Lucene search
K

680 matches found

EUVD
EUVD
added 3 days ago9 views

EUVD-2026-43175

PraisonAI before 4.6.78 fails to validate the caller-controlled dimension argument in the PGVector and Cassandra knowledge-store createcollection backends. Although schema, keyspace, and collection-name identifiers are validated, the dimension value declared as int but not enforced at runtime is...

9.8CVSS6.1AI score0.0041EPSS
Exploits0References3
CVE
CVE
added 2026/07/06 8:5 p.m.12 views

CVE-2026-55574

CVE-2026-55574 affects vLLM prior to 0.24.0, where structured_outputs.regex passes an unguarded user-supplied regex to grammar backends (xgrammar and outlines). In xgrammar, the string reaches the regex compiler without a timeout guard; in outlines, validation overlooks regex complexity (e.g., ne...

8.7CVSS5.9AI score0.00324EPSS
Exploits0References3Affected Software1
Cvelist
Cvelist
added 2026/07/06 8:5 p.m.37 views

CVE-2026-55574 vLLM: ReDoS via structured_outputs.regex compiled without timeout in xgrammar and outlines backends

vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Prior to 0.24.0, the structuredoutputs.regex API parameter passes a user-supplied regular expression string directly to the grammar compiler backends with no compilation timeout; in the xgrammar backend the stri...

8.7CVSS0.00324EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/07/06 8:5 p.m.5 views

CVE-2026-55574

vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Prior to 0.24.0, the structuredoutputs.regex API parameter passes a user-supplied regular expression string directly to the grammar compiler backends with no compilation timeout; in the xgrammar backend the stri...

8.7CVSS5.9AI score0.00324EPSS
Exploits0References4Affected Software1
NVD
NVD
added 2026/07/06 9:16 a.m.9 views

CVE-2026-46590

Deserialization of Untrusted Data vulnerability in Apache Camel PQC component. The camel-pqc component persists post-quantum key metadata KeyMetadata through pluggable KeyLifecycleManager implementations. HashicorpVaultKeyLifecycleManager and AwsSecretsManagerKeyLifecycleManager read that metadat...

8.8CVSS0.00485EPSS
Exploits0References1
EUVD
EUVD
added 2026/07/06 8:3 a.m.5 views

EUVD-2026-41834

Deserialization of Untrusted Data vulnerability in Apache Camel PQC component. The camel-pqc component persists post-quantum key metadata KeyMetadata through pluggable KeyLifecycleManager implementations. HashicorpVaultKeyLifecycleManager and AwsSecretsManagerKeyLifecycleManager read that metadat...

8.8CVSS6.4AI score0.00485EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/07/06 12:0 a.m.10 views

PT-2026-56000

Name of the Vulnerable Software and Affected Versions vLLM versions prior to 0.24.0 Description The structured outputs.regex API parameter allows user-supplied regular expression strings to be passed to grammar compiler backends without a compilation timeout. In the xgrammar backend, the string i...

8.7CVSS6AI score0.00324EPSS
Exploits0References8
Fedora
Fedora
added 2026/07/02 1:11 a.m.9 views

[SECURITY] Fedora 44 Update: rclone-1.74.3-1.fc44

"rsync for cloud storage" - Google Drive, S3, Dropbox, Backblaze B2, One Driv e, Swift, Hubic, Wasabi, Google Cloud Storage, Azure Blob, Azure Files, Yandex Files...

9.1CVSS6.3AI score0.00533EPSS
Exploits1
CVE
CVE
added 2026/07/01 9:15 p.m.13 views

CVE-2026-54704

OpenTelemetry Java Instrumentation contains a vulnerability in JDBC auto-instrumentation prior to version 2.28.0 where passwords in SQL CONNECT statements may not be sanitized if the password is double-quoted. This can cause clear-text database passwords to be added to trace spans and exported to...

6.5CVSS5.7AI score0.00224EPSS
Exploits0References1Affected Software1
RedHat Linux
RedHat Linux
added 2026/07/01 9:31 a.m.4 views

httpd: Apache HTTP Server: Heap-based Buffer Overflow via malicious backend servers

A flaw was found in Apache HTTP Server. This heap-based buffer overflow vulnerability can be exploited by a malicious backend server when using ProxyPassReverseCookie directives. This could lead to a denial of service DoS condition, making the server unavailable to legitimate users...

7.5CVSS6AI score0.00682EPSS
Exploits0References5
Fedora
Fedora
added 2026/07/01 1:2 a.m.20 views

[SECURITY] Fedora 44 Update: python-django-haystack-3.4.0-1.fc44

Haystack provides modular search for Django. It features a unified, familiar API that allows you to plug in different search backends such as Solr, Elasticsearch, Whoosh, Xapian, etc. without having to modify your code. Haystack is BSD licensed, plays nicely with third-party app without needing t...

5.8AI score
Exploits0
NVD
NVD
added 2026/06/28 2:16 a.m.10 views

CVE-2026-58055

nghttp2's nghttpx proxy through 1.69.0 forwards an HTTP/1.1 Upgrade request that also carries a Content-Length header and body onto reusable keep-alive backend connections, re-adding the Upgrade and Connection headers while passing Content-Length verbatim. A backend that resolves the resulting...

6.3CVSS0.00202EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/28 1:32 a.m.9 views

EUVD-2026-39975

nghttp2's nghttpx proxy through 1.69.0 forwards an HTTP/1.1 Upgrade request that also carries a Content-Length header and body onto reusable keep-alive backend connections, re-adding the Upgrade and Connection headers while passing Content-Length verbatim. A backend that resolves the resulting...

6.3CVSS5.8AI score0.00202EPSS
Exploits0References3
NVD
NVD
added 2026/06/24 7:17 p.m.10 views

CVE-2026-53948

Ghost is a Node.js content management system. From 6.19.4 until 6.21.1, insufficient validation of the client-supplied Content-Type on Ghost's Admin API file upload endpoint allowed uploaded files to be served from the site with an attacker-chosen content type on S3/GCS storage backends. On...

5.4CVSS0.00133EPSS
Exploits0References1
CVE
CVE
added 2026/06/24 6:6 p.m.8 views

CVE-2026-53948

CVE-2026-53948 affects Ghost CMS (Node.js) due to insufficient validation of the client-supplied Content-Type on the Admin API file upload endpoint. Between 6.19.4 and 6.21.1, uploaded files could be served with an attacker-chosen content type on S3/GCS storage backends, and in installations serv...

5.4CVSS5.6AI score0.00133EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/24 7:27 a.m.6 views

CVE-2026-54762

A flaw was found in Traefik, an HTTP reverse proxy and load balancer. When an Ingress is configured to use BasicAuth or DigestAuth, but the associated authentication secret cannot be resolved or is malformed, Traefik fails to apply the authentication middleware. This allows unauthenticated access...

8.6CVSS5.8AI score0.0036EPSS
Exploits1References5
Positive Technologies
Positive Technologies
added 2026/06/24 12:0 a.m.7 views

PT-2026-52072

Name of the Vulnerable Software and Affected Versions Ghost versions 6.19.4 through 6.21.0 Description Insufficient validation of the client-supplied Content-Type on the Admin API file upload endpoint allows uploaded files to be served with an attacker-chosen content type when using S3 or GCS...

5.4CVSS5.5AI score0.00133EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/06/23 8:59 p.m.28 views

CVE-2026-41862

Spring Statemachine's Kryo-based persistence backends JPA, MongoDB, Redis and ZooKeeper deserialise persisted state-machine contexts without enforcing a class allowlist CWE-502, deserialisation of untrusted data, which can lead to remote code execution inside the application JVM. Affected version...

8.8CVSS0.00423EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/23 8:59 p.m.8 views

EUVD-2026-38596

Spring Statemachine's Kryo-based persistence backends JPA, MongoDB, Redis and ZooKeeper deserialise persisted state-machine contexts without enforcing a class allowlist CWE-502, deserialisation of untrusted data, which can lead to remote code execution inside the application JVM. Affected version...

8.8CVSS6.5AI score0.00423EPSS
Exploits0References1
NVD
NVD
added 2026/06/23 6:18 p.m.10 views

CVE-2026-54021

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, several direct, index-addressed Ollama proxy routes accept a caller-supplied urlidx path parameter and use it as a raw index into the admin-configured OLLAMABASEURLS list. Access...

6.3CVSS0.0021EPSS
Exploits0References1
Rows per page
Query Builder