120712 matches found

CVE
added 2026/06/24 6:18 p.m., 8 views

CVE-2026-49247

Jellyfin (open-source self-hosted media server) has an authenticated path-traversal vulnerability in the POST /ClientLog/Document endpoint affecting 10.9.0 through 10.11.10. The endpoint uses the Authorization header's Client and Version fields to form on-disk filenames for client-uploaded log doc...

CVSS 8.8, AI score 6, EPSS 0.00344
Exploits: 0, References: 1
Cvelist
added 2026/06/24 6:18 p.m., 29 views

CVE-2026-49247 Jellyfin: Potential Authenticated path traversal in /ClientLog/Document

Jellyfin is an open source self hosted media server. From 10.9.0 until 10.11.10, the POST /ClientLog/Document endpoint accepts the Authorization header's Client and Version fields and uses them unsanitized as components of the on-disk filename when persisting client-uploaded log documents. As a...

CVSS 8.8, EPSS 0.00344
Exploits: 0, References: 1
CVE
added 2026/06/24 6:08 p.m., 9 views

CVE-2026-53946

Ghost (Node.js CMS) is affected in versions 6.19.4–6.21.1. During post re-render, Ghost fetches image dimensions by issuing an outbound HTTP request to the URL stored on an image card, without restricting allowed hosts. An authenticated staff user who can create or edit posts could point an image...

CVSS 5.4, AI score 5.9, EPSS 0.00122
Exploits: 0, References: 1
NVD
added 2026/06/24 5:17 p.m., 9 views

CVE-2026-52972

In the Linux kernel, the following vulnerability has been resolved: crypto: afalg - Cap AEAD AD length to 0x80000000. In order to prevent arithmetic overflows when checking the TX buffer size, cap the associated data length to 0x80000000...

CVSS 7, EPSS 0.0014
Exploits: 0, References: 11
Patchstack
added 2026/06/24 2:50 p.m., 6 views

WordPress Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns plugin <= 6.1.4 - Page Builder for Gutenberg Blocks & Patterns <= 6.1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Page Builder for Gutenberg Blocks & Patterns plugin <= 6.1.4 - Page Builder for Gutenberg Blocks & Patterns <= 6.1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Viet Anh Ngo in WordPress Plugin Essential Blocks for Gutenberg versions <= 6.1.4...

CVSS 6.4, AI score 5.8, EPSS 0.00193
Exploits: 0, References: 1, Affected Software: 1
ATTACKERKB
added 2026/06/24 2:20 p.m., 9 views

CVE-2026-50699

A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev. An authenticated attacker with write access to Auto Repeat can persist HTML/JavaScript in referencedocument using a whitelisted write path and trigger script execution when users open the affected Auto...

CVSS 4.6, AI score 6, EPSS 0.00313
Exploits: 0, References: 3
EUVD
added 2026/06/24 2:20 p.m., 10 views

EUVD-2026-38795

A Stored Cross-Site Scripting (XSS) vulnerability exists in Frappe Framework version 17.0.0-dev. An authenticated attacker with write access to Auto Repeat can persist HTML/JavaScript in referencedocument using a whitelisted write path and trigger script execution when users open the affected Auto...

CVSS 4.6, AI score 6, EPSS 0.00313
Exploits: 0, References: 2
ATTACKERKB
added 2026/06/24 1:21 p.m., 18 views

CVE-2026-35025

ProFTPD through 1.3.9b and 1.3.10rc2 contains an access control bypass vulnerability that allows authenticated FTP users to circumvent Directory ACL restrictions by prefixing paths with /proc/self/root in the RNFR command handler. Attackers can exploit the unresolved symlink components in...

CVSS 8.6, AI score 5.9, EPSS 0.00331
Exploits: 0, References: 4
Cvelist
added 2026/06/24 1:21 p.m., 32 views

CVE-2026-35025 ProFTPD ACL Bypass via /proc/self/root Path Prefix in RNFR

ProFTPD through 1.3.9b and 1.3.10rc2 contains an access control bypass vulnerability that allows authenticated FTP users to circumvent Directory ACL restrictions by prefixing paths with /proc/self/root in the RNFR command handler. Attackers can exploit the unresolved symlink components in...

CVSS 8.6, EPSS 0.00331
Exploits: 0, References: 3
EUVD
added 2026/06/24 1:21 p.m., 7 views

EUVD-2026-38789

ProFTPD through 1.3.9b and 1.3.10rc2 contains an access control bypass vulnerability that allows authenticated FTP users to circumvent Directory ACL restrictions by prefixing paths with /proc/self/root in the RNFR command handler. Attackers can exploit the unresolved symlink components in...

CVSS 8.6, AI score 5.9, EPSS 0.00331
Exploits: 0, References: 3
NVD
added 2026/06/24 1:16 p.m., 10 views

CVE-2026-56358

n8n before 1.123.25 (1.x) and before 2.11.2 (2.x), with the fix also included in 2.12.0, contains a stored cross-site scripting vulnerability in the Form Trigger node's CSS sanitization that allows authenticated users to inject malicious scripts. Attackers with workflow creation permissions can injec...

CVSS 5.4, EPSS 0.00144
Exploits: 0, References: 2
NVD
added 2026/06/24 1:16 p.m., 16 views

CVE-2026-56351

n8n before version 2.4.0 contains a SQL injection vulnerability in MySQL, PostgreSQL, and Microsoft SQL nodes that allows authenticated users to inject arbitrary SQL through unescaped identifier values in node configuration parameters. Attackers with workflow creation permissions can supply...

CVSS 9.6, EPSS 0.00217
Exploits: 0, References: 2
CVE
added 2026/06/24 12:33 p.m., 15 views

CVE-2026-12242

CVE-2026-12242 affects the WordPress AdRotate Banner Manager plugin up to version 5.17.7. The vulnerability is PHP Code Injection via the banner attribute of the adrotate shortcode, caused by insufficient validation and sanitization before concatenation into a PHP code string wrapped in W3 Total ...

CVSS 8.8, AI score 6.2, EPSS 0.00467
Exploits: 0, References: 11
Patchstack
added 2026/06/24 12:29 p.m., 9 views

WordPress AdRotate Banner Manager plugin <= 5.17.7 - Authenticated (Contributor+) PHP Code Injection vulnerability

Authenticated (Contributor+) PHP Code Injection vulnerability discovered by Osvaldo Noe Gonzalez Del Rio (Os - krei.dev | ogbuilders.io) in WordPress Plugin AdRotate Banner Manager versions <= 5.17.7...

CVSS 8.8, AI score 5.9, EPSS 0.00467
Exploits: 0, References: 1, Affected Software: 1
Patchstack
added 2026/06/24 12:19 p.m., 8 views

WordPress ProfileGrid – User Profiles, Groups and Communities plugin <= 5.9.9.2 - Authenticated (Subscriber+) Stored Cross-Site Scripting vulnerability

Authenticated (Subscriber+) Stored Cross-Site Scripting vulnerability discovered by Jonah Burgess (CryptoCat) in WordPress Plugin ProfileGrid versions <= 5.9.9.2...

CVSS 6.4, AI score 5.8, EPSS 0.00201
Exploits: 0, References: 1, Affected Software: 1
ATTACKERKB
added 2026/06/24 11:53 a.m., 6 views

CVE-2026-56351

n8n before version 2.4.0 contains a SQL injection vulnerability in MySQL, PostgreSQL, and Microsoft SQL nodes that allows authenticated users to inject arbitrary SQL through unescaped identifier values in node configuration parameters. Attackers with workflow creation permissions can supply...

CVSS 9.6, AI score 6.1, EPSS 0.00217
Exploits: 0, References: 3
EUVD
added 2026/06/24 11:53 a.m., 8 views

EUVD-2026-38753

n8n before version 2.4.0 contains a SQL injection vulnerability in MySQL, PostgreSQL, and Microsoft SQL nodes that allows authenticated users to inject arbitrary SQL through unescaped identifier values in node configuration parameters. Attackers with workflow creation permissions can supply...

CVSS 8.2, AI score 6.1, EPSS 0.00217
Exploits: 0, References: 2
EUVD
added 2026/06/24 11:53 a.m., 7 views

EUVD-2026-38754

n8n before 1.123.25 (1.x) and before 2.11.2 (2.x), with the fix also included in 2.12.0, contains a stored cross-site scripting vulnerability in the Form Trigger node's CSS sanitization that allows authenticated users to inject malicious scripts. Attackers with workflow creation permissions can injec...

CVSS 5.4, AI score 5.7, EPSS 0.00144
Exploits: 0, References: 2
CVE
added 2026/06/24 11:53 a.m., 22 views

CVE-2026-56351

CVE-2026-56351 affects n8n prior to 2.4.0. A SQL injection exists in the MySQL, PostgreSQL, and Microsoft SQL nodes, where unescaped identifier values in node configuration parameters can be exploited by an authenticated user with workflow-creation permissions to inject arbitrary SQL and compromi...

CVSS 9.6, AI score 6.1, EPSS 0.00217
Exploits: 0, References: 2, Affected Software: 1
Cvelist
added 2026/06/24 11:53 a.m., 33 views

CVE-2026-56358 n8n - Stored Cross-Site Scripting in Form Trigger Node

n8n before 1.123.25 (1.x) and before 2.11.2 (2.x), with the fix also included in 2.12.0, contains a stored cross-site scripting vulnerability in the Form Trigger node's CSS sanitization that allows authenticated users to inject malicious scripts. Attackers with workflow creation permissions can injec...

CVSS 5.4, EPSS 0.00144
Exploits: 0, References: 2