CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

EUVD•added yesterday•5 views

EUVD-2026-38469

OpenHarness /issue and /prcomments slash commands lack remoteinvocable=False protection, allowing remote channel senders to write attacker-controlled Markdown into project context files. Admitted remote attackers can inject malicious content into .openharness/issue.md and .openharness/prcomments....

5.4CVSS6AI score

Exploits0References3

RedHat Linux•added yesterday•9 views

webkitgtk: An app may be able to access sensitive user data

A flaw was found in WebKitGTK. Processing or loading malicious web content can allow an app to access sensitive user data due to improper data protection...

RedHat Linux•added yesterday•4 views

webkitgtk: An app may be able to access sensitive user data

A flaw was found in WebKitGTK. Processing or loading malicious web content can allow an app to access sensitive user data due to improper data protection...

RedHat Linux•added yesterday•2 views

samba: vfs_worm does not block directory modification

A flaw was found in Samba’s vfsworm module. The module is intended to provide write-once, read-many WORM protections by preventing modification of files after a configurable grace period. Due to insufficient validation during rename operations, an authenticated user with write access to a share...

6.5CVSS5.8AI score0.00904EPSS

RedHat Linux•added yesterday•3 views

samba: vfs_worm does not block directory modification

6.5CVSS5.8AI score0.00904EPSS

EUVD•added 2 days ago•6 views

EUVD-2026-38388

MessagePack for C is a MessagePack serializer for C. Prior to 2.5.301 and 3.1.7, MessagePackReader.TrySkip recursively descends into nested arrays and maps without incrementing the reader depth or calling the configured depth checks. This bypasses MessagePackSecurity.MaximumObjectGraphDepth, the...

7.5CVSS5.8AI score0.00293EPSS

NVD•added 2 days ago•8 views

CVE-2026-56425

The Azure Active Directory AAD authentication implementation contained multiple weaknesses in its OAuth 2.0 authorization flow that could allow attackers to bypass important security guarantees provided by the protocol. The application used the PHP session identifier sessionid as the OAuth state...

9.3CVSS0.00303EPSS

NVD•added 2 days ago•6 views

CVE-2026-56446

MISP allowed a site administrator to configure an arbitrary filesystem path for the NDJSON error log used by JsonLogTool. Because log entries can include attacker-controlled content, an authenticated attacker with site administrator privileges could direct log output to a PHP file in a...

8.7CVSS0.00308EPSS

Cvelist•added 2 days ago•29 views

CVE-2026-12628 Hardcoded credential in the IBM Storage Protect Snapshot For Windows leads to unauthorized access to system

IBM Storage Protect Client 8.1.0.0 through 8.2.1.0 and IBM Storage Protect Snapshot For Windows 8.1.0.0 through 8.2.1.0 could allow a remote attacker to bypass authentication due to the use of a hardcoded credential in the FlashCopy Manager FCM authentication mechanism. The application contains a...

9.1CVSS0.00325EPSS

RedhatCVE•added 2 days ago•7 views

CVE-2026-52908

A flaw was found in the Linux kernel. This vulnerability occurs during the re-registration of a Remote Direct Memory Access RDMA memory region. If the memory's access permissions are changed from read-only to read-write, the system may fail to properly update and secure the underlying user memory...

7CVSS5.8AI score0.00168EPSS

Exploits0References4

Wiz blog•added 2 days ago•16 views

Cloud-native Security for your Windows environment: Announcing the Wiz Runtime Sensor for Windows

Secure your Windows fleet without sacrificing performance. Wiz pairs real-time threat detection with a memory-safe architecture that scales efficiently to protect your essential cloud infrastructure...

5.5AI score

Exploits0

EUVD•added 2 days ago•7 views

EUVD-2026-38239

AIL did not restrict repeated failed attempts to verify a two-factor authentication OTP code. An attacker who had reached the 2FA verification step, such as after successfully completing the password-authentication stage, could submit an unlimited number of OTP guesses. This could enable...

5.1CVSS5.9AI score0.0033EPSS

EUVD•added 2 days ago•9 views

EUVD-2026-38228

9.3CVSS5.9AI score0.00303EPSS

CVE•added 2 days ago•10 views

CVE-2026-56425

CVE-2026-56425 affects the AAD authentication plugin for MISP (OAuth 2.0). The vulnerability stems from using session_id() as the OAuth state parameter, lack of session rotation after login, no dedicated nonce for the state, and not enforcing HTTPS for the redirect URI. Additional issue: OAuth er...

9.3CVSS5.9AI score0.00303EPSS

RedHat Linux•added 2 days ago•4 views

webkitgtk: An app may be able to access sensitive user data

A flaw was found in WebKitGTK. Processing or loading malicious web content can allow an app to access sensitive user data due to improper data protection...

RedHat Linux•added 2 days ago•4 views

kernel: smc: Use __sk_dst_get() and dst_dev_rcu() in smc_clc_prfx_match()

A flaw was found in the Linux kernel’s SMC Shared Memory Communication module: in smcclcprfxmatch, the function is called from smclistenwork without proper RCU or RTNL protection. The code previously used skdstgetsk-dev, which can lead to a use-after-free UAF condition if the sk’s destination is...

5.8AI score0.0015EPSS

RedHat Linux•added 2 days ago•6 views

webkitgtk: An app may be able to access sensitive user data

A flaw was found in WebKitGTK. Processing or loading malicious web content can allow an app to access sensitive user data due to improper data protection...