CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

ATTACKERKB•added 2026/05/29 3:12 p.m.•7 views

CVE-2026-33386

QuickCMS is vulnerable to Cross-Site Scripting XSS through its insecure HTTP-based plugin‑fetching mechanism. A malicious attacker can perform a Man‑in‑the‑Middle MITM attack by impersonating the opensolution.org server and serving arbitrary HTML or JavaScript at the plugin list endpoint. When a...

4.8CVSS5.9AI score0.00185EPSS

Exploits0References3

EUVD•added 2026/05/29 3:12 p.m.•13 views

EUVD-2026-33339

4.8CVSS5.9AI score0.00185EPSS

OSSF Malicious Packages•added 2026/05/21 4:39 a.m.•10 views

Malicious code in @zhengshuo888/huoke (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6f352f11f7811b28966799c9359f99dbbe9829240066504be17c100981dd45ab On npm install, the package's postinstall hook runs node bin/huoke.js install-skill, which uses execSync to invoke curl -fsSL against...

5.8AI score

EUVD•added 2026/05/14 4:6 p.m.•7 views

EUVD-2025-209854

4.3CVSS5.8AI score0.0008EPSS

AstraLinux•added 2026/05/03 11:59 p.m.•4 views

Astra Linux – Vulnerability in Firefox

If an attacker needed a user to load an insecure http: page and knew that the user had enabled HTTPS-only mode, the attacker could trick the user into clicking to grant an HTTPS-only exception, provided they could get the user to participate in a clicking game. This vulnerability affects Firefox...

6.5CVSS6.6AI score0.0049EPSS

CNNVD•added 2026/04/23 12:0 a.m.•6 views

Flowise 安全漏洞

Flowise is an open-source tool developed by FlowiseAI, designed for easily building LLM applications. Prior versions of Flowise, up to 3.1.0, contained a security vulnerability. This vulnerability stemmed from the password reset feature sending reset links via an insecure HTTP protocol, which cou...

7.5CVSS5.7AI score0.00192EPSS

Exploits1References2

IBM Security Bulletins•added 2026/04/16 10:57 a.m.•8 views

Security Bulletin: Vulnerability in curl affects IBM Netezza Appliance

Summary The curl package is used by IBM Netezza Appliance . IBM Netezza Appliance has addressed the applicable CVE CVE-2025-9086 Vulnerability Details CVEID:CVE-2025-9086 DESCRIPTION: 1. A cookie is set using the secure keyword for https://target 2. curl is redirected to or otherwise made to...

7.5CVSS5.8AI score0.01301EPSS

Exploits1Affected Software1

ATTACKERKB•added 2026/04/16 5:11 a.m.•5 views

CVE-2026-22618

A security misconfiguration was identified in Eaton Intelligent Power Protector IPP, where an HTTP response header was set with an insecure attribute, potentially exposing users to web‑based attacks. This security issue has been fixed in the latest version of Eaton IPP software which is available...

5.9CVSS5.7AI score0.00233EPSS

CVE•added 2026/04/16 5:11 a.m.•15 views

CVE-2026-22618

The CVE concerns Eaton Intelligent Power Protector (IPP) with a security misconfiguration where an HTTP response header used an insecure attribute. The issue could enable web-based attacks and has been fixed in the latest Eaton IPP version available from Eaton’s download centre. Practical impact ...

7.1CVSS5.7AI score0.00233EPSS

Exploits0References1Affected Software1

Positive Technologies•added 2026/04/03 12:0 a.m.•11 views

PT-2026-30014

Summary Ech0 implements link preview editor fetches a page title through GET /api/website/title. That is legitimate product behavior, but the implementation is unsafe: the route is unauthenticated, accepts a fully attacker-controlled URL, performs a server-side GET, reads the entire response body...

7.5CVSS6AI score0.00327EPSS

Exploits1References4

ATTACKERKB•added 2026/03/19 10:7 p.m.•1 views

CVE-2026-32034

OpenClaw versions prior to 2026.2.21 contain an authentication bypass vulnerability in the Control UI when allowInsecureAuth is explicitly enabled and the gateway is exposed over plaintext HTTP, allowing attackers to bypass device identity and pairing verification. An attacker with leaked or...

6.8CVSS5.8AI score0.00381EPSS

Exploits0References4

Vulnrichment•added 2026/02/03 2:26 a.m.•4 views

CVE-2026-24934 An improper certificate validation vulnerability was found in ADM while querying an external server for the device's WAN IP address.

The DDNS function uses an insecure HTTP connection or fails to validate the SSL/TLS certificate when querying an external server for the device's WAN IP address. An unauthenticated remote attacker can perform a Man-in-the-Middle MitM attack to spoof the response, leading the device to update its...

ATTACKERKB•added 2026/02/03 2:26 a.m.•3 views

CVE-2026-24934

Exploits0References2Affected Software1

CVE•added 2026/02/03 2:26 a.m.•11 views

CVE-2026-24934

CVE-2026-24934 describes an insecure DDNS WAN-IP lookup in ADM firmware. The DDNS function uses HTTP or fails to validate the SSL/TLS certificate when querying an external server for the device’s WAN IP, enabling an unauthenticated MitM attacker to spoof the response and cause the device to updat...

Exploits0References1Affected Software1

Cvelist•added 2026/02/03 2:26 a.m.•31 views

CVE-2026-24934 An improper certificate validation vulnerability was found in ADM while querying an external server for the device's WAN IP address.

6.3CVSS0.00156EPSS

EUVD•added 2026/02/03 2:26 a.m.•7 views

EUVD-2026-5285

Positive Technologies•added 2026/02/03 12:0 a.m.•9 views

PT-2026-5766