25037 matches found

CVE
added 2026/03/11 8:41 p.m. | 12 views

CVE-2026-32111

CVE-2026-32111 affects ha-mcp, a Home Assistant MCP Server. Before version 7.0.0, the ha-mcp OAuth consent form (beta) accepts a user-supplied ha_url and makes a server-side HTTP request to {ha_url}/api/config without URL validation. An unauthenticated attacker can submit arbitrary URLs to perfor...

CVSS 5.3 | AI score 6 | EPSS 0.00278
Exploits 0 | References 1 | Affected Software 1
ATTACKERKB
added 2026/03/11 8:41 p.m. | 3 views

CVE-2026-32111

ha-mcp is a Home Assistant MCP Server. Prior to 7.0.0, the ha-mcp OAuth consent form beta feature accepts a user-supplied ha_url and makes a server-side HTTP request to {ha_url}/api/config with no URL validation. An unauthenticated attacker can submit arbitrary URLs to perform internal network...

CVSS 5.3 | AI score 6 | EPSS 0.00278
Exploits 0 | References 2 | Affected Software 1
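Both CVE-2026-32111 entries describe the same defect: a server-side request is sent to a base URL the user supplies, with nothing between the form field and the socket. The validator below is an added example, not ha-mcp's code; the function names, the UnsafeURL exception, the "public addresses only" policy and the injectable resolver are this example's own assumptions. It parses the URL, allows only http/https, rejects userinfo and any path, query or fragment, resolves the host, and refuses a name or literal that maps to loopback, private, link-local (which covers 169.254.169.254 cloud metadata), multicast or IPv4-mapped internal addresses:

```python
import ipaddress
import socket
from typing import Callable, Iterable, List, Union
from urllib.parse import urlsplit

# Added example, not ha-mcp's code: the function names, the UnsafeURL exception
# and the "public addresses only" policy are this example's own assumptions.

ALLOWED_SCHEMES = {"http", "https"}

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


class UnsafeURL(ValueError):
    """Raised when a user-supplied base URL must not be fetched server-side."""


def _default_resolver(host: str) -> List[str]:
    """Resolve host to every A/AAAA address it has (real DNS; inject a fake in tests)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def _is_public(addr: IPAddress) -> bool:
    """False for loopback, RFC1918, link-local (incl. 169.254.169.254), multicast, reserved."""
    # ::ffff:10.0.0.1 is an IPv4-mapped IPv6 address: judge the embedded IPv4 address.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_global and not addr.is_multicast


def validate_base_url(url: str, resolver: Callable[[str], Iterable[str]] = _default_resolver) -> str:
    """Return a normalised 'scheme://host[:port]' for url, or raise UnsafeURL.

    Every address the host resolves to must be public, so a name that mixes a
    public and an internal address is refused instead of being left to chance.
    """
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise UnsafeURL("userinfo (user:pass@) is not allowed")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise UnsafeURL("base URL must be scheme://host[:port] only")
    host = parts.hostname
    if not host:
        raise UnsafeURL("missing host")
    try:
        port = parts.port  # ValueError when the port is not a number in 0..65535
    except ValueError as exc:
        raise UnsafeURL(f"invalid port: {exc}") from exc

    literal_v6 = False
    try:
        addrs: List[IPAddress] = [ipaddress.ip_address(host)]  # literal IP: no DNS needed
        literal_v6 = isinstance(addrs[0], ipaddress.IPv6Address)
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (OSError, ValueError) as exc:  # socket.gaierror is an OSError
            raise UnsafeURL(f"cannot resolve {host!r}: {exc}") from exc
    if not addrs:
        raise UnsafeURL(f"{host!r} resolved to no addresses")
    for addr in addrs:
        if not _is_public(addr):
            raise UnsafeURL(f"{host!r} resolves to non-public address {addr}")

    host_part = f"[{host}]" if literal_v6 else host
    return f"{scheme}://{host_part}" + (f":{port}" if port else "")


def is_safe_base_url(url: str, resolver: Callable[[str], Iterable[str]] = _default_resolver) -> bool:
    """Boolean form of validate_base_url for callers that only need accept/reject."""
    try:
        validate_base_url(url, resolver)
        return True
    except UnsafeURL:
        return False


def config_url(ha_url: str, resolver: Callable[[str], Iterable[str]] = _default_resolver) -> str:
    """The request the consent form wants to make, built only from a validated base."""
    return validate_base_url(ha_url, resolver) + "/api/config"
```

Two caveats apply whichever HTTP client then issues the request. The client resolves the name again, so a DNS answer that changes between this check and the connect (rebinding) bypasses it unless the client is pinned to the validated address or resolves through the same hook; and redirects must be disabled, or each redirect target must pass the same check, since an attacker-controlled public host can 302 to an internal one.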
Snyk
added 2026/03/11 8:40 p.m. | 1 view

Allocation of Resources Without Limits or Throttling

Overview tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling during the parsing of multipart/form-data bodies containing an excessive...

CVSS 8.7 | AI score 5.9 | EPSS 0.00375
Exploits 0 | References 2
PyPA
added 2026/03/11 8:16 p.m. | 7 views

PYSEC-2026-140

Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility ...

CVSS 8.7 | AI score 7.3 | EPSS 0.00375
Exploits 0 | References 2 | Affected Software 1
OSV
added 2026/03/11 8:16 p.m. | 8 views

DEBIAN-CVE-2026-31958

Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility ...

CVSS 7.5 | AI score 8.3 | EPSS 0.00375
Exploits 0 | References 1
NVD
added 2026/03/11 8:16 p.m. | 7 views

CVE-2026-31958

Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility ...

CVSS 8.7 | EPSS 0.00375
Exploits 0 | References 2
Vulnrichment
added 2026/03/11 7:27 p.m. | 5 views

CVE-2026-31958 Tornado has a DoS due to too many multipart parts

Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility ...

CVSS 8.7 | AI score 5.8 | EPSS 0.00375
Exploits 0 | References 1
CVE
added 2026/03/11 7:27 p.m. | 94 views

CVE-2026-31958

Tornado (Python) before 6.5.5 is vulnerable in its multipart/form-data parsing: the only limit is max_body_size (default 100MB) and parsing occurs synchronously on the main thread, enabling denial-of-service via very large multipart bodies with many parts. The issue is fixed in 6.5.5. CVSS metric...

CVSS 8.7 | AI score 5.8 | EPSS 0.00375
Exploits 0 | References 2 | Affected Software 1
ATTACKERKB
added 2026/03/11 7:27 p.m. | 9 views

CVE-2026-31958

Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility ...

CVSS 8.7 | AI score 5.8 | EPSS 0.00375
Exploits 0 | References 2 | Affected Software 1
Cvelist
added 2026/03/11 7:27 p.m. | 28 views

CVE-2026-31958 Tornado has a DoS due to too many multipart parts

Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setting (default 100MB). Since parsing occurs synchronously on the main thread, this creates the possibility ...

CVSS 8.7 | EPSS 0.00375
Exploits 0 | References 1
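Every CVE-2026-31958 entry above makes the same point: a body-size cap alone does not bound the work a multipart body can cause, because a body well under 100MB can hold a very large number of tiny parts, and each part costs parser time on the thread that serves every other request. The parser below is an added example, not Tornado's code, and the entries do not say how 6.5.5 changed the limits; the limit names, their defaults, the Part type and the helper functions are this example's own choices. It enforces a part-count cap and a per-part header-size cap next to the body-size cap, checking the count before any work is done on the next part, and includes a constructed body generator of the shape the advisory describes:

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Added example, not Tornado's parser: the limit names, their defaults and the
# helper functions are this example's own choices.

MAX_BODY_SIZE = 100 * 1024 * 1024  # the one limit the advisory describes for Tornado < 6.5.5
MAX_PARTS = 1000                   # added: cap on the number of parts per body
MAX_PART_HEADERS = 8 * 1024        # added: cap on the header block of a single part


class MultipartLimitExceeded(ValueError):
    """Raised before the parser does work it cannot afford."""


@dataclass
class Part:
    name: str
    filename: Optional[str]
    body: bytes


_DISPOSITION = re.compile(rb"content-disposition:\s*form-data;(.*)", re.I)
_PARAM = re.compile(rb'\s*([^=;]+)=(?:"([^"]*)"|([^;]*))')


def _make_part(headers: bytes, data: bytes) -> Part:
    """Pull name/filename out of the Content-Disposition header of one part."""
    name, filename = "", None
    for line in headers.split(b"\r\n"):
        m = _DISPOSITION.match(line)
        if not m:
            continue
        for pm in _PARAM.finditer(m.group(1)):
            key = pm.group(1).strip().lower()
            val = (pm.group(2) if pm.group(2) is not None else pm.group(3)).strip()
            if key == b"name":
                name = val.decode("utf-8", "replace")
            elif key == b"filename":
                filename = val.decode("utf-8", "replace")
    return Part(name, filename, data)


def parse_multipart(boundary: bytes, body: bytes, max_parts: int = MAX_PARTS,
                    max_body_size: int = MAX_BODY_SIZE,
                    max_part_headers: int = MAX_PART_HEADERS) -> List[Part]:
    """Parse a multipart/form-data body, refusing it as soon as any cap is hit."""
    if len(body) > max_body_size:
        raise MultipartLimitExceeded("body too large")
    delimiter = b"--" + boundary
    pos = body.find(delimiter)
    if pos < 0:
        raise ValueError("boundary not found")
    pos += len(delimiter)
    parts: List[Part] = []
    while True:
        if body.startswith(b"--", pos):  # closing delimiter "--boundary--"
            return parts
        # Checked before touching the next part: the cap bounds parser effort, not just memory.
        if len(parts) >= max_parts:
            raise MultipartLimitExceeded(f"more than {max_parts} parts")
        if not body.startswith(b"\r\n", pos):
            raise ValueError("malformed delimiter line")
        pos += 2
        header_end = body.find(b"\r\n\r\n", pos)
        if header_end < 0:
            raise ValueError("unterminated part headers")
        if header_end - pos > max_part_headers:
            raise MultipartLimitExceeded("part headers too large")
        data_start = header_end + 4
        next_delim = body.find(b"\r\n" + delimiter, data_start)
        if next_delim < 0:
            raise ValueError("unterminated part")
        parts.append(_make_part(body[pos:header_end], body[data_start:next_delim]))
        pos = next_delim + 2 + len(delimiter)


def build_body(boundary: bytes, n_parts: int, part_size: int = 1) -> bytes:
    """Constructed sample input: n_parts tiny form fields, the shape of the DoS body."""
    chunks = [b"--" + boundary + b"\r\n"
              b'Content-Disposition: form-data; name="f' + str(i).encode() + b'"\r\n\r\n'
              + b"x" * part_size + b"\r\n" for i in range(n_parts)]
    chunks.append(b"--" + boundary + b"--\r\n")
    return b"".join(chunks)


def check_body(boundary: bytes, body: bytes, **limits) -> str:
    """Summarise the outcome: 'parsed N parts' or 'rejected: <reason>'."""
    try:
        return f"parsed {len(parse_multipart(boundary, body, **limits))} parts"
    except MultipartLimitExceeded as exc:
        return f"rejected: {exc}"
```

The body from build_body(b"xyz", 5000) is a few hundred kilobytes, far under the 100MB size cap, yet it is refused after 1000 parts; raising max_parts lets it through. In a server the cap is what bounds the stall while parsing still runs on the I/O thread; for Tornado itself the fix is the 6.5.5 upgrade the entries name, not a custom parser.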
The Hacker News
added 2026/03/11 2:51 p.m. | 6 views

Critical n8n Flaws Allow Remote Code Execution and Exposure of Stored Credentials

Cybersecurity researchers have disclosed details of two now-patched security flaws in the n8n workflow automation platform, including two critical bugs that could result in arbitrary command execution. The vulnerabilities are listed below - CVE-2026-27577 CVSS score: 9.4 - Expression sandbox esca...

CVSS 9.9 | AI score 6.8 | EPSS 0.1016
Exploits 0
RedhatCVE
added 2026/03/11 1:19 p.m. | 3 views

CVE-2026-2724

The Unlimited Elements for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form entry fields in all versions up to, and including, 2.0.5. This is due to insufficient input sanitization and output escaping on form submission data displayed in the admin Form...

CVSS 7.2 | AI score 5.9 | EPSS 0.00345
Exploits 0 | References 1
EUVD
added 2026/03/11 12:31 p.m. | 4 views

EUVD-2026-11133

The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.9.28.1. This is due to a compound failure involving missing authorization on the create_from_template AJAX endpoint allowing any authenticated user to create forms, insufficie...

CVSS 6.4 | AI score 5.9 | EPSS 0.00203
Exploits 0 | References 3
NVD
added 2026/03/11 10:16 a.m. | 3 views

CVE-2026-3492

The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.9.28.1. This is due to a compound failure involving missing authorization on the create_from_template AJAX endpoint allowing any authenticated user to create forms, insufficie...

CVSS 6.4 | EPSS 0.00203
Exploits 0 | References 2
Patchstack
added 2026/03/11 9:35 a.m. | 4 views

WordPress LatePoint - Calendar Booking Plugin for Appointments and Events plugin <= 5.2.7 - Cross-Site Request Forgery in Booking Form Settings Update to Stored Cross-Site Scripting vulnerability

WordPress LatePoint - Calendar Booking Plugin for Appointments and Events plugin <= 5.2.7 - Cross-Site Request Forgery in Booking Form Settings Update to Stored Cross-Site Scripting vulnerability discovered by lucsob in WordPress Plugin LatePoint versions <= 5.2.7...

CVSS 6.1 | AI score 5.8 | EPSS 0.00095
Exploits 0 | References 1 | Affected Software 1
EUVD
added 2026/03/11 9:31 a.m. | 5 views

EUVD-2026-11125

The Responsive Contact Form Builder & Lead Generation Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.0.1 via form field submissions. This is due to insufficient input sanitization in the lfbleadsanitize function which omits certain...

CVSS 7.2 | AI score 5.9 | EPSS 0.00241
Exploits 0 | References 5
CVE
added 2026/03/11 9:25 a.m. | 13 views

CVE-2026-3492

The Gravity Forms WordPress plugin (all versions up to 2.9.28.1) is vulnerable to Stored XSS due to a trio of issues: (1) missing authorization on the create_from_template AJAX endpoint allowing any authenticated user to create forms, (2) insufficient input sanitization where sanitize_text_field(...

CVSS 6.4 | AI score 5.9 | EPSS 0.00203
Exploits 0 | References 2
Vulnrichment
added 2026/03/11 9:25 a.m. | 3 views

CVE-2026-3492 Gravity Forms <= 2.9.28.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Form Title

The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.9.28.1. This is due to a compound failure involving missing authorization on the create_from_template AJAX endpoint allowing any authenticated user to create forms, insufficie...

CVSS 6.4 | AI score 5.9 | EPSS 0.00203
Exploits 0 | References 2
Cvelist
added 2026/03/11 9:25 a.m. | 27 views

CVE-2026-3492 Gravity Forms <= 2.9.28.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Form Title

The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.9.28.1. This is due to a compound failure involving missing authorization on the create_from_template AJAX endpoint allowing any authenticated user to create forms, insufficie...

CVSS 6.4 | EPSS 0.00203
Exploits 0 | References 2
ATTACKERKB
added 2026/03/11 9:25 a.m. | 3 views

CVE-2026-3492

The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.9.28.1. This is due to a compound failure involving missing authorization on the create_from_template AJAX endpoint allowing any authenticated user to create forms, insufficie...

CVSS 6.4 | AI score 5.9 | EPSS 0.00203
Exploits 0 | References 3