Lucene search
K

741 matches found

Vulnrichment
Vulnrichment
added 2026/05/20 1:9 p.m.14 views

CVE-2026-3039 BIND 9 server memory exhaustion during GSS-API TKEY negotiation

BIND servers that are configured to use TKEY-based authentication via GSS-API tokens are vulnerable to excessive memory consumption when receiving and processing maliciously-constructed packets. Typically these servers will be found in Active Directory integrated DNS deployments and/or...

7.5CVSS5.7AI score0.01047EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/05/19 2:46 p.m.14 views

Stored XSS via <iframe> in HAX CMS allows access to sensitive client-side data and account takeover

Summary A stored cross-site scripting XSS vulnerability exists in HAX CMS due to improper sanitization of elements. The application allows javascript: URIs in the src attribute, which are executed when a malicious page is viewed. This enables attackers to execute arbitrary JavaScript in the conte...

9.3CVSS5.9AI score0.0023EPSS
Exploits0References3Affected Software3
Snyk
Snyk
added 2026/05/18 9:0 p.m.16 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...

9.8CVSS5.9AI score
Exploits0References2
Snyk
Snyk
added 2026/05/14 8:27 p.m.11 views

Cross-site Scripting (XSS)

Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Cross-site Scripting XSS via the profileimageurl process. An attacker can execute arbitrary JavaScript in the context of another authenticated user's session by crafting a malicious SVG image as their OAuth...

8.5CVSS5.8AI score
Exploits0References2
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/14 7:24 p.m.11 views

Malicious code in cheerio-tool (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2d51a2885f4eaff732d1ef7ab065b04d21c59263b1212d5b92b92c87914ef879 cheerio-tool typosquats the popular cheerio HTML parser README claims 'Cheerio Tool utility helpers', keywords are 'lodash','utilities', and index.js...

5.8AI score
Exploits0References3
NVD
NVD
added 2026/05/14 5:16 p.m.19 views

CVE-2025-62312

HCL AION is affected by a vulnerability where basic authorization tokens are used for authentication. Use of basic authorization mechanisms may expose credentials to potential interception or misuse, especially if not combined with secure transmission practices...

3CVSS0.00137EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/14 4:9 p.m.33 views

CVE-2025-62312 HCL AION is affected by a vulnerability where basic authorization tokens are used for authentication

HCL AION is affected by a vulnerability where basic authorization tokens are used for authentication. Use of basic authorization mechanisms may expose credentials to potential interception or misuse, especially if not combined with secure transmission practices...

3CVSS0.00137EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/05/14 12:0 a.m.12 views

HCL AION 安全漏洞

HCL AION is an AI lifecycle management platform developed by the Indian company HCL. HCL AION has a security vulnerability, which stems from the use of basic authorization tokens for authentication. This vulnerability may lead to credentials being intercepted or abused...

3CVSS5.8AI score0.00137EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/05/10 12:0 a.m.8 views

Catalyst::Plugin::Statsd 安全漏洞

Catalyst::Plugin::Statsd is a plugin module by Robert Rothenberg, an individual developer, for capturing application runtime metrics and sending them to a statistics system. A security vulnerability exists in Catalyst::Plugin::Statsd 0.10.0 and earlier versions, which stems from an unencrypted...

7.5CVSS5.8AI score0.00244EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/10 12:0 a.m.14 views

PT-2026-39537

Name of the Vulnerable Software and Affected Versions Catalyst::Plugin::Statsd versions prior to 0.10.0 Description Catalyst::Plugin::Statsd for Perl may leak session ids. This occurs if the communication channel to the statsd daemon is not secured, such as when sending UDP packets to a host on...

7.5CVSS5.8AI score0.00244EPSS
Exploits0References7
CVE
CVE
added 2026/05/07 1:41 p.m.16 views

CVE-2026-41519

CVE-2026-41519 affects Weblate prior to 5.17.1, where DRF API tokens with wlu_ prefix stored in authtoken_token are not revoked on password change, while browser sessions are invalidated via cycle_session_keys(). The connected advisory confirms the issue impact and provides remediation: upgrade t...

5.4CVSS5.7AI score0.00228EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/06 4:42 p.m.10 views

Rucio has SQL Injection in FilterEngine Oracle JSON Path via DID Search API

Summary A SQL injection vulnerability in the Oracle path of FilterEngine.createsqlaquery allows any authenticated Rucio user to execute arbitrary SQL against the backend database through the DID search endpoint GET /dids//dids/search. Attacker-controlled filter keys and values are interpolated...

9.4CVSS6.5AI score0.00281EPSS
Exploits0References6Affected Software1
OSV
OSV
added 2026/05/06 4:42 p.m.8 views

GHSA-VJR5-C9QV-HGM3 Rucio has SQL Injection in FilterEngine Oracle JSON Path via DID Search API

Summary A SQL injection vulnerability in the Oracle path of FilterEngine.createsqlaquery allows any authenticated Rucio user to execute arbitrary SQL against the backend database through the DID search endpoint GET /dids//dids/search. Attacker-controlled filter keys and values are interpolated...

9.9CVSS6.5AI score0.00281EPSS
Exploits0References6
Microsoft Secure
Microsoft Secure
added 2026/05/04 3:0 p.m.8 views

Breaking the code: Multi-stage ‘code of conduct’ phishing campaign leads to AiTM token compromise

In this article 1. Multi-step social engineering campaign leading to credential theft 2. Mitigation and protection guidance 3. Microsoft Defender detections 4. Hunting queries 5. Indicators of compromise Phishing campaigns continue to improve sophistication and refinement in blending social...

5.7AI score
Exploits0
CNNVD
CNNVD
added 2026/05/01 12:0 a.m.10 views

V2Board 安全漏洞

V2Board is a multi-user proxy service management panel for V2Board open source. A security vulnerability exists in V2Board 1.7.4 and earlier versions that originates from server authentication tokens being transmitted via GET parameters, which could lead to an attacker extracting the token from a...

7.5CVSS5.8AI score0.00286EPSS
Exploits1References1
OSV
OSV
added 2026/04/30 5:28 p.m.4 views

GHSA-6J8J-4QP3-36P2 Weblate Doesn't Invalidate API Token on Password Change

Impact When a user changes their password, browser sessions are correctly invalidated via cyclesessionkeys, but DRF API tokens wlu prefix stored in authtokentoken are not revoked. Patches https://github.com/WeblateOrg/weblate/pull/19057 Resources Weblate thanks Sang Yu Jeon for reporting this via...

4.2CVSS5.8AI score0.00228EPSS
Exploits0References6
CNNVD
CNNVD
added 2026/04/24 12:0 a.m.9 views

AdaptiveGRC 跨站脚本漏洞

AdaptiveGRC is an enterprise-level platform for governance, risk, and compliance management developed by the Polish company AdaptiveGRC. AdaptiveGRC has a cross-site scripting vulnerability. This vulnerability stems from improper validation of text type field parameters by the server. It may allo...

2.4CVSS5.9AI score0.0059EPSS
Exploits0References1
NVD
NVD
added 2026/04/21 8:17 p.m.8 views

CVE-2026-40907

WWBN AVideo is an open source video platform. In versions 29.0 and prior, the endpoint plugin/Live/view/Liverestreams/list.json.php contains an Insecure Direct Object Reference IDOR vulnerability that allows any authenticated user with streaming permission to retrieve other users' live restream...

6.5CVSS0.00269EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/04/20 8:16 p.m.4 views

CVE-2026-34403 Nginx-UI vulnerable to Cross-Site WebSocket Hijacking (CSWSH) via missing origin validation on all WebSocket endpoints

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.5, all WebSocket endpoints in nginx-ui use a gorilla/websocket Upgrader with CheckOrigin unconditionally returning true, allowing Cross-Site WebSocket Hijacking CSWSH. Combined with the fact that authentication tokens...

6.9CVSS5.7AI score0.00176EPSS
Exploits1References2
CNNVD
CNNVD
added 2026/04/20 12:0 a.m.8 views

Canonical Livepatch 安全漏洞

Canonical Livepatch is a system component developed by Canonical OpenSource that manages kernel hotfix updates and patches. Versions of Canonical Livepatch prior to 10.15.0 contained security vulnerabilities. These vulnerabilities were caused by improper access control, allowing local...

5.7CVSS5.8AI score0.00121EPSS
Exploits0References1
Rows per page
Query Builder