Lucene search
+L

905 matches found

CVE
CVE
added 2026/04/17 11:51 p.m.17 views

CVE-2026-40337

The Sentry kernel vulnerability (CVE-2026-40337) affects tasks with DEV/IO capabilities that can interact with another task’s IRQ line via the _sys_int * syscall family. Before version 0.4.7, this enables DoS and covert-channels to the outside world. A patch exists in 0.4.7; workaround: limit DEV...

5.1CVSS5.8AI score0.00155EPSS
Exploits0References3
OSV
OSV
added 2026/04/17 10:20 p.m.13 views

GHSA-85GX-3QV6-4463 Dapr: Service Invocation path traversal ACL bypass

Summary A vulnerability has been found in Dapr that allows bypassing access control policies for service invocation using reserved URL characters and path traversal sequences in method paths. The ACL normalized the method path independently from the dispatch layer, so the ACL evaluated one path...

8.1CVSS5.7AI score0.00325EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/04/17 10:0 p.m.10 views

OpenClaw: Nostr profile mutation routes allowed operator.write config persistence

Summary Nostr profile mutation routes allowed operator.write config persistence. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.10 Impact Nostr plugin HTTP profile routes could persist profile config through a path that did not require admin...

5.7AI score
Exploits0References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/04/16 12:0 a.m.5 views

PT-2026-33384

Name of the Vulnerable Software and Affected Versions Math.js versions 13.1.1 through 15.1.x Description An issue in the expression parser allows the execution of arbitrary JavaScript. This occurs in applications where users are permitted to evaluate arbitrary expressions using the mathjs...

8.8CVSS6AI score0.00551EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/04/15 12:0 a.m.5 views

PT-2026-36183

Name of the Vulnerable Software and Affected Versions Traefik versions prior to 2.11.43 Traefik versions prior to 3.6.14 Traefik versions prior to 3.7.0-rc.2 Description An issue exists in the Kubernetes CRD provider cross-namespace isolation enforcement. When...

6.4CVSS6.4AI score0.00254EPSS
Exploits1References19
Github Security Blog
Github Security Blog
added 2026/04/14 10:29 p.m.7 views

October Rain has Environment Variable Exfiltration via INI Parser Interpolation

A server-side information disclosure vulnerability was identified in the INI settings parser. PHP's parseinistring function supports $ syntax for environment variable interpolation. Attackers with Editor access could inject $APPKEY, $DBPASSWORD, or similar patterns into CMS page settings fields,...

4.9CVSS5.7AI score0.00326EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/04/14 12:4 a.m.25 views

SSH/SCP option injection allowing local RCE in @aiondadotcom/mcp-ssh

Impact A crafted hostAlias argument such as -oProxyCommand=... was passed to ssh/scp without an argument terminator. SSH interprets arguments starting with - as options regardless of position, so the option-injection caused SSH to execute the attacker-supplied ProxyCommand locally on the machine...

6.1AI score
Exploits0References4Affected Software1
Positive Technologies
Positive Technologies
added 2026/04/14 12:0 a.m.11 views

PT-2026-33226

Name of the Vulnerable Software and Affected Versions mitmproxy versions prior to 12.2.2 Description The builtin LDAP proxy authentication fails to correctly sanitize the username when querying the LDAP server. This allows a malicious client to bypass authentication. This issue only affects...

4.8CVSS5.2AI score0.00166EPSS
Exploits1References7
OSV
OSV
added 2026/04/08 7:52 p.m.6 views

GHSA-XRW6-GWF8-VVR9 Tmds.DBus: malicious D-Bus peers can spoof signals, exhaust file descriptor resources, and cause denial of service

Tmds.DBus and Tmds.DBus.Protocol are vulnerable to malicious D-Bus peers. A peer on the same bus can spoof signals by impersonating the owner of a well-known name, exhaust system resources or cause file descriptor spillover by sending messages with an excessive number of Unix file descriptors, an...

7.1CVSS5.8AI score0.00124EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2026/04/06 10:57 a.m.7 views

CVE-2026-34954

PraisonAI is a multi-agent teams system. Prior to version 1.5.95, FileTools.downloadfile in praisonaiagents validates the destination path but performs no validation on the url parameter, passing it directly to httpx.stream with followredirects=True. An attacker who controls the URL can reach any...

8.6CVSS5.8AI score0.00405EPSS
Exploits1References1
Tenable Nessus
Tenable Nessus
added 2026/04/05 12:0 a.m.6 views

Linux Distros Unpatched Vulnerability : CVE-2026-34591

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Poetry is a dependency manager for Python. From version 1.4.0 to before version 2.3.3, a crafted wheel can contain ../ paths that Poetry writes to disk without...

7.1CVSS6.8AI score0.00468EPSS
Exploits1References3
SUSE CVE
SUSE CVE
added 2026/04/03 11:25 p.m.9 views

SUSE CVE-2026-34601

xmldom is a pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. In xmldom versions 0.6.0 and prior and @xmldom/xmldom prior to versions 0.8.12 and 0.9.9, xmldom/xmldom allows attacker-controlled strings containing the CDATA terminator to be inserted into a...

7.5CVSS5.7AI score0.00472EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/04/03 10:7 p.m.20 views

CVE-2026-34061 nimiq/core-rs-albatross: Macro block proposal interlink bug

nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.3.0, an elected validator proposer can send an election macro block whose header.interlink does not match the canonical next interlink. Honest...

4.9CVSS0.00187EPSS
Exploits0References4
Tenable Nessus
Tenable Nessus
added 2026/04/03 12:0 a.m.9 views

Linux Distros Unpatched Vulnerability : CVE-2026-34518

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.13.4, when following redirects to a different origin, aiohttp...

6.9CVSS6.1AI score0.00337EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/04/02 7:21 p.m.23 views

CVE-2026-34931 hoppscotch: Improper loopback redirect_uri validation in device-login flow

hoppscotch is an open source API development ecosystem. Prior to version 2026.3.0, there is an open redirect vulnerability that leads to token exfiltration. With these tokens, the attacker can sign in as the victim to takeover their account. This issue has been patched in version 2026.3.0...

8.5CVSS0.00373EPSS
Exploits1References2
Github Security Blog
Github Security Blog
added 2026/04/02 6:36 p.m.8 views

Axios supply chain attack - dependency in @lightdash/cli may resolve to compromised axios versions

Impact A supply chain attack on the axios npm package versions 1.14.1 and 0.30.4 introduced a malicious transitive dependency [email protected] that deploys a cross-platform remote access trojan RAT on macOS, Windows, and Linux. The attacker compromised the primary axios maintainer's npm...

6.1AI score
Exploits0References9Affected Software1
EUVD
EUVD
added 2026/04/02 6:2 p.m.10 views

EUVD-2026-18472

DbGate is cross-platform database manager. From version 7.0.0 to before version 7.1.5, a stored XSS vulnerability exists in DbGate because attacker-controlled SVG icon strings are rendered as raw HTML without sanitization. In the web UI this allows script execution in another user's browser; in t...

8.2CVSS6.2AI score0.00168EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/04/02 5:26 p.m.21 views

CVE-2026-34590 Postiz: SSRF via Webhook Creation Endpoint Missing URL Safety Validation

Postiz is an AI social media scheduling tool. Prior to version 2.21.4, the POST /webhooks/ endpoint for creating webhooks uses WebhooksDto which validates the url field with only @IsUrl format check, missing the @IsSafeWebhookUrl validator that blocks internal/private network addresses. The updat...

5.4CVSS0.00226EPSS
Exploits1References3
RedhatCVE
RedhatCVE
added 2026/04/02 4:56 p.m.7 views

CVE-2025-13535

The King Addons for Elementor plugin for WordPress is vulnerable to multiple Contributor+ DOM-Based Stored Cross-Site Scripting vulnerabilities in all versions up to, and including, 51.1.38. This is due to insufficient input sanitization and output escaping across multiple widgets and features. T...

6.4CVSS6AI score0.00241EPSS
Exploits0References1
OSV
OSV
added 2026/04/02 3:16 p.m.4 views

UBUNTU-CVE-2026-31937

Suricata is a network IDS, IPS and NSM engine. Prior to version 7.0.15, inefficiency in DCERPC buffering can lead to a performance degradation. This issue has been patched in version 7.0.15...

7.5CVSS5.7AI score0.00351EPSS
Exploits0References2
Rows per page
Query Builder