Lucene search
+L

1112 matches found

cvelist
cvelist
added yesterday26 views

CVE-2026-45535 DataEase: Stored SQL Injection Vulnerability

DataEase is an open source data visualization and analysis tool. Prior to 2.10.23, DataEase SQL-type datasets store attacker-controlled SQL variable defaultValue entries such as $var and SqlparserUtils.handleVariableDefaultValue inserts them with String.replace without escaping or parameterizatio...

8.7CVSS0.00017EPSS
Exploits0References3
cve
cve
added yesterday10 views

CVE-2026-45535

DataEase (open source data visualization/analysis tool) contains a stored SQL injection in SQL-type datasets prior to version 2.10.23. The vulnerability arises because attacker-controlled SQL variable defaultValue entries (e.g., ${var}) are stored and SqlparserUtils.handleVariableDefaultValue() i...

8.7CVSS6.1AI score0.00017EPSS
Exploits0References3
cve
cve
added 2 days ago8 views

CVE-2026-7494

CVE-2026-7494 describes a Server-Side Request Forgery (SSRF) in Nexus Repository 3, exploitable via the SSL Certificate Retrieval endpoint. A user with the nexus:ssl-truststore:read permission can trigger outbound connections from the server to internal or restricted hosts. Affected versions are ...

5.3CVSS6.1AI score0.00146EPSS
Exploits0References2
cvelist
cvelist
added 2026/07/08 3:44 p.m.31 views

CVE-2026-59262 AFFiNE - Unauthorized Document Edit History Access via GraphQL histories Field

AFFiNE's histories GraphQL field fails to validate Doc.Read permission before exposing document edit history, allowing authenticated workspace members to retrieve restricted content timelines. Attackers can supply arbitrary document GUIDs to access full edit histories including user names, emails...

7.1CVSS0.00238EPSS
Exploits0References4
osv
osv
added 2026/07/07 11:45 a.m.5 views

PYSEC-2026-1494 Kinto Attachment's attachments can be replaced on read-only records

Impact The attachment file of an existing record can be replaced if the user has "read" permission on one of the parent collection or bucket. And if the "read" permission is given to "system.Everyone" on one of the parent, then the attachment can be replaced on a record using an anonymous request...

8.6CVSS5.9AI score0.00702EPSS
Exploits0References7
nvd
nvd
added 2026/06/29 6:16 p.m.12 views

CVE-2026-57954

Elide through 7.1.17 fails to enforce @ReadPermission on client-supplied sort expressions in SortingImpl.getValidSortingRules, allowing attackers to sort collections by forbidden fields. Attackers can infer hidden field values through row ordering analysis, leaking relative field ordering across...

5.3CVSS0.00168EPSS
Exploits0References2
cvelist
cvelist
added 2026/06/29 5:21 p.m.37 views

CVE-2026-57954 Elide 7.1.17 - Permission Bypass in Sort Expression Validation

Elide through 7.1.17 fails to enforce @ReadPermission on client-supplied sort expressions in SortingImpl.getValidSortingRules, allowing attackers to sort collections by forbidden fields. Attackers can infer hidden field values through row ordering analysis, leaking relative field ordering across...

5.3CVSS0.00168EPSS
Exploits0References2
cve
cve
added 2026/06/29 5:21 p.m.16 views

CVE-2026-57954

Vulnerability summary (CVE-2026-57954) Elide 7.1.17 has a flaw in SortingImpl.getValidSortingRules where @ReadPermission is not enforced on client-supplied sort expressions. This allows attackers to sort collections by forbidden fields and infer hidden field values via row ordering analysis, leak...

5.3CVSS5.8AI score0.00168EPSS
Exploits0References2
osv
osv
added 2026/06/29 5:21 p.m.4 views

CVE-2026-57954 Elide 7.1.17 - Permission Bypass in Sort Expression Validation

Elide through 7.1.17 fails to enforce @ReadPermission on client-supplied sort expressions in SortingImpl.getValidSortingRules, allowing attackers to sort collections by forbidden fields. Attackers can infer hidden field values through row ordering analysis, leaking relative field ordering across...

5.3CVSS6AI score0.00168EPSS
Exploits0References5
ptsecurity
ptsecurity
added 2026/06/29 12:0 a.m.10 views

PT-2026-53672

Name of the Vulnerable Software and Affected Versions Elide versions prior to 7.1.18 Description Insufficient enforcement of @ReadPermission within the getValidSortingRules function of SortingImpl allows attackers to use forbidden fields in client-supplied sort expressions. By analyzing the...

5.3CVSS5.9AI score0.00168EPSS
Exploits0References6
attackerkb
attackerkb
added 2026/06/26 1:14 a.m.7 views

CVE-2026-48935

A flaw in Node.js Permission API can cause a file metadata to be modified even on a path that was set as read-only with e.g. --allow-fs-read. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26...

3.3CVSS6.4AI score0.00154EPSS
Exploits0References2Affected Software1
nvd
nvd
added 2026/06/24 2:17 p.m.11 views

CVE-2026-57299

Missing permission checks in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier allow attackers with Overall/Read permission to enumerate the names of configured Contrast metadata...

4.3CVSS0.00167EPSS
Exploits0References1
nvd
nvd
added 2026/06/24 2:17 p.m.12 views

CVE-2026-57300

A missing permission check in Jenkins MCP Server Plugin 0.177.v629fdb2557fe and earlier allows attackers with Item/Read permission to read the Pipeline replay scripts of jobs they can access...

4.3CVSS0.00178EPSS
Exploits0References1
osv
osv
added 2026/06/24 2:17 p.m.2 views

CVE-2026-57297

A missing permission check in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified username, API key, and service key...

4.3CVSS6AI score
Exploits0References1
nvd
nvd
added 2026/06/24 2:17 p.m.13 views

CVE-2026-57291

Missing permission checks in Jenkins Gitee Plugin 1288.v18bdebc9069b and earlier allow attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method...

5.4CVSS0.00145EPSS
Exploits0References1
nvd
nvd
added 2026/06/24 2:17 p.m.11 views

CVE-2026-57285

A missing permission check in Jenkins GitHub Branch Source Plugin 1967.1969.v205fd594c821 and earlier allows attackers with Overall/Read permission to obtain the URLs of GitHub Enterprise servers configured in the global plugin configuration...

4.3CVSS0.00216EPSS
Exploits0References1
osv
osv
added 2026/06/24 2:17 p.m.2 views

CVE-2026-57285

A missing permission check in Jenkins GitHub Branch Source Plugin 1967.1969.v205fd594c821 and earlier allows attackers with Overall/Read permission to obtain the URLs of GitHub Enterprise servers configured in the global plugin configuration...

4.3CVSS6AI score
Exploits0References1
euvd
euvd
added 2026/06/24 1:20 p.m.10 views

EUVD-2026-38785

A missing permission check in Jenkins Assembla Plugin 1.4 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified username and password...

5.4CVSS5.8AI score0.00161EPSS
Exploits0References1
cvelist
cvelist
added 2026/06/24 1:20 p.m.34 views

CVE-2026-57302

Jenkins FitNesse Plugin 1.36 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Extended Read permission or access to the Jenkins controller file system...

0.00178EPSS
Exploits0References1
attackerkb
attackerkb
added 2026/06/24 1:20 p.m.5 views

CVE-2026-57299

Missing permission checks in Jenkins Contrast Continuous Application Security Plugin 3.11 and earlier allow attackers with Overall/Read permission to enumerate the names of configured Contrast metadata...

4.3CVSS5.9AI score0.00167EPSS
Exploits0References2
Rows per page
Query Builder