Lucene search
+L

2027 matches found

CVE
CVE
added 4 days ago15 views

CVE-2026-51537

OpENer 2.3.0 (commit 76b95cf) contains an out-of-bounds read in the Connection Manager when processing malformed ForwardOpen/LargeForwardOpen requests, allowing a remote attacker to trigger the issue over the network without authentication. Red Hat notes potential denial of service or information...

9.1CVSS6.1AI score0.00434EPSS
Exploits0References2
NVD
NVD
added 6 days ago7 views

CVE-2026-61426

PraisonAI before 1.7.3 contains an insecure default configuration that binds to all interfaces with no API key requirement and wildcard CORS. Unauthenticated attackers can call GET /api/agents to read agent instructions and system prompts, or POST /api/chat to invoke agents without authentication...

8.8CVSS0.00322EPSS
Exploits0References2
CVE
CVE
added last week30 views

CVE-2026-55884

Tilt HUD server in github.com/tilt-dev/tilt is affected in versions 0.20.8–0.37.3 where the HUD HTTP server registers handlers on a gorilla/mux router without authentication. When bound to a non-loopback address, an unauthenticated network caller can trigger developer-defined Tiltfile resources, ...

9.2CVSS6.2AI score0.00397EPSS
Exploits0References4
CVE
CVE
added 2026/07/10 3:28 p.m.14 views

CVE-2026-55500

CVE-2026-55500 (9router) exposes a critical flaw in the /api/settings/database endpoint. The GET export returns the entire database, including plaintext API keys, OAuth tokens, and provider credentials, while POST can wipe-and-replace the database with attacker-controlled data. This bypasses auth...

9.9CVSS6.1AI score0.00685EPSS
Exploits0References3
NVD
NVD
added 2026/07/09 6:16 p.m.11 views

CVE-2026-61344

The Superior Court of California Hearing Reminder Service at https://www.hrs.courts.ca.gov exposes an API endpoint that returns court reminder records containing potentially sensitive information without authentication...

6.9CVSS0.00272EPSS
Exploits0References3
EUVD
EUVD
added 2026/07/09 5:46 p.m.7 views

EUVD-2026-42663

The Superior Court of California Hearing Reminder Service at https://www.hrs.courts.ca.gov exposes an API endpoint that returns court reminder records containing potentially sensitive information without authentication...

6.9CVSS5.9AI score0.00272EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/07/09 12:0 a.m.13 views

PT-2026-57034

Name of the Vulnerable Software and Affected Versions YesWiki version 4.6.5 Description An issue exists in the Bazar widget handler where the id GET parameter is reflected into HTML attributes using only the strip tags function. Since strip tags does not escape double quotes, an unauthenticated...

6.1CVSS6.3AI score0.00039EPSS
Exploits0References5
NVD
NVD
added 2026/07/08 8:16 p.m.11 views

CVE-2026-58253

NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.0, 2.12.7, and 2.11.16, when noauthuser was configured, a parser fast path intended for ordinary client connections could also apply to route or leafnode listeners, allowing an...

8.8CVSS0.00368EPSS
Exploits0References7
CVE
CVE
added 2026/07/08 7:42 p.m.16 views

CVE-2026-59804

Midscene Bridge Server (affected: 1.10.3 and earlier) has a missing authentication and CORS misconfiguration that permits unauthenticated remote hijacking of active bridge sessions via a cross-origin WebSocket to the local Socket.IO server. The server does not validate Origin headers and requires...

7.6CVSS6AI score0.00213EPSS
Exploits0References4
OSV
OSV
added 2026/07/08 7:42 p.m.5 views

CVE-2026-59804 Midscene Bridge Server - Session Hijack via Unauthenticated WebSocket

Midscene Bridge Server through 1.10.3, fixed in commit 86f4118, contains a missing authentication and CORS misconfiguration vulnerability that allows unauthenticated remote attackers to hijack active bridge sessions by opening a cross-origin WebSocket connection to the local Socket.IO server, whi...

7.6CVSS6.1AI score0.00213EPSS
Exploits0References7
ATTACKERKB
ATTACKERKB
added 2026/07/06 9:10 p.m.3 views

CVE-2026-41899

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, POST /api/feedback has no authentication, no rate limiting, and no input validation, allowing arbitrary content to be forwarded directly to a Discord webhook and enabling...

6.5CVSS6AI score0.003EPSS
Exploits0References4Affected Software1
CVE
CVE
added 2026/07/06 9:10 p.m.14 views

CVE-2026-41899

CVE-2026-41899 affects Coolify prior to 4.0.0-beta.474. The POST /api/feedback endpoint is unauthenticated, lacks rate limiting and input validation, allowing arbitrary content to reach a Discord webhook and enabling spam, content injection, and webhook abuse. Remediation: upgrade to Coolify 4.0....

6.5CVSS6AI score0.003EPSS
Exploits0References3
EUVD
EUVD
added 2026/07/03 12:31 a.m.10 views

EUVD-2026-41465

The Azure Blob Storage container used for Gardyn device logs is publicly listable without authentication. A malicious user would be able to access any device log file available in the blob storage container...

6.9CVSS5.8AI score0.00359EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/07/02 11:49 p.m.9 views

CVE-2026-55726

The Azure Blob Storage container used for Gardyn device logs is publicly listable without authentication. A malicious user would be able to access any device log file available in the blob storage container...

6.9CVSS5.9AI score0.00359EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/07/02 7:37 p.m.9 views

CVE-2025-71385

Netdata before 2.3.1 reflects the user-supplied love query parameter of the api/v2/ilove.svg and api/v3/ilove.svg endpoints verbatim into the generated SVG document into a text element without HTML or XML escaping, and serves the response with Content-Type image/svg+xml. An attacker can craft a U...

6.1CVSS5.7AI score0.0024EPSS
Exploits0References5
EUVD
EUVD
added 2026/07/02 2:14 a.m.10 views

EUVD-2026-41241

GeoWebPlayer also called "Web Plugin" in the GV-VMS documentation and "WS Player" for VMS-Cloud is an addon that can be installed with various GeoVision software GV-VMS, GV-Cloud, .... It creates a websocket server that expands the capabilities of the various web-interfaces provided by the...

8.8CVSS5.7AI score0.00227EPSS
Exploits0References1
Metasploit
Metasploit
added 2026/07/01 7:4 p.m.102 views

Flowise CSV Agent Prompt Injection RCE

This vulnerability allows remote attackers to execute arbitrary code on affected installations of FlowiseAI Flowise. Authentication is not required to exploit this vulnerability. The specific flaw exists within the run method of the CSVAgents class. The issue results from the lack of proper...

9.8CVSS6.4AI score0.01028EPSS
Exploits3
ATTACKERKB
ATTACKERKB
added 2026/07/01 4:21 p.m.5 views

CVE-2026-34113

Guardian language-system passes the id GET parameter directly into a PHP exec call in speechtext.php line 18 without sanitization: exec"php jobs/speechaudiotext.php ".$loginsession." ".$GET'id'." ...". No authentication is required. An unauthenticated remote attacker can append shell...

9.8CVSS6.1AI score0.00537EPSS
Exploits0References3
EUVD
EUVD
added 2026/07/01 4:20 p.m.9 views

EUVD-2026-41070

Guardian language-system passes the id GET parameter directly into a PHP exec call in speechmac.php line 18 without sanitization: exec"php jobs/speechaudiomac.php ".$loginsession." ".$GET'id'." ...". No authentication is required. An unauthenticated remote attacker can append shell...

9.8CVSS6.1AI score0.00537EPSS
Exploits0References2
Talos
Talos
added 2026/07/01 12:0 a.m.9 views

GeoVision GeoWebPlayer Websocket Server lack of authentication vulnerability

Summary A lack of authentication vulnerability exists in the Websocket Server functionality of GeoWebPlayer versions: 1.1.1.0. A specially crafted websocket connection can lead to execute priviledged operation. An attacker can stage a malicious webpage to trigger this vulnerability. Confirmed...

8.8CVSS5.9AI score0.00227EPSS
Exploits0
Rows per page
Query Builder