Lucene search
K

131 matches found

NVD
NVD
added 3 days ago7 views

CVE-2026-61454

The Grav Admin2 plugin getgrav/grav-plugin-admin2 before 2.0.4 embeds a global JavaScript variable window.GRAVCONFIG in the Admin2 SPA bootstrap page at /grav/admin and its subroutes. This object is returned in every unauthenticated response and discloses the server URL, API prefix, admin base...

8.7CVSS0.00239EPSS
Exploits0References2
EUVD
EUVD
added 3 days ago9 views

EUVD-2026-43184

The Grav Admin2 plugin getgrav/grav-plugin-admin2 before 2.0.4 embeds a global JavaScript variable window.GRAVCONFIG in the Admin2 SPA bootstrap page at /grav/admin and its subroutes. This object is returned in every unauthenticated response and discloses the server URL, API prefix, admin base...

8.7CVSS6.1AI score0.00239EPSS
Exploits0References2
OSV
OSV
added 3 days ago3 views

CVE-2026-61454 Grav before 2.0.4 Information Disclosure via __GRAV_CONFIG__

The Grav Admin2 plugin getgrav/grav-plugin-admin2 before 2.0.4 embeds a global JavaScript variable window.GRAVCONFIG in the Admin2 SPA bootstrap page at /grav/admin and its subroutes. This object is returned in every unauthenticated response and discloses the server URL, API prefix, admin base...

8.7CVSS6.1AI score0.00239EPSS
Exploits0References4
Cvelist
Cvelist
added 3 days ago33 views

CVE-2026-61454 Grav before 2.0.4 Information Disclosure via __GRAV_CONFIG__

The Grav Admin2 plugin getgrav/grav-plugin-admin2 before 2.0.4 embeds a global JavaScript variable window.GRAVCONFIG in the Admin2 SPA bootstrap page at /grav/admin and its subroutes. This object is returned in every unauthenticated response and discloses the server URL, API prefix, admin base...

8.7CVSS0.00239EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/25 3:48 p.m.32 views

CVE-2026-54030 LibreChat: Missing Resource Parameter Validation in MCP OAuth Flow

LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.5, LibreChat's MCP OAuth implementation does not validate that the resource parameter from OAuth Protected Resource metadata RFC 9728 matches the configured MCP server URL, allowing a malicious MCP server to...

8CVSS0.00113EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/06/25 3:48 p.m.6 views

CVE-2026-54030

LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.5, LibreChat's MCP OAuth implementation does not validate that the resource parameter from OAuth Protected Resource metadata RFC 9728 matches the configured MCP server URL, allowing a malicious MCP server to...

8CVSS5.9AI score0.00113EPSS
Exploits1References2Affected Software1
OSV
OSV
added 2026/06/25 6:43 a.m.16 views

MAL-2026-6445 Malicious code in base58-core (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 048a186e2e59bb0b7d9986c7099e527390e38690292bc49e237578a471c56680 The package advertises itself as a Base58 encoder/decoder but on require schedules a delayed payload that performs multiple installer-side attacks...

6AI score
Exploits0References13
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/15 3:9 p.m.14 views

Malicious code in hemi-supply-cron (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c41be27601d38eb5c0b527a9ec22b7516734e8eae985a2607ae6d70878f5f1d9 package.json declares a preinstall hook node postinstall.js that fires automatically on npm install. The script collects host identity os.hostname,...

5.3AI score
Exploits0References1
NVD
NVD
added 2026/06/10 3:16 p.m.13 views

CVE-2026-45563

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, GET /history// re-uses the serverip path parameter as a user-id when service == 'user', with no authorization check. Any authenticated user — even a guest in an unrelated group —...

4.3CVSS0.00176EPSS
Exploits0References1
OSV
OSV
added 2026/06/09 5:35 p.m.13 views

MAL-2026-5411 Malicious code in @klapp-about/routes (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 715f07e0a1984fc9eb7d6432fc2491b08139755426b3c8905ba2d9274e2d4875 On npm install, the package's preinstall hook node index.js collects host and user identity data — os.hostname, os.userInfo.username, dirname,...

5.4AI score
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/06/05 7:27 p.m.10 views

CVE-2026-22576

A storing passwords in a recoverable format vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.4, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through 7.6.4, FortiSOAR on-premise 7.5.0 through 7.5.2,...

6.5CVSS5.5AI score0.00263EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:17 p.m.12 views

CVE-2026-33078

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Versions prior to 8.2.6.4 have a SQL injection vulnerability in the haproxysectionsave function in app/routes/config/routes.py. The serverip parameter, sourced from the URL path, is passed unsanitized through...

9.8CVSS6.1AI score0.00352EPSS
Exploits1References1
OSV
OSV
added 2026/05/14 7:24 p.m.9 views

MAL-2026-3754 Malicious code in chalk-pack (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3e6eab5e9e696250cc719b36e144f4534cac2b38a25521cda80222b6c66cd64c Package is named chalk-pack impersonating chalk with keywords and index.js impersonating lodash; index.js is a stub that self-describes as 'Just a...

5.8AI score
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/05/12 8:20 a.m.14 views

CVE-2026-42072

Nornicdb is a distributed low-latency, Graph+Vector, Temporal MVCC with all sub-ms HNSW search, graph traversal, and writes. Prior to version 1.0.42-hotfix, the --address CLI flag and NORNICDBADDRESS / server.host config key is plumbed through to the HTTP server correctly but never reaches the Bo...

9.8CVSS5.7AI score0.0044EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/04/24 2:5 a.m.29 views

CVE-2026-33078 Roxy-WI has SQL Injection in haproxy_section_save Endpoint via Unsanitized server_ip Parameter

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Versions prior to 8.2.6.4 have a SQL injection vulnerability in the haproxysectionsave function in app/routes/config/routes.py. The serverip parameter, sourced from the URL path, is passed unsanitized through...

9.3CVSS0.00352EPSS
Exploits1References2
CNNVD
CNNVD
added 2026/04/24 12:0 a.m.10 views

Roxy-WI SQL注入漏洞

Roxy-WI is an open-source web interface designed for managing Haproxy, Nginx, and Keepalived servers. Versions prior to Roxy-WI 8.2.6.4 contained a SQL injection vulnerability. This vulnerability stemmed from the serverip parameter in the haproxy-sectionsave function being inserted into the SQL...

9.8CVSS5.9AI score0.00352EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/04/23 12:0 a.m.4 views

CVE-2026-31181

An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557B20221024 allowing attackers to execute arbitrary commands via the stunServerAddr parameter to /cgi-bin/cstecgi.cgi...

9.8CVSS6.1AI score0.00578EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/04/23 12:0 a.m.4 views

CVE-2026-31181

An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557B20221024 allowing attackers to execute arbitrary commands via the stunServerAddr parameter to /cgi-bin/cstecgi.cgi...

6.1AI score0.00578EPSS
Exploits1References1
CVE
CVE
added 2026/04/23 12:0 a.m.13 views

CVE-2026-31181

CVE-2026-31181 affects ToToLink A3300R firmware v17.0.0cu.557_B20221024. An arbitrary command execution vulnerability exists via the stunServerAddr parameter to /cgi-bin/cstecgi.cgi, enabling likely remote code execution over the network. The CVSS v3.1 base score is 9.8 (CRITICAL) with high impac...

9.8CVSS6.1AI score0.00578EPSS
Exploits1References1Affected Software1
EUVD
EUVD
added 2026/04/14 6:30 p.m.8 views

EUVD-2026-22325

A storing passwords in a recoverable format vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.4, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through 7.6.4, FortiSOAR on-premise 7.5.0 through 7.5.2,...

4.3CVSS5.8AI score0.00263EPSS
Exploits0References2
Rows per page
Query Builder