Lucene search
K

340 matches found

Cvelist
Cvelist
added 4 days ago39 views

CVE-2026-4249 Denial of Service via Malicious JSON Payloads in Throttling Events in Multiple WSO2 Products Causing Persistent Service Disruption

The throttling event handling mechanism in multiple WSO2 products accepts user-supplied JSON payloads without sufficient validation of their structure and content. This allows an unauthenticated remote attacker to inject malicious JSON data that can lead to a persistent denial of service conditio...

8.6CVSS0.00339EPSS
Exploits0References1
CVE
CVE
added 4 days ago17 views

CVE-2026-4249

The CVE-2026-4249 affects multiple WSO2 products where the throttling event handling accepts unvalidated JSON payloads. The underlying issue is insufficient validation of the structure/content, enabling an unauthenticated remote attacker to inject malicious JSON that can cause a persistent denial...

8.6CVSS6AI score0.00339EPSS
Exploits0References1Affected Software1
EUVD
EUVD
added 6 days ago7 views

EUVD-2025-210425

picklescan before 0.0.34 fails to detect the operator.methodcaller built-in function when scanning pickle files for malicious code. Attackers can craft malicious pickle payloads using operator.methodcaller that evade detection and execute arbitrary code when loaded by pickle.load...

8.1CVSS6.3AI score0.00365EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 6 days ago8 views

CVE-2025-71373

picklescan before 0.0.33 fails to detect operator.methodcaller function calls in pickle files, allowing attackers to bypass security checks. Remote attackers can craft malicious pickle payloads using operator.methodcaller that execute arbitrary code when loaded, compromising systems relying on...

8.1CVSS6.3AI score0.00444EPSS
Exploits0References3
Nuclei
Nuclei
added 2026/06/28 3:8 p.m.115 views

XWiki < 4.10.20 - Remote code execution

XWiki is vulnerable to a remote code execution RCE attack through its user registration feature. This issue allows an attacker to execute arbitrary code by crafting malicious payloads in the "first name" or "last name" fields during user registration. This impacts all installations that have user...

10CVSS8.1AI score0.9348EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/06/21 1:27 p.m.3 views

CVE-2026-56393

Craft CMS 4.x = 4.0.0-RC1, = 5.0.0-RC1, 5.9.0-beta.1 contain multiple stored cross-site scripting vulnerabilities where settings names and field option labels are rendered without sanitization e.g., via the checkbox.twig template, which used label|raw . An authenticated administrator with...

4.8CVSS5.9AI score0.00183EPSS
Exploits0References5
Snyk
Snyk
added 2026/06/19 5:45 p.m.10 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the default code block rendering. An attacker can execute arbitrary JavaScript in the context of users viewing generated pages by supplying a crafted code-fence language info-string containing malicious...

5.4CVSS5.9AI score0.00172EPSS
Exploits0References2
OSV
OSV
added 2026/06/17 6:35 p.m.5 views

GHSA-CC5P-54X3-HCF8 Duplicate Advisory: Picklescan (scan_pytorch) Bypass via dynamic eval MAGIC_NUMBER

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-97f8-7cmv-76j2. This link is maintained to preserve external references. Original Description picklescan before 1.0.3 contains a scanning bypass vulnerability in the scanpytorch function that allows attackers to...

7.1CVSS6.1AI score0.00434EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2026/06/11 2:59 a.m.12 views

CVE-2026-25860

OpenClinic GA 5.351.19 contains a reflected cross-site scripting vulnerability in the DICOM image upload handler that allows attackers to execute arbitrary JavaScript in a victim's browser by embedding malicious payloads in DICOM file metadata fields. Attackers can craft a DICOM file with...

6.1CVSS5.6AI score0.00293EPSS
Exploits1References1
NVD
NVD
added 2026/06/10 12:16 a.m.18 views

CVE-2026-40993

An attacker with write permissions to the database table managed by JdbcAssertingPartyMetadataRepository saml2assertingpartymetadata may be able to store malicious serialized payloads in the columns containing the collection of verification or encryption credentials verificationcredentials and...

7.3CVSS0.00198EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/08 1:55 a.m.48 views

CVE-2021-47982 WordPress Plugin WP-Paginate 2.1.3 Stored XSS via preset

WordPress Plugin WP-Paginate 2.1.3 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by manipulating the preset parameter. Attackers can submit POST requests to the plugin settings page with script payloads in the preset parameter...

6.4CVSS0.00187EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/06/05 12:9 a.m.10 views

CVE-2025-67448

The SMS module in Neterbit NW-431F Router 20241014-IR03 and before is vulnerable to stored XSS. The application does not properly sanitize user input in SMS messages before storing and displaying them. An attacker can send an SMS containing a malicious XSS payload, which will be executed in the...

7.1CVSS5.8AI score0.00196EPSS
Exploits0References1
NVD
NVD
added 2026/05/29 12:16 p.m.19 views

CVE-2026-9809

A stored Cross-Site Scripting XSS vulnerability exists in the Projects component of Mautic 7. When displaying project tags and popovers on administrative detail views such as campaigns, emails, or forms, user-supplied project names are rendered without proper sanitization. An authenticated user...

7.6CVSS0.00164EPSS
Exploits0References1
Packet Storm News
Packet Storm News
added 2026/05/27 12:0 a.m.14 views

Technical Report: Exploring the Emerging Threats of the Agent Skill Ecosystem

We analyzed 3,984 AI agent skills from major marketplaces and found 76 confirmed malicious payloads, including credential theft, backdoor installation, and data exfiltration. 13.4% of all skills contain at least one critical-level security issue and at least 8 manually confirmed malicious skills...

5.8AI score
Exploits0
EUVD
EUVD
added 2026/05/25 2:15 p.m.11 views

EUVD-2018-21901

Joomla Component eXtroForms 2.1.5 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL commands through the filtertypeid, filterpidid, and filtersearch parameters. Attackers can submit POST requests to the extroformfield view with malicious SQL...

7.1CVSS6.1AI score0.00284EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/05/18 11:53 a.m.15 views

CVE-2021-47952

A flaw was found in python-jsonpickle. A remote attacker can exploit this vulnerability by crafting and sending malicious JSON payloads. When these payloads, which contain specially crafted py/repr objects, are deserialized, they can trigger the execution of arbitrary Python commands and system...

9.8CVSS6.3AI score0.00696EPSS
Exploits0References7
EUVD
EUVD
added 2026/05/17 12:11 p.m.12 views

EUVD-2018-21850

Joomla! extension EkRishta 2.10 contains persistent cross-site scripting and SQL injection vulnerabilities that allow attackers to inject malicious code through profile fields and POST parameters. Attackers can inject script payloads in profile information fields like Address that execute when...

8.8CVSS5.8AI score0.00317EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/05/15 12:0 a.m.11 views

PT-2026-41342

Anote 1.0 contains a persistent cross-site scripting vulnerability that allows attackers to execute arbitrary code by injecting malicious payloads into markdown files stored within the application. Attackers can craft malicious markdown files with embedded JavaScript that executes system commands...

7.2CVSS6.5AI score0.00469EPSS
Exploits0References4
Snyk
Snyk
added 2026/05/13 3:57 p.m.9 views

Malicious Package

Overview github.com/BufferZoneCorp/log-core is a malicious package. This package contains malicious code designed to compromise developer systems and CI environments, specifically targeting GitHub Actions. The threat actor, operating under the GitHub account BufferZoneCorp, published a cluster of...

9.8CVSS6AI score
Exploits0References2
EUVD
EUVD
added 2026/05/10 3:31 p.m.9 views

EUVD-2022-55974

WordPress Plugin Videos sync PDF 1.7.4 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by exploiting unsanitized nom, pdf, mp4, webm, and ogg parameters. Attackers can inject payloads like autofocus onfocus event handlers throug...

6.4CVSS5.9AI score0.00191EPSS
Exploits0References4
Rows per page
Query Builder