Lucene search
+L

6229 matches found

Cvelist
Cvelist
added 1 hour ago4 views

CVE-2026-45260 Pimcore: Missing Authorization in WebDAV MOVE via unchecked asset move handling

Pimcore is an Open Source Data & Experience Management Platform. Prior to 11.5.17 LTS and 12.3.7, Pimcore's WebDAV asset endpoint exposes a MOVE operation through /asset/webdavpath without an authentication plugin in bundles/CoreBundle/src/Controller/WebDavController.php, and...

8.1CVSS0.00141EPSS
Exploits0References4
Nuclei
Nuclei
added 16 hours ago173 views

IBM Maximo Asset Management Information Disclosure - XML External Entity Injection

IBM Maximo Asset Management is vulnerable to an XML external entity injection XXE attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. id: CVE-2020-4463 info: name: IBM Maximo Asset Management Information...

8.2CVSS7.8AI score0.3159EPSS
Exploits1References5
NVD
NVD
added 18 hours ago4 views

CVE-2026-62238

OpenRemote before 1.26.0 contain an authenticated SQL injection vulnerability in the datapoint crosstab export endpoint that constructs PostgreSQL queries by concatenating asset display names into raw SQL. An authenticated attacker with asset creation or rename permissions can inject SQL through...

7.2CVSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 20 hours ago5 views

CVE-2026-62238

OpenRemote before 1.26.0 contain an authenticated SQL injection vulnerability in the datapoint crosstab export endpoint that constructs PostgreSQL queries by concatenating asset display names into raw SQL. An authenticated attacker with asset creation or rename permissions can inject SQL through...

7.2CVSS6.1AI score
Exploits0References3
Cvelist
Cvelist
added 20 hours ago13 views

CVE-2026-62238 OpenRemote < 1.26.0 SQL Injection via Crosstab Export

OpenRemote before 1.26.0 contain an authenticated SQL injection vulnerability in the datapoint crosstab export endpoint that constructs PostgreSQL queries by concatenating asset display names into raw SQL. An authenticated attacker with asset creation or rename permissions can inject SQL through...

7.2CVSS
Exploits0References2
CVE
CVE
added 20 hours ago10 views

CVE-2026-62238

OpenRemote

7.2CVSS6.1AI score
Exploits0References2
EUVD
EUVD
added 20 hours ago7 views

EUVD-2026-45084

OpenRemote before 1.26.0 contain an authenticated SQL injection vulnerability in the datapoint crosstab export endpoint that constructs PostgreSQL queries by concatenating asset display names into raw SQL. An authenticated attacker with asset creation or rename permissions can inject SQL through...

7.2CVSS6.1AI score
Exploits0References2
EUVD
EUVD
added 2 days ago4 views

EUVD-2026-44579

An issue in Aetopia Digital Asset Management DAM v.1.0.0 allows a remote attacker to execute arbitrary code via the name and description parameter of the Add/Update Project function...

9.8CVSS6.4AI score0.00785EPSS
Exploits0References4
NVD
NVD
added 3 days ago4 views

CVE-2026-38450

An issue in Aetopia Digital Asset Management DAM v.1.0.0 allows a remote attacker to execute arbitrary code via the name and description parameter of the Add/Update Project function...

9.8CVSS0.00785EPSS
Exploits0References3
EUVD
EUVD
added 3 days ago5 views

EUVD-2026-43635

In Eclipse BaSyx Java Server SDK versions 2.0.0-milestone-05 to 2.0.0-milestone-12, deployments using the MongoDB backend are vulnerable to an unauthenticated arbitrary file write through the AAS thumbnail API. The AAS thumbnail upload path accepted a client-controlled fileName request parameter...

9CVSS6.3AI score0.00447EPSS
Exploits0References1
CVE
CVE
added 3 days ago7 views

CVE-2026-38450

CVE-2026-38450 — Aetopia DAM v1.0.0 has a remote code execution issue exploitable via the name and description parameters of the Add/Update Project function. The provided data lists a high-severity CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and notes a remote attacker with no privilege...

9.8CVSS6.4AI score0.00785EPSS
Exploits0References3
Cvelist
Cvelist
added 3 days ago33 views

CVE-2026-38450

An issue in Aetopia Digital Asset Management DAM v.1.0.0 allows a remote attacker to execute arbitrary code via the name and description parameter of the Add/Update Project function...

0.00785EPSS
Exploits0References3
OSV
OSV
added 5 days ago2 views

MINI-PJVM-XHG7-4G53

Bulletin has no description...

7.8CVSS6.1AI score0.00183EPSS
Exploits0
Snyk
Snyk
added 2026/07/10 8:31 p.m.4 views

Authorization Bypass Through User-Controlled Key

Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the assetid field in the API update process. An attacker can gain unauthorized access to assets outside their company...

7.7CVSS6.1AI score0.00218EPSS
Exploits0References2
NVD
NVD
added 2026/07/10 8:16 p.m.8 views

CVE-2026-55469

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, an authenticated user with import and assets.update permissions can place a path traversal string in an asset image field through CSV import and then trigger image deletion, allowing deletion of arbitrary files accessible to the...

6.5CVSS0.00378EPSS
Exploits0References3
OSV
OSV
added 2026/07/10 7:42 p.m.3 views

CVE-2026-55469 Snipe-IT: Path traversal vulnerability via CSV import `image` field

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, an authenticated user with import and assets.update permissions can place a path traversal string in an asset image field through CSV import and then trigger image deletion, allowing deletion of arbitrary files accessible to the...

6.5CVSS6.2AI score0.00378EPSS
Exploits0References5
EUVD
EUVD
added 2026/07/10 7:42 p.m.6 views

EUVD-2026-43000

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, an authenticated user with import and assets.update permissions can place a path traversal string in an asset image field through CSV import and then trigger image deletion, allowing deletion of arbitrary files accessible to the...

6.5CVSS6.2AI score0.00378EPSS
Exploits0References3
EUVD
EUVD
added 2026/07/10 7:40 p.m.7 views

EUVD-2026-42998

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, the legacy single-seat license checkin flow authorizes the action with the checkout permission instead of the checkin permission, allowing a user who can assign licenses but not unassign them to directly access the old checkin...

5.3CVSS6.1AI score0.0019EPSS
Exploits0References3
EUVD
EUVD
added 2026/07/10 7:40 p.m.8 views

EUVD-2026-42997

Snipe-IT is an IT asset/license management system. Prior to 8.5.0, Actionlog::logaction stores the request User-Agent header and ReportsController::postActivityReport writes that value to the Activity Report CSV without formula escaping, allowing a low-privileged authenticated user to store a...

4.8CVSS6.2AI score0.00234EPSS
Exploits0References3
NVD
NVD
added 2026/07/10 7:17 p.m.8 views

CVE-2026-55476

Snipe-IT is an IT asset/license management system. Prior to 8.6.0, POST /account/request/itemType/itemId/cancelbyadmin?/requestingUser? accepts cancelbyadmin as a URL path segment without sufficient authorization, allowing an authenticated user to supply a victim user ID and silently cancel that...

5.3CVSS0.002EPSS
Exploits0References4
Rows per page
Query Builder