70 matches found

Nuclei (added 17 hours ago, 19 views)

LiteLLM - Arbitrary File Read

LiteLLM 1.83.0 contains a broken access control vulnerability caused by lack of admin role enforcement on the /config/update endpoint, letting authenticated users modify configurations, execute code, read files, and take over accounts. id: CVE-2026-35029 info: name: LiteLLM - Arbitrary File Read...

CVSS 8.8 | AI score 5.9 | EPSS 0.27194
Exploits: 2 | References: 3
RedhatCVE (added 2026/06/05 7:23 p.m., 7 views)

CVE-2026-43985

Tautulli is a Python-based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 expose configUpdate as a state-changing administrator endpoint, but the route does not enforce POST and does not use any anti-CSRF token. In the default form and JWT-based authentication mode,...

CVSS 8.8 | AI score 5.3 | EPSS 0.00146
Exploits: 0 | References: 1
NVD (added 2026/06/04 4:16 p.m., 10 views)

CVE-2026-43985

Tautulli is a Python-based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 expose configUpdate as a state-changing administrator endpoint, but the route does not enforce POST and does not use any anti-CSRF token. In the default form and JWT-based authentication mode,...

CVSS 8.8 | EPSS 0.00146
Exploits: 0 | References: 2
CVE (added 2026/06/04 2:32 p.m., 11 views)

CVE-2026-43985

Tautulli (Python-based Plex monitoring) before v2.17.1 exposes the admin-changing endpoint /configUpdate without enforcing POST or anti-CSRF checks. In default form/JWT modes, the SameSite=Lax cookie permits top-level cross-site requests, enabling an attacker to coerce a logged-in admin to submit...

CVSS 8.8 | AI score 5.8 | EPSS 0.00146
Exploits: 0 | References: 2
EUVD (added 2026/06/04 2:32 p.m., 7 views)

EUVD-2026-34285

Tautulli is a Python-based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 expose configUpdate as a state-changing administrator endpoint, but the route does not enforce POST and does not use any anti-CSRF token. In the default form and JWT-based authentication mode,...

CVSS 8.8 | AI score 5.8 | EPSS 0.00146
Exploits: 0 | References: 2
ATTACKERKB (added 2026/06/04 2:32 p.m., 5 views)

CVE-2026-43985

Tautulli is a Python-based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 expose configUpdate as a state-changing administrator endpoint, but the route does not enforce POST and does not use any anti-CSRF token. In the default form and JWT-based authentication mode,...

CVSS 8.8 | AI score 5.8 | EPSS 0.00146
Exploits: 0 | References: 3 | Affected Software: 1
Cvelist (added 2026/06/04 2:32 p.m., 34 views)

CVE-2026-43985 Tautulli has CSRF in /configUpdate via missing anti-CSRF and method restriction that allows admin credential takeover

Tautulli is a Python-based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 expose configUpdate as a state-changing administrator endpoint, but the route does not enforce POST and does not use any anti-CSRF token. In the default form and JWT-based authentication mode,...

CVSS 8.8 | EPSS 0.00146
Exploits: 0 | References: 2
Vulnrichment (added 2026/06/04 2:32 p.m., 9 views)

CVE-2026-43985 Tautulli has CSRF in /configUpdate via missing anti-CSRF and method restriction that allows admin credential takeover

Tautulli is a Python-based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 expose configUpdate as a state-changing administrator endpoint, but the route does not enforce POST and does not use any anti-CSRF token. In the default form and JWT-based authentication mode,...

CVSS 8.8 | AI score 5.8 | EPSS 0.00146
Exploits: 0 | References: 2
GithubExploit (added 2026/05/19 8:08 a.m., 85 views)

Exploit for Incorrect Authorization in Litellm

CVE-2026-35029 – LiteLLM /config/update privilege escalation...

CVSS 8.8 | AI score 6 | EPSS 0.27194
Exploits: 2
RedhatCVE (added 2026/04/07 2:13 p.m., 4 views)

CVE-2026-35029

A flaw was found in LiteLLM, an AI Gateway proxy server. An authenticated user can exploit a missing authorization check on the /config/update endpoint. This allows the user to modify proxy configurations and environment variables, leading to remote code execution by registering custom endpoint...

CVSS 8.8 | AI score 6.5 | EPSS 0.27194
Exploits: 2 | References: 4
Cvelist (added 2026/04/06 4:35 p.m., 32 views)

CVE-2026-35029 LiteLLM affected by privilege escalation via unrestricted proxy configuration endpoint

LiteLLM is a proxy server AI Gateway to call LLM APIs in OpenAI or native format. Prior to 1.83.0, the /config/update endpoint does not enforce admin role authorization. A user who is already authenticated into the platform can then use this endpoint to modify proxy configuration and environment...

CVSS 8.7 | EPSS 0.27194
Exploits: 2 | References: 1
Vulnrichment (added 2026/04/06 4:35 p.m., 3 views)

CVE-2026-35029 LiteLLM affected by privilege escalation via unrestricted proxy configuration endpoint

LiteLLM is a proxy server AI Gateway to call LLM APIs in OpenAI or native format. Prior to 1.83.0, the /config/update endpoint does not enforce admin role authorization. A user who is already authenticated into the platform can then use this endpoint to modify proxy configuration and environment...

CVSS 8.7 | AI score 6.3 | EPSS 0.27194
Exploits: 2 | References: 1
CVE (added 2026/04/06 4:35 p.m., 42 views)

CVE-2026-35029

CVE-2026-35029 affects LiteLLM, a proxy AI Gateway. The /config/update endpoint lacks admin authorization, allowing an authenticated user to modify proxy config and environment variables, register attacker-controlled Python code handlers, achieve remote code execution, read arbitrary server files...

CVSS 8.8 | AI score 6.3 | EPSS 0.27194
Exploits: 2 | References: 2 | Affected Software: 1
Veracode (added 2026/04/04 5:28 a.m., 6 views)

Privilege Escalation

LiteLLM is vulnerable to Privilege Escalation. The vulnerability is due to missing admin authorization checks on the /config/update endpoint, which allows an authenticated attacker to modify configurations, execute arbitrary code, and access sensitive data...

CVSS 8.8 | AI score 6 | EPSS 0.27194
Exploits: 2 | References: 4 | Affected Software: 1
Snyk (added 2026/04/03 9:59 p.m., 3 views)

Incorrect Authorization

Overview: litellm is a library to easily interface with LLM API providers. Affected versions of this package are vulnerable to Incorrect Authorization in the /config/update endpoint due to missing authorization checks. An attacker can modify proxy configuration, register custom endpoint handlers to...

CVSS 9.9 | AI score 6 | EPSS 0.27194
Exploits: 2 | References: 2
Positive Technologies (added 2026/04/03 12:00 a.m., 4 views)

PT-2026-30278

Name of the Vulnerable Software and Affected Versions: LiteLLM versions prior to 1.83.0. Description: LiteLLM is a proxy server for LLM APIs. The /config/update API endpoint did not enforce admin role authorization, allowing authenticated users to modify proxy configurations and environment variable...

CVSS 8.8 | AI score 6.5 | EPSS 0.27194
Exploits: 2 | References: 14
CNNVD (added 2026/03/23 12:00 a.m., 4 views)

OpenSource-WorkShop Connect-CMS Security Vulnerability

OpenSource-WorkShop Connect-CMS is a content management system used by the OpenSource-WorkShop company, designed for easy website creation. Connect-CMS versions 1.41.0 and earlier, as well as 2.41.0 and earlier, have security vulnerabilities. These vulnerabilities stem from issues with the...

CVSS 8.1 | AI score 5.8 | EPSS 0.00305
Exploits: 0 | References: 4
RedhatCVE (added 2026/03/01 1:43 a.m., 5 views)

CVE-2026-28516

openDCIM version 23.04, through commit 4467e9c4, contains a SQL injection vulnerability in Config::UpdateParameter. The install.php and container-install.php handlers pass user-supplied input directly into SQL statements using string interpolation without prepared statements or proper input...

CVSS 9.3 | AI score 6.1 | EPSS 0.0097
Exploits: 2 | References: 1
EUVD (added 2026/02/28 12:31 a.m., 6 views)

EUVD-2026-9097

openDCIM version 23.04, through commit 4467e9c4, contains a SQL injection vulnerability in Config::UpdateParameter. The install.php and container-install.php handlers pass user-supplied input directly into SQL statements using string interpolation without prepared statements or proper input...

CVSS 9.3 | AI score 6.1 | EPSS 0.0097
Exploits: 2 | References: 8
Cvelist (added 2026/02/27 10:11 p.m., 258 views)

CVE-2026-28516 openDCIM <= 23.04 SQL Injection in Config::UpdateParameter

openDCIM version 23.04, through commit 4467e9c4, contains a SQL injection vulnerability in Config::UpdateParameter. The install.php and container-install.php handlers pass user-supplied input directly into SQL statements using string interpolation without prepared statements or proper input...

CVSS 9.3 | EPSS 0.0097
Exploits: 2 | References: 7