Lucene search

20553 matches found

EUVD
added 5 days ago, 7 views

EUVD-2026-39926

A vulnerability exists in H.View IP cameras that could allow an authenticated user to supply unsanitized XML fields to the device's certificate generation interface, which are incorporated into a backend certificate creation command without proper input validation. This may allow for command...

CVSS 8.6, AI score 5.9, EPSS 0.00653
Exploits: 0, References: 4
NVD
added 6 days ago, 16 views

CVE-2026-55975

A vulnerability exists in H.View IP cameras that could allow an authenticated user to supply unsanitized XML fields to the device's certificate generation interface, which are incorporated into a backend certificate creation command without proper input validation. This may allow for command...

CVSS 8.6, EPSS 0.00653
Exploits: 0, References: 3
CVE
added 6 days ago, 14 views

CVE-2026-55975

CVE-2026-55975 affects H.View IP cameras (e.g., HV-500S6) where an authenticated user can supply unsanitized XML to the device’s certificate generation interface. The input is incorporated into a backend certificate creation command without proper validation, enabling command execution with eleva...

CVSS 8.6, AI score 5.9, EPSS 0.00653
Exploits: 0, References: 3
NVD
added 6 days ago, 10 views

CVE-2026-45807

Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.43 and 1.3.19, several Kestra API endpoints accept a kestra:// URI from the client and pass it through StorageInterface.parentTraversalGuard before reading the underlying file from the local storage backend. The guard onl...

CVSS 7.7, EPSS 0.00366
Exploits: 1, References: 1
ATTACKERKB
added 6 days ago, 10 views

CVE-2026-45807

Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.43 and 1.3.19, several Kestra API endpoints accept a kestra:// URI from the client and pass it through StorageInterface.parentTraversalGuard before reading the underlying file from the local storage backend. The guard onl...

CVSS 7.7, AI score 6, EPSS 0.00366
Exploits: 1, References: 2, Affected software: 1
CVE
added 6 days ago, 14 views

CVE-2026-49984

CVE-2026-49984 – Kestra : A path traversal vulnerability in the LocalStorage backend allows any authenticated user who can view an execution to read arbitrary files on the server. Before patching, the LocalStorage path validator mishandles Windows-style backslashes, letting an attacker smuggle tr...

CVSS 7.7, AI score 6, EPSS 0.00366
Exploits: 1, References: 1, Affected software: 1
ATTACKERKB
added 6 days ago, 7 views

CVE-2026-49984

Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.23, the local internal-storage backend validates user-supplied paths for .. traversal before it converts Windows-style backslashes to forward slashes. An attacker can therefore smuggle a traversal sequence past...

CVSS 7.7, AI score 6, EPSS 0.00366
Exploits: 1, References: 2, Affected software: 1
Cvelist
added 6 days ago, 29 views

CVE-2026-49984 Kestra: Path traversal in `LocalStorage` allows any authenticated user to read arbitrary server files via the execution file-download API (`\..\` bypasses the `..` guard)

Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.23, the local internal-storage backend validates user-supplied paths for .. traversal before it converts Windows-style backslashes to forward slashes. An attacker can therefore smuggle a traversal sequence past...

CVSS 7.7, EPSS 0.00366
Exploits: 1, References: 1
Cvelist
added 6 days ago, 28 views

CVE-2026-53577 Kestra: Cross-Execution File Read via Preview Endpoint (IDOR)

Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the previewFileFromExecution endpoint GET /api/v1/{tenant}/executions/{executionId}/file/preview contains an access control bypass that allows any authenticated user to read output files from any other executio...

CVSS 6.5, EPSS 0.00268
Exploits: 1, References: 1
CVE
added 6 days ago, 7 views

CVE-2026-55838

CVE-2026-55838 (RustFS) : In versions up to 1.0.0-beta.7, the real-time metrics endpoint /rustfs/admin/v3/metrics is accessible to any valid IAM user, because MetricsHandler skips the admin-request validation that other admin handlers perform. As a result, a user whose policy allows only their ow...

CVSS 4.3, AI score 5.8, EPSS 0.00162
Exploits: 0, References: 1
Cvelist
added 6 days ago, 24 views

CVE-2026-55838 RustFS: Missing admin authorization on /rustfs/admin/v3/metrics allows any authenticated user to read server metrics

RustFS is a distributed object storage system built in Rust. In 1.0.0-beta.7 and earlier, the real-time metrics endpoint at /rustfs/admin/v3/metrics is accessible to any valid IAM user regardless of their assigned policy. Every other admin handler in the codebase calls validate_admin_request to...

CVSS 4.3, EPSS 0.00162
Exploits: 0, References: 1
ATTACKERKB
added 6 days ago, 6 views

CVE-2026-13372

Incorrect link resolution by display name in the custom PowerShell VPN editor in Devolutions Remote Desktop Manager 2026.2.5 through 2026.2.11 allows an authenticated attacker with write access to a shared workspace to execute a PowerShell script in another user's context via a display name...

CVSS 7.2, AI score 5.8, EPSS 0.00278
Exploits: 0, References: 2, Affected software: 1
NVD
added 6 days ago, 7 views

CVE-2026-56823

AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to , the POST /api/integrations/webhooks/{webhook_id}/ping endpoint fetches the target webhook by primary key alone without verifying that the webhook belongs to the...

CVSS 5.4, EPSS 0.0015
Exploits: 0, References: 1
NVD
added 6 days ago, 9 views

CVE-2026-28385

In Canonical LXD versions 4.12 through 6.9, a Server-Side Request Forgery (SSRF) vulnerability in the image import functionality allows authenticated users with the can_create_images entitlement to interact with internal network infrastructure via the /images endpoint. When importing an image from a...

CVSS 5, EPSS 0.00172
Exploits: 0, References: 2
ATTACKERKB
added 6 days ago, 6 views

CVE-2026-47206

Dragonfly is an in-memory data store built for modern application workloads. Prior to 1.39.9, Dragonfly has a RESP Protocol Injection via Lua redis.error_reply in EvalSerializer. An authenticated user can inject arbitrary RESP messages into the connection's response stream, potentially causing...

CVSS 2.3, AI score 5.9, EPSS 0.00283
Exploits: 0, References: 4, Affected software: 1
CVE
added 6 days ago, 10 views

CVE-2026-28385

CVE-2026-28385 : Canonical LXD 4.12–6.9 contains an SSRF in image import from URL sources. Authenticated users with the can_create_images entitlement can leverage the /images endpoint to trigger outbound requests from the LXD daemon, failing to validate or restrict destinations. This allows conta...

CVSS 5, AI score 5.8, EPSS 0.00172
Exploits: 0, References: 2
Cvelist
added 6 days ago, 35 views

CVE-2026-28385 SSRF via image import from URL allows internal network probing by authenticated users

In Canonical LXD versions 4.12 through 6.9, a Server-Side Request Forgery (SSRF) vulnerability in the image import functionality allows authenticated users with the can_create_images entitlement to interact with internal network infrastructure via the /images endpoint. When importing an image from a...

CVSS 5, EPSS 0.00172
Exploits: 0, References: 2
OSV
added 6 days ago, 2 views

DEBIAN-CVE-2026-9639

Nil-pointer dereference in CreateCustomVolumeFromBackup in LXD up to version 6.8 and 5.21 on Linux allows an authenticated user with can_create_storage_volumes permissions to cause a denial of service via a specially crafted custom-volume backup tarball that omits the expires_at snapshot field...

CVSS 6.5, AI score 5.7, EPSS 0.00376
Exploits: 1, References: 1
NVD
added 6 days ago, 7 views

CVE-2026-9639

Nil-pointer dereference in CreateCustomVolumeFromBackup in LXD up to version 6.8 and 5.21 on Linux allows an authenticated user with can_create_storage_volumes permissions to cause a denial of service via a specially crafted custom-volume backup tarball that omits the expires_at snapshot field...

CVSS 6.5, EPSS 0.00376
Exploits: 1, References: 3
ATTACKERKB
added 6 days ago, 7 views

CVE-2026-56823

AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Prior to , the POST /api/integrations/webhooks/{webhook_id}/ping endpoint fetches the target webhook by primary key alone without verifying that the webhook belongs to the...

CVSS 5.4, AI score 5.9, EPSS 0.0015
Exploits: 0, References: 2, Affected software: 1