Lucene search
+L

7 matches found

EUVD
EUVD
added 22 hours ago9 views

EUVD-2026-45409

A vulnerability was detected in Sipeed PicoClaw up to 0.2.9. The impacted element is an unknown function of the file web/backend/middleware/accesscontrol.go of the component First Run Setup. Performing a manipulation of the argument allowedcidrs results in authentication bypass using alternate...

6.3CVSS5.1AI score
Exploits0References9
CVE
CVE
added yesterday11 views

CVE-2026-16198

The CVE affects Sipeed PicoClaw ≤ 0.2.9, specifically the First Run Setup’s web/backend/middleware/access_control.go where manipulation of the allowed_cidrs argument enables authentication bypass via an alternate channel. The issue can be triggered remotely and has high attack complexity with no ...

6.3CVSS5.1AI score
Exploits0References8
NVD
NVD
added 2026/06/11 8:16 p.m.20 views

CVE-2026-49973

Hermes WebUI before version 0.51.358 contains an improper access control vulnerability that allows unauthenticated remote attackers to hijack initial setup by submitting the setpassword parameter to the settings API endpoint without any network origin restriction. Attackers on any reachable netwo...

9.4CVSS0.00543EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/06/11 7:4 p.m.31 views

CVE-2026-49973 Hermes WebUI < 0.51.358 Unauthenticated Password Takeover via /api/settings

Hermes WebUI before version 0.51.358 contains an improper access control vulnerability that allows unauthenticated remote attackers to hijack initial setup by submitting the setpassword parameter to the settings API endpoint without any network origin restriction. Attackers on any reachable netwo...

9.4CVSS0.00543EPSS
Exploits0References5
EUVD
EUVD
added 2026/05/06 4:59 p.m.9 views

EUVD-2026-27135

Nginx-UI: Unauthenticated First-Run Installer Allows Remote Initial Admin Claim...

9.8CVSS5.8AI score0.00346EPSS
Exploits1References3
RedhatCVE
RedhatCVE
added 2026/05/05 8:21 p.m.9 views

CVE-2026-42221

Nginx UI is a web user interface for the Nginx web server. From version 2.0.0 to before version 2.3.8, an unauthenticated network attacker can claim the initial administrator account on a fresh nginx-ui instance during the first-run setup window. The public /api/install endpoint is reachable...

9.8CVSS5.8AI score0.00346EPSS
Exploits1References1
Positive Technologies
Positive Technologies
added 2026/04/21 12:0 a.m.18 views

PT-2026-36921

Name of the Vulnerable Software and Affected Versions Nginx UI versions 2.0.0 through 2.3.7 Description An unauthenticated network attacker can claim the initial administrator account on a fresh instance during the first-run setup window. The public endpoint "/api/install" is accessible without...

9.8CVSS5.8AI score0.00346EPSS
Exploits1References13
Rows per page
Query Builder