Lucene search
K

305 matches found

CVE
CVE
added 4 days ago7 views

CVE-2026-46388

CVE-2026-46388 affects osquery. Prior to version 5.23.1, unprivileged attackers could read contents of an osquery file carve before the carve completes, due to in-progress carve directories not being created with private permissions. If the carve targets a directory the attacker controls, arbitra...

4.4CVSS6.2AI score0.00094EPSS
Exploits0References4
OSV
OSV
added 2026/07/07 10:17 a.m.3 views

PYSEC-2026-868 OpenStack Cinder, glance, and Nova vulnerable to Path Traversal

An issue was discovered in OpenStack Cinder before 19.1.2, 20.x before 20.0.2, and 21.0.0; Glance before 23.0.1, 24.x before 24.1.1, and 25.0.0; and Nova before 24.1.2, 25.x before 25.0.2, and 26.0.0. By supplying a specially created VMDK flat image that references a specific backing file path, a...

5.7CVSS7.1AI score0.01025EPSS
Exploits1References11
OSV
OSV
added 2026/06/17 4:43 a.m.10 views

MAL-2026-5982 Malicious code in metrics-probe-77d4 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1d079b30dbb30db1a61acddcd094d2e7e67e7ef466d624e4ad2392edc9d9203e On install, package.json runs postinstall: node run.js. run.js imports os, fs, http, https, and childprocess and at runtime collects host identifiers...

5.7AI score
Exploits0References2
OSV
OSV
added 2026/06/16 1:34 a.m.5 views

MAL-2026-5858 Malicious code in metrics-pipeline-d8k2 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 01ad2ee3d3807102a3f02c01af0d3fec46d91e9764eb77a8bcedf9c6be7fc3b0 Package declares "postinstall": "node run.js" in package.json, causing automatic execution of bundled beacon scripts on npm install. beacon29.js load...

5.8AI score
Exploits0References22
OSV
OSV
added 2026/06/11 6:33 a.m.14 views

MAL-2026-5612 Malicious code in gpt-sdk (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8b9bdc5e04979d5b4f73407bcedaecc9df24dbb03e0bfbc0edefe333023dc50c On npm install, postinstall.js runs unconditionally and collects a wide range of installer-side reconnaissance data: hostname and FQDN, contents of...

5.5AI score
Exploits0References9
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/11 4:37 a.m.14 views

Malicious code in testzapier (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a5840f2a3b34d7f32de7243a146ecf85ac875bd1ef09b0ba9a395d08e356084f package.json declares a preinstall hook node index.js that fires automatically on npm install. index.js spawns a shell that runs curl -X POST against...

5.5AI score
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/06/10 2:59 p.m.13 views

CVE-2026-8045

CWE-611 Improper Restriction of XML External Entity Reference vulnerability exists that could cause information disclosure of server-side file contents when an attacker with a Data Center Expert user account submits crafted XML payloads to SOAP service endpoints...

7.1CVSS5.4AI score0.00233EPSS
Exploits0References1
RedHat Linux
RedHat Linux
added 2026/06/03 4:14 p.m.8 views

kernel: Read root-owned files as an unprivileged user

A vulnerability was found in the Linux kernel that allows an unprivileged local user to read sensitive files normally restricted to the root user. The flaw occurs during process exit, where a brief window allows an attacker to intercept file access from a privileged process before it fully...

7.8CVSS6AI score0.0138EPSS
Exploits6References7
Positive Technologies
Positive Technologies
added 2026/05/29 12:0 a.m.11 views

PT-2026-45053

Summary The fix for GHSA-9mqq-jqxf-grvw / CVE-2026-44336 is incomplete. The original advisory description named four vulnerable handlers in mcp server/adapters/cli tools.py: "registers four file-handling tools by default, praisonai.rules.create, praisonai.rules.show, praisonai.rules.delete, and...

9.6CVSS6AI score0.00619EPSS
Exploits1References3
Snyk
Snyk
added 2026/05/26 6:40 p.m.8 views

Information Exposure

Overview Affected versions of this package are vulnerable to Information Exposure via the debugMode process. An attacker can obtain sensitive server-side source code and file contents by provoking a runtime error in a served script. Remediation Upgrade github.com/xyproto/algernon/engine to versio...

8.7CVSS5.9AI score0.00303EPSS
Exploits0References2
NVD
NVD
added 2026/05/22 3:16 p.m.23 views

CVE-2026-8340

Concrete CMS 9.5.0 and below is vulnerable to CSRF via Backend\File::approveVersion. Victim with editfilecontents permission is CSRF'd into publishing an attacker-chosen previously-uploaded version downgrade to an older version of a file, or activation of a co-editor's unpublished version. The...

4.3CVSS0.00103EPSS
Exploits0References1
CVE
CVE
added 2026/05/22 1:58 p.m.30 views

CVE-2026-8340

Concrete CMS 9.5.0 and below is vulnerable to CSRF via Backend\File::approveVersion, enabling a user with edit_file_contents to publish an attacker‑chosen version (downgrade or publish an unpublished co-editor version). The entry provides CVSS v4.0 base score 2.3 (low) with network attack vector ...

4.3CVSS5.8AI score0.00103EPSS
Exploits0References1Affected Software1
Vulnrichment
Vulnrichment
added 2026/05/22 1:58 p.m.10 views

CVE-2026-8340 Concrete CMS 9.5.0 and below is vulnerable to CSRF via Backend\File::approveVersion

Concrete CMS 9.5.0 and below is vulnerable to CSRF via Backend\File::approveVersion. Victim with editfilecontents permission is CSRF'd into publishing an attacker-chosen previously-uploaded version downgrade to an older version of a file, or activation of a co-editor's unpublished version. The...

2.3CVSS5.8AI score0.00103EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/22 1:58 p.m.12 views

EUVD-2026-31441

Concrete CMS 9.5.0 and below is vulnerable to CSRF via Backend\File::approveVersion. Victim with editfilecontents permission is CSRF'd into publishing an attacker-chosen previously-uploaded version downgrade to an older version of a file, or activation of a co-editor's unpublished version. The...

2.3CVSS5.8AI score0.00103EPSS
Exploits0References1
RedHat Linux
RedHat Linux
added 2026/05/20 11:40 p.m.10 views

kernel: Read root-owned files as an unprivileged user

A vulnerability was found in the Linux kernel that allows an unprivileged local user to read sensitive files normally restricted to the root user. The flaw occurs during process exit, where a brief window allows an attacker to intercept file access from a privileged process before it fully...

7.8CVSS5.8AI score0.0138EPSS
Exploits6References7
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/20 5:41 a.m.14 views

Malicious code in qazaq-cli (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 31fa15731b4c683297d550bb3157dff08f2bfa3db01c14952cd35c7c61407d0a The package's default AI provider hardcodes the destination opengateway.gitlawb.com/v1/chat/completions with header api-key: 'not-needed'...

6AI score
Exploits0References1
RedHat Linux
RedHat Linux
added 2026/05/19 10:14 p.m.14 views

rsync: rsync server leaks arbitrary client files

A flaw was found in rsync. It could allow a server to enumerate the contents of an arbitrary file from the client's machine. This issue occurs when files are being copied from a client to a server. During this process, the rsync server will send checksums of local data to the client to compare wi...

6.8CVSS7.1AI score0.01761EPSS
Exploits1References5
Github Security Blog
Github Security Blog
added 2026/05/19 2:35 p.m.37 views

Algernon: Single-file mode unconditionally enables debug mode

Summary When Algernon is invoked with a single file path instead of a directory — the documented "quick demo" workflow algernon foo.lua, algernon page.po2, algernon index.html, algernon mywebsite.alg — singleFileMode is set to true and debugMode is forcibly enabled with no opt-out: go //...

7.5CVSS5.8AI score0.00303EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/05/19 2:35 p.m.6 views

GHSA-FWQX-8365-9983 Algernon: Single-file mode unconditionally enables debug mode

Summary When Algernon is invoked with a single file path instead of a directory — the documented "quick demo" workflow algernon foo.lua, algernon page.po2, algernon index.html, algernon mywebsite.alg — singleFileMode is set to true and debugMode is forcibly enabled with no opt-out: go //...

7.5CVSS5.8AI score0.00303EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/05/19 12:0 a.m.15 views

PT-2026-41975

Name of the Vulnerable Software and Affected Versions HAX CMS versions prior to 26.0.0 Description An authenticated Server-Side Request Forgery SSRF allows users to fetch arbitrary internal or local resources and write the responses to a web-accessible directory, enabling arbitrary file read and...

7.1CVSS5.6AI score0.00238EPSS
Exploits0References6
Rows per page
Query Builder