15102 matches found

Positive Technologies
added 2026/04/25 12:0 a.m., 14 views

PT-2026-38566

Name of the vulnerable software and affected versions: ReverseProxy (affected versions not specified). Description: ReverseProxy can forward queries containing parameters that are not visible to Rewrite functions. When utilizing a Rewrite function or a Director function that parses query parameters,...

CVSS 9.8, AI score 5.8, EPSS 0.0039
Exploits: 0
NVD
added 2026/04/24 6:16 p.m., 3 views

CVE-2026-42040

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the encode function in lib/helpers/AxiosURLSearchParams.js contains a character mapping charMap at line 21 that reverses the safe percent-encoding of null bytes. After encodeURIComponent('\x00') correctly...

CVSS 3.7, EPSS 0.00217
Exploits: 1, References: 1
Cvelist
added 2026/04/24 5:40 p.m., 33 views

CVE-2026-42040 Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the encode function in lib/helpers/AxiosURLSearchParams.js contains a character mapping charMap at line 21 that reverses the safe percent-encoding of null bytes. After encodeURIComponent('\x00') correctly...

CVSS 3.7, EPSS 0.00217
Exploits: 1, References: 1
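The two Axios entries above describe a post-processing map that turns the safe escape "%00" back into a raw null byte. The following is an added example, not Axios's own code: the character map and the serializer are constructed for this illustration, and only the "%00" to "\x00" reversal is taken from the advisory text. It shows the vulnerable encoder beside a hardened one and a check that catches a raw NUL in a serialized query string.

```javascript
// Constructed "cosmetic" character map applied after encodeURIComponent.
// The last entry is the defect class from the advisory: it un-escapes the
// null byte that encodeURIComponent had correctly produced as "%00".
const charMap = {
  '!': '%21',
  "'": '%27',
  '(': '%28',
  ')': '%29',
  '~': '%7E',
  '%20': '+',      // form-style space
  '%00': '\x00',   // defect: reverses the safe percent-encoding of NUL
};

// Vulnerable encoder: every regex match is looked up in charMap, so the
// "%00" emitted by encodeURIComponent becomes a literal NUL in the output.
function unsafeEncode(str) {
  return encodeURIComponent(str).replace(/[!'()~]|%20|%00/g, (m) => charMap[m]);
}

// Hardened encoder (assumed fix): keep the cosmetic rewrites, but never
// match or map "%00", so the null byte stays percent-encoded.
const safeCharMap = { ...charMap };
delete safeCharMap['%00'];

function safeEncode(str) {
  return encodeURIComponent(str).replace(/[!'()~]|%20/g, (m) => safeCharMap[m]);
}

// Minimal URLSearchParams-style serializer (constructed) so the effect is
// visible on a whole query string rather than a single value.
function serialize(params, encode) {
  return Object.entries(params)
    .map(([k, v]) => `${encode(k)}=${encode(v)}`)
    .join('&');
}

// Check for a request interceptor or a unit test: a serialized query
// string must never carry a raw NUL, whatever encoder produced it.
function hasRawNul(s) {
  return s.includes('\x00');
}

// Constructed attacker-controlled value with an embedded null byte.
const params = { file: 'report.pdf\x00.txt' };

const vulnerable = serialize(params, unsafeEncode);
const hardened = serialize(params, safeEncode);
console.log('vulnerable carries raw NUL:', hasRawNul(vulnerable)); // true
console.log('hardened query string:', hardened);                   // file=report.pdf%00.txt
```

The hardened variant still applies the same cosmetic rewrites (quote, parentheses, tilde, space-as-plus), so callers that depend on that output format are unaffected; the only behavioural change is that a null byte can no longer leave the encoder unescaped.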
EUVD
added 2026/04/24 12:31 a.m., 4 views

EUVD-2026-25363

A vulnerability in SenseLive X3050's web management interface allows critical system and network configuration parameters to be modified without sufficient validation and safety controls. Due to inadequate enforcement of constraints on sensitive functions, parameters such as IP addressing, watchd...

CVSS 8.1, AI score 5.7, EPSS 0.00324
Exploits: 0, References: 4
Cvelist
added 2026/04/24 12:2 a.m., 27 views

CVE-2026-40620 SenseLive X3050 Missing authentication for critical function

A vulnerability in SenseLive X3050’s embedded management service allows full administrative control to be established without any form of authentication or authorization on the SenseLive config application. The service accepts management connections from any reachable host, enabling unrestricted...

CVSS 9.8, EPSS 0.00546
Exploits: 0, References: 3
CNNVD
added 2026/04/24 12:0 a.m., 11 views

Budibase authorization vulnerability

Budibase is an open-source platform developed by Budibase in the UK. It allows for the creation of internal applications, workflows, and management panels within minutes. Versions of Budibase prior to 3.35.4 contained an authorization vulnerability. This vulnerability stemmed from authenticated...

CVSS 9.1, AI score 5.8, EPSS 0.00445
Exploits: 1, References: 1
Positive Technologies
added 2026/04/24 12:0 a.m., 6 views

PT-2026-34810

Name of the vulnerable software and affected versions: SenseLive X3050 (affected versions not specified). Description: The embedded management service in the SenseLive config application lacks authentication and authorization. This allows any reachable host to establish full administrative control and...

CVSS 9.8, AI score 5.3, EPSS 0.00546
Exploits: 0, References: 6
Vulnrichment
added 2026/04/23 11:58 p.m., 3 views

CVE-2026-40623 SenseLive X3050 Missing Authorization

A vulnerability in SenseLive X3050's web management interface allows critical system and network configuration parameters to be modified without sufficient validation and safety controls. Due to inadequate enforcement of constraints on sensitive functions, parameters such as IP addressing, watchd...

CVSS 8.1, AI score 5.3, EPSS 0.00324
Exploits: 0, References: 3
EUVD
added 2026/04/23 9:31 p.m., 7 views

EUVD-2026-25314

radare2-mcp version 1.6.0 and earlier contains an os command injection vulnerability that allows remote attackers to execute arbitrary commands by bypassing the command filter through shell metacharacters in user-controlled input passed to r2cmdstr. Attackers can inject shell metacharacters throu...

CVSS 9.8, AI score 6.8, EPSS 0.0192
Exploits: 1, References: 4
Vulnrichment
added 2026/04/23 8:58 p.m., 5 views

CVE-2026-6942 radare2-mcp <=1.6.0 OS Command Injection via Shell Metacharacter Bypass

radare2-mcp version 1.6.0 and earlier contains an os command injection vulnerability that allows remote attackers to execute arbitrary commands by bypassing the command filter through shell metacharacters in user-controlled input passed to r2cmdstr. Attackers can inject shell metacharacters throu...

CVSS 9.8, AI score 6.8, EPSS 0.0192
Exploits: 1, References: 3
OSV
added 2026/04/23 12:31 p.m., 5 views

GHSA-QMCV-HH7C-3M56 H2O-3 is Vulnerable to Code Injection

A critical remote code execution vulnerability exists in the unauthenticated REST API endpoint /99/ImportSQLTable in H2O-3 version 3.46.0.9 and prior. The vulnerability arises due to insufficient security controls in the parameter blacklist mechanism, which only targets MySQL JDBC driver-specific...

CVSS 5.9, AI score 6.8, EPSS 0.00938
Exploits: 1, References: 4
OSV
added 2026/04/23 11:5 a.m., 5 views

CLSA-2026-1776942343 php: Fix of 7 CVEs

CVE-2021-21702: fix NULL pointer dereference in SoapClient - CVE-2021-21703: fix OOB R/W in root process leading to privilege escalation - CVE-2022-31625: don't free uninitialized parameters in pg_query_params/pg_send_execute that have led to RCE - CVE-2022-31626: fix mysqlnd/pdo password of...

CVSS 9.8, AI score 7.5, EPSS 0.5838
Exploits: 8, References: 1
NVD
added 2026/04/23 10:16 a.m., 5 views

CVE-2026-3960

A critical remote code execution vulnerability exists in the unauthenticated REST API endpoint /99/ImportSQLTable in H2O-3 version 3.46.0.9 and prior. The vulnerability arises due to insufficient security controls in the parameter blacklist mechanism, which only targets MySQL JDBC driver-specific...

CVSS 9.8, EPSS 0.00938
Exploits: 1, References: 2
CVE
added 2026/04/23 8:47 a.m., 19 views

CVE-2026-3960

CVE-2026-3960 is a remote code execution in H2O-3 prior to 3.46.0.10 via the unauthenticated REST endpoint /99/ImportSQLTable. The issue stems from a MySQL-focused parameter blacklist that can be bypassed by switching the JDBC URL to a PostgreSQL URL (e.g., using socketFactory/socketFactoryArg pa...

CVSS 9.8, AI score 7.2, EPSS 0.00938
Exploits: 1, References: 2, Affected Software: 1
Vulnrichment
added 2026/04/23 8:47 a.m., 4 views

CVE-2026-3960 Remote Code Execution in h2oai/h2o-3

A critical remote code execution vulnerability exists in the unauthenticated REST API endpoint /99/ImportSQLTable in H2O-3 version 3.46.0.9 and prior. The vulnerability arises due to insufficient security controls in the parameter blacklist mechanism, which only targets MySQL JDBC driver-specific...

CVSS 5.9, AI score 7.7, EPSS 0.00938
Exploits: 1, References: 2
ATTACKERKB
added 2026/04/23 8:47 a.m., 3 views

CVE-2026-3960

A critical remote code execution vulnerability exists in the unauthenticated REST API endpoint /99/ImportSQLTable in H2O-3 version 3.46.0.9 and prior. The vulnerability arises due to insufficient security controls in the parameter blacklist mechanism, which only targets MySQL JDBC driver-specific...

CVSS 5.9, AI score 7.7, EPSS 0.00938
Exploits: 1, References: 3
Cvelist
added 2026/04/23 8:47 a.m., 32 views

CVE-2026-3960 Remote Code Execution in h2oai/h2o-3

A critical remote code execution vulnerability exists in the unauthenticated REST API endpoint /99/ImportSQLTable in H2O-3 version 3.46.0.9 and prior. The vulnerability arises due to insufficient security controls in the parameter blacklist mechanism, which only targets MySQL JDBC driver-specific...

CVSS 5.9, EPSS 0.00938
Exploits: 1, References: 2
Positive Technologies
added 2026/04/23 12:0 a.m., 7 views

PT-2026-34648

A critical remote code execution vulnerability exists in the unauthenticated REST API endpoint /99/ImportSQLTable in H2O-3 version 3.46.0.9 and prior. The vulnerability arises due to insufficient security controls in the parameter blacklist mechanism, which only targets MySQL JDBC driver-specific...

CVSS 5.9, AI score 6.8, EPSS 0.00938
Exploits: 1, References: 3
GitLab Advisory Database
added 2026/04/23 12:0 a.m., 8 views

H2O-3 is Vulnerable to Code Injection

A critical remote code execution vulnerability exists in the unauthenticated REST API endpoint /99/ImportSQLTable in H2O-3 version 3.46.0.9 and prior. The vulnerability arises due to insufficient security controls in the parameter blacklist mechanism, which only targets MySQL JDBC driver-specific...

CVSS 9.8, AI score 7.5, EPSS 0.00938
Exploits: 1, References: 4
Github Security Blog
added 2026/04/22 10:22 p.m., 14 views

OpenC3 COSMOS is Vulnerable to Self-XSS Through the Command Sender

Summary: The Command Sender UI uses an unsafe eval function on array-like command parameters, which allows a user-supplied payload to execute in the browser when sending a command. This creates a self-XSS risk because an attacker can trigger their own script execution in the victim’s session, if...

CVSS 4.6, AI score 6.1, EPSS 0.002
Exploits: 1, References: 5, Affected Software: 1
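The OpenC3 COSMOS entry above describes an eval of "array-like" command parameters. The following is an added example, not COSMOS code: the parameter format, the function names and the payload are assumptions made for the illustration. It shows why eval turns a parameter value into executable script, and a replacement that accepts only a JSON array of primitive values.

```javascript
// Vulnerable pattern (constructed): any string that looks like an array
// literal is handed to eval, so whatever sits inside the brackets runs in
// the page's origin with the user's session.
function parseArrayParamUnsafe(value) {
  if (typeof value === 'string' && value.trim().startsWith('[')) {
    // eslint-disable-next-line no-eval
    return eval(value);
  }
  return value;
}

// Hardened pattern: JSON.parse cannot execute code, and the result is
// checked to be a flat array of numbers or strings before it is used.
function parseArrayParamSafe(value) {
  if (typeof value !== 'string' || !value.trim().startsWith('[')) return value;
  let parsed;
  try {
    parsed = JSON.parse(value);
  } catch (e) {
    throw new TypeError('array parameter is not valid JSON');
  }
  const isPrimitive = (x) => typeof x === 'number' || typeof x === 'string';
  if (!Array.isArray(parsed) || !parsed.every(isPrimitive)) {
    throw new TypeError('array parameter must be a flat array of numbers or strings');
  }
  return parsed;
}

// Constructed payload: a syntactically valid array literal whose first
// element is an expression with a side effect. In a browser the side effect
// could be any DOM or fetch() call made with the victim's cookies.
const payload = '[(globalThis.sideEffect = "ran"), 2, 3]';

// Runs the vulnerable parser on the payload and reports whether the
// embedded expression executed.
function demoUnsafe() {
  globalThis.sideEffect = undefined;
  const result = parseArrayParamUnsafe(payload);
  return { result, sideEffect: globalThis.sideEffect };
}

// Runs the hardened parser on the same payload: it must be rejected and
// the side effect must not fire.
function demoSafe() {
  globalThis.sideEffect = undefined;
  try {
    parseArrayParamSafe(payload);
    return { rejected: false, sideEffect: globalThis.sideEffect };
  } catch (e) {
    return { rejected: true, sideEffect: globalThis.sideEffect };
  }
}

console.log('unsafe:', demoUnsafe()); // side effect fires, result [ 'ran', 2, 3 ]
console.log('safe:  ', demoSafe());   // rejected, side effect undefined
```

Because the value only ever comes from the user's own input box, the impact is self-XSS; the same parser reached by a shared or pre-filled command (for example via a link that populates the form) would raise it to ordinary reflected XSS, which is why a code-free parser such as JSON.parse is the right fix regardless of the current trigger.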