Lucene search
+L

545 matches found

AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.10 views

Astra Linux – Vulnerability in Composer

Composer is a dependency manager for PHP. The URLs for Mercurial repositories in the composer.json file at the root level, as well as the source download URLs, are not sanified correctly. Specifically crafted URL values allow code to be executed via the HgDriver if hg/Mercurial is installed on th...

8.8CVSS8.5AI score0.04849EPSS
Exploits1References2
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.5 views

Astra Linux – Vulnerability in Git

Git is a version control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, an attacker could prepare a local repository in such a way that, when cloned, arbitrary code would be executed during the operation. This issue has been fixed in versions 2.45.1, 2.44.1,...

8.1CVSS7.2AI score0.01271EPSS
Exploits0References2
OSV
OSV
added 2026/05/14 4:18 p.m.5 views

GHSA-6H4J-WCR9-2VG7 n8n Has a Cross-user Authorization Bypass in Dynamic Credential OAuth Endpoints

Impact The OAuth1 and OAuth2 credential reconnect endpoints authorized access using credential:read rather than credential:update. An authenticated user with read-only access to a shared credential could initiate an OAuth reconnect flow and overwrite the stored token material for that credential...

8.3CVSS5.8AI score0.00315EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/05/13 4:48 p.m.9 views

CVE-2026-44573

Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, Applications using the Pages Router with i18n configured and middleware/proxy-based authorization can allow unauthorized access to protected page data through locale-less...

7.5CVSS5.8AI score0.00606EPSS
Exploits1References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/05/09 7:39 p.m.7 views

CVE-2026-42257 net-imap: Command Injection via "raw" arguments to multiple commands

Net::IMAP implements Internet Message Access Protocol IMAP client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, several Net::IMAP commands accept a raw string argument that is sent to the server without validation or escaping. If this string is derived from user-controlled...

5.8CVSS5.8AI score0.00429EPSS
Exploits0References4
EUVD
EUVD
added 2026/05/09 3:45 a.m.10 views

EUVD-2026-28892

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.7.14 and 4.0.5, the Webhook Interceptor loads the entire request body into memory before authenticating the request or verifying its signature. This occurs on the...

8.2CVSS5.7AI score0.00607EPSS
Exploits1References4
NVD
NVD
added 2026/05/08 10:16 p.m.31 views

CVE-2026-42206

Roadiz is a polymorphic content management system based on a node system. Prior to versions 2.3.43, 2.5.45, 2.6.31, and 2.7.18, the roadiz/openid package generates an OIDC nonce in OAuth2LinkGenerator::generate and includes it in the authorization request sent to the identity provider, but never...

7.1CVSS0.00152EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/08 9:54 p.m.9 views

CVE-2026-42206

Roadiz is a polymorphic content management system based on a node system. Prior to versions 2.3.43, 2.5.45, 2.6.31, and 2.7.18, the roadiz/openid package generates an OIDC nonce in OAuth2LinkGenerator::generate and includes it in the authorization request sent to the identity provider, but never...

7.1CVSS5.8AI score0.00152EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/05/08 3:10 p.m.8 views

CVE-2026-44500

ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.4.0, prior to zebra-chain version 7.0.0, and prior to zebra-network version 6.0.0, several inbound deserialization paths in Zebra allocated buffers sized against generic transport or block-size ceilings before the tighter...

5.3CVSS5.8AI score0.00362EPSS
Exploits1References2Affected Software1
OSV
OSV
added 2026/05/08 3:10 p.m.3 views

CVE-2026-44500 ZEBRA: Allocation Amplification in Inbound Network Deserializers

ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.4.0, prior to zebra-chain version 7.0.0, and prior to zebra-network version 6.0.0, several inbound deserialization paths in Zebra allocated buffers sized against generic transport or block-size ceilings before the tighter...

5.3CVSS5.9AI score0.00362EPSS
Exploits1References3
EUVD
EUVD
added 2026/05/08 1:11 p.m.15 views

EUVD-2026-28553

Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. From versions 1.3.0 to before 1.15.14, 1.16.0-rc.1 to before 1.16.14, and 1.17.0-rc.1 to before 1.17.5, a vulnerability has been found in Dapr that allows bypassing access control policies for...

8.1CVSS5.7AI score0.00325EPSS
Exploits0References2
EUVD
EUVD
added 2026/05/08 1:6 p.m.11 views

EUVD-2026-28552

Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.21, 20.3.19, 21.2.9, and 22.0.0-next.8, a Server-Side Request Forgery SSRF vulnerability exists in @angular/platform-server due to improper...

8.7CVSS5.8AI score0.00304EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/05/08 12:0 a.m.15 views

PT-2026-38798

A memory corruption vulnerability was addressed with improved locking. This issue is fixed in iOS 17.1.2 and iPadOS 17.1.2, macOS Sonoma 14.1.2, Safari 17.1.2. Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited against...

8.8CVSS6.1AI score0.0937EPSS
Exploits0References22
Positive Technologies
Positive Technologies
added 2026/05/08 12:0 a.m.15 views

PT-2026-38661

Name of the Vulnerable Software and Affected Versions Onyx versions prior to 3.0.9 Onyx versions prior to 3.1.6 Onyx versions prior to 3.2.6 Description The 'GET /chat/file/file id' endpoint allows any authenticated user to download files uploaded by other users. While the system verifies that th...

6.5CVSS5.8AI score0.00201EPSS
Exploits0References6
ATTACKERKB
ATTACKERKB
added 2026/05/07 10:20 p.m.9 views

CVE-2026-42880

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. From versions 3.2.0 to before 3.2.11 and 3.3.0 to before 3.3.9, there is a missing authorization and data-masking gap in Argo CD's ServerSideDiff endpoint that allows an attacker with read-only access to extract plaintext...

9.6CVSS5.7AI score0.00505EPSS
Exploits2References2Affected Software1
CVE
CVE
added 2026/05/07 10:20 p.m.60 views

CVE-2026-42880

CVE-2026-42880 (Argo CD) : A missing authorization/data-masking gap in Argo CD’s ServerSideDiff endpoint allows an attacker with read-only access to extract plaintext Secret data from etcd via the Kubernetes API server’s Server-Side Apply dry-run. Affected versions are 3.2.0–3.2.10 and 3.3.0–3.3....

9.6CVSS5.7AI score0.00505EPSS
Exploits2References7Affected Software1
CVE
CVE
added 2026/05/07 1:15 p.m.44 views

CVE-2026-41490

CVE-2026-41490 affects Dagster’s dynamic partition keys in I/O managers (DuckDB, Snowflake, BigQuery, DeltaLake). Prior to Dagster Core 1.13.1 and Dagster libraries 0.29.1, SQL WHERE clauses were built by interpolating partition key values without escaping, allowing a user with Add Dynamic Partit...

8.3CVSS6AI score0.00265EPSS
Exploits1References2
NVD
NVD
added 2026/05/07 4:16 a.m.21 views

CVE-2026-42216

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions 3.0.0 to before 3.2.9, 3.3.0 to before 3.3.11, and 3.4.0 to before 3.4.11, IDManifest::init reconstructs strings from a prefix-compressed...

9.1CVSS0.00465EPSS
Exploits1References10
NVD
NVD
added 2026/05/07 4:16 a.m.63 views

CVE-2026-41673

xmldom is a pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior, seven recursive traversals in lib/dom.js operate without a depth limit. A sufficiently deeply nested DO...

8.7CVSS0.00643EPSS
Exploits0References16
OSV
OSV
added 2026/05/07 4:13 a.m.5 views

CVE-2026-41641 NocoBase Vulnerable to SQL Validation Bypass via `sqlCollection:update` Missing `checkSQL` Call

NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the checkSQL validation function that blocks dangerous SQL keywords e.g., pgreadfile, LOADFILE, dblink is applied on the collections:create and...

7.2CVSS6.2AI score0.01833EPSS
Exploits1References6
Rows per page
Query Builder