Lucene search
K

172 matches found

CVE
CVE
added yesterday6 views

CVE-2026-59148

The CVE covers Mockoon prior to version 9.7.0, where the admin API was mounted on the same Express listener as user mock routes with default-enabled, unauthenticated access and permissive CORS (Access-Control-Allow-Origin: ). This allowed any unauthenticated client on the mock server port to: rea...

8.8CVSS6AI score
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/07/02 11:16 a.m.8 views

CVE-2026-57759

Unauthenticated Cross Site Request Forgery CSRF in ProfileGrid = 5.9.9.7 versions...

8.8CVSS5.8AI score0.00142EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/07/02 11:14 a.m.37 views

CVE-2026-27404 WordPress LMS theme <= 9.7 - Reflected Cross Site Scripting (XSS) vulnerability

Unauthenticated Cross Site Scripting XSS in LMS = 9.7 versions...

7.1CVSS0.0018EPSS
Exploits0References1
Patchstack
Patchstack
added 2026/07/02 9:14 a.m.4 views

WordPress ProfileGrid plugin <= 5.9.9.8 - Cross Site Request Forgery (CSRF) vulnerability

Cross Site Request Forgery CSRF vulnerability discovered by dodoh4t in WordPress Plugin ProfileGrid versions = 5.9.9.8...

8.8CVSS5.9AI score0.00142EPSS
Exploits0Affected Software1
OSV
OSV
added 2026/06/25 7:16 p.m.4 views

UBUNTU-CVE-2026-56766

Hydra through 9.7, fixed in commit 9cc84c2, contains a stack buffer overflow in NTLM authentication across SMTP, POP3, IMAP, NNTP, HTTP, HTTP-Proxy, and HTTP-Proxy-Urlenum modules when processing malicious NTLM Type-2 challenges. A malicious server can send a crafted NTLM Type-2 challenge with an...

8.8CVSS6.6AI score0.01325EPSS
Exploits2References2
ATTACKERKB
ATTACKERKB
added 2026/06/25 6:1 p.m.5 views

CVE-2026-56766

Hydra through 9.7, fixed in commit 9cc84c2, contains a stack buffer overflow in NTLM authentication across SMTP, POP3, IMAP, NNTP, HTTP, HTTP-Proxy, and HTTP-Proxy-Urlenum modules when processing malicious NTLM Type-2 challenges. A malicious server can send a crafted NTLM Type-2 challenge with an...

8.8CVSS6.8AI score0.01325EPSS
Exploits2References3
EUVD
EUVD
added 2026/06/15 9:30 p.m.9 views

EUVD-2026-36991

Subscriber Broken Access Control in ChatBot = 7.9.7 versions...

7.1CVSS5.1AI score0.00307EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/15 8:41 p.m.33 views

CVE-2026-48714 i18next-http-middleware missingKeyHandler does not reject keys whose segments contain prototype-polluting names

i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. In versions prior to 3.9.7, the missingKeyHandler blocked the literal request-body keys proto, constructor, and prototype added in 3.9.3, see GHSA-5fgg-jcpf-8jjw, but did not...

9.1CVSS0.00419EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/15 12:0 a.m.19 views

PT-2026-49426

Subscriber Broken Access Control in ChatBot = 7.9.7 versions...

7.1CVSS5.1AI score0.00307EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/12 6:51 p.m.9 views

EUVD-2026-36546

Koel is a free, open-source music streaming solution. Prior to version 9.7.1, Koel contains a Server-Side Request Forgery SSRF vulnerability in the radio station creation endpoint POST /api/radio/stations. The url field validation rules are declared without the bail keyword, so the...

6.3CVSS5.5AI score0.0016EPSS
Exploits0References2
CVE
CVE
added 2026/06/12 6:51 p.m.22 views

CVE-2026-50552

Koel (open-source music streaming) is affected prior to version 9.7.1 by a Server-Side Request Forgery (SSRF) in the radio station creation endpoint (POST /api/radio/stations). The url validation rules are declared without bail, allowing the HasAudioContentType rule to issue HTTP requests even af...

6.3CVSS5.5AI score0.0016EPSS
Exploits0References2
EUVD
EUVD
added 2026/05/26 8:1 p.m.15 views

EUVD-2026-31981

Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the Spindle extension build pipeline calls bun install without the --ignore-scripts flag before running the static backend safety scan assertSafeBackendBundle. A malicious extension that ships a package.json with a preinstall,...

9.1CVSS6.2AI score0.0037EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/26 8:0 p.m.8 views

CVE-2026-44449

Lumiverse is a full-featured AI chat application. Prior to 0.9.7, when the primary toSmbPathfullPath call throws, the method falls back to a dirname/basename split and only validates the directory prefix. The basename is concatenated directly into the smbclient -c script without validation...

9.1CVSS6AI score0.00451EPSS
Exploits0References2Affected Software1
CNNVD
CNNVD
added 2026/05/26 12:0 a.m.10 views

OpenCTI 访问控制错误漏洞

OpenCTI is an open-source network threat intelligence platform developed by OpenCTI. Versions of OpenCTI prior to 6.9.7 contained a access control vulnerability. This vulnerability stemmed from incorrect Access Control Lists ACLs when users were editing relationship additions, potentially allowin...

7.2CVSS5.8AI score0.00316EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/05/26 12:0 a.m.13 views

PT-2026-43350

Name of the Vulnerable Software and Affected Versions OpenCTI versions prior to 6.9.7 Description An organization administrator can escalate their privileges by adding a user from a different organization who possesses higher privileges into their own organization. This occurs due to an incorrect...

7.2CVSS5.8AI score0.00316EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2026/05/26 12:0 a.m.20 views

PT-2026-43401

Lumiverse is a full-featured AI chat application. Prior to 0.9.7, when the primary toSmbPathfullPath call throws, the method falls back to a dirname/basename split and only validates the directory prefix. The basename is concatenated directly into the smbclient -c script without validation...

9.1CVSS6AI score0.00451EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/05/14 3:52 p.m.62 views

CVE-2026-44504 Aegra: Cross-user run injection in /threads/{thread_id}/runs (IDOR)

Aegra is a drop-in replacement for LangSmith Deployments. Prior to 0.9.7, with multiple authenticated users on a shared instance are vulnerable to a cross-tenant IDOR. Any authenticated attacker, given another user's threadid, can execute graph runs against the user's thread, read the user's full...

8.6CVSS0.00285EPSS
Exploits0References1
Tenable Nessus
Tenable Nessus
added 2026/04/29 12:0 a.m.5 views

Oracle Linux 8 : libxml2 (ELSA-2026-11349)

The remote Oracle Linux 8 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2026-11349 advisory. - Fix CVE-2025-9714 RHEL-119279 - Fix CVE-2025-32415 RHEL-100177 - Fix CVE-2025-7425 RHEL-102797 - Fix CVE-2025-6021 RHEL-96498 - Fix CVE-2025-49794 RHEL-96398...

9.1CVSS6AI score0.01067EPSS
Exploits3References2
RedhatCVE
RedhatCVE
added 2026/04/16 7:22 p.m.6 views

CVE-2026-40740

Missing Authorization vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tutor LMS: from n/a through = 3.9.7...

5.4CVSS5.8AI score0.00177EPSS
Exploits0References1
NVD
NVD
added 2026/04/15 11:16 a.m.8 views

CVE-2026-40740

Missing Authorization vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tutor LMS: from n/a through = 3.9.7...

5.4CVSS0.00177EPSS
Exploits0References1
Rows per page
Query Builder