Lucene search
K

2007 matches found

Nuclei
Nuclei
added 7 hours ago34 views

DomainMOD 4.11.01 - Cross-Site Scripting

DomainMOD 4.11.01 contains a cross-site scripting vulnerability via assets/add/account-owner.php Owner name field. id: CVE-2018-19749 info: name: DomainMOD 4.11.01 - Cross-Site Scripting author: arafatansari severity: medium description: | DomainMOD 4.11.01 contains a cross-site scripting...

4.8CVSS6.2AI score0.03316EPSS
Exploits6References5
Nuclei
Nuclei
added 7 hours ago39 views

DomainMOD 4.11.01 - Cross-Site Scripting

DomainMOD 4.11.01 contains a cross-site scripting vulnerability via assets/add/dns.php Profile Name or notes field. id: CVE-2018-19914 info: name: DomainMOD 4.11.01 - Cross-Site Scripting author: arafatansari severity: medium description: | DomainMOD 4.11.01 contains a cross-site scripting...

4.8CVSS6.2AI score0.03316EPSS
Exploits5References5
Nuclei
Nuclei
added 7 hours ago187 views

Chuanhu Chat - Directory Traversal

The gaizhenbiao/chuanhuchatgpt application is vulnerable to a path traversal attack due to its use of an outdated gradio component. The application is designed to restrict user access to resources within the webassets folder. However, the outdated version of gradio it employs is susceptible to pa...

9.8CVSS7.1AI score0.03757EPSS
Exploits1
IBM Security Bulletins
IBM Security Bulletins
added 3 days ago3 views

Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to vulnerability in uuid.

Summary Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to vulnerability in uuid. CVE-2026-41988 The vulnerability have been addressed. Vulnerability Details CVEID:CVE-2026-41988 DESCRIPTION: uuid before 14.0.0 can make unexpected writes when external outp...

3.2CVSS5.9AI score0.00181EPSS
Exploits1Affected Software2
OSV
OSV
added 4 days ago4 views

GHSA-X76W-8C62-48MG Craft CMS: Authenticated "assets/preview-thumb" discloses signed fallback transform preview link to CP users without asset-view permission

Summary A user with Control Panel access but without permission to view a target private asset can call assets/preview-thumb and receive preview HTML that contains a signed fallback transform link for that private asset. Details Root-cause analysis: 1. The endpoint accepts an attacker-controlled...

5.3CVSS6AI score0.00193EPSS
Exploits0References3
NVD
NVD
added last week5 views

CVE-2026-28705

Gitea versions before 1.25.5 use release tag names and asset names as filesystem path components when dumping release assets, allowing specially crafted names to affect dump output paths...

5.3CVSS0.00369EPSS
Exploits0References4
Cvelist
Cvelist
added last week34 views

CVE-2026-28705 Gitea repository dumps write release assets using unsafe path names

Gitea versions before 1.25.5 use release tag names and asset names as filesystem path components when dumping release assets, allowing specially crafted names to affect dump output paths...

0.00369EPSS
Exploits0References4
CVE
CVE
added last week10 views

CVE-2026-28705

CVE-2026-28705 affects Gitea before 1.25.5, where dump of release assets uses release tag names and asset names as filesystem path components. This allows a crafted tag or asset name to influence dump output paths, enabling a directory traversal-like issue (path traversal) that can impact how fil...

5.3CVSS6AI score0.00369EPSS
Exploits0References4
EUVD
EUVD
added 2026/07/02 6:49 p.m.8 views

EUVD-2026-41208

Craft CMS: Missing peer-permission check in AssetsController::actionDeleteFolder allows deletion of other users' assets...

7.1CVSS5.8AI score0.00249EPSS
Exploits0References3
NVD
NVD
added 2026/07/01 11:16 p.m.7 views

CVE-2026-50284

Craft CMS is a content management system CMS. In versions 5.0.0-RC1 through 5.9.21 and 4.0.0-RC1 through 4.17.14, theAssetsController::actionDeleteFolder only requires the deleteAssets: permission for the target folder. It never enforces deletePeerAssets:, even though Assets::deleteFoldersByIds...

7.1CVSS0.00249EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/07/01 10:37 p.m.25 views

CVE-2026-50284 Craft CMS: Missing peer-permission check in `AssetsController::actionDeleteFolder` allows deletion of other users' assets

Craft CMS is a content management system CMS. In versions 5.0.0-RC1 through 5.9.21 and 4.0.0-RC1 through 4.17.14, theAssetsController::actionDeleteFolder only requires the deleteAssets: permission for the target folder. It never enforces deletePeerAssets:, even though Assets::deleteFoldersByIds...

7.1CVSS0.00249EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/07/01 10:37 p.m.4 views

CVE-2026-50284

Craft CMS is a content management system CMS. In versions 5.0.0-RC1 through 5.9.21 and 4.0.0-RC1 through 4.17.14, theAssetsController::actionDeleteFolder only requires the deleteAssets: permission for the target folder. It never enforces deletePeerAssets:, even though Assets::deleteFoldersByIds...

7.1CVSS5.8AI score0.00249EPSS
Exploits0References3Affected Software1
CVE
CVE
added 2026/07/01 10:37 p.m.17 views

CVE-2026-50284

Craft CMS (versions 5.0.0-RC1–5.9.21 and 4.0.0-RC1–4.17.14) has a privilege check flaw in AssetsController::actionDeleteFolder: it only enforces deleteAssets: for the target folder and does not enforce deletePeerAssets:, allowing a low-privilege user with folder-management rights on a shared volu...

7.1CVSS5.8AI score0.00249EPSS
Exploits0References2
CVE
CVE
added 2026/07/01 10:20 p.m.11 views

CVE-2026-50283

Craft CMS versions 5.0.0-RC1–5.9.20 and 4.0.0-RC1–4.17.13 contain an authorization issue in AssetsController::actionReplaceFile that can delete a source asset without source delete permission when both assetId and sourceAssetId are supplied. The runtime loads assetId ($assetToReplace) and sourceA...

5.3CVSS5.8AI score0.00265EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/26 10:12 p.m.9 views

EUVD-2026-38059

Statamic CMS: Missing authorization on Control Panel fieldtype endpoints allows disclosure of restricted resources...

4.3CVSS5.8AI score0.00162EPSS
Exploits0References2
NVD
NVD
added 2026/06/24 10:16 p.m.9 views

CVE-2026-54066

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, the patch for CVE-2026-41894 "Path Traversal via Double URL Encoding" sanitized the /export/ route but the identical root cause remains in the /assets/path route. In publish mode anonymous read-only HTTP endpoint,...

7.5CVSS0.01892EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/24 9:15 p.m.15 views

CVE-2026-54068 SiYuan: Unauthenticated SQLite Data Exfiltration via Template Injection in /api/icon/getDynamicIcon

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, the /api/icon/getDynamicIcon endpoint is explicitly excluded from authentication in SiYuan's kernel router router.go, "不需要鉴权" -- no auth needed. When called with type=8 and a valid block id parameter, this endpoint...

5.9CVSS0.00239EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/24 9:13 p.m.16 views

CVE-2026-54066 SiYuan: Path Traversal via Double URL Encoding in /assets/*path (publish mode arbitrary file─read)

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, the patch for CVE-2026-41894 "Path Traversal via Double URL Encoding" sanitized the /export/ route but the identical root cause remains in the /assets/path route. In publish mode anonymous read-only HTTP endpoint,...

7.5CVSS0.01892EPSS
Exploits0References1
IBM Security Bulletins
IBM Security Bulletins
added 2026/06/23 9:54 a.m.5 views

Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to vulnerability in follow-redirects

Summary Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to vulnerability in follow-redirects. CVE-2026-40895 The vulnerabilities have been addressed Vulnerability Details CVEID:CVE-2026-40895 DESCRIPTION: follow-redirects is an open source, drop-in...

7.5CVSS5.8AI score0.00486EPSS
Exploits0Affected Software2
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.9 views

PT-2026-51642

Name of the Vulnerable Software and Affected Versions Snipe-IT affected versions not specified Description An authorization bypass exists in the BulkAssetsController::update function. The system accepts the company id variable directly from user input without utilizing the standard company-scopin...

6.3CVSS5.9AI score
Exploits0References5
Rows per page
Query Builder