Lucene search
K

890 matches found

osv
osv
added 2026/04/22 7:19 p.m.3 views

GHSA-7C4J-2M43-2MGH nimiq-primitives: Node crash due to missing interlink validation in election macro block proposals

Impact An untrusted p2p peer can cause a node to panic by announcing an election macro block whose validators set contains an invalid compressed BLS voting key. Hashing an election macro header hashes validators and reaches Validators::votingkeys, which calls validator.votingkey.uncompress.unwrap...

7.5CVSS5.8AI score0.00372EPSS
Exploits0References6
nessus
nessus
added 2026/04/22 12:0 a.m.7 views

Linux Distros Unpatched Vulnerability : CVE-2026-41651

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - PackageKit is a a D-Bus abstraction layer that allows the user to manage packages in a secure way using a cross-distro, cross-architecture API. PackageKit betwe...

8.8CVSS6AI score0.0046EPSS
Exploits10References2
cvelist
cvelist
added 2026/04/21 7:32 p.m.32 views

CVE-2026-40889 Frappe HR has Improper Access Control on Files

Frappe HR is an open-source human resources management solution HRMS. Prior to versions 15.58.2 and 16.4.2, authenticated users can access unauthorized files by exploiting certain api endpoint. Versions 15.58.2 and 16.4.2 contain a patch. No known workarounds are available...

6.5CVSS0.00231EPSS
Exploits0References3
ibm
ibm
added 2026/04/21 5:5 p.m.6 views

Security Bulletin: DevOps Test Performance contains a vulnerability related to use of the path-to-regexp package

Summary Due to use of the path-to-regexp package, DevOps Test Performance and Rational Performance Tester contain a potential Regular Expression Denial of Service ReDoS vulnerability. Vulnerability Details CVEID:CVE-2026-4867 DESCRIPTION: Impact: A bad regular expression is generated any time you...

7.5CVSS5.8AI score0.00496EPSS
Exploits0Affected Software1
euvd
euvd
added 2026/04/21 2:32 p.m.5 views

EUVD-2026-23889

OpenMage LTS: Phar Deserialization leads to Remote Code Execution...

8.1CVSS5.8AI score0.00539EPSS
Exploits1References3
cvelist
cvelist
added 2026/04/20 8:24 p.m.34 views

CVE-2026-33431 Roxy-WI Vulnerable to Authenticated Arbitrary File Read via Path Traversal in Config Version Viewer

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the POST /config//show API endpoint accepts a configver parameter that is directly appended to a base directory path to construct a local file path, which is subsequently opened and it...

7.1CVSS0.00392EPSS
Exploits1References2
nvd
nvd
added 2026/04/20 4:16 p.m.13 views

CVE-2026-25058

Vexa is an open-source, self-hostable meeting bot API and meeting transcription API. Prior to 0.10.0-260419-1910, the Vexa transcription-collector service exposes an internal endpoint GET /internal/transcripts/meetingid that returns transcript data for any meeting without any authentication or...

7.5CVSS0.00402EPSS
Exploits1References1
ptsecurity
ptsecurity
added 2026/04/18 12:0 a.m.23 views

PT-2026-34845

Name of the Vulnerable Software and Affected Versions MailKit versions prior to 4.16.0 Description A STARTTLS Response Injection issue allows a Man-in-the-Middle attacker to inject arbitrary protocol responses across the plaintext-to-TLS trust boundary. This can enable a SASL authentication...

6.5CVSS6AI score0.00223EPSS
Exploits1References6
cve
cve
added 2026/04/17 11:51 p.m.15 views

CVE-2026-40337

The Sentry kernel vulnerability (CVE-2026-40337) affects tasks with DEV/IO capabilities that can interact with another task’s IRQ line via the _sys_int * syscall family. Before version 0.4.7, this enables DoS and covert-channels to the outside world. A patch exists in 0.4.7; workaround: limit DEV...

5.1CVSS5.8AI score0.00155EPSS
Exploits0References3
osv
osv
added 2026/04/17 10:20 p.m.12 views

GHSA-85GX-3QV6-4463 Dapr: Service Invocation path traversal ACL bypass

Summary A vulnerability has been found in Dapr that allows bypassing access control policies for service invocation using reserved URL characters and path traversal sequences in method paths. The ACL normalized the method path independently from the dispatch layer, so the ACL evaluated one path...

8.1CVSS5.7AI score0.00325EPSS
Exploits0References4
github
github
added 2026/04/17 10:0 p.m.8 views

OpenClaw: Nostr profile mutation routes allowed operator.write config persistence

Summary Nostr profile mutation routes allowed operator.write config persistence. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.10 Impact Nostr plugin HTTP profile routes could persist profile config through a path that did not require admin...

5.7AI score
Exploits0References3Affected Software1
ptsecurity
ptsecurity
added 2026/04/16 12:0 a.m.5 views

PT-2026-33384

Name of the Vulnerable Software and Affected Versions Math.js versions 13.1.1 through 15.1.x Description An issue in the expression parser allows the execution of arbitrary JavaScript. This occurs in applications where users are permitted to evaluate arbitrary expressions using the mathjs...

8.8CVSS6AI score0.00551EPSS
Exploits0References8
ptsecurity
ptsecurity
added 2026/04/15 12:0 a.m.5 views

PT-2026-36183

Name of the Vulnerable Software and Affected Versions Traefik versions prior to 2.11.43 Traefik versions prior to 3.6.14 Traefik versions prior to 3.7.0-rc.2 Description An issue exists in the Kubernetes CRD provider cross-namespace isolation enforcement. When...

6.4CVSS6.4AI score0.00254EPSS
Exploits1References19
github
github
added 2026/04/14 10:29 p.m.6 views

October Rain has Environment Variable Exfiltration via INI Parser Interpolation

A server-side information disclosure vulnerability was identified in the INI settings parser. PHP's parseinistring function supports $ syntax for environment variable interpolation. Attackers with Editor access could inject $APPKEY, $DBPASSWORD, or similar patterns into CMS page settings fields,...

4.9CVSS5.7AI score0.00326EPSS
Exploits0References3Affected Software1
github
github
added 2026/04/14 12:4 a.m.24 views

SSH/SCP option injection allowing local RCE in @aiondadotcom/mcp-ssh

Impact A crafted hostAlias argument such as -oProxyCommand=... was passed to ssh/scp without an argument terminator. SSH interprets arguments starting with - as options regardless of position, so the option-injection caused SSH to execute the attacker-supplied ProxyCommand locally on the machine...

6.1AI score
Exploits0References4Affected Software1
ptsecurity
ptsecurity
added 2026/04/14 12:0 a.m.10 views

PT-2026-33226

Name of the Vulnerable Software and Affected Versions mitmproxy versions prior to 12.2.2 Description The builtin LDAP proxy authentication fails to correctly sanitize the username when querying the LDAP server. This allows a malicious client to bypass authentication. This issue only affects...

4.8CVSS5.2AI score0.00166EPSS
Exploits1References7
osv
osv
added 2026/04/08 7:52 p.m.3 views

GHSA-XRW6-GWF8-VVR9 Tmds.DBus: malicious D-Bus peers can spoof signals, exhaust file descriptor resources, and cause denial of service

Tmds.DBus and Tmds.DBus.Protocol are vulnerable to malicious D-Bus peers. A peer on the same bus can spoof signals by impersonating the owner of a well-known name, exhaust system resources or cause file descriptor spillover by sending messages with an excessive number of Unix file descriptors, an...

7.1CVSS5.8AI score0.00124EPSS
Exploits0References5
redhatcve
redhatcve
added 2026/04/06 10:57 a.m.5 views

CVE-2026-34954

PraisonAI is a multi-agent teams system. Prior to version 1.5.95, FileTools.downloadfile in praisonaiagents validates the destination path but performs no validation on the url parameter, passing it directly to httpx.stream with followredirects=True. An attacker who controls the URL can reach any...

8.6CVSS5.8AI score0.00405EPSS
Exploits1References1
nessus
nessus
added 2026/04/05 12:0 a.m.6 views

Linux Distros Unpatched Vulnerability : CVE-2026-34591

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Poetry is a dependency manager for Python. From version 1.4.0 to before version 2.3.3, a crafted wheel can contain ../ paths that Poetry writes to disk without...

7.1CVSS6.8AI score0.00468EPSS
Exploits1References3
susecve
susecve
added 2026/04/03 11:25 p.m.9 views

SUSE CVE-2026-34601

xmldom is a pure JavaScript W3C standard-based XML DOM Level 2 Core DOMParser and XMLSerializer module. In xmldom versions 0.6.0 and prior and @xmldom/xmldom prior to versions 0.8.12 and 0.9.9, xmldom/xmldom allows attacker-controlled strings containing the CDATA terminator to be inserted into a...

7.5CVSS5.7AI score0.00472EPSS
Exploits0References3
Rows per page
Query Builder