Lucene search
K

10153 matches found

Jenkins Security Advisories
Jenkins Security Advisories
added 2026/06/24 12:0 a.m.6 views

Missing permission checks in contrast-continuous-application-security allow enumerating Contrast metadata

contrast-continuous-application-security 3.11 and earlier does not perform permission checks in several HTTP endpoints that fill list box options with the names of the configured Contrast metadata. This allows attackers with Overall/Read permission to enumerate the names of configured Contrast...

4.3CVSS5.8AI score0.00167EPSS
Exploits0Affected Software1
Tenable Nessus
Tenable Nessus
added 2026/06/24 12:0 a.m.6 views

AlmaLinux 10 : memcached (ALSA-2026:27842)

The remote AlmaLinux 10 host has packages installed that are affected by a vulnerability as referenced in the ALSA-2026:27842 advisory. memcached: memcached: Username enumeration via timing side channel CVE-2026-47783 Tenable has extracted the preceding description block directly from the AlmaLin...

8.1CVSS5.9AI score0.01312EPSS
Exploits0References3
Tenable Nessus
Tenable Nessus
added 2026/06/24 12:0 a.m.8 views

AlmaLinux 9 : memcached (ALSA-2026:27862)

The remote AlmaLinux 9 host has packages installed that are affected by a vulnerability as referenced in the ALSA-2026:27862 advisory. memcached: memcached: Username enumeration via timing side channel CVE-2026-47783 Tenable has extracted the preceding description block directly from the AlmaLinu...

8.1CVSS5.9AI score0.01312EPSS
Exploits0References3
Tenable Nessus
Tenable Nessus
added 2026/06/24 12:0 a.m.8 views

RockyLinux 9 : memcached (RLSA-2026:27862)

The remote RockyLinux 9 host has packages installed that are affected by a vulnerability as referenced in the RLSA-2026:27862 advisory. memcached: memcached: Username enumeration via timing side channel CVE-2026-47783 Tenable has extracted the preceding description block directly from the...

8.1CVSS5.9AI score0.01312EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/23 9:54 p.m.10 views

EUVD-2026-38393

Filament: Timing-based user enumeration on login page...

5.3CVSS5.8AI score0.0021EPSS
Exploits0References2
NVD
NVD
added 2026/06/23 9:16 p.m.9 views

CVE-2026-46552

NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, shared-base sessions were granted the same base-member capabilities as authenticated viewers. Using only the shared-base UUID xc-shared-base-id, an attacker could enumerate base members and invite an arbitrary email in...

5.8CVSS0.00296EPSS
Exploits0References1
CVE
CVE
added 2026/06/23 8:33 p.m.20 views

CVE-2026-47380

CVE-2026-47380 affects NocoDB. The vulnerability stems from an unknown-user sign-in path in auth.service.ts where the unknown-user branch returned without a password hash check, causing timing differences between known and unknown emails. This could enable network-positioned attackers to enumerat...

6.3CVSS5.8AI score0.00197EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/23 8:33 p.m.26 views

CVE-2026-47380 NocoDB: User Enumeration via Sign-In Timing

NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, sign-in response timing differed between known and unknown email addresses because the unknown-user branch returned without performing a password hash comparison. This vulnerability is fixed in 2026.04.1...

6.3CVSS0.00197EPSS
Exploits0References1
NVD
NVD
added 2026/06/23 5:17 p.m.10 views

CVE-2026-54305

n8n is an open source workflow automation platform. Prior to 1.123.55, 2.25.7, and 2.26.2, three EE endpoints used by the Dynamic Credentials feature accepted any authenticated n8n session without performing per-resource ownership or scope checks on the target workflow or credential. An...

9.9CVSS0.00343EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/23 4:43 p.m.36 views

CVE-2026-54016 Open WebUI: Open WebUI BOLA: `search_knowledge_files` Allows Unauthorized Knowledge Base File Enumeration

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI has a Broken Object Level Authorization BOLA vulnerability in the builtin searchknowledgefiles tool. When native function calling is enabled and the selected model has no...

4.3CVSS0.00226EPSS
Exploits1References1
CVE
CVE
added 2026/06/23 4:43 p.m.19 views

CVE-2026-54016

CVE-2026-54016 : Open WebUI (self-hosted offline AI platform) suffers a Broken Object Level Authorization in the builtin search_knowledge_files tool. When native function calling is enabled and a model has no attached knowledge bases, an authenticated user can supply an arbitrary knowledge_id and...

4.3CVSS6AI score0.00226EPSS
Exploits1References1Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/06/23 3:45 p.m.6 views

CVE-2026-54305

n8n is an open source workflow automation platform. Prior to 1.123.55, 2.25.7, and 2.26.2, three EE endpoints used by the Dynamic Credentials feature accepted any authenticated n8n session without performing per-resource ownership or scope checks on the target workflow or credential. An...

8.9CVSS6AI score0.00343EPSS
Exploits0References2Affected Software1
EUVD
EUVD
added 2026/06/23 3:45 p.m.9 views

EUVD-2026-38476

n8n is an open source workflow automation platform. Prior to 1.123.55, 2.25.7, and 2.26.2, three EE endpoints used by the Dynamic Credentials feature accepted any authenticated n8n session without performing per-resource ownership or scope checks on the target workflow or credential. An...

8.9CVSS6AI score0.00343EPSS
Exploits0References1
CVE
CVE
added 2026/06/23 3:36 p.m.18 views

CVE-2026-56695

OpenHarness ohmo gateway exposed by default to remote invocation via /resume and /summary, enabling attackers to enumerate and load arbitrary session snapshots by ID. This can grant access to private prompts, credentials, tool output, and file paths through shared gateway channels. Documented imp...

7.1CVSS6.1AI score0.00231EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/06/23 12:13 p.m.6 views

CVE-2026-56322

Capgo before 12.128.2 contains an information disclosure vulnerability in the unauthenticated /updates endpoint that resolves the defaultChannel parameter before enforcing privacy restrictions, allowing attackers to enumerate private channels and leak version/config state. Unauthenticated attacke...

8.7CVSS5.9AI score0.00334EPSS
Exploits0References3
NVD
NVD
added 2026/06/22 10:16 p.m.10 views

CVE-2026-56323

Capgo before 12.128.2 contains an information disclosure vulnerability in the /functions/v1/channelself endpoint that allows unauthenticated attackers to enumerate non-public channel names and determine app existence and subscription status. Remote attackers can send GET requests with arbitrary...

8.7CVSS0.00379EPSS
Exploits0References2
NVD
NVD
added 2026/06/22 10:16 p.m.6 views

CVE-2026-48166

Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, the login page has an observable timing discrepancy that allows unauthenticated attackers to enumerate registered email addresses. The impact is limited to disclosing whether ...

5.3CVSS0.0021EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/06/22 9:42 p.m.7 views

@actual-app/sync-server's missing authorization on GET /secret/:name allows non-admin OpenID users to enumerate admin-configured bank-sync secrets

Summary In @actual-app/sync-server, the GET /secret/:name endpoint app-secrets.js:53 checks only that the caller has a valid session — it does not verify the caller is an admin. The sibling POST /secret/ handler does enforce an admin check in OpenID mode, exposing an authorization asymmetry. Any...

4.3CVSS5.8AI score0.00025EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/06/22 9:40 p.m.5 views

CVE-2026-48166

Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, the login page has an observable timing discrepancy that allows unauthenticated attackers to enumerate registered email addresses. The impact is limited to disclosing whether ...

5.3CVSS5.9AI score0.0021EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/06/22 9:40 p.m.24 views

CVE-2026-48166 Filament: Timing-based user enumeration on login page

Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, the login page has an observable timing discrepancy that allows unauthenticated attackers to enumerate registered email addresses. The impact is limited to disclosing whether ...

5.3CVSS0.0021EPSS
Exploits0References1
Rows per page
Query Builder