Lucene search
K

52137 matches found

NVD
NVD
added 5 hours ago5 views

CVE-2026-45337

Better Auth is an authentication and authorization library for TypeScript. From 1.6.0 until 1.6.11, the deviceAuthorization plugin treats any authenticated session as the owner of any pending device code because GET /device does not claim the row and POST /device/approve and POST /device/deny...

7.6CVSS0.00017EPSS
Exploits0References4
CVE
CVE
added 6 hours ago31 views

CVE-2026-45337

Better Auth (TypeScript library) vulnerability CVE-2026-45337 affects versions 1.6.0–1.6.10 in the deviceAuthorization plugin. The root cause is that the verification path does not claim ownership of the pending device code and the approve/deny checks short-circuit when userId is unset, allowing ...

7.6CVSS6.2AI score0.00017EPSS
Exploits0References4
CVE
CVE
added 6 hours ago7 views

CVE-2026-14961

CVE-2026-14961 affects Pegatron tdeio64.sys exposing the .�5cTdeIo device. The IOCTL dispatch lacks privilege validation and does not validate user-supplied kernel addresses, allowing arbitrary kernel memory read/write and privilege escalation to NT AUTHORITY\SYSTEM. The linked explainer also not...

6.2CVSS6.2AI score
Exploits1References1
EUVD
EUVD
added 10 hours ago5 views

EUVD-2026-44667

ICU Scandinavia Boomerang is vulnerable to a missing authentication flaw in its device receiver endpoints. This allows an unauthenticated remote attacker to read full facility configurations and write unauthorized data to the sensor database. This issue has been fixed in version 2.4.18.029...

5.3CVSS6.1AI score
Exploits0References2
Nuclei
Nuclei
added 19 hours ago47 views

LOYTEC LGATE-902 6.3.2 - Local File Inclusion

LOYTEC LGATE-902 6.3.2 is susceptible to local file inclusion which could allow an attacker to manipulate path references and access files and directories including critical system files that are stored outside the root folder of the web application running on the device. This can be used to read...

7.8CVSS7AI score0.17982EPSS
Exploits3
Nuclei
Nuclei
added 19 hours ago50 views

Emerson Dixell XWEB-500 - Arbitrary File Write

Emerson Dixell XWEB-500 contains an arbitrary file write caused by unauthenticated access to /cgi-bin/logoextraupload.cgi, /cgi-bin/calsave.cgi, and /cgi-bin/loutils.cgi, letting attackers write any file on the system, exploit requires no authentication. id: CVE-2021-45420 info: name: Emerson...

10CVSS7.1AI score0.1755EPSS
Exploits1References3
Nuclei
Nuclei
added 19 hours ago66 views

TOTOLINK EX1200T 4.1.2cu.5215 - Authentication Bypass

TOTOLINK EX1200T 4.1.2cu.5215 is susceptible to authentication bypass. An attacker can bypass login by sending a specific request through formLoginAuth.htm, thus potentially being able to obtain sensitive information, modify data, and/or execute unauthorized operations. id: CVE-2021-42887 info:...

9.8CVSS7.1AI score0.42853EPSS
Exploits1References3
Nuclei
Nuclei
added 19 hours ago72 views

WAVLINK - Access Control

Wavlink WN530HG4, WN531G3, WN533A8, and WN551K are susceptible to improper access control via /cgi-bin/ExportAllSettings.sh, where a crafted POST request returns the current configuration of the device, including the administrator password. No authentication is required. The attacker must perform...

7.5CVSS7AI score0.07759EPSS
Exploits0References5
Nuclei
Nuclei
added 19 hours ago88 views

AnythingLLM - Information Disclosure

AnythingLLM suffers from an information disclosure vulnerability through the /api/setup-complete API endpoint. By accessing this endpoint, a remote and unauthenticated attacker can access sensitive configuration of the target AnythingLLM instance. This detection is included in the AI and LLM...

7.5CVSS7AI score0.29187EPSS
Exploits1References2
CISA KEV Catalog
CISA KEV Catalog
added 23 hours ago5 views

KNX Association KNX Protocol Connection Authorization Option 1 Overly Restrictive Account Lockout Mechanism Vulnerability

KNX Association KNX Protocol Connection Authorization Option 1 contains an overly restrictive account lockout mechanism vulnerability that could allow an attacker to purge all devices without additional security options enabled and set a BCU key to lock the device...

7.5CVSS6.1AI score0.00483EPSS
In wildExploits0
Cvelist
Cvelist
added yesterday30 views

CVE-2026-48125 UAParser.js: Unbounded `Sec-CH-UA-Model` parsing can trigger ReDoS in `withClientHints()`

UAParser.js is a JavaScript library to detect browsers, operating systems, CPUs, and devices from user-agent data. From 2.0.1 until 2.0.10, a regular expression denial-of-service vulnerability exists when using the Client Hints API. By sending a crafted Sec-CH-UA-Model header to an application th...

5.3CVSS
Exploits0References3
RedHat Linux
RedHat Linux
added yesterday4 views

libinput: local privilege escalation via crafted uinput devices

A flaw was found in libinput. A local attacker with access to /dev/uinput can inject arbitrary udev properties through the libinput-device-group helper. This injection can lead to root code execution, for example, by exploiting REMOVECMD properties that are executed when a device is removed. This...

9.8CVSS6.2AI score0.00498EPSS
Exploits0References5
NVD
NVD
added yesterday4 views

CVE-2026-5040

TP-Link Deco M5 v1 uses a weak password hashing mechanism to store user credentials. An attacker who obtains the password hash through system compromise or privileged access could perform brute-force or dictionary attacks. Successful exploitation may result in disclosure of authentication...

7.1CVSS
Exploits0References3
NVD
NVD
added yesterday6 views

CVE-2026-62655

A security flaw was found in certain NETGEAR Orbi models that could allow an unauthorized user to cause the device to stop responding or restart unexpectedly, disrupting network connectivity and making the device temporarily unavailable...

7.1CVSS
Exploits0References7
NVD
NVD
added yesterday2 views

CVE-2026-50387

Stack-based buffer overflow in Windows GDI allows an authorized attacker to elevate privileges locally...

7.8CVSS
Exploits0References1
CVE
CVE
added yesterday6 views

CVE-2026-5040

The CVE-2026-5040 entry applies to TP-Link Deco M5 v1. The issue stems from a weak password hashing mechanism used to store user credentials. An attacker who obtains the password hash via system compromise or privileged access could perform brute-force or dictionary attacks. Practical consequence...

7.1CVSS6.1AI score
Exploits0References3
Cvelist
Cvelist
added yesterday38 views

CVE-2026-5040 Weak Password Hashing Mechanism in TP-Link Deco M5

TP-Link Deco M5 v1 uses a weak password hashing mechanism to store user credentials. An attacker who obtains the password hash through system compromise or privileged access could perform brute-force or dictionary attacks. Successful exploitation may result in disclosure of authentication...

7.1CVSS
Exploits0References3
Vulnrichment
Vulnrichment
added yesterday3 views

CVE-2026-62659 Authenticated users can make unauthorized changes on NETGEAR WAX333 Access Points

A security flaw was discovered in the NETGEAR WAX333 Access Point that could allow someone already logged in and connected to the local network to make unauthorized changes to the device's settings...

6.8CVSS6.1AI score
Exploits0References2
CVE
CVE
added yesterday8 views

CVE-2026-58547

The CVE-2026-58547 entry details a heap-based buffer overflow in Windows UPnP Device Host (upnp.dll) that can enable local privilege escalation for an authorized user. Affected component: Universal Plug and Play in Windows. Root cause: heap-based overflow in upnp.dll. Impact: local privilege elev...

5.5CVSS6.1AI score
Exploits0References1
Cvelist
Cvelist
added yesterday30 views

CVE-2026-58547 Windows Universal Plug and Play (UPnP) Device Host Elevation of Privilege Vulnerability

...

5.5CVSS
Exploits0References1
Rows per page
Query Builder