CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Vulnrichment•added last week•3 views

CVE-2026-45021 Kuma: Default kuma-cp leaks admin token cross-origin via CORS wildcard + LocalhostIsAdmin

Kuma is a modern Envoy-based service mesh that can run on every cloud across both Kubernetes and VMs. Prior to 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5, the default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is...

5.1CVSS5.8AI score0.00028EPSS

Cvelist•added last week•30 views

CVE-2026-45021 Kuma: Default kuma-cp leaks admin token cross-origin via CORS wildcard + LocalhostIsAdmin

5.1CVSS0.00028EPSS

EUVD•added last week•3 views

EUVD-2026-32963

CodeWhale is a DeepSeek + MiMo coding agent in terminal. Prior to 0.8.26, although SSRF is validated against hostnames that resolve to private IPv6 addresses, when providing the IPV6 in‌‌ URL‌ as http://::1, the SSRF defenses do not work. This vulnerability is fixed in 0.8.26...

7.4CVSS5.8AI score0.00032EPSS

Exploits0References3

OSV•added 2026/05/27 9:13 p.m.•2 views

GHSA-M7V2-7GXM-VC2V Symfony has Unauthenticated PHP Object Deserialization in MonologBridge server:log Listener

Description Symfony\Bridge\Monolog\Command\ServerLogCommand the server:log console command is a development-time helper that opens a TCP listener and displays log records pushed to it by the application's logging pipeline. Two unsafe defaults combine into a remotely reachable PHP...

9.3CVSS6.4AI score

Exploits0References6

SUSE CVE•added 2026/05/27 5:36 a.m.•2 views

SUSE CVE-2021-22884

Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DN...

5.8CVSS6.9AI score0.0027EPSS

Exploits1References17

Positive Technologies•added 2026/05/27 12:0 a.m.•5 views

PT-2026-44145

Name of the Vulnerable Software and Affected Versions symfony/monolog-bridge versions prior to 5.4.52 symfony/monolog-bridge versions prior to 6.4.40 symfony/monolog-bridge versions prior to 7.4.12 symfony/monolog-bridge versions prior to 8.0.12 symfony/symfony versions prior to 5.4.52...

9.3CVSS6.5AI score

RedhatCVE•added 2026/05/26 8:14 p.m.•10 views

CVE-2026-47076

Interpretation Conflict vulnerability in benoitc hackney allows Server Side Request Forgery. hackneyurl:normalize/2 URL-decodes the host component after the URL has been parsed into a hackneyurl record. OTP's uristring:parse/1 and inet:parseaddress/1 do not decode percent-escapes in the host, so ...

NVD•added 2026/05/25 3:16 p.m.•16 views

Exploits1References1

CVE-2026-47076

6.9CVSS0.00014EPSS

Cvelist•added 2026/05/25 2:0 p.m.•26 views

CVE-2026-47076 SSRF allowlist bypass via percent-encoded host in hackney

6.9CVSS0.00014EPSS

OSV•added 2026/05/25 2:0 p.m.•5 views

EEF-CVE-2026-47076 SSRF allowlist bypass via percent-encoded host in hackney

Summary Interpretation Conflict vulnerability in benoitc hackney allows Server Side Request Forgery. hackneyurl:normalize/2 URL-decodes the host component after the URL has been parsed into a hackneyurl record. OTP's uristring:parse/1 and inet:parseaddress/1 do not decode percent-escapes in the...

Vulnrichment•added 2026/05/25 2:0 p.m.•6 views

CVE-2026-47076 SSRF allowlist bypass via percent-encoded host in hackney

CVE•added 2026/05/25 2:0 p.m.•26 views

CVE-2026-47076

CVE-2026-47076 affects the hackney HTTP client (from 0.13.0 up to, but not including, 4.0.1). The issue1 arises because hackney_url:normalize/2 decodes the host after parsing, while OTP’s uri_string:parse/1 and inet:parse_address/1 do not decode percent-escapes, allowing a crafted URL such as htt...