Lucene search
K

277 matches found

CVE
CVE
added 2026/04/15 5:48 p.m.14 views

CVE-2026-33212

CVE-2026-33212 affects Weblate (web-based localization tool). The vulnerability lies in the tasks API where, in versions prior to 5.17, access control for pending tasks was not enforced, potentially exposing in-progress task logs to users without the proper scope. The attack requires brute-forcin...

3.1CVSS5.8AI score0.00221EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/04/15 5:48 p.m.21 views

CVE-2026-33212 Weblate: Improper access control for pending tasks in API

Weblate is a web based localization tool. In versions prior to 5.17, the tasks API didn't verify user access for pending tasks. This could expose logs of in-progress operations to users who don't have access to given scope. The attacker needs to brute-force the random UUID of the task, so...

3.1CVSS0.00221EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/04/15 12:0 a.m.9 views

PT-2026-33113

Weblate is a web based localization tool. In versions prior to 5.17, the tasks API didn't verify user access for pending tasks. This could expose logs of in-progress operations to users who don't have access to given scope. The attacker needs to brute-force the random UUID of the task, so...

3.1CVSS5.8AI score0.00221EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/04/13 12:0 a.m.1 views

CVE-2026-31282

Totara LMS v19.1.5 and before is vulnerable to Incorrect Access Control. The login page code can be manipulated to reveal the login form. An attacker can chain that with missing rate-limit on the login form to launch a brute force attack. NOTE: this is disputed by the Supplier because 1 local log...

5.9AI score0.0039EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/04/13 12:0 a.m.6 views

Totara LMS 安全漏洞

Totara LMS is an learning management system provided by the Totara company. Versions of Totara LMS prior to v19.1.5 contained security vulnerabilities. These vulnerabilities stemmed from the forget password API not implementing rate limits on target email addresses, which could lead to email...

9.8CVSS5.8AI score0.00397EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/04/13 12:0 a.m.4 views

PT-2026-32359

Name of the Vulnerable Software and Affected Versions Totara LMS versions prior to 19.1.6 Description Incorrect Access Control allows the login page code to be manipulated to reveal the login form. This can be combined with a missing rate-limit on the login form to facilitate a brute force attack...

9.8CVSS5.9AI score0.0039EPSS
Exploits0References6
OSV
OSV
added 2026/04/10 7:22 p.m.2 views

GHSA-Q5R4-47M9-5MC7 PraisonAI: Unauthenticated WebSocket Endpoint Proxies to Paid OpenAI Realtime API Without Rate Limits

Summary The /media-stream WebSocket endpoint in PraisonAI's call module accepts connections from any client without authentication or Twilio signature validation. Each connection opens an authenticated session to OpenAI's Realtime API using the server's API key. There are no limits on concurrent...

7.5CVSS5.8AI score0.00372EPSS
Exploits1References4
Github Security Blog
Github Security Blog
added 2026/04/10 7:22 p.m.9 views

PraisonAI: Unauthenticated WebSocket Endpoint Proxies to Paid OpenAI Realtime API Without Rate Limits

Summary The /media-stream WebSocket endpoint in PraisonAI's call module accepts connections from any client without authentication or Twilio signature validation. Each connection opens an authenticated session to OpenAI's Realtime API using the server's API key. There are no limits on concurrent...

7.5CVSS5.8AI score0.00372EPSS
Exploits1References4Affected Software1
EUVD
EUVD
added 2026/04/10 4:3 p.m.6 views

EUVD-2026-21458

OpenClaw before 2026.3.22 contains an authentication bypass vulnerability in the X-Forwarded-For header processing when trustedProxies is configured, allowing attackers to spoof loopback hops. Remote attackers can inject forged forwarding headers to bypass canvas authentication and rate-limiting...

6.5CVSS5.8AI score0.00314EPSS
Exploits0References4
OSV
OSV
added 2026/04/10 12:30 a.m.5 views

GHSA-59XC-5V89-R7PR Duplicate Advisory: OpenClaw: Synology Chat Webhook Pre-Auth Rate-Limit Bypass Enables Brute-Force Guessing of Webhook Token

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-mf5g-6r6f-ghhm. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.25 contains a pre-authentication rate-limit bypass vulnerability in webhook token validation...

6.3CVSS5.7AI score0.00244EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/04/10 12:0 a.m.8 views

PT-2026-31967

OpenClaw before 2026.3.22 contains an authentication bypass vulnerability in the X-Forwarded-For header processing when trustedProxies is configured, allowing attackers to spoof loopback hops. Remote attackers can inject forged forwarding headers to bypass canvas authentication and rate-limiting...

6.5CVSS5.8AI score0.00314EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/04/09 9:20 p.m.3 views

CVE-2026-40116 PraisonAI's Unauthenticated WebSocket Endpoint Proxies to Paid OpenAI Realtime API Without Rate Limits

PraisonAI is a multi-agent teams system. Prior to 4.5.128, the /media-stream WebSocket endpoint in PraisonAI's call module accepts connections from any client without authentication or Twilio signature validation. Each connection opens an authenticated session to OpenAI's Realtime API using the...

7.5CVSS5.8AI score0.00372EPSS
Exploits1References1
CVE
CVE
added 2026/04/09 9:20 p.m.21 views

CVE-2026-40116

CVE-2026-40116 affects PraisonAI prior to 4.5.128: the /media-stream WebSocket endpoint accepted unauthenticated connections and bypassed Twilio validation, proxying each connection to OpenAI’s Realtime API using the server key with no concurrency/rate/size limits. This could allow an unauthentic...

7.5CVSS5.9AI score0.00372EPSS
Exploits1References1Affected Software1
Cvelist
Cvelist
added 2026/04/09 9:20 p.m.20 views

CVE-2026-40116 PraisonAI's Unauthenticated WebSocket Endpoint Proxies to Paid OpenAI Realtime API Without Rate Limits

PraisonAI is a multi-agent teams system. Prior to 4.5.128, the /media-stream WebSocket endpoint in PraisonAI's call module accepts connections from any client without authentication or Twilio signature validation. Each connection opens an authenticated session to OpenAI's Realtime API using the...

7.5CVSS0.00372EPSS
Exploits1References1
CNNVD
CNNVD
added 2026/04/06 12:0 a.m.7 views

vLLM 安全漏洞

vLLM is an open-source solution designed for LLM-based models, featuring high throughput and memory-efficient reasoning and service engines. Versions of vLLM prior to 0.7.0 to 0.19.0 contained security vulnerabilities. These vulnerabilities stemmed from the VideoMediaIO.loadbase64 method not...

6.5CVSS5.8AI score0.00378EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/04/06 12:0 a.m.9 views

Bulwark Webmail 安全漏洞

Bulwark Webmail is an open-source, self-hosted webmail client developed by Bulwark Mail. Versions of Bulwark Webmail prior to 1.4.11 contained security vulnerabilities. These vulnerabilities stemmed from the getClientIP function, which trusted the X-Forwarded-For header provided by the client. Th...

8.7CVSS5.8AI score0.00136EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/03/31 12:31 p.m.6 views

Duplicate Advisory: OpenClaw has Bypass in Webhook Rate Limiting via Pre-Authentication Secret Validation

Duplicate Advisory This advisory has been withdrawn because CVE-2026-34508 has been rejected as a duplicate of CVE-2026-34505. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.12 applies rate limiting only after webhook authentication succeeds,...

5.8AI score0.00056EPSS
Exploits0References4Affected Software1
NVD
NVD
added 2026/03/31 12:16 p.m.8 views

CVE-2026-34505

OpenClaw before 2026.3.12 applies rate limiting only after successful webhook authentication, allowing attackers to bypass rate limits and brute-force webhook secrets. Attackers can submit repeated authentication requests with invalid secrets without triggering rate limit responses, enabling...

6.9CVSS0.00272EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/03/27 10:51 p.m.11 views

CVE-2026-33152

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, Tandoor Recipes configures Django REST Framework with BasicAuthentication as one of the default authentication backends. The AllAuth rate limiting configuration...

9.1CVSS5.9AI score0.00513EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2026/03/26 7:7 p.m.5 views

CVE-2026-33152 Tandoor Recipes Vulnerable to Unrestricted Brute-Force via BasicAuthentication

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, Tandoor Recipes configures Django REST Framework with BasicAuthentication as one of the default authentication backends. The AllAuth rate limiting configuration...

9.1CVSS5.8AI score0.00513EPSS
Exploits1References2
Rows per page
Query Builder