
1850 matches found

Nuclei
added 15 hours ago, 50 views

Mitel MiCollab - Arbitrary File Read

The Mitel Collab Arbitrary File Read vulnerability allows an unauthenticated attacker to read arbitrary files from the underlying file system on a Mitel Collab server. Exploiting this flaw involves sending specially crafted requests to the server, bypassing access controls and allowing the attack...

CVSS 9.8, AI score 7.1, EPSS 0.98067
Exploits 3, References 3
Nuclei
added 2026/06/16 7:13 a.m., 290 views

PhpMyAdmin <4.8.2 - Local File Inclusion

PhpMyAdmin before version 4.8.2 is susceptible to local file inclusion that allows an attacker to include view and potentially execute files on the server. The vulnerability comes from a portion of code where pages are redirected and loaded within phpMyAdmin, and an improper test for whitelisted...

CVSS 8.8, AI score 7.7, EPSS 0.98391
Exploits 20, References 5
Vulnrichment
added 2026/06/12 8:59 p.m., 19 views

CVE-2026-53609 Apostrophe has Server-Side Prototype Pollution in apos.util.set via patch operators that leads to process-wide authorization bypass

ApostropheCMS is an open-source Node.js content management system. In versions up to and including 4.30.0, apos.util.set traverses dot-notation paths without sanitizing proto, allowing an authenticated editor to write arbitrary values to Object.prototype via the $pullAll patch operator. A confirm...

CVSS 9.1, AI score 5.4, EPSS 0.00237
Exploits 0, References 1
CNNVD
added 2026/06/11 12:00 a.m., 12 views

Quest Bot security vulnerability

Quest Bot is a multi-functional Discord community management robot developed by Duck Organization. Versions of Quest Bot prior to 1.0.3 contained security vulnerabilities. These vulnerabilities stemmed from users who had access to manage servers but did not have management roles or administrator...

CVSS 7.5, AI score 5.6, EPSS 0.00238
Exploits 0, References 1
Vulnrichment
added 2026/06/09 5:05 p.m., 8 views

CVE-2026-47631 Microsoft Exchange Server Spoofing Vulnerability

...

CVSS 8.1, AI score 5.4, EPSS 0.00353
Exploits 0, References 1
Github Security Blog
added 2026/06/05 4:45 p.m., 10 views

Vantage6: Set admin user and password from environment or configuration

Impact Vantage6 currently provides an initial user with username root and password root. This is not ideal for the following reasons: - Attackers know that almost all vantage6 servers have a user with username root that probably has admin rights - The initial password is very weak and it is...

CVSS 6.9, AI score 5.5, EPSS 0.00292
Exploits 0, References 3, Affected Software 1
Debian CVE
added 2026/06/01 8:37 a.m., 12 views

CVE-2026-48827

Path traversal vulnerability in Apache MINA SSHD bundle sshd-git. Lack of path validation in git-upload-pack, git-receive-pack, and other git operations allows users authenticated over SSH access to git repositories outside the configured git server root directory. Applications are affected if th...

CVSS 7.1, AI score 5.8, EPSS 0.00527
Exploits 0
Positive Technologies
added 2026/06/01 12:00 a.m., 11 views

PT-2026-45380

Name of the Vulnerable Software and Affected Versions Apache MINA SSHD versions prior to 2.18.0 Apache MINA SSHD versions 3.0.0-M1 through 3.0.0-M3 Description A path traversal issue exists in the org.apache.sshd:sshd-git bundle. Due to a lack of path validation in git-upload-pack,...

CVSS 7.1, AI score 5.8, EPSS 0.00527
Exploits 0, References 18
AstraLinux
added 2026/05/20 5:53 a.m., 4 views

Astra Linux - vulnerability in 389-ds-base

A vulnerability was discovered in the 389 Directory Server, which allows an unauthenticated attacker with network access to the LDAP port to cause a denial of service. The denial of service is triggered by a single message sent over a TCP connection, without the need for any bind or other...

CVSS 7.5, AI score 6.8, EPSS 0.05914
Exploits 1, References 2
NVD
added 2026/05/14 4:16 p.m., 16 views

CVE-2026-42590

Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.30.0, the ExifTool metadata write blocklist in Gotenberg can be bypassed using ExifTool's group-prefix syntax, enabling arbitrary file rename, move, hardlink, and symlink creation on the server. ExifTool supports group-prefix...

CVSS 8.2, EPSS 0.0029
Exploits 1, References 1
RedhatCVE
added 2026/05/13 8:23 p.m., 9 views

CVE-2026-44221

ArcadeDB is a Multi-Model DBMS. Prior to 2.6.4, authenticated users and API tokens scoped to a specific database could read, write, and mutate schema on any other database on the same server. Two distinct defects contributed: 1 ServerSecurityUser.getDatabaseUser returned a DB user with an...

CVSS 9, AI score 5.8, EPSS 0.00344
Exploits 0, References 1
Vulnrichment
added 2026/05/12 7:53 p.m., 7 views

CVE-2026-44221 ArcadeDB: Cross-database authorization bypass and unsecured newly-created databases

ArcadeDB is a Multi-Model DBMS. Prior to 2.6.4, authenticated users and API tokens scoped to a specific database could read, write, and mutate schema on any other database on the same server. Two distinct defects contributed: 1 ServerSecurityUser.getDatabaseUser returned a DB user with an...

CVSS 9, AI score 5.8, EPSS 0.00344
Exploits 0, References 2
CVE
added 2026/05/12 7:53 p.m., 13 views

CVE-2026-44221

ArcadeDB prior to version 2.6.4 (also referenced as 26.4.2 in some advisories) contains a cross-database authorization bypass. Two defects enable authenticated principals to bypass both record-level and database-level controls: (1) ServerSecurityUser.getDatabaseUser() returns a DB user with an un...

CVSS 9, AI score 5.8, EPSS 0.00344
Exploits 0, References 2
Intel
added 2026/05/12 12:00 a.m., 10 views

UEFI Reference Firmware Advisory

Summary: A potential security vulnerability in UEFI for some Intel Reference Platforms may allow information disclosure. Intel is releasing firmware updates to mitigate this potential vulnerability. Vulnerability Details: CVEID: CVE-2025-35991 Description: Improper initialization in the UEFI...

CVSS 5.6, AI score 5.7, EPSS 0.00095
Exploits 0
Snyk
added 2026/05/05 10:22 p.m., 3 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization in the ServerSecurityUser.getDatabaseUser and ArcadeDBServer.createDatabase processes. An attacker can gain unauthorized access to read, write, and modify schema and data across databases by exploiting improper...

CVSS 9, AI score 5.8, EPSS 0.00344
Exploits 0, References 2
CVE
added 2026/05/05 7:19 p.m., 13 views

CVE-2026-33975

CVE-2026-33975 affects Twenty-server SSRF protection in Twenty (NestJS) and can be bypassed in versions ≤ 1.18.0 by using IPv4-mapped IPv6 literals. The Node.js URL parser normalizes these to hex form (for example ::ffff:169.254.169.254 to ::ffff:a9fe:a9fe), while the isPrivateIp utility only rec...

CVSS 8.3, AI score 5.8, EPSS 0.0024
Exploits 0, References 1
Positive Technologies
added 2026/05/05 12:00 a.m., 7 views

PT-2026-37317

Name of the Vulnerable Software and Affected Versions ArcadeDB versions prior to 26.4.2 Description Authenticated users and API tokens scoped to a specific database can read, write, and mutate schema on any other database on the same server. This occurs due to two defects: first, the...

CVSS 9, AI score 5.8, EPSS 0.00344
Exploits 0, References 8
Oracle linux
added 2026/04/29 12:00 a.m., 9 views

xorg-x11-server security update

1.20.11-28 - CVE fix for: CVE-2026-33999, CVE-2026-34000, CVE-2026-34001 CVE-2026-34002, CVE-2026-34003 Resolves: https://redhat.atlassian.net/browse/RHEL-163216 Resolves: https://redhat.atlassian.net/browse/RHEL-163298 Resolves: https://redhat.atlassian.net/browse/RHEL-163229...

CVSS 7.8, AI score 5.2, EPSS 0.00489
Exploits 0
Packet Storm News
added 2026/04/23 12:00 a.m., 5 views

MCP Pitfall Lab: Exposing Developer Pitfalls in MCP Tool Server Security under Multi-Vector Attacks

Model Context Protocol MCP is increasingly adopted for tool-integrated LLM agents, but its multi-layer design and third-party server ecosystem expand risks across tool metadata, untrusted outputs, cross-tool flows, multimodal inputs, and supply-chain vectors. Existing MCP benchmarks largely measu...

AI score 5.4
Exploits 0
GithubExploit
added 2026/04/21 5:20 p.m., 100 views

Exploit for Improper Input Validation in Apache Tomcat

No d...

CVSS 5.3, AI score 6.7, EPSS 0.05848
Exploits 2