Lucene search
K

21171 matches found

RedhatCVE
RedhatCVE
added yesterday5 views

CVE-2026-53539

A flaw was found in Python-Multipart, a streaming multipart parser. A remote attacker can exploit this vulnerability by submitting a specially crafted application/x-www-form-urlencoded body. This can cause the QuerystringParser to perform inefficient processing, leading to excessive CPU...

7.5CVSS6.1AI score0.00263EPSS
Exploits0References4
Nuclei
Nuclei
added yesterday65 views

Navigate CMS 2.9.4 - Server-Side Request Forgery

Navigate CMS 2.9.4 is susceptible to server-side request forgery via feedparser class. This can allow a remote attacker to force the application to make arbitrary requests via injection of arbitrary URLs into the feed parameter, thus enabling possible theft of sensitive information, data...

4.9CVSS6.2AI score0.2195EPSS
Exploits6References5
EUVD
EUVD
added yesterday5 views

EUVD-2026-43563

luci-app-banip contains a log parsing vulnerability where the awk-based parser extracts the first IPv4 address from log lines regardless of field position, allowing attackers to inject arbitrary IPs via attacker-controlled fields like usernames. An unauthenticated remote attacker can inject an IP...

8.7CVSS6.2AI score0.00445EPSS
Exploits0References4
Cvelist
Cvelist
added 2 days ago27 views

CVE-2026-62184 luci-app-banip Log Monitor IP Extraction Bypass

luci-app-banip contains a log parsing vulnerability where the awk-based parser extracts the first IPv4 address from log lines regardless of field position, allowing attackers to inject arbitrary IPs via attacker-controlled fields like usernames. An unauthenticated remote attacker can inject an IP...

8.7CVSS0.00445EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2 days ago2 views

CVE-2026-62184

luci-app-banip contains a log parsing vulnerability where the awk-based parser extracts the first IPv4 address from log lines regardless of field position, allowing attackers to inject arbitrary IPs via attacker-controlled fields like usernames. An unauthenticated remote attacker can inject an IP...

8.7CVSS6.2AI score0.00445EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2 days ago5 views

CVE-2026-58228 Scheme validation bypass in Phoenix.LiveView.Utils leads to XSS via <.link>

Cross-site scripting vulnerability in phoenixframework phoenixliveview allows an attacker to bypass URL scheme validation and execute JavaScript in a victim's browser session. The Phoenix.LiveView.Utils.validdestination!/2 and Phoenix.LiveView.Utils.validlivenavigationdestination!/2 functions in...

5CVSS6.2AI score0.00382EPSS
Exploits0References4
NVD
NVD
added 2 days ago4 views

CVE-2026-6850

Mattermost versions 11.7.x = 11.7.2, 11.6.x = 11.6.4, 10.11.x = 10.11.19 fail to validate the length and content of message attachment field values, which allows an authenticated attacker to cause a denial of service for all users in a channel via a post containing a specially crafted payload tha...

6.5CVSS0.0024EPSS
Exploits0References1
Nuclei
Nuclei
added 2 days ago193 views

Mongo-Express - Remote Code Execution

Mongo-Express before 1.0.0 is susceptible to remote code execution because it uses safer-eval to validate user supplied javascript. Unfortunately safer-eval sandboxing capabilities are easily bypassed leading to remote code execution in the context of the node server. id: CVE-2020-24391 info: nam...

9.8CVSS7.4AI score0.74519EPSS
Exploits0References5
Nuclei
Nuclei
added 2 days ago88 views

Apache Solr <= 7.1 - XML Entity Injection

Apache Solr with Apache Lucene before 7.1 is susceptible to remote code execution by exploiting XXE in conjunction with use of a Config API add-listener command to reach the RunExecutableListener class. Elasticsearch, although it uses Lucene, is NOT vulnerable to this. Note that the XML external...

9.8CVSS7.3AI score0.91896EPSS
Exploits11References5
Positive Technologies
Positive Technologies
added 2 days ago4 views

PT-2026-57886

Name of the Vulnerable Software and Affected Versions luci-app-banip versions 0 through 0.11.1 Description A log parsing flaw exists where the awk-based parser extracts the first IPv4 address from log lines regardless of its field position. This allows an unauthenticated remote attacker to inject...

8.7CVSS6.2AI score0.00445EPSS
Exploits0References5
Fedora
Fedora
added 4 days ago6 views

[SECURITY] Fedora 44 Update: cjson-1.7.19-1.fc44

cJSON aims to be the dumbest possible parser that you can get your job done with. It's a single file of C, and a single header file...

9.8CVSS6.1AI score0.00693EPSS
Exploits2
Fedora
Fedora
added 4 days ago6 views

[SECURITY] Fedora 44 Update: perl-HTML-Gumbo-0.19-1.fc44

Gumbo is an implementation of the HTML5 parsing algorithm implemented as a pure C99 library with no outside dependencies...

9.8CVSS6.1AI score0.00663EPSS
Exploits0
Fedora
Fedora
added 4 days ago7 views

[SECURITY] Fedora 43 Update: perl-HTML-Gumbo-0.19-1.fc43

Gumbo is an implementation of the HTML5 parsing algorithm implemented as a pure C99 library with no outside dependencies...

9.8CVSS6.1AI score0.00663EPSS
Exploits0
Nuclei
Nuclei
added 4 days ago187 views

Apache CouchDB 1.7.0 / 2.x < 2.1.1 - Remote Privilege Escalation

Due to differences in the Erlang-based JSON parser and JavaScript-based JSON parser, it is possible in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to submit users documents with duplicate keysfor 'roles' used for access control within the database, including the special case 'admin' role, th...

10CVSS7.1AI score0.99838EPSS
Exploits21References5
Cvelist
Cvelist
added 5 days ago31 views

CVE-2026-52747 ModSecurity: Multipart form-data parser silently strips embedded line breaks from form-field values, enabling request-body inspection bypass

ModSecurity is an open source, cross platform web application firewall WAF engine for Apache, IIS and Nginx. Prior to 3.0.16, the multipart/form-data request body parser in libmodsecurity silently removes embedded line breaks from non-file form-field values before exporting them to ARGS and...

8.6CVSS0.0046EPSS
Exploits1References3
RedHat Linux
RedHat Linux
added 5 days ago1 views

python: Python: CPU Denial of Service in HTML parser via repeated unterminated markup declarations

A flaw was found in Python. Its incremental HTML parser can be exploited by a remote attacker. By sending specially crafted, uncontrolled data with repeated, incomplete markup declarations, the attacker can cause the system to consume excessive central processing unit CPU resources. This leads to...

8.7CVSS6AI score0.00553EPSS
Exploits0References11
RedHat Linux
RedHat Linux
added 5 days ago2 views

python: Python: CPU Denial of Service in HTML parser via repeated unterminated markup declarations

A flaw was found in Python. Its incremental HTML parser can be exploited by a remote attacker. By sending specially crafted, uncontrolled data with repeated, incomplete markup declarations, the attacker can cause the system to consume excessive central processing unit CPU resources. This leads to...

8.7CVSS6AI score0.00553EPSS
Exploits0References11
Cvelist
Cvelist
added 5 days ago34 views

CVE-2026-55781 NanaZip: Unbounded memory allocation (DoS) in NanaZip UFS parser via unvalidated fs_bsize/fs_fsize superblock fields

NanaZip is the 7-Zip derivative intended for the modern Windows experience. Prior to 6.5.1749.0, NanaZip's UFS and FFS image handler in NanaZip.Codecs.Archive.Ufs.cpp validates the superblock block size only against the MINBSIZE lower bound and does not validate the fsfsize fragment size, allowin...

2.4CVSS0.00112EPSS
Exploits0References3
Cvelist
Cvelist
added 5 days ago28 views

CVE-2026-54063 Excelize: Unbounded Row Index Allocation in Worksheet Parser (checkSheet OOM/Panic DoS)

Excelize is a Go language library for reading and writing Microsoft Excel spreadsheets. Prior to 2.11.0, the checkSheet function in github.com/xuri/excelize/v2 uses an attacker-controlled XML attribute value directly as the length argument to makexlsxRow, row without validating it against the Exc...

7.5CVSS0.00575EPSS
Exploits0References2
NVD
NVD
added 5 days ago6 views

CVE-2026-56814

Plug.Parsers.MULTIPART, the multipart request-body parser used to handle file uploads and multipart forms, does not enforce its :length budget against all consumed resources, allowing an unauthenticated remote attacker to cause denial of service. The parser charges the :length limit only for part...

6.9CVSS0.00579EPSS
Exploits0References9
Rows per page
Query Builder