Lucene search
K

42917 matches found

Redos
Redos
added 5 days ago5 views

ROS-20260710-73-0004

The vulnerability of the url.Parse function in the host/authority component of the Go programming language is related to improper syntax validation of input. Exploiting this vulnerability allows an attacker to execute arbitrary code remotely...

7.5CVSS6.3AI score0.00728EPSS
Exploits0
Tenable Nessus
Tenable Nessus
added 5 days ago7 views

FreeBSD : Apache HttpClient -- misinterpret malformed authority component (fa0c03dd-7c3a-11f1-8dc2-dca632daf43b)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the fa0c03dd-7c3a-11f1-8dc2-dca632daf43b advisory. Apache Software Foundation reports: Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can...

5.3CVSS6.7AI score0.08665EPSS
Exploits1References3
Tenable Nessus
Tenable Nessus
added 5 days ago8 views

OpenSSH < 10.4 Multiple Vulnerabilities

The version of OpenSSH installed on the remote host is prior to 10.4. It is, therefore, affected by multiple vulnerabilities, including: - ssh in OpenSSH before 10.4 can have a use-after-free when a server changes its host key during a key re-exchange. This outcome occurs only on the client side...

9.4CVSS6.2AI score0.00407EPSS
Exploits0References9
OSSF Malicious Packages
OSSF Malicious Packages
added 6 days ago9 views

Malicious code in vite-pwa-config (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bab1e251883a8eceecc27c935ed05352375d438c1efbbd8727f2b13a766409d0 Package vite-pwa-config impersonates the popular vite-plugin-pwa antfu — the README instructs users to import configJson from vite-plugin-pwa, and...

6.6AI score
Exploits0References2
NVD
NVD
added 6 days ago9 views

CVE-2026-15202

A security vulnerability has been detected in YzmCMS up to 7.5. Affected is the function geturl of the file /yzmphp/yzmphp.php of the component Header Handler. The manipulation of the argument HTTPHOST leads to cross site scripting. The attack may be initiated remotely. The exploit has been...

5.3CVSS0.00263EPSS
Exploits0References5
Cvelist
Cvelist
added 6 days ago32 views

CVE-2026-59734 Coolify: OS Command Injection in Health Check Configuration Allows Remote Code Execution

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.469, Coolify's app/Jobs/ApplicationDeploymentJob.php generatehealthcheckcommands function directly interpolated the healthcheckhost, healthcheckmethod, and healthcheckpath...

8.8CVSS0.00417EPSS
Exploits1References4
Cvelist
Cvelist
added 6 days ago37 views

CVE-2026-15202 YzmCMS Header yzmphp.php get_url cross site scripting

A security vulnerability has been detected in YzmCMS up to 7.5. Affected is the function geturl of the file /yzmphp/yzmphp.php of the component Header Handler. The manipulation of the argument HTTPHOST leads to cross site scripting. The attack may be initiated remotely. The exploit has been...

5.3CVSS0.00263EPSS
Exploits0References5
EUVD
EUVD
added 6 days ago7 views

EUVD-2026-42655

A security vulnerability has been detected in YzmCMS up to 7.5. Affected is the function geturl of the file /yzmphp/yzmphp.php of the component Header Handler. The manipulation of the argument HTTPHOST leads to cross site scripting. The attack may be initiated remotely. The exploit has been...

5.3CVSS4.1AI score0.00263EPSS
Exploits0References5
CVE
CVE
added 6 days ago11 views

CVE-2026-15202

CVE-2026-15202 affects YzmCMS up to version 7.5. The vulnerability resides in the get_url function of /yzmphp/yzmphp.php within the Header Handler, where manipulation of the HTTP_HOST argument enables cross-site scripting. Exploitation is remote and publicly disclosed. Vendor contact did not elic...

5.3CVSS4.1AI score0.00263EPSS
Exploits0References5
OSV
OSV
added 6 days ago1 views

SUSE-SU-2026:2817-1 Security update for go1.25

This update for go1.25 fixes the following issues - Update to version go1.25.12 bsc1244485. - CVE-2026-25679: net/url: reject IPv6 literal not at start of host bsc1259264. - CVE-2026-27139: os: FileInfo can escape from a Root bsc1259268. - CVE-2026-27142: html/template: URLs in meta content...

7.8CVSS6.8AI score0.00728EPSS
Exploits0References14
OSV
OSV
added 6 days ago2 views

ALPINE-CVE-2026-23561

This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE. XAPI can configure different users with different roles, using Role Based Access Control. For more details, see:...

9.4CVSS6.2AI score0.0014EPSS
Exploits0References1
OSV
OSV
added 6 days ago3 views

ALPINE-CVE-2026-23562

This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE. XAPI can configure different users with different roles, using Role Based Access Control. For more details, see:...

9.4CVSS6.2AI score0.0014EPSS
Exploits0References1
NVD
NVD
added 6 days ago6 views

CVE-2026-23562

This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE. XAPI can configure different users with different roles, using Role Based Access Control. For more details, see:...

9.4CVSS0.0014EPSS
Exploits0References1
OSSF Malicious Packages
OSSF Malicious Packages
added 6 days ago8 views

Malicious code in es6-codify (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e7ae2aa828c8ed2c3ec71480536fd07d9c19f3c698c3b095eafb41206ff3a75f The package advertises itself as a small ES6 string/array/object utility library, but both entrypoints dist/index.cjs and the ESM build execute a...

6.2AI score
Exploits0References10
CVE
CVE
added 6 days ago30 views

CVE-2026-23561

CVE-2026-23561 is part of a set of RBAC-related issues in XAPI (XenServer/XCP-ng) where certain administrator roles (vm-admin, etc.) can improperly modify RBAC-protected settings. Specifically, this CVE allows a vm-admin to set VM.other_config:storage_driver_domain and mark a VM as the storage do...

9.4CVSS7.3AI score0.0014EPSS
Exploits0References1
RedHat Linux
RedHat Linux
added 6 days ago5 views

fast-uri: fast-uri: URI authority bypass due to improper delimiter handling

A flaw was found in fast-uri. A remote attacker could exploit this vulnerability by crafting a malicious Uniform Resource Identifier URI that contains percent-encoded authority delimiters. The fast-uri library incorrectly decodes these delimiters during normalization and then re-emits them as raw...

7.5CVSS6AI score0.00475EPSS
Exploits0References6
Veracode
Veracode
added 6 days ago7 views

Sensitive Information Exposure

Apache Camel Undertow Component is vulnerable to Sensitive Information Exposure. The vulnerability is due to improper handling of exception responses, where processing errors return full Java stack traces instead of suppressing them, allowing attackers to obtain sensitive information such as...

5.3CVSS5.9AI score0.00363EPSS
Exploits0References4Affected Software2
NVD
NVD
added 6 days ago9 views

CVE-2026-12433

The Hydra Booking – Appointment Scheduling & Booking Calendar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 1.2.1 via the /wp-json/hydra-booking/v1/booking/details/id REST endpoint. This is due to the getBookingDetails callback only...

4.3CVSS0.00435EPSS
Exploits0References10
RedhatCVE
RedhatCVE
added 6 days ago8 views

CVE-2026-52725

A flaw was found in the @angular/core component. This vulnerability allows an attacker to bypass security restrictions when creating dynamic components. By manipulating the host element or selector, an attacker can force an Angular component to be mounted directly onto a script tag. This can resu...

6.8CVSS6.1AI score0.00238EPSS
Exploits0References6
Cvelist
Cvelist
added 6 days ago33 views

CVE-2026-12433 Hydra Booking <= 1.2.1 - Authenticated (Custom+) Insecure Direct Object Reference to Sensitive Information Exposure via 'booking_id' Parameter

The Hydra Booking – Appointment Scheduling & Booking Calendar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 1.2.1 via the /wp-json/hydra-booking/v1/booking/details/id REST endpoint. This is due to the getBookingDetails callback only...

4.3CVSS0.00435EPSS
Exploits0References10
Rows per page
Query Builder