Lucene search
K

1084 matches found

NVD
NVD
added 6 days ago7 views

CVE-2026-55878

Symfony UX is a JavaScript ecosystem for Symfony. From 2.32.0 before 2.36.1 and from 3.0.0 before 3.2.0, the ux:install console command installs files from a recipe kit by copying paths listed in a copy-files map, and because Path::isRelative accepts paths like ../../../etc, a crafted or...

7.8CVSS0.00146EPSS
Exploits0References4
NVD
NVD
added 6 days ago8 views

CVE-2026-59819

LiteLLM is a proxy server AI Gateway to call LLM APIs in OpenAI or native format. Prior to 1.83.10-stable, LiteLLM's /health/testconnection endpoint resolved request-supplied environment and OIDC file references in litellmparams, allowing a proxy administrator or another privileged caller with...

4.9CVSS0.00278EPSS
Exploits0References3
Snyk
Snyk
added 6 days ago7 views

Server-side Request Forgery (SSRF)

Overview repomix is an A tool to pack repository contents to single file for AI consumption Affected versions of this package are vulnerable to Server-side Request Forgery SSRF through the processRemoteRepo path in POST /api/pack and its repository URL handling before git clone. An attacker can...

9.3CVSS6.2AI score0.00324EPSS
Exploits0References2
NVD
NVD
added 6 days ago10 views

CVE-2026-57259

The input file does not need to be strictly in a structurally valid PDF format. Instead, after reviewing the content, the original document disguised as a PDF will be sent to the parser. Malicious documents will construct malicious external entities that, through the protocol, point to local path...

6.5CVSS0.00205EPSS
Exploits0References1
Cvelist
Cvelist
added 6 days ago38 views

CVE-2026-57259 Foxit PDF Editor/Reader XDP XFA XXE arbitrary local file read

The input file does not need to be strictly in a structurally valid PDF format. Instead, after reviewing the content, the original document disguised as a PDF will be sent to the parser. Malicious documents will construct malicious external entities that, through the protocol, point to local path...

6.5CVSS0.00205EPSS
Exploits0References1
EUVD
EUVD
added 6 days ago6 views

EUVD-2026-42197

The input file does not need to be strictly in a structurally valid PDF format. Instead, after reviewing the content, the original document disguised as a PDF will be sent to the parser. Malicious documents will construct malicious external entities that, through the protocol, point to local path...

6.5CVSS5.9AI score0.00205EPSS
Exploits0References1
CVE
CVE
added 6 days ago10 views

CVE-2026-57259

Technical details about CVE-2026-57259 are not publicly available in the provided documents; no product/version/root-cause information is present here. Monitor for updates.

6.5CVSS5.9AI score0.00205EPSS
Exploits0References1Affected Software2
Positive Technologies
Positive Technologies
added 6 days ago9 views

PT-2026-56358

Name of the Vulnerable Software and Affected Versions Foxit Reader affected versions not specified Description An XML External Entity XXE issue exists where the application processes files that are not strictly in a structurally valid PDF format. By opening a malicious document disguised as a PDF...

6.5CVSS6.1AI score0.00205EPSS
Exploits0References5
Snyk
Snyk
added 2026/07/03 6:16 p.m.5 views

Cross-site Request Forgery (CSRF)

Overview webpack-dev-server is an Uses webpack with a development server that provides live reloading. It should be used for development only. Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF via the open-editor and invalidate endpoints. An attacker can open...

5.3CVSS6AI score0.00116EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/07/03 5:0 p.m.42 views

CVE-2026-14620 webpack-dev-server vulnerable to cross-site request forgery via internal developer endpoints

webpack-dev-server versions 5.2.5 and earlier expose two internal developer endpoints, /webpack-dev-server/open-editor and /webpack-dev-server/invalidate, that perform state-changing actions on any GET request without verifying that the request originated from the dev server's own page. Any websi...

4.7CVSS0.00116EPSS
Exploits0References2
CVE
CVE
added 2026/07/03 5:0 p.m.31 views

CVE-2026-14620

webpack-dev-server prior to 5.2.6 exposes two internal endpoints (/webpack-dev-server/open-editor and /webpack-dev-server/invalidate) that perform state-changing actions on any GET request without origin verification. This enables cross-origin interactions when a user visits any website while the...

4.7CVSS6.1AI score0.00116EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/07/03 5:0 p.m.4 views

CVE-2026-14620 webpack-dev-server vulnerable to cross-site request forgery via internal developer endpoints

webpack-dev-server versions 5.2.5 and earlier expose two internal developer endpoints, /webpack-dev-server/open-editor and /webpack-dev-server/invalidate, that perform state-changing actions on any GET request without verifying that the request originated from the dev server's own page. Any websi...

4.7CVSS6.1AI score0.00116EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/07/02 5:30 a.m.11 views

CVE-2026-47214

A flaw was found in Docling, a document processing tool. Its HTML backend contained vulnerabilities related to unsafe handling of Uniform Resource Identifiers URIs and file paths. This could allow an attacker to access local files, navigate outside of intended directories path traversal, and...

7.1CVSS5.8AI score0.00217EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/06/29 12:0 a.m.32 views

PT-2026-53311

Name of the Vulnerable Software and Affected Versions Snowflake CLI versions prior to 3.19 Description Improper restriction of file path resolution allows arbitrary local file content to be read and transmitted to Snowflake services. An attacker can exploit this by providing crafted repository or...

6.3CVSS6.1AI score0.00139EPSS
Exploits0References6
ATTACKERKB
ATTACKERKB
added 2026/06/26 8:57 p.m.11 views

CVE-2026-45807

Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.43 and 1.3.19, several Kestra API endpoints accept a kestra:// URI from the client and pass it through StorageInterface.parentTraversalGuard before reading the underlying file from the local storage backend. The guard onl...

7.7CVSS6AI score0.00386EPSS
Exploits1References2Affected Software1
NVD
NVD
added 2026/06/24 6:17 p.m.8 views

CVE-2026-48704

Warp is an agentic development environment. From 0.2023.10.24.08.03.stable00 until 0.2026.05.06.15.42.stable01, Warp may open executable local files through the operating system default file handler. A malicious Markdown document or project can contain a local-file link that appears as normal...

8.8CVSS0.00255EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 3:18 p.m.8 views

XML External Entity (XXE) Injection

Overview org.jenkins-ci.plugins:assembla is a plugin that integrates Jenkins with Assembla tickets during SCM update / Build. Affected versions of this package are vulnerable to XML External Entity XXE Injection via the XML parser. An attacker can extract sensitive information from the server or...

8.8CVSS6AI score0.00224EPSS
Exploits0References2
AstraLinux
AstraLinux
added 2026/06/24 3:11 p.m.7 views

Astra Linux – Vulnerability in qBittTorrent

qBittorrent versions before 5.1.2 do not prevent access to a local file that is referenced in a link URL. This issue affects rsswidget.cpp and searchjobwidget.cpp...

5.3CVSS5.8AI score0.00398EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/23 3:49 p.m.44 views

CVE-2026-49465 n8n: Git Node Clone and Push Operations Bypass File Sandbox

n8n is an open source workflow automation platform. Prior to 1.123.48, 2.21.8, and 2.22.4, an authenticated user with permission to create or modify workflows could supply a local filesystem path as the source repository in the Git node's Clone operation, or as the target repository in the Push...

6CVSS0.00495EPSS
Exploits0References1
NVD
NVD
added 2026/06/23 1:16 p.m.11 views

CVE-2026-56274

Flowise before 3.1.2 contains multiple OS command injection vulnerabilities in the Custom MCP Server feature due to incomplete command-flag validation and a regex bypass in local file access restrictions. An attacker with a Flowise account of any role, or API access with view/update permissions f...

9.9CVSS0.02683EPSS
Exploits1References2
Rows per page
Query Builder