Lucene search
K

3063 matches found

Nuclei
Nuclei
added 12 hours ago153 views

phpIPAM - 1.6 - Cross-Site Scripting

phpIPAM 1.6 contains a cross-site scripting vulnerability via the closeClass parameter at /subnet-masks/popup.php. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication...

6.1CVSS6.5AI score0.03904EPSS
Exploits3References2
NVD
NVD
added 4 days ago4 views

CVE-2026-51926

An issue in docuForm GmbH FSM Client v.11.11c allows a remote attacker to obtain sensitive information via the login.php component. A vulnerability was identified in the authentication mechanism that allows user enumeration through the login interface. An attacker can differentiate between valid...

7.5CVSS0.0036EPSS
Exploits0References2
RedHat Linux
RedHat Linux
added 4 days ago6 views

golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via crafted public key with excessive parameters

A flaw was found in golang.org/x/crypto/ssh. The RSA and DSA public key parsers in the affected component did not enforce size limits on key parameters. This vulnerability allows an unauthenticated client to provide a crafted public key with an excessively large modulus or DSA parameter during...

7.5CVSS5.9AI score0.00415EPSS
Exploits0References9
ATTACKERKB
ATTACKERKB
added 4 days ago7 views

CVE-2026-51926

An issue in docuForm GmbH FSM Client v.11.11c allows a remote attacker to obtain sensitive information via the login.php component. A vulnerability was identified in the authentication mechanism that allows user enumeration through the login interface. An attacker can differentiate between valid...

7.5CVSS6AI score0.0036EPSS
Exploits0References3
NVD
NVD
added last week11 views

CVE-2026-40138

A critical pre-authentication vulnerability exists in the authentication subsystem of BeyondTrust Remote Support and Privileged Remote Access. Improper validation of authentication data may allow a network-positioned attacker to bypass access controls and gain unauthorized access to the appliance...

9.2CVSS0.00417EPSS
Exploits0References1
CVE
CVE
added 2026/07/06 4:13 p.m.37 views

CVE-2026-40140

BeyondTrust Remote Support and Privileged Remote Access are affected by CVE-2026-40140, a pre-authentication vulnerability in the network communication subsystem. The issue stems from insufficient validation of client-supplied input, enabling an unauthenticated remote attacker to trigger a denial...

8.7CVSS6AI score0.00561EPSS
Exploits0References1Affected Software2
ATTACKERKB
ATTACKERKB
added 2026/07/06 4:12 p.m.4 views

CVE-2026-40138

A critical pre-authentication vulnerability exists in the authentication subsystem of BeyondTrust Remote Support and Privileged Remote Access. Improper validation of authentication data may allow a network-positioned attacker to bypass access controls and gain unauthorized access to the appliance...

9.2CVSS6AI score0.00417EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/06 12:0 a.m.10 views

PT-2026-55950

Name of the Vulnerable Software and Affected Versions BeyondTrust Remote Support and Privileged Remote Access versions prior to 26.2.1 BeyondTrust Remote Support and Privileged Remote Access versions prior to 25.3.3 Description A critical pre-authentication flaw exists in the authentication...

9.2CVSS6.2AI score0.00417EPSS
Exploits0References23
Positive Technologies
Positive Technologies
added 2026/07/06 12:0 a.m.8 views

PT-2026-55952

BeyondTrust Remote Support and Privileged Remote Access contain a high-severity pre-authentication vulnerability in the network communication subsystem. Insufficient validation of client-supplied input may allow an unauthenticated remote attacker to trigger a denial-of-service condition affecting...

8.7CVSS6AI score0.00561EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/07/06 12:0 a.m.9 views

PT-2026-55951

Name of the Vulnerable Software and Affected Versions BeyondTrust Remote Support affected versions not specified Description A critical pre-authentication flaw exists in the authentication subsystem. Improper processing of authentication requests allows an unauthenticated remote attacker to bypas...

9.8CVSS6.2AI score0.00653EPSS
Exploits0References15
EUVD
EUVD
added 2026/07/04 7:15 p.m.7 views

EUVD-2026-41692

A security vulnerability has been detected in code-projects Online Voting System up to 0.x/1.0. This issue affects the function testinput of the file /authentication.php of the component Login. Such manipulation of the argument adminUserName/adminPassword leads to sql injection. It is possible to...

7.5CVSS6.8AI score0.00347EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/07/04 12:45 p.m.39 views

CVE-2026-14627 NousResearch hermes-agent Discord Platform Integration discord.py DiscordAdapter._is_allowed_user improper authentication

A security vulnerability has been detected in NousResearch hermes-agent up to 0.15.2. This affects the function DiscordAdapter.isalloweduser of the file gateway/platforms/discord.py of the component Discord Platform Integration. Such manipulation leads to improper authentication. The attack can b...

6.3CVSS0.00369EPSS
Exploits0References5
RedHat Linux
RedHat Linux
added 2026/07/01 6:20 p.m.4 views

postgresql: PostgreSQL: Credential recovery via covert timing channel in MD5 password comparison

A flaw was found in PostgreSQL. This vulnerability, a covert timing channel, exists in the comparison of MD5-hashed passwords during authentication. A remote attacker could exploit this to recover user credentials, gaining unauthorized access to the database. This issue specifically impacts...

8.2CVSS5.8AI score0.00558EPSS
Exploits0References5
CVE
CVE
added 2026/07/01 11:59 a.m.22 views

CVE-2026-53908

CVE-2026-53908 affects MCO. The vulnerability enables user enumeration via authentication-related functions: username reminder and password reset responses differ for valid vs invalid users, allowing an attacker to discover valid usernames and email addresses. Vulnerable context: confirmed in ver...

6.9CVSS5.8AI score0.00211EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/07/01 12:0 a.m.11 views

PT-2026-54485

UltraVNC repeater through 1.8.2.2 contains a post-authentication out-of-bounds write in the allow/deny rule parser. In repeater/webgui/settings.c:225-272, after strncpy s copies a rule token into temp1rule1 25-byte destination or temp2/temp3 16-byte destination, the code unconditionally writes a...

7.2CVSS6.3AI score0.00571EPSS
Exploits0References7
Cvelist
Cvelist
added 2026/06/30 8:27 a.m.46 views

CVE-2026-12610 Sssd: use-after-free crash in sssd' 'sssd_pam' process

A flaw was found in sssd. When authenticating with a YubiKey, the SSSD PAM responder can crash due to a use-after-free vulnerability, where a memory pointer is incorrectly handled. A local attacker could exploit this flaw by manipulating smartcard or YubiKey contents, leading to a denial of servi...

6.4CVSS0.00155EPSS
Exploits0References3
Debian CVE
Debian CVE
added 2026/06/29 8:44 p.m.4 views

CVE-2026-55955

Improper Authentication vulnerability in Apache Tomcat allowed a replay attack against the EncryptionInterceptor in the cluster component. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.13 through 9.0.18, from 8.5.38 through 8.5.100, fro...

6.5CVSS5.7AI score0.0028EPSS
Exploits0
OSV
OSV
added 2026/06/29 11:50 a.m.4 views

PYSEC-2026-340 Flask-AppBuilder vulnerable to incorrect authentication when using auth type OpenID

Impact When Flask-AppBuilder is set to AUTHTYPE AUTHOID, allows an attacker to forge an HTTP request, that could deceive the backend into using any requested OpenID service. This vulnerability could grant an attacker unauthorised privilege access if a custom OpenID service is deployed by the...

9.1CVSS5.8AI score0.00857EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/06/25 11:29 p.m.39 views

CVE-2026-9222 Setracker2 Children's Smartwatch Ecosystem Use of password hash instead of password for authentication

Setracker2 Android Companion App com.tgelec.setracker versions 3.1.5 and prior only require the password hash when authenticating with backend services from the client. This could allow an attacker, who knows the hash, to authenticate and gain full access...

9.2CVSS0.00242EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/25 6:45 p.m.8 views

EUVD-2026-38392

Filament: Multi-factor authentication app recovery codes can still be used multiple times via concurrent submission...

7.4CVSS5.8AI score0.00193EPSS
Exploits0References2
Rows per page
Query Builder