Lucene search
K

255 matches found

CNNVD
CNNVD
added 2026/04/01 12:0 a.m.5 views

Devolutions Server 安全漏洞

Devolutions Server is an application system developed by the Canadian company Devolutions. It provides a fully functional solution for shared accounts and password management. Versions of Devolutions Server from 2026.1.6 to 2026.1.11 contained security vulnerabilities. These vulnerabilities were...

6.5CVSS5.8AI score0.00224EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/03/31 10:53 p.m.9 views

FastMCP OpenAPI Provider has an SSRF & Path Traversal Vulnerability

Technical Description The OpenAPIProvider in FastMCP exposes internal APIs to MCP clients by parsing OpenAPI specifications. The RequestDirector class is responsible for constructing HTTP requests to the backend service. A critical vulnerability exists in the buildurl method. When an OpenAPI...

10CVSS6AI score0.00988EPSS
Exploits1References6Affected Software1
Snyk
Snyk
added 2026/03/30 5:51 p.m.2 views

Race Condition

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Race Condition through the transferBalance process in plugin/YPTWallet/YPTWallet.php. An attacker can create a wallet balance from nothing by sending concurrent...

6CVSS5.8AI score0.00228EPSS
Exploits1References2
Snyk
Snyk
added 2026/03/26 9:53 p.m.6 views

Information Exposure

Overview apollo-server-core is a core module of the Apollo community GraphQL Server. Affected versions of this package are vulnerable to Information Exposure in the request handling process. An attacker can infer sensitive information about server responses by issuing specially crafted...

6.3CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/03/25 9:56 p.m.4 views

SQL Injection

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to SQL Injection via the save function. An attacker can extract sensitive information from the database and insert arbitrary data by submitting crafted input to the...

7.1CVSS6.1AI score0.00224EPSS
Exploits1References2
OSV
OSV
added 2026/03/19 8:45 p.m.4 views

CVE-2026-30924 qui CORS Misconfiguration: Arbitrary Origins Trusted

qui is a web interface for managing qBittorrent instances. Versions 1.14.1 and below use a permissive CORS policy that reflects arbitrary origins while also returning Access-Control-Allow-Credentials: true, effectively allowing any external webpage to make authenticated requests on behalf of a...

9CVSS6.5AI score0.00257EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/03/16 11:20 a.m.28 views

CVE-2026-2457 WebSocket Message Spoofing via Permalink Embed Manipulation

Mattermost versions 11.3.x = 11.3.0, 11.2.x = 11.2.2, 10.11.x = 10.11.10 fail to sanitize client-supplied post metadata which allows an authenticated attacker to spoof permalink embeds impersonating other users via crafted PUT requests to the post update API endpoint.. Mattermost Advisory ID:...

4.3CVSS0.00107EPSS
Exploits0References1
Snyk
Snyk
added 2026/02/27 12:16 a.m.2 views

Authorization Bypass Through User-Controlled Key

Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the getqueryset function in the RepetitionsConfigViewSet and MaxRepetitionsConfigViewSet process. An attacker can access other users' workout configuration data by sending authenticat...

5.3CVSS6AI score0.00257EPSS
Exploits1References2
Snyk
Snyk
added 2026/02/26 10:48 p.m.4 views

Insertion of Sensitive Information into Log File

Overview Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File via the http.Error function. An attacker can obtain sensitive database credentials by triggering database errors through authenticated HTTP requests. Remediation Upgrade...

7.1CVSS6AI score
Exploits0References3
Snyk
Snyk
added 2026/02/26 10:48 p.m.2 views

Insertion of Sensitive Information into Log File

Overview Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File via the http.Error function. An attacker can obtain sensitive database credentials by triggering database errors through authenticated HTTP requests. Remediation Upgrade...

7.1CVSS6AI score
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/02/23 1:30 p.m.6 views

CVE-2026-27579

CollabPlatform is a full-stack, real-time doc collaboration platform. In all versions of CollabPlatform, the Appwrite project used by the application is misconfigured to allow arbitrary origins in CORS responses while also permitting credentialed requests. An attacker-controlled domain can issue...

7.4CVSS5.6AI score0.00226EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/02/20 10:56 p.m.23 views

CVE-2019-25447 OrientDB 3.0.17 Cross-Site Request Forgery

OrientDB 3.0.17 GA Community Edition contains cross-site request forgery vulnerabilities that allow attackers to perform unauthorized actions by crafting malicious requests to endpoints like /database/, /command/, and /document/. Attackers can create or delete databases, modify schema classes,...

5.3CVSS0.0013EPSS
Exploits1References3
CVE
CVE
added 2026/02/20 10:56 p.m.14 views

CVE-2019-25447

CVE-2019-25447 concerns OrientDB 3.0.17 GA Community Edition. The connected sources describe cross-site request forgery vulnerabilities that allow an attacker to perform unauthorized actions by crafting requests to endpoints such as /database/, /command/, and /document/. Attackers can create or d...

5.3CVSS5.2AI score0.0013EPSS
Exploits1References3Affected Software1
RedhatCVE
RedhatCVE
added 2026/01/09 8:59 a.m.4 views

CVE-2023-49910

A stack-based buffer overflow vulnerability exists in the web interface Radio Scheduling functionality of Tp-Link AC1350 Wireless MU-MIMO Gigabit Access Point EAP225 V3 v5.1.0 Build 20220926. A specially crafted series of HTTP requests can lead to remote code execution. An attacker can make an...

8.8CVSS8.3AI score0.01822EPSS
Exploits1References1
CVE
CVE
added 2026/01/05 9:46 p.m.16 views

CVE-2025-68436

CVE-2025-68436 affects Craft CMS: versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16. The issue allows authenticated users to potentially expose sensitive assets via their user profile photo through maliciously crafted requests, causing information disclosure. No exploitation details...

7.1CVSS6.2AI score0.00232EPSS
Exploits0References2Affected Software1
EUVD
EUVD
added 2025/12/22 11:24 a.m.4 views

EUVD-2025-204707

Mattermost versions 11.1.x = 11.1.0, 11.0.x = 11.0.5, 10.12.x = 10.12.3, 10.11.x = 10.11.7 with the Jira plugin enabled and Mattermost Jira plugin versions =4.4.0 fail to enforce authentication and issue-key path restrictions in the Jira plugin, which allows an unauthenticated attacker who knows ...

7.2CVSS6.5AI score0.00227EPSS
Exploits0References2
CVE
CVE
added 2025/12/18 12:0 a.m.12 views

CVE-2025-63386

CVE-2025-63386 affects Dify v1.9.1, specifically the /console/api/setup endpoint. The vulnerability arises from a misconfigured CORS policy that reflects any Origin header and sets Access-Control-Allow-Credentials: true, allowing arbitrary external domains to make authenticated requests. Impact i...

9.1CVSS5.7AI score0.00212EPSS
Exploits0References4Affected Software1
Positive Technologies
Positive Technologies
added 2025/12/18 12:0 a.m.7 views

PT-2025-52262

Name of the Vulnerable Software and Affected Versions Dify version 1.9.1 Description A Cross-Origin Resource Sharing CORS misconfiguration exists in the /console/api/setup endpoint. The endpoint has an insecure CORS policy that reflects any Origin header and allows Access-Control-Allow-Credential...

9.1CVSS6.5AI score0.00212EPSS
Exploits0References11
CERT
CERT
added 2025/11/20 12:0 a.m.16 views

Tenda N300 Wi-Fi 4G LTE Router 4G03 Pro impacted by vulnerabilities

Overview A command injection vulnerability exists across multiple firmware versions that allows an attacker to execute arbitrary commands as root on the affected device. Currently, no solution exists to resolve these vulnerabilities in the Tenda N300 series and Tenda 4G03 Pro devices. Description...

8.1AI score
Exploits0References1
Positive Technologies
Positive Technologies
added 2025/11/18 12:0 a.m.6 views

PT-2025-47334

Name of the Vulnerable Software and Affected Versions pluginsGLPI Database Inventory Plugin versions prior to 1.0.3 Description The Database Inventory Plugin for pluginsGLPI manages Teclib' inventory agents to inventory databases on workstations. Prior to version 1.0.3, any authenticated user cou...

4.3CVSS6.5AI score0.00261EPSS
Exploits0References7
Rows per page
Query Builder