVE
CVE
added 2 days ago9 views

CVE-2026-59199

Pillow (Python imaging library) prior to 12.3.0 is affected by a heap out-of-bounds write in public image coordinate APIs when coordinates near signed 32-bit limits are provided to Image.paste(), Image.crop(), or Image.alpha_composite(). The issue is fixed in 12.3.0. Affected component: Pillow’s ...

7.5CVSS6.1AI score0.0039EPSS
Exploits1References4Affected Software1
Positive Technologies
Positive Technologies
added 2 days ago4 views

PT-2026-58090

Name of the Vulnerable Software and Affected Versions Pillow versions prior to 12.3.0 Description Public image coordinate APIs in the Pillow Python imaging library can trigger a native heap out-of-bounds write. This occurs when coordinates near the signed 32-bit integer limits are provided to the...

7.5CVSS6.1AI score0.0039EPSS
Exploits1References8
NVD
NVD
added last week10 views

CVE-2026-44342

New API is a large language mode LLM gateway and artificial intelligence AI asset management system. Prior to 0.12.0-alpha.1, the email and WeChat account binding endpoints GET /api/oauth/email/bind and GET /api/oauth/wechat/bind used GET requests for state-changing account operations, allowing a...

5.3CVSS0.00187EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added last week6 views

CVE-2026-44342

New API is a large language mode LLM gateway and artificial intelligence AI asset management system. Prior to 0.12.0-alpha.1, the email and WeChat account binding endpoints GET /api/oauth/email/bind and GET /api/oauth/wechat/bind used GET requests for state-changing account operations, allowing a...

5.3CVSS5.8AI score0.00187EPSS
Exploits0References4Affected Software1
Cvelist
Cvelist
added last week34 views

CVE-2026-44342 New API CSRF in email and WeChat account binding endpoints

New API is a large language mode LLM gateway and artificial intelligence AI asset management system. Prior to 0.12.0-alpha.1, the email and WeChat account binding endpoints GET /api/oauth/email/bind and GET /api/oauth/wechat/bind used GET requests for state-changing account operations, allowing a...

5.3CVSS0.00187EPSS
Exploits0References3
CVE
CVE
added last week20 views

CVE-2026-44342

CVE-2026-44342 describes a CSRF vulnerability in the New API where GET requests on state-changing endpoints GET /api/oauth/email/bind and GET /api/oauth/wechat/bind could allow an attacker to bind an email or OAuth identity for a logged-in user when session cookies are susceptible to cross-site n...

5.3CVSS5.8AI score0.00187EPSS
Exploits0References3
OSV
OSV
added last week4 views

CVE-2026-44342 New API CSRF in email and WeChat account binding endpoints

New API is a large language mode LLM gateway and artificial intelligence AI asset management system. Prior to 0.12.0-alpha.1, the email and WeChat account binding endpoints GET /api/oauth/email/bind and GET /api/oauth/wechat/bind used GET requests for state-changing account operations, allowing a...

5.3CVSS6AI score0.00187EPSS
Exploits0References5
Cvelist
Cvelist
added last week35 views

CVE-2026-33655 New API: SSRF Protection Bypass via Unresolved Hostname in Notification URLs

New API is a large language mode LLM gateway and artificial intelligence AI asset management system. Prior to 0.12.0-alpha.1, the default SSRF protection configuration did not apply IP filtering to hostnames; with ApplyIPFilterForDomain disabled by default, URL validation checked domain allow/blo...

7.7CVSS0.00437EPSS
Exploits0References3
OSV
OSV
added last week4 views

CVE-2026-33655 New API: SSRF Protection Bypass via Unresolved Hostname in Notification URLs

New API is a large language mode LLM gateway and artificial intelligence AI asset management system. Prior to 0.12.0-alpha.1, the default SSRF protection configuration did not apply IP filtering to hostnames; with ApplyIPFilterForDomain disabled by default, URL validation checked domain allow/blo...

7.7CVSS6.1AI score0.00437EPSS
Exploits0References5
NVD
NVD
added 2026/07/08 9:16 p.m.7 views

CVE-2026-57481

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.13 and 8.6.83, a LiveQuery subscriber could receive object field values they were not authorized to read when a single save changed both an object field and the subscriber'...

2.3CVSS0.00386EPSS
Exploits0References7
CVE
CVE
added 2026/07/08 8:54 p.m.8 views

CVE-2026-57481

Parse Server LiveQuery vulnerability: a subscriber could receive object field values the reader is not authorized to read when a single save changed both the object field and the subscriber’s ACL read access, due to leave/enter events using the wrong object state. Affected versions before 9.9.1-a...

2.3CVSS6AI score0.00386EPSS
Exploits0References7
OSV
OSV
added 2026/07/08 8:54 p.m.2 views

CVE-2026-57481 Parse Server: LiveQuery discloses object data to a subscriber across an ACL read-access change

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.13 and 8.6.83, a LiveQuery subscriber could receive object field values they were not authorized to read when a single save changed both an object field and the subscriber'...

2.3CVSS6.1AI score0.00386EPSS
Exploits0References9
OSV
OSV
added 2026/07/08 8:50 p.m.2 views

CVE-2026-55778 Parse Server: Stored XSS via non-standard file extension bypassing file upload extension blocklist

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.11 and 8.6.81, the default fileUpload.fileExtensions blocklist could be bypassed by uploading a file with a non-standard or compound extension and dangerous content type,...

2.1CVSS5.8AI score0.00406EPSS
Exploits0References9
NVD
NVD
added 2026/07/08 2:17 p.m.10 views

CVE-2026-54061

Dgraph is an open source distributed GraphQL database. Prior to version 25.3.5, Dgraph Alpha exposes the RPCs used for external snapshot import on the public gRPC port :9080 without authentication or authorization. As a result, an unauthenticated network client can open StreamExtSnapshot and send...

9.1CVSS0.00388EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/07/08 1:23 p.m.30 views

CVE-2026-54061 Dgraph Alpha group stores can be replaced via unauthenticated external snapshot import

Dgraph is an open source distributed GraphQL database. Prior to version 25.3.5, Dgraph Alpha exposes the RPCs used for external snapshot import on the public gRPC port :9080 without authentication or authorization. As a result, an unauthenticated network client can open StreamExtSnapshot and send...

9.1CVSS0.00388EPSS
Exploits0References2
OSV
OSV
added 2026/07/08 1:23 p.m.4 views

CVE-2026-54061 Dgraph Alpha group stores can be replaced via unauthenticated external snapshot import

Dgraph is an open source distributed GraphQL database. Prior to version 25.3.5, Dgraph Alpha exposes the RPCs used for external snapshot import on the public gRPC port :9080 without authentication or authorization. As a result, an unauthenticated network client can open StreamExtSnapshot and send...

9.1CVSS6.1AI score0.00388EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/07/08 12:0 a.m.8 views

PT-2026-56423

Name of the Vulnerable Software and Affected Versions Dgraph versions prior to 25.3.5 Description Dgraph Alpha exposes privileged RPCs used for external snapshot import on the public gRPC port :9080 without authentication or authorization. An unauthenticated network client can access the...

9.1CVSS6.1AI score0.00388EPSS
Exploits0References7
Snyk
Snyk
added 2026/07/07 1:1 p.m.4 views

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the notification URL validation process. An attacker can access internal network resources and potentially expose sensitive internal data by configuring notification URLs to point to hostnames that...

7.7CVSS6AI score0.00437EPSS
Exploits0References2
Rows per page
Query Builder