87 matches found

Source: CVE | Added: 2026/06/12 9:03 p.m. | Views: 22

CVE-2026-49396

CVE-2026-49396 affects Nezha Monitoring (versions 1.0.0 up to before 2.0.14). A cross-site GET request can trigger stored cron commands on a victim’s agents, enabling an attacker to force execution of an existing cron task via the victim’s authenticated session. The issue has been patched in vers...

CVSS 7.1 | AI score 5.1 | EPSS 0.00123
Exploits: 0 | References: 1
Source: NVD | Added: 2026/06/12 8:16 p.m. | Views: 11

CVE-2026-54359

MISP contains an insecure default configuration in which the Security.check_sec_fetch_site_header control is disabled. When this setting is disabled, state-changing requests such as POST, PUT, or AJAX requests are not restricted based on the browser-provided Sec-Fetch-Site header. A remote...

CVSS 7.1 | EPSS 0.00189
Exploits: 0 | References: 1
Source: EUVD | Added: 2026/06/12 7:44 p.m. | Views: 9

EUVD-2026-36551

MISP contains an insecure default configuration in which the Security.check_sec_fetch_site_header control is disabled. When this setting is disabled, state-changing requests such as POST, PUT, or AJAX requests are not restricted based on the browser-provided Sec-Fetch-Site header. A remote...

CVSS 7.1 | AI score 5.3 | EPSS 0.00189
Exploits: 0 | References: 1
Source: Positive Technologies | Added: 2026/06/12 12:00 a.m. | Views: 13

PT-2026-48971

MISP contains an insecure default configuration in which the Security.check_sec_fetch_site_header control is disabled. When this setting is disabled, state-changing requests such as POST, PUT, or AJAX requests are not restricted based on the browser-provided Sec-Fetch-Site header. A remote...

CVSS 7.1 | AI score 5.2 | EPSS 0.00189
Exploits: 0 | References: 2
Source: Snyk | Added: 2026/05/21 8:35 p.m. | Views: 10

Sensitive Cookie in HTTPS Session Without "Secure" Attribute

Overview: nocodb is a NocoDB. Affected versions of this package are vulnerable to Sensitive Cookie in HTTPS Session Without "Secure" Attribute through the setTokenCookie function in the authentication service. An attacker can steal or replay the refresh_token by intercepting it over plaintext HTTP o...

CVSS 5.4 | AI score 5.7 | EPSS 0.00099
Exploits: 0 | References: 2
Source: RedhatCVE | Added: 2026/05/12 8:21 p.m. | Views: 10

CVE-2026-42190

RedwoodSDK is a server-first React framework. From version 1.0.0-beta.50 to before version 1.2.3, server actions in rwsdk apply HTTP method enforcement but no origin validation. A request originating from a different origin that the browser treats as same-site can invoke a server action with the...

CVSS 5.3 | AI score 5.7 | EPSS 0.00111
Exploits: 0 | References: 1
Source: RedhatCVE | Added: 2026/04/22 7:22 p.m. | Views: 5

CVE-2026-41194

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, the mailbox OAuth disconnect action is implemented as GET /mailbox/oauth-disconnect/id/inout/provider. It removes stored OAuth metadata from the mailbox and then redirects. Because it is a GET route, no CSRF...

CVSS 5.4 | AI score 5.6 | EPSS 0.0012
Exploits: 0 | References: 1
Source: Vulnrichment | Added: 2026/04/21 10:16 p.m. | Views: 3

CVE-2026-40929 WWBN AVideo's missing CSRF protection in objects/commentDelete.json.php enables mass comment deletion against moderators and content creators

WWBN AVideo is an open source video platform. In versions 29.0 and prior, objects/commentDelete.json.php is a state-mutating JSON endpoint that deletes comments but performs no CSRF validation. It does not call forbidIfIsUntrustedRequest, does not verify a CSRF/global token, and does not check...

CVSS 5.4 | AI score 5.6 | EPSS 0.00113
Exploits: 1 | References: 2
Source: Positive Technologies | Added: 2026/04/01 12:00 a.m. | Views: 11

PT-2026-29597

Name of the Vulnerable Software and Affected Versions: Payload versions prior to 3.79.1. Description: A Cross-Site Request Forgery (CSRF) issue existed in the authentication process. In certain scenarios, the configured CSRF protection could be bypassed, enabling unauthorized cross-site requests. The...

CVSS 5.4 | AI score 5.8 | EPSS 0.00129
Exploits: 0 | References: 7
Source: Tenable Nessus | Added: 2026/03/24 12:00 a.m. | Views: 4

Linux Distros Unpatched Vulnerability : CVE-2026-30924

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - qui is a web interface for managing qBittorrent instances. Versions 1.14.1 and below use a permissive CORS policy that reflects arbitrary origins while also...

CVSS 9.6 | AI score 6.5 | EPSS 0.00257
Exploits: 0 | References: 2
Source: Cvelist | Added: 2026/03/23 11:44 p.m. | Views: 24

CVE-2026-33252 MCP Go SDK Allows Cross-Site Tool Execution for HTTP Servers without Authorization

The Go MCP SDK used Go's standard encoding/json. Prior to version 1.4.1, the Go SDK's Streamable HTTP transport accepted browser-generated cross-site POST requests without validating the Origin header and without requiring Content-Type: application/json. In deployments without Authorization,...

CVSS 7.1 | EPSS 0.00178
Exploits: 0 | References: 2
Source: OSV | Added: 2026/03/23 11:44 p.m. | Views: 4

CVE-2026-33252 MCP Go SDK Allows Cross-Site Tool Execution for HTTP Servers without Authorization

The Go MCP SDK used Go's standard encoding/json. Prior to version 1.4.1, the Go SDK's Streamable HTTP transport accepted browser-generated cross-site POST requests without validating the Origin header and without requiring Content-Type: application/json. In deployments without Authorization,...

CVSS 7.1 | AI score 6.4 | EPSS 0.00178
Exploits: 0 | References: 4
Source: UbuntuCve | Added: 2026/03/19 9:17 p.m. | Views: 5

CVE-2026-30924

qui is a web interface for managing qBittorrent instances. Versions 1.14.1 and below use a permissive CORS policy that reflects arbitrary origins while also returning Access-Control-Allow-Credentials: true, effectively allowing any external webpage to make authenticated requests on behalf of a...

CVSS 9.6 | AI score 6.5 | EPSS 0.00257
Exploits: 0 | References: 3
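The qui entry above describes the reflecting-origin pattern: echo whatever Origin arrives and also send Access-Control-Allow-Credentials: true. The Go code below is an added example, not qui's own code. It puts that reflecting policy beside an allow-list policy and models the check a browser applies before page script may read a credentialed cross-origin response, so the difference is visible on constructed requests. The hostnames, the allow list, the sample session cookie and the probe helper are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// corsHeaders computes the CORS response headers for a request carrying
// Origin. With reflectAny=true it reproduces the pattern the qui advisory
// describes; allowed is a hypothetical allow list of exact origins for the
// fixed variant.
func corsHeaders(origin string, allowed map[string]bool, reflectAny bool) http.Header {
	h := http.Header{}
	if origin == "" {
		return h // same-origin request or non-browser client: nothing to decide
	}
	switch {
	case reflectAny: // vulnerable: any attacker page is granted a credentialed read
		h.Set("Access-Control-Allow-Origin", origin)
		h.Set("Access-Control-Allow-Credentials", "true")
	case allowed[origin]: // fixed: known front-ends only, and caches must key on Origin
		h.Set("Access-Control-Allow-Origin", origin)
		h.Set("Access-Control-Allow-Credentials", "true")
		h.Add("Vary", "Origin")
	}
	return h
}

// browserExposesResponse models the check a browser performs before letting
// script on pageOrigin read a cross-origin response. With credentials
// (cookies) included, the wildcard "*" is refused and the value must equal
// the page origin exactly, which is why exact reflection, not "*", is what
// makes the qui issue usable for reading authenticated responses.
func browserExposesResponse(pageOrigin string, resp http.Header, credentialed bool) bool {
	acao := resp.Get("Access-Control-Allow-Origin")
	if credentialed {
		return acao == pageOrigin && resp.Get("Access-Control-Allow-Credentials") == "true"
	}
	return acao == "*" || acao == pageOrigin
}

// withCORS wraps next with corsHeaders and answers preflights itself.
func withCORS(allowed map[string]bool, reflectAny bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for k, vs := range corsHeaders(r.Header.Get("Origin"), allowed, reflectAny) {
			for _, v := range vs {
				w.Header().Add(k, v)
			}
		}
		if r.Method == http.MethodOptions {
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends a constructed credentialed GET from a page on pageOrigin and
// reports the status plus whether that page's script could read the body.
func probe(h http.Handler, pageOrigin string) (int, bool) {
	r := httptest.NewRequest("GET", "https://qui.example/api/torrents", nil)
	r.Header.Set("Origin", pageOrigin)
	r.Header.Set("Cookie", "session=constructed-sample-session") // victim's cookie, attached by the browser
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, r)
	return rec.Code, browserExposesResponse(pageOrigin, rec.Header(), true)
}

func main() {
	api := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, `{"torrents":[]}`) })
	allowed := map[string]bool{"https://qui.example": true}
	for _, v := range []struct {
		name string
		h    http.Handler
	}{
		{"reflecting", withCORS(allowed, true, api)},
		{"allow-list", withCORS(allowed, false, api)},
	} {
		for _, origin := range []string{"https://qui.example", "https://evil.example"} {
			code, readable := probe(v.h, origin)
			fmt.Printf("%-10s origin=%-20s status=%d script can read: %v\n", v.name, origin, code, readable)
		}
	}
}
```

Both policies answer 200: CORS never stops the request from being sent or executed with the victim's cookie. What the permissive policy adds is the ability to read the authenticated response from attacker-controlled script, which turns a blind cross-site request into full API access. A literal Access-Control-Allow-Origin: * would not have done that, because browsers refuse the wildcard for credentialed requests; only exact reflection does.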
Source: Positive Technologies | Added: 2026/03/19 12:00 a.m. | Views: 6

PT-2026-26466

The Go SDK's Streamable HTTP transport accepted browser-generated cross-site POST requests without validating the Origin header and without requiring Content-Type: application/json. In deployments without Authorization, especially stateless or sessionless configurations, this allows an arbitrary...

CVSS 7.1 | AI score 5.8 | EPSS 0.00178
Exploits: 0 | References: 5
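The MISP, RedwoodSDK and MCP Go SDK entries above each describe one missing check on a state-changing request: the Sec-Fetch-Site header, exact Origin validation, and a JSON Content-Type requirement. The Go middleware below is an added example and not code from any of those projects; it combines the three checks into one gate and shows which constructed requests it rejects. The allowed-origin map, the newRequest helper and the sample URLs are assumptions made for the example.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
	"strings"
)

// verdict decides whether r may reach a state-changing handler. It returns
// the HTTP status the gate would answer with (200 means "let it through")
// and a short reason. allowedOrigins holds exact "scheme://host[:port]"
// strings the application is served from; it is a hypothetical config value
// for this example, not a setting of any of the listed projects.
func verdict(r *http.Request, allowedOrigins map[string]bool, requireJSON bool) (int, string) {
	switch r.Method {
	case http.MethodGet, http.MethodHead, http.MethodOptions:
		// Safe methods pass untouched. A route that mutates state on GET
		// (the FreeScout disconnect action, the Nezha cron trigger) cannot be
		// protected by this gate at all; such routes must move to POST first.
		return http.StatusOK, "safe method"
	}

	// 1. Fetch Metadata. Browsers attach Sec-Fetch-Site to every request and
	// page scripts cannot forge or suppress it. "same-site" is rejected on
	// purpose: a sibling subdomain is a different origin, and trusting that
	// case is exactly the RedwoodSDK bug.
	if site := r.Header.Get("Sec-Fetch-Site"); site != "" {
		if site != "same-origin" && site != "none" {
			return http.StatusForbidden, "rejected Sec-Fetch-Site=" + site
		}
	} else if origin := r.Header.Get("Origin"); origin != "" {
		// 2. Older browsers send no Fetch Metadata but do send Origin on
		// POST. Compare it exactly; never match by suffix or substring.
		if !allowedOrigins[strings.ToLower(origin)] {
			return http.StatusForbidden, "origin not allowed: " + origin
		}
	}
	// Neither header present: a non-browser client such as curl or an SDK.
	// That cannot be a cross-site browser request, so the gate lets it pass
	// and leaves the decision to authentication.

	// 3. JSON endpoints should refuse form-style bodies. A cross-site HTML
	// form can only send text/plain, multipart or urlencoded bodies; sending
	// application/json from script triggers a CORS preflight, which checks 1
	// and 2 already reject.
	if requireJSON {
		mt, _, err := mime.ParseMediaType(r.Header.Get("Content-Type"))
		if err != nil || mt != "application/json" {
			return http.StatusUnsupportedMediaType, "Content-Type must be application/json"
		}
	}
	return http.StatusOK, "ok"
}

// crossSiteGate is verdict packaged as net/http middleware.
func crossSiteGate(allowedOrigins map[string]bool, requireJSON bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if code, reason := verdict(r, allowedOrigins, requireJSON); code != http.StatusOK {
			http.Error(w, reason, code)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newRequest builds a constructed sample request; the header values model
// what a browser (or curl, when all three are empty) would actually send.
func newRequest(method, origin, site, ctype string) *http.Request {
	r := httptest.NewRequest(method, "https://app.example/api/action", strings.NewReader(`{}`))
	for k, v := range map[string]string{"Origin": origin, "Sec-Fetch-Site": site, "Content-Type": ctype} {
		if v != "" {
			r.Header.Set(k, v)
		}
	}
	return r
}

func main() {
	allowed := map[string]bool{"https://app.example": true}
	gate := crossSiteGate(allowed, true, http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprintln(w, "action performed")
	}))
	for _, r := range []*http.Request{
		newRequest("POST", "https://evil.example", "cross-site", "text/plain"),          // HTML form on an attacker page
		newRequest("POST", "https://evil.example", "", "application/json"),              // legacy browser, no Fetch Metadata
		newRequest("POST", "https://api.app.example", "same-site", "application/json"),  // sibling subdomain
		newRequest("POST", "https://app.example", "same-origin", "application/json"),    // the real front-end
		newRequest("POST", "", "", "application/json"),                                  // curl / SDK client
	} {
		rec := httptest.NewRecorder()
		gate.ServeHTTP(rec, r)
		fmt.Printf("%-24s %-12s -> %d %s", r.Header.Get("Origin"), r.Header.Get("Sec-Fetch-Site"), rec.Code, rec.Body.String())
	}
}
```

The gate does nothing for the FreeScout and Nezha class of bug, where the state change happens on GET: Fetch Metadata cannot tell a hostile cross-site navigation from a user following a link, so the route has to move to POST before any of this applies. A client that sends neither header is not a browser; the gate passes it and leaves the decision to authentication, which is why the MCP advisory singles out deployments without Authorization.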
Source: NVD | Added: 2026/02/03 7:16 p.m. | Views: 12

CVE-2025-52628

HCL AION is affected by a Cookie with Insecure, Improper, or Missing SameSite vulnerability. This can allow cookies to be sent in cross-site requests, potentially increasing exposure to cross-site request forgery and related security risks. This issue affects AION: 2.0...

CVSS 8.8 | EPSS 0.0019
Exploits: 0 | References: 1
Source: CVE | Added: 2026/02/03 6:06 p.m. | Views: 9

CVE-2025-52628

CVE-2025-52628 affects HCL AION 2.0. Connected sources describe a cookie handling issue due to missing or insecure SameSite attributes, enabling cross-site requests and increasing CSRF risk. The CNVD entry calls it a CSRF vulnerability stemming from the cookie SameSite issue; Red Hat and NVD desc...

CVSS 8.8 | AI score 5.1 | EPSS 0.0019
Exploits: 0 | References: 1 | Affected Software: 1
Source: Positive Technologies | Added: 2026/02/03 12:00 a.m. | Views: 7

PT-2026-5904

Name of the Vulnerable Software and Affected Versions: HCL AION version 2.0. Description: HCL AION is susceptible to a cookie handling issue where cookies may lack proper SameSite attributes, or have insecure or improper configurations. This can allow cookies to be transmitted in unintended cross-si...

CVSS 8.8 | AI score 5.1 | EPSS 0.0019
Exploits: 0 | References: 3
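The nocodb and HCL AION entries above are both cookie-attribute defects: a refresh token cookie issued without Secure, and cookies issued without a SameSite policy. The Go snippet below is an added example, not code from either product. It builds a cookie with the attributes they lacked and audits an arbitrary cookie for the same gaps; the cookie names, values and the audit helper are assumptions of the example.

```go
package main

import (
	"fmt"
	"net/http"
)

// sessionCookie builds a refresh/session cookie with the attributes the two
// advisories found missing. Name and value are constructed samples.
func sessionCookie(name, value string) *http.Cookie {
	return &http.Cookie{
		Name:     name,
		Value:    value,
		Path:     "/",
		Secure:   true,                    // never sent over plaintext HTTP (the nocodb finding)
		HttpOnly: true,                    // not readable by page script
		SameSite: http.SameSiteStrictMode, // never attached to a cross-site request (the HCL AION finding)
		MaxAge:   3600,
	}
}

// auditCookie lists the weaknesses of a cookie a server is about to set.
// It is a hypothetical helper written for this example.
func auditCookie(c *http.Cookie) []string {
	var findings []string
	if !c.Secure {
		findings = append(findings, "missing Secure: can be captured or replayed over plaintext HTTP")
	}
	if !c.HttpOnly {
		findings = append(findings, "missing HttpOnly: readable by injected script")
	}
	switch c.SameSite {
	case http.SameSiteStrictMode:
		// Strongest setting: the cookie never rides on a cross-site request.
	case http.SameSiteLaxMode:
		// Lax still sends the cookie on top-level GET navigations, so a
		// state-changing GET route stays exploitable.
		findings = append(findings, "SameSite=Lax: still sent on cross-site top-level GET navigations")
	case http.SameSiteNoneMode:
		findings = append(findings, "SameSite=None: sent on every cross-site request; CSRF defence must come from elsewhere")
		if !c.Secure {
			findings = append(findings, "SameSite=None without Secure: modern browsers drop the cookie entirely")
		}
	default:
		// Unset: Chromium treats it as Lax, other browsers enforce no default,
		// so the application has chosen no policy at all.
		findings = append(findings, "no SameSite attribute: browser default applies, not a policy you chose")
	}
	return findings
}

func main() {
	weak := &http.Cookie{Name: "refresh_token", Value: "constructed-sample-value", Path: "/"}
	for _, c := range []*http.Cookie{weak, sessionCookie("refresh_token", "constructed-sample-value")} {
		fmt.Printf("Set-Cookie: %s\n", c.String())
		for _, f := range auditCookie(c) {
			fmt.Println("  -", f)
		}
	}
}
```

SameSite=Lax is the usual compromise for session cookies, but it still attaches the cookie to top-level cross-site GET navigations, which is why GET-based state changes such as the FreeScout disconnect route remain exploitable under it; Strict closes that at the cost of the first request after following an external link arriving unauthenticated.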
Source: EUVD | Added: 2025/10/07 12:30 a.m. | Views: 4

EUVD-2019-9338

Malware in sbrugna...

CVSS 8.8 | AI score 8.6 | EPSS 0.00452
Exploits: 0 | References: 3
Source: EUVD | Added: 2025/10/03 8:07 p.m. | Views: 4

EUVD-2024-51931

Malicious code in bioql PyPI...

CVSS 6.3 | AI score 6.6 | EPSS 0.0053
Exploits: 0 | References: 2
Source: EUVD | Added: 2025/10/03 8:07 p.m. | Views: 5

EUVD-2008-7179

Malicious code in bioql PyPI...

CVSS 7.5 | AI score 8.9 | EPSS 0.13355
Exploits: 1 | References: 21