Lucene search
K

121995 matches found

CVE
CVE
added 2 hours ago5 views

CVE-2026-11869

CVE-2026-11869 affects the WP DSGVO Tools (GDPR) WordPress plugin, prior to version 3.1.40. The root cause is a missing authorization check on the immediate-processing path of the data subject access request feature, enabling unauthenticated attackers to generate and download the full personal-da...

6AI score
Exploits0References1
RedHat Linux
RedHat Linux
added 3 hours ago3 views

golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses

A flaw was found in golang.org/x/crypto/ssh. A remote malicious SSH peer can exploit this by sending unsolicited global request responses, which fills an internal buffer and blocks the connection's read loop. This prevents the associated resources from being released, leading to a resource leak p...

9.1CVSS6.1AI score0.00513EPSS
Exploits0References9
EUVD
EUVD
added 8 hours ago4 views

EUVD-2026-42468

A flaw has been found in davenardella snap7 up to 1.4.3. This affects the function TS7Worker::PerformFunctionRead of the file src/core/s7server.cpp of the component ReadVar Request Handler. This manipulation causes deserialization. The attack requires access to the local network. The exploit has...

6.3CVSS5.5AI score
Exploits0References8
BDU FSTEC
BDU FSTEC
added 8 hours ago14 views

The vulnerability of the Directum HR Pro system, which exists due to insufficient verification of input data, allows a perpetrator to disclose protected information.

The vulnerability of the Directum HR Pro system exists due to insufficient verification of input data. Exploiting this vulnerability can allow a malicious actor to disclose protected information by sending a specially crafted POST request...

7.7CVSS5.7AI score
Exploits0Affected Software1
ATTACKERKB
ATTACKERKB
added yesterday2 views

CVE-2026-55471

HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to 6.9.10, org.hl7.fhir.utilities.XsltUtilities saxonTransform... overloads instantiated a bare net.sf.saxon.TransformerFactoryImpl without ACCESSEXTERNALDTD or ACCESSEXTERNALSTYLESHEET...

8.7CVSS6AI score
Exploits0References4Affected Software1
CVE
CVE
added yesterday33 views

CVE-2026-44161

Fluentd’s out_http plugin (pre-1.19.3) allows placeholders such as ${tag} in the endpoint configuration. If a placeholder comes from untrusted input, an attacker can control the destination hostname of outbound HTTP requests and force requests to arbitrary internal services (SSRF). Affected versi...

7.2CVSS7.3AI score
Exploits0References4
CVE
CVE
added yesterday9 views

CVE-2026-60104

Bitwarden Server before 2026.6.0 is vulnerable to an authorization bypass in the admin/auth request flow. A low-privileged organization member can exploit a mismatch in the POST /auth-requests/admin-request handling to bind a Trusted Device Encryption request to an attacker-controlled public key,...

9.3CVSS6AI score
Exploits0References5
Cvelist
Cvelist
added yesterday10 views

CVE-2026-60104 Bitwarden Server < 2026.6.0 Authorization Bypass via Admin Auth Request

Bitwarden Server before 2026.6.0 does not verify that the email in a POST /auth-requests/admin-request body belongs to the authenticated caller, allowing a low-privileged organization member to obtain another user's vault key and a victim-scoped access token by creating a Trusted Device Encryptio...

9.3CVSS
Exploits0References5
CVE
CVE
added yesterday6 views

CVE-2026-59819

LiteLLM (proxy server AI Gateway) prior to 1.83.10-stable allows a privileged caller via /health/test_connection to resolve request-supplied litellm_params environment and OIDC file references, enabling potential local file reads through an oidc/file/ reference. This is fixed in version 1.83.10-s...

2.1CVSS5.9AI score
Exploits0References3
NVD
NVD
added yesterday5 views

CVE-2026-59896

Hono is a Web application framework that provides support for any JavaScript runtime. From 4.11.8 before 4.12.27, hono/jsx did not isolate context values per request during server-side rendering, allowing createContext, useContext, jsxRenderer, or useRequestContext data from a different in-flight...

6.5CVSS
Exploits0References3
CVE
CVE
added yesterday11 views

CVE-2025-3110

CVE-2025-3110 affects OpenVPN Access Server 2.7.2 through 3.1.0. The vulnerability arises because the product accepts bare line-feed sequences inside HTTP header values, enabling remote attackers to perform HTTP request smuggling when deployed behind a reverse proxy. The connected CVE record conf...

6.9CVSS6AI score
Exploits0References1
Cvelist
Cvelist
added yesterday12 views

CVE-2025-3110

OpenVPN Access Server 2.7.2 through 3.1.0 accepts bare line-feed sequences inside HTTP header values, allowing remote attackers to perform HTTP request smuggling when deployed behind a reverse proxy...

6.9CVSS
Exploits0References1
NVD
NVD
added yesterday5 views

CVE-2026-54344

ToolJet is an open-source low-code platform for building internal tools. Prior to 3.20.180, ToolJet's render preview deployment workflow interpolates github.event.comment.body directly into a bash conditional in a run step, allowing any GitHub user who can comment on an open pull request with a...

4.7CVSS
Exploits0References1
EUVD
EUVD
added yesterday3 views

EUVD-2026-42326

Hono is a Web application framework that provides support for any JavaScript runtime. From 4.11.8 before 4.12.27, hono/jsx did not isolate context values per request during server-side rendering, allowing createContext, useContext, jsxRenderer, or useRequestContext data from a different in-flight...

6.5CVSS5.9AI score
Exploits0References3
CVE
CVE
added yesterday6 views

CVE-2026-59896

Hono/jsx in the Hono web framework exposes a cross-request data disclosure during server-side rendering. From version 4.11.8 up to, but not including, 4.12.27, context values created via createContext, useContext, jsxRenderer, or useRequestContext were not isolated per request and could be reused...

6.5CVSS5.9AI score
Exploits0References3
Cvelist
Cvelist
added yesterday10 views

CVE-2026-59896 hono/jsx does not isolate context per request, leading to cross-request data disclosure

Hono is a Web application framework that provides support for any JavaScript runtime. From 4.11.8 before 4.12.27, hono/jsx did not isolate context values per request during server-side rendering, allowing createContext, useContext, jsxRenderer, or useRequestContext data from a different in-flight...

6.5CVSS
Exploits0References3
RedHat Linux
RedHat Linux
added yesterday5 views

golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses

A flaw was found in golang.org/x/crypto/ssh. A remote malicious SSH peer can exploit this by sending unsolicited global request responses, which fills an internal buffer and blocks the connection's read loop. This prevents the associated resources from being released, leading to a resource leak p...

9.1CVSS6.1AI score0.00513EPSS
Exploits0References9
EUVD
EUVD
added yesterday5 views

EUVD-2026-42298

repomix contains a server-side request forgery vulnerability in the POST /api/pack endpoint that allows unauthenticated attackers to make arbitrary outbound requests. The endpoint fails to properly validate http://, https://, and file:// URLs before passing them to git clone, enabling attackers t...

9.3CVSS6.1AI score
Exploits0References4
CVE
CVE
added yesterday8 views

CVE-2026-59702

Summary: CVE-2026-59702 affects repomix. A server-side request forgery exists in POST /api/pack, where unauthenticated attackers can cause the server to fetch arbitrary URLs without proper validation. The endpoint accepts http://, https://, and file:// URLs and passes them to git clone, enabling ...

9.3CVSS6.1AI score
Exploits0References4
EUVD
EUVD
added yesterday7 views

EUVD-2026-42276

This vulnerability enables large‑scale data harvesting without requiring app‑specific secrets. A single request to a minimal leaderboard component may return user records containing emails, UUIDs, and custom fields. The combination of wildcard CORS behavior, long‑lived twenty‑day JWTs, and the...

6AI score
Exploits0References1
Rows per page
Query Builder