Lucene search
K

6181 matches found

ATTACKERKB
ATTACKERKB
added 2026/06/23 10:6 p.m.6 views

CVE-2026-12163

Fortra File Integrity Monitoring FIM, formerly Tripwire Enterprise, versions prior to 9.4.0.1 contain a stored cross-site scripting XSS vulnerability in the Asset View UI component. An authenticated user with sufficient privileges to create or modify affected node or database configuration fields...

5.5CVSS5.7AI score0.00145EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.10 views

PT-2026-51604

Name of the Vulnerable Software and Affected Versions Fortra File Integrity Monitoring FIM versions prior to 9.4.0.1 Description A stored cross-site scripting XSS issue exists in the Asset View UI component. An authenticated user with sufficient privileges to create or modify affected node or...

5.5CVSS5.6AI score0.00145EPSS
Exploits0References7
NVD
NVD
added 2026/06/21 2:16 p.m.11 views

CVE-2026-56384

Craft CMS contains a missing authorization vulnerability in the assets/preview-thumb endpoint. A Control Panel user without permission to view a target private asset can call the endpoint with an attacker-controlled assetId and receive preview HTML containing a signed fallback transform preview...

5.3CVSS0.00193EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/21 1:27 p.m.9 views

EUVD-2026-38179

Craft CMS versions = 5.0.0-RC1, = 4.0.0-RC1, = 4.17.7 contain an authorization bypass in the assets/preview-file endpoint. The action does not enforce per-asset view authorization before returning preview content, allowing an authenticated low-privileged user to supply a controlled assetId for an...

5.3CVSS5.9AI score0.00221EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/06/21 1:27 p.m.3 views

CVE-2026-56384

Craft CMS contains a missing authorization vulnerability in the assets/preview-thumb endpoint. A Control Panel user without permission to view a target private asset can call the endpoint with an attacker-controlled assetId and receive preview HTML containing a signed fallback transform preview...

5.3CVSS5.9AI score0.00193EPSS
Exploits0References4
EUVD
EUVD
added 2026/06/21 1:27 p.m.6 views

EUVD-2026-38178

Craft CMS contains a missing authorization vulnerability in the assets/preview-thumb endpoint. A Control Panel user without permission to view a target private asset can call the endpoint with an attacker-controlled assetId and receive preview HTML containing a signed fallback transform preview...

5.3CVSS5.9AI score0.00193EPSS
Exploits0References3
CVE
CVE
added 2026/06/21 1:27 p.m.23 views

CVE-2026-56384

Craft CMS has a missing authorization vulnerability in the assets/preview-thumb endpoint. A Control Panel user without permission to view a private asset can call the endpoint with an attacker-controlled assetId and receive preview HTML containing a signed fallback transform preview link for that...

5.3CVSS5.9AI score0.00193EPSS
Exploits0References3
Snyk
Snyk
added 2026/06/19 10:10 p.m.3 views

Improper Verification of Cryptographic Signature

Overview @jhb.software/payload-cloudinary-plugin is a Payload CMS storage adapter for Cloudinary Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via the cloudinary-generate-signature endpoint, which forwards attacker-controlled parameters to th...

7.1CVSS6AI score
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/06/19 10:10 p.m.25 views

@jhb.software/payload-cloudinary-plugin: Arbitrary Cloudinary API Parameter Signing

Arbitrary Cloudinary API Parameter Signing in @jhb.software/payload-cloudinary-plugin Summary @jhb.software/payload-cloudinary-plugin v0.3.4 exposes a server-side signing endpoint POST /api/cloudinary-generate-signature that passes attacker-supplied paramsToSign directly to...

6.1AI score
Exploits0References2Affected Software1
NVD
NVD
added 2026/06/19 8:16 p.m.12 views

CVE-2026-48089

DevGuard provides vulnerability management for the full software supply chain. Prior to 1.4.2, on a DevGuard API instance with one or more public assets, any authenticated user — including users from a different organization with no membership or role in the affected org/project — can create,...

7.1CVSS0.00235EPSS
Exploits0References2
CVE
CVE
added 2026/06/19 7:38 p.m.26 views

CVE-2026-48089

CVE-2026-48089 affects DevGuard. Before patch 1.4.2, an authenticated user, including from other orgs with no membership, could write and manage VEX rules and related vulnerability-triage endpoints on assets marked public. The root cause is improper authorization for public assets, enabling write...

7.1CVSS5.9AI score0.00235EPSS
Exploits0References2
NVD
NVD
added 2026/06/19 7:16 p.m.11 views

CVE-2026-49288

Statamic is a Laravel and Git powered content management system CMS. Prior to 5.73.23 and 6.20.0, an authenticated Control Panel user could view metadata and content for resources they don't have permission to view, including entries, assets, users, roles, groups, and other configured resources...

4.3CVSS0.00162EPSS
Exploits0References1
CVE
CVE
added 2026/06/19 6:11 p.m.24 views

CVE-2026-49288

Statamic CMS patch for CVE-2026-49288 fixes a missing authorization on Control Panel fieldtype endpoints that allowed an authenticated CP user to view restricted metadata and content (entries, assets, users, roles, groups, etc.). The issue could disclose titles, custom field values, entry content...

4.3CVSS5.8AI score0.00162EPSS
Exploits0References1
Tenable Nessus
Tenable Nessus
added 2026/06/18 12:0 a.m.7 views

Siemens (CVE-2025-49794)

A use-after-free vulnerability was found in libxml2. This issue occurs when parsing XPath elements under certain circumstances when the XML schematron has the schema elements. This flaw allows a malicious actor to craft a malicious XML document used as input for libxml, resulting in the program's...

9.1CVSS6.6AI score0.00669EPSS
Exploits0References3
Tenable Nessus
Tenable Nessus
added 2026/06/18 12:0 a.m.9 views

Siemens RUGGEDCOM RST2428P Stack-based Buffer Overflow (CVE-2025-6170)

A flaw was found in the interactive shell of the xmllint command-line tool, used for parsing XML files. When a user inputs an overly long command, the program does not check the input size properly, which can cause it to crash. This issue might allow attackers to run harmful code in rare...

2.5CVSS6.5AI score0.0019EPSS
Exploits0References3
NVD
NVD
added 2026/06/17 10:54 a.m.11 views

CVE-2026-46932

Vulnerability in the Oracle Enterprise Asset Management product of Oracle E-Business Suite component: Internal Operations. Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle...

7.1CVSS0.0036EPSS
Exploits0References1
NVD
NVD
added 2026/06/17 10:54 a.m.10 views

CVE-2026-46931

Vulnerability in the Oracle Enterprise Asset Management product of Oracle E-Business Suite component: Internal Operations. Supported versions that are affected are 12.2.6-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle...

8.8CVSS0.00402EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/16 12:0 a.m.13 views

PT-2026-50035

Vulnerability in the Oracle Enterprise Asset Management product of Oracle E-Business Suite component: Internal Operations. Supported versions that are affected are 12.2.6-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle...

8.8CVSS5.3AI score0.00402EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/16 12:0 a.m.14 views

PT-2026-50036

Vulnerability in the Oracle Enterprise Asset Management product of Oracle E-Business Suite component: Internal Operations. Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle...

7.1CVSS5.1AI score0.0036EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/06/15 4:44 p.m.26 views

Angular Service Worker Policy-Bypass & Credential-Stripping Vulnerabilities

An issue in the @angular/service-worker package compromises the integrity of request-policy enforcement during request reconstruction. When the Angular Service Worker intercepts network requests for matched assets, it reconstructs a new Request object using an internal helper function. During thi...

6.1CVSS5.5AI score0.00165EPSS
Exploits0References3Affected Software1
Rows per page
Query Builder