Lucene search
K

2052 matches found

Veracode
Veracode
added 2026/06/16 9:35 a.m.11 views

XML External Entity (XXE) Injection

Spring Web Services is vulnerable to XML External Entity XXE Injection. The vulnerability is due to Jaxp13XPathTemplate using a code path for StreamSource and SAXSource inputs that parses attacker-controlled XML with the default DocumentBuilderFactory configuration instead of Spring's hardened XM...

8.2CVSS5.4AI score0.00352EPSS
Exploits0References2Affected Software1
Redos
Redos
added 2026/06/16 12:0 a.m.5 views

ROS-20260616-73-0039

The vulnerability in ImageMagick is related to the lack of memory release after the effective lifespan of the component. Exploiting this vulnerability can allow an attacker to cause a service failure...

5.3CVSS5.3AI score0.00384EPSS
Exploits0
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/15 5:23 p.m.10 views

Malicious code in flowcardano (npm)

flow/surf-lending DeFi cred-exfil campaign sibling c1655. Cardano-themed Sentinel-9.9.9 dependency-confusion squat. preinstall node index.js || true exfils env secrets mnemonic/private-key/token/blockfrost to raw C2 2.25.140.71:8443/surflending/npm-confusion same C2 as...

5.4AI score
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2026/06/15 12:0 a.m.13 views

VulnCheck KEV: CVE-2026-39813

A path traversal: '../filedir' vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8 may allow attacker to escalation of privilege via specially crafted HTTP requests...

9.8CVSS5.8AI score0.16739EPSS
In wildExploits2References4
OSV
OSV
added 2026/06/11 1:2 p.m.12 views

MAL-2026-5644 Malicious code in self-certificate (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ab587fcd5a0b45e17454fc742007b8b597a0aec49b443d8a5a087ba910ea4a40 The package presents itself as a self-signed certificate generator, but its public generateCertificates API path loads sample/cert.pem, strips the...

5.9AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/11 12:0 a.m.16 views

PT-2026-48712

Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.3, a normal user can create a ticket with a reason containing @everyone, @here, user mentions, or role mentions. When the ticket is created, the bot posts the attacker-controlled reason...

6.3CVSS5.4AI score0.00263EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/06/11 12:0 a.m.15 views

OpenClaw 安全漏洞

OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.5.12 contained security vulnerabilities. These vulnerabilities stemmed from shell option parsing; combining POSIX shell flags could bypass the exec revalidation check. Attackers c...

8.8CVSS5.3AI score0.00419EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/09 11:47 p.m.38 views

CVE-2026-41696 Spring Data MongoDB Bind Parameter Literal Quoting Breakout

Spring Data MongoDB repository query methods annotated with @Query that use regex parameter binding perform insufficient validation of the bound parameter. An attacker can supply a crafted string to break out of the intended regular expression quoting. Affected versions: Spring Data MongoDB 5.0.0...

5.9CVSS0.00262EPSS
Exploits0References1
CVE
CVE
added 2026/06/09 5:4 p.m.26 views

CVE-2026-45643

Summary of CVE-2026-45643 : Affected product is Microsoft Word (Office). The vulnerability is an untrusted pointer dereference in Word that allows an attacker to achieve local code execution on a vulnerable system with high impact (confidentiality, integrity, and availability). The CVSS-3.1 vecto...

7.8CVSS5.7AI score0.00372EPSS
Exploits0References1Affected Software4
AlpineLinux
AlpineLinux
added 2026/06/09 4:3 p.m.9 views

CVE-2026-42769

Issue Summary: An error in the callback used to verify the certificate provided in a Root CA key update Certificate Management Protocol CMP message response rendered the certificate validation ineffectual, which could lead to escalation of credentials from the Registration Authority RA level to t...

5.3CVSS5.7AI score0.00262EPSS
Exploits0
EUVD
EUVD
added 2026/06/09 3:48 a.m.10 views

EUVD-2026-35321

An attacker can craft a large number of unique requests that trigger a failure, exhausting the capacity of the application-wide stateful retry cache. Once the cache is full, it permanently rejects any further updates, causing all later stateful retries and circuit breakers in the application to...

5.9CVSS5.5AI score0.0028EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/09 12:0 a.m.16 views

PT-2026-47646

Name of the Vulnerable Software and Affected Versions Spring Retry versions 2.0.0 through 2.0.12 Spring Retry versions 1.3.0 through 1.3.4 Description An attacker can send a large volume of unique requests that trigger failures, which exhausts the capacity of the application-wide stateful retry...

5.9CVSS5.8AI score0.0028EPSS
Exploits0References3
CVE
CVE
added 2026/06/08 12:58 p.m.26 views

CVE-2026-49232

CVE-2026-49232—Routinator exits on any error when accepting incoming HTTP or RTR connections, including recoverable ones like running out of file descriptors. An attacker could trigger this by opening a large number of connections to the HTTP/RTR server, affecting availability for untrusted netwo...

8.7CVSS5.5AI score0.00333EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:58 p.m.17 views

CVE-2026-5589

An integer underflow in btmeshsolrecv in the Bluetooth Mesh solicitation handling subsys/bluetooth/mesh/solicitation.c leads to an out-of-bounds write. When CONFIGBTMESHODPRIVPROXYSRV is enabled, the function parses solicitation PDUs from raw BLE advertising payloads. The AD parsing loop reads an...

6.3CVSS5.9AI score0.00218EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:45 p.m.11 views

CVE-2026-48589

A flaw was found in Apache Shiro's Jakarta EE module. Insufficient validation of the HTTP Referer header, a client-controlled value, could allow an attacker to influence the redirect target after a user login. This vulnerability can be exploited to redirect users to malicious sites, potentially...

5.4CVSS5.8AI score0.00352EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/06/05 7:21 p.m.10 views

CVE-2026-47117

OpenMed before 1.5.2 contains a remote code execution vulnerability in the PII privacy-filter model loading path. The privacy-filter dispatcher used broad substring matching on the user-supplied modelname parameter, allowing a value such as attacker/foo-privacy-filter-bar to route through a path...

9.8CVSS6.3AI score0.00915EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:11 p.m.11 views

CVE-2026-44468

The affected product creates a directory with insecure default permissions during administrative installation. This allows a low-privileged local attacker to modify a temporary file defining the components to be installed, enabling local privilege escalation by forcing the deployment of arbitrary...

8.5CVSS5.5AI score0.00123EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/05 12:31 a.m.10 views

EUVD-2026-34446

Insufficient policy enforcement in Extensions in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to bypass discretionary access control via a crafted Chrome Extension. Chromium security severity: Medium...

5.8AI score0.00241EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/06/04 2:39 p.m.7 views

CVE-2026-10868

A mass assignment vulnerability exists in the MISP user edit functionality due to insufficient filtering of user-supplied fields in UsersController::edit. When processing edit requests, the application accepted a user-controlled User.id value from request data. An authenticated attacker could cra...

9CVSS5.8AI score0.00239EPSS
Exploits0References2
CVE
CVE
added 2026/06/04 1:26 p.m.23 views

CVE-2026-10861

An open redirect vulnerability affects MISP in UsersController::routeafterlogin(), where the pre_login_requested_url session key is used as the post-login redirect destination without enforcing that it is a local path. An unauthenticated attacker can lure a user to a trusted MISP instance and, af...

6.1CVSS5.8AI score0.00223EPSS
Exploits0References1Affected Software1
Rows per page
Query Builder