CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

EUVD•added 2026/06/10 1:55 p.m.•6 views

EUVD-2026-36031

A flaw was found in migration-planner. The agent-API middleware processes JSON Web Tokens JWTs for authentication, but its UpdateSourceInventory and UpdateAgentStatus handlers fail to validate the sourceid claim within these tokens against the requested source ID. This oversight allows an...

9.6CVSS5.5AI score0.00282EPSS

RedhatCVE•added 2026/06/10 1:55 p.m.•5 views

CVE-2026-53473

A flaw was found in migration-planner-ui-app. An attacker can register a malicious discovery agent with a specially crafted credentialUrl containing JavaScript code. When an organizational user clicks this link in the user interface, the embedded malicious code executes within the user's browser...

Vulnrichment•added 2026/06/10 1:55 p.m.•7 views

Exploits0References4

CVE-2026-53473 Migration-planner-ui-app: stored xss via javascript: url in agent credential link

EUVD•added 2026/06/10 1:55 p.m.•7 views

EUVD-2026-36029

Positive Technologies•added 2026/06/10 12:0 a.m.•8 views

PT-2026-48446

CNNVD•added 2026/06/10 12:0 a.m.•4 views

Exploits0References4

Migration Planner UI 跨站脚本漏洞

The Migration Planner UI is an open-source migration planning front-end tool developed by KubeV2V. The Migration Planner UI has a cross-site scripting vulnerability. This vulnerability arises from the ability of attackers to register malicious discovery agents containing JavaScript code. When an...

7.3CVSS5.1AI score0.00187EPSS

OSV•added 2026/06/08 11:35 p.m.•6 views

GHSA-QM33-P5P9-F8VG nebula-mesh: GET /api/v1/audit-log discloses all entries to any operator

internal/api/audit.go:12 — handleGetAuditLog does no admin check. The route is bearer-auth gated only; any operator API key returns the full audit log via store.ListAuditEntries up to limit=1000. This includes cross-tenant actor names, host/CA/operator IDs, action timestamps, and masked-IP entrie...

7.1CVSS5.5AI score0.00043EPSS

Exploits0References4

Positive Technologies•added 2026/06/08 12:0 a.m.•6 views

PT-2026-47578

7.1CVSS5.5AI score

Exploits0References5

Positive Technologies•added 2026/06/08 12:0 a.m.•7 views

PT-2026-47623

7.1CVSS5.5AI score0.00043EPSS

Exploits0References5

Positive Technologies•added 2026/06/04 12:0 a.m.•9 views

PT-2026-46897

Summary An authenticated tenant can inject arbitrary SQL through the valueProperty or groupBy fields of POST /api/v1/meters. The injection passes the application's JSONPath validation check and executes against the shared ClickHouse database, which contains event data for all tenants with no...

5.3CVSS6.1AI score0.00036EPSS

Exploits0References6

EUVD•added 2026/05/30 12:30 a.m.•12 views

EUVD-2026-33445

A race condition in the shared Extreme Platform ONE IAM Gateway API-key authentication path could, under specific high-concurrency traffic conditions, intermittently allow requests authenticated with an Extreme Platform ONE /IAM-issued API key to receive response data for another tenant. The issu...

6.3CVSS5.8AI score0.00172EPSS

Exploits0References2

CVE•added 2026/05/29 9:19 p.m.•35 views

CVE-2026-9831

The CVE-2026-9831 entry describes a race condition in the shared Extreme Platform ONE IAM Gateway API-key authentication path. Under high-concurrency traffic, requests authenticated with an Extreme Platform ONE /IAM API key could intermittently return data for a different tenant, indicating cross...

6.3CVSS5.8AI score0.00172EPSS

CVE•added 2026/05/28 4:51 p.m.•12 views

CVE-2026-45296

OpenReplay before 1.26.0 exposes cross-tenant risks via the Python API app_apikey routes that trust a caller-provided projectKey after validating only the API key and existence of the projectKey. The authorization flow fails to bind the authenticated API key to the correct tenant, enabling an att...

7.7CVSS5.8AI score0.00231EPSS

Vulnrichment•added 2026/05/21 12:47 a.m.•6 views

CVE-2026-9152 Unauthenticated SOAP Endpoint in Altium 365 SearchService Allows Cross-Tenant Data Exfiltration and Index Destruction

A missing authentication vulnerability exists in the Altium 365 SearchService. A legacy SOAP endpoint exposes search index operations without requiring authentication, session tokens, or any form of identity verification. An unauthenticated network attacker who can reference a target workspace's...

10CVSS5.8AI score0.00339EPSS

Cvelist•added 2026/05/19 9:28 a.m.•38 views

CVE-2026-31388 Apache OFBiz: Cross-Tenant Data Exposure via Program Export Feature

Improper Access Control vulnerability in Apache OFBiz in multi-tenant deployments. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue...

0.00416EPSS

Cvelist•added 2026/04/24 4:8 p.m.•19 views

CVE-2026-6911 Authentication Bypass via Missing JWT Signature Verification in AWS Ops Wheel

Missing JWT signature verification in AWS Ops Wheel allows unauthenticated attackers to forge JWT tokens and gain unintended administrative access to the application, including the ability to read, modify, and delete all application data across tenants and manage Cognito user accounts within the...

9.8CVSS0.00254EPSS

NVD•added 2026/04/22 2:17 p.m.•1 views

CVE-2026-6355

A vulnerability in the web application allows unauthorized users to access and manipulate sensitive data across different tenants by exploiting insecure direct object references. This could lead to unauthorized access to sensitive information and unauthorized changes to the tenant's configuration...

6.5CVSS0.00213EPSS