Lucene search
+L

43 matches found

EUVD
EUVD
added 2 days ago8 views

EUVD-2026-45082

grav-plugin-login before 3.8.11 contains a cross-site request forgery CSRF vulnerability in the login.regenerate2FASecret frontend task, which regenerates and persists a new TOTP secret for the authenticated session user without any anti-CSRF nonce or Origin/Referer check. Because Grav core...

5.4CVSS6.1AI score0.00099EPSS
Exploits0References2
EUVD
EUVD
added 2026/07/10 2:11 p.m.9 views

EUVD-2026-42907

The iDirect iQ200 does not validate CSRF tokens on state-changing API endpoints after authentication. The /api/reboot endpoint accepts POST requests authenticated solely by a session cookie that lacks the SameSite attribute. A remote attacker can host a malicious web page that, when visited by an...

8.1CVSS6.1AI score0.00308EPSS
Exploits0References3
OSV
OSV
added 2026/06/30 9:6 a.m.4 views

SUSE-SU-2026:2695-1 Security update for nodejs22

This update for nodejs22 fixes the following issues: - CVE-2026-48618: tls: normalize hostname for server identity checks bsc1268593. - CVE-2026-48933: crypto: guard WebCrypto cipher output length bsc1268592. - CVE-2026-48615: lib,test: redact proxy credentials in tunnel errors bsc1268598. -...

9.8CVSS6.1AI score0.02806EPSS
Exploits3References39
RedhatCVE
RedhatCVE
added 2026/06/05 7:40 p.m.12 views

CVE-2026-43877

WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/userSavePhoto.php is a legacy profile-photo endpoint that accepts a base64 POST parameter and writes the decoded bytes to videos/userPhoto/photo.png. Its only access control is User::isLogged. It does not...

5.4CVSS5.5AI score0.00121EPSS
Exploits0References1
OSV
OSV
added 2026/05/11 8:34 p.m.4 views

CVE-2026-43877 WWBN AVideo: CSRF in userSavePhoto.php Allows Cross-Origin Overwrite of Any Logged-in User's Profile Photo with Arbitrary Bytes

WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/userSavePhoto.php is a legacy profile-photo endpoint that accepts a base64 POST parameter and writes the decoded bytes to videos/userPhoto/photo.png. Its only access control is User::isLogged. It does not...

5.4CVSS6AI score0.00121EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/05/11 12:0 a.m.12 views

PT-2026-39679

Name of the Vulnerable Software and Affected Versions Dozzle versions prior to 10.5.2 Description The WebSocket upgrader for the '/exec' and '/attach' endpoints accepts upgrade requests from any origin because it uses a custom CheckOrigin function that always returns true. When combined with the...

9.6CVSS5.8AI score0.00195EPSS
Exploits1References9
ATTACKERKB
ATTACKERKB
added 2026/04/21 10:16 p.m.5 views

CVE-2026-40929

WWBN AVideo is an open source video platform. In versions 29.0 and prior, objects/commentDelete.json.php is a state-mutating JSON endpoint that deletes comments but performs no CSRF validation. It does not call forbidIfIsUntrustedRequest, does not verify a CSRF/global token, and does not check...

5.4CVSS5.6AI score0.00113EPSS
Exploits1References3Affected Software1
Vulnrichment
Vulnrichment
added 2026/04/06 7:6 p.m.2 views

CVE-2026-35180 WWBN AVideo affected by CSRF on Site Customization Endpoint Enables Logo Overwrite via Base64 File Write

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the site customization endpoint at admin/customizesettingsnativeUpdate.json.php lacks CSRF token validation and writes uploaded logo files to disk before the ORM's domain-based security check executes. Combined with...

4.3CVSS5.8AI score0.00112EPSS
Exploits1References1
Github Security Blog
Github Security Blog
added 2026/03/31 11:15 p.m.7 views

AVideo's CSRF on Admin Plugin Configuration Enables Payment Credential Hijacking

Summary AVideo's admin plugin configuration endpoint admin/save.json.php lacks any CSRF token validation. There is no call to isGlobalTokenValid or verifyToken before processing the request. Combined with the application's explicit SameSite=None cookie policy, an attacker can forge cross-origin...

8.1CVSS6.1AI score0.00233EPSS
Exploits1References3Affected Software1
OSV
OSV
added 2026/03/25 10:10 a.m.3 views

SUSE-SU-2026:1010-1 Security update 5.0.7 for Multi-Linux Manager Server

This update fixes the following issues: branch-network-formula: - Update to version 1.1.0 Enable containers on SLE15SP7 Exclude podman interfaces from sysctl setting cobbler: - Compatibility fixes for tftpboot directory setup inter-server-sync: - Version 0.3.10-0 Write log to a rotated file witho...

7.5CVSS7.1AI score0.00248EPSS
Exploits1References43
Tenable Nessus
Tenable Nessus
added 2026/01/20 12:0 a.m.6 views

MiracleLinux 9 : thunderbird-102.5.0-2.el9.ML.1 (AXSA:2023-5045:06)

The remote MiracleLinux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the AXSA:2023-5045:06 advisory. Mozilla: Service Workers might have learned size of cross-origin media files CVE-2022-45403 Mozilla: Fullscreen notification bypass CVE-2022-45404...

9.8CVSS8.2AI score0.01061EPSS
Exploits0References14
Tenable Nessus
Tenable Nessus
added 2026/01/20 12:0 a.m.3 views

MiracleLinux 9 : firefox-102.5.0-1.el9.ML.1 (AXSA:2023-5007:06)

The remote MiracleLinux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the AXSA:2023-5007:06 advisory. Mozilla: Service Workers might have learned size of cross-origin media files CVE-2022-45403 Mozilla: Fullscreen notification bypass CVE-2022-45404...

9.8CVSS8.2AI score0.01061EPSS
Exploits0References14
RedhatCVE
RedhatCVE
added 2025/12/22 7:21 a.m.11 views

CVE-2023-53957

Kimai 1.30.10 contains a SameSite cookie vulnerability that allows attackers to steal user session cookies through malicious exploitation. Attackers can trick victims into executing a crafted PHP script that captures and writes session cookie information to a file, enabling potential session...

9.8CVSS6.6AI score0.00505EPSS
Exploits1References1
NVD
NVD
added 2025/12/19 9:15 p.m.7 views

CVE-2023-53957

Kimai 1.30.10 contains a SameSite cookie vulnerability that allows attackers to steal user session cookies through malicious exploitation. Attackers can trick victims into executing a crafted PHP script that captures and writes session cookie information to a file, enabling potential session...

9.8CVSS0.00505EPSS
Exploits1References3
Cvelist
Cvelist
added 2025/12/19 9:5 p.m.28 views

CVE-2023-53957 Kimai 1.30.10 SameSite Cookie Vulnerability Session Hijacking

Kimai 1.30.10 contains a SameSite cookie vulnerability that allows attackers to steal user session cookies through malicious exploitation. Attackers can trick victims into executing a crafted PHP script that captures and writes session cookie information to a file, enabling potential session...

9.8CVSS0.00505EPSS
Exploits1References3
CVE
CVE
added 2025/12/05 10:27 p.m.60 views

CVE-2025-34291

Summary: Langflow AI

9.4CVSS8.1AI score0.7889EPSS
In wildExploits3References5Affected Software1
NVD
NVD
added 2025/11/25 3:15 p.m.7 views

CVE-2025-36134

IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.0.0.0 through 6.1.2.7 and 6.2.0.0 through 6.2.0.5 and 6.2.1.1 could disclose sensitive information due to a missing or insecure SameSite attribute for a sensitive cookie...

7.5CVSS0.00266EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2025/11/25 2:40 p.m.7 views

CVE-2025-36134 IBM Sterling B2B Integrator and IBM Sterling File Gateway information disclosure

IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.0.0.0 through 6.1.2.7 and 6.2.0.0 through 6.2.0.5 and 6.2.1.1 could disclose sensitive information due to a missing or insecure SameSite attribute for a sensitive cookie...

3.7CVSS5.8AI score0.00266EPSS
Exploits0References1
OSV
OSV
added 2025/11/18 12:15 p.m.9 views

CVE-2025-6670

A Cross-Site Request Forgery CSRF vulnerability exists in multiple WSO2 products due to the use of the HTTP GET method for state-changing operations within admin services, specifically in the event processor of the Carbon console. Although the SameSite=Lax cookie attribute is used as a mitigation...

8.8CVSS6.3AI score
Exploits0References1
EUVD
EUVD
added 2025/10/07 12:30 a.m.5 views

EUVD-2020-7561

Malware in sbrugna...

7.5CVSS7.6AI score0.01522EPSS
Exploits0References2
Rows per page
Query Builder