RedhatCVE | added 3 days ago | 8 views

CVE-2026-13676

A flaw was found in fast-uri. This vulnerability occurs because fast-uri fails to properly convert Unicode Internationalized Domain Name (IDN) hostnames for HTTP-family URLs. This can lead to a situation where security policies, such as denylists or redirect validations, are bypassed when...

CVSS 7.5 | AI score 5.7 | EPSS 0.00278
Exploits: 0 | References: 5

Cvelist | added 3 days ago | 31 views

CVE-2026-56780 Modoboa < 2.9.0 - Insecure Direct Object Reference in Account Password Change API

Modoboa before 2.9.0 contains an insecure direct object reference vulnerability in the PUT /api/v1/accounts/{pk}/password/ endpoint that allows domain administrators to change any user's password. Attackers with domain admin privileges can bypass object-level access controls to reset superadmin...

CVSS 7.7 | EPSS 0.00265
Exploits: 0 | References: 3

EUVD | added 3 days ago | 5 views

EUVD-2026-40155

Modoboa before 2.9.0 contains an insecure direct object reference vulnerability in the PUT /api/v1/accounts/{pk}/password/ endpoint that allows domain administrators to change any user's password. Attackers with domain admin privileges can bypass object-level access controls to reset superadmin...

CVSS 7.7 | AI score 5.8 | EPSS 0.00265
Exploits: 0 | References: 3

CVE | added 3 days ago | 8 views

CVE-2026-56780

Modoboa prior to version 2.9.0 contains an insecure direct object reference in the PUT /api/v1/accounts/{pk}/password/ API. This flaw allows domain administrators to bypass object-level access controls and change any user's password, enabling full account takeover by resetting superadmin password...

CVSS 7.7 | AI score 5.8 | EPSS 0.00265
Exploits: 0 | References: 3

CVE | added 3 days ago | 7 views

CVE-2026-56285

Nitter is affected by a Server-Side Request Forgery in the /video media proxy endpoint. The vulnerability arises because the endpoint does not validate target URLs against Twitter/X domains and uses a hardcoded default HMAC key, enabling unauthenticated attackers to compute valid HMACs for arbitr...

CVSS 8.6 | AI score 5.9 | EPSS 0.0036
Exploits: 0 | References: 3

Cvelist | added 3 days ago | 30 views

CVE-2026-56285 Nitter - Server-Side Request Forgery in /video Media Proxy Endpoint

Nitter's /video media proxy endpoint fails to validate target URLs against Twitter/X domains and uses a hardcoded default HMAC key, allowing unauthenticated attackers to compute valid HMACs for arbitrary URLs. Attackers can retrieve HTTP responses from any host reachable by the server, including...

CVSS 8.6 | EPSS 0.0036
Exploits: 0 | References: 3

EUVD | added 3 days ago | 5 views

EUVD-2026-40154

Nitter's /video media proxy endpoint fails to validate target URLs against Twitter/X domains and uses a hardcoded default HMAC key, allowing unauthenticated attackers to compute valid HMACs for arbitrary URLs. Attackers can retrieve HTTP responses from any host reachable by the server, including...

CVSS 8.6 | AI score 5.9 | EPSS 0.0036
Exploits: 0 | References: 3

RedHat Linux | added 3 days ago | 5 views

gnutls: GnuTLS: Policy bypass due to case-sensitive nameConstraints comparison

A flaw was found in gnutls. This vulnerability occurs because gnutls performs case-sensitive comparisons of nameConstraints labels, specifically for dNSName (DNS) or rfc822Name (email) constraints within excludedSubtrees or permittedSubtrees. A remote attacker can exploit this by crafting a leaf...

CVSS 7.4 | AI score 5.8 | EPSS 0.00566
Exploits: 1 | References: 5

CVE | added 3 days ago | 14 views

CVE-2026-13676

The CVE concerns the fast-uri library (versions 2.3.1–3.1.2 and 4.0.0) where the IDN host canonicalization path fails to normalize Unicode hosts for HTTP URLs. A helper used in IDN conversion does not exist on the global URL constructor, leaving the host in Unicode form while normalize() and equa...

CVSS 7.5 | AI score 5.8 | EPSS 0.00278
Exploits: 0 | References: 5

RedhatCVE | added 3 days ago | 6 views

CVE-2026-57964

A flaw was found in spice-vdagent. On macOS and BSD platforms, an unprivileged local user can bypass authentication by connecting to the Unix Domain Socket Client/Server (UDSCS) socket. This allows the unauthorized user to receive host-to-guest messages, including clipboard data and file transfers,...

CVSS 5.3 | AI score 5.8
Exploits: 0 | References: 3

RedhatCVE | added 3 days ago | 5 views

CVE-2026-53280

A flaw was found in the Linux kernel's Input-Output Memory Management Unit (IOMMU) component. This vulnerability occurs when a default IOMMU domain fails to allocate during the initial probe, leading to a NULL pointer dereference. This can cause a system crash, resulting in a Denial of Service (DoS)...

CVSS 5.5 | AI score 5.8 | EPSS 0.00155
Exploits: 0 | References: 4

OSSF Malicious Packages | added 3 days ago | 9 views

Malicious code in express-mocha-test (npm)

Source: amazon-inspector (01d87351be0d9f68d73ec05867e55fe5712d4885fa76c70c5ec9b003ef512825). [email protected] declares a postinstall lifecycle hook that loads the package's main module, which calls fetch against an anonymous...

AI score 5.8
Exploits: 0 | References: 1

OSSF Malicious Packages | added 3 days ago | 7 views

Malicious code in eslint-commit-parser (npm)

Source: amazon-inspector (5fc51e200a141d1dbbb4f7eb9e5e3dec18507572e5dc9562278713c554fad195). The package is published under the name eslint-commit-parser but its contents are a verbatim copy of the supertest HTTP-testing library — package.jso...

AI score 5.8
Exploits: 0 | References: 1

OSV | added 4 days ago | 10 views

MAL-2026-6561 Malicious code in skillspector (PyPI)

Source: amazon-inspector (8c77584b4e40db9023ca0b8a90fa1bd611c859ed486f99ca3a7c9a83dbfa9877). This package presents itself as a redistribution of NVIDIA/skillspector: the pyproject Homepage points to github.com/NVIDIA/skillspector, and the source...

AI score 5.9
Exploits: 0 | References: 2

OSV | added 4 days ago | 4 views

MAL-2026-6559 Malicious code in lc-chatbot (npm)

Source: amazon-inspector (81ca324fdc9c4ba5536abcd43972f1a506f4af99ace29447b66a17947b1b8606). package.json declares both preinstall and postinstall scripts that run node callback.js, so the callback fires automatically on npm install with no...

AI score 5.8
Exploits: 0 | References: 1

OSSF Malicious Packages | added 4 days ago | 5 views

Malicious code in lc-chatbot (npm)

Source: amazon-inspector (81ca324fdc9c4ba5536abcd43972f1a506f4af99ace29447b66a17947b1b8606). package.json declares both preinstall and postinstall scripts that run node callback.js, so the callback fires automatically on npm install with no...

AI score 5.8
Exploits: 0 | References: 1

OSSF Malicious Packages | added 4 days ago | 8 views

Malicious code in livekit-agents (npm)

Source: amazon-inspector (5abf921f58c69745fee91e812853b493a282f3d42f55db38516ba54b827ea35b). The unscoped npm package livekit-agents advertises itself in README as the official LiveKit Agents SDK and links to livekit.io documentation, but the...

AI score 5.8
Exploits: 0 | References: 5

OSV | added 4 days ago | 7 views

MAL-2026-6555 Malicious code in livekit-agents (npm)

Source: amazon-inspector (5abf921f58c69745fee91e812853b493a282f3d42f55db38516ba54b827ea35b). The unscoped npm package livekit-agents advertises itself in README as the official LiveKit Agents SDK and links to livekit.io documentation, but the...

AI score 5.8
Exploits: 0 | References: 5

NVD | added 4 days ago | 11 views

CVE-2026-10646

Zephyr's BSD-sockets getaddrinfo implementation (subsys/net/lib/sockets/getaddrinfo.c) passes a pointer to a stack-allocated state object (struct getaddrinfostate aistate) as the userdata of an asynchronous DNS resolver query. The socket layer waits on a semaphore with a timeout deliberately set...

CVSS 7.4 | EPSS 0.00255
Exploits: 0 | References: 2
