Lucene search
K

291 matches found

CNNVD
CNNVD
added 2026/05/09 12:0 a.m.15 views

Plainpad 安全漏洞

Plainpad is a self-hosted note-taking application by the individual developer Alex Tselegidis. A security vulnerability exists in Plainpad versions prior to 1.1.1, which stems from allowing a low-privileged user to self-elevate to administrator via the admin parameter in a PUT request, potentiall...

8.3CVSS5.8AI score0.00261EPSS
Exploits0References1
SUSE CVE
SUSE CVE
added 2026/05/06 1:41 a.m.8 views

SUSE CVE-2026-42091

goshs is a SimpleHTTPServer written in Go. Prior to version 2.0.2, the PUT upload handler httpserver/updown.go lacks the CSRF token validation that was added to the POST upload handler during the CVE-2026-40883 fix. Combined with the unconditional Access-Control-Allow-Origin: on the OPTIONS...

6.5CVSS5.9AI score0.00165EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/05/04 5:24 p.m.68 views

CVE-2026-42091 goshs has Cross-Origin Arbitrary File Write via Missing CSRF on PUT and Wildcard CORS

goshs is a SimpleHTTPServer written in Go. Prior to version 2.0.2, the PUT upload handler httpserver/updown.go lacks the CSRF token validation that was added to the POST upload handler during the CVE-2026-40883 fix. Combined with the unconditional Access-Control-Allow-Origin: on the OPTIONS...

6.5CVSS0.00165EPSS
Exploits1References3
CVE
CVE
added 2026/05/04 5:24 p.m.29 views

CVE-2026-42091

CVE-2026-42091 affects goshs (Go SimpleHTTPServer). Prior to v2.0.2, the PUT upload handler lacks CSRF validation (unlike POST), and the preflight OPTIONS handler uses Access-Control-Allow-Origin: *. Combined, this enables cross-origin writes of arbitrary files to a goshs instance via the victim’...

6.5CVSS5.9AI score0.00165EPSS
Exploits1References3Affected Software1
NVD
NVD
added 2026/04/24 6:16 a.m.6 views

CVE-2026-1949

Delta Electronics AS320T has incorrect calculation of the buffer size on the stack in the GET/PUT request handler of the web service...

9.8CVSS0.00611EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/04/24 5:50 a.m.28 views

CVE-2026-1949 Incorrect calculation of buffer size on the stack in AS320T

Delta Electronics AS320T has incorrect calculation of the buffer size on the stack in the GET/PUT request handler of the web service...

9.8CVSS0.00611EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/04/24 5:50 a.m.8 views

CVE-2026-1949 Incorrect calculation of buffer size on the stack in AS320T

Delta Electronics AS320T has incorrect calculation of the buffer size on the stack in the GET/PUT request handler of the web service...

9.8CVSS5.4AI score0.00611EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/04/24 12:0 a.m.9 views

PT-2026-34853

CVE-2026-1949 Delta Electronics AS320T has incorrect calculation of the buffer size on the stack in the GET/PUT request handler of the web service. https://t.co/NRUjOzyfyB...

9.8CVSS5.4AI score0.00611EPSS
Exploits0References4
Snyk
Snyk
added 2026/04/23 2:28 p.m.6 views

Cross-site Request Forgery (CSRF)

Overview Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF via the put function. An attacker can overwrite or create arbitrary files in the webroot by enticing a user to visit a malicious website, which then issues crafted PUT requests through the victim's browse...

7.1CVSS5.9AI score0.00165EPSS
Exploits1References2
OSV
OSV
added 2026/04/23 2:28 p.m.13 views

GHSA-RHF7-WVW3-VJVM goshs has Cross-Origin Arbitrary File Write via Missing CSRF on PUT and Wildcard CORS

Summary The PUT upload handler httpserver/updown.go lacks the CSRF token validation that was added to the POST upload handler during the GHSA-jrq5-hg6x-j6g3 fix. Combined with the unconditional Access-Control-Allow-Origin: on the OPTIONS preflight handler httpserver/server.go, any website can wri...

6.5CVSS5.9AI score0.00165EPSS
Exploits1References5
Github Security Blog
Github Security Blog
added 2026/04/23 2:28 p.m.9 views

goshs has Cross-Origin Arbitrary File Write via Missing CSRF on PUT and Wildcard CORS

Summary The PUT upload handler httpserver/updown.go lacks the CSRF token validation that was added to the POST upload handler during the GHSA-jrq5-hg6x-j6g3 fix. Combined with the unconditional Access-Control-Allow-Origin: on the OPTIONS preflight handler httpserver/server.go, any website can wri...

6.5CVSS5.9AI score0.00165EPSS
Exploits1References5Affected Software2
RedhatCVE
RedhatCVE
added 2026/04/16 1:22 p.m.9 views

CVE-2026-38533

An improper authorization vulnerability in the /api/v1/users/id endpoint of Snipe-IT v8.4.0 allows authenticated attackers with the users.edit permission to modify sensitive authentication and account-state fields of other non-admin users via supplying a crafted PUT request...

6.5CVSS5.8AI score0.00311EPSS
Exploits2References1
NVD
NVD
added 2026/04/14 4:16 p.m.8 views

CVE-2026-38533

An improper authorization vulnerability in the /api/v1/users/id endpoint of Snipe-IT v8.4.0 allows authenticated attackers with the users.edit permission to modify sensitive authentication and account-state fields of other non-admin users via supplying a crafted PUT request...

6.5CVSS0.00311EPSS
Exploits2References3
Vulnrichment
Vulnrichment
added 2026/04/14 12:0 a.m.6 views

CVE-2026-38533

An improper authorization vulnerability in the /api/v1/users/id endpoint of Snipe-IT v8.4.0 allows authenticated attackers with the users.edit permission to modify sensitive authentication and account-state fields of other non-admin users via supplying a crafted PUT request...

5.8AI score0.00311EPSS
Exploits2References2
CNNVD
CNNVD
added 2026/04/14 12:0 a.m.7 views

Snipe-IT 安全漏洞

Snipe-IT is a set of open-source IT asset/license management systems developed by Grokability. Version Snipe-IT v8.4.0 contains a security vulnerability. This vulnerability stems from the improper authorization in the/api/v1/users/id endpoint, which may allow authenticated attackers with the...

6.5CVSS5.8AI score0.00311EPSS
Exploits2References3
CVE
CVE
added 2026/04/14 12:0 a.m.13 views

CVE-2026-38533

CVE-2026-38533 : In Snipe-IT v8.4.0, an improper authorization flaw in the /api/v1/users/{id} endpoint lets authenticated users with the users.edit permission modify sensitive authentication and account-state fields of other non-admin users via a crafted PUT request. Public details show the impac...

6.5CVSS5.8AI score0.00311EPSS
Exploits2References3Affected Software1
Snyk
Snyk
added 2026/04/08 10:12 p.m.3 views

Improper Authorization

Overview Affected versions of this package are vulnerable to Improper Authorization via the transaction update endpoint. An attacker can bypass intended restrictions and hide protected transaction records from normal views by sending a crafted PUT request to soft-delete synced non-manual...

6.9CVSS5.4AI score0.00292EPSS
Exploits0References2
OSV
OSV
added 2026/04/03 6:29 p.m.3 views

GHSA-245V-P8FJ-VWM2 Juju has a resource poisoning vulnerability

Summary Any authenticated user, machine or controller under a Juju controller can modify the resources of an application within the entire controller. This one is very straightforward to just read in the code: Step 1: The authorisation mechanism for the resource handler is defined here. One is on...

7.1CVSS6.1AI score0.00232EPSS
Exploits0References4
Snyk
Snyk
added 2026/04/03 4:7 a.m.1 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the put function. An attacker can write arbitrary files to any location on the filesystem by sending crafted HTTP PUT requests with specially constructed paths that traverse directories. PoC !/usr/bin/env bash...

9.8CVSS6.3AI score0.00683EPSS
Exploits1References2
RedhatCVE
RedhatCVE
added 2026/04/01 5:4 p.m.7 views

CVE-2026-34574

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.69 and 9.7.0-alpha.14, an authenticated user can bypass the immutability guard on session fields expiresAt, createdWith by sending a null value in a PUT request to the...

5.4CVSS5.7AI score0.0021EPSS
Exploits0References1
Rows per page
Query Builder