Lucene search
K

1131 matches found

NVD
NVD
added 2 days ago6 views

CVE-2026-61502

Rejetto HFS 3.0.0 through 3.2.0 accepts state-changing API requests via the GET method and exempts GET requests from its anti-CSRF header check. A remote attacker can perform administrative actions including account creation and configuration changes leading to code execution - by causing a...

5.1CVSS0.00182EPSS
Exploits0References2
Cvelist
Cvelist
added 2 days ago28 views

CVE-2026-61502 Rejetto HFS < 3.2.1 Cross-Site Request Forgery via GET Requests

Rejetto HFS 3.0.0 through 3.2.0 accepts state-changing API requests via the GET method and exempts GET requests from its anti-CSRF header check. A remote attacker can perform administrative actions including account creation and configuration changes leading to code execution - by causing a...

5.1CVSS0.00182EPSS
Exploits0References2
CVE
CVE
added 2 days ago8 views

CVE-2026-61502

CVE-2026-61502 affects Rejetto HFS versions 3.0.0 through 3.2.0. The root cause is that state-changing API requests can be issued via GET and are exempt from the anti-CSRF header check, enabling a remote attacker to perform administrative actions (e.g., account creation, configuration changes) an...

5.1CVSS6.4AI score0.00182EPSS
Exploits0References2
OSV
OSV
added 2 days ago4 views

CVE-2026-61502 Rejetto HFS < 3.2.1 Cross-Site Request Forgery via GET Requests

Rejetto HFS 3.0.0 through 3.2.0 accepts state-changing API requests via the GET method and exempts GET requests from its anti-CSRF header check. A remote attacker can perform administrative actions including account creation and configuration changes leading to code execution - by causing a...

5.1CVSS6.4AI score0.00182EPSS
Exploits0References5
OSV
OSV
added 2026/07/03 5:0 p.m.4 views

CVE-2026-14620 webpack-dev-server vulnerable to cross-site request forgery via internal developer endpoints

webpack-dev-server versions 5.2.5 and earlier expose two internal developer endpoints, /webpack-dev-server/open-editor and /webpack-dev-server/invalidate, that perform state-changing actions on any GET request without verifying that the request originated from the dev server's own page. Any websi...

4.7CVSS6.1AI score0.00116EPSS
Exploits0References4
Amazon
Amazon
added 2026/06/29 12:0 a.m.6 views

Critical: rclone

Issue Overview: Rclone is a command-line program to sync files and directories to and from different cloud storage providers. From 1.46.0 until 1.74.3, rclone rcd --rc-serve accepts unauthenticated GET and HEAD requests to paths of the form: /remote:path/object. The remote value is parsed from th...

9.8CVSS5.8AI score0.00701EPSS
Exploits0
NVD
NVD
added 2026/06/25 2:16 p.m.9 views

CVE-2026-56122

Winstone Servlet Engine through 0.9.10 contains a path traversal vulnerability that allows unauthenticated attackers to read arbitrary files by sending HTTP GET requests with dot-dot-slash sequences that are not sanitized when serving static files from the configured webroot. Attackers can traver...

8.7CVSS0.00377EPSS
Exploits0References3
Debian CVE
Debian CVE
added 2026/06/25 12:22 p.m.7 views

CVE-2026-40208

An attacker might be able to delay the processing of DoH3 queries by sending DoH3 GET queries with an invalid DATA frame...

3.7CVSS5.9AI score0.00285EPSS
Exploits0
OSV
OSV
added 2026/06/25 12:22 p.m.2 views

CVE-2026-40208 Denial of service via DoH3 queries

An attacker might be able to delay the processing of DoH3 queries by sending DoH3 GET queries with an invalid DATA frame...

3.7CVSS5.9AI score0.00285EPSS
Exploits0References5
Tenable Nessus
Tenable Nessus
added 2026/06/25 12:0 a.m.9 views

Tridium Niagara Use of GET Request Method With Sensitive Query Strings (CVE-2025-3943)

Use of GET Request Method With Sensitive Query Strings vulnerability in Tridium Niagara Framework on Windows, Linux, QNX, Tridium Niagara Enterprise Security on Windows, Linux, QNX allows Parameter Injection. This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11;...

7.5CVSS7.4AI score0.07416EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/23 5:39 p.m.36 views

CVE-2026-54317 Home Assistant: Konnected alarm-panel switch state and zone topology disclosed to unauthenticated actors on the LAN

Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.6.0, the Konnected integration registers an HTTP endpoint, KonnectedView homeassistant/components/konnected/init.py, that is marked as not requiring authentication requiresauth = False....

7.6CVSS0.00193EPSS
Exploits1References1
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.26 views

PT-2026-51458

Name of the Vulnerable Software and Affected Versions Gogs versions prior to 0.14.3 Description Organization team member management can be performed via GET requests without Cross-Site Request Forgery CSRF protection. CSRF is a security flaw where an attacker tricks a logged-in user into executin...

8.8CVSS6AI score0.00248EPSS
Exploits0References14
NVD
NVD
added 2026/06/20 7:16 p.m.12 views

CVE-2026-56341

AVideo through version 26.0 contains multiple unauthenticated list.json.php endpoints in payment plugins lacking authorization checks, exposing PayPal tokens, Authorize.Net webhooks, and Bitcoin transaction records. Unauthenticated attackers can retrieve all payment transaction data including...

8.7CVSS0.00302EPSS
Exploits0References2
CVE
CVE
added 2026/06/19 5:18 p.m.20 views

CVE-2019-25753

The CVE-2019-25753 entry concerns Joomla! Component VMap 1.9.6, where an SQL injection vulnerability exists in the latlngbound parameter. An unauthenticated attacker can craft GET requests to index.php with options com_vmap&task=loadmarker containing SQL payloads to manipulate database queries an...

8.8CVSS6.2AI score0.00366EPSS
Exploits0References4
NVD
NVD
added 2026/06/19 5:16 p.m.11 views

CVE-2017-20272

Joomla Ultimate Property Listing 1.0.2 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the sfselectuserid parameter. Attackers can send GET requests to index.php with the option=comupl and...

8.8CVSS0.00237EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/06/19 4:58 p.m.7 views

CVE-2017-20282

Joomla! Component jCart for OpenCart 2.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the productid parameter. Attackers can send GET requests to index.php with the option=comjcart&route=product/product...

8.8CVSS6AI score0.00267EPSS
Exploits0References3Affected Software1
CVE
CVE
added 2026/06/19 4:38 p.m.13 views

CVE-2017-20276

Vulnerability: CVE-2017-20276 in Joomla! component SIMGenealogy 2.1.5. Impactful flaw: SQL injection via the type parameter in index.php when option=com_simgenealogy and view=latest are used; unauthenticated attackers can manipulate database queries and potentially exfiltrate data. Affected compo...

8.8CVSS6AI score0.00237EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/19 4:11 p.m.6 views

EUVD-2017-18995

Joomla! Component Zap Calendar Lite 4.3.4 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'eid' parameter. Attackers can send GET requests to the RSVP plugin endpoint with crafted SQL payloads t...

8.8CVSS6.2AI score0.0027EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/06/19 4:1 p.m.4 views

CVE-2017-20265

Joomla! Component Flip Wall 8.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the wallid parameter. Attackers can send GET requests to index.php with the option=comflipwall&task=click&wallid...

7.1CVSS6.2AI score0.00241EPSS
Exploits0References4Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/06/19 3:30 p.m.5 views

CVE-2017-20256

Joomla Survey Force Deluxe 3.2.4 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the invite parameter. Attackers can send GET requests to the component with crafted SQL payloads in the invite...

8.8CVSS6.2AI score0.00334EPSS
Exploits0References4Affected Software1
Rows per page
Query Builder