CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

OSV•added 2026/05/22 1:17 p.m.•4 views

OESA-2026-2380 libsoup3 security update

Libsoup is an HTTP library implementation in C. It was originally part of a SOAP Simple Object Access Protocol implementation called Soup, but the SOAP and non-SOAP parts have now been split into separate packages. Security Fixes: A flaw was found in libsoup. When establishing HTTPS tunnels throu...

8.2CVSS5.8AI score0.00014EPSS

RedhatCVE•added 2026/05/20 7:57 p.m.•6 views

CVE-2026-30118

scalar/astro v0.1.13 was discovered to contain a Server-Side Request Forgery SSRF in the scalarurl query parameter of the Scalar Proxy endpoint. This vulnerability allows unauthenticated attackers to force the backend server to send HTTP requests to attacker-controlled URLs, leading to...

9.8CVSS5.8AI score0.0008EPSS

AstraLinux•added 2026/05/20 5:53 a.m.•1 views

Astra Linux - уязвимость в twisted

Twisted is an event-driven networking engine written in Python. In affected versions, Twisted exposes cookies and authorization headers when performing cross-origin redirects. This issue is present in the twited.web.RedirectAgent and twisted.web.BrowserLikeRedirectAgent functions. Users are advis...

7.5CVSS7.1AI score0.00241EPSS

NVD•added 2026/05/19 4:16 p.m.•7 views

CVE-2026-8706

Firefox for iOS hosted Reader mode on an unauthenticated local web server, allowing another application on the same device to request arbitrary URLs and receive the response rendered with the signed-in user's cookies. This vulnerability was fixed in Firefox for iOS 151.0...

6.5CVSS0.00019EPSS

UbuntuCve•added 2026/05/19 4:16 p.m.•4 views

CVE-2026-8706

6.5CVSS5.9AI score0.00019EPSS

Exploits0References3

Vulnrichment•added 2026/05/19 12:0 a.m.•5 views

CVE-2026-30118

5.8AI score0.0008EPSS

CVE•added 2026/05/19 12:0 a.m.•9 views

CVE-2026-30118

CVE-2026-30118 affects scalar/astro v0.1.13. The vulnerability is a Server-Side Request Forgery (SSRF) in the scalar_url query parameter of the Scalar Proxy endpoint. Unauthenticated attackers can coerce the backend to perform HTTP requests to attacker-controlled URLs, leading to exposure of auth...

9.8CVSS5.8AI score0.0008EPSS

Cvelist•added 2026/05/19 12:0 a.m.•34 views

CVE-2026-30118

0.0008EPSS

Tenable Nessus•added 2026/05/11 12:0 a.m.•5 views

MiracleLinux 8 : libsoup-2.62.3-14.el8_10 (AXSA:2026-596:09)

The remote MiracleLinux 8 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2026-596:09 advisory. libsoup: libsoup: Information disclosure via cleartext transmission of cookies during HTTPS tunnel establishment CVE-2026-5119 Tenable has extracted the...

8.2CVSS5.8AI score0.00014EPSS

OSV•added 2026/05/07 6:0 a.m.•6 views

RLSA-2026:14087 Moderate: libsoup security update

The libsoup packages provide an HTTP client and server library for GNOME. Security Fixes: libsoup: libsoup: Information disclosure via cleartext transmission of cookies during HTTPS tunnel establishment CVE-2026-5119 For more details about the security issues, including the impact, a CVSS score,...

5.9CVSS5.8AI score0.00014EPSS

Snyk•added 2026/05/05 5:31 p.m.•6 views

Use of Persistent Cookies Containing Sensitive Information

Overview Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design. Affected versions of this package are vulnerable to Use of Persistent Cookies Containing Sensitive Information in the SESSIONSAVEEVERYREQUEST. An attacker can hijack a user's sessio...

6.5CVSS5.8AI score0.00041EPSS

Positive Technologies•added 2026/03/31 12:0 a.m.•1 views

PT-2026-29358

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo endpoint objects/emailAllUsers.json.php allows administrators to send HTML emails to every registered user on the platform. While the endpoint verifies admin session status, it does not validate a CSRF token...

6.5CVSS6AI score0.00008EPSS

Exploits1References3

UbuntuCve•added 2026/02/06 5:16 p.m.•3 views

CVE-2026-23738

Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, user supplied/control values for Cookies and any GET variable query Parameter are directly interpolated into the HTML of the page using aststrappend. The...

6.1CVSS5.7AI score0.00051EPSS

EUVD•added 2026/02/06 4:41 p.m.•2 views

EUVD-2026-5645

3.5CVSS5.3AI score0.00051EPSS

Cvelist•added 2026/01/24 12:5 a.m.•31 views

CVE-2026-24399 ChatterMate has Stored Cross-Site Scripting (XSS) via Chatbot Input Execution

ChatterMate is a no-code AI chatbot agent framework. In versions 1.0.8 and below, the chatbot accepts and executes malicious HTML/JavaScript payloads when supplied as chat input. Specifically, an payload containing a javascript: URI can be processed and executed in the browser context. This allow...

9.3CVSS0.00017EPSS

Exploits1References3

Positive Technologies•added 2026/01/24 12:0 a.m.•3 views

PT-2026-4544

9.3CVSS5.4AI score0.00017EPSS

Exploits1References4

RedhatCVE•added 2026/01/17 2:6 p.m.•3 views

CVE-2026-0696

In ConnectWise PSA versions older than 2026.1, certain session cookies were not set with the HttpOnly attribute. In some scenarios, this could allow client-side scripts access to session cookie values...

6.5CVSS6.8AI score0.0002EPSS