Lucene search
+L

342 matches found

OSV
OSV
added 2026/05/18 1:48 p.m.4 views

CLEANSTART-2026-XK75621 Security fixes for CVE-2025-54410, CVE-2026-32952, CVE-2026-33186, ghsa-4vq8-7jfc-9cvp, ghsa-p77j-4mvh-x3m3, ghsa-pjcq-xvwq-hhpj applied in versions: 9.3.3-r0, 9.3.3-r1

Multiple security vulnerabilities affect the elastic-beats package. These issues are resolved in later releases. See references for individual vulnerability details...

9.1CVSS5.8AI score0.01557EPSS
Exploits1References10
NCSC
NCSC
added 2026/05/15 12:8 p.m.16 views

The vulnerability was exploited in Exim.

The developers of Exim introduced a vulnerability in the Exim Mail Transfer Agent versions prior to 4.99.3. This vulnerability involves a use-after-free in the BDAT body parsing process, specifically when certain GnuTLS backend configurations are used. An unauthorized attacker can exploit this...

9.8CVSS6.4AI score0.01225EPSS
Exploits2References4
NVD
NVD
added 2026/05/08 4:16 p.m.14 views

CVE-2026-41683

i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware wrote user-controlled language values into the Content-Language response header after passing them through utils.escape, which ...

8.6CVSS0.00327EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/08 3:29 p.m.7 views

CVE-2026-42353 Path traversal / SSRF in i18next-http-middleware via user-controlled language and namespace parameters

i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware passes the user-controlled lng and ns values from getResourcesHandler directly into...

8.2CVSS5.7AI score0.00387EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/06 12:0 a.m.15 views

PT-2026-41980

Name of the Vulnerable Software and Affected Versions Kanidm versions prior to 1.9.3 Description An unauthenticated GET request to any /scim/v1/... endpoint using a ?filter= query string containing several thousand nested parentheses approximately 4–12 KB can cause a stack overflow. This occurs...

8.7CVSS5.6AI score0.00317EPSS
Exploits0References4
RedHat Linux
RedHat Linux
added 2026/04/28 9:45 p.m.24 views

Important: Red Hat Security Advisory: multicluster engine for Kubernetes v2.9.3 security update

The multicluster engine for Kubernetes 2.9 General Availability release images, which add new features and enhancements, bug fixes, and updated container images. The multicluster engine for Kubernetes v2.9 images The multicluster engine for Kubernetes provides the foundational components that are...

10CVSS6.9AI score0.025EPSS
Exploits8References8
Cvelist
Cvelist
added 2026/04/22 8:5 p.m.31 views

CVE-2026-33733 EspoCRM has Admin TemplateManager path traversal that allows arbitrary file read write and delete

EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, the admin template management endpoints accept attacker-controlled name and scope values and pass them into template path construction without normalization or traversal filtering. As a result, an...

7.2CVSS0.00448EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/04/22 8:1 p.m.32 views

CVE-2026-33656 EspoCRM vulnerable to authenticated RCE via Formula with path traversal in attachment `sourceId`, exploitable by admin user

EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, EspoCRM's built-in formula scripting engine allowing updating attachment's sourceId thus allowing an authenticated admin to overwrite the sourceId field on Attachment entities. Because sourceId is...

9.1CVSS0.005EPSS
Exploits3References1
Positive Technologies
Positive Technologies
added 2026/04/22 12:0 a.m.13 views

PT-2026-34553

EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, the admin template management endpoints accept attacker-controlled name and scope values and pass them into template path construction without normalization or traversal filtering. As a result, an...

7.2CVSS5.8AI score0.00448EPSS
Exploits1References3
Github Security Blog
Github Security Blog
added 2026/04/16 10:29 p.m.9 views

@fastify/middie vulnerable to middleware authentication bypass in child plugin scopes

Impact @fastify/middie v9.3.1 and earlier incorrectly re-prefixes middleware paths when propagating them to child plugin scopes. When a child plugin is registered with a prefix that overlaps with a parent-scoped middleware path, the middleware path is modified during inheritance and silently fail...

9.1CVSS5.8AI score0.00498EPSS
Exploits1References5Affected Software1
Snyk
Snyk
added 2026/04/16 10:28 p.m.14 views

Interpretation Conflict

Overview @fastify/middie is a Middleware engine for Fastify Affected versions of this package are vulnerable to Interpretation Conflict in the resolveNormalizationOptions function's deprecated ignoreDuplicateSlashes configuration option. An attacker can bypass middleware by crafting URLs with...

9.1CVSS5.7AI score0.00278EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/04/16 1:44 p.m.35 views

CVE-2026-6270 @fastify/middie vulnerable to middleware authentication bypass in child plugin scopes

@fastify/middie versions 9.3.1 and earlier do not register inherited middleware directly on child plugin engine instances. When a Fastify application registers authentication middleware in a parent scope and then registers child plugins with @fastify/middie, the child scope does not inherit the...

9.1CVSS0.00498EPSS
Exploits1References3
CNNVD
CNNVD
added 2026/04/16 12:0 a.m.13 views

@fastify/middie 安全漏洞

@fastify/middie is an open-source middleware engine developed by Fastify. Versions of @fastify/middie 9.3.1 and earlier contained security vulnerabilities. These vulnerabilities occurred when the deprecated ignoreDuplicateSlashes option was enabled, as the middleware’s path matching logic did not...

9.1CVSS5.8AI score0.00278EPSS
Exploits0References1
EUVD
EUVD
added 2026/04/13 8:37 p.m.10 views

EUVD-2026-22098

EspoCRM is an open source customer relationship management application. In versions 9.3.3 and below, the POST /api/v1/Email/importEml endpoint contains an Insecure Direct Object Reference IDOR vulnerability where the attacker-supplied fileId parameter is used to fetch any attachment directly from...

5.4CVSS5.8AI score0.00211EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/04/13 8:37 p.m.19 views

CVE-2026-33740 EspoCRM: Email importEml can import and delete another user's attachment by raw fileId

EspoCRM is an open source customer relationship management application. In versions 9.3.3 and below, the POST /api/v1/Email/importEml endpoint contains an Insecure Direct Object Reference IDOR vulnerability where the attacker-supplied fileId parameter is used to fetch any attachment directly from...

5.4CVSS0.00211EPSS
Exploits1References3
EUVD
EUVD
added 2026/04/13 8:32 p.m.3 views

EUVD-2026-22083

EspoCRM is an open source customer relationship management application. In versions 9.3.3 and below, the POST /api/v1/Attachment/fromImageUrl endpoint is vulnerable to Server-Side Request Forgery SSRF via a DNS rebinding TOCTOU condition. Host validation uses dnsgetrecord but the actual HTTP...

3.5CVSS6.4AI score0.00333EPSS
Exploits1References3
OSV
OSV
added 2026/04/13 8:32 p.m.3 views

CVE-2026-33659 EspoCRM: SSRF via DNS Rebinding in Attachment fromImageUrl Endpoint Allows Internal Network Access

EspoCRM is an open source customer relationship management application. In versions 9.3.3 and below, the POST /api/v1/Attachment/fromImageUrl endpoint is vulnerable to Server-Side Request Forgery SSRF via a DNS rebinding TOCTOU condition. Host validation uses dnsgetrecord but the actual HTTP...

3.5CVSS6.6AI score0.00333EPSS
Exploits1References5
Positive Technologies
Positive Technologies
added 2026/04/13 12:0 a.m.12 views

PT-2026-32522

EspoCRM is an open source customer relationship management application. In versions 9.3.3 and below, the POST /api/v1/Email/importEml endpoint contains an Insecure Direct Object Reference IDOR vulnerability where the attacker-supplied fileId parameter is used to fetch any attachment directly from...

5.4CVSS5.8AI score0.00211EPSS
Exploits1References5
Amazon
Amazon
added 2026/04/13 12:0 a.m.13 views

Important: ecs-init

Issue Overview: url.Parse insufficiently validated the host/authority component and accepted some invalid URLs. CVE-2026-25679 On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which t...

9.1CVSS6AI score0.01557EPSS
Exploits1
Patchstack
Patchstack
added 2026/04/07 11:57 a.m.6 views

WordPress WPAMS plugin < 49.5.3 - Arbitrary Content Deletion vulnerability

Arbitrary Content Deletion vulnerability discovered by Denver Jackson in WordPress Plugin WPAMS versions 49.5.3...

5.9AI score0.00352EPSS
Exploits0Affected Software1
Rows per page
Query Builder