Lucene search
591 matches found

CNNVD
added 2026/04/09 12:00 a.m., 8 views

n8n-MCP code issue vulnerability

n8n-MCP is a model context protocol server developed by Romuald Członkowski, an individual developer. Versions of n8n-MCP prior to 2.47.4 contained code vulnerabilities. These vulnerabilities stemmed from authenticated server-side request forgery attacks, which could allow callers with a valid...

CVSS 8.5, AI score 6, EPSS 0.00316
Exploits 0, References 3
CNNVD
added 2026/04/09 12:00 a.m., 10 views

V2Board security vulnerability

V2Board is an open-source multi-user agent service management panel developed by V2Board. Versions 1.6.1 to 1.7.4 of V2Board, as well as Xboard 0.1.9 and earlier versions, have security vulnerabilities. These vulnerabilities stem from the HTTP response body of the loginWithMailLink endpoint...

CVSS 9.1, AI score 5.8, EPSS 0.00584
Exploits 1, References 8
Github Security Blog
added 2026/04/08 7:53 p.m., 6 views

n8n-mcp has authenticated SSRF via instance-URL header in multi-tenant HTTP mode

Impact An authenticated Server-Side Request Forgery in n8n-mcp allows a caller holding a valid AUTHTOKEN to cause the server to issue HTTP requests to arbitrary URLs supplied through multi-tenant HTTP headers. Response bodies are reflected back through JSON-RPC, so an attacker can read the conten...

CVSS 8.5, AI score 6, EPSS 0.00316
Exploits 0, References 5, Affected Software 1
OSV
added 2026/04/03 10:16 p.m., 7 views

ALPINE-CVE-2026-34990

OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, a local unprivileged user can coerce cupsd into authenticating to an attacker-controlled localhost IPP service with a reusable Authorization: Local ... token. That...

CVSS 5, AI score 5.9, EPSS 0.00289
Exploits 1, References 1
Github Security Blog
added 2026/03/30 5:24 p.m., 11 views

FHIR Validator HTTP service has SSRF via /loadIG Chains with startsWith() Credential Leak for Authentication Token Theft

Summary The FHIR Validator HTTP service exposes an unauthenticated /loadIG endpoint that makes outbound HTTP requests to attacker-controlled URLs. Combined with a startsWith URL prefix matching flaw in the credential provider ManagedWebAccessUtils.getServer, an attacker can steal authentication...

CVSS 9.3, AI score 5.9, EPSS 0.00299
Exploits 1, References 3, Affected Software 1
Positive Technologies
added 2026/03/29 12:00 a.m., 7 views

PT-2026-28613

Name of the Vulnerable Software and Affected Versions: Parse Server versions prior to 8.6.64; Parse Server versions prior to 9.7.0-alpha.8. Description: Parse Server is an open source backend deployable on Node.js infrastructure. An attacker with a valid authentication provider token and a single MFA...

CVSS 4.4, AI score 5.9, EPSS 0.00311
Exploits 0, References 12
RedhatCVE
added 2026/03/28 4:59 p.m., 6 views

CVE-2026-4984

The Twilio integration webhook handler accepts any POST request without validating Twilio's 'X-Twilio-Signature'. When processing media messages, it fetches user-controlled URLs from the 'MediaUrlN' parameters using HTTP requests that include the integration's Twilio credentials in the 'Authorization'...

CVSS 8.2, AI score 6, EPSS 0.00156
Exploits 0, References 1
SUSE CVE
added 2026/03/28 12:24 a.m., 4 views

SUSE CVE-2026-33898

Incus is a system container and virtual machine manager. Prior to version 6.23.0, the web server spawned by incus webui incorrectly validates the authentication token such that an invalid value will be accepted. incus webui runs a local web server on a random localhost port. For authentication, i...

CVSS 8.8, AI score 6, EPSS 0.00347
Exploits 0, References 3
Positive Technologies
added 2026/03/28 12:00 a.m., 3 views

PT-2026-28311

Name of the Vulnerable Software and Affected Versions: Ninja Forms - The Contact Form Builder That Grows With You, versions prior to 3.14.2. Description: The Ninja Forms plugin for WordPress is susceptible to sensitive information disclosure. Authenticated attackers with Contributor-level access or...

CVSS 6.5, AI score 5.9, EPSS 0.00225
Exploits 0, References 4
Github Security Blog
added 2026/03/27 5:21 p.m., 10 views

Local Incus UI web server vulnerable to authentication bypass

Summary: The web server spawned by incus webui incorrectly validates the authentication token such that an invalid value will be accepted. Details: incus webui runs a local web server on a random localhost port. For authentication, it provides the user with a URL containing an authentication token...

CVSS 8.8, AI score 6, EPSS 0.00347
Exploits 0, References 5, Affected Software 1
OSV
added 2026/03/27 2:10 p.m., 2 views

CVE-2026-33757 OpenBao lacks user confirmation for OIDC direct callback mode

OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao does not prompt for user confirmation when logging in via JWT/OIDC and a role with callbackmode set to direct. This allows an attacker to start an authentication request and perform "remote phishin...

CVSS 9.6, AI score 6.4, EPSS 0.00411
Exploits 0, References 5
NVD
added 2026/03/27 12:16 p.m., 1 view

CVE-2026-25099

Bludit’s API plugin allows an authenticated attacker with a valid API token to upload files of any type and extension without restriction, which can then be executed, leading to Remote Code Execution. This issue was fixed in 3.18.4...

CVSS 8.8, EPSS 0.01919
Exploits 4, References 2
Vulnrichment
added 2026/03/27 11:55 a.m., 2 views

CVE-2026-25099 Remote Code Execution via Unrestricted File Upload in Bludit

Bludit’s API plugin allows an authenticated attacker with a valid API token to upload files of any type and extension without restriction, which can then be executed, leading to Remote Code Execution. This issue was fixed in 3.18.4...

CVSS 8.7, AI score 5.9, EPSS 0.01919
Exploits 4, References 2
NVD
added 2026/03/27 12:16 a.m., 4 views

CVE-2026-33898

Incus is a system container and virtual machine manager. Prior to version 6.23.0, the web server spawned by incus webui incorrectly validates the authentication token such that an invalid value will be accepted. incus webui runs a local web server on a random localhost port. For authentication, i...

CVSS 8.8, EPSS 0.00347
Exploits 0, References 1
UbuntuCve
added 2026/03/27 12:16 a.m., 5 views

CVE-2026-33898

Incus is a system container and virtual machine manager. Prior to version 6.23.0, the web server spawned by incus webui incorrectly validates the authentication token such that an invalid value will be accepted. incus webui runs a local web server on a random localhost port. For authentication, i...

CVSS 8.8, AI score 5.9, EPSS 0.00347
Exploits 0, References 3
Cvelist
added 2026/03/26 11:25 p.m., 31 views

CVE-2026-33898 Local Incus UI web server vulnerable to authentication bypass

Incus is a system container and virtual machine manager. Prior to version 6.23.0, the web server spawned by incus webui incorrectly validates the authentication token such that an invalid value will be accepted. incus webui runs a local web server on a random localhost port. For authentication, i...

CVSS 8.8, EPSS 0.00347
Exploits 0, References 1
ATTACKERKB
added 2026/03/26 11:25 p.m., 4 views

CVE-2026-33898

Incus is a system container and virtual machine manager. Prior to version 6.23.0, the web server spawned by incus webui incorrectly validates the authentication token such that an invalid value will be accepted. incus webui runs a local web server on a random localhost port. For authentication, i...

CVSS 8.8, AI score 5.9, EPSS 0.00347
Exploits 0, References 2, Affected Software 1
Debian CVE
added 2026/03/26 11:25 p.m., 7 views

CVE-2026-33898

Incus is a system container and virtual machine manager. Prior to version 6.23.0, the web server spawned by incus webui incorrectly validates the authentication token such that an invalid value will be accepted. incus webui runs a local web server on a random localhost port. For authentication, i...

CVSS 8.8, AI score 5.7, EPSS 0.00347
Exploits 0
CNVD
added 2026/03/26 12:00 a.m., 1 view

OpenClaw Access Control Error Vulnerability (CNVD-2026-16052)

OpenClaw is an AI assistant open-sourced by OpenClaw. OpenClaw suffers from an Access Control Error vulnerability that can be exploited by an attacker to cause a local process to capture a gateway authentication token...

CVSS 6.8, AI score 5.9, EPSS 0.00126
Exploits 0
EUVD
added 2026/03/21 3:31 a.m., 3 views

EUVD-2026-13974

OpenClaw versions prior to 2026.2.22 reuse gateway.auth.token as a fallback hash secret for owner-ID prompt obfuscation when commands.ownerDisplay is set to hash and commands.ownerDisplaySecret is unset, creating dual-use of authentication secrets across security domains. Attackers with access to...

CVSS 6.3, AI score 5.8, EPSS 0.00262
Exploits 0, References 4