
423 matches found

OSV
added 2026/04/06 7:58 a.m., 2 views

BIT-NODE-MIN-2026-21711

A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket (UDS) server operations without the required permission checks, while all comparable network paths correctly enforce them. As a result, code running under --permission without --allow-net can create and expose local IP...

CVSS 5.3 | AI score 6.5 | EPSS 0.00146
Exploits: 0 | References: 2

CNNVD
added 2026/04/04 12:0 a.m., 9 views

Electron data forgery vulnerability

Electron is an open-source JavaScript framework developed by users for creating cross-platform desktop applications. This framework is based on Node.js and Chromium, allowing the development of cross-platform desktop applications using HTML and CSS. Versions of Electron prior to 38.8.6, 39.8.1,...

CVSS 6.5 | AI score 5.7 | EPSS 0.00123
Exploits: 0 | References: 1

GitHub Security Blog
added 2026/04/03 2:44 a.m., 8 views

Electron: Service worker can spoof executeJavaScript IPC replies

Impact A service worker running in a session could spoof reply messages on the internal IPC channel used by webContents.executeJavaScript and related methods, causing the main-process promise to resolve with attacker-controlled data. Apps are only affected if they have service workers registered...

CVSS 6.5 | AI score 5.9 | EPSS 0.00123
Exploits: 0 | References: 3 | Affected Software: 1

RedhatCVE
added 2026/04/01 5:3 p.m., 4 views

CVE-2026-34218

ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. Prior to version 4.2.14, two related startup defects created a window during which only the single compile-time baseline rule was enforced by opfilter. All managed MDM-delivered and user-defined...

CVSS 6.3 | AI score 5.8 | EPSS 0.00196
Exploits: 1 | References: 1

Vulnrichment
added 2026/03/30 7:7 p.m., 4 views

CVE-2026-21711

A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket (UDS) server operations without the required permission checks, while all comparable network paths correctly enforce them. As a result, code running under --permission without --allow-net can create and expose local IP...

CVSS 5.3 | AI score 6.4 | EPSS 0.00146
Exploits: 0 | References: 1

CVE
added 2026/03/30 7:7 p.m., 19 views

CVE-2026-21711

CVE-2026-21711 is a Node.js vulnerability describing a permission-check bypass in the Unix Domain Socket (UDS) handling under the Permission Model. The flaw allows code running with --permission and without --allow-net to create and expose local IPC endpoints, enabling potential cross-process com...

CVSS 5.3 | AI score 6 | EPSS 0.00146
Exploits: 0 | References: 1

Cvelist
added 2026/03/30 7:7 p.m., 31 views

CVE-2026-21711

A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket (UDS) server operations without the required permission checks, while all comparable network paths correctly enforce them. As a result, code running under --permission without --allow-net can create and expose local IP...

CVSS 5.3 | EPSS 0.00146
Exploits: 0 | References: 1

CNNVD
added 2026/03/30 12:0 a.m., 7 views

Node.js security vulnerability

Node.js is an open-source, cross-platform JavaScript runtime environment developed by the Node.js community. Version 25.x of Node.js contains a security vulnerability. This vulnerability stems from the lack of permission checks for Unix-domain socket servers during network execution, which may...

CVSS 5.3 | AI score 6.7 | EPSS 0.00146
Exploits: 0 | References: 1

EUVD
added 2026/03/26 12:30 p.m., 5 views

EUVD-2026-16160

The VSL privileged helper does utilize NSXPC for IPC. The implementation of the "shouldAcceptNewConnection" function, which is used by the NSXPC framework to validate if a client should be allowed to connect to the XPC listener, does not validate clients at all. This means that any process can...

CVSS 8.8 | AI score 5.9 | EPSS 0.00449
Exploits: 1 | References: 2

CVE
added 2026/03/26 10:55 a.m., 8 views

CVE-2026-24068

The CVE-2026-24068 issue affects Vienna Assistant (MacOS) via the VSL privileged helper that uses NSXPC for IPC. The core problem is that shouldAcceptNewConnection does not validate clients, allowing any process to connect and invoke HelperToolProtocol functions, notably writeReceiptFile and runU...

CVSS 8.8 | AI score 5.9 | EPSS 0.00449
Exploits: 1 | References: 2

ATTACKERKB
added 2026/03/26 10:55 a.m., 2 views

CVE-2026-24068

The VSL privileged helper does utilize NSXPC for IPC. The implementation of the "shouldAcceptNewConnection" function, which is used by the NSXPC framework to validate if a client should be allowed to connect to the XPC listener, does not validate clients at all. This means that any process can...

CVSS 8.8 | AI score 5.9 | EPSS 0.00449
Exploits: 1 | References: 2 | Affected Software: 1

Tenable Nessus
added 2026/03/26 12:0 a.m., 4 views

FreeBSD : Mozilla -- Multiple vulnerabilities (26c24872-2943-11f1-8461-b42e991fc52e)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 26c24872-2943-11f1-8461-b42e991fc52e advisory. CVE-2026-4729: Memory safety bugs CVE-2026-4728: Spoofing issue in the Privacy: Anti-Tracking...

CVSS 10 | AI score 7.3 | EPSS 0.0053
Exploits: 0 | References: 9

ATTACKERKB
added 2026/03/24 12:30 p.m., 6 views

CVE-2026-4722

Privilege escalation in the IPC component. This vulnerability was fixed in Firefox 149 and Thunderbird 149...

CVSS 8.8 | AI score 7.2 | EPSS 0.00313
Exploits: 0 | References: 4

CNNVD
added 2026/03/24 12:0 a.m., 6 views

Mozilla Firefox and Mozilla Thunderbird security vulnerability

Mozilla Firefox is an open source web browser. Mozilla Thunderbird is a set of e-mail client software separate from the Mozilla Application Suite. The software supports IMAP, POP mail protocols and HTML mail format. A code execution vulnerability exists in Mozilla Firefox and Mozilla Thunderbird d...

CVSS 8.8 | AI score 7.9 | EPSS 0.00313
Exploits: 0 | References: 3

Snyk
added 2026/03/23 10:34 p.m., 8 views

Improper Privilege Management

Overview Affected versions of this package are vulnerable to Improper Privilege Management in the IPC API process when spurious data is provided by an unprivileged local user. An attacker can cause the system to freeze or overwrite the stack by sending crafted IPC API calls. Remediation A fix was...

CVSS 7.8 | AI score 5.9 | EPSS 0.00121
Exploits: 0 | References: 2

NVD
added 2026/03/23 10:16 p.m., 4 views

CVE-2026-29111

systemd, a system and service manager, as PID 1 hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this i...

CVSS 5.5 | EPSS 0.00121
Exploits: 0 | References: 11

CNNVD
added 2026/03/23 12:0 a.m., 6 views

systemd security vulnerability

Systemd is a Linux-based system and service manager developed by Lennart Poettering of Germany. This product is compatible with SysV and LSB startup scripts, and it provides a framework for representing dependencies between system services. Systemd versions from v239 to v259.2 and earlier contain...

CVSS 5.5 | AI score 5.9 | EPSS 0.00121
Exploits: 0 | References: 12

Vulnrichment
added 2026/03/18 3:24 p.m., 4 views

CVE-2026-24062 Insufficient XPC Client validation leading to local privilege escalation in Arturia Software Center

The "Privileged Helper" component of the Arturia Software Center MacOS does not perform sufficient client code signature validation when a client connects. This leads to an attacker being able to connect to the helper and execute privileged actions leading to local privilege escalation...

AI score 5.8 | EPSS 0.00122
Exploits: 1 | References: 1

Cvelist
added 2026/03/18 3:24 p.m., 22 views

CVE-2026-24062 Insufficient XPC Client validation leading to local privilege escalation in Arturia Software Center

The "Privileged Helper" component of the Arturia Software Center MacOS does not perform sufficient client code signature validation when a client connects. This leads to an attacker being able to connect to the helper and execute privileged actions leading to local privilege escalation...

EPSS 0.00122
Exploits: 1 | References: 1

Packet Storm News
added 2026/03/02 12:0 a.m., 6 views

Exploiting PendingIntent Provenance Confusion to Spoof Android SDK Authentication

A single authentication bypass in a partner SDK grants attackers the identity of every partner in the ecosystem -- and millions of apps use SDKs with exactly this vulnerability. OWASP's 2024 Mobile Top 10 ranks Inadequate Supply Chain Security as the second most critical mobile risk, explicitly...

AI score 6
Exploits: 0