Lucene search
K

761 matches found

CVE
CVE
added 5 days ago10 views

CVE-2026-31984

CVE-2026-31984 affects Guardian/CMC prior to version 26.2.0, where unbounded resource allocation in the audit logging path allows an unauthenticated attacker to submit oversized input, potentially exhausting disk space and causing DoS. Root cause: missing input size limit in audit entries. Impact...

8.7CVSS6AI score0.00274EPSS
Exploits0References1Affected Software2
Cvelist
Cvelist
added 5 days ago33 views

CVE-2026-31984 DoS through oversized audit log entries in Guardian/CMC before 26.2.0

A denial-of-service vulnerability caused by unbounded resource allocation was discovered in the audit logging functionality, due to a missing size limit on input recorded into audit entries. An unauthenticated attacker can submit requests containing excessively large input that is recorded into...

8.7CVSS0.00274EPSS
Exploits0References1
NOZOMI
NOZOMI
added 2026/07/07 12:0 a.m.4 views

DoS through oversized audit log entries in Guardian/CMC before 26.2.0

Summary A denial-of-service vulnerability caused by unbounded resource allocation was discovered in the audit logging functionality, due to a missing size limit on input recorded into audit entries. Impact An unauthenticated attacker can submit requests containing excessively large input that is...

8.7CVSS6AI score0.00274EPSS
Exploits0Affected Software2
Github Security Blog
Github Security Blog
added 2026/07/02 1:50 p.m.7 views

GoFiber Vulnerable to X-Real-IP Spoofing via Header.Add() in BalancerForward

Summary The BalancerForward proxy helper in GoFiber uses Header.Add instead of Header.Set when injecting the X-Real-IP header. This appends the real client IP as a second header value rather than replacing any attacker-supplied value. Upstream servers that read the first X-Real-IP header nginx,...

5.3CVSS5.7AI score0.00455EPSS
Exploits0References2Affected Software2
OSV
OSV
added 2026/06/26 7:40 p.m.1 views

CVE-2026-53287 audit: fix incorrect inheritable capability in CAPSET records

In the Linux kernel, the following vulnerability has been resolved: audit: fix incorrect inheritable capability in CAPSET records auditlogcapset records the effective capability set into the inheritable field due to a copy-paste error. Every CAPSET audit record therefore reports cappi process...

5.5CVSS5.8AI score0.00122EPSS
Exploits0References11
Positive Technologies
Positive Technologies
added 2026/06/26 12:0 a.m.14 views

PT-2026-52926

Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description An issue exists in the audit log capset function where the effective capability set is incorrectly recorded into the inheritable field. This occurs because the function reports cap pi...

7.8CVSS5.8AI score0.00184EPSS
Exploits0References378
EUVD
EUVD
added 2026/06/24 5:33 a.m.8 views

EUVD-2026-38669

The Blue Captcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 2.0.1. This is due to missing or incorrect nonce validation on the main admin panel blcapmainpage and on the Hall of Shame and Log subpages, which accept a 'blcapaction' / 'action'...

4.3CVSS5.9AI score0.00146EPSS
Exploits0References6
CVE
CVE
added 2026/06/23 4:14 p.m.11 views

CVE-2026-44960

Vulnerability summary (CVE-2026-44960) : A stored XSS exists in Revive Adserver where malicious content placed in the username could be executed when an admin views audit log details, due to missing output sanitisation. The issue is triggered by usernames being displayed in the audit log details ...

5.7AI score0.00339EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/23 4:14 p.m.6 views

EUVD-2026-38503

A stored XSS can be exploited by leveraging the usernames as an attack vector. When an admin user viewed the audit log details for affected entries, any malicious JavaScript payload embedded in the username would be executed due to missing output sanitisation. Proper escaping has been added to th...

5.7AI score0.00339EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/23 4:14 p.m.39 views

CVE-2026-44960

A stored XSS can be exploited by leveraging the usernames as an attack vector. When an admin user viewed the audit log details for affected entries, any malicious JavaScript payload embedded in the username would be executed due to missing output sanitisation. Proper escaping has been added to th...

0.00339EPSS
Exploits0References1
Tenable Nessus
Tenable Nessus
added 2026/06/22 12:0 a.m.10 views

Amazon Linux 2023 : mariadb1011, mariadb1011-backup, mariadb1011-client-utils (ALAS2023-2026-1844)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1844 advisory. Vulnerability in the MySQL Server product of Oracle MySQL component: Server: Optimizer. Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable...

9.8CVSS6.2AI score0.00567EPSS
Exploits1References14
Github Security Blog
Github Security Blog
added 2026/06/12 3:4 p.m.15 views

Firefly II has Stored XSS in Audit Log Entry view via piggy bank name (ale.twig)

Summary The Twig template resources/views/list/ale.twig renders the piggy bank name from AuditLogEntry.after.piggy using the |raw filter, bypassing Twig's auto-escaping. A piggy bank created with an HTML payload in its name executes arbitrary JavaScript in any browser viewing that transaction's...

5.5AI score
Exploits0References3Affected Software1
OSV
OSV
added 2026/06/12 3:4 p.m.8 views

GHSA-6JQ6-X4CX-QVCM Firefly II has Stored XSS in Audit Log Entry view via piggy bank name (ale.twig)

Summary The Twig template resources/views/list/ale.twig renders the piggy bank name from AuditLogEntry.after.piggy using the |raw filter, bypassing Twig's auto-escaping. A piggy bank created with an HTML payload in its name executes arbitrary JavaScript in any browser viewing that transaction's...

5.1CVSS5.5AI score
Exploits0References3
CNNVD
CNNVD
added 2026/06/11 12:0 a.m.15 views

Cerebrate 信息泄露漏洞

Cerebrate is an open-source platform developed by Cerebrate. It aims to act as an interconnected coordinator for trusted contact information providers and other security tools. Prior to version 1.37 of Cerebrate, there was a vulnerability involving information leakage, which stemmed from exposing...

5.1CVSS5.3AI score0.00242EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/09 2:59 p.m.10 views

CVE-2026-8078

Stored cross-site scripting in the global settings change log in Checkmk 2.5.0p5, 2.4.0p31, 2.3.0p48, and all 2.2.0 versions allows an administrator who can change global settings to store malicious HTML or JavaScript in changelog messages that executes in other users' browsers when they view the...

4.8CVSS5.2AI score0.00143EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/09 1:11 p.m.36 views

CVE-2026-11792 389-ds-base: 389-ds-base: heap buffer overflow in audit log password masking (create_masked_entry_string)

A heap buffer overflow flaw was found in 389 Directory Server. When audit logging is enabled, the createmaskedentrystring function in auditlog.c copies a fixed-length password mask into a precisely-sized heap buffer without checking available space. If a short cleartext password is logged requiri...

3.3CVSS0.00258EPSS
Exploits0References3
Tenable Nessus
Tenable Nessus
added 2026/06/09 12:0 a.m.8 views

Linux Distros Unpatched Vulnerability : CVE-2026-11792

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A heap buffer overflow flaw was found in 389 Directory Server. When audit logging is enabled, the createmaskedentrystring function in auditlog.c copies a...

3.3CVSS5.6AI score0.00258EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/06/08 11:35 p.m.14 views

nebula-mesh: GET /api/v1/audit-log discloses all entries to any operator

internal/api/audit.go:12 — handleGetAuditLog does no admin check. The route is bearer-auth gated only; any operator API key returns the full audit log via store.ListAuditEntries up to limit=1000. This includes cross-tenant actor names, host/CA/operator IDs, action timestamps, and masked-IP entrie...

5.5AI score0.00043EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2026/06/08 11:35 p.m.11 views

GHSA-QM33-P5P9-F8VG nebula-mesh: GET /api/v1/audit-log discloses all entries to any operator

internal/api/audit.go:12 — handleGetAuditLog does no admin check. The route is bearer-auth gated only; any operator API key returns the full audit log via store.ListAuditEntries up to limit=1000. This includes cross-tenant actor names, host/CA/operator IDs, action timestamps, and masked-IP entrie...

7.1CVSS5.5AI score0.00043EPSS
Exploits0References4
NVD
NVD
added 2026/06/08 1:16 p.m.13 views

CVE-2026-8078

Stored cross-site scripting in the global settings change log in Checkmk 2.5.0p5, 2.4.0p31, 2.3.0p48, and all 2.2.0 versions allows an administrator who can change global settings to store malicious HTML or JavaScript in changelog messages that executes in other users' browsers when they view the...

4.8CVSS0.00143EPSS
Exploits0References1
Rows per page
Query Builder