28667 matches found

Github Security Blog
added 2026/03/09 5:29 p.m., 6 views

OneUptime has broken access control in GitHub App installation flow that allows unauthorized project binding

Summary OneUptime's GitHub App callback trusts attacker-controlled state and installationid values and updates Project.gitHubAppInstallationId with isRoot: true without validating that the caller is authorized for the target project. This allows an attacker to overwrite another project's GitHub A...

CVSS 8.6, AI score 5.9, EPSS 0.00196
Exploits: 1, References: 10, Affected Software: 1
Positive Technologies
added 2026/03/09 12:0 a.m., 3 views

PT-2026-24052

A vulnerability was identified in opencc JFlow up to 5badc00db382d7cb82dad231e6a866b18e0addfe. Affected by this vulnerability is the function Calculate of the file src/main/java/bp/wf/httphandler/WF CCForm.java. Such manipulation leads to injection. The attack may be performed from remote. The...

CVSS 6.5, AI score 6.3, EPSS 0.00361
Exploits: 1, References: 6
Positive Technologies
added 2026/03/09 12:0 a.m., 3 views

PT-2026-24150

Name of the Vulnerable Software and Affected Versions OneUptime versions prior to 10.0.19 Description OneUptime’s GitHub App callback does not properly validate the state and installation id values received from a user, allowing an attacker to overwrite another project's GitHub App installation...

CVSS 8.6, AI score 5.9, EPSS 0.00196
Exploits: 1, References: 22
OpenVAS
added 2026/03/09 12:0 a.m., 2 views

SUSE: Security Advisory (SUSE-SU-2026:20574-1)

The remote host is missing an update for the SPDX-FileCopyrightText: 2026 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVSS 9.8, AI score 5.8, EPSS 0.00834
Exploits: 1, References: 6
OSV
added 2026/03/08 6:16 a.m., 2 views

AZL-79523 CVE-2026-3713 affecting package optipng 0.7.8-5

A flaw has been found in pnggroup libpng up to 1.6.55. Affected by this vulnerability is the function dopnm2png of the file contrib/pngminus/pnm2png.c of the component pnm2png. This manipulation of the argument width/height causes heap-based buffer overflow. The attack is restricted to local...

CVSS 5.3, AI score 6.2, EPSS 0.00126
Exploits: 0, References: 1
GithubExploit
added 2026/03/08 4:1 a.m., 143 views

Exploit for OS Command Injection in Motioneye_Project Motioneye

No d...

CVSS 7.2, AI score 5.8, EPSS 0.24749
Exploits: 16
RedhatCVE
added 2026/03/08 1:44 a.m., 4 views

CVE-2026-30244

Plane is an open-source project management tool. Prior to version 1.2.2, unauthenticated attackers can enumerate workspace members and extract sensitive information including email addresses, user roles, and internal identifiers. The vulnerability stems from Django REST Framework permission...

CVSS 7.5, AI score 5.7, EPSS 0.00377
Exploits: 0, References: 1
RedhatCVE
added 2026/03/08 1:44 a.m., 5 views

CVE-2026-30242

Plane is an open-source project management tool. Prior to version 1.2.3, the webhook URL validation in plane/app/serializers/webhook.py only checks ip.isloopback, allowing attackers with workspace ADMIN role to create webhooks pointing to private/internal network addresses 10.x.x.x, 172.16.x.x...

CVSS 8.5, AI score 5.8, EPSS 0.00284
Exploits: 0, References: 1
RedhatCVE
added 2026/03/08 1:44 a.m., 3 views

CVE-2026-29789

Vito is a self-hosted web application that helps manage servers and deploy PHP applications into production servers. Prior to version 3.20.3, a missing authorization check in workflow site-creation actions allows an authenticated attacker with workflow write access in one project to create/manage...

CVSS 9.9, AI score 5.8, EPSS 0.00367
Exploits: 1, References: 1
RedhatCVE
added 2026/03/07 7:59 a.m., 3 views

CVE-2026-25877

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.1, the application performs authorization checks based solely on the projectid parameter when handling chart-related operations update, delete, etc...

CVSS 6.5, AI score 5.8, EPSS 0.00286
Exploits: 1, References: 1
Github Security Blog
added 2026/03/07 2:30 a.m., 3 views

OneUpTime's Unsandboxed Code Execution in Probe Allows Any Project Member to Achieve RCE

Summary OneUptime allows project members to run custom Playwright/JavaScript code via Synthetic Monitors to test websites. However, the system executes this untrusted user code inside the insecure Node.js vm module. By leveraging a standard prototype-chain escape this.constructor.constructor, an...

CVSS 9.9, AI score 6.2, EPSS 0.00387
Exploits: 1, References: 3, Affected Software: 1
RedhatCVE
added 2026/03/07 1:44 a.m., 3 views

CVE-2026-29610

OpenClaw versions prior to 2026.2.14 contain a command hijacking vulnerability that allows attackers to execute unintended binaries by manipulating PATH environment variables through node-host execution or project-local bootstrapping. Attackers with authenticated access to node-host execution...

CVSS 8.8, AI score 6, EPSS 0.00465
Exploits: 0, References: 1
NVD
added 2026/03/06 10:16 p.m., 5 views

CVE-2026-30244

Plane is an open-source project management tool. Prior to version 1.2.2, unauthenticated attackers can enumerate workspace members and extract sensitive information including email addresses, user roles, and internal identifiers. The vulnerability stems from Django REST Framework permission...

CVSS 7.5, EPSS 0.00377
Exploits: 0, References: 2
NVD
added 2026/03/06 10:16 p.m., 3 views

CVE-2026-30242

Plane is an open-source project management tool. Prior to version 1.2.3, the webhook URL validation in plane/app/serializers/webhook.py only checks ip.isloopback, allowing attackers with workspace ADMIN role to create webhooks pointing to private/internal network addresses 10.x.x.x, 172.16.x.x...

CVSS 8.5, EPSS 0.00284
Exploits: 0, References: 2
Cvelist
added 2026/03/06 9:19 p.m., 22 views

CVE-2026-30244 Plane: Unauthenticated Workspace Member Information Disclosure

Plane is an open-source project management tool. Prior to version 1.2.2, unauthenticated attackers can enumerate workspace members and extract sensitive information including email addresses, user roles, and internal identifiers. The vulnerability stems from Django REST Framework permission...

CVSS 7.5, EPSS 0.00377
Exploits: 0, References: 2
Cvelist
added 2026/03/06 8:35 p.m., 16 views

CVE-2026-29789 Vito: Cross-project privilege escalation in workflow site-creation actions allows unauthorized server modification

Vito is a self-hosted web application that helps manage servers and deploy PHP applications into production servers. Prior to version 3.20.3, a missing authorization check in workflow site-creation actions allows an authenticated attacker with workflow write access in one project to create/manage...

CVSS 9.9, EPSS 0.00367
Exploits: 1, References: 4
ATTACKERKB
added 2026/03/06 8:35 p.m., 5 views

CVE-2026-29789

Vito is a self-hosted web application that helps manage servers and deploy PHP applications into production servers. Prior to version 3.20.3, a missing authorization check in workflow site-creation actions allows an authenticated attacker with workflow write access in one project to create/manage...

CVSS 9.9, AI score 5.8, EPSS 0.00367
Exploits: 1, References: 5, Affected Software: 1
EUVD
added 2026/03/06 8:35 p.m., 4 views

EUVD-2026-10068

Vito is a self-hosted web application that helps manage servers and deploy PHP applications into production servers. Prior to version 3.20.3, a missing authorization check in workflow site-creation actions allows an authenticated attacker with workflow write access in one project to create/manage...

CVSS 9.9, AI score 5.8, EPSS 0.00367
Exploits: 1, References: 4
Vulnrichment
added 2026/03/06 8:35 p.m., 3 views

CVE-2026-29789 Vito: Cross-project privilege escalation in workflow site-creation actions allows unauthorized server modification

Vito is a self-hosted web application that helps manage servers and deploy PHP applications into production servers. Prior to version 3.20.3, a missing authorization check in workflow site-creation actions allows an authenticated attacker with workflow write access in one project to create/manage...

CVSS 9.9, AI score 5.8, EPSS 0.00367
Exploits: 1, References: 4
OSV
added 2026/03/06 8:35 p.m., 2 views

CVE-2026-29789 Vito: Cross-project privilege escalation in workflow site-creation actions allows unauthorized server modification

Vito is a self-hosted web application that helps manage servers and deploy PHP applications into production servers. Prior to version 3.20.3, a missing authorization check in workflow site-creation actions allows an authenticated attacker with workflow write access in one project to create/manage...

CVSS 9.9, AI score 5.8, EPSS 0.00367
Exploits: 1, References: 6