Lucene search
K

633 matches found

Nuclei
Nuclei
added yesterday76 views

CasaOS < 0.4.4 - Authentication Bypass via Random JWT Token

CasaOS is an open-source Personal Cloud system. Unauthenticated attackers can craft arbitrary JWTs and access features that usually require authentication and execute arbitrary commands as root on CasaOS instances. This problem was addressed by improving the validation of JWTs in commit 705bf1f...

9.8CVSS7.3AI score0.05871EPSS
Exploits1References2
NVD
NVD
added 4 days ago5 views

CVE-2026-57474

Deloitte AI Assist for Customer disclosed some configuration information through public-facing API endpoints that accepted unauthenticated requests. This information could reduce an attacker’s reconnaissance effort. On 2026-03-25, AI Assist for Customer restricted network access and enforced...

6.9CVSS0.00279EPSS
Exploits0References4
CVE
CVE
added 4 days ago6 views

CVE-2026-57475

Deloitte AI Assist for Customer had an unauthenticated POST vulnerability on public API endpoints that allowed a remote attacker to perform limited additions to the configuration. These changes were not used by the system. On 2026-03-25, access was restricted and authentication enforced for the e...

6.9CVSS6.2AI score0.0034EPSS
Exploits0References4
CVE
CVE
added 6 days ago7 views

CVE-2026-59262

AFFiNE CVE-2026-59262 involves the histories GraphQL field failing to validate Doc.Read permissions before exposing edit histories. The vulnerability allows authenticated workspace members to supply arbitrary document GUIDs and access full edit histories, including user names, emails, and timesta...

7.1CVSS6AI score0.00238EPSS
Exploits0References4
Cvelist
Cvelist
added last week30 views

CVE-2026-55077 Coder: User-admin role can reset owner account password

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, the PUT /api/v2/users/user/password endpoint authorized only ActionUpdatePersonal and did not prevent a user-admin from resetting an owner account's passwor...

7.2CVSS0.00615EPSS
Exploits0References6
ATTACKERKB
ATTACKERKB
added 2026/07/06 1:10 p.m.10 views

CVE-2026-7185

A validation vulnerability has been identified in certain web features related to file management or upload in several products of the TAO 2.0 suite. This vulnerability could allow an attacker capable of interacting with the affected feature to attempt to access file system resources outside the...

6CVSS5.8AI score0.00292EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/25 5:37 p.m.30 views

CVE-2026-54094 File Browser: Symlink following lets scoped users read, overwrite, and share files outside their filebrowser scope

File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.14, it does not stop the HTTP file handlers from following symbolic links before they open, serve, write, share, or list a file. As a result, a...

7.5CVSS0.0046EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/19 4:28 p.m.9 views

CVE-2026-56211

A remote code execution vulnerability was found in libaom, the reference AV1 codec implementation. Insufficient bounds validation in the AV1 encoder's SVC Scalable Video Coding layer ID control allows an attacker to supply crafted video frame pixels that overlap with internal encoder layer contex...

7.1CVSS6.7AI score0.00414EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/06/19 12:0 a.m.16 views

PT-2026-51062

Name of the Vulnerable Software and Affected Versions Stanza version 1.12.0 Description An issue exists where the software attempts to load PyTorch checkpoint files using a safe method but automatically falls back to an unsafe deserialization process when a pickle.UnpicklingError occurs. Because...

7.5CVSS6.2AI score0.00302EPSS
Exploits1References11
Cvelist
Cvelist
added 2026/06/10 9:1 p.m.100 views

CVE-2026-0272 PAN-OS: Privilege Escalation (PE) Vulnerability in the Command Line Interface (CLI)

A privilege escalation vulnerability in Palo Alto Networks PAN-OS® software allows an authenticated administrator with access to the Command Line Interface CLI to perform actions on the device with root privileges. The security risk posed by this issue is significantly minimized when CLI access i...

8.5CVSS0.00256EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:25 p.m.12 views

CVE-2026-0261

Multiple command injection vulnerabilities in Palo Alto Networks PAN-OS® software enable an authenticated administrator to bypass system restrictions and run arbitrary commands as a root user. To be able to exploit this issue, the user must have access to the PAN-OS CLI or Web UI. The security ri...

8.6CVSS5.7AI score0.01336EPSS
Exploits0References1
NVD
NVD
added 2026/06/04 2:16 p.m.12 views

CVE-2026-10854

A visibility control issue in the event template creation workflow allowed non-site-admin users to access private galaxies belonging to other organisations. The event template builder loaded all enabled galaxies without applying organisation or distribution-based access restrictions, potentially...

5.3CVSS0.00176EPSS
Exploits0References1
CVE
CVE
added 2026/05/29 6:15 p.m.26 views

CVE-2026-49386

CVE-2026-49386 affects JetBrains YouTrack prior to 2026.1.13570, where an improper access control allows enumeration of restricted issues and articles on Planning Canvas. The issue’s impact is limited to information exposure (enumeration) without indicating broader code execution or data modifica...

6.5CVSS5.8AI score0.00248EPSS
Exploits0References1Affected Software1
BDU FSTEC
BDU FSTEC
added 2026/05/27 12:0 a.m.4 views

The vulnerability of the package manager for Kubernetes Helm, related to incorrect path name restrictions for restricted access directories, allows a perpetrator to gain unauthorized access to protected information.

The vulnerability of the package manager for Kubernetes Helm is related to an incorrect restriction on the path name to the restricted-access directory. Exploiting this vulnerability could allow a perpetrator to gain unauthorized access to protected information...

8.6CVSS6.1AI score0.00158EPSS
Exploits2References7Affected Software2
CVE
CVE
added 2026/05/26 9:32 p.m.23 views

CVE-2025-46307

The CVE-2025-46307 issue affects macOS, with the logic flaw limited to the system’s access control restrictions. The vulnerability is described as a logic issue that could allow an app to access sensitive user data. The impact is tied to local access (AV:L, PR:L) with high confidentiality impact,...

5.5CVSS5.8AI score0.0015EPSS
Exploits0References1Affected Software1
Snyk
Snyk
added 2026/05/18 5:52 p.m.10 views

UNIX Symbolic Link (Symlink) Following

Overview Affected versions of this package are vulnerable to UNIX Symbolic Link Symlink Following during docker cp mount setup due to the switching from GetResourcePath and to createIfNotExists method that has no absolute path checks. An attacker can create empty files or directories at arbitrary...

6.1CVSS5.9AI score0.00108EPSS
Exploits0References2
CVE
CVE
added 2026/05/12 8:59 p.m.19 views

CVE-2026-33570

The CVE affects the PowerSYSTEM Center REST API endpoint for devices. A low-privilege authenticated user can access information normally restricted by operational permissions, exposing confidential data (high impact on confidentiality per ICSCERT CVSS 3.1/4.0 metrics). Root cause described as ins...

6.9CVSS5.8AI score0.00161EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/05/11 2:41 p.m.7 views

CVE-2026-44200 Wagtail: Improper permission handling when copying pages

Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user with limited access to pages could copy a page they don't have access to to an area of the site they do. Once coped, they'd be able to view its contents, and potentially publish it...

6.5CVSS5.8AI score0.00201EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/08 12:0 a.m.16 views

PT-2026-39234

Name of the Vulnerable Software and Affected Versions Wagtail versions prior to 7.0.7 Wagtail versions prior to 7.3.2 Description A CMS user with limited access to form pages can delete submissions for pages they are not authorized to access. This is achieved by crafting a form submission to dele...

6.5CVSS5.7AI score0.00174EPSS
Exploits0References5
EUVD
EUVD
added 2026/04/28 3:18 p.m.6 views

EUVD-2026-26065

UNSUPPORTED WHEN ASSIGNED Inconsistent Interpretation of HTTP Requests 'HTTP Request/Response Smuggling' vulnerability in Pony Mail leading to admin account takeover. This issue affects all versions of the Lua implementation of Pony Mail. There is a Python implementation under development under t...

9.8CVSS5.3AI score0.00444EPSS
Exploits0References1
Rows per page
Query Builder