Lucene search
+L

389 matches found

Nuclei
Nuclei
added 9 hours ago197 views

Grafana 8.0.0 <= v.8.2.2 - Angularjs Rendering Cross-Site Scripting

Grafana is an open-source platform for monitoring and observability. In affected versions if an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim's browser. The user visiting the...

6.9CVSS7.4AI score0.84607EPSS
Exploits0References5
NVD
NVD
added yesterday5 views

CVE-2026-59861

Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.0, Kiota's Ruby generator embedded OpenAPI default fields, property names, and other schema-derived strings through CodeMethodWriter.cs and SanitizeForQuotedLiteral in Writers/StringExtensions.cs into Ruby double-quoted literals...

7.5CVSS
Exploits0References4
CVE
CVE
added yesterday10 views

CVE-2026-59859

Kiota’s PHP generator (prior to 1.32.4) embeds OpenAPI-derived strings directly into PHP double-quoted literals via SanitizeDoubleQuote(), without escaping $. This permits attacker-controlled interpolation constructs like ${…}, $var, or {$obj-&gt;prop} to inject arbitrary PHP code into generated ...

8.7CVSS6.2AI score
Exploits0References4
Cvelist
Cvelist
added yesterday24 views

CVE-2026-59859 Kiota: Code Generation Literal Injection in the PHP Generator

Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.4, Kiota's PHP generator embedded OpenAPI description, default fields, property names, and other schema-derived strings into PHP double-quoted literals through SanitizeDoubleQuote in Writers/StringExtensions.cs without escaping $...

8.7CVSS
Exploits0References4
Cvelist
Cvelist
added yesterday26 views

CVE-2026-59861 Kiota: Code Generation Literal Injection in Kiota Ruby Generator

Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.0, Kiota's Ruby generator embedded OpenAPI default fields, property names, and other schema-derived strings through CodeMethodWriter.cs and SanitizeForQuotedLiteral in Writers/StringExtensions.cs into Ruby double-quoted literals...

7.5CVSS
Exploits0References4
Cvelist
Cvelist
added last week31 views

CVE-2026-55659 Grist: XSS through unsafe value interpolation in server-rendered pages

Grist is spreadsheet software using Python as its formula language. Prior to 1.7.15, several server-rendered Grist pages embedded user-controlled values into the page and into inline scripts without fully escaping them, allowing cross-site scripting. On the main application page, a document's nam...

7.7CVSS0.00275EPSS
Exploits0References3
OSV
OSV
added last week5 views

CVE-2026-55659 Grist: XSS through unsafe value interpolation in server-rendered pages

Grist is spreadsheet software using Python as its formula language. Prior to 1.7.15, several server-rendered Grist pages embedded user-controlled values into the page and into inline scripts without fully escaping them, allowing cross-site scripting. On the main application page, a document's nam...

7.7CVSS5.8AI score0.00275EPSS
Exploits0References5
NVD
NVD
added last week7 views

CVE-2026-61444

PraisonAI versions before 4.6.78 contain a code injection vulnerability in deploy/api.py where the agentsfile parameter is directly interpolated into an f-string without sanitization. Attackers can inject arbitrary Python code that executes when the generated server code runs via subprocess.Popen...

9.4CVSS0.00392EPSS
Exploits0References2
CVE
CVE
added last week13 views

CVE-2026-61444

PRAISONAi before 4.6.78 has a code‑injection vulnerability in deploy/api.py: the agents_file parameter is interpolated into an f-string without sanitization, allowing arbitrary Python code execution when the generated server code runs via subprocess.Popen(). Affected: PraisonAI

9.4CVSS6.2AI score0.00392EPSS
Exploits0References2
OSV
OSV
added 2026/07/10 9:12 a.m.2 views

OPENSUSE-SU-2026:21293-1 Security update for perl-DBI

This update for perl-DBI fixes the following issues - CVE-2026-14380: unvalidated string eval interpolation of the Profile package name can lead to arbitrary Perl code execution bsc1271018. - CVE-2026-14740: one-byte out-of-bounds read when deleting an initial SQL comment line can lead to a proce...

9.1CVSS6.3AI score0.00498EPSS
Exploits0References4
NVD
NVD
added 2026/07/09 11:17 p.m.6 views

CVE-2026-59858

Vim is an open source, command line text editor. Prior to 9.2.0735, the C omni-completion script in runtime/autoload/ccomplete.vim interpolates the typeref: or typename: extension field of a tags entry, without escaping, into a :vimgrep pattern that is run through :execute. Because :vimgrep honor...

8.4CVSS0.00137EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/07/09 10:37 p.m.51 views

CVE-2026-59858 Vim: Arbitrary Code Execution via C Omni-Completion

Vim is an open source, command line text editor. Prior to 9.2.0735, the C omni-completion script in runtime/autoload/ccomplete.vim interpolates the typeref: or typename: extension field of a tags entry, without escaping, into a :vimgrep pattern that is run through :execute. Because :vimgrep honor...

8.4CVSS0.00137EPSS
Exploits0References2
OSV
OSV
added 2026/07/08 1:49 p.m.5 views

CVE-2026-59257 n8n - SQL Injection in MySQL v1 executeQuery Operation via Expression Interpolation

n8n before 1.123.61, 2.x before 2.27.4, and 2.28.x before 2.28.1 contains a SQL injection vulnerability in the legacy MySQL v1 node's executeQuery operation. The operation substitutes evaluated ... expression values directly into the raw SQL string without parameterization. When a workflow uses...

5.3CVSS6.3AI score0.00314EPSS
Exploits0References4
NVD
NVD
added 2026/07/02 8:17 p.m.6 views

CVE-2026-59102

Forgejo before 15.0.3 contains a stored cross-site scripting vulnerability that allows authenticated attackers to execute arbitrary JavaScript in other users' browsers by setting a full name containing an HTML payload and triggering an Actions run. When the DEFAULTSHOWFULLNAME option is enabled,...

5.4CVSS0.00199EPSS
Exploits0References4
Oracle linux
Oracle linux
added 2026/06/29 12:0 a.m.7 views

perl-IO-Compress security update

2.081-2 - Remove use of eval in File::GlobMapper for safer string interpolation - Resolves: RHEL-180411...

7.8CVSS5.8AI score0.00292EPSS
Exploits3
Github Security Blog
Github Security Blog
added 2026/06/17 5:57 p.m.14 views

Open WebUI: RAG ACL Bypass in Milvus Multitenancy Mode

RAG ACL Bypass in Milvus Multitenancy Mode Summary This is a bypass of the fix for: - GHSA-h36f-rqpx-j5wx - CVE-2026-44560 - "Unauthorized File and Knowledge Base Content Access via RAG Vector Search" Open WebUI added collection-level ACL checks, but the patch can still be bypassed when Milvus...

6.5CVSS5.5AI score0.00366EPSS
Exploits2References2Affected Software1
Cvelist
Cvelist
added 2026/06/11 6:33 p.m.33 views

CVE-2026-48547 KanaDojo < 0.1.18 Command Injection via patchNotesData.json in release.yml

KanaDojo contains a command injection vulnerability that allows an attacker with pull request access to execute arbitrary shell commands by inserting shell metacharacters into the version or changes fields of patchNotesData.json, which are interpolated unsanitized into a childprocess.execSync cal...

8.5CVSS0.0091EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/09 9:58 p.m.11 views

EUVD-2026-31112

PhoenixStorybook: Unauthenticated remote code execution via HEEx template injection in phoenixstorybook playground...

9.5CVSS6.3AI score0.00907EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2026/06/05 7:43 p.m.10 views

CVE-2026-8767

A vulnerability has been found in vercel ai up to 3.0.97. Impacted is the function run of the file .github/workflows/prettier-on-automerge.yml of the component PR Branch Name Interpolation. The manipulation leads to os command injection. The attack can be initiated remotely. The complexity of an...

7.5CVSS4.9AI score0.04261EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:36 p.m.9 views

CVE-2026-41591

Marko is a declarative, HTML-based language for building web apps. Prior to marko version 5.38.36 and prior to @marko/runtime-tags 6.0.164, when dynamic text is interpolated into a ,...

6.4CVSS5.4AI score0.00195EPSS
Exploits0References1
Rows per page
Query Builder