Lucene search
K

1204 matches found

EUVD
EUVD
added 2026/04/02 3:31 p.m.4 views

EUVD-2026-18225

A vulnerability was identified in Xiaopi Panel 1.0.0. This vulnerability affects unknown code of the file /demo.php of the component WAF Firewall. The manipulation of the argument param leads to cross site scripting. Remote exploitation of the attack is possible. The exploit is publicly available...

5.1CVSS4.4AI score0.00194EPSS
Exploits0References5
EUVD
EUVD
added 2026/04/02 3:3 p.m.7 views

EUVD-2026-18352

The OWASP core rule set CRS is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 3.3.9 and 4.25.0, a bypass was identified in OWASP CRS that allows uploading files with dangerous extensions .php, .phar, .jsp, .jspx by inserting whitespace...

6.8CVSS5.7AI score0.02172EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/04/02 12:0 a.m.6 views

PT-2026-29925

Summary Rack::Multipart::Parser extracts the boundary parameter from multipart/form-data using a greedy regular expression. When a Content-Type header contains multiple boundary parameters, Rack selects the last one rather than the first. In deployments where an upstream proxy, WAF, or intermedia...

3.7CVSS5.9AI score0.00253EPSS
Exploits0References4
CNNVD
CNNVD
added 2026/04/02 12:0 a.m.8 views

Henan Xiaopi Panel 代码注入漏洞

Henan Xiaopi Panel is a Linux graphical interface developed by Henan Xiaopi in Henan, China. Version 1.0.0 of Henan Xiaopi Panel contains a code injection vulnerability. This vulnerability stems from improper handling of the parameter “param” in the file/demo.php of the component WAF Firewall,...

6.1CVSS5.6AI score0.00194EPSS
Exploits0References4
RubySec
RubySec
added 2026/04/02 12:0 a.m.36 views

Rack's greedy multipart boundary parsing can cause parser differentials and WAF bypass.

Summary Rack::Multipart::Parser extracts the boundary parameter from multipart/form-data using a greedy regular expression. When a Content-Type header contains multiple boundary parameters, Rack selects the last one rather than the first. In deployments where an upstream proxy, WAF, or intermedia...

5.3CVSS5.8AI score0.00253EPSS
Exploits0References1Affected Software1
RedhatCVE
RedhatCVE
added 2026/03/26 3:7 p.m.9 views

CVE-2026-31382

The errordescription parameter is vulnerable to Reflected XSS. An attacker can bypass the domain's WAF using a Safari-specific onpagereveal payload...

6.1CVSS6AI score0.00245EPSS
Exploits1References1
EUVD
EUVD
added 2026/03/20 3:31 p.m.6 views

EUVD-2026-13686

The errordescription parameter is vulnerable to Reflected XSS. An attacker can bypass the domain's WAF using a Safari-specific onpagereveal payload...

6.1CVSS5.8AI score0.00303EPSS
Exploits1References2
NVD
NVD
added 2026/03/20 2:16 p.m.4 views

CVE-2026-31382

The errordescription parameter is vulnerable to Reflected XSS. An attacker can bypass the domain's WAF using a Safari-specific onpagereveal payload...

6.1CVSS0.00245EPSS
Exploits1References2
Positive Technologies
Positive Technologies
added 2026/03/20 12:0 a.m.4 views

PT-2026-26562

AVideo is a video-sharing Platform. Versions prior to 8.0 contain a SQL Injection vulnerability in the getSqlFromPost method of Object.php. The $ POST'sort' array keys are used directly as SQL column identifiers inside an ORDER BY clause. Although real escape string was applied, it only escapes...

8.6CVSS5.8AI score0.00398EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/03/20 12:0 a.m.5 views

PT-2026-26610

Name of the Vulnerable Software and Affected Versions affected versions not specified Description The error description parameter is susceptible to Reflected Cross-Site Scripting XSS. An attacker can circumvent the website's Web Application Firewall WAF by utilizing a payload specifically designe...

6.1CVSS6AI score0.00303EPSS
Exploits1References8
Redos
Redos
added 2026/03/18 12:0 a.m.8 views

ROS-20260318-73-0001

A vulnerability in the ModSecurity web application security module exists due to insufficient input validation during URL processing. Exploitation of the vulnerability could allow an attacker acting remotely to bypass WAF rules...

8.6CVSS7.3AI score0.00682EPSS
Exploits0
CNVD
CNVD
added 2026/03/17 12:0 a.m.3 views

Fortinet FortiWeb OS Command Injection Vulnerability (CNVD-2026-14602)

Fortinet FortiWeb is a Web application layer firewall from the U.S. company Fita Fortinet, which can block threats such as cross-site scripting, SQL injection, cookie poisoning, schema poisoning and other attacks to ensure the security of Web applications and protect sensitive database content. A...

7.2CVSS6.1AI score0.01667EPSS
Exploits0References1
OSV
OSV
added 2026/03/11 12:21 a.m.3 views

GHSA-775H-3XRC-C228 Parse Server has a rate limit bypass via batch request endpoint

Impact Parse Server's rate limiting middleware is applied at the Express middleware layer, but the batch request endpoint /batch processes sub-requests internally by routing them directly through the Promise router, bypassing Express middleware including rate limiting. An attacker can bundle...

6.9CVSS5.8AI score0.00342EPSS
Exploits0References5
Akamai Blog
Akamai Blog
added 2026/03/10 12:0 p.m.7 views

Build Transformative Security with AI-Powered WAF Detections

...

5.8AI score
Exploits0
Snyk
Snyk
added 2026/03/10 12:57 a.m.3 views

Prototype Pollution

Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Prototype Pollution via triggers.js when a prototype property name is used as the function name. An attacker can terminate t...

8.8CVSS6.2AI score0.0049EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/03/10 12:57 a.m.8 views

Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resolution

Impact An unauthenticated attacker can crash the Parse Server process by calling a Cloud Function endpoint with a prototype property name as the function name. The server recurses infinitely, causing a call stack size error that terminates the process. Other prototype property names bypass Cloud...

8.8CVSS5.8AI score0.0049EPSS
Exploits0References5Affected Software1
Positive Technologies
Positive Technologies
added 2026/03/10 12:0 a.m.7 views

PT-2026-24188

Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 8.6.13 Parse Server versions prior to 9.5.1-alpha.2 Description An unauthenticated attacker can cause a denial of service by crashing the Parse Server process. This occurs by calling a Cloud Function endpoint wit...

8.8CVSS5.7AI score0.0049EPSS
Exploits0References13
CNNVD
CNNVD
added 2026/03/10 12:0 a.m.7 views

Fortinet FortiWeb 操作系统命令注入漏洞

Fortinet FortiWeb is a Web application layer firewall from the U.S. company Fita Fortinet, which can block threats such as cross-site scripting, SQL injection, cookie poisoning, schema poisoning and other attacks to ensure the security of Web applications and protect sensitive database content. A...

7.2CVSS6AI score0.01667EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/03/10 12:0 a.m.7 views

Fortinet FortiWeb 安全漏洞

Fortinet FortiWeb is a Web application layer firewall developed by the American company Fortinet. It can block threats such as cross-site scripting, SQL injection, cookie poisoning, and schema poisoning, ensuring the security of web applications and protecting sensitive database content. Fortinet...

5.3CVSS5.8AI score0.00459EPSS
Exploits0References1
Hacker One
Hacker One
added 2026/03/08 7:16 a.m.13 views

AWS VDP: SQL Injection Detection Bypass in AWS WAF Managed Rules (AWSManagedRulesSQLiRuleSet)

Researchers This vulnerability was discovered through collaborative security research. Researchers: - █████ - █████████ - █████████ --- Summary AWS WAF fails to detect certain SQL injection payload variants. These payloads bypass the AWS WAF SQL injection detection rules and reach the backend...

6.1AI score
Exploits0
Rows per page
Query Builder